The custom email file parser function I wrote pulls out email attachments from emails (eml files) and adds them as incident attachments, I believe the Resilient one does the same. My function is here:
https://github.com/jjfallete/resilient/blob/master/functions/utilities/utility_email_file_parser.py
We append [MALICIOUS] to the names of those attachments on line 229 (since in our case they are from phishes), and then leverage an automatic rule that kicks off a workflow using the fn_utilities utilities_attachment_hash to automatically get hashes of them based on a rule that fires if the name contains that string.
Post processor on that function in the workflow is:
incident.addArtifact("Malware SHA-256 Hash", results.sha256, u"SHA-256 hash of {}".format(attachment.name).replace('[MALICIOUS]', '').strip())
incident.addArtifact("Malware SHA-1 Hash", results.sha1, u"SHA-1 hash of {}".format(attachment.name).replace('[MALICIOUS]', '').strip())
incident.addArtifact("Malware MD5 Hash", results.md5, u"MD5 hash of {}".format(attachment.name).replace('[MALICIOUS]', '').strip())
------------------------------
Jared Fagel
Cyber Security Analyst I
Public Utility
------------------------------
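As an added example that is not part of Jared's reply, his parser or IBM's fn_utilities: parse a constructed .eml, tag each attachment name with [MALICIOUS] as the post describes, and build the same three hash artifacts the post-processor above adds. The artifact type names, the tag handling and the hash set come from the post; the function names, SAMPLE_EML and the "unnamed" fallback are assumptions.

```python
# Added example (not from jjfallete's parser or IBM's fn_utilities): parse a .eml,
# extract its attachments, tag the names as the post describes, and compute the
# three hashes the workflow turns into artifacts.
import email
import hashlib
from email import policy

MALICIOUS_TAG = "[MALICIOUS]"  # suffix the post appends to attachment names

# Constructed sample message (not a real phish) with one attachment.
SAMPLE_EML = b"""From: sender@example.invalid
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

def extract_attachments(raw_eml):
    """Return [(tagged_name, bytes)] for each attachment part; the body is skipped."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"  # assumed fallback for nameless parts
        found.append((name + " " + MALICIOUS_TAG, part.get_payload(decode=True)))
    return found

def hash_artifacts(tagged_name, data):
    """Mirror the post-processor: three artifacts, description without the tag."""
    clean = tagged_name.replace(MALICIOUS_TAG, "").strip()
    return [
        ("Malware SHA-256 Hash", hashlib.sha256(data).hexdigest(), "SHA-256 hash of " + clean),
        ("Malware SHA-1 Hash", hashlib.sha1(data).hexdigest(), "SHA-1 hash of " + clean),
        ("Malware MD5 Hash", hashlib.md5(data).hexdigest(), "MD5 hash of " + clean),
    ]

def artifacts_for_eml(raw_eml):
    """All artifacts the workflow would add for the message's attachments."""
    return [a for name, data in extract_attachments(raw_eml)
            for a in hash_artifacts(name, data)]
```

In a real workflow the tuples map onto incident.addArtifact(type, value, description) calls, one per attachment and hash type.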
Original Message:
Sent: Mon June 21, 2021 03:14 PM
From: Jason Jemmott
Subject: Hashing Attachments in Emails Attached to Tickets
Hi Everyone!
Before I start another custom integration from scratch - I wanted to poll the group and see if any other shops have developed a way to get the hash of an email attachment(s) and add it as an artifact for an email attached to a resilient ticket? Is there an app out there that would have this functionality as well?
Thanks!
------------------------------
Jason Jemmott
Cyber Security Analyst
------------------------------