IBM Security SOAR

Expand all | Collapse all

Hashing Attachments in Emails Attached to Tickets

  • 1.  Hashing Attachments in Emails Attached to Tickets

    Posted Mon June 21, 2021 03:15 PM
    Hi Everyone!

    Before I start another custom integration from scratch - I wanted to poll the group and see if any other shops have developed a way to get the hash of an email attachment(s) and add it as an artifact for an email attached to a resilient ticket? Is there an app out there that would have this functionality as well?

    Thanks!

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    ------------------------------


  • 2.  RE: Hashing Attachments in Emails Attached to Tickets

    Posted Tue June 22, 2021 04:53 AM
    You may refer to this app https://exchange.xforce.ibmcloud.com/hub/extension/2b6699ac8a3976b67dfbddee26dbe3a5 or the doc https://www.ibm.com/docs/en/rsoa-and-rp/41?topic=tutorials-tutorial-processing-inbound-email

    ------------------------------
    Leo Kuo
    ------------------------------



  • 3.  RE: Hashing Attachments in Emails Attached to Tickets

    Posted Tue June 22, 2021 08:39 AM
    The custom email file parser function I wrote pulls out email attachments from emails (eml files) and adds them as incident attachments, I believe the Resilient one does the same. My function is here: https://github.com/jjfallete/resilient/blob/master/functions/utilities/utility_email_file_parser.py

    We append [MALICIOUS] to the names of those attachments on line 229 (since in our case they are from phishes), and then leverage an automatic rule that kicks off a workflow using the the fn_utilities utilities_attachment_hash to automatically get hashes of them based on a rule that fires if the name contains that string.

    Post processor on that function in the workflow is:
    incident.addArtifact("Malware SHA-256 Hash", results.sha256, u"SHA-256 hash of {}".format(attachment.name).replace('[MALICIOUS]', '').strip())
    incident.addArtifact("Malware SHA-1 Hash", results.sha1, u"SHA-1 hash of {}".format(attachment.name).replace('[MALICIOUS]', '').strip())
    incident.addArtifact("Malware MD5 Hash", results.md5, u"MD5 hash of {}".format(attachment.name).replace('[MALICIOUS]', '').strip())


    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------