
Response Action

mrblacyk edited this page Apr 24, 2020 · 2 revisions


JSON structure

{
    "references": ["https://www.lifewire.com/save-an-email-as-an-eml-file-in-gmail-1171956","https://eml.tooutlook.com/"],
    "stage": "identification",
    "linked_ra": [],
    "creation_date": "31.01.2019",
    "title": "RA_0001_identification_get_original_email",
    "description": "Obtain original phishing email",
    "author": "@atc_project",
    "workflow": "Obtain original phishing email from one of the available/fastest options:\n\n- Email Team/Email server: if there is such option\n- Person who reported the attack (if it wasn't detected automatically or reported by victims)\n- Victims: if they were reporting the attack\n\nAsk for email in `.EML` format. Instructions: \n\n  1. Drag and drop email from Email client to Desktop\n  2. Send to IR specialists by <email>\n"
}

ATC Response Action yaml file

title: RA_0001_identification_get_original_email
stage: identification
author: '@atc_project'
creation_date: 31.01.2019
references: 
  - https://www.lifewire.com/save-an-email-as-an-eml-file-in-gmail-1171956
  - https://eml.tooutlook.com/
description: >
  Obtain original phishing email
workflow: |
  Obtain original phishing email from one of the available/fastest options:

  - Email Team/Email server: if there is such option
  - Person who reported the attack (if it wasn't detected automatically or reported by victims)
  - Victims: if they were reporting the attack

  Ask for email in `.EML` format. Instructions: 

    1. Drag and drop email from Email client to Desktop
    2. Send to IR specialists by <email>

Python snippet for inserting data

import yaml
import requests

path_to_ra = "RA0001.yml"

# Load every YAML document in the file with the safe loader
# (safe_load_all never constructs arbitrary Python objects from the input)
with open(path_to_ra, "r") as stream:
    data = list(yaml.safe_load_all(stream))

# POST the list of Response Actions to the local ATC API instance
# (credentials as shown for the local development instance)
r = requests.post(
    "http://127.0.0.1:8000/api/v1/atc/responseaction/",
    json=data,
    auth=('admin', 'admin')
)
r.raise_for_status()  # fail loudly on a non-2xx response instead of silently continuing

Filters

There are two types of filters - exact match and contains. Here is the list of valid filters:

Contains

  • title_contains
  • stage_contains
  • author_contains
  • description_contains
  • linked_ra_contains

Exact

  • title_exact
  • stage_exact
  • author_exact
  • linked_ra_exact
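The following is an added example, not code from the ATC project: it checks that a Response Action record carries the fields shown in the JSON structure above and applies the `_contains` / `_exact` filters listed here to a local list of records, so the filter semantics can be exercised offline before querying the API. The sample records are constructed (RA_9999 is a placeholder, not a real ATC entry); the DD.MM.YYYY date check, case-sensitive substring matching for `_contains`, and matching list fields such as `linked_ra` element by element are assumptions, since the page does not specify them.

```python
"""Offline helpers for ATC Response Action records (added example, not ATC project code)."""
import re
from urllib.parse import urlencode

# Fields every Response Action record carries, taken from the JSON structure on this page
REQUIRED_FIELDS = ("title", "stage", "author", "creation_date", "description",
                   "workflow", "references", "linked_ra")

# Filter names documented on this page; anything else is rejected
CONTAINS_FILTERS = ("title_contains", "stage_contains", "author_contains",
                    "description_contains", "linked_ra_contains")
EXACT_FILTERS = ("title_exact", "stage_exact", "author_exact", "linked_ra_exact")

# Constructed sample records; the first mirrors RA_0001 above, the second is a placeholder
SAMPLE_RAS = [
    {
        "title": "RA_0001_identification_get_original_email",
        "stage": "identification",
        "author": "@atc_project",
        "creation_date": "31.01.2019",
        "description": "Obtain original phishing email",
        "workflow": "Obtain original phishing email from one of the available/fastest options",
        "references": ["https://www.lifewire.com/save-an-email-as-an-eml-file-in-gmail-1171956"],
        "linked_ra": [],
    },
    {
        "title": "RA_9999_containment_placeholder",  # placeholder, not a real ATC RA
        "stage": "containment",
        "author": "@example_author",
        "creation_date": "01.02.2020",
        "description": "Placeholder record for testing",
        "workflow": "Placeholder workflow",
        "references": [],
        "linked_ra": ["RA_0001_identification_get_original_email"],
    },
]


def validate_ra(ra):
    """Return a list of problems found in one RA record; an empty list means it looks fine."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in ra]
    # Assumption: creation_date uses DD.MM.YYYY as in the example record
    if "creation_date" in ra and not re.fullmatch(r"\d{2}\.\d{2}\.\d{4}", str(ra["creation_date"])):
        problems.append("creation_date is not DD.MM.YYYY")
    for list_field in ("references", "linked_ra"):
        if list_field in ra and not isinstance(ra[list_field], list):
            problems.append(f"{list_field} must be a list")
    return problems


def _check_filter_names(filters):
    """Reject filter names that are not documented for the responseaction endpoint."""
    for name in filters:
        if name not in CONTAINS_FILTERS and name not in EXACT_FILTERS:
            raise ValueError(f"unknown filter: {name}")


def _field_values(ra, field):
    """List fields (linked_ra) are matched element by element; scalars as one string."""
    value = ra.get(field, "")
    return [str(x) for x in value] if isinstance(value, list) else [str(value)]


def apply_filters(ras, **filters):
    """Return the records matching every given <field>_contains / <field>_exact filter."""
    _check_filter_names(filters)
    matched = []
    for ra in ras:
        keep = True
        for name, wanted in filters.items():
            field, mode = name.rsplit("_", 1)
            values = _field_values(ra, field)
            if mode == "exact":
                hit = wanted in values
            else:  # "contains": case-sensitive substring (assumption; server may differ)
                hit = any(wanted in v for v in values)
            if not hit:
                keep = False
                break
        if keep:
            matched.append(ra)
    return matched


def build_query_url(base_url, **filters):
    """Build the URL a client would request, e.g. .../responseaction/?stage_exact=identification"""
    _check_filter_names(filters)
    return f"{base_url}?{urlencode(filters)}"


if __name__ == "__main__":
    for ra in SAMPLE_RAS:
        print(ra["title"], validate_ra(ra) or "ok")
    print(build_query_url("http://127.0.0.1:8000/api/v1/atc/responseaction/", stage_exact="identification"))
    print([r["title"] for r in apply_filters(SAMPLE_RAS, title_contains="RA_", author_contains="atc")])
```

Running the module validates both sample records and prints the titles that survive a combined `title_contains` + `author_contains` filter; only the RA_0001 record should remain. Validating locally before the `requests.post` call in the snippet above catches malformed records without a round trip to the API.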