Configuring the script
To configure the script, you need to add an incident owner and, optionally, define one or more whitelists.
```python
# The new incident owner: the email address of a user or the name of a group. Cannot be blank.
# Change this value to reflect who will be the owner of the incident before running the script.
newIncidentOwner = "L1@businessname.com"
```
A whitelist is a list of trustworthy data items that should not become suspicious artifacts; for example, your own email server's IP address. There are two categories of whitelist used in the script: IP address and URL domain as shown in the following table. These whitelists are configured by altering data in the script.
| Variable Name | Line Number | Purpose |
|---|---|---|
| ipV4WhiteList | | IP v4 whitelist |
| ipV6WhiteList | | IP v6 whitelist |
| domainWhiteList | | URL domain whitelist |
Initially, the whitelists consist of commented-out entries that serve as examples of the data you might want to exclude from consideration. The whitelists have no effect until you uncomment the entries so that they form a syntactically valid Python list, or add entries of your own.
The IP address whitelists are divided into separate IPv4 and IPv6 lists. These lists apply to the IP addresses retrieved by pattern matching in the body of the email message. If an IP address appears on a whitelist then it is not added as an artifact to the incident.
You may want to whitelist an entire class A network, such as 126.96.36.199/8, or an IP range, such as 18.104.22.168 - 22.214.171.124. To add these criteria to the whitelist, add the following to ipV4WhiteList:

```python
# Whitelist for IP V4 addresses
ipV4WhiteList = WhiteList([
    "126.96.36.199/8",
    "188.8.131.52-184.108.40.206",
    "220.127.116.11"
])

# Whitelist for IP V6 addresses
ipV6WhiteList = WhiteList([
    "aaaa::/16"
])
```
The domain whitelist applies to the host names of URLs found in the message body. As shipped, its only entry is commented out:

```python
# Domain whitelist
domainWhiteList = WhiteList([
    #"*.ibm.com"
])
```

To whitelist, for example, your own mail server and every host under a partner's domain, replace it with:

```python
# Domain whitelist
domainWhiteList = WhiteList([
    "mail.businessname.com",
    "*.otherbusinessname.com"
])
```
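As an added illustration (not code from the script itself), here is a small Python stand-in for the WhiteList class that accepts the entry forms shown above, together with a filter that runs the whitelists over IPv4 addresses and URL host names pulled from a message body. The message body, addresses and host names are constructed examples.

```python
import fnmatch
import ipaddress
import re

class WhiteList:
    """Accepts CIDR blocks, 'start-end' ranges, single addresses and domain globs
    such as '*.example.com'. Hypothetical stand-in, not the script's own class."""
    def __init__(self, entries):
        self.networks, self.ranges, self.domains = [], [], []
        for entry in entries:
            entry = entry.strip()
            ends = [self._ip(part) for part in entry.split("-")]
            if "/" in entry:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            elif len(ends) == 2 and all(ends):
                self.ranges.append((min(ends), max(ends)))  # tolerate reversed bounds
            elif len(ends) == 1 and ends[0]:
                self.networks.append(ipaddress.ip_network(entry))  # host-only /32 or /128
            else:
                self.domains.append(entry.lower())

    @staticmethod
    def _ip(text):
        try:
            return ipaddress.ip_address(text.strip())
        except ValueError:
            return None

    def __contains__(self, value):
        addr = self._ip(value)
        if addr is None:  # not an address, so match it as a domain name
            return any(fnmatch.fnmatchcase(value.lower(), d) for d in self.domains)
        # ipaddress refuses to compare v4 with v6 addresses, so filter ranges by version
        return any(addr in net for net in self.networks) or any(
            lo <= addr <= hi for lo, hi in self.ranges if lo.version == addr.version)

def suspicious_artifacts(body, whitelists):
    """IPv4 addresses and URL host names found in the body that are on no whitelist."""
    found = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", body)
    found += re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    return [v for v in dict.fromkeys(found) if not any(v in wl for wl in whitelists)]

# Constructed sample: RFC 5737 documentation addresses and made-up host names
SAMPLE_BODY = """Received: from 10.20.30.40 by relay 192.0.2.15
Links: https://mail.businessname.com/owa http://login.otherbusinessname.com/reset
and http://evil.example.net/x ; scanners at 203.0.113.5 and 198.51.100.77"""
ipV4WhiteList = WhiteList(["10.0.0.0/8", "192.0.2.10-192.0.2.20", "203.0.113.5"])
ipV6WhiteList = WhiteList(["2001:db8::/32"])
domainWhiteList = WhiteList(["mail.businessname.com", "*.otherbusinessname.com"])
print(suspicious_artifacts(SAMPLE_BODY, [ipV4WhiteList, ipV6WhiteList, domainWhiteList]))
```

Only the values that survive the whitelists would go on to become incident artifacts; everything matched by a CIDR block, a range, a single address or a domain glob is dropped.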