Configuring the script
To configure the script, you need to add an incident owner and, optionally, define one or more whitelists.
# The new incident owner: the email address of a user or the name of a group. It cannot be blank.
# Change this value to reflect who will own the incident before running the script.
newIncidentOwner = "L1@businessname.com"
A whitelist is a list of trustworthy data items that should not become suspicious artifacts; for example, your own email server's IP address. There are two categories of whitelist used in the script: IP address and URL domain as shown in the following table. These whitelists are configured by altering data in the script.
Variable Name | Line Number | Purpose |
---|---|---|
ipV4WhiteList | 11 | IP v4 whitelist |
ipV6WhiteList | 30 | IP v6 whitelist |
domainWhiteList | 51 | URL domain whitelist |
Initially, the whitelists consist of commented-out entries which serve as examples of the data you might want to exclude from consideration. A whitelist has no effect until you uncomment the entries, or add entries of your own, so that the result is a syntactically valid Python list (each entry is a quoted string, and entries are separated by commas).
The IP address whitelists are divided into separate IPv4 and IPv6 lists. These lists apply to the IP addresses retrieved by pattern matching in the body of the email message. If an IP address appears on a whitelist then it is not added as an artifact to the incident.
For example, suppose you want to whitelist the entire class A network 9.0.0.0/8. You may also want to whitelist an IP range, such as 12.0.0.1 - 12.5.5.5, and a single host, 13.13.13.13. To add these criteria to the whitelist, add the following entries to ipV4WhiteList: "9.0.0.0/8", "12.0.0.1-12.5.5.5" and "13.13.13.13". The resulting list looks like this:
# Whitelist for IP V4 addresses
ipV4WhiteList = WhiteList([
"9.0.0.0/8",
"12.0.0.1-12.5.5.5",
"13.13.13.13"
])
The IPv6 whitelist takes the same kinds of entries. For example, to exclude every address in the aaaa::/16 block:
# Whitelist for IP V6 addresses
ipV6WhiteList = WhiteList([
"aaaa::/16"
])
The domain whitelist applies to the domains of URLs found in the body of the email message. As shipped, it contains only a commented-out example entry and therefore excludes nothing:
# Domain whitelist
domainWhiteList = WhiteList([
#"*.ibm.com"
])
A configured domain whitelist that excludes your own mail host and, using a leading "*." wildcard, every subdomain of a partner's domain looks like this:
# Domain whitelist
domainWhiteList = WhiteList([
"mail.businessname.com",
"*.otherbusinessname.com"
])
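The following is an added example, not code from the script itself, that shows how the three whitelists above behave when applied to artifacts pulled from a message body. The WhiteList class here is an illustrative stand-in written for this page (the script's own class is not reproduced), the regular expressions used to find IP addresses and URL hosts are assumptions about the pattern matching the script performs, and the email body is constructed for the example. The whitelist entries are exactly the ones configured above: a CIDR block, an address range, a single host, an IPv6 block, a mail host and a wildcard domain.

```python
import fnmatch
import ipaddress
import re


class WhiteList:
    """Illustrative stand-in for the script's WhiteList class (not the script's
    own code). One list may mix CIDR blocks ("9.0.0.0/8"), address ranges
    ("12.0.0.1-12.5.5.5"), single addresses ("13.13.13.13") and wildcard host
    names ("*.otherbusinessname.com")."""

    def __init__(self, entries):
        self.networks = []   # ipaddress network objects (CIDR blocks and single hosts)
        self.ranges = []     # (low, high) address pairs for "a-b" entries
        self.domains = []    # lower-cased fnmatch patterns for host names
        for entry in entries:
            entry = entry.strip()
            if not entry:
                continue
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
                continue
            except ValueError:
                pass
            low, dash, high = entry.partition("-")
            if dash:
                try:
                    lo = ipaddress.ip_address(low.strip())
                    hi = ipaddress.ip_address(high.strip())
                except ValueError:
                    pass  # not an address range; host names may contain '-'
                else:
                    if lo.version != hi.version or lo > hi:
                        raise ValueError("invalid address range: %r" % entry)
                    self.ranges.append((lo, hi))
                    continue
            self.domains.append(entry.lower())

    def contains_ip(self, value):
        """True if value is an address covered by a CIDR, host or range entry."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        if any(addr in net for net in self.networks):  # False across IP versions
            return True
        return any(lo <= addr <= hi for lo, hi in self.ranges
                   if lo.version == addr.version)

    def contains_domain(self, host):
        """True if host matches a pattern. Note that "*.x.com" matches
        sub.x.com but not the bare x.com; list both if you want both."""
        host = host.lower().rstrip(".")
        return any(fnmatch.fnmatchcase(host, pat) for pat in self.domains)


# The whitelists exactly as configured on this page.
ipV4WhiteList = WhiteList(["9.0.0.0/8", "12.0.0.1-12.5.5.5", "13.13.13.13"])
ipV6WhiteList = WhiteList(["aaaa::/16"])
domainWhiteList = WhiteList(["mail.businessname.com", "*.otherbusinessname.com"])

# Assumed patterns (not the script's own): IPv4 dotted quads, loose IPv6
# candidates (validated below, since the loose pattern also hits text like
# "12:30"), and the host part of http(s) URLs.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9a-f]{1,4}:){1,7}[0-9a-f:]+\b", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def extract_artifacts(body):
    """Return the IPs and URL hosts in body that would become artifacts, and
    the ones the whitelists suppressed. Duplicates are collapsed and first-seen
    order is kept."""
    found = {"ips": [], "hosts": [], "suppressed_ips": [], "suppressed_hosts": []}
    for value in IPV4_RE.findall(body) + IPV6_RE.findall(body):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # e.g. "999.1.2.3" or a time such as "12:30"
        text = str(addr)
        whitelist = ipV4WhiteList if addr.version == 4 else ipV6WhiteList
        bucket = "suppressed_ips" if whitelist.contains_ip(text) else "ips"
        if text not in found[bucket]:
            found[bucket].append(text)
    for host in URL_HOST_RE.findall(body):
        bucket = "suppressed_hosts" if domainWhiteList.contains_domain(host) else "hosts"
        if host not in found[bucket]:
            found[bucket].append(host)
    return found


# Constructed message body for the example; none of these addresses or hosts are real.
SAMPLE_BODY = """\
Received: from mail.businessname.com (9.12.34.56) by mx.example.net
Received: from relay.otherbusinessname.com ([12.3.4.5])
Please verify your account at http://login.badsite.example/verify
or http://mail.businessname.com/owa and https://relay.otherbusinessname.com/track
Contact 13.13.13.13 or 198.51.100.77 (also 198.51.100.77).
IPv6 senders aaaa::1 and 2001:db8::5.
"""

if __name__ == "__main__":
    for key, values in extract_artifacts(SAMPLE_BODY).items():
        print(key, values)
```

Running the block shows that 9.12.34.56 (inside 9.0.0.0/8), 12.3.4.5 (inside the range), 13.13.13.13 and aaaa::1 are dropped, while 198.51.100.77 and 2001:db8::5 survive as artifacts; of the URL hosts only login.badsite.example is kept. Two points worth checking in your own configuration: a range entry is validated at load time, so a typo such as "12.5.5.5-12.0.0.1" fails immediately rather than silently matching nothing, and a "*." wildcard does not cover the bare apex domain.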