Configuring the script

To configure the script, you need to add an incident owner and, optionally, define one or more whitelists.

New incidents need an owner, which is either an individual identified by their email address or a group name. In the provided script, this value is left blank. To add a Resilient user as the owner, locate and edit line 8 of the script. For example, to make L1@businessname.com the owner, change it as follows:
# The new incident owner - email address of a user or name of a group and cannot be blank.
# Change this value to reflect who will be the owner of the incident before running the script.
newIncidentOwner = "L1@businessname.com"

A whitelist is a list of trustworthy data items that should not become suspicious artifacts; for example, your own email server's IP address. There are two categories of whitelist used in the script: IP address and URL domain as shown in the following table. These whitelists are configured by altering data in the script.

Variable Name      Line Number   Purpose
ipV4WhiteList      11            IP v4 whitelist
ipV6WhiteList      30            IP v6 whitelist
domainWhiteList    51            URL domain whitelist

Initially, the whitelists consist of commented-out entries which serve as examples of the data you might want to exclude from consideration. The whitelists have no effect until you uncomment those entries or add entries of your own. Each whitelist is a list of quoted strings, so every entry must be enclosed in quotes and separated from the next by a comma; a missing quote or comma prevents the script from running.

The IP address whitelists are divided into separate IPv4 and IPv6 lists. These lists apply to the IP addresses retrieved by pattern matching in the body of the email message. If an IP address appears on a whitelist then it is not added as an artifact to the incident.

An IP whitelist entry can take one of three forms: a CIDR (Classless Inter-Domain Routing) block, an IP range written as two addresses separated by a hyphen, or a single explicit address. For example, in IPv4, IBM owns the 9.0.0.0/8 network (the former class A "9" network). You may also want to whitelist an IP range, such as 12.0.0.1 - 12.5.5.5. To add these criteria to the whitelist, add the following entries to ipV4WhiteList:
  "9.0.0.0/8",
  "12.0.0.1-12.5.5.5"
You may also want to whitelist an explicit IP address, such as 13.13.13.13. This is specified as:
  "13.13.13.13"
IP v6 whitelists operate in the same way. For example, you might add "aaaa::/16" to whitelist an IPv6 CIDR block. The following example shows the IPV4 and IPV6 whitelists with these changes applied:
 # Whitelist for IP V4 addresses 
 ipV4WhiteList = WhiteList([
   "9.0.0.0/8",
   "12.0.0.1-12.5.5.5",
   "13.13.13.13"
 ])

 # Whitelist for IP V6 addresses
 ipV6WhiteList = WhiteList([
   "aaaa::/16"
 ])
The domain whitelist applies to URLs found in the body of the email. If the domain of a potential URL artifact is on the whitelist, the URL is not added to the incident. Domains can be added explicitly, such as mail.businessname.com, or by using a wildcard, such as *.otherbusinessname.com. First, locate these lines:
# Domain whitelist
domainWhiteList = WhiteList([
  #"*.ibm.com"
])
Change them to:
# Domain whitelist
domainWhiteList = WhiteList([
  "mail.businessname.com",
  "*.otherbusinessname.com"
])
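The page does not show how the script's WhiteList class decides whether a candidate IP address or URL matches an entry. The following is an added example, written for this page and not the script's own code, that implements the matching semantics described above (CIDR blocks, hyphenated ranges, explicit addresses, explicit and wildcard domains) with the Python standard library, then filters a constructed set of candidate artifacts through the same entries used in the examples. The class names ExampleWhiteList and ExampleDomainWhiteList, the exact wildcard semantics, and the sample artifacts are assumptions; the real script may differ in detail, so use this to sanity-check your entries before running it, not as a description of its internals.

```python
import fnmatch
import ipaddress
from typing import Iterable, List, Tuple, Union
from urllib.parse import urlparse

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ExampleWhiteList:
    """Assumed stand-in for the script's IP WhiteList (not the original code).

    Accepts CIDR blocks ("9.0.0.0/8"), hyphenated ranges ("12.0.0.1-12.5.5.5")
    and single addresses ("13.13.13.13"). Every entry is normalised to one or
    more networks at construction time, so a malformed entry fails early
    (ValueError) instead of silently never matching.
    """

    def __init__(self, entries: Iterable[str]):
        self.networks: List[Network] = []
        for entry in entries:
            entry = entry.strip()
            if "-" in entry:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError(f"bad range: {entry!r}")
                # Minimal set of CIDR blocks that exactly covers lo..hi inclusive.
                self.networks.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                # strict=False tolerates host bits in a block; a bare address
                # becomes a /32 (IPv4) or /128 (IPv6) network.
                self.networks.append(ipaddress.ip_network(entry, strict=False))

    def matches(self, candidate: str) -> bool:
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            return False  # not an IP address at all; nothing to whitelist
        return any(addr.version == net.version and addr in net for net in self.networks)


class ExampleDomainWhiteList:
    """Assumed stand-in for the domain WhiteList (not the original code).

    Entries are shell-style patterns: "mail.businessname.com" matches only
    that host; "*.otherbusinessname.com" matches any subdomain at any depth.
    Note that "*.otherbusinessname.com" does NOT match the bare apex
    "otherbusinessname.com"; add it as a separate entry if you want that.
    """

    def __init__(self, entries: Iterable[str]):
        self.patterns = [e.strip().lower() for e in entries]

    def matches(self, domain: str) -> bool:
        host = domain.lower().rstrip(".")
        return any(fnmatch.fnmatchcase(host, p) for p in self.patterns)


def filter_artifacts(ip_candidates: List[str], url_candidates: List[str],
                     ipv4_wl: ExampleWhiteList, ipv6_wl: ExampleWhiteList,
                     domain_wl: ExampleDomainWhiteList) -> Tuple[List[str], List[str]]:
    """Return the (ips, urls) that would still become incident artifacts."""
    kept_ips = [ip for ip in ip_candidates
                if not (ipv4_wl.matches(ip) or ipv6_wl.matches(ip))]
    kept_urls = [url for url in url_candidates
                 if not domain_wl.matches(urlparse(url).hostname or "")]
    return kept_ips, kept_urls


# The same entries the page uses in its examples.
ipV4WhiteList = ExampleWhiteList(["9.0.0.0/8", "12.0.0.1-12.5.5.5", "13.13.13.13"])
ipV6WhiteList = ExampleWhiteList(["aaaa::/16"])
domainWhiteList = ExampleDomainWhiteList(["mail.businessname.com", "*.otherbusinessname.com"])


def example_filter() -> Tuple[List[str], List[str]]:
    """Run the filter over constructed candidates (invented for this example)."""
    ip_candidates = ["9.1.2.3", "12.3.4.5", "13.13.13.13", "198.51.100.7",
                     "aaaa:1::5", "2001:db8::1"]
    url_candidates = ["http://mail.businessname.com/login", "https://evil.example/x",
                      "http://a.otherbusinessname.com/", "http://otherbusinessname.com/"]
    return filter_artifacts(ip_candidates, url_candidates,
                            ipV4WhiteList, ipV6WhiteList, domainWhiteList)


if __name__ == "__main__":
    ips, urls = example_filter()
    print("IP artifacts kept:", ips)    # expect only 198.51.100.7 and 2001:db8::1
    print("URL artifacts kept:", urls)  # expect evil.example and the bare apex domain
```

Because entries are parsed when the whitelist is built, running this once with your own entries is a quick way to catch a mistyped CIDR or a reversed range before the script processes live mail. The apex-domain behaviour of the wildcard is the point most worth checking against the real script: if you need both otherbusinessname.com and its subdomains excluded, list both.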