Integrates with G Suite for various investigative and containment actions
Supported Actions
- on poll: Poll for new emails from Gmail and yield Container objects.
- on es poll: Poll for new emails and yield Finding objects for ES ingestion.
- test connectivity: Test connectivity to Google Workspace.
    Verifies that the service account credentials are valid and can access
    the configured domain.
- get user: Retrieve user profile information.
    Uses the Gmail API to get user profile metadata, including message and
    thread counts.
    Args:
        params: Action parameters containing the email address
        soar: SOAR client instance
        asset: Asset configuration object
    Returns:
        User profile information
    Raises:
        ActionFailure: If user retrieval fails
- list users: List users in the Google Workspace domain.
    Uses the Admin SDK to retrieve users with pagination support.
    Args:
        params: Action parameters with optional max_items and page_token
        soar: SOAR client instance
        asset: Asset configuration object
    Returns:
        List of user profiles
    Raises:
        ActionFailure: If user listing fails
- run query: Search emails in a user's mailbox.
    Constructs a Gmail query from the provided filters and returns matching
    emails with pagination support.
    Args:
        params: Action parameters for search filters
        soar: SOAR client instance
        asset: Asset configuration object
    Returns:
        List of matching email messages
    Raises:
        ActionFailure: If search fails
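The two pieces that `list users` and `run query` share, query construction and `nextPageToken` pagination, as an added example; this is illustrative code, not the app's own. `build_gmail_query` maps a filter dict onto Gmail's search operators (`from:`, `subject:`, `has:attachment`, ...), and `paginate` follows `nextPageToken` until `max_items` results are collected, which is how both the Gmail `users().messages().list` and the Admin SDK `users().list` calls page. The filter key names, the `fake_messages_list` stand-in for the API client and the message IDs it returns are constructed for the example.

```python
from typing import Callable, Optional

# Filter keys accepted by build_gmail_query (names chosen for this example)
# mapped onto Gmail's own search operators.
_OPERATORS = {
    "from": "from:{}",
    "to": "to:{}",
    "subject": 'subject:"{}"',
    "label": "label:{}",
    "after": "after:{}",    # Gmail accepts YYYY/MM/DD or epoch seconds
    "before": "before:{}",
}


def build_gmail_query(filters: dict) -> str:
    """Turn a dict of search filters into the Gmail `q` parameter.

    Empty values are skipped, `has_attachment` and `unread` are boolean flags,
    and `query` is appended verbatim for operators not modelled here.
    """
    parts = []
    for key, template in _OPERATORS.items():
        value = filters.get(key)
        if value:
            # Strip embedded quotes so a subject filter cannot break out of
            # the quoted operator and smuggle in extra search terms.
            parts.append(template.format(str(value).replace('"', "").strip()))
    if filters.get("has_attachment"):
        parts.append("has:attachment")
    if filters.get("unread"):
        parts.append("is:unread")
    if filters.get("query"):
        parts.append(str(filters["query"]).strip())
    return " ".join(parts)


def paginate(fetch: Callable[[Optional[str]], dict], items_key: str, max_items: int) -> list:
    """Follow nextPageToken until max_items are collected or pages run out.

    `fetch(page_token)` performs one API call and returns the decoded JSON page.
    For Gmail that is service.users().messages().list(userId=..., q=...,
    pageToken=page_token).execute(); for the Admin SDK it is
    service.users().list(customer="my_customer", pageToken=page_token).execute().
    """
    results: list = []
    page_token = None
    while len(results) < max_items:
        page = fetch(page_token)
        results.extend(page.get(items_key, []))
        page_token = page.get("nextPageToken")
        if not page_token:
            break
    return results[:max_items]


def fake_messages_list(query: str) -> Callable[[Optional[str]], dict]:
    """Constructed stand-in for the Gmail messages.list endpoint: three pages of
    fake message IDs whatever the query, so the example runs offline."""
    pages = {
        None: {"messages": [{"id": "m1"}, {"id": "m2"}], "nextPageToken": "p2"},
        "p2": {"messages": [{"id": "m3"}, {"id": "m4"}], "nextPageToken": "p3"},
        "p3": {"messages": [{"id": "m5"}]},
    }
    return lambda page_token: pages[page_token]


if __name__ == "__main__":
    q = build_gmail_query({"from": "alerts@example.com", "subject": "invoice",
                           "after": "2024/01/01", "has_attachment": True})
    print(q)
    print(paginate(fake_messages_list(q), "messages", max_items=3))
```

`paginate` stops as soon as `max_items` is reached rather than draining every page, which matters on large mailboxes and domains where the API keeps handing out tokens; the returned list is sliced so a page that overshoots the limit does not leak extra items into the action result.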
- delete email: Delete emails from a user's mailbox (idempotent).
    Deletes one or more emails by message ID. A message ID that no longer
    exists (most likely because it was already deleted) is treated as a
    success and recorded in ignored_ids.
    Args:
        params: Action parameters with email and message IDs
        soar: SOAR client instance
        asset: Asset configuration object
    Returns:
        Summary of deleted and ignored/already-deleted email IDs
    Raises:
        ActionFailure: If no valid email IDs are provided, or if any deletion
        fails for a reason other than the message already being deleted (404)
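The idempotent delete described above as an added example (not the app's code): a 404 means the desired end state already holds and goes into `ignored_ids`, while every other error is surfaced as `ActionFailure`. The `HttpError` class here is a constructed stand-in for `googleapiclient.errors.HttpError` so the example runs offline (the real one exposes the status as `err.resp.status`), and `make_fake_mailbox` plays the part of `service.users().messages().delete(...)`.

```python
class HttpError(Exception):
    """Constructed stand-in for googleapiclient.errors.HttpError carrying the
    HTTP status; the real class exposes it as err.resp.status."""

    def __init__(self, status: int, reason: str = ""):
        super().__init__(f"HTTP {status}: {reason}")
        self.status = status


class ActionFailure(Exception):
    """Raised when the action cannot complete (the exception the page names)."""


def delete_messages(delete_fn, user_email: str, message_ids) -> dict:
    """Delete each message ID, treating an already-missing message as success.

    `delete_fn(user_email, message_id)` performs one API call; for Gmail that is
    service.users().messages().delete(userId=user_email, id=message_id).execute().
    """
    # Drop blanks and duplicates while keeping the caller's order.
    ids = list(dict.fromkeys(m.strip() for m in message_ids if isinstance(m, str) and m.strip()))
    if not ids:
        raise ActionFailure("no valid message IDs were provided")

    deleted, ignored = [], []
    for mid in ids:
        try:
            delete_fn(user_email, mid)
            deleted.append(mid)
        except HttpError as err:
            if err.status == 404:
                # Already gone (typically removed by an earlier run of the same
                # playbook): the end state is what we wanted, so record and go on.
                ignored.append(mid)
            else:
                # 403 (missing scope or delegation), 5xx and anything else are
                # real failures; do not report them as a clean containment.
                raise ActionFailure(f"failed to delete {mid} for {user_email}: {err}") from err
    return {"deleted_ids": deleted, "ignored_ids": ignored}


def make_fake_mailbox(existing: set):
    """Constructed stand-in for the Gmail delete endpoint backed by a set of IDs."""
    def delete(user_email: str, message_id: str) -> None:
        if message_id == "forbidden":
            raise HttpError(403, "insufficientPermissions")
        if message_id not in existing:
            raise HttpError(404, "Requested entity was not found.")
        existing.remove(message_id)
    return delete


if __name__ == "__main__":
    mailbox = make_fake_mailbox({"a", "b"})
    print(delete_messages(mailbox, "user@example.com", ["a", "gone", "b"]))
    print(delete_messages(mailbox, "user@example.com", ["a"]))  # second run: all ignored
```

Two caveats a practitioner will want when wiring this to the real endpoint: `messages.delete` removes the message permanently and bypasses Trash, and it requires the full `https://mail.google.com/` scope on the delegated service account; `messages.trash` is the reversible alternative when the playbook may need to undo a containment.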
- get email: Retrieve and parse email details.
    Fetches the email from the Gmail API, parses the MIME structure, extracts
    IOCs, and optionally stores the attachments and the raw email in the vault.
    Args:
        params: Action parameters
        soar: SOAR client instance
        asset: Asset configuration object
    Returns:
        Parsed email with extracted data
    Raises:
        ActionFailure: If email retrieval fails
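The parse-and-extract step of `get email`, written out as an added example rather than taken from the app: it decodes the base64url `raw` field that `messages.get(format="raw")` returns, walks the MIME tree with the standard library, hashes each attachment (the value a vault entry would carry) and pulls URLs, domains, IPv4 addresses and e-mail addresses from the body and routing headers. `SAMPLE_EML` is a constructed message using reserved example/test domains and a TEST-NET-3 address; the regexes and the output dict layout are this example's own choices.

```python
import base64
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (reserved example/test domains, TEST-NET-3 address).
SAMPLE_EML = b"""\
From: Payroll <payroll@example-invoices.test>
To: alice@example.com
Reply-To: collect@evil.example
Subject: Updated invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review at http://tracking.evil.example/inv/42?u=alice
Backup mirror: http://203.0.113.10/inv.zip
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
# What messages.get(format="raw") would hand back for that message.
SAMPLE_RAW_B64 = base64.urlsafe_b64encode(SAMPLE_EML).decode("ascii")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_iocs(text: str) -> dict:
    """Pull URLs, their hostnames, IPv4 addresses and e-mail addresses from text."""
    urls = set(URL_RE.findall(text))
    domains = set()
    for url in urls:
        host = urlparse(url).hostname
        if host and not IPV4_RE.fullmatch(host):   # keep literal-IP hosts out of domains
            domains.add(host.lower())
    return {
        "urls": sorted(urls),
        "ips": sorted(set(IPV4_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "domains": sorted(domains),
    }


def parse_email(raw: bytes) -> dict:
    """Parse an RFC 822 message into headers, body text, attachment metadata and IOCs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            payload = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "size": len(payload),
                # Hash the decoded bytes so it matches the file a vault would store.
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            text_parts.append(part.get_content())
    # Routing headers are scanned too, so a Reply-To pointing elsewhere shows up.
    header_text = " ".join(str(msg.get(h, "")) for h in ("From", "To", "Reply-To", "Return-Path"))
    body_text = "\n".join(text_parts)
    return {
        "subject": str(msg.get("Subject", "")),
        "from": str(msg.get("From", "")),
        "body_text": body_text,
        "attachments": attachments,
        "iocs": extract_iocs(header_text + "\n" + body_text),
    }


def parse_gmail_raw(raw_b64url: str) -> dict:
    """Decode the base64url `raw` field from messages.get and parse it."""
    return parse_email(base64.urlsafe_b64decode(raw_b64url))


if __name__ == "__main__":
    print(parse_gmail_raw(SAMPLE_RAW_B64)["iocs"])
```

Hashing the decoded attachment bytes rather than the base64 text is what makes the value comparable with a vault entry or a threat-intel lookup; the size in the result is likewise the decoded size.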
- send email: Send email via Gmail.
    Constructs a MIME message with attachments, respecting the 25 MB size
    limit. Optionally creates a send-as alias before sending.
    Args:
        params: Action parameters
        soar: SOAR client instance
        asset: Asset configuration object
    Returns:
        Send result with message ID and thread ID
    Raises:
        ActionFailure: If email send fails
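The MIME construction and size check behind `send email`, as an added example that is not the app's code: `build_message` assembles a multipart message with the standard library, `encode_for_gmail` enforces the 25 MB limit on the serialized bytes and wraps them as the base64url `raw` body that `users().messages().send` expects, and `decode_raw` is included only to verify the round trip. The `send_as` parameter, the attachment tuple layout and the `max_bytes` override are this example's own; the Gmail API calls named in comments are real, but are not executed here.

```python
import base64
import email
from email import policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

GMAIL_MAX_MESSAGE_BYTES = 25 * 1024 * 1024  # the 25 MB limit the action enforces


class ActionFailure(Exception):
    """Raised when the action cannot complete (the exception the page names)."""


def build_message(sender: str, recipients, subject: str, body: str,
                  attachments=(), send_as: str = None) -> EmailMessage:
    """Build a multipart MIME message.

    `attachments` is a sequence of (filename, bytes, "type/subtype") tuples.
    `send_as` is an alias to place in From:; Gmail only honours it if the alias
    exists on the account, which is what the action's optional
    users().settings().sendAs().create(...) step arranges beforehand.
    """
    msg = EmailMessage()
    msg["From"] = send_as or sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=sender.split("@")[-1])
    msg.set_content(body)
    for filename, data, mimetype in attachments:
        maintype, subtype = mimetype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def encode_for_gmail(msg: EmailMessage, max_bytes: int = GMAIL_MAX_MESSAGE_BYTES) -> dict:
    """Serialize, size-check, and wrap as the `raw` body messages.send expects.

    The check runs on the serialized RFC 822 bytes, base64 attachment encoding
    included, rather than on the attachment payloads alone, so a batch of files
    that fits on disk but not on the wire is rejected before the API call.
    """
    raw = msg.as_bytes()
    if len(raw) > max_bytes:
        raise ActionFailure(f"message is {len(raw)} bytes, limit is {max_bytes}")
    return {"raw": base64.urlsafe_b64encode(raw).decode("ascii")}


def decode_raw(raw_b64url: str) -> EmailMessage:
    """Inverse of encode_for_gmail; used here to verify the round trip."""
    return email.message_from_bytes(base64.urlsafe_b64decode(raw_b64url), policy=policy.default)


if __name__ == "__main__":
    m = build_message("soar@example.com", ["alice@example.com"], "Case artefacts",
                      "Attached is the exported report.",
                      [("report.bin", b"\x00\x01\x02", "application/octet-stream")])
    body = encode_for_gmail(m)
    # Real call: service.users().messages().send(userId="me", body=body).execute()
    # returns {"id": ..., "threadId": ...}, the two values the action reports.
    print(len(body["raw"]), "bytes of base64url payload")
```

Because base64 inflates attachments by about a third, checking the serialized size is the only way to know what Gmail will actually see; checking the sum of the raw attachment sizes lets messages through that the API then rejects.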