G Suite for GMail

Integrates with G Suite for various investigative and containment actions

Built by Splunk LLC

Latest Version 3.2.0
June 2, 2026
Compatibility
SOAR On-Prem, SOAR Cloud
Platform Version: 8.5, 8.4, 8.0, 7.2, 7.1, 7.0
Rating

0

(0)

Support
Splunk Supported connector
Ranking

#4

in Email
Supported Actions

  • on poll: Poll for new emails from Gmail and yield Container objects.
  • on es poll: Poll for new emails and yield Finding objects for ES ingestion.
  • test connectivity: Test connectivity to Google Workspace. Verifies that the service account credentials are valid and can access the configured domain.
  • get user: Retrieve user profile information. Uses the Gmail API to get user profile metadata including message and thread counts. Args: params (action parameters containing email address); soar (SOAR client instance); asset (asset configuration object). Returns: user profile information. Raises: ActionFailure if user retrieval fails.
  • list users: List users in the Google Workspace domain. Uses the Admin SDK to retrieve users with pagination support. Args: params (action parameters with optional max_items and page_token); soar (SOAR client instance); asset (asset configuration object). Returns: list of user profiles. Raises: ActionFailure if user listing fails.
  • run query: Search emails in a user's mailbox. Constructs a Gmail query from provided filters and returns matching emails with pagination support. Args: params (action parameters for search filters); soar (SOAR client instance); asset (asset configuration object). Returns: list of matching email messages. Raises: ActionFailure if search fails.
  • delete email: Delete emails from a user's mailbox (idempotent). Deletes one or more emails by their message IDs. If a message ID doesn't exist (likely already deleted), it's treated as successful and added to ignored_ids. Args: params (action parameters with email and message IDs); soar (SOAR client instance); asset (asset configuration object). Returns: summary of deleted and ignored/already-deleted email IDs. Raises: ActionFailure if no valid email IDs are provided, or if any deletion fails for a reason other than the message already being deleted (404).
  • get email: Retrieve and parse email details. Fetches email from Gmail API, parses MIME structure, extracts IOCs and optionally downloads attachments and raw email to vault. Args: params (action parameters); soar (SOAR client instance); asset (asset configuration object). Returns: parsed email with extracted data. Raises: ActionFailure if email retrieval fails.
  • send email: Send email via Gmail. Constructs MIME message with attachments, respecting 25MB size limit. Optionally creates send-as alias before sending. Args: params (action parameters); soar (SOAR client instance); asset (asset configuration object). Returns: send result with message ID and thread ID. Raises: ActionFailure if email send fails.
  • trash email: Move emails to trash in a user's mailbox (idempotent). Moves one or more emails to the Trash label by their message IDs. If a message ID doesn't exist, it is treated as successful and added to ignored_ids. Args: params (action parameters with email and message IDs); soar (SOAR client instance); asset (asset configuration object). Returns: summary of trashed and ignored/already-trashed email IDs. Raises: ActionFailure if no valid email IDs are provided, or if any trash operation fails for a reason other than the message not existing (404).
  • untrash email: Restore emails from trash in a user's mailbox (idempotent). Removes one or more emails from the Trash label by their message IDs. If a message ID doesn't exist, it is treated as successful and added to ignored_ids. Args: params (action parameters with email and message IDs); soar (SOAR client instance); asset (asset configuration object). Returns: summary of untrashed and ignored email IDs. Raises: ActionFailure if no valid email IDs are provided, or if any untrash operation fails for a reason other than the message not existing (404).
  • add label: Add labels to emails in a user's mailbox using Gmail batchModify. Applies one or more label IDs to one or more messages. Args: params (action parameters with email, message IDs, and label IDs); soar (SOAR client instance); asset (asset configuration object). Returns: summary of labeled email IDs. Raises: ActionFailure if no valid email IDs or label IDs are provided, if more than 1000 message IDs are supplied, or if the batch modify request fails.
  • make request: make request

Categories

Email

Created By

Splunk LLC

Type

connector

Downloads

32,106
