Gmail
Gmail_BlockDomain
Details
Author |
David Strassegger, @oscd_initiative |
Version |
1.0 |
License |
MIT |
Requires Registration |
No |
Requires Subscription |
No |
Free Subscription Available |
No |
DataType Supported |
thehive:case_artifact |
Description
Move emails from a given domain to trash
Configuration
Name |
Description |
thehive_url |
URL for thehive instance |
thehive_api_key |
API key for TheHive instance |
gmail_domain |
Gsuite Domain |
gmail_project_id |
GCP Project ID |
gmail_private_key_id |
Service account private key id |
gmail_private_key |
Service Account private key (PEM Format) |
gmail_client_email |
Service Account E-Mail address |
gmail_client_id |
OAuth Client ID |
Gmail_BlockSender
Details
Author |
David Strassegger, @oscd_initiative |
Version |
1.0 |
License |
MIT |
Requires Registration |
No |
Requires Subscription |
No |
Free Subscription Available |
No |
DataType Supported |
thehive:case_artifact |
Description
Move emails from a given sender to trash
Configuration
Name |
Description |
thehive_url |
URL for thehive instance |
thehive_api_key |
API key for TheHive instance |
gmail_domain |
Gsuite Domain |
gmail_project_id |
GCP Project ID |
gmail_private_key_id |
Service account private key id |
gmail_private_key |
Service Account private key (PEM Format) |
gmail_client_email |
Service Account E-Mail address |
gmail_client_id |
OAuth Client ID |
Gmail_DeleteMessage
Details
Author |
David Strassegger, @oscd_initiative |
Version |
1.0 |
License |
MIT |
Requires Registration |
No |
Requires Subscription |
No |
Free Subscription Available |
No |
DataType Supported |
thehive:case_artifact |
Description
Move a given message into the trash folder
Configuration
Name |
Description |
thehive_url |
URL for thehive instance |
thehive_api_key |
API key for TheHive instance |
gmail_domain |
Gsuite Domain |
gmail_project_id |
GCP Project ID |
gmail_private_key_id |
Service account private key id |
gmail_private_key |
Service Account private key (PEM Format) |
gmail_client_email |
Service Account E-Mail address |
gmail_client_id |
OAuth Client ID |
Gmail_UnblockDomain
Details
Author |
David Strassegger, @oscd_initiative |
Version |
1.0 |
License |
MIT |
Requires Registration |
No |
Requires Subscription |
No |
Free Subscription Available |
No |
DataType Supported |
thehive:case_artifact |
Description
Remove a message filter for a given domain
Configuration
Name |
Description |
thehive_url |
URL for thehive instance |
thehive_api_key |
API key for TheHive instance |
gmail_domain |
Gsuite Domain |
gmail_project_id |
GCP Project ID |
gmail_private_key_id |
Service account private key id |
gmail_private_key |
Service Account private key (PEM Format) |
gmail_client_email |
Service Account E-Mail address |
gmail_client_id |
OAuth Client ID |
Gmail_UnblockSender
Details
Author |
David Strassegger, @oscd_initiative |
Version |
1.0 |
License |
MIT |
Requires Registration |
No |
Requires Subscription |
No |
Free Subscription Available |
No |
DataType Supported |
thehive:case_artifact |
Description
Remove a message filter for a given sender
Configuration
Name |
Description |
thehive_url |
URL for thehive instance |
thehive_api_key |
API key for TheHive instance |
gmail_domain |
Gsuite Domain |
gmail_project_id |
GCP Project ID |
gmail_private_key_id |
Service account private key id |
gmail_private_key |
Service Account private key (PEM Format) |
gmail_client_email |
Service Account E-Mail address |
gmail_client_id |
OAuth Client ID |
Additional details from the README file:
Gmail responder
This responder allows mailbox manipulation of Gsuite / Google Workspace accounts. The responder can be used to implement message filters and delete message in a mailbox of a Gmail user.
Usage:
You can block
mail
anddomain
observablesOperations are carried out against all gmail addresses (dataType
mail
) in the caseExample:
john.doe@gmail.com
orpeter.parker@custom.domain
Custom domain can be set in the responder config
The message ID of deleted messages is added as tag to the respective gmail address (dataType
mail
)Messages can only be deleted via Gmail query syntax (datatype
other
); this enables one to bulk delete a lot of messages
The filter ID of a blocked
domain
ormail
gets added as tag to respective gmail address (dataTypemail
)All observables that get blocked/unblocked get a
gmail:handled
tag
Constrains:
TheHive API key needs to provide read AND write permissions
The Gmail user MUST be part of a Gsuite domain.
Gsuite domain MUST have an service account enabled with domain-wide delegation.
The service account MUST be configured with the following OAuth Scopes:
https://mail.google.com/
https://www.googleapis.com/auth/gmail.settings.basic
How to setup a Gmail service account
The responder needs a Gmail service account with domain-wide delegation. The rough setup steps are:
enable a service account via GCP
enable Gmail API
get service account
client_id
(oauth approval screens + domain-wide delegation needed)change to Gsuite Admin panel
add third party app (security->API controls) with
client_id
add domain-wide delegation with
client_id
A detailed guideline for a service account setup can be found in the Google OAuth Python Client Docs.