Details
| Author | David Strassegger, @oscd_initiative |
| Version | 1.0 |
| License | MIT |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:case_artifact |
Description
Move emails from a given domain to trash
Configuration
| Name | Description |
| thehive_url | URL for thehive instance |
| thehive_api_key | API key for TheHive instance |
| gmail_domain | Gsuite Domain |
| gmail_project_id | GCP Project ID |
| gmail_private_key_id | Service account private key id |
| gmail_private_key | Service Account private key (PEM Format) |
| gmail_client_email | Service Account E-Mail address |
| gmail_client_id | OAuth Client ID |
Details
| Author | David Strassegger, @oscd_initiative |
| Version | 1.0 |
| License | MIT |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:case_artifact |
Description
Move emails from a given sender to trash
Configuration
| Name | Description |
| thehive_url | URL for thehive instance |
| thehive_api_key | API key for TheHive instance |
| gmail_domain | Gsuite Domain |
| gmail_project_id | GCP Project ID |
| gmail_private_key_id | Service account private key id |
| gmail_private_key | Service Account private key (PEM Format) |
| gmail_client_email | Service Account E-Mail address |
| gmail_client_id | OAuth Client ID |
Details
| Author | David Strassegger, @oscd_initiative |
| Version | 1.0 |
| License | MIT |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:case_artifact |
Description
Move a given message into the trash folder
Configuration
| Name | Description |
| thehive_url | URL for thehive instance |
| thehive_api_key | API key for TheHive instance |
| gmail_domain | Gsuite Domain |
| gmail_project_id | GCP Project ID |
| gmail_private_key_id | Service account private key id |
| gmail_private_key | Service Account private key (PEM Format) |
| gmail_client_email | Service Account E-Mail address |
| gmail_client_id | OAuth Client ID |
Details
| Author | David Strassegger, @oscd_initiative |
| Version | 1.0 |
| License | MIT |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:case_artifact |
Description
Remove a message filter for a given domain
Configuration
| Name | Description |
| thehive_url | URL for thehive instance |
| thehive_api_key | API key for TheHive instance |
| gmail_domain | Gsuite Domain |
| gmail_project_id | GCP Project ID |
| gmail_private_key_id | Service account private key id |
| gmail_private_key | Service Account private key (PEM Format) |
| gmail_client_email | Service Account E-Mail address |
| gmail_client_id | OAuth Client ID |
Details
| Author | David Strassegger, @oscd_initiative |
| Version | 1.0 |
| License | MIT |
| Requires Registration | No |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | thehive:case_artifact |
Description
Remove a message filter for a given sender
Configuration
| Name | Description |
| thehive_url | URL for thehive instance |
| thehive_api_key | API key for TheHive instance |
| gmail_domain | Gsuite Domain |
| gmail_project_id | GCP Project ID |
| gmail_private_key_id | Service account private key id |
| gmail_private_key | Service Account private key (PEM Format) |
| gmail_client_email | Service Account E-Mail address |
| gmail_client_id | OAuth Client ID |
Additional details from the README file:
This responder allows mailbox manipulation of Gsuite / Google Workspace accounts. The responder can be used to implement message filters and delete message in a mailbox of a Gmail user.
Usage:
- You can block
mailanddomainobservables - Operations are carried out against all gmail addresses (dataType
mail) in the case- Example:
john.doe@gmail.comorpeter.parker@custom.domain - Custom domain can be set in the responder config
- Example:
- The message ID of deleted messages is added as tag to the respective gmail address (dataType
mail)- Messages can only be deleted via Gmail query syntax (datatype
other); this enables one to bulk delete a lot of messages
- Messages can only be deleted via Gmail query syntax (datatype
- The filter ID of a blocked
domainormailgets added as tag to respective gmail address (dataTypemail) - All observables that get blocked/unblocked get a
gmail:handledtag
Constrains:
- TheHive API key needs to provide read AND write permissions
- The Gmail user MUST be part of a Gsuite domain.
- Gsuite domain MUST have an service account enabled with domain-wide delegation.
- The service account MUST be configured with the following OAuth Scopes:
https://mail.google.com/https://www.googleapis.com/auth/gmail.settings.basic
The responder needs a Gmail service account with domain-wide delegation. The rough setup steps are:
- enable a service account via GCP
- enable Gmail API
- get service account
client_id(oauth approval screens + domain-wide delegation needed) - change to Gsuite Admin panel
- add third party app (security->API controls) with
client_id - add domain-wide delegation with
client_id
A detailed guideline for a service account setup can be found in the Google OAuth Python Client Docs.