Gmail is an email service provided by Google. Gmail integrates with Google’s other services such as Google Drive, Calendar, Maps and Search, which makes it an even more powerful and important tool. Gmail’s built-in email security, including its spam detection and virus protection engines, is a core component that protects users and improves their experience.
Plenty of organizations use Gmail for their internal communication and to receive alerts from different security controls, such as SIEM, EDR and firewalls.
SIRP integrates with Gmail or any other IMAP-based email server to ingest different kinds of data received over email. The ingested data is then used by security teams and automated playbooks for response.
SIRP’s Email integration app allows you to execute the following actions:
Action to read and parse JSON-based emails.
Action to read and parse phishing emails.
Enable and Configure the Email App to read Gmail
Step 1: Configure Gmail Settings to Allow Less Secure Apps
In order to let SIRP log in to the Gmail inbox and read the emails for ingestion and parsing, you need to lower the account’s security level a notch and also disable 2-Step Verification. Because this weakens the protection of the account, a dedicated mailbox used only for alert ingestion is preferable to a personal one. Follow these steps:
1. Log in to Gmail, click on the Apps icon in the top right corner, then click Account
2. Click on Security
3. Scroll down to the section called “Signing in to Google” and change the “2-Step Verification” setting to Off (if it is On)
4. Next, scroll down to the section called “Less secure app access” and change the setting to On.
Step 2: Configure SIRP Email App
1. Log in to SIRP, then go to Apps from the left navigation bar
2. Locate the app named Email
3. Enable the Email app by clicking on the toggle button under the Status column
4. As soon as you enable the app, you will get an option to add the configuration details. Add the following details:
a. Host: imap.gmail.com
b. Port: 993
c. Email: <Gmail address>
d. Password: <Gmail address password>
After the last step, you should be able to use the Email actions within Apps > Ingestion Sources.
Ingesting Alerts over Email
In order to start ingesting alerts from emails on Gmail, you need to create a new ingestion source and enable it.
1. Go to the Administration section from the left-hand navigation bar
2. Go to Apps > Ingestion Sources
3. Click on Add Source
4. Fill in the fields of the popup form as shown in the image above:
Name: Email - SIEM Alerts (This can be any name to distinguish this ingestion source)
Ingestion Method: Email
Ingestion Type: Alerts (Because we want to ingest alerts into our Incident Management module)
Widget Name: Leave blank
Frequency: Every 5 min
Opened By: Select a user from the dropdown (Optional)
Applications: Select Email application
Actions: Select parse_json_emails
Folder Name: SIEM Alerts (This can be any folder in Gmail where you will save all the alerts from the SIEM. Create this folder in your mailbox first.)
Sender Information: Any reference text that you can use in the future (Optional)
Read selective emails: Leave disabled (This option is used if you want to fetch only emails with a certain text in the subject.)
Prepend: Enter “[Email] ” (Note the extra space at the end. This is the text that will be automatically prepended to every alert ingested through this ingestion source.)
Append: Leave blank (This is the text that will be automatically appended to every alert ingested through this ingestion source.)
5. Click on the Create button to create the new ingestion source
After the last step, SIRP will start reading the defined mailbox folder at the configured frequency, parse the unread emails, ingest the new emails as alerts, extract the artifacts from each email, and lastly mark the email as read so that it is not ingested again.
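The following script is an added example that mirrors the flow just described (IMAPS to imap.gmail.com:993, read unread messages from the “SIEM Alerts” folder, parse the JSON body, prepend “[Email] ”, mark the message as read). It is not SIRP’s own code; the mailbox credentials, the sample message and the IPv4-only artifact extraction are assumptions made for illustration.

```python
"""Minimal stand-in for the SIRP parse_json_emails ingestion flow (added example)."""
import email
import imaplib
import json
import re
from email import policy

IMAP_HOST = "imap.gmail.com"   # host from Step 2
IMAP_PORT = 993                # IMAPS port from Step 2
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample alert email; a real SIEM message would be fetched over IMAP.
SAMPLE_EMAIL = b"""From: siem@example.com
Subject: Suspicious login
Content-Type: text/plain

{"severity": "high", "src_ip": "203.0.113.7", "user": "alice"}
"""


def extract_artifacts(payload: dict) -> list:
    """Pull IPv4 artifacts out of the JSON values (assumed, simplified extraction)."""
    return sorted(set(IPV4.findall(json.dumps(payload))))


def build_alert(raw_message: bytes, prepend: str = "[Email] ", append: str = "") -> dict:
    """Parse one JSON-bodied email into an alert record with prepend/append applied."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        raise ValueError("message has no text/plain part")
    payload = json.loads(body.get_content())
    return {
        "title": f"{prepend}{msg['Subject']}{append}",
        "sender": str(msg["From"]),
        "fields": payload,
        "artifacts": extract_artifacts(payload),
    }


def ingest_unread(user: str, password: str, folder: str = "SIEM Alerts") -> list:
    """Fetch UNSEEN messages from the folder, build alerts, then flag them \\Seen."""
    alerts = []
    with imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT) as conn:
        conn.login(user, password)
        conn.select(f'"{folder}"')
        _, data = conn.search(None, "UNSEEN")
        for num in data[0].split():
            _, parts = conn.fetch(num, "(BODY.PEEK[])")  # PEEK: do not mark read yet
            alerts.append(build_alert(parts[0][1]))
            conn.store(num, "+FLAGS", "\\Seen")            # mark read after parsing
    return alerts
```

Run `ingest_unread("<Gmail address>", "<Gmail address password>")` against the dedicated mailbox to see the alert records SIRP would receive.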