GMail to TheHive (using Google script)

Usually into the company where we act as security operation we found a mailbox named irt,cert,csirt ecc where all indicidents arrives and it’s used also to communicate with users.

With new (good!) policies it’s no more possibile to connect using IMAP to account mail so we’re not able to retrieve incidents.

Into this account we normaly found:

• antivirus notification
• antispam/phishing alert
• firewall / IPS alert
• SIEM alert
• incident notification from various source (also human)

So we’ve developed a script using Google script that send to our TheHive (incident response platform) every message that come into mailbox.

By using content in subject and body it can detect the case template (Phishing, Antivirus, Vulnerability, locked account..) and import all observables like IP, URL, DOMAIN, HASH to be analyzed with Cortex

To detect also the entired thread and replies from users it use reference header to link at the same case.

Bellow an example of the results:

Project are available at https://github.com/backloop-biz/Mail_to_TheHive and we’re happy to support other SOC to implement this solution.

For who needs support write to support@backloop.biz

We’re using this connector to manage automatically this alerts:

• Office365 native Phishing notification
• KnowBe4 Phishing notification
• Proofpoint alert
• Sophos XG and InterceptX notification
• AlienVault SIEM alarm
• MalwareBytes Nebula incidents
• TrendMicro antivirus notification
• Office365 security notification
• Workspace security notification
• Cisco Umbrella alert
• ServiceNow ticket