Search Gmail IOC Across Emails
This automation searches for emails that have been observed by a given Indicator of Compromise (IOC). IOC is a piece of digital forensics (identification, investigation, and remediation of cyberattacks) that suggests that an account may have been breached. You can decide on the IOC from the following list: Note also the differences between the UI and the automation filters: It reports the search results to the relevant SecOps personnel. The automation requires a connection as a service account for a business account and uses the `user delegation` method. A premium business Gmail account would be better for scalability but is not mandatory. For more details about the account type:
  1. List all users in the organization.
  2. For each user, search IOC in all user's emails.
  3. For each email, get email's info.
  4. Parse the results of the search.
  5. Report results to SecOps relevant personnel via Slack.