This project is currently under development.
These streamlined modules and scripts are designed to efficiently mitigate phishing threats across multiple Google Workspaces automatically. The system loads and processes data from Google Email Log Search exports, enabling quick detection, analysis, and resolution. Azure support will come in the future.
- Automated Graphs and Summaries: Generate insightful graphs and summaries of the provided phishing attack based on exports from Google’s Email Log Search tool.
- Preset Remediation Scripts: Quickly delete phishing emails and suspend affected user access with ready-to-use scripts.
- Incident Response Email Templates: Use customizable templates to streamline communication with internal and external users about phishing incidents.
- Suspicious Sign-In Monitoring: Check phishing victims for recent suspicious sign-ins to assess potential account compromise.
- Comprehensive Action Logging: Ensure full transparency with detailed logs of all actions performed by this tool for auditing and accountability.
- Multi-Instance Google Workspace Processing: Seamlessly manage multiple Google Workspace environments and perform bulk email deletions across all instances with a single script.
- Finish
Google()
Class - Other Google Authentication methods
- Build a framework for handling arguments and building the log_entries from the provided file
- Create email sender class and build script to send warnings to recipents
- Create documentation for each library
- Finish README
- Improve report generation
- Azure Support
- Django Website (idk)
- Google Drive file Stealer
- Email Reader (idk)
- Create user
- Suspend/Unsuspend User
- Delete User
- Credential file permission enumerater
$ python .\gmailLogReporter.py --logfile .\LogSearchResults.csv --docx report.docx --wizard
____ ____ ___ ____ __ __
| _ \| _ \|_ _/ ___|| \/ |
| |_) | |_) || |\___ \| |\/| | Script: Google: Log Reporter
| __/| _ < | | ___) | | | | Version: dev 0.0.0
|_| |_| \_\___|____/|_| |_| Github: https://github.com/Drew-Alleman/PRISM
Did apply any mitigations and would you like to display them in your report? (y/n): y
Please provided a quick bullet point sentence (type 'stop' to quit) Implemented a recipient limit for outgoing emails to prevent mass distribution of malicious content.
Please provided a quick bullet point sentence (type 'stop' to quit) Suspended accounts associated with detected suspicious login activity to contain potential threats.
Please provided a quick bullet point sentence (type 'stop' to quit) Strengthened spam detection policies to identify and quarantine potentially harmful messages more effectively.
Please provided a quick bullet point sentence (type 'stop' to quit) stop
Would you like to add custom title? (y/n): n
Would you like to add additional information about the author? (y/n): y
Author Name: Drew Alleman
Authors Job Title:
Authors Email:
Date of Report:
google_client = Google()
log_parser = GoogleLogParser()
log_parser.read_exports(["export1.csv", "export2.csv"])
for user in log_parser.get_entries():
google_client.delete_email(user.message_id, user.email)
if user.opened_email:
google_client.suspend(user.email)
The Google Python Class is able to automatically determine what authentication to use. All we need to do is fill out /configurations/config.yaml
with the service account information.
Field | Description | Example Value |
---|---|---|
name |
A friendly identifier for the Google Workspace instance, used for distinguishing accounts in logs and reports. | ExampleWorkspace1 |
secret_file |
The path to the JSON credentials file for the service account, allowing PRISM to authenticate with Google. | /path/to/service_account1.json |
domains |
A list of domains managed by this workspace. PRISM will use this service account for actions on any of these domains. | example.com , store.example.com |
google_service_accounts:
- name: ExampleWorkspace1
secret_file: /path/to/service_account1.json
domains:
- example.com
- store.example.com
- name: ExampleWorkspace2
secret_file: /path/to/service_account2.json
domains:
- github.com
- docs.github.com
Log in to your Google Workspace Admin account and navigate to the Google Cloud Console. Click on the "Select a project" button in the top left corner, then choose "New Project" to create a new one. Feel free to name it anything you like.
Now We need to enable the GMAIL and Admin API to manage emails and users.
Now we need to generate the JSON secret file to allow PRISM to authenticate to Google.
Now we need to paste the client ID we copied from the cloud console and we need to input the following scopes