Integrate EmailV2 with Google SecOps

Integration version: 36.0

This document explains how to integrate EmailV2with Google Security Operations (Google SecOps).

Note: This integration uses one or more open source components.You can download a copy of the full source code of this integration from the storage bucket.

Use cases

TheEmailV2 integration uses the Google SecOpscapabilities to support the following use cases:

Phishing triage and notification: Automate the process of sendingnotification emails to recipients, including external users, and setting upasynchronous playbooks to wait for user responses (such as confirmation of aphishing attempt).
Incident data enrichment and retention: Search a mailbox for relatedmessages based on criteria (like sender or subject) and save all fileattachments from suspicious emails directly to the case wall for forensicanalysis and data retention.
Mailbox management and containment: Automatically move malicious ortriaged emails from the inbox to quarantine or archive folders, orpermanently delete emails that match specific filters (such as deleting allcopies of a known malware email across multiple folders).
Threaded response and collaboration: Send an immediate reply or astructured response within an existing email thread using theSend Thread Reply action, ensuring all necessary parties are kept in theloop with relevant security updates.

Before you begin

To enable theEmailV2 integration to successfully connect to your mailserver, you must ensure the configured mailbox grants access to third-partyapplications using IMAP/SMTP.

If you are using a Gmail account, note the following access options:

OAuth 2.0 (Recommended): The most secure method, allowing applicationsto access mail data using tokens without requiring direct password exposure.For more details, seeThird-party apps & your Google Account.
App password (Recommended for 2FA): A 16-digit passcode used as apassword substitute for third-party applications when 2-Step Verification isenabled. For more details, seeSign in with app passwords.
Less secure apps (Deprecated): This legacy option allows access for appsthat don't meet Google's latest security standards. For more details, seeLess secure apps & your Google Account.
Important: Use this option with extreme caution, as it makes your account lesssecure.

Note: We recommend you configure the security access method during the setup stageto ensure uninterrupted connector and action functionality.

Network Access to IMAP/SMTP

Accessing and processing received email using IMAP and sending outgoingemail using SMTP requires network access using the configured accountcredentials.

Note: If you are using an account requiring legacy access, ensure the mailboxconfiguration, such asLess Secure App Access, is enabled.

Network Requirements

The following table details the network access required for the integration tocommunicate with the mail server:

Function	Default Port	Direction	Protocol
Mail Server Communication	Multivalues	Outbound	IMAP/SMTP

Integration parameters

TheEmailV2 integration requires the following parameters:

Parameter	Description
`IMAP - Use SSL`	Optional. If selected, the action enables secure communication (SSL/TLS) when connecting to the IMAP server. Enabled by default.
`SMTP - Use Authentication`	Optional. If selected, the action enables authentication for the SMTP connection. This is required when the SMTP server isn't in an "open relay" configuration and requires credentials to send outgoing emails. Enabled by default.
`Sender's Address`	Required. The email address of the mailbox used by the integration for both sending and receiving messages.
`Sender's Display Name`	Required. The name that appears as the sender when the integration sends emails.
`SMTP Server Address`	Optional. The DNS hostname or IP address of the SMTP server used for sending emails, such as`smtp.hmail.com`.
`SMTP Port`	Optional. The port number used to connect to the SMTP server, such as`565`.
`IMAP Server Address`	Optional. The DNS hostname or IP address of the IMAP server required to retrieve received emails, such as`imap.hmail.com`.
`IMAP Port`	Optional. The port number used to connect to the IMAP server, such as`995`.
`Username`	Required. The username required for authenticating with the mail server.
`Password`	Required. The password required for authenticating with the mail server.

For instructions about how to configure an integration inGoogle SecOps, see Configureintegrations.

You can make changes at a later stage, if needed. After you configure anintegration instance, you can use it in playbooks. For more information abouthow to configure and support multiple instances, seeSupportingmultiple instances.

Actions

For more information about actions, seeRespond to pending actions from Your Workdesk andPerform amanual action.

Delete Email

Use theDelete Email action to remove emails from themailbox that match specified search criteria. You can utilize this action toeither delete the first matching email found or delete all matching emails.

This action doesn't run on Google SecOps entities.

Action inputs

TheDelete Email action requires the following parameters:

Parameter	Description
`Folder Name`	Required. A comma-separated list of the mailbox folders where the action searches for emails.
`Message IDs`	Optional. A comma-separated list of specific Message IDs to search for and delete. If provided, this list overrides the`Subject Filter`,`Sender Filter`, and`Recipient Filter`.
`Subject Filter`	Optional. A subject line used to narrow the search for matching emails.
`Sender Filter`	Optional. A sender's address used to search for matching emails.
`Recipient Filter`	Optional. A recipient's address used to search for matching emails.
`Days Back`	Optional. The time window (in days) the action searches for emails to delete. The timeframe is calculated with day granularity. Using a value of`0` restricts the search to emails received only within the current day. The default value is`0`.
`Delete all matching emails`	Optional. If selected, the action deletes all emails that match the specified criteria; otherwise, it only deletes the first match. Disabled by default.

Action outputs

TheDelete Email action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theDelete Email action:

{"deleted_emails":{"email_1_deleted":{"message_id":"<a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0@mail.example.com>","deleted_from_folder":"Inbox","subject":"Suspicious Login Alert - Deleted","sender":"noreply@system.com","timestamp":"2025-11-20T14:30:00Z"},"email_2_deleted":{"message_id":"<u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0@mail.example.com>","deleted_from_folder":"Spam","subject":"Phishing Offer","sender":"scam@badsite.net","timestamp":"2025-11-15T09:15:00Z"}}}

Output messages

TheDelete Email action can return the following outputmessages:

Output message Message description

Output message	Message description
`NUMBER_OF_DELETED_EMAILS email(s) were deleted successfully` `Failed to find emails for deletion!`	The action succeeded.
`Error deleting emailsERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

NUMBER_OF_DELETED_EMAILS email(s) were deleted successfully

Failed to find emails for deletion!

The action succeeded.

Error deleting emailsERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheDelete Email action:

Script result name	Value
`is_success`	`true` or`false`

DownloadEmailAttachments

Use theDownload Email Attachments action to retrieve attachments fromspecific emails and save them to a designated path on theGoogle SecOps server.

This action doesn't run on Google SecOps entities.

Action inputs

TheDownload Email Attachments action requires the following parameters:

Parameter	Description
`Folder Name`	Required. A comma-separated list of the mailbox folders where the action searches for the email. The default value is`Inbox`.
`Download Path`	Required. The path on the Google SecOps server where the downloaded attachments are saved.
`Message IDs`	Optional. A comma-separated list of message IDs from which to download attachments.
`Subject filter`	Optional. A subject line used to narrow the search for the email.

Action outputs

TheDownload Email Attachments action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

TheDownload Email Attachments action can return the following outputmessages:

Output message Message description

Output message	Message description
`DownloadedNUMBER_OF_ATTACHMENTS attachments.ATTACHMENT_PATHS`	The action succeeded.
`failed to download email attachments, the error is:ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

DownloadedNUMBER_OF_ATTACHMENTS attachments.ATTACHMENT_PATHS

The action succeeded.

failed to download email attachments, the error is:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheDownload Email Attachments action:

Script result name	Value
`attachments_local_paths`	A string of comma-separated full paths to the saved attachments.

Forward Email

Use theForward Email action to send an existing email, including itsprevious thread content, to new recipients by providing the original email'sunique Message ID.

This action doesn't run on Google SecOps entities.

Action inputs

TheForward Email action requires the following parameters:

Parameter	Description
`Folder Name`	Required. The mailbox folders where the original email is located. Provide a comma-separated list if checking multiple folders. The folder name must match the IMAP folder exactly. If the folder name contains spaces, it must be wrapped in double quotes. The default value is`Inbox`.
`Message ID of the email to forward`	Required. The unique`message_id` of the existing email that the action forwards.
`Recipients`	Required. A comma-separated list of the primary email addresses for the new recipients.
`CC`	Optional. A comma-separated list of email addresses to include in the CC field.
`BCC`	Optional. A comma-separated list of email addresses to include in the BCC field.
`Subject`	Required. The subject line for the forwarded email.
`Content`	Optional. Additional body content to include in the forwarded email.
`Return message id for the forwarded email`	Optional. If selected, the action returns the unique Message ID of the newly forwarded email in the JSON result. Disabled by default.
`Attachment Paths`	Optional. A comma-separated list of file paths on the server for additional attachments.

Action outputs

TheForward Email action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theForward Email action:

{"Date""message_id""Recipient"}

Output messages

TheForward Email action can return the following output messages:

Output message Message description

Output message	Message description
`Email was forwarded successfully.` `Mail was forwarded successfully. Mail message ID is:MESSAGE_ID`	The action succeeded.
`Failed to forward the email! The Error isERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Email was forwarded successfully.

Mail was forwarded successfully. Mail message ID is:MESSAGE_ID

The action succeeded.

Failed to forward the email! The Error isERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheForward Email action:

Script result name	Value
`is_success`	`true` or`false`

Move Email to Folder

Use theMove Email to Folder action to transfer emails from a specified sourcefolder to a different destination folder within the mailbox.

This action doesn't run on Google SecOps entities.

Action inputs

TheMove Email to Folder action requires the following parameters:

Parameter	Description
`Source Folder Name`	Required. The name of the source folder from which the emails are moved.
`Destination Folder Name`	Required. The name of the destination folder where the emails are moved.
`Message IDs`	Optional. A comma-separated list of specific Message IDs to search for and move. If provided, this list overrides`Subject Filter`.
`Subject Filter`	Optional. A subject line used to narrow the search for matching emails.
`Only Unread`	Optional. If selected, the search restricts results to only unread emails. Disabled by default.

Action outputs

TheMove Email to Folder action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theMove Email to Folder action:

{"emails":{"email_1":{"message_id":"<4f1e50e8f4027d187a2385a39b83cde46e5b53c1@mail.example.com>","received":"Mon, 24 Nov 2025 10:00:00 +0000","sender":"security-alert@example.com","recipients":"user@example.com","subject":"Phishing Alert: Urgent Action Required","plaintext_body":"Original alert content...","moved_from_folder":"Inbox","moved_to_folder":"Quarantine"},"email_2":{"message_id":"<a5b6c7d8e9f01g2h3i4j5k6l7m8n9o0p1q2r3s4t@mail.example.com>","received":"Sun, 23 Nov 2025 14:30:00 +0000","sender":"noreply@system.com","recipients":"user@example.com","subject":"System Update Notification","plaintext_body":"System update successful...","moved_from_folder":"Inbox","moved_to_folder":"Archive"}}}

Output messages

TheMove Email to Folder action can return the following outputmessages:

Output message Message description

Output message	Message description
`NUMBER_OF_MOVED_EMAILS mails were successfully moved fromSOURCE_FOLDER` to`DESTINATION_FOLDER` `No mails were found matching the search criteria!`	The action succeeded.
`Error search emails:ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

NUMBER_OF_MOVED_EMAILS mails were successfully moved fromSOURCE_FOLDER toDESTINATION_FOLDER

No mails were found matching the search criteria!

The action succeeded.

Error search emails:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheMove Email to Folder action:

Script result name	Value
`is_success`	`true` or`false`

Ping

Use thePing action to test the connectivity to Email V2.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

ThePing action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

ThePing action can return the following output messages:

Note: This action performs separate connectivity checks for IMAP and SMTP.

The action returns an overall success if at least one server is configured and passes the check, while noting any skipped or unconfigured parts.

It returns an overall failure if all configured checks fail, printing allassociated errors.

If both IMAP and SMTP aren't configured, it returns an error.

Output message Message description

Output message	Message description
`Successfully connected to the email server server with the provided connection parameters!`	The action succeeded.
`Failed to connect to the IMAP server! Error isERROR_REASON` `Failed to connect to the SMTP server! Error isERROR_REASON` `SMTP (or IMAP) configuration is needed to execute action. Please configure STMP (or IMAP) on integration configuration page in Marketplace.`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully connected to the email server server with the provided connection parameters!

The action succeeded.

Failed to connect to the IMAP server! Error isERROR_REASON

Failed to connect to the SMTP server! Error isERROR_REASON

SMTP (or IMAP) configuration is needed to execute action. Please configure STMP (or IMAP) on integration configuration page in Marketplace.

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingthePing action:

Script result name	Value
`is_success`	`true` or`false`

Save Email Attachments to Case

Use theSave Email Attachments to Case action to retrieve and automaticallysave attachments from specific emails in the mailbox directly onto the currentcase's Case Wall.

This action doesn't run on Google SecOps entities.

Action inputs

TheSave Email Attachments to Case action requires the following parameters:

Parameter Description

Parameter	Description
`Folder Name`	Required. A comma-separated list of the mailbox folders where the action searches for the email.
`Message ID`	Optional. The unique Message ID of the email from which to download attachments.
`Attachment To Save`	Optional. The specific name of the attachment being saved. If no value is provided, the action saves all attachments from the email to the Case Wall.

Folder Name

Required.

A comma-separated list of the mailbox folders where the action searches for the email.

Message ID

Optional.

The unique Message ID of the email from which to download attachments.

Attachment To Save

Optional.

The specific name of the attachment being saved.

If no value is provided, the action saves all attachments from the email to the Case Wall.

Action outputs

TheSave Email Attachments to Case action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theSave Email Attachments to Case action:

{"saved_attachments_from_email":{"message_id":"<a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0@mail.example.com>","subject":"Email with Malicious Attachment","sender":"external@suspicious.com","attachments_saved":[{"file_name":"Invoice_Q3_2025.pdf","file_hash_md5":"3bd4a36cc0ed0bfc12ae5e2ece929e82","saved_to_case_wall":"True"},{"file_name":"Report_Data.docx","file_hash_md5":"b3e0c1a9f8d7c6b5a4e3d2c1b0a9f8e7","saved_to_case_wall":"True"}]}}

Output messages

TheSave Email Attachments to Case action can return the following outputmessages:

Output message Message description

Output message	Message description
`Successfully saved the following attachments from the emailMESSAGE_ID:MESSAGE_INFO`	The action succeeded.
`Failed to save the email attachments to the case, the error is:ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully saved the following attachments from the emailMESSAGE_ID:MESSAGE_INFO

The action succeeded.

Failed to save the email attachments to the case, the error is:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheSave Email Attachments to Case action:

Script result name	Value
`is_success`	`true` or`false`

Search Email

Use theSearch Email action to find specific emails within the configuredmailbox using various filtering criteria.

The action retrieves details about the matching messages in a JSON file, whichcan be used for subsequent automated or manual analysis.

This action doesn't run on Google SecOps entities.

Action inputs

TheSearch Email action requires the following parameters:

Parameter	Description
`Folder Name`	Required. A comma-separated list of the mailbox folders where the action searches for emails. The default value is`Inbox`.
`Subject Filter`	Optional. A subject line used to narrow the search for matching emails.
`Sender Filter`	Optional. A sender's address used to search for matching emails.
`Recipient Filter`	Optional. A recipient's address used to search for matching emails.
`Time frame (minutes)`	Required. The time window (in minutes) the search looks back for emails. The default value is`60`.
`Only Unread`	Optional. If selected, the search retrieves only unread emails. Disabled by default
`Max Emails To Return`	Required. The maximum number of emails the action returns as a result. The default value is`100`.

Action outputs

TheSearch Email action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theSearch Email action:

{"emails":{"email_1":{"message id":"<CAJP=A_uGkttoWc1eahvP43rWVEsdk77nMu1FomhgRjRSmySLLg@mail.example.com>","received":"Mon, 26 Aug 2019 03:20:13 -0700 (PDT)","sender":"user@test.example","recipients":"user1@example.com,user2@example.com","subject":"Cool offer","plaintext_body":"Hi, ...","attachmment_1":"pdfdocument.pdf","attachment_1_file_hash_md5":"3bd4a36cc0ed0bfc12ae5e2ece929e82"},"email_2":{"message id":"<WEAA=D_uGkttoWc1eahvP43rWVEsdk77nMu1FomhgRjRSmySLLg@mail.example.com>","received":"Wen, 21 Aug 2019 03:20:13 -0700 (PDT)","sender":"user@test.example","recipients":"user3@example.com","subject":"Cool offer","plaintext_body":"Hi, ...","attachmment_1":"photo.jpg","attachment_1_file_hash_md5":"3bd4a36cc0ed0bfc12ae5e2ece929e82","attachmment_2":"word_document.docx","attachment_2_file_hash_md5":"3bd4a36cc0ed0bfc12ae5e2ece929e82"}}}

Output messages

TheSearch Email action can return the following outputmessages:

Output message Message description

Output message	Message description
`Search foundNUMBER_OF_FOUND_EMAILS emails based on the provided search criteria` `Search didn't found any matching emails`	The action succeeded.
`Search didn't completed successfully due to error:ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Search foundNUMBER_OF_FOUND_EMAILS emails based on the provided search criteria

Search didn't found any matching emails

The action succeeded.

Search didn't completed successfully due to error:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheSearch Email action:

Script result name	Value
`is_success`	`true` or`false`

Send Email

Use theSend Email action to send emails from the configured mailbox tomultiple recipients.

This action optionally returns the Message ID, which can then be used by theWait for Email From User action to trackuser responses and control playbook execution.

This action doesn't run on Google SecOps entities.

Action inputs

TheSend Email action requires the following parameters:

Parameter	Description
`Recipients`	Required. The primary recipient email addresses. Multiple addresses must be separated by commas.
`CC`	Optional. The email addresses to include in the Carbon Copy (CC) field. Multiple addresses must be separated by commas.
`Bcc`	Optional. The email addresses to include in the Blind Carbon Copy (Bcc) field. Multiple addresses must be separated by commas.
`Subject`	Required. The subject line of the email message.
`Content`	Required. The body content of the email message.
`Return message id for the sent email`	Optional. If selected, the action returns the unique Message ID in the JSON result. This ID can be used bytheWait for Email From User action to track responses. Disabled by default.
`Attachments Paths`	Optional. A comma-separated list of absolute file paths on the server for attachments.

Action outputs

TheSend Email action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theSend Email action:

Note: EnablingReturn message id for the sent email is required toretrieve the uniquemessage_id in the JSON result, which is required fordependent actions.

{"message_id":"<4f1e50e8f4027d187a2385a39b83cde46e5b53c1-10013525-100078757@example.com>"}

Output messages

TheSend Email action can return the following output messages:

Note: This action performs separate connectivity checks for IMAP and SMTP.

The action returns an overall success if at least one server is configuredand passes the check, while noting any skipped or unconfigured parts.

It returns an overall failure if all configured checks fail, printing allassociated errors.

If neither IMAP nor SMTP are configured, it returns an error.

Output message Message description

Output message	Message description
`Mail sent successfully.` `Mail sent successfully. Mail message ID is:MESSAGE_ID`	The action succeeded.
`Execution Failed:ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Mail sent successfully.

Mail sent successfully. Mail message ID is:MESSAGE_ID

The action succeeded.

Execution Failed:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheSend Email action:

Script result name	Value
`is_success`	`true` or`false`

Send Thread Reply

Use theSend Thread Reply action to send a new message as a response withinan existing email thread using the original message ID.

This action doesn't run on Google SecOps entities.

Action inputs

TheSend Thread Reply action requires the following parameters:

Parameter	Description
`Message ID`	Required. The unique ID of the message to which the reply is sent.
`Folder Name`	Required. A comma-separated list of the mailbox folders where the action searches for the original email. The folder name must match the IMAP folder exactly. If the name contains spaces, it must be wrapped in double quotes (such as "[Gmail]/All Mail"). The default value is`Inbox`.
`Content`	Required. The body content of the reply message.
`Attachment Paths`	Optional. A comma-separated list of file paths on the server for attachments to include in the reply.
`Reply All`	Optional. If selected, the reply is sent to all recipients of the original email thread. This parameter takes priority over`Reply To`. Enabled by default.
`Reply To`	Optional. A comma-separated list of specific email addresses to receive the reply. If`Reply All` is disabled and no value is provided, the reply is sent only to the sender of the original email.

Action outputs

TheSend Thread Reply action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theSend Thread Reply action:

{"message_id":"<162556278608.14165.480701790user@example>","recipients":"test@example.com"}

Output messages

TheSend Thread Reply action can return the following outputmessages:

Output message Message description

Output message	Message description
`Successfully sent reply to the message with IDMESSAGE_ID in Exchange.`	The action succeeded.
`Error executing action "Send Thread Reply". Reason:ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully sent reply to the message with IDMESSAGE_ID in Exchange.

The action succeeded.

Error executing action "Send Thread Reply". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheSend Thread Reply action:

Script result name	Value
`is_success`	`true` or`false`

Wait for Email From User

Use theWait for Email From User action to pause the playbook's executionand monitor a mailbox for a reply to a message previously sent by theSend Email action.

This action doesn't run on Google SecOps entities.

Note: This action is asynchronous. Adjust the script timeout value in theGoogle SecOps IDE as needed.

Action inputs

TheWait for Email From User action requires the following parameters:

Parameter	Description
`Email Message_id`	Required. The unique Message ID of the sent email for which the action tracks replies. If the message has been sent using the Send Email action, please select`SendEmail.JSONResult.message_id` as a placeholder.
`Email Date`	Required. The timestamp indicating when the original email was sent. The action uses this value to calculate the reply window. If the message was sent using the Send Email action, use the placeholder`SendEmail.JSONResult.email_date`.
`Email Recipients`	Required. A comma-separated list of recipient email addresses from which the action waits for a reply. If the message was sent using the Send Email action, use the placeholder`SendEmail.JSONResult.email_date`.
`Wait stage timeout (minutes)`	Optional. The duration (in minutes) the action waits for a reply before marking the wait stage as timed out. The default value is`1440`.
`Wait for all recipients to reply?`	Optional. If selected, the playbook waits for responses from all recipients to proceed; otherwise, it proceeds after receiving the first reply. Enabled by default.
`Wait stage exclude pattern`	Optional. A regular expression pattern used to exclude specific replies (such as automated Out-of-Office messages) from being considered valid responses.
`Folder to check for reply`	Optional. A comma-separated list of the mailbox folders where the action searches for the user's reply. This parameter is case-sensitive. The default value is`Inbox`.
`Fetch Response Attachments`	Optional. If selected, any attachments included in the recipient's reply are saved as attachments for the action result. Disabled by default.

Action outputs

TheWait for Email From User action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result outputs received when using theWait for Email From User action:

{"Responses":{["user1@example.com":"Approved","user2@example.com":"","user3@example.com":""]}}

Script result

The following table lists the value for the script result output when usingtheWait for Email From User action:

Script result name	Value
`is_success`	`true` or`false`

Connectors

To learn more about configuring connectors in Google SecOps,see Ingest your data (connectors).Note: To prevent data loss, connectors utilizeEvent Flattening. If a raw alert contains a list of entities (such as multiple email addresses, hostnames, or IP addresses), connectors automatically flatten them into separate, unique events.

For example, a single raw alert containing three different email addresses is ingested as three separate events, each containing one distinct email address.

This process ensures that every entity is correctly indexed as a unique asset, making it fully searchable and actionable in playbooks.

Parameter	Description
`Default Environment`	Optional. The name of the environment to which ingested alerts are assigned.
`Run Every`	Optional. The frequency at which the connector runs to check for new emails. The default value is`00:00:10:00` (10 minutes).
`Product Field Name`	Required. The name of the field where the product name is stored. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. The default value is`Product Name`.
`Event Field Name`	Required. The name of the field that determines the event name (subtype). The default value is`event_name_mail_type`.
`Additional headers to extract from emails`	Optional. A comma-separated list of custom header fields to be extracted from the email message during connector processing.
`Script Timeout (Seconds)`	Required. The timeout limit, in seconds, for the Python process that runs thecurrent script. The default value is`60`.
`IMAP Server Address`	Required. The IP address or DNS hostname of the IMAP server to connect to.
`IMAP Port`	Required. The port number used to connect to the IMAP server.
`Username`	Required. The username for the mailbox from which the connector pulls emails such as`user@example.com`.
`Password`	Required. The password for the mailbox used to pull emails.
`Folder to check for emails`	Required. A comma-separated list of mailbox folders where the connector searches for emails. This parameter is case-sensitive. The default value is`Inbox`.
`Server Time Zone`	Optional. The timezone configured in the mail server. The default value is`UTC`.
`Environment Regex Pattern`	Optional. A regular expression pattern used to manipulate the event field data and extract the environment name.
`IMAP USE SSL`	Optional. If selected, the connector uses SSL/TLS to establish a secure IMAP connection to the mail server. Enabled by default.
`Unread Emails Only`	Optional. If selected, the connector pulls only unread emails. Enabled by default.
`Mark Emails as Read`	Optional. If selected, emails are marked as read after being successfully pulled by the connector. Enabled by default.
`Attach Original EML`	Optional. If selected, the original message is attached to the created alert as an .eml file. Disabled by default.
`Regex expressions to handle forwarded emails`	Optional. A JSON one-liner string containing regular expression patterns to extract original subject, sender, and recipient fields from forwarded emails.
`Exclusion Body Regex`	Optional. A regular expression pattern used to exclude emails from ingestion if the body content matches the pattern, such as`([N\|n]ewsletter)\|([O\|o]ut of office)`.
`Exclusion Subject Regex`	Optional. A regular expression pattern used to exclude emails from ingestion if the subject line matches the pattern, such as`([N\|n]ewsletter)\|([O\|o]ut of office)`.
`Offset Time In Days`	Required. The maximum number of days backwards the connector fetches mail from (max time window). This value also serves as a fallback for the initial run or if the connector timestamp expires, ensuring alerts are ingested for the disabled period. The default value is`5`.
`Max Emails Per Cycle`	Required. The maximum number of emails the connector processes in a single polling cycle. The default value is`10`.
`Proxy Server Address`	Optional. The address of the proxy server to use.
`Proxy Username`	Optional. The username for proxy server authentication.
`Proxy Password`	Optional. The password for proxy server authentication.
`Create a Separate Siemplify Alert per Attached Mail File?`	Optional. If selected, the connector creates a separate alert for every attached email file found within a message. This is useful when event mapping is set to create entities from attached email files. Disabled by default.
`Original Received Mail Prefix`	Optional. A prefix (such as`orig`) added to extracted keys (to, from, subject, etc.) from the original email received in the monitored mailbox. The default value is`orig`.
`Attached Mail File Prefix`	Optional. A prefix (such as`attach`) added to extracted keys (to, from, subject, etc.) from attached mail files found within the email. The default value is`attach`.

Note: The connector supports extracting specific values from emails usingRegular Expressions defined in theDynamic List area (often labeled"Extraction Rules"). To extract a value, use the format:Desired Display Name: matching regex.

To extract URLs from the email body for creation as entities, insert:

noneurls: http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*(),]|(?:%0-9a-fA-F))+

Need more help?Get answers from Community members and Google SecOps professionals.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.

Movatterモバイル変換

Integrate EmailV2 with Google SecOps

Use cases

Before you begin

Network Access to IMAP/SMTP

Network Requirements

Integration parameters

Actions

Delete Email

Action inputs

Action outputs

JSON result

Output messages

Script result

DownloadEmailAttachments

Action inputs

Action outputs

Output messages

Script result

Forward Email

Action inputs

Action outputs

JSON result

Output messages

Script result

Move Email to Folder

Action inputs

Action outputs

JSON result

Output messages

Script result

Ping

Action inputs

Action outputs

Output messages

Script result

Save Email Attachments to Case

Action inputs

Action outputs

JSON result

Output messages

Script result

Search Email

Action inputs

Action outputs

JSON result

Output messages

Script result

Send Email

Action inputs

Action outputs

JSON result

Output messages

Script result

Send Thread Reply

Action inputs

Action outputs

JSON result

Output messages

Script result

Wait for Email From User

Action inputs

Action outputs

JSON result

Script result

Connectors

Generic IMAP Email Connector

Known Issues and Limitations

Email Case Forwarding

Connector Rules

Connector inputs