Quarantine email using SOAR playbooks

Hey @Akshay04 

In Gmail everything is done via labels.

So, if you want to move a message to trash, then you would add a label "Trash". What you can do is, create a special label called "quarantine" and move the messages to it. In parallel to this, you can create a filter that, if the message has label "quarantine", then it skips the inbox, so that users will not accidentally make a mistake.

We have an action called "Add Email Label" that can be used for this. Let me know, if this makes sense.

Hey, just to confirm — so what you mean is, if we label an email as "quarantine", it gets moved out of the user’s inbox and into a SOC quarantine inbox (or label), right?

That way, we (SOC) can review it safely, and if it's clean, we can just remove the "quarantine" label and re-add "INBOX" to return it to the user?

Just want to make sure I got the flow right. Sounds like a neat way to isolate suspicious emails without fully deleting or archiving them.

Quarantine workflow is not natively supported in Gmail and its API. You will need to build it manually with Gmail Filters.

If the goal is to just hide messages from the inbox, then it's more simple to move the messages to "Trash" aka add a "Trash" label. If everything is good and the emails are benign, then you can remove the "Trash" label, which will make it reappear in the Inbox.

Moving to Trash != deleting. Emails in the "Trash" will be automatically deleted only after 30 days, so that give you a lot of time for triaging.