Resmo Documentation
SupportStatuspageTwitterLinkedIn
  • Welcome!
  • Getting Started
    • Quick Start Guide for Admins
    • SaaS Security Guide for Employees
    • Glossary
    • FAQ
    • Support
    • Resources documentation (automated)
  • Guides
    • Query Your First Resources
    • Create Your First Rule
  • Resources
    • Resources
    • Resource Changes
  • Notebooks
    • Notebooks
  • Audit Logs
    • Audit Logs
  • API
    • Basics
    • Query API
  • Resource Tags
    • Tag Rules
    • Manual Tagging
  • Queries
    • Query Types
    • Standard SQL Queries
    • Change SQL Queries
  • SaaS Discovery
    • SaaS Discovery Methods
    • Browser Extension Admin Guide
    • AI Email Scanning
    • Resmo Agent (Beta)
    • Apps Page
    • Users Page
  • Rules
    • Rules
    • Suppression
    • AWS Config Rules vs Resmo Rules
  • Dashboards
    • Dashboards
  • Packs (Compliance and Security Best Practices)
    • Packs
    • Pack Exports
  • Alerts
    • Alerts
  • Variables
    • Variables
  • integrations
    • Integrations Guide
    • Custom Data Integration
    • AWS Integration
    • Azure Integration
    • GCP Integration
    • Google Drive Integration
    • Kubernetes Integration
    • Google Workspace Integration
    • GitHub Integration
    • Slack Integration
    • GitLab Integration
    • New Relic Integration
    • Jira Integration
    • PagerDuty Integration
    • Opsgenie Integration
    • MongoDB Atlas Integration
    • Azure Active Directory Integration
    • Cloudflare Integration
    • Confluence Integration
    • Bitbucket Integration
    • Okta Integration
    • Datadog Integration
    • Gandi Integration
    • Snyk Integration
    • Duo Integration
    • Jamf Integration
    • Snowflake Integration
    • Heroku Integration
    • Fastly Integration
    • Hubspot Integration
    • BambooHR Integration
    • Azure DevOps Integration
    • Kolide Integration
    • Flyio Integration
    • Upstash Integration
    • Qualys Integration
    • Sentry Integration
    • Brex Integration
    • JumpCloud Integration
    • Webflow Integration
    • Tenable Integration
    • SonarCloud Integration
    • Salesforce Integration
    • LastPass Integration
    • Microsoft Teams Integration
    • Zendesk Integration
    • Segment Integration
    • Terraform Cloud Integration
    • Tailscale Integration
    • Vercel Integration
    • GoDaddy Integration
    • Kandji Integration
    • LaunchDarkly Integration
    • PlanetScale Integration
    • Zoom Integration
    • Jotform Integration
    • Auth0 Integration
    • Wizer Integration
    • Linear Integration
    • Figma Integration
    • Trello Integration
    • Mixpanel Integration
    • Trivy Integration
    • CSV Integration
    • DocuSign Integration
    • Tinybird Integration
    • MonoSign Integration
    • DigitalOcean Integration
    • Sophos Integration
    • Firebase Integration
    • MySQL Integration
    • PostgreSQL Integration
    • MongoDB Integration
    • ClickHouse Integration
    • Help Scout Integration
    • Intercom Integration
    • Atlassian Integration
    • Drata Integration
    • Hetzner Cloud Integration
    • Vanta Integration
    • Microsoft Intune Integration
    • Microsoft Defender Integration
    • Microsoft 365 Integration
    • NPM Integration
    • CrowdStrike Integration
    • 1Password Integration
    • Lucid Integration
    • OneDrive Integration
    • JetBrains Integration
    • Google Analytics Integration
    • Hexnode Integration
    • SendGrid Integration
    • WordPress Integration
  • Notifications
    • Notification Channels
    • Email Notification Channel
    • Slack Notification Channel
    • Webhook Notification Channel
    • Opsgenie Notification Channel
    • PagerDuty Notification Channel
    • Amazon SNS Notification Channel
    • Parny Notification Channel
    • Linear Notification Channel
    • Jira Notification Channel
    • Microsoft Teams Notification Channel
  • Plugins
    • Raycast
  • Users and Permissions
    • User
    • User Roles
    • RBAC (Role-Based Access Control)
      • Custom Roles and Policies
    • SSO - Social Login
  • Settings
    • Accounts
    • Billing Policy
    • Pricing
      • Resource Count Calculation
Powered by GitBook
On this page
  • How the Scan Process Works
  • How to Create a Service Account
  • How to Add Domain-Wide Delegation
  • How to Use

Was this helpful?

  1. SaaS Discovery

AI Email Scanning

AI-powered email scanning

PreviousBrowser Extension Admin GuideNextResmo Agent (Beta)

Last updated 1 year ago

Was this helpful?

Resmo Email Scanning checks your emails to find where you might have signed up for new accounts. It looks for emails that are about joining or subscribing to something. This way, you can easily see what accounts you've made through emails and manage them with Resmo.

How the Scan Process Works

Currently, email scanning supports Google Workspace only.

The first step in the process is downloading Gmail emails for all users in your organization. To achieve this step successfully you will need to create a service account and configure domain-wide delegation for this account.

How to Create a Service Account

  • Credentials and super admin rights are required in Google Workspace is provided by service account.

  • To configure service account, you can check documentation from .

  1. Open the Google Cloud Console ().

  2. Select a project. If there are no existing projects, create a project.

  3. Enable the API.

  • On the navigation menu, select API & Services > Library option if it is not already selected.

  • In the displayed list of APIs, click Admin SDK API and Gmail API . Enable these options if they are not already enabled.

  1. On the navigation menu, select Credentials.

  2. To create a new service account click Create Credentials.

    • From the drop-down menu, select Service Account.

    • Enter the account name. The ID is automatically populated.

    • To furnish a new private key, select the json key type.

    • Click Create. You are prompted to download the key.

How to Add Domain-Wide Delegation

  • Domain-wide delegation provides credentials are required to read all emails.

  1. In the Admin console, go to Menu -> Security -> Access and data control -> API controls -> Manage Domain Wide Delegation.

  1. Click Add new and enter your service account client ID.

  • You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in Google Cloud (click IAM & Admin -> Service accounts -> the name of your service account).

  1. Enter the client ID of the service account or OAuth2 client ID of the app.

  2. In OAuth Scopes, add each scope that the application can access.

a. https://www.googleapis.com/auth/admin.directory.user.readonly
b. https://www.googleapis.com/auth/gmail.readonly
  1. Click Authorize.

  2. Point to the new client ID, click View details, and make sure that every scope is listed. If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

After that, AI takes part in the process to achieve the best results in identifying possible account creations from emails. The scan process uses AI-based classification practices and labels emails into several categories. With the help of labeling, unrelated emails eliminated and the others processed in Resmo as related users and apps.

How to Use

# Ensure you have git and Python 3.7 installed in your environment. AI Labeling can take time.

# Clone the repository
$ git clone https://github.com/resmoio/email-app-scanner.git

# Install the dependencies
$ cd email-app-scanner
$ pip install -r requirements.txt

# Set variables
ADMIN_EMAIL="admin@yourdomain.com"
INGEST_KEY="b80b2cb6-2036-471d-85be-0f250ad435f8"
SERVICE_ACCOUNT="service-account.json"

# Run the code for downloading emails for all users, it will take a while depending on your internet connection and number of users
$ python gmail-download-mails.py \
  --admin-email $ADMIN_EMAIL \
  --service-account $SERVICE_ACCOUNT

# Run the code for AI labeling emails for all users. It's recommended to use a machine with GPU for this step. It will take a while depending on your machine and number of users
$ python label-emails.py

# After the execution is done, you can see the results in the JSON file
# To upload this file to Resmo, run the following code
$ python send-to-resmo.py --ingest-key $INGEST_KEY

You can see results in Resmo by checking accounts with email sources:

To configure domain-wide delegation, you can check documentation from .

to your . Sign in using an account with (does not end in @gmail.com).

You must be signed in as a for this task.

here
Sign in
Google Admin console
super administrator privileges
super administrator
here
https://console.developers.google.com