SSH

Integration version: 16.0

Configure SSH integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Block IP Address in IPtables

Description

Add a rule to IPtables to block an IP address.

Parameters

Parameter Type Default Value Description
Remote Server String x.x.x.x Remote server address.
Remote Username String root N/A
Remote Password String N/A N/A
Remote Port String N/A N/A
Block IP Address String N/A IP address to block.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Delete Firewall Rule

Description

Delete IPtables Firewall rule (Example: INPUT -s 10.0.0.10 -j DROP).

Parameters

Parameter Type Default Value Description
Remote Server String Remote server address (example: x.x.x.x). N/A
Remote Username String root N/A
Remote Password String N/A N/A
Remote Port String N/A N/A
IPtables Rule String N/A Rule value (example: INPUT -s 10.0.0.10 -j DROP).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Execute Program

Description

Run a script on a remote machine.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A N/A
Remote Program Path String N/A The path to the program in the remote host.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
results N/A N/A
JSON Result
N/A

List Connections

Description

List all connections on a remote machine.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
results True/False results:False
JSON Result
{
    "Results": [
        "Proto,Recv-Q,SendQ,Local,Address,Foreign,Address,State,PID/Program,name",
        "tcp,0,0,0.0.0.0:111,0.0.0.0:*,LISTEN,1/systemd",
        "tcp,0,0,0.0.0.0:22,0.0.0.0:*,LISTEN,10624/sshd"
    ]
}

List Processes

Description

List the running processes on a remote machine.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String 22 The default port will be 22.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
results N/A N/A
JSON Result
{
    "Processes": [
      "USER,PID,%CPU,%MEM,VSZ,RSS,TTY,STAT,START,TIME,COMMAND",
      "root,1,0.0,0.0,193656,6656,?,Ss,Jan16,0:24,/usr/lib/systemd/systemd --system --deserialize 24",
      "root,32142,0.0,0.0,0,0,?,S,Jan22,0:32,[kworker/3:1]"
    ]
}

List IPtables Rules

Description

List IPtable rules on a remote machine.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A The default port will be 22.
Chain String N/A The IPtables chain that you wish to see (example: INPUT, OUTPUT, etc.).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
results True/False results:False
JSON Result
{
    "-,Chain,Rule": [
        "-P,INPUT,ACCEPT",
        "-P,FORWARD,ACCEPT",
        "-P,OUTPUT,ACCEPT"
    ]
}

Logoff User

Description

Logoff a remote user.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A The default port will be 22.
Logoff Username String N/A The username to log off.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result

N/A

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result

N/A

‌Reboot Machine

Description

Reboot a remote server.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A The default port will be 22.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Run Command

Description

Run a command on a remote machine.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A N/A
Command String N/A Command content (example: ifconfig).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
results True/False results:False
JSON Result
{
    "ifconfig":
        "ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500
        Ninet1.1.1.1netmask1.1.1.1broadcast1.1.1.1
        ninet6fe80: : 2156: 9c37: 7a0d:
        87eprefixlen64scopeid0x20<link>
        nether00: 50: 56: b5: 70: e3txqueuelen1000(Ethernet)
        nRXpackets7448423bytes1077754116(1.0GiB)
        nRXerrors0dropped0overruns0frame0
        nTXpackets370155bytes44300304(42.2MiB)
        nTXerrors0dropped0overruns0carrier0collisions0
        nlo: flags=73<UP,LOOPBACK,RUNNING>mtu65536
        Ninet1.1.1.1netmask1.1.1.1
        ninet6: : 1prefixlen128scopeid0x10<host>
        nlooptxqueuelen1000(LocalLoopback)
        nRXpackets86bytes4780(4.6KiB)
        nRXerrors0dropped0overruns0frame0
        nTXpackets86bytes4780(4.6KiB)
        nTXerrors0dropped0overruns0carrier0collisions0"
}

Shutdown Machine

Description

Shutdown a remote machine.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A The default port will be 22.
Wait Time String N/A Time to wait before shutdown in minutes (example: now).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Terminate Process

Description

Terminate a process on a remote machine.

Parameters

Parameter Type Default Value Description
Remote Server String N/A Remote server address (example: x.x.x.x).
Remote Username String N/A N/A
Remote Password String N/A N/A
Remote Port String N/A N/A
Process String N/A Process to terminate.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A