SSH

Integration version: 16.0

Configure SSH integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Actions

Block IP Address in IPtables

Description

Add a rule to IPtables to block an IP address.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	x.x.x.x	Remote server address.
Remote Username	String	root	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Block IP Address	String	N/A	IP address to block.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Delete Firewall Rule

Description

Delete IPtables Firewall rule (Example: INPUT -s 10.0.0.10 -j DROP).

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	Remote server address (example: x.x.x.x).	N/A
Remote Username	String	root	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
IPtables Rule	String	N/A	Rule value (example: INPUT -s 10.0.0.10 -j DROP).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Execute Program

Description

Run a script on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Remote Program Path	String	N/A	The path to the program in the remote host.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	N/A	N/A

JSON Result

N/A

List Connections

Description

List all connections on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	True/False	results:False

JSON Result

{
    "Results": [
        "Proto,Recv-Q,SendQ,Local,Address,Foreign,Address,State,PID/Program,name",
        "tcp,0,0,0.0.0.0:111,0.0.0.0:*,LISTEN,1/systemd",
        "tcp,0,0,0.0.0.0:22,0.0.0.0:*,LISTEN,10624/sshd"
    ]
}

List Processes

Description

List the running processes on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	22	The default port will be 22.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	N/A	N/A

JSON Result

{
    "Processes": [
      "USER,PID,%CPU,%MEM,VSZ,RSS,TTY,STAT,START,TIME,COMMAND",
      "root,1,0.0,0.0,193656,6656,?,Ss,Jan16,0:24,/usr/lib/systemd/systemd --system --deserialize 24",
      "root,32142,0.0,0.0,0,0,?,S,Jan22,0:32,[kworker/3:1]"
    ]
}

List IPtables Rules

Description

List IPtable rules on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.
Chain	String	N/A	The IPtables chain that you wish to see (example: INPUT, OUTPUT, etc.).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	True/False	results:False

JSON Result

{
    "-,Chain,Rule": [
        "-P,INPUT,ACCEPT",
        "-P,FORWARD,ACCEPT",
        "-P,OUTPUT,ACCEPT"
    ]
}

Logoff User

Description

Logoff a remote user.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.
Logoff Username	String	N/A	The username to log off.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

‌Reboot Machine

Description

Reboot a remote server.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Run Command

Description

Run a command on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Command	String	N/A	Command content (example: ifconfig).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	True/False	results:False

JSON Result

{
    "ifconfig":
        "ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500
        Ninet1.1.1.1netmask1.1.1.1broadcast1.1.1.1
        ninet6fe80: : 2156: 9c37: 7a0d:
        87eprefixlen64scopeid0x20<link>
        nether00: 50: 56: b5: 70: e3txqueuelen1000(Ethernet)
        nRXpackets7448423bytes1077754116(1.0GiB)
        nRXerrors0dropped0overruns0frame0
        nTXpackets370155bytes44300304(42.2MiB)
        nTXerrors0dropped0overruns0carrier0collisions0
        nlo: flags=73<UP,LOOPBACK,RUNNING>mtu65536
        Ninet1.1.1.1netmask1.1.1.1
        ninet6: : 1prefixlen128scopeid0x10<host>
        nlooptxqueuelen1000(LocalLoopback)
        nRXpackets86bytes4780(4.6KiB)
        nRXerrors0dropped0overruns0frame0
        nTXpackets86bytes4780(4.6KiB)
        nTXerrors0dropped0overruns0carrier0collisions0"
}

Shutdown Machine

Description

Shutdown a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.
Wait Time	String	N/A	Time to wait before shutdown in minutes (example: now).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Terminate Process

Description

Terminate a process on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Process	String	N/A	Process to terminate.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Need more help? Get answers from Community members and Google SecOps professionals.