SSH

This document provides guidance on how to integrate SSH with Google SecOps.

Configure SSH integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Actions

Block IP Address in IPtables

Description

Add a rule to IPtables to block an IP address.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	x.x.x.x	Remote server address.
Remote Username	String	root	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Block IP Address	String	N/A	IP address to block.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Delete Firewall Rule

Description

Delete IPtables Firewall rule (Example: INPUT -s 10.0.0.10 -j DROP).

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	Remote server address (example: x.x.x.x).	N/A
Remote Username	String	root	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
IPtables Rule	String	N/A	Rule value (example: INPUT -s 10.0.0.10 -j DROP).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Execute Program

Description

Run a script on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Remote Program Path	String	N/A	The path to the program in the remote host.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	N/A	N/A

JSON Result

N/A

List Connections

Description

List all connections on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	True/False	results:False

JSON Result

{
    "Results": [
        "Proto,Recv-Q,SendQ,Local,Address,Foreign,Address,State,PID/Program,name",
        "tcp,0,0,0.0.0.0:111,0.0.0.0:*,LISTEN,1/systemd",
        "tcp,0,0,0.0.0.0:22,0.0.0.0:*,LISTEN,10624/sshd"
    ]
}

List Processes

Description

List the running processes on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	22	The default port will be 22.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	N/A	N/A

JSON Result

{
    "Processes": [
      "USER,PID,%CPU,%MEM,VSZ,RSS,TTY,STAT,START,TIME,COMMAND",
      "root,1,0.0,0.0,193656,6656,?,Ss,Jan16,0:24,/usr/lib/systemd/systemd --system --deserialize 24",
      "root,32142,0.0,0.0,0,0,?,S,Jan22,0:32,[kworker/3:1]"
    ]
}

List IPtables Rules

Description

List IPtable rules on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.
Chain	String	N/A	The IPtables chain that you wish to see (example: INPUT, OUTPUT, etc.).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	True/False	results:False

JSON Result

{
    "-,Chain,Rule": [
        "-P,INPUT,ACCEPT",
        "-P,FORWARD,ACCEPT",
        "-P,OUTPUT,ACCEPT"
    ]
}

Logoff User

Description

Logoff a remote user.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.
Logoff Username	String	N/A	The username to log off.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

‌Reboot Machine

Description

Reboot a remote server.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Run Command

Description

Run a command on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Command	String	N/A	Command content (example: ifconfig).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
results	True/False	results:False

JSON Result

{
    "ifconfig":
        "ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500
        Ninet1.1.1.1netmask1.1.1.1broadcast1.1.1.1
        ninet6fe80: : 2156: 9c37: 7a0d:
        87eprefixlen64scopeid0x20<link>
        nether00: 50: 56: b5: 70: e3txqueuelen1000(Ethernet)
        nRXpackets7448423bytes1077754116(1.0GiB)
        nRXerrors0dropped0overruns0frame0
        nTXpackets370155bytes44300304(42.2MiB)
        nTXerrors0dropped0overruns0carrier0collisions0
        nlo: flags=73<UP,LOOPBACK,RUNNING>mtu65536
        Ninet1.1.1.1netmask1.1.1.1
        ninet6: : 1prefixlen128scopeid0x10<host>
        nlooptxqueuelen1000(LocalLoopback)
        nRXpackets86bytes4780(4.6KiB)
        nRXerrors0dropped0overruns0frame0
        nTXpackets86bytes4780(4.6KiB)
        nTXerrors0dropped0overruns0carrier0collisions0"
}

Shutdown Machine

Description

Shutdown a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	The default port will be 22.
Wait Time	String	N/A	Time to wait before shutdown in minutes (example: now).

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Terminate Process

Description

Terminate a process on a remote machine.

Parameters

Parameter	Type	Default Value	Description
Remote Server	String	N/A	Remote server address (example: x.x.x.x).
Remote Username	String	N/A	N/A
Remote Password	String	N/A	N/A
Remote Port	String	N/A	N/A
Process	String	N/A	Process to terminate.

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

N/A

Need more help? Get answers from Community members and Google SecOps professionals.