Integrate GRR Rapid Response with Google SecOps
This document explains how to configure and integrate GRR Rapid Response with Google Security Operations (Google SecOps).
Integration version: 8.0
Integration parameters
The GRR Rapid Response integration requires the following parameters:
Parameter | Description |
---|---|
API Root | Required. A server URL. The default value is |
Username | Required. The GRR Rapid Response server username. |
Password | Required. The GRR Rapid Response server password. |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to the GRR Rapid Response server. Not selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Get Client Details
Use the Get Client Details action to retrieve the full details of a client.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Client Details action requires the following parameters:
Parameter | Description |
---|---|
Client ID | Required. The ID of the client. This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Get Client Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The Get Client Details action can generate the following table:
Table name: GRR Clients Details
Table columns:
- Client ID
- Host
- OS Version
- Labels
- Memory Size
- Client Version
- First Seen
- Last Seen
- OS Install Date
JSON result
The following example shows the JSON result output received when using the Get Client Details action:
```json
[
  {
    "HardwareInfo": {
      "system_product_name": "HVM domU",
      "bios_rom_size": "64 kB",
      "bios_vendor": "Xen",
      "system_sku_number": "Not Specified",
      "system_family": "Not Specified",
      "system_uuid": "UUID",
      "system_manufacturer": "Xen",
      "bios_release_date": "08/24/2006",
      "bios_version": "4.2.amazon",
      "serial_number": "UUID",
      "bios_revision": "4.2"
    },
    "LastClock": 1535907460060247,
    "Interfaces": [
      {
        "ifname": "lo",
        "addresses": [
          { "packed_bytes": "fwAAAQ==", "address_type": "INET" },
          { "packed_bytes": "AAAAAAAAAAAAAAAAAAAAAQ==", "address_type": "INET6" }
        ],
        "mac_address": "MAC_ADDRESS"
      },
      {
        "ifname": "eth0",
        "addresses": [
          { "packed_bytes": "rB8sWw==", "address_type": "INET" },
          { "packed_bytes": "/oAAAAAAAAAE1kv//h5yfg==", "address_type": "INET6" }
        ],
        "mac_address": "MAC_ADDRESS"
      }
    ],
    "OS": {
      "kernel": "4.4.0-1065-aws",
      "install_date": 1534280169000000,
      "system": "Linux",
      "fqdn": "ip-192-0-2-91.example",
      "machine": "x86_64",
      "version": "16.4",
      "release": "Ubuntu"
    },
    "AgentInfo": {
      "client_name": "grr",
      "client_description": "grr linux amd64",
      "client_version": 3232,
      "build_time": "2018-06-28 09:37:57"
    },
    "Labels": [],
    "LastBootedAt": 1535292604000000,
    "FirstSeenAt": 1535293827970976,
    "User": [],
    "Volumes": [
      {
        "total_allocation_units": 50808745,
        "bytes_per_sector": 4096,
        "sectors_per_allocation_unit": 1,
        "unixvolume": { "mount_point": "/" },
        "actual_available_allocation_units": 50027766
      }
    ],
    "LastCrashAt": null,
    "LastSeenAt": 1535907460075229,
    "ID": "CLIENT_ID"
  }
]
```
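In the result above, interface addresses arrive as base64-encoded packed bytes and every timestamp is an integer count of microseconds since the Unix epoch. The following added example (not code from the integration or from GRR) decodes a constructed sample modelled on that JSON into IP addresses and UTC datetimes, so a playbook step can pick out a client's non-loopback addresses and measure how long ago the agent last checked in; the client ID in the sample is a hypothetical placeholder.

```python
import base64
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the Get Client Details JSON result above.
# The "ID" value is a hypothetical placeholder, not a real client.
SAMPLE_CLIENT = {
    "ID": "C.0123456789abcdef",
    "FirstSeenAt": 1535293827970976,
    "LastSeenAt": 1535907460075229,
    "LastCrashAt": None,
    "OS": {"fqdn": "ip-192-0-2-91.example", "system": "Linux"},
    "Interfaces": [
        {"ifname": "lo", "addresses": [
            {"packed_bytes": "fwAAAQ==", "address_type": "INET"},
            {"packed_bytes": "AAAAAAAAAAAAAAAAAAAAAQ==", "address_type": "INET6"}]},
        {"ifname": "eth0", "addresses": [
            {"packed_bytes": "rB8sWw==", "address_type": "INET"},
            {"packed_bytes": "/oAAAAAAAAAE1kv//h5yfg==", "address_type": "INET6"}]},
    ],
}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def grr_time(micros):
    """Convert a GRR microsecond epoch timestamp to an aware UTC datetime; None stays None."""
    if micros is None:  # e.g. LastCrashAt is null when the client never crashed
        return None
    # Integer arithmetic keeps the microsecond precision a float conversion would lose.
    return EPOCH + timedelta(microseconds=int(micros))

def decode_address(entry):
    """Turn one {packed_bytes, address_type} entry into an ipaddress object."""
    raw = base64.b64decode(entry["packed_bytes"], validate=True)
    expected = 4 if entry["address_type"] == "INET" else 16
    if len(raw) != expected:
        raise ValueError(f"{entry['address_type']} address has {len(raw)} bytes, expected {expected}")
    return ipaddress.ip_address(raw)  # accepts packed 4- or 16-byte input

def client_addresses(client, skip_loopback=True):
    """Map interface name -> decoded addresses as strings, dropping loopback entries by default."""
    result = {}
    for iface in client.get("Interfaces", []):
        addrs = [decode_address(a) for a in iface.get("addresses", [])]
        kept = [str(a) for a in addrs if not (skip_loopback and a.is_loopback)]
        if kept:
            result[iface["ifname"]] = kept
    return result

def last_seen_age(client, now):
    """Time elapsed since the agent last checked in, measured against the caller's reference time."""
    return now - grr_time(client["LastSeenAt"])
```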
Output messages
The Get Client Details action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Get Client Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Client Details action:
Script result name | Value |
---|---|
is_success | True or False |
Get Hunt Details
Use the Get Hunt Details action to retrieve hunt details.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Hunt Details action requires the following parameters:
Parameter | Description |
---|---|
Hunt ID | Required. The ID of a hunt to retrieve. This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Get Hunt Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall link
The Get Hunt Details action can generate the following link:
API_ROOT/#/hunts/HUNT_ID
JSON result
The following example shows the JSON result output received when using the Get Hunt Details action:
```json
[
  {
    "Name": "ExampleHunt",
    "Expires": 1537063517000000,
    "Description": "test",
    "Creator": "admin",
    "IsRobot": false,
    "Status": "PAUSED",
    "Hunt_ID": "HUNT_ID",
    "Created": 1535853917657925,
    "Start_Time": 1535853917657925,
    "Duration": "2w",
    "Expiration time": " ",
    "Crash_limit": 100,
    "Client_limit": 100,
    "Client_rate (clients/min)": "20.5",
    "Client_Queued": "20.5",
    "Client_Scheduled": "20.5",
    "Client_Outstanding": "20.5",
    "Client_Completed": "20.5",
    "Client_with Results": "20.5",
    "Results": "20.5",
    "Total_CPU_Time_Used": "20.5",
    "Total_Network_Traffic": "20.5",
    "Flow_Name": "KeepAlive",
    "Flow_Arguments": "20.5",
    "Client_Rule_Set": " "
  }
]
```
Output messages
The Get Hunt Details action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Get Hunt Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Hunt Details action:
Script result name | Value |
---|---|
is_success | True or False |
List Clients
Use the List Clients action to search for clients and interact with them.
This action doesn't run on Google SecOps entities.
Action inputs
The List Clients action requires the following parameters:
Parameter | Description |
---|---|
Offset | Optional. The starting point (offset) to search for clients. |
Max Results To Return | Optional. The maximum number of clients to return in every response. The default value is |
Action outputs
The List Clients action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The List Clients action can generate the following table:
Table name: GRR Clients
Table columns:
- Client ID
- Host
- OS Version
- First Seen
- Client Version
- Labels
- Last Check In
- OS Install Date
JSON result
The following example shows the JSON result output received when using the List Clients action:
```json
[
  {
    "Client_ID": "CLIENT_ID",
    "Agent_Info": {
      "Client_Name": "example",
      "Client_Version": 3420
    },
    "OS_Info": {
      "System": "Linux",
      "Release": "Ubuntu",
      "Architecture": "x86_64",
      "Installation_Time": "2020-04-09 13:44:17 UTC",
      "Kernel": "4.15.0-96-generic",
      "Version": "18.04"
    },
    "Client_Last_Booted_At": "",
    "Client_First_Seen_At": "2020-09-25 14:26:38 UTC",
    "Client_Last_Seen": "2020-11-19 10:12:52 UTC",
    "Client_Last_Clock": "2020-11-19 10:12:52 UTC",
    "Memory_Size": "985.6MiB",
    "Client_Labels": []
  }
]
```
Output messages
The List Clients action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "List Clients". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Clients action:
Script result name | Value |
---|---|
is_success | True or False |
List Hunts
Use the List Hunts action to retrieve information about all available hunts.
This action doesn't run on Google SecOps entities.
Action inputs
The List Hunts action requires the following parameters:
Parameter | Description |
---|---|
Creator | Optional. The user who created the hunt. |
Offset | Optional. The starting point (offset) to search for hunts. |
Max Results To Return | Optional. The maximum number of hunts to return in every response. The default value is |
Action outputs
The List Hunts action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The List Hunts action can generate the following table:
Table name: Hunts
Table columns:
- Hunt ID
- Status
- Creation Time
- Start Time
- Duration
- Client Limit
- Expiration Time
- Creator
- Description
JSON result
The following example shows the JSON result output received when using the List Hunts action:
```json
[
  {
    "Hunt_Description": "Interrogate run by cron to keep host info fresh.",
    "Creator": "GRRCron",
    "Is_Robot": false,
    "State": "STARTED",
    "Creation Time": "1605690387510082",
    "Start Time (initial)": "1605690387678448",
    "Start Time (last)": "1605690387678448",
    "Duration": " ",
    "Client Limit": 0,
    "Expiration Time": " ",
    "Hunt_ID": "HUNT_ID"
  }
]
```
Output messages
The List Hunts action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "List Hunts". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Hunts action:
Script result name | Value |
---|---|
is_success | True or False |
List Launched Flows
Use the List Launched Flows action to list the flows launched on a specified client.
This action runs on the following Google SecOps entities:
- IP Address
- Hostname
Action inputs
The List Launched Flows action requires the following parameters:
Parameter | Description |
---|---|
Offset | Optional. The starting point (offset) to search for flows. |
Max Results To Return | Optional. The maximum number of flows to return in every response. The default value is |
Action outputs
The List Launched Flows action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The List Launched Flows action can generate the following table:
Table name: GRR Launch Flows
Table columns:
- Flow Name
- Flow ID
- State
- Creation Time
- Last Active
- Creator
JSON result
The following example shows the JSON result output received when using the List Launched Flows action:
```json
{
  "Creator": "admin",
  "NestedFlow": [],
  "LastActiveAt": 1535900632278975,
  "Args": { "ARGUMENTS" },
  "State": "TERMINATED",
  "StartedAt": 1535900542745106,
  "Flow_ID": "FLOW_ID",
  "Flow_Name": "FLOW_NAME"
}
```
Output messages
The List Launched Flows action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "List Launched Flows". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Launched Flows action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test the connectivity to GRR Rapid Response.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the GRR server with the provided connection parameters! | The action succeeded. |
Failed to connect to the GRR server! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Start A Hunt
Use the Start A Hunt action to start a newly created hunt. By default, GRR Rapid Response assigns the PAUSED state to all new hunts.
GRR Rapid Response also sets all hunts that reached their client limit to the PAUSED state. After you remove the client limit, you can use the Start A Hunt action to restart paused hunts.
This action doesn't run on Google SecOps entities.
Action inputs
The Start A Hunt action requires the following parameters:
Parameter | Description |
---|---|
Hunt ID | Required. The ID of the hunt to start. This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Start A Hunt action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Start A Hunt action:
```json
[
  {
    "Hunt_ID": "HUNT_ID",
    "State": "STARTED"
  }
]
```
Output messages
The Start A Hunt action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Start A Hunt". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Stop A Hunt
Use the Stop A Hunt action to prevent new clients from being scheduled and to interrupt current flows at the moment when their state changes.
After you stop a hunt, you cannot resume it. This action deletes all results that are still in progress and doesn't affect the results that are already reported.
This action doesn't run on Google SecOps entities.
Action inputs
The Stop A Hunt action requires the following parameters:
Parameter | Description |
---|---|
Hunt ID | Required. The ID of a hunt to stop. This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Stop A Hunt action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Stop A Hunt action:
```json
[
  {
    "Hunt_ID": "HUNT_ID",
    "State": "STOPPED"
  }
]
```
Output messages
The Stop A Hunt action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Stop A Hunt". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Stop A Hunt action:
Script result name | Value |
---|---|
is_success | True or False |