SSH

Integration version: 16.0

Configure SSH integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Actions

Block IP Address in IPtables

Description

Add a rule to IPtables to block an IP address.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | x.x.x.x | Remote server address. |
| Remote Username | String | root | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | N/A |
| Block IP Address | String | N/A | IP address to block. |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

N/A

Delete Firewall Rule

Description

Delete IPtables Firewall rule (Example: INPUT -s 10.0.0.10 -j DROP).

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | Remote server address (example: x.x.x.x). | N/A |
| Remote Username | String | root | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | N/A |
| IPtables Rule | String | N/A | Rule value (example: INPUT -s 10.0.0.10 -j DROP). |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

N/A

Execute Program

Description

Run a script on a remote machine.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | N/A |
| Remote Program Path | String | N/A | The path to the program in the remote host. |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| results | N/A | N/A |

JSON Result

N/A

List Connections

Description

List all connections on a remote machine.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | N/A |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| results | True/False | results:False |

JSON Result

    {
      "Results": [
        "Proto,Recv-Q,SendQ,Local,Address,Foreign,Address,State,PID/Program,name",
        "tcp,0,0,0.0.0.0:111,0.0.0.0:*,LISTEN,1/systemd",
        "tcp,0,0,0.0.0.0:22,0.0.0.0:*,LISTEN,10624/sshd"
      ]
    }
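
An added example (not part of the integration or of the original page) that parses the List Connections JSON result for use in a playbook step, such as listing the listening services on a host under investigation. The last two sample rows are constructed, and the handling of UDP rows and of program names containing spaces is an assumption about how the integration joins the netstat output.

```python
import json

# The header row cannot be zipped against data rows: it has 10 tokens
# ("Local,Address", "Foreign,Address", "PID/Program,name") for 7 data fields.
FIELDS = ("proto", "recv_q", "send_q", "local", "foreign", "state", "process")

# First three rows are from the page; the last two are constructed.
SAMPLE = json.dumps({"Results": [
    "Proto,Recv-Q,SendQ,Local,Address,Foreign,Address,State,PID/Program,name",
    "tcp,0,0,0.0.0.0:111,0.0.0.0:*,LISTEN,1/systemd",
    "tcp,0,0,0.0.0.0:22,0.0.0.0:*,LISTEN,10624/sshd",
    "tcp,0,0,10.0.0.5:22,10.0.0.9:51544,ESTABLISHED,10701/sshd:,root@pts/0",
    "udp,0,0,0.0.0.0:68,0.0.0.0:*,922/dhclient",
]})


def parse_connections(json_result):
    """Return (connections, unparsed_rows) from a List Connections result."""
    connections, unparsed = [], []
    for row in json.loads(json_result).get("Results", []):
        parts = row.split(",")
        if parts[0] == "Proto":  # header row
            continue
        # Assumption: UDP rows have no State, so they arrive one field short.
        if len(parts) == 6 and parts[0].startswith("udp"):
            parts.insert(5, "")
        if len(parts) < 7:
            unparsed.append(row)  # keep for review instead of guessing
            continue
        # Assumption: a program name with spaces is split further; rejoin it.
        parts[6:] = [" ".join(parts[6:])]
        conn = dict(zip(FIELDS, parts))
        pid, _, program = conn.pop("process").partition("/")
        conn["pid"] = int(pid) if pid.isdigit() else None
        conn["program"] = program or None
        connections.append(conn)
    return connections, unparsed


def listening_ports(connections):
    """Map each listening TCP port to the program that owns it."""
    return {
        int(c["local"].rsplit(":", 1)[1]): c["program"]
        for c in connections
        if c["state"] == "LISTEN"
    }
```

Rows that do not fit the expected shape are returned separately so that an analyst can review them.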
 

List Processes

Description

List the running processes on a remote machine.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | 22 | The default port will be 22. |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| results | N/A | N/A |

JSON Result

    {
      "Processes": [
        "USER,PID,%CPU,%MEM,VSZ,RSS,TTY,STAT,START,TIME,COMMAND",
        "root,1,0.0,0.0,193656,6656,?,Ss,Jan16,0:24,/usr/lib/systemd/systemd --system --deserialize 24",
        "root,32142,0.0,0.0,0,0,?,S,Jan22,0:32,[kworker/3:1]"
      ]
    }

List IPtables Rules

Description

List IPtables rules on a remote machine.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | The default port will be 22. |
| Chain | String | N/A | The IPtables chain that you wish to see (example: INPUT, OUTPUT, etc.). |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| results | True/False | results:False |

JSON Result

    {
      "-,Chain,Rule": [
        "-P,INPUT,ACCEPT",
        "-P,FORWARD,ACCEPT",
        "-P,OUTPUT,ACCEPT"
      ]
    }

Logoff User

Description

Log off a remote user.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | The default port will be 22. |
| Logoff Username | String | N/A | The username to log off. |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

N/A

Ping

Description

Test connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

N/A

Reboot Machine

Description

Reboot a remote server.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | The default port will be 22. |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

N/A

Run Command

Description

Run a command on a remote machine.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | N/A |
| Command | String | N/A | Command content (example: ifconfig). |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| results | True/False | results:False |

JSON Result

    {
      "ifconfig": "ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500\ninet 1.1.1.1 netmask 1.1.1.1 broadcast 1.1.1.1\ninet6 fe80::2156:9c37:7a0d:87e prefixlen 64 scopeid 0x20<link>\nether 00:50:56:b5:70:e3 txqueuelen 1000 (Ethernet)\nRX packets 7448423 bytes 1077754116 (1.0 GiB)\nRX errors 0 dropped 0 overruns 0 frame 0\nTX packets 370155 bytes 44300304 (42.2 MiB)\nTX errors 0 dropped 0 overruns 0 carrier 0 collisions 0\nlo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536\ninet 1.1.1.1 netmask 1.1.1.1\ninet6 ::1 prefixlen 128 scopeid 0x10<host>\nloop txqueuelen 1000 (Local Loopback)\nRX packets 86 bytes 4780 (4.6 KiB)\nRX errors 0 dropped 0 overruns 0 frame 0\nTX packets 86 bytes 4780 (4.6 KiB)\nTX errors 0 dropped 0 overruns 0 carrier 0 collisions 0"
    }

Shutdown Machine

Description

Shut down a remote machine.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | The default port will be 22. |
| Wait Time | String | N/A | Time to wait before shutdown in minutes (example: now). |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

N/A

Terminate Process

Description

Terminate a process on a remote machine.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Remote Server | String | N/A | Remote server address (example: x.x.x.x). |
| Remote Username | String | N/A | N/A |
| Remote Password | String | N/A | N/A |
| Remote Port | String | N/A | N/A |
| Process | String | N/A | Process to terminate. |

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

N/A
