Google Cloud Compute
Integration version: 4.0
Use Cases
Manage on-demand VMs in Compute Engine.
Product Permission
Create a Service Account
- Open the Google Cloud console and, in the left pane, click IAM & Admin > Roles.
- Click Create Role to create a custom role that will hold the permissions the integration needs.
- On the page that opens, provide the role Title, Description and ID, and set Role Launch Stage to General Availability.
Add the following permissions to the created role:
- compute.instances.list
- compute.instances.start
- compute.instances.stop
- compute.instances.delete
- compute.instances.setLabels
- compute.instances.getIamPolicy
- compute.instances.setIamPolicy
- compute.instances.get
- compute.zones.list
Click Create to create a new custom role.
Next go to the Google documentation and follow the procedure in the Creating a Service Account section. After you create a service account, a Service Account Private Key file is downloaded.
Grant the role you previously created to the service account so that the service account has the permissions the integration needs.
Configure Compute Engine integration with the JSON contents of the file you downloaded in step 1.
Configure Google Cloud Compute integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is mandatory | Description |
---|---|---|---|---|
Account Type | String | service_account | No | Type of the Google Cloud account. Located at the "type" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Project ID | String | N/A | No | Project ID of the Google Cloud account. Located at the "project_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Private Key ID | Password | N/A | No | Private Key ID of the Google Cloud account. Located at the "private_key_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Private Key | Password | N/A | No | Private Key of the Google Cloud account. Located at the "private_key" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Client Email | String | N/A | No | Client Email of the Google Cloud account. Located at the "client_email" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Client ID | String | N/A | No | Client ID of the Google Cloud account. Located at the "client_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Auth URI | String | https://accounts.google.com/o/oauth2/auth | No | Auth URI of the Google Cloud account. Located at the "auth_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Token URI | String | https://oauth2.googleapis.com/token | No | Token URI of the Google Cloud account. Located at the "token_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Auth Provider X509 URL | String | https://www.googleapis.com/oauth2/v1/certs | No | Auth Provider X509 URL of the Google Cloud account. Located at the "auth_provider_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Client X509 URL | String | N/A | No | Client X509 URL of the Google Cloud account. Located at the "client_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Service Account Json File Content | String | N/A | No | Optional: Instead of specifying Private Key ID, Private Key and other parameters, specify here the full JSON content of the service account file. Other connection parameters are ignored if this parameter is provided. |
Verify SSL | Checkbox | Checked | No | If enabled, the integration verifies that the SSL certificate for the connection to the Google Cloud service is valid. |
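As an added example (not the integration's own code), the precedence and checks the table above implies: the full key-file JSON, when given, wins over the individual parameters; every field the integration reads must be present; and the two Password-type values are masked before anything is written to a log or case wall. Parameter names are the page's; the sample key file is constructed and contains no real key.

```python
import json

# Key-file fields the integration reads, mapped to the parameter names in the
# table above. Only private_key_id and private_key are Password-type.
KEY_FILE_TO_PARAM = {
    "type": "Account Type", "project_id": "Project ID",
    "private_key_id": "Private Key ID", "private_key": "Private Key",
    "client_email": "Client Email", "client_id": "Client ID",
    "auth_uri": "Auth URI", "token_uri": "Token URI",
    "auth_provider_x509_cert_url": "Auth Provider X509 URL",
    "client_x509_cert_url": "Client X509 URL",
}
SECRET_FIELDS = {"private_key_id", "private_key"}


def build_credentials(params):
    """Assemble the credential fields as the table describes: the full JSON
    file content, if given, wins and the individual parameters are ignored."""
    raw = params.get("Service Account Json File Content")
    if raw:
        try:
            creds = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"service account JSON is not valid JSON: {exc}") from exc
    else:
        creds = {k: params.get(p) for k, p in KEY_FILE_TO_PARAM.items()}
    validate_credentials(creds)
    return creds


def validate_credentials(creds):
    """Fail early, before any API call, on an incomplete or wrong-type file."""
    missing = [k for k in KEY_FILE_TO_PARAM if not creds.get(k)]
    if missing:
        raise ValueError("missing credential fields: " + ", ".join(missing))
    if creds["type"] != "service_account":
        raise ValueError(f"unexpected account type {creds['type']!r}")
    if not creds["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM-encoded private key")


def redact(creds):
    """Copy that is safe to write to a log or case wall: secrets are masked."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in creds.items()}


# Constructed sample key-file content (no real key; the PEM body is a stub).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nSTUB\n-----END PRIVATE KEY-----\n",
    "client_email": "soar-compute@example-project.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/soar-compute%40example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    creds = build_credentials({"Service Account Json File Content": SAMPLE_KEY_FILE,
                               "Project ID": "ignored-when-json-is-given"})
    print(redact(creds))
```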
Actions
Ping
Description
Test connectivity to the Compute Engine service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if critical error, like wrong credentials or lost connectivity: "Failed to connect to the Compute Engine service! Error is {0}".format(exception.stacktrace) | General |
List Instances
Description
List Compute Engine instances based on the specified search criteria. Note that this action does not run on Google Security Operations SOAR entities.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Instance Name | CSV | N/A | No | Specify instance name to search for. Parameter accepts multiple values as a comma separated string. |
Instance Status | CSV | N/A | No | Specify instance status to search for. Parameter accepts multiple values as a comma separated string. |
Instance Labels | CSV | N/A | No | Specify instance labels to search for in the format label_key_name:label_value, for example vm_label_key:label1. Parameter accepts multiple values as a comma separated string. |
Max Rows to Return | Integer | 50 | No | Specify how many instances action should return. |
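An added example, not code from the integration, of the filtering the parameters above describe: comma-separated name and status lists, key:value labels, and the Max Rows cap, together with the column mapping of the "Compute Engine Instances" table. Deriving Instance Type from the last segment of the machineType URL is an assumption; the sample records are constructed from the JSON result below, trimmed to the fields used.

```python
def parse_csv(value):
    """Split a comma-separated parameter value into trimmed, non-empty items."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def parse_labels(value):
    """Parse label specs in the label_key_name:label_value format."""
    labels = {}
    for item in parse_csv(value):
        if ":" not in item:
            raise ValueError(f"label {item!r} is not in key:value format")
        key, val = item.split(":", 1)
        labels[key.strip()] = val.strip()
    return labels


def filter_instances(instances, names=None, statuses=None, labels=None, max_rows=50):
    """Apply the List Instances criteria: an empty criterion matches everything,
    a label filter requires every requested key to carry the requested value."""
    wanted_names = set(parse_csv(names))
    wanted_statuses = {s.upper() for s in parse_csv(statuses)}
    wanted_labels = parse_labels(labels)
    selected = []
    for inst in instances:
        if wanted_names and inst.get("name") not in wanted_names:
            continue
        if wanted_statuses and inst.get("status", "").upper() not in wanted_statuses:
            continue
        inst_labels = inst.get("labels", {})
        if any(inst_labels.get(k) != v for k, v in wanted_labels.items()):
            continue
        selected.append(inst)
        if len(selected) >= max_rows:
            break
    return selected


def to_table_row(inst):
    """Columns of the 'Compute Engine Instances' case-wall table. The machine
    type is taken from the last path segment of the machineType URL (assumed)."""
    return {
        "Instance Name": inst.get("name"),
        "Instance ID": inst.get("id"),
        "Instance Creation Time": inst.get("creationTimestamp"),
        "Instance Description": inst.get("description", ""),
        "Instance Type": inst.get("machineType", "").rsplit("/", 1)[-1],
        "Instance Status": inst.get("status"),
        "Instance Labels": ", ".join(f"{k}:{v}" for k, v in sorted(inst.get("labels", {}).items())),
    }


# Constructed sample: the instance from the JSON result below, trimmed to the
# fields used here, plus a second (invented) stopped instance.
SAMPLE_INSTANCES = [
    {"id": "5150223389518432640", "name": "instance-1", "status": "RUNNING",
     "creationTimestamp": "2021-04-28T21:34:57.369-07:00", "description": "",
     "machineType": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/machineTypes/f1-micro",
     "labels": {"vm_test_tag": "tag1"}},
    {"id": "2702854851349968946", "name": "instance-2", "status": "TERMINATED",
     "creationTimestamp": "2021-04-28T22:10:00.000-07:00", "description": "batch worker",
     "machineType": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/machineTypes/e2-medium",
     "labels": {"vm_test_tag": "tag2", "env": "test"}},
]

if __name__ == "__main__":
    for inst in filter_instances(SAMPLE_INSTANCES, statuses="running, terminated", labels="vm_test_tag:tag1"):
        print(to_table_row(inst))
```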
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{ "id": "projects/silver-shift-275007/zones/us-central1-a/instances",
"items": [
{
"id": "5150223389518432640",
"creationTimestamp": "2021-04-28T21:34:57.369-07:00",
"name": "instance-1",
"description": "",
"tags": {
"fingerprint": "42WmSpB8rSM="
},
"machineType": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/machineTypes/f1-micro",
"status": "RUNNING",
"zone": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a",
"canIpForward": false,
"networkInterfaces": [
{
"network": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/global/networks/default",
"subnetwork": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/regions/us-central1/subnetworks/default",
"networkIP": "10.128.0.2",
"name": "nic0",
"accessConfigs": [
{
"type": "ONE_TO_ONE_NAT",
"name": "External NAT",
"natIP": "34.66.156.59",
"networkTier": "PREMIUM",
"kind": "compute#accessConfig"
}
],
"fingerprint": "xXUN4Zp4Dgs=",
"kind": "compute#networkInterface"
}
],
"disks": [
{
"type": "PERSISTENT",
"mode": "READ_WRITE",
"source": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/disks/instance-1",
"deviceName": "instance-1",
"index": 0,
"boot": true,
"autoDelete": true,
"licenses": [
"https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-10-buster"
],
"interface": "SCSI",
"guestOsFeatures": [
{
"type": "UEFI_COMPATIBLE"
},
{
"type": "VIRTIO_SCSI_MULTIQUEUE"
}
],
"diskSizeGb": "10",
"kind": "compute#attachedDisk"
}
],
"metadata": {
"fingerprint": "qkn_HJrWq3Y=",
"kind": "compute#metadata"
},
"serviceAccounts": [
{
"email": "881112408707-compute@developer.gserviceaccount.com",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"selfLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/instances/instance-1",
"scheduling": {
"onHostMaintenance": "MIGRATE",
"automaticRestart": true,
"preemptible": false
},
"cpuPlatform": "Intel Haswell",
"labels": {
"vm_test_tag": "tag1"
},
"labelFingerprint": "barkrAmUbk0=",
"startRestricted": false,
"deletionProtection": false,
"reservationAffinity": {
"consumeReservationType": "ANY_RESERVATION"
},
"displayDevice": {
"enableDisplay": false
},
"shieldedInstanceConfig": {
"enableSecureBoot": false,
"enableVtpm": true,
"enableIntegrityMonitoring": true
},
"shieldedInstanceIntegrityPolicy": {
"updateAutoLearnPolicy": true
},
"confidentialInstanceConfig": {
"enableConfidentialCompute": false
},
"fingerprint": "9e4oFnAOVio=",
"lastStartTimestamp": "2021-04-28T21:35:07.865-07:00",
"kind": "compute#instance"
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Instances". Reason: {0}".format(error.Stacktrace) | General |
Table | Table Name: Compute Engine Instances. Table Columns: Instance Name, Instance ID, Instance Creation Time, Instance Description, Instance Type, Instance Status, Instance Labels | General |
Start Instance
Description
Start a previously stopped Compute Engine Instance. Note that it can take a few minutes for the instance to enter the running status.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Instance ID | String | N/A | Yes | Specify instance id to start. Instance id can be found with the "List Instances" action. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"id": "440218233881490774",
"name": "operation-1619676088845-5c11639ed45b4-4516e708-330d214a",
"zone": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a",
"operationType": "start",
"targetLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/instances/5150223389518432640",
"targetId": "5150223389518432640",
"status": "DONE",
"user": "dana@example.com",
"progress": 100,
"insertTime": "2021-04-28T23:01:29.395-07:00",
"startTime": "2021-04-28T23:01:29.397-07:00",
"endTime": "2021-04-28T23:01:29.397-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/operations/operation-1619676088845-5c11639ed45b4-4516e708-330d214a",
"kind": "compute#operation"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Start Instance". Reason: {0}".format(error.Stacktrace) | General |
Stop Instance
Description
Stops a running instance, shutting it down cleanly, and allows you to restart the instance at a later time. Stopped instances do not incur VM usage charges while they are stopped. However, resources that the VM is using, such as persistent disks and static IP addresses, will continue to be charged until they are deleted.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Instance ID | String | N/A | Yes | Specify instance id to stop. Instance id can be found with the "List Instances" action. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"id": "6634560676812026585",
"name": "operation-1619676214361-5c11641687bca-60e48370-0f66e056",
"zone": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a",
"operationType": "stop",
"targetLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/instances/2702854851349968946",
"targetId": "2702854851349968946",
"status": "RUNNING",
"user": "dana@example.com",
"progress": 0,
"insertTime": "2021-04-28T23:03:34.736-07:00",
"startTime": "2021-04-28T23:03:34.776-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/operations/operation-1619676214361-5c11641687bca-60e48370-0f66e056",
"kind": "compute#operation"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Stop Instance". Reason: {0}".format(error.Stacktrace) | General |
Delete Instance
Description
Delete the specified Compute Engine instance.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Instance ID | String | N/A | Yes | Specify instance id to delete. Instance id can be found with the "List Instances" action. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"id": "6229049230731244493",
"name": "operation-1619676450530-5c1164f7c243b-52ae4f6e-ab78128a",
"zone": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a",
"operationType": "delete",
"targetLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/instances/2702854851349968946",
"targetId": "2702854851349968946",
"status": "RUNNING",
"user": "dana@example.com",
"progress": 0,
"insertTime": "2021-04-28T23:07:30.902-07:00",
"startTime": "2021-04-28T23:07:30.943-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/operations/operation-1619676450530-5c1164f7c243b-52ae4f6e-ab78128a",
"kind": "compute#operation"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Instance". Reason: {0}".format(error.Stacktrace) | General |
Add Labels to Instance
Description
Add labels to the Compute Engine Instance.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Instance ID | String | N/A | Yes | Specify instance id to add labels to. Instance id can be found with the "List Instances" action. |
Instance Labels | CSV | N/A | Yes | Specify instance labels to add to instance. Labels should be provided in the following format - label_key_name:label_value, for example vm_label_key:label1. Parameter accepts multiple values as a comma separated string. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"id": "7839725575198354144",
"name": "operation-1620284431406-5c1a3ddf814e1-a6b50fe4-ebf65d96",
"zone": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a",
"operationType": "setLabels",
"targetLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/instances/5150223389518432640",
"targetId": "5150223389518432640",
"status": "RUNNING",
"user": "dana@example.com",
"progress": 0,
"insertTime": "2021-05-06T00:00:31.858-07:00",
"startTime": "2021-05-06T00:00:31.867-07:00",
"selfLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/operations/operation-1620284431406-5c1a3ddf814e1-a6b50fe4-ebf65d96",
"kind": "compute#operation"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Labels to Instance". Reason: {0}".format(error.Stacktrace) | General |
Get Instance IAM Policy
Description
Gets the access control policy for the resource. Note that policy may be empty if no policy is assigned to the resource.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Instance ID | String | N/A | Yes | Specify instance id to get policy for. Instance id can be found with the "List Instances" action. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"version": 1,
"etag": "BwXBfsc47MI=",
"bindings": [
{
"role": "roles/compute.networkViewer_withcond_2f0c003401ba9aa6235f",
"members": [
"user:dana@example.com"
]
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Get Instance IAM Policy". Reason: {0}".format(error.Stacktrace) | General |
Set Instance IAM Policy
Description
Sets the access control policy on the specified resource. Note that policy provided in action replaces any existing policy.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Instance ID | String | N/A | Yes | Specify instance id to set policy for. Instance id can be found with the "List Instances" action. |
Policy | String | N/A | Yes | Specify JSON policy document to set for instance. |
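Because this action replaces the whole policy, the safe pattern is read-modify-write: take the document returned by Get Instance IAM Policy, change only the binding you mean to change, and send it back with its etag so that a policy changed in the meantime is rejected rather than overwritten. The helpers below are an added example, not part of the integration; the starting policy is the one in this action's JSON Result, and the group member is constructed.

```python
import copy
import json


def add_member(policy, role, member):
    """Return a new policy that keeps every existing binding and the etag from
    Get Instance IAM Policy, and adds member to role (creating the binding)."""
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return new_policy


def remove_member(policy, role, member):
    """Same read-modify-write shape for revocation; empty bindings are dropped."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding.get("role") == role:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding.get("members"):
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def members_lost(current, proposed):
    """role -> members present now but absent from proposed: what a replace-style
    Set Instance IAM Policy would silently revoke. Review this before sending."""
    def as_map(policy):
        return {b["role"]: set(b.get("members", [])) for b in policy.get("bindings", [])}
    now, later = as_map(current), as_map(proposed)
    lost = {}
    for role, members in now.items():
        gone = members - later.get(role, set())
        if gone:
            lost[role] = sorted(gone)
    return lost


def policy_parameter(policy):
    """Serialize for the action's Policy parameter. The etag must travel with
    the document so the service rejects the write if the policy has changed."""
    if not policy.get("etag"):
        raise ValueError("refusing to set a policy without the etag from Get")
    return json.dumps(policy)


# Constructed sample: the policy shown in this action's JSON Result.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwXBftu99FE=",
    "bindings": [{"role": "roles/compute.networkViewer", "members": ["user:dana@example.com"]}],
}

if __name__ == "__main__":
    proposed = add_member(CURRENT_POLICY, "roles/compute.networkViewer", "group:sec-ops@example.com")
    print(members_lost(CURRENT_POLICY, proposed))   # {} : nothing would be revoked
    print(policy_parameter(proposed))
```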
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"version": 1,
"etag": "BwXBftu99FE=",
"bindings": [
{
"role": "roles/compute.networkViewer",
"members": [
"user:dana@example.com"
]
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Set Instance IAM Policy". Reason: {0}".format(error.Stacktrace) | General |
Enrich Entities
Description
Enrich Google Security Operations SOAR IP entities with instance information from Google Cloud Compute.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Zone | String | N/A | Yes | Specify instance zone name to search for instances in. |
Run On
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"id": "5150223389518432640",
"creationTimestamp": "2021-04-28T21:34:57.369-07:00",
"name": "instance-1",
"description": "",
"tags": {
"fingerprint": "42WmSpB8rSM="
},
"machineType": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/machineTypes/f1-micro",
"status": "RUNNING",
"zone": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a",
"canIpForward": false,
"networkInterfaces": [
{
"network": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/global/networks/default",
"subnetwork": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/regions/us-central1/subnetworks/default",
"networkIP": "10.128.0.2",
"name": "nic0",
"accessConfigs": [
{
"type": "ONE_TO_ONE_NAT",
"name": "External NAT",
"natIP": "34.66.156.59",
"networkTier": "PREMIUM",
"kind": "compute#accessConfig"
}
],
"fingerprint": "xXUN4Zp4Dgs=",
"kind": "compute#networkInterface"
}
],
"disks": [
{
"type": "PERSISTENT",
"mode": "READ_WRITE",
"source": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/disks/instance-1",
"deviceName": "instance-1",
"index": 0,
"boot": true,
"autoDelete": true,
"licenses": [
"https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-10-buster"
],
"interface": "SCSI",
"guestOsFeatures": [
{
"type": "UEFI_COMPATIBLE"
},
{
"type": "VIRTIO_SCSI_MULTIQUEUE"
}
],
"diskSizeGb": "10",
"kind": "compute#attachedDisk"
}
],
"metadata": {
"fingerprint": "qkn_HJrWq3Y=",
"kind": "compute#metadata"
},
"serviceAccounts": [
{
"email": "881112408707-compute@developer.gserviceaccount.com",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"selfLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/instances/instance-1",
"scheduling": {
"onHostMaintenance": "MIGRATE",
"automaticRestart": true,
"preemptible": false
},
"cpuPlatform": "Intel Haswell",
"labels": {
"vm_test_tag": "tag1"
},
"labelFingerprint": "barkrAmUbk0=",
"startRestricted": false,
"deletionProtection": false,
"reservationAffinity": {
"consumeReservationType": "ANY_RESERVATION"
},
"displayDevice": {
"enableDisplay": false
},
"shieldedInstanceConfig": {
"enableSecureBoot": false,
"enableVtpm": true,
"enableIntegrityMonitoring": true
},
"shieldedInstanceIntegrityPolicy": {
"updateAutoLearnPolicy": true
},
"confidentialInstanceConfig": {
"enableConfidentialCompute": false
},
"fingerprint": "9e4oFnAOVio=",
"lastStartTimestamp": "2021-04-28T21:35:07.865-07:00",
"kind": "compute#instance"
}
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Google_Compute_instance_id | |
Google_Compute_creation_timestamp | |
Google_Compute_instance_name | |
Google_Compute_description | |
Google_Compute_tags | Tags csv list |
Google_Compute_machine_type | |
Google_Compute_instance_status | |
Google_Compute_instance_zone | |
Google_Compute_can_ip_forward | |
Google_Compute_instance_network_ | Should add more if there are more network interfaces available |
Google_Compute_instance_network_interfaces_ | Should add more if there are more network interfaces available |
Google_Compute_instance_network_interfaces_ | Should add more if there are more network interfaces available |
Google_Compute_instance_network_interfaces_ | Should add more if there are more network interfaces available |
Google_Compute_instance_metadata | CSV list of values from instance metadata |
Google_Compute_service_account_ | Should add more if there are more service accounts available |
Google_Compute_service_account_scopes_ | Should add more if there are more service accounts available |
Google_Compute_link_to_Google_Compute | |
Google_Compute_labels | CSV list of values |
Google_Compute_instance_last_start_timestamp | |
Google_Compute_instance_last_stop_timestamp | |
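An added example (not the integration's code) of the enrichment logic the table above describes: the IP entity is matched against each interface's internal networkIP and external natIP, and the matching instance is flattened into the Google_Compute_* fields. The suffixes for the per-interface and per-service-account fields are an assumption, since the page shows only the name prefixes; tags and metadata are read from the API's items lists, which the record above does not populate. The sample records are constructed from the JSON result above, trimmed to the fields used.

```python
def instance_for_ip(instances, ip):
    """Find the instance owning ip: each interface's internal networkIP or an
    external natIP in its accessConfigs (both appear in the record above)."""
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if nic.get("networkIP") == ip:
                return inst
            if any(cfg.get("natIP") == ip for cfg in nic.get("accessConfigs", [])):
                return inst
    return None


def csv(values):
    return ", ".join(str(v) for v in values)


def enrich_ip_entity(instances, ip):
    """Flatten the matching instance into the Google_Compute_* fields; an IP
    with no matching instance yields no fields."""
    inst = instance_for_ip(instances, ip)
    if inst is None:
        return {}
    fields = {
        "Google_Compute_instance_id": inst.get("id"),
        "Google_Compute_creation_timestamp": inst.get("creationTimestamp"),
        "Google_Compute_instance_name": inst.get("name"),
        "Google_Compute_description": inst.get("description", ""),
        "Google_Compute_tags": csv(inst.get("tags", {}).get("items", [])),
        "Google_Compute_machine_type": inst.get("machineType", "").rsplit("/", 1)[-1],
        "Google_Compute_instance_status": inst.get("status"),
        "Google_Compute_instance_zone": inst.get("zone", "").rsplit("/", 1)[-1],
        "Google_Compute_can_ip_forward": inst.get("canIpForward"),
        "Google_Compute_instance_metadata": csv(
            item.get("value", "") for item in inst.get("metadata", {}).get("items", [])),
        "Google_Compute_link_to_Google_Compute": inst.get("selfLink"),
        "Google_Compute_labels": csv(f"{k}:{v}" for k, v in inst.get("labels", {}).items()),
        "Google_Compute_instance_last_start_timestamp": inst.get("lastStartTimestamp"),
        "Google_Compute_instance_last_stop_timestamp": inst.get("lastStopTimestamp"),
    }
    # One group of fields per interface and per service account. The suffixes
    # after the prefixes shown in the table are an assumption of this example.
    for i, nic in enumerate(inst.get("networkInterfaces", []), start=1):
        fields[f"Google_Compute_instance_network_interfaces_{i}_network_ip"] = nic.get("networkIP")
        fields[f"Google_Compute_instance_network_interfaces_{i}_nat_ip"] = csv(
            c.get("natIP", "") for c in nic.get("accessConfigs", []))
    for i, sa in enumerate(inst.get("serviceAccounts", []), start=1):
        fields[f"Google_Compute_service_account_{i}_email"] = sa.get("email")
        fields[f"Google_Compute_service_account_scopes_{i}"] = csv(sa.get("scopes", []))
    return fields


# Constructed sample: the record above trimmed to the fields used here, plus a
# second (invented) instance on another address for the non-matching case.
SAMPLE_INSTANCES = [
    {
        "id": "5150223389518432640", "name": "instance-1", "status": "RUNNING",
        "creationTimestamp": "2021-04-28T21:34:57.369-07:00", "description": "",
        "machineType": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/machineTypes/f1-micro",
        "zone": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a",
        "canIpForward": False,
        "networkInterfaces": [{"name": "nic0", "networkIP": "10.128.0.2",
                               "accessConfigs": [{"natIP": "34.66.156.59"}]}],
        "serviceAccounts": [{"email": "881112408707-compute@developer.gserviceaccount.com",
                             "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                        "https://www.googleapis.com/auth/logging.write"]}],
        "selfLink": "https://www.googleapis.com/compute/v1/projects/silver-shift-275007/zones/us-central1-a/instances/instance-1",
        "labels": {"vm_test_tag": "tag1"},
        "lastStartTimestamp": "2021-04-28T21:35:07.865-07:00",
    },
    {"id": "2702854851349968946", "name": "instance-2", "status": "TERMINATED",
     "networkInterfaces": [{"name": "nic0", "networkIP": "10.128.0.3", "accessConfigs": []}]},
]
```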
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace) | General |
Table (Enrichment) | If we do entity enrichment in the action. Columns: Entity | |