Google Rapid Response (GRR)

Integration version: 5.0

Use Cases

  1. Joe saw something weird, check his machine
  2. Forensically acquire 25 machines for analysis
  3. Tell me if this machine is compromised

Configure Google Rapid Response (GRR) integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is Mandatory | Description
API Root | String | https://<IP>:8000 | Yes | Server URL including port.
Username | String | N/A | Yes | The username of the GRR server.
Password | Password | N/A | Yes | The password for GRR connection.
Verify SSL | Checkbox | unchecked | No | If enabled, verify the SSL certificate for the connection to the GRR server.

Actions

Ping

Description

Test connectivity to the GRR server with the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if successful: print "Successfully connected to the GRR server with the provided connection parameters!"

The action should fail and stop a playbook execution (wrong credentials, no connection to the server, etc.):
if not successful: print "Failed to connect to the GRR server! Error is {0}".format(exception.stacktrace)

General

List Clients

Description

Search clients in order to start interacting with them.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Offset | String | N/A | No | Specify the offset at which to start returning found clients.
Max Results To Return | String | 5 | No | Specify how many clients to return in the response.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{
    "Client_ID": "C.d5d864717e679364",
    "Agent_Info": {
        "Client_Name": "grr",
        "Client_Version": 3420
    },
    "OS_Info": {
        "System": "Linux",
        "Release": "Ubuntu",
        "Architecture": "x86_64",
        "Installation_Time": "2020-04-09 13:44:17 UTC",
        "Kernel": "4.15.0-96-generic",
        "Version": "18.04"
    },
    "Client_Last_Booted_At": "",
    "Client_First_Seen_At": "2020-09-25 14:26:38 UTC",
    "Client_Last_Seen": "2020-11-19 10:12:52 UTC",
    "Client_Last_Clock": "2020-11-19 10:12:52 UTC",
    "Memory_Size": "985.6MiB",
    "Client_Labels": []
}]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful: print "Successfully listed available clients in GRR"

If nothing found (no clients available): Print: "No clients are available in GRR"

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: print 'Error executing action "List Clients". Reason: {0}'.format(error.Stacktrace)

General
CSV

Table Name: GRR Clients

Table columns:

Client ID
Host
OS Version
First Seen
Client Version
Labels
Last Check In
OS Install Date

General

Get Client Details

Description

Get the full details of a client.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Client ID | String | N/A | Yes | ID of the client. Comma separated.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[
        {
            "HardwareInfo": {
                "system_product_name": "HVM domU",
                "bios_rom_size": "64 kB",
                "bios_vendor": "Xen",
                "system_sku_number": "Not Specified",
                "system_family": "Not Specified",
                "system_uuid": "EC2EDE26-BB13-B80C-1915-DC53118B923F",
                "system_manufacturer": "Xen",
                "bios_release_date": "08/24/2006",
                "bios_version": "4.2.amazon",
                "serial_number": "ec2ede26-bb13-b80c-1915-dc53118b923f",
                "bios_revision": "4.2"
            },
            "LastClock": 1535907460060247,
            "Interfaces": [
                {
                    "ifname": "lo",
                    "addresses": [
                        {
                            "packed_bytes": "fwAAAQ==",
                            "address_type": "INET"
                        },
                        {
                            "packed_bytes": "AAAAAAAAAAAAAAAAAAAAAQ==",
                            "address_type": "INET6"
                        }
                    ],
                    "mac_address": "AAAAAAAA"
                },
                {
                    "ifname": "eth0",
                    "addresses": [
                        {
                            "packed_bytes": "rB8sWw==",
                            "address_type": "INET"
                        },
                        {
                            "packed_bytes": "/oAAAAAAAAAE1kv//h5yfg==",
                            "address_type": "INET6"
                        }
                    ],
                    "mac_address": "BtZLHnJ+"
                }
            ],
            "OS": {
                "kernel": "4.4.0-1065-aws",
                "install_date": 1534280169000000,
                "system": "Linux",
                "fqdn": "ip-172-31-44-91.eu-central-1.compute.internal",
                "machine": "x86_64",
                "version": "16.4",
                "release": "Ubuntu"
            },
            "AgentInfo": {
                "client_name": "grr",
                "client_description": "grr linux amd64",
                "client_version": 3232,
                "build_time": "2018-06-28 09:37:57"
            },
            "Labels": [],
            "LastBootedAt": 1535292604000000,
            "FirstSeenAt": 1535293827970976,
            "User": [],
            "Volumes": [
                {
                    "total_allocation_units": 50808745,
                    "bytes_per_sector": 4096,
                    "sectors_per_allocation_unit": 1,
                    "unixvolume": {
                        "mount_point": "/"
                    },
                    "actual_available_allocation_units": 50027766
                }
            ],
            "LastCrashAt": null,
            "LastSeenAt": 1535907460075229,
            "ID": "C.d824a5afc0ee6a46"
        }
]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print (f"Successfully fetched details for the following clients: {client_ids_list}")
  • if one/some client ids are invalid: print (f"Could not fetch details for the specified clients. {client_ids list} does not exist")

The action should fail and stop a playbook execution:

  • if fatal error, like wrong credentials, no connection to server, other: print 'Error executing action "Get Client Details". Reason: {0}'.format(error.Stacktrace)

General
CSV

Table Name: GRR Clients Details

Table columns:

Client ID
Host
OS Version
Labels
Memory Size
Client Version
First Seen
Last Seen
OS Install Date

General
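The Get Client Details result above carries interface addresses as base64-encoded raw bytes (packed_bytes, mac_address) and timestamps as microseconds since the Unix epoch, while the CSV table needs readable values. The helper below is an added example, not the integration's own code; it decodes the sample record shown above (trimmed to the fields it uses) into the form the case wall expects.

```python
import base64
import ipaddress
from datetime import datetime, timezone

# Trimmed copy of the sample Get Client Details result shown above.
SAMPLE_CLIENT = {
    "ID": "C.d824a5afc0ee6a46",
    "LastSeenAt": 1535907460075229,
    "OS": {"fqdn": "ip-172-31-44-91.eu-central-1.compute.internal"},
    "Interfaces": [
        {"ifname": "lo", "mac_address": "AAAAAAAA", "addresses": [
            {"packed_bytes": "fwAAAQ==", "address_type": "INET"},
            {"packed_bytes": "AAAAAAAAAAAAAAAAAAAAAQ==", "address_type": "INET6"}]},
        {"ifname": "eth0", "mac_address": "BtZLHnJ+", "addresses": [
            {"packed_bytes": "rB8sWw==", "address_type": "INET"},
            {"packed_bytes": "/oAAAAAAAAAE1kv//h5yfg==", "address_type": "INET6"}]},
    ],
}

def us_to_text(us):
    """GRR timestamps are integer microseconds since the Unix epoch; 0/None means unset."""
    if not us:
        return ""
    dt = datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")

def packed_to_ip(b64):
    """packed_bytes is base64 of the raw 4-byte (INET) or 16-byte (INET6) address."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) not in (4, 16):
        raise ValueError("unexpected packed address length: %d" % len(raw))
    return str(ipaddress.ip_address(raw))

def packed_to_mac(b64):
    """mac_address is base64 of the raw 6-byte MAC."""
    raw = base64.b64decode(b64, validate=True)
    return ":".join("%02x" % b for b in raw)

def summarize_client(client):
    """Flatten one Get Client Details record into the fields the CSV table needs."""
    ifaces = client.get("Interfaces", [])
    return {
        "client_id": client["ID"],
        "host": client["OS"]["fqdn"],
        "last_seen": us_to_text(client["LastSeenAt"]),
        "addresses": [(i["ifname"], packed_to_ip(a["packed_bytes"]))
                      for i in ifaces for a in i.get("addresses", [])],
        "macs": {i["ifname"]: packed_to_mac(i["mac_address"]) for i in ifaces},
    }
```

Decoding eth0 yields 172.31.44.91, which matches the fqdn in the same record, a quick consistency check when an entity's IP is used to locate its GRR client.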

List Launched Flows

Description

List flows launched on a specified client.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Offset | String | N/A | No | Specify the offset at which to start returning found flows.
Max Results To Return | String | 5 | No | Specify how many flows to return in the response.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "Creator": "admin",
    "NestedFlow": [],
    "LastActiveAt": 1535900632278975,
    "Args": {
        Flat dict of runner_args - only values
    },
    "State": "TERMINATED",
    "StartedAt": 1535900542745106,
    "Flow_ID": "B4E564CC",
    "Flow_Name": "AnalyzeClientMemory"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print (f"Successfully listed flows launched on {client_id} client")
  • if no entities: print (f"Could not list flows. No entities were found.")
  • if some entities succeed and others fail: is_success=True, msg: "Successfully listed flows launched on the following entities: {entity identifier} " "Could not list flows on the following entities: {entity identifier}"
  • If no entities (IPs & Hostnames) are in scope: Print(f"Could not list flows. IPs or Hosts entities were not found in current scope")

The action should fail and stop a playbook execution:

  • if fatal error, like wrong credentials, no connection to server, other: print 'Error executing action "List Launched Flows" for {0} client. Reason: {1}'.format(client_id, error.Stacktrace)
General
CSV

Table Name: GRR Launched Flows

Table columns:

Flow Name
Flow ID
State
Creation Time
Last Active
Creator

General

List Hunts

Description

Get all available hunts.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Creator | String | N/A | No | Return hunts created by a specified user.
Offset | String | N/A | No | Specify the offset at which to start returning found hunts.
Max Results To Return | String | 5 | No | Specify how many hunts to return in the response.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[
    {
        "Hunt_Description": "Interrogate run by cron to keep host info fresh.",
        "Creator": "GRRCron",
        "Is_Robot": false,
        "State": "STARTED",
        "Creation Time": "1605690387510082",
        "Start Time (initial)": "1605690387678448",
        "Start Time (last)": "1605690387678448",
        "Duration": " ",
        "Client Limit": 0,
        "Expiration Time": " ",
        "Hunt_ID": "86C0ADF9"
    }
]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print (f"Successfully listed hunts")
  • if creator is invalid: print (f"Could not list hunts for the specified creator. {creator} does not exist"), is_success=false
  • If creator is valid, but the offset is so high that there are no results: print (f"Could not list hunts for the specified creator. Please check the Offset value.")

The action should fail and stop a playbook execution:

  • if fatal error, like wrong credentials, no connection to server, other: print 'Error executing action "List Hunts". Reason: {0}'.format(error.Stacktrace)
General
CSV

Table Name: Hunts

Table columns:

Hunt ID
Status
Creation Time
Start Time
Duration
Client Limit
Expiration Time
Creator
Description

General

Get Hunt Details

Description

Get the details of a hunt.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Hunt ID | String | N/A | Yes | ID of the hunt to fetch. Comma separated.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[
        {
            "Name": "GenericHunt",
            "Expires": 1537063517000000,
            "Description": "ziv test",
            "Creator": "admin",
            "IsRobot": false,
            "Status": "PAUSED",
            "Hunt_ID": "3E9D4606",
            "Created": 1535853917657925,
            "Start_Time": 1535853917657925,
            "Duration": "2w",
            "Expiration time": " ",
            "Crash_limit": 100,
            "Client_limit": 100,
            "Client_rate (clients/min)": "20.5",
            "Client_Queued": "20.5",
            "Client_Scheduled": "20.5",
            "Client_Outstanding": "20.5",
            "Client_Completed": "20.5",
            "Client_with Results": "20.5",
            "Results": "20.5",
            "Total_CPU_Time_Used": "20.5",
            "Total_Network_Traffic": "20.5",
            "Flow_Name": "KeepAlive",
            "Flow_Arguments": "20.5",
            "Client_Rule_Set": " "
        }
]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: print (f"Successfully fetched details for {hunt_id} hunt")
  • if one/some hunt ids are invalid: print (f"Could not fetch details for the specified hunts. {hunt_ids list} does not exist")

The action should fail and stop a playbook execution:

  • if fatal error, like wrong credentials, no connection to server, other: print 'Error executing action "Get Hunt Details" for {0} hunt. Reason: {1}'.format(hunt_ids, error.Stacktrace)

General
Link

The structure of the link is the following:

{api_root}/#/hunts/{hunt_id}

General

Stop a Hunt

Description

Stopping a hunt will prevent new clients from being scheduled and interrupt in-progress flows the next time they change state. This is a hard stop, so in-progress results will be lost, but results already reported are unaffected. Once a hunt is stopped, there is no way to start it again.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Hunt ID | String | N/A | Yes | ID of the hunt to stop. Comma separated.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{ "Hunt_ID": "5C1D041C", "State": "STOPPED" }]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful (valid hunt ID and current hunt state is STARTED or PAUSED): print (f"Successfully stopped the following hunts: {hunt_id list}")
  • if one/some hunt ids are invalid: print (f"Could not stop the following hunts. {hunt_ids list} could not be found in GRR")
  • If one/some of the hunts are not in the STARTED or PAUSED states: print(f"Could not stop the following hunts: {hunt_ids list}. Hunt can only be stopped from STARTED or PAUSED states.")
  • NOTE: IS_SUCCESS should be set to true if at least one of the hunts stopped.

The action should fail and stop a playbook execution:

  • if fatal error, like wrong credentials, no connection to server, other: print 'Error executing action "Stop a Hunt" for {0} hunt. Reason: {1}'.format(hunt_ids, error.Stacktrace)
General

Start a Hunt

Description

Use this to start a newly created hunt. New hunts are created in the PAUSED state, so you'll need to do this to run them. Hunts that reach their client limit will also be set to PAUSED; use this to restart them after you have removed the client limit.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Hunt ID | String | N/A | Yes | ID of the hunt to start. Comma separated.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[{ "Hunt_ID": "5C1D041C", "State": "STARTED" }]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful (valid hunt ID and current hunt state is PAUSED): print (f"Successfully started the following hunts: {hunt_id list}")
  • if one/some hunt ids are invalid: print (f"Could not start the following hunts. {hunt_ids list} could not be found in GRR")
  • If one/some of the hunts are not in the PAUSED state: print(f"Could not start the following hunts: {hunt_ids list}. Hunt can only be started from PAUSED state.")
  • NOTE: IS_SUCCESS should be set to true if at least one of the hunts started.

The action should fail and stop a playbook execution:

  • if fatal error, like wrong credentials, no connection to server, other: print 'Error executing action "Start a Hunt" for {0} hunt. Reason: {1}'.format(hunt_ids, error.Stacktrace)
General
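The Stop a Hunt and Start a Hunt actions above share one rule set: a hunt can only be stopped from STARTED or PAUSED, only started from PAUSED, unknown IDs are reported separately, and is_success is true when at least one hunt changed state. The function below is an added example, not the integration's own code; the hunt-ID-to-state lookup it takes (SAMPLE_HUNT_STATES) is a constructed stand-in for what a query to the GRR server would return.

```python
# Allowed source states, resulting state and past-tense verb, keyed by action.
TRANSITIONS = {
    "stop": ({"STARTED", "PAUSED"}, "STOPPED", "stopped"),
    "start": ({"PAUSED"}, "STARTED", "started"),
}

# Constructed sample of a hunt ID -> state lookup (stands in for a GRR API query).
SAMPLE_HUNT_STATES = {"5C1D041C": "STARTED", "86C0ADF9": "PAUSED", "3E9D4606": "STOPPED"}

def plan_hunt_action(action, hunt_id_param, hunt_states):
    """Apply the Stop/Start rules to a comma-separated Hunt ID parameter.

    Returns the JSON result, the output messages and is_success as the action
    specs describe: is_success is True if at least one hunt changed state.
    """
    allowed_from, new_state, verb = TRANSITIONS[action]
    changed, missing, wrong_state = [], [], []
    for hunt_id in (h.strip() for h in hunt_id_param.split(",")):
        if not hunt_id:
            continue  # tolerate trailing commas / double spaces in the parameter
        state = hunt_states.get(hunt_id)
        if state is None:
            missing.append(hunt_id)
        elif state in allowed_from:
            changed.append(hunt_id)
        else:
            wrong_state.append(hunt_id)
    messages = []
    if changed:
        messages.append(f"Successfully {verb} the following hunts: {', '.join(changed)}")
    if missing:
        messages.append(f"Could not {action} the following hunts. "
                        f"{', '.join(missing)} could not be found in GRR")
    if wrong_state:
        allowed = " or ".join(sorted(allowed_from))
        messages.append(f"Could not {action} the following hunts: {', '.join(wrong_state)}. "
                        f"Hunt can only be {verb} from {allowed} states.")
    return {
        "is_success": bool(changed),
        "json_result": [{"Hunt_ID": h, "State": new_state} for h in changed],
        "messages": messages,
    }
```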