Cortex XSOAR and Google Cloud Functions, because we can
Even if you did not watch “Peaky Blinders”, the famous “Why? Because we fucking can! Because we fucking can, and if we can, we do.” should have reached you via social media anyway.
In that spirit, I played around a bit with Google Cloud Functions, you know the ones I use to publish the automated cloud news with:
[Linked post on cybernotdienst.de: “My CloudNewsReposted, after being pretty dormant for a while, I needed a new home and while I am waiting to get a new…”]
I thought about a way to publish them regularly without me executing the functions every week.
Of course, you are all thinking of Cloud Scheduler, or of running a cron job somewhere that uses the gcloud command to execute the function. All great ideas, and I will post a blog about Cloud Scheduler soon enough… but for now, let’s have a bit more fun.
As this job trigger will require XSOAR, you may want to take a look at the Community Edition, which offers an always-free version of XSOAR that is limited to 166 commands per day.
To get everything up and running, we essentially need 5 things:
- A running XSOAR
- A Cloud function and a service account to invoke a cloud function
- The XSOAR “Google Cloud Functions” integration
- A small Playbook
- and a recurring job
There isn’t much that is easier than this: once you have signed up and received the link to the installer, you simply run
jstephan@tc01:~$ sudo ./demisto.sh
which starts the installer, and it will handle the rest for you. During the installation it will ask you some questions:
Enter server HTTPS port: (default: '443') 8081
Is Cortex XSOAR connecting to an elasticsearch database? [yes no] (default: 'no')
Enter name for admin user: (default: 'admin') admin
Enter password for user 'admin': **********
Verify password: **********
Server (Secure) Web Port: 8081.
Admin user name: `admin`
Are these configurations correct? [yes no] yes
After that is done, XSOAR will be ready and waiting for you on the port you chose. For more information on installing XSOAR, especially the sizing and hardware requirements, please have a look here:
[Linked page on docs.paloaltonetworks.com: “Cortex XSOAR combines security orchestration, incident management, and interactive investigation into a seamless…”]
Cloud Functions Service Account
As I described the general Cloud Function already, the next step is only to get a service account and an API key for it.
We can make our life easy (and maybe a bit less secure) by just reusing the account which is already allowed to invoke the Cloud Run function, in this case “myserviceaccount”. A dedicated service account that holds only the Cloud Functions Invoker role (roles/cloudfunctions.invoker) on that one function would be the least-privilege choice.
Here we can simply “ADD KEY”, which provides the JSON key file we need for the configuration in XSOAR. Treat that file like a password: it contains the account’s private key and does not expire on its own.
XSOAR Cloud Function Integration
XSOAR has a pretty huge marketplace. Here you can find integrations, playbooks and automations for almost any type of software, including Cloud Functions:
Once installed, you can check the Settings -> Integrations page in XSOAR for the configuration, which simply takes the JSON key file we retrieved earlier.
Now you can jump to the playground within XSOAR and play a bit with the commands offered by the integration:
- google-cloud-function-execute: Executes a Google Cloud function.
- google-cloud-function-get-by-name: Gets the details of a specific Google Cloud function.
- google-cloud-function-regions-list: Lists all regions in the project.
- google-cloud-functions-list: Lists all Google Cloud functions.
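To see what sits behind the two steps above, here is an added example (not code from the XSOAR integration or from Google’s SDK) that first sanity-checks a downloaded service account key file before it is pasted into an integration instance, and then builds the Cloud Functions v1 “call” request that google-cloud-function-execute performs under the hood. The key file fields follow Google’s service account JSON format; the sample key, the project id “example-project” and the function name “cloudnews” are constructed for the example, and the sample carries no real private key material.

```python
"""Added example: validate a Google service account key file and build the
Cloud Functions v1 projects.locations.functions.call request. Not part of the
XSOAR integration or of Google's SDK; the sample key below is constructed."""
import json
import urllib.request

# Fields every usable service account key file must carry.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def validate_service_account_key(raw_json: str) -> dict:
    """Parse a key file and reject anything that is not a well-formed
    service account key. Returns the parsed key on success."""
    key = json.loads(raw_json)
    if not isinstance(key, dict):
        raise ValueError("key file must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key (type={key['type']!r})")
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM-encoded private key")
    if not key["client_email"].endswith(".gserviceaccount.com"):
        raise ValueError("client_email is not a Google service account")
    return key


def is_valid_service_account_key(raw_json: str) -> bool:
    """Boolean wrapper for a pre-flight check before configuring XSOAR."""
    try:
        validate_service_account_key(raw_json)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def describe_key(key: dict) -> dict:
    """Identity fields only: safe for a log or ticket, unlike private_key."""
    return {"client_email": key["client_email"],
            "project_id": key["project_id"],
            "private_key_id": key["private_key_id"]}


def function_resource_name(project_id: str, region: str, function_name: str) -> str:
    """Fully qualified resource name used by the Cloud Functions v1 API."""
    return f"projects/{project_id}/locations/{region}/functions/{function_name}"


def build_call_request(key: dict, region: str, function_name: str, data=None):
    """URL and JSON body for projects.locations.functions.call. The API takes
    the function input as one string, so structured data is JSON-encoded."""
    name = function_resource_name(key["project_id"], region, function_name)
    url = f"https://cloudfunctions.googleapis.com/v1/{name}:call"
    body = {"data": "" if data is None else json.dumps(data)}
    return url, body


def invoke_function(key: dict, region: str, function_name: str,
                    access_token: str, data=None):
    """Perform the call with an OAuth2 bearer token (needs network access).
    The token can come from `gcloud auth print-access-token`; the identity
    it represents needs roles/cloudfunctions.invoker on the function."""
    url, body = build_call_request(key, region, function_name, data)
    request = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


# Constructed sample key: same shape as a real download, dummy values only.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMYKEYMATERIAL\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "myserviceaccount@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    sample = validate_service_account_key(SAMPLE_KEY_JSON)
    print(describe_key(sample))
    print(build_call_request(sample, "europe-west1", "cloudnews"))
```

The integration does the token exchange for you from the key file; invoke_function keeps that part out and expects a token you already hold, which is also the quickest way to confirm from a shell that the chosen service account really is allowed to call just this one function and nothing else.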
As if it were not amazing enough that we can now trigger our cloud functions out of XSOAR, for what I had in mind we need to do two more steps.
Creating an Incident Type and a Playbook
Incident Types in XSOAR are the glue between layout and playbook: the incident type decides which playbook will be run. So first we need a really small playbook.
Playbooks are basically like Node-Red flows, where each task of the playbook manipulates a global JSON object.
So I created a really small playbook which simply executes the command google-cloud-function-execute:
And I created an Incident Type, so that whenever an incident of that type is created I can ensure that the playbook runs:
So we are all set: if you now create a manual incident of type “CloudNewsReposted — Job”, the playbook runs and the cloud function is triggered as part of it.
Creating a job
The final step is to create a job.
Jobs can be triggered by changes in feeds as well as by time, like a cron job. As the purpose of this one is to create a blog post, I have of course chosen the time-based trigger:
Keep in mind to set either the incident type or the playbook (or both):
With this we have successfully enabled XSOAR and Cloud Functions.
Please leave a clap if you liked it, follow and share if you feel like
and be excellent to each other.