Cortex XSOAR and Google Cloud Functions, because we can

Even if you did not watch “Peaky Blinders”, the famous “Why? Because we fucking can! Because we fucking can, and if we can, we do.” should have reached you via social media anyway.

In that spirit, I played around a bit with Google Cloud Functions, you know, the ones I use to publish the automated cloud news with:

I thought about a way to publish them regularly without me executing the functions every week.

Of course, you are all now thinking about Cloud Scheduler, or about running a cron job somewhere that uses the gcloud command to execute the function. All great ideas, and I will post a blog about Cloud Scheduler soon enough… but for now, let’s have a bit more fun.

As this job trigger will require XSOAR, you may want to take a look at the community edition, which offers an always-free version of XSOAR that is limited to 166 commands/day.

https://start.paloaltonetworks.com/sign-up-for-community-edition.html

To get everything up and running, we essentially need 5 things:

  • A running XSOAR
  • A Cloud function and a service account to invoke a cloud function
  • The XSOAR “Google Cloud Functions” integration
  • A small Playbook
  • A recurring job

Installing XSOAR

It doesn’t get much easier than this: once you have signed up and received the link to the installer, you simply run

jstephan@tc01:~$ sudo ./demisto.sh

which starts the installer; it will handle the rest for you. During the installation it will ask you some questions:

Enter server HTTPS port:  (default: '443') 8081
Is Cortex XSOAR connecting to an elasticsearch database? [yes no] (default: 'no')
Enter name for admin user:  (default: 'admin') admin
Enter password for user 'admin': **********
Verify password: **********
Server (Secure) Web Port: 8081.
Admin user name: `admin`
Are these configurations correct? [yes no] yes

After that is done, XSOAR will be ready and waiting for you on the port you chose. For more information on installing XSOAR, especially the sizing and hardware requirements, please have a look here:

Cloud Functions Service Account

As I have already described the general Cloud Function setup, the next step is simply to get a service account and an API key for it.

We can make our life easy (and maybe a bit less secure, since that account may hold more permissions than this job needs) by simply reusing the service account that is already allowed to invoke Cloud Run functions, in this case “myserviceaccount”.

Here we can simply click “ADD KEY”, which provides the JSON key file we need for the configuration in XSOAR.

XSOAR Cloud Function Integration

XSOAR has a pretty huge marketplace. Here you can find integrations, playbooks and automations for almost any type of software, including Cloud Functions:

Once it is installed, check the Settings -> Integrations page in XSOAR for the configuration, which simply takes the JSON key file we retrieved earlier.


Now you can jump to the playground within XSOAR and play a bit with the commands offered by the integration:

  • google-cloud-function-execute: Executes a Google Cloud function.
  • google-cloud-function-get-by-name: Gets the details of a specific Google Cloud function.
  • google-cloud-function-regions-list: Lists all regions in the project.
  • google-cloud-functions-list: Lists all Google Cloud functions.
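To make the key file and the execute command less of a black box, here is an added Python example (not from this post or from the XSOAR integration) that checks the downloaded JSON key has the shape a service-account credential must have and builds the Cloud Functions v1 `functions.call` request that google-cloud-function-execute issues under the hood. The project, region, function name, key contents and access token are constructed placeholders; exchanging the key for an OAuth2 access token is left to a library such as google-auth and is not shown.

```python
import json
import urllib.request

# Constructed sample with the fields of a downloaded service-account key.
# Not a real key: the private_key body is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "myserviceaccount@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")


def validate_key_file(text):
    """Return the problems found in a service-account key JSON; empty means usable."""
    try:
        key = json.loads(text)
    except ValueError:
        return ["file is not valid JSON"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (user credentials will not work)")
    pem = key.get("private_key", "").strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----") and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM block")
    return problems


def function_resource_name(project, region, function):
    """Fully qualified name the Cloud Functions v1 API expects."""
    return f"projects/{project}/locations/{region}/functions/{function}"


def build_call_request(resource_name, access_token, data=""):
    """POST for functions.call; the bearer token must be minted from the key (e.g. via google-auth)."""
    url = f"https://cloudfunctions.googleapis.com/v1/{resource_name}:call"
    body = json.dumps({"data": data}).encode()
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


def parse_call_response(text):
    """functions.call answers with executionId and either result or error."""
    resp = json.loads(text)
    return {"ok": "error" not in resp, "execution_id": resp.get("executionId"),
            "output": resp.get("result", resp.get("error"))}


if __name__ == "__main__":
    print("key problems:", validate_key_file(SAMPLE_KEY_JSON))
    name = function_resource_name("example-project", "europe-west1", "cloudnews")
    req = build_call_request(name, "ACCESS_TOKEN_PLACEHOLDER")
    print(req.full_url)  # a real run would pass req to urllib.request.urlopen
    print(parse_call_response('{"executionId": "abc", "result": "posted"}'))
```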

As if it were not amazing enough that we can now trigger our cloud functions from XSOAR, for what I had in mind we need two more steps.

Creating an Incident Type and a Playbook

Incident Types in XSOAR are the glue between Layout and Playbook: the incident type decides which playbook will be run. So first we need a really small Playbook.

Playbooks are basically like Node-Red flows, where each task of the playbook manipulates a global JSON object.

So I created a really small playbook which simply executes the command google-cloud-function-execute:

And I created an Incident Type so that, whenever an incident of that type is created, I can be sure the playbook runs:

So we are all set: if you now create a manual incident of type “CloudNewsReposted — Job”, the playbook runs and the cloud function is triggered as part of it.

Creating a job

The final step is to create a job.

Jobs can be triggered by changes in feeds as well as by time, like a cron job. As the purpose of this one is to create a blog post, I have chosen the time of course:

Keep in mind to set either the incident type or the playbook (or both):

With this we have successfully connected XSOAR and Cloud Functions.

Please leave a clap if you liked it, follow and share if you feel like it,

and be excellent to each other.