Google Rapid Response (GRR)
App Vendor: Google
App Category: Forensics & Malware Analysis
Connector Version: 1.0.0
API Version: 1.0.0
About App
The Google Rapid Response (GRR) app provides integration with the GRR incident response framework. GRR is focused on remote live forensics and uses a client-server architecture: an agent is installed on the target systems, and a Python server infrastructure manages and communicates with those agents.
The Google Rapid Response (GRR) app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Create Cron Job | This action creates a cron job from a flow name and flow arguments in the Google Rapid Response (GRR) application. |
Create Hunt | This action creates a new hunt from a flow name and flow arguments in the Google Rapid Response (GRR) application. |
Create a request for VFS snapshot | This action requests a new snapshot of a file in a client's virtual file system (VFS) in the Google Rapid Response (GRR) application. |
Delete Cron Job | This action removes a cron job using the cron job ID from the Google Rapid Response (GRR) application. |
Delete Hunt | This action deletes a hunt using the hunt ID from the Google Rapid Response (GRR) application. |
Do Action for Stop Flow | This action stops a running flow using the client ID and flow ID in the Google Rapid Response (GRR) application. |
Fetch Notifications | This action retrieves a list of user notifications from the Google Rapid Response (GRR) application. |
Force Schedule Cron Job | This action forces a cron job to run immediately, regardless of its schedule, using the cron job ID in the Google Rapid Response (GRR) application. |
Get a clients status from Hunt | This action retrieves the list of clients involved in a hunt, filtered by client status, from the Google Rapid Response (GRR) application. |
Get details of a Client | This action retrieves details of a client using the client ID from the Google Rapid Response (GRR) application. |
Get details of a Client Version | This action retrieves the version history of a client using the client ID from the Google Rapid Response (GRR) application. |
Get details of a Cron Job | This action retrieves the details of a cron job using the cron job ID from the Google Rapid Response (GRR) application. |
Get details of a Cron Job Run | This action retrieves the details of a single run of a cron job using the cron job ID and run ID from the Google Rapid Response (GRR) application. |
Get details of a Flow | This action retrieves the details of a client flow using the client ID and flow ID from the Google Rapid Response (GRR) application. |
Get details of a Flow Pending Action | This action retrieves the pending client actions of a flow using the client ID and flow ID from the Google Rapid Response (GRR) application. |
Get details of a Hunt | This action retrieves hunt details using the hunt ID from the Google Rapid Response (GRR) application. |
Get details of a Hunt Context | This action retrieves the details of the hunt context from the Google Rapid Response (GRR) application. |
Get details of the Virtual File System | This action retrieves details of a VFS file on a given client from the Google Rapid Response (GRR) application. |
Get a list of Artifacts | This action retrieves a list of artifacts from the Google Rapid Response (GRR) application. |
Get a list of Client Action Status | This action retrieves a list of client action status details from the Google Rapid Response (GRR) application. |
Get a list of Client Crash | This action retrieves the list of crashes of a client using the client ID from the Google Rapid Response (GRR) application. |
Get a list of Clients | This action retrieves a list of clients from the Google Rapid Response (GRR) application. |
Get a list of Cron Job | This action retrieves a list of available cron jobs from the Google Rapid Response (GRR) application. |
Get a list of Flow Results | This action retrieves the list of flow results using the client ID and flow ID from the Google Rapid Response (GRR) application. |
Get a list of Flows | This action retrieves the list of flows on a client using the client ID from the Google Rapid Response (GRR) application. |
Get a list of Hunt Crash | This action retrieves a list of all crashes caused by the hunt from the Google Rapid Response (GRR) application. |
Get a list of Hunt Error | This action retrieves a list of hunt errors from the Google Rapid Response (GRR) application. |
Get a list of Hunt Logs | This action retrieves a list of hunt logs from the Google Rapid Response (GRR) application. |
Get a list of Hunt Results | This action retrieves a list of hunt results from the Google Rapid Response (GRR) application. |
Get a list of Hunts | This action retrieves a list of hunts from the Google Rapid Response (GRR) application. |
Get logs from a Flow | This action retrieves the logs of a particular flow using the client ID and flow ID from the Google Rapid Response (GRR) application. |
Get a stats of Hunt | This action retrieves the statistics of a hunt using the hunt ID from the Google Rapid Response (GRR) application. |
Get status of VFS Request | This action retrieves the state of a previously started VFS refresh/snapshot operation from the Google Rapid Response (GRR) application. |
Get list of Cron Job Run | This action retrieves the list of runs of a cron job using the cron job ID from the Google Rapid Response (GRR) application. |
Get Status of Client Interrogation Command | This action retrieves the status of a client interrogation command from the Google Rapid Response (GRR) application. |
Get Virtual File System Content | This action retrieves the text contents of a VFS file on a given client from the Google Rapid Response (GRR) application. |
Run Flow | This action starts a flow on a particular client using the client ID, the flow name and optional flow and runner arguments in the Google Rapid Response (GRR) application. |
Search Clients | This action searches clients using the query from the Google Rapid Response (GRR) application. |
Send Command to Client Interrogation | This action starts an interrogation of a client using the client ID in the Google Rapid Response (GRR) application and returns an operation ID that can be polled with Get Status of Client Interrogation Command. |
Set Flow In Client | This action sets a flow on a specific client using the client ID and flow name in the Google Rapid Response (GRR) application. |
Configuration Parameters
The following configuration parameters are required for the Google Rapid Response (GRR) app to communicate with the Google Rapid Response (GRR) enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL for GRR API access. Example: "http://localdomain.tld:8000" | Text | Required | Use an https:// URL in production. Over plain http the API username and password, and every artifact the actions retrieve, cross the network in clear text. |
Username | Enter the username for accessing the GRR API. | Text | Required | |
Password | Enter the password for accessing the GRR API. | Password | Required | |
SSL Verify | Specify whether to verify the TLS certificate of the GRR API server. | Boolean | Optional | Default value: (not listed). Keep verification enabled: with it off, an on-path attacker can present any certificate and read or alter the session, including the credentials above. |
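The three configuration parameters above decide whether the integration can be intercepted. The following is an added example (not the connector's or GRR's own code) of how a client built on these parameters should treat them: refuse a plain-http Base URL unless explicitly overridden for a lab, keep certificate verification on, and validate that what comes back is really a GRR API reply. It assumes, based on how GRR's own Python API client talks to the AdminUI, that credentials travel in an HTTP Basic `Authorization` header, that JSON responses start with the XSSI guard `)]}'\n`, and that non-GET requests must carry an `X-CSRFToken` header; the route `/api/v2/clients/<client_id>` and the fields in the fake server's reply are assumptions to check against your server version. The transport is injected so the example runs offline against a constructed stand-in server.

```python
"""Connection hardening for the GRR HTTP API (added example, not connector code).

Assumptions (see lead-in): HTTP Basic credentials, GRR's XSSI guard prefix on
JSON responses, and an X-CSRFToken header on non-GET requests.
"""
import base64
import json
import ssl
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# GRR's Python API client strips this guard from every JSON response (assumption).
XSSI_PREFIX = ")]}'\n"

Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]


def validate_base_url(base_url: str, allow_plain_http: bool = False) -> str:
    """Normalise the Base URL parameter; refuse plain http unless explicitly allowed."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {base_url!r}")
    if parts.scheme == "http" and not allow_plain_http:
        # Credentials and every collected artifact would cross the network in clear text.
        raise ValueError("plain http refused; use https (allow_plain_http is for an isolated lab)")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("Base URL must be scheme://host[:port] only")
    return f"{parts.scheme}://{parts.netloc}"


def tls_context(ssl_verify: bool = True) -> ssl.SSLContext:
    """Mirror the SSL Verify parameter. ssl_verify=False accepts any certificate: lab use only."""
    ctx = ssl.create_default_context()
    if not ssl_verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_verifies(ctx: ssl.SSLContext) -> bool:
    """True when the context checks both the certificate chain and the host name."""
    return ctx.verify_mode != ssl.CERT_NONE and ctx.check_hostname


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_grr_json(body: str) -> Any:
    """Strip the XSSI prefix; a body without it is not a GRR API reply (proxy page, wrong URL)."""
    if not body.startswith(XSSI_PREFIX):
        raise ValueError("response is not a GRR API JSON body")
    return json.loads(body[len(XSSI_PREFIX):])


def api_request(transport: Transport, base_url: str, auth: Dict[str, str], method: str,
                path: str, csrf_token: Optional[str] = None, payload: Optional[dict] = None) -> Any:
    """One API call. transport(method, url, headers, body) returns (status, text); it is
    injected so this runs offline. In use it would wrap urllib/requests with tls_context()."""
    headers = dict(auth)
    headers["Accept"] = "application/json"
    body = None
    if method != "GET":
        if not csrf_token:
            raise ValueError("a CSRF token (from the server's csrftoken cookie) is required for non-GET calls")
        headers["X-CSRFToken"] = csrf_token
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload or {})
    status, text = transport(method, base_url + path, headers, body)
    if status != 200:
        raise RuntimeError(f"GRR API {method} {path}: HTTP {status}")
    return parse_grr_json(text)


def fake_grr_transport(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, str]:
    """Constructed stand-in for a GRR server (reply field names are illustrative, not GRR's schema)."""
    if "Authorization" not in headers:
        return 401, "Unauthorized"
    if method != "GET" and "X-CSRFToken" not in headers:
        return 403, "CSRF token missing"
    if url.endswith("/api/v2/clients/C.1234567890abcdef"):
        reply = {"client_id": "C.1234567890abcdef", "fqdn": "ws01.example.internal"}
        return 200, XSSI_PREFIX + json.dumps(reply)
    return 404, XSSI_PREFIX + json.dumps({"message": "client not found"})


def lookup_client(client_id: str, transport: Transport = fake_grr_transport) -> Any:
    """Get details of a Client, the way the connector action would (route assumed)."""
    base = validate_base_url("https://grr.example.internal:8000")
    auth = basic_auth_header("orchestrate", "example-password")
    return api_request(transport, base, auth, "GET", f"/api/v2/clients/{client_id}")
```

`parse_grr_json` refusing bodies without the guard is deliberate: a captive portal, a reverse proxy error page or a mistyped Base URL otherwise gets parsed as if it were hunt or client data, and a playbook acts on it.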
Action: Create Cron Job
This action creates a cron job from a flow name and flow arguments in the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Flow name | Enter the flow name. Example: "Sample Flow Name" | Text | Required | Must be the name of a GRR flow, for example FileFinder. |
Flow arguments | Enter the flow arguments as key-value pairs. | Key Value | Required | |
Extra params | Specify any extra params to create Cron job as key-value pairs. | Key Value | Optional |
Action: Create Hunt
This action creates a new hunt from a flow name and flow arguments in the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Flow name | Enter the flow name. Example: "Sample Flow Name" | Text | Required | Must be the name of a GRR flow, for example FileFinder. |
Flow arguments | Enter the flow arguments as key-value pairs. | Key Value | Required | |
Extra params | Enter extra parameters to create the hunt as key-value pairs. | Key Value | Optional | Allowed values: (not listed) |
Action: Create request for VFS snapshot
This action creates a request for a new snapshot of the file in the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to create a request for the VFS snapshot. Example: "<Example Client ID>" | Text | Required | |
Filepath | Enter the file path for the VFS file. Example: "files/examplefile.vfs" | Any | Required |
Action: Delete Cron Job
This action removes a cron job using cron ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cron job ID | Enter the cron job ID to delete the cron job. Example: "Example Cron ID" | Text | Required
Action: Delete Hunt
This action deletes a hunt using the hunt ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to delete. Example: "Sample Hunt ID" | Text | Required |
Action: Do Action for Stop Flow
This action stops a running flow using the client ID and flow ID in the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to perform the action. Example: "Example Client ID" | Text | Required | |
Flow ID | Enter the flow ID to perform the action. Example: "Flow ID" | Text | Required |
Action: Fetch Notifications
This action retrieves a list of user notifications from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra params | Enter the extra parameters as key-value pairs to fetch notifications. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Force Schedule Cron Job
This action forces a cron job to run immediately, regardless of its schedule, using the cron job ID in the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cron job ID | Enter the cron ID to force schedule cron job. Example: "Example Job ID" | Text | Required |
Action: Get client status from Hunt
This action retrieves a list of clients involved in the hunt from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to get the client status. Example: "Sample Hunt ID" | Text | Required | |
Client status | Enter the client status. Example: "started" | Text | Required | Allowed values: (not listed) |
Extra params | Enter the extra params to get the status. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get details of a Client
This action retrieves details of a client using the client ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the details. Example: "<Sample Client ID>" | Text | Required
Action: Get details of Client Version
This action retrieves the version history of a client using the client ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the details. Example: "<Example Client ID>" | Text | Required | |
Start time | Enter the start time in epoch time format. Example: "1572537409" | Any | Optional | |
End time | Enter the end time in epoch time format. Example: "1635695914" | Any | Optional | |
Mode | Enter the mode for retrieving the client versions. Example: "unset" | Text | Optional | Accepted value: (not listed); Default value: (not listed) |
Action: Get details of a Cron Job
This action retrieves the details of a cron job using cron job ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cron job ID | Enter the cron ID to get the details. Example: "Sample Cron Job ID" | Text | Required |
Action: Get details of a Cron Job Run
This action retrieves the details of a single run of a cron job using the cron job ID and run ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cron job ID | Enter the cron ID. Example: "Sample Cron ID" | Text | Required | |
Run ID | Enter the run ID to get details. Example: "Example Run ID" | Text | Required |
Action: Get details of a Flow
This action retrieves the details of a client flow using the client ID and flow ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the details. Example: "Example Client ID" | Text | Required | |
Flow ID | Enter the flow ID to get the details. Example: "Example Flow ID" | Text | Required |
Action: Get details of Flow Pending Action
This action retrieves the pending client actions of a flow using the client ID and flow ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the details. Example: "Sample Client ID" | Text | Required | |
Flow ID | Enter the flow ID to get the details. Example: "Sample Flow ID" | Text | Required |
Action: Get details of a Hunt
This action retrieves hunt details using hunt ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to get the details. Example: "Sample Hunt ID" | Text | Required |
Action: Get details of the Virtual File System
This action retrieves details of a VFS file on a given client from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the details. Example: "Sample Client ID" | Text | Required | |
Filepath | Enter the file path of the VFS file location. Example: "/files/examplefile.vfs" | Any | Required |
Action: Get a list of Artifacts
This action retrieves a list of artifacts from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query params | Enter the query params as key-value pairs to get the list of artifacts. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Client Action Status
This action retrieves a list of client action status details from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the list of client actions. Example: "Sample Client ID" | Text | Required |
Action: Get a list of Client Crash
This action retrieves the list of crashes of a client using the client ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the list. Example: "Example Client ID" | Text | Required | |
Query params | Enter the query params as key-value pairs to get the list. | Key Value | Optional | Default value: (not listed) |
Action: Get a list of Clients
This action retrieves a list of clients from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query params | Enter the query params as key-value pairs to get a list. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Cron Job
This action retrieves a list of available cron jobs from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query params | Enter the query params as key-value pairs. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Flow Results
This action retrieves the list of flow results using the client ID and flow ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get a list of flow results. Example: "Sample Client ID" | Text | Required | |
Flow ID | Enter the flow ID to get a list of flow results. Example: "Sample Flow ID" | Text | Required | |
Query params | Enter the query params as key-value pairs. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Flows
This action retrieves a flow list using client ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get the list of flows. Example: "Sample Client ID" | Text | Required | |
Query params | Enter the query params as key-value pairs. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Hunt Crash
This action retrieves a list of all crashes caused by the hunt from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to get the list of hunt crashes. Example: "Sample Hunt ID" | Text | Required | |
Extra params | Enter the extra params as key-value pairs to get the list of hunt crashes. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Hunt Error
This action retrieves a list of hunt errors from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to get the list of hunt errors. Example: "Sample Hunt ID" | Text | Required | |
Extra params | Enter the extra params as key-value pairs to get the list of hunt errors. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Hunt Logs
This action retrieves a list of hunt logs from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to get the list of hunt logs. Example: "Example Hunt ID" | Text | Required | |
Extra params | Enter the extra params as key-value pairs. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Hunt Results
This action retrieves a list of hunt results from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to get the list. Example: "Sample Hunt ID" | Text | Required | |
Extra params | Enter the extra params as key-value pairs to get the list of hunt results. | Key Value | Optional | Allowed values: (not listed); Default value: (not listed) |
Action: Get a list of Hunts
This action retrieves a list of hunts from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query params | Enter the query params as key-value pairs to get a list. | Key Value | Optional | Allowed values: (not listed); Default values: (not listed) |
Action: Get logs from Flow
This action retrieves flow logs from a particular flow with client ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get logs. Example: "Sample Client ID" | Text | Required | |
Flow ID | Enter the flow ID to get logs. Example: "Sample Flow ID" | Text | Required |
Action: Get a stats of Hunt
This action retrieves the statistics of a hunt using the hunt ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hunt ID | Enter the hunt ID to get the stats. Example: "Example Hunt ID" | Text | Required |
Action: Get status of VFS Request
This action retrieves the state of a previously started VFS refresh/snapshot operation from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get status. Example: "Example Client ID" | Text | Required | |
Operation ID | Enter the operation ID to get status. Example: "Example Operation ID" | Text | Required |
Action: Get a list of Cron Job Run
This action retrieves the list of runs of a cron job using the cron job ID from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cron job ID | Enter the cron ID to get a list. Example: "Example Cron ID" | Text | Required |
Action: Get Status of Client Interrogation Command
This action retrieves the status of a client interrogation command from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get status. Example: "Sample Client ID" | Text | Required | |
Operation ID | Enter the operation ID to get status. Example: "Sample Operation ID" | Text | Required |
Action: Get Virtual File System Content
This action retrieves the text contents of a VFS file on a given client from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to get virtual file system content. Example: "Example Client ID" | Text | Required | |
File path | Enter the file path for the VFS file. Example: "files/examplefile.vfs" | Any | Required |
Action: Run Flow
This action starts a flow on a particular client using the client ID, the flow name and optional flow and runner arguments in the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to run the flow. Example: "Example Client ID" | Text | Required | |
Flow name | Enter the flow name. Example: "Example Flow Name" | Text | Required | Must be the name of a GRR flow, for example FileFinder. |
Arguments | Enter the flow arguments as a JSON object. | Any | Optional | |
Runner arguments | Enter the flow runner arguments as a JSON object. | Any | Optional
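Run Flow is the action that executes code on an endpoint, so the playbook that calls it should validate the client ID, restrict which flows automation may start, and bound the flow's resource use before the request leaves. The following is an added example (not the connector's or GRR's own code) of assembling such a request. It assumes the route `/api/v2/clients/<client_id>/flows` and a body carrying `flow.name`, `flow.args` and `flow.runner_args`, as GRR's Python API client sends them, proto3 JSON with an `@type` key for the flow arguments, and the `cpu_limit` and `network_bytes_limit` runner-argument names; check all of these against your server version, since the connector may encode the same fields differently. `ALLOWED_FLOWS` and the "limits required" rule are this example's own policy, and the client ID and paths are constructed.

```python
"""Assembling a Run Flow request with guard-rails (added example, not connector code).

Assumptions (see lead-in): route and body shape as sent by GRR's Python API
client, proto3 JSON for the flow arguments, FlowRunnerArgs field names for the
limits. The allow-list and the "limits required" policy are this example's own.
"""
import json
import re
from typing import Any, Dict, Iterable, Optional, Tuple

# GRR client IDs have the form C.<16 hex digits>.
CLIENT_ID_RE = re.compile(r"^C\.[0-9a-f]{16}$")

# Least privilege: the automation may start only these flows (example policy, not GRR's).
ALLOWED_FLOWS = {"FileFinder", "ListProcesses", "Interrogate"}

# Type URL of FileFinder's arguments in proto3 JSON (assumed; check your server version).
FILE_FINDER_ARGS_TYPE = "type.googleapis.com/grr.FileFinderArgs"


def validate_client_id(client_id: str) -> str:
    """Reject anything that is not a well-formed GRR client ID before it reaches a URL."""
    if not CLIENT_ID_RE.match(client_id):
        raise ValueError(f"malformed GRR client ID: {client_id!r}")
    return client_id


def file_finder_stat_args(paths: Iterable[str]) -> Dict[str, Any]:
    """FileFinder arguments that only stat() the paths: no file content leaves the endpoint."""
    return {"@type": FILE_FINDER_ARGS_TYPE, "paths": list(paths), "action": {"action_type": "STAT"}}


def build_run_flow_request(client_id: str, flow_name: str, args: Optional[Dict[str, Any]] = None,
                           runner_args: Optional[Dict[str, Any]] = None,
                           require_limits: bool = True) -> Tuple[str, str]:
    """Return (path, JSON body) for the Run Flow action, rejecting unsafe inputs up front."""
    validate_client_id(client_id)
    if flow_name not in ALLOWED_FLOWS:
        raise ValueError(f"flow {flow_name!r} is not on the allow-list")
    runner_args = dict(runner_args or {})
    if require_limits and not ({"cpu_limit", "network_bytes_limit"} & set(runner_args)):
        raise ValueError("set cpu_limit and/or network_bytes_limit so a runaway flow cannot exhaust the client")
    body = {"flow": {"name": flow_name, "args": args or {}, "runner_args": runner_args}}
    return f"/api/v2/clients/{client_id}/flows", json.dumps(body, sort_keys=True)


def stat_sensitive_files(client_id: str) -> Tuple[str, str]:
    """Worked call: stat a few files on one client with bounded CPU and network use."""
    return build_run_flow_request(
        client_id,
        "FileFinder",
        file_finder_stat_args(["/etc/passwd", "/etc/shadow"]),
        {"cpu_limit": 600, "network_bytes_limit": 10_000_000},
    )
```

The allow-list matters more than it looks: GRR also ships flows that execute arbitrary code on the agent, and an automation account that can start any flow by name is an endpoint remote-execution primitive for whoever compromises the orchestration platform.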
Action: Search Clients
This action searches clients using the query from the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query string | Enter the query string to search clients. | Any | Required | |
Offset | Enter the offset into the search results. Example: "2" | Integer | Optional | Default value: (not listed) |
Count | Enter the number of search results to return. Example: "10" | Integer | Optional | Default value: (not listed) |
Action: Send Command to Client Interrogation
This action starts an interrogation of a client using the client ID in the Google Rapid Response (GRR) application and returns an operation ID that can be polled with Get Status of Client Interrogation Command.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to send the command. Example: "Sample Client ID" | Text | Required |
Action: Set Flow In Client
This action sets a flow on a specific client using the client ID and flow name in the Google Rapid Response (GRR) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to set the flow. Example: "Example Client ID" | Text | Required | |
Flow name | Enter the flow name to set flow. Example: "Sample Flow Name" | Text | Required |