
AWS - User Investigation

This playbook is part of the AWS Enrichment and Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

This playbook investigates a specific user in an AWS environment by querying AWS CloudTrail logs for the following activities performed by that user:

  • Failed login attempts
  • Suspicious activities
  • Denied API calls (access denied errors)
  • Administrative user activities
  • Security rule and policy changes
  • Access key and access token activities
  • Script-based user agent usage
  • User role changes
  • MFA device changes

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

AWS - CloudTrail

Scripts

  • LoadJSON
  • GetTime
  • Set

Commands

aws-cloudtrail-lookup-events

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Username | The username to investigate. Enter the user's email. The value must match the user name as CloudTrail records it for that principal, otherwise the lookups return no events. | | Optional |
| AwsTimeSearchFrom | The search start time for the `GetTime` task used by the AWS CloudTrail search query, expressed as the number of days back to include in the search. Default value: 1 (one day). | 1 | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| AwsMFAConfigCount | The number of MFA device configuration changes performed by the user in the AWS environment. | unknown |
| AwsUserRoleChangesCount | The number of user role changes performed by the user in the AWS environment. | unknown |
| AwsSuspiciousActivitiesCount | The number of suspicious activities performed by the user in the AWS environment. | unknown |
| AwsScriptBasedUserAgentCount | The number of API calls the user made with a script-based user agent in the AWS environment. | unknown |
| AwsAccessKeyActivitiesCount | The number of access key activities performed by the user in the AWS environment. | unknown |
| AwsSecurityChangesCount | The number of security rule and policy changes performed by the user in the AWS environment. | unknown |
| AwsAdminActivitiesCount | The number of administrative activities performed by the user in the AWS environment. | unknown |
| AwsApiAccessDeniedCount | The number of API calls by the user that were denied in the AWS environment. | unknown |
| AwsFailedLogonCount | The number of failed logins by the user in the AWS environment. | unknown |
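The activity list at the top of the page and the output counters above describe what the playbook extracts from `aws-cloudtrail-lookup-events`, but not how an event is assigned to a category. The following is an added example, not the playbook's or the pack's own code: it takes records shaped like the `Events` list that CloudTrail LookupEvents returns (each carrying the raw event as a JSON string under `CloudTrailEvent`) and tallies them into counters named like the playbook outputs. The event-name sets, the access-denied error codes, the script user-agent pattern, the helper names (`classify_event`, `investigate_user`, `_record`) and the sample events are all this example's assumptions, not the playbook's actual query logic.

```python
"""Classify CloudTrail events for one user into the activity categories the
playbook counts. Added example, not the playbook's or the pack's own code:
the event-name lists below are this example's assumptions about what each
category means, and the sample events are constructed, not real records."""
import json
import re
from collections import Counter

# Assumed mapping of CloudTrail eventName values to the playbook's output
# counters (hypothetical rules; the playbook's own queries are not on the page).
CATEGORY_EVENTS = {
    "AwsMFAConfigCount": {
        "CreateVirtualMFADevice", "EnableMFADevice", "DeactivateMFADevice",
        "DeleteVirtualMFADevice", "ResyncMFADevice",
    },
    "AwsUserRoleChangesCount": {
        "CreateRole", "DeleteRole", "UpdateAssumeRolePolicy", "AttachRolePolicy",
        "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy",
    },
    "AwsAccessKeyActivitiesCount": {
        "CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey",
        "GetSessionToken", "GetFederationToken",
    },
    "AwsSecurityChangesCount": {
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "PutBucketPolicy", "DeleteBucketPolicy", "AttachUserPolicy",
        "DetachUserPolicy", "PutUserPolicy",
    },
    "AwsAdminActivitiesCount": {
        "CreateUser", "DeleteUser", "AddUserToGroup", "RemoveUserFromGroup",
        "CreateGroup", "DeleteGroup", "StopLogging", "DeleteTrail", "UpdateTrail",
    },
    "AwsSuspiciousActivitiesCount": {
        "StopLogging", "DeleteTrail", "DeleteFlowLogs", "DisableKey",
        "ScheduleKeyDeletion", "PutBucketAcl",
    },
}
# Calls rejected by IAM (or by EC2's own authorizer) carry these errorCode values.
ACCESS_DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}
# User agents that are not a browser: the CLI, SDKs and generic HTTP clients.
SCRIPT_USER_AGENT = re.compile(
    r"^(aws-cli|aws-sdk|Boto3|python-requests|curl|Go-http-client)/", re.I)
OUTPUT_KEYS = list(CATEGORY_EVENTS) + [
    "AwsScriptBasedUserAgentCount", "AwsApiAccessDeniedCount", "AwsFailedLogonCount",
]


def classify_event(event):
    """Return the set of output counters one CloudTrail event contributes to.
    An event may hit several categories (e.g. a denied call made from a script)."""
    hits = set()
    name = event.get("eventName", "")
    for key, names in CATEGORY_EVENTS.items():
        if name in names:
            hits.add(key)
    # A failed console login is a ConsoleLogin event whose response says Failure.
    if name == "ConsoleLogin" and (event.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        hits.add("AwsFailedLogonCount")
    if event.get("errorCode") in ACCESS_DENIED_CODES:
        hits.add("AwsApiAccessDeniedCount")
    if SCRIPT_USER_AGENT.match(event.get("userAgent") or ""):
        hits.add("AwsScriptBasedUserAgentCount")
    return hits


def investigate_user(lookup_events_response, username):
    """Tally the playbook's output counters for `username` over LookupEvents-style
    records; every counter is present in the result, zero when nothing matched."""
    counts = Counter({key: 0 for key in OUTPUT_KEYS})
    for record in lookup_events_response:
        event = json.loads(record["CloudTrailEvent"])
        # Only events whose recorded IAM principal is the investigated user count.
        if (event.get("userIdentity") or {}).get("userName") != username:
            continue
        for key in classify_event(event):
            counts[key] += 1
    return dict(counts)


def _record(name, user="alice", error=None, user_agent="console.amazonaws.com", **fields):
    """Build one constructed LookupEvents record (sample data, not a real trail)."""
    event = {"eventName": name, "userIdentity": {"type": "IAMUser", "userName": user},
             "userAgent": user_agent, **fields}
    if error:
        event["errorCode"] = error
    return {"EventName": name, "Username": user, "CloudTrailEvent": json.dumps(event)}


# Constructed sample: one day of activity for "alice" plus one unrelated "bob" event.
SAMPLE_EVENTS = [
    _record("ConsoleLogin", responseElements={"ConsoleLogin": "Failure"}),
    _record("ConsoleLogin", responseElements={"ConsoleLogin": "Failure"}),
    _record("ConsoleLogin", responseElements={"ConsoleLogin": "Success"}),
    _record("DescribeInstances", error="Client.UnauthorizedOperation",
            user_agent="aws-cli/2.13.0 Python/3.11.4 Linux/6.1.0"),
    _record("CreateAccessKey", user_agent="Boto3/1.28.0 md/Botocore#1.31.0"),
    _record("EnableMFADevice"),
    _record("AttachRolePolicy"),
    _record("AuthorizeSecurityGroupIngress"),
    _record("StopLogging"),
    _record("ListBuckets", error="AccessDenied"),
    _record("CreateAccessKey", user="bob"),
]

if __name__ == "__main__":
    for key, value in investigate_user(SAMPLE_EVENTS, "alice").items():
        print(f"{key}: {value}")
```

In the playbook the server-side filtering is done by `aws-cloudtrail-lookup-events` (the `Username` lookup attribute and the `GetTime`-derived start time), so the user match in `investigate_user` only stands in for that query. Two caveats carry over to the real playbook: CloudTrail LookupEvents only returns management events from the last 90 days, so a larger `AwsTimeSearchFrom` does not reach further back than that; and for assumed-role or federated sessions `userIdentity.userName` is absent (the role and session details live under `sessionContext`), so the plain user-name match above would miss that activity unless extended to inspect the session context.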

Playbook Image


AWS - User Investigation