Supported Cortex XSOAR versions: 6.9.0 and later.
Secure compromised accounts by taking swift action:

- Reset Password: Resets the user's password to halt any unauthorized access.
- Access Key Deactivation: Deactivates any suspicious or known-compromised access keys.
- Combo Action: In some cases you may want to both reset the password and deactivate the access key for absolute security.

If a role is suspected to be compromised:

- Deny Policy Implementation: Attaches a deny-all policy to the compromised role, preventing it from performing any further actions.
- Role Cloning: Before outright remediation, clones the role. This ensures that you have a backup with the same permissions, making the transition smoother.
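The following is an added example of the user and role remediation flow described above; it is not part of this playbook or of Palo Alto Networks' code. It dispatches on the same `IAMRemediationType` values the playbook accepts ("Reset", "Deactivate", "ALL"), and for a role clones it and then attaches an inline deny-all policy. The IAM client is injected so the code runs offline against the constructed `FakeIAM` class below; in production you would pass `boto3.client("iam")`, whose `update_login_profile`, `update_access_key`, `get_role`, `create_role`, `attach_role_policy`, `list_role_policies`, `get_role_policy` and `put_role_policy` calls the fake mirrors. The policy name `XSOAR-DenyAll`, the user `alice`, the `AKIAEXAMPLE…` key and the `CompromisedRole` data are assumptions for the demo.

```python
"""Added example for the remediation flow this playbook describes; not part
of the playbook or of Palo Alto Networks' code.  The IAM client is injected so
the logic runs offline against the constructed FakeIAM below; in production
pass boto3.client("iam").  Names such as "XSOAR-DenyAll", "alice" and the
AKIAEXAMPLE key are assumptions for the demo."""
import json
import secrets
import string

# Inline policy that denies every action: the "Deny Policy Implementation" step.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}
SYMBOLS = "!@#$%^&*"


def temporary_password(length=24):
    """Random password containing every character class, so it satisfies a typical account policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def remediate_user(iam, username, access_key_id, remediation_type):
    """Apply the user actions selected by the IAMRemediationType input: Reset, Deactivate or ALL."""
    mode = remediation_type.strip().lower()
    if mode not in ("reset", "deactivate", "all"):
        raise ValueError(f"unsupported IAMRemediationType: {remediation_type!r}")
    actions = []
    if mode in ("reset", "all"):
        # Replace the console password and force a change at next sign-in.
        iam.update_login_profile(UserName=username, Password=temporary_password(),
                                 PasswordResetRequired=True)
        actions.append("password_reset")
    if mode in ("deactivate", "all"):
        if not access_key_id:
            raise ValueError("accessKeyID is required to deactivate an access key")
        # An Inactive key is rejected by AWS but can be re-enabled if the alert proves false.
        iam.update_access_key(UserName=username, AccessKeyId=access_key_id, Status="Inactive")
        actions.append(f"access_key_deactivated:{access_key_id}")
    return actions


def restrict_role(iam, role_name, clone=False, new_role_name=None, policy_name="XSOAR-DenyAll"):
    """Attach a deny-all inline policy to the role, cloning it first when shouldCloneSA is true."""
    actions = []
    if clone:
        if not new_role_name:
            raise ValueError("newRoleName is required when cloning the role")
        trust = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
        iam.create_role(RoleName=new_role_name, AssumeRolePolicyDocument=json.dumps(trust))
        # Copy managed and inline permissions (list pagination omitted for brevity).
        for pol in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
            iam.attach_role_policy(RoleName=new_role_name, PolicyArn=pol["PolicyArn"])
        for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
            doc = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
            iam.put_role_policy(RoleName=new_role_name, PolicyName=name, PolicyDocument=json.dumps(doc))
        actions.append(f"cloned_to:{new_role_name}")
    # An explicit Deny overrides every Allow the role still carries.
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(DENY_ALL_POLICY))
    actions.append("deny_all_attached")
    return actions


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client: records calls and serves one canned role."""

    def __init__(self):
        self.calls = []
        self.roles = {"CompromisedRole": {
            "trust": {"Version": "2012-10-17", "Statement": []},
            "attached": [{"PolicyName": "ReadOnlyAccess",
                          "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
            "inline": {"S3List": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}},
        }}

    def _record(self, name, kw):
        self.calls.append((name, kw))

    def update_login_profile(self, **kw): self._record("update_login_profile", kw)
    def update_access_key(self, **kw): self._record("update_access_key", kw)
    def create_role(self, **kw): self._record("create_role", kw)
    def attach_role_policy(self, **kw): self._record("attach_role_policy", kw)
    def put_role_policy(self, **kw): self._record("put_role_policy", kw)
    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName, "AssumeRolePolicyDocument": self.roles[RoleName]["trust"]}}
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": self.roles[RoleName]["attached"]}
    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.roles[RoleName]["inline"])}
    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": self.roles[RoleName]["inline"][PolicyName]}


def demo():
    """Run the combo user action and the clone-then-deny role action against the fake client."""
    iam = FakeIAM()
    user_actions = remediate_user(iam, "alice", "AKIAEXAMPLE0000000001", "ALL")
    role_actions = restrict_role(iam, "CompromisedRole", clone=True, new_role_name="tempNewRoleName")
    return iam, user_actions, role_actions


if __name__ == "__main__":
    client, ua, ra = demo()
    print(ua, ra)
    for call, kw in client.calls:
        print(call, sorted(kw))
```

The order matters in the role branch: the clone is created and populated before the deny-all policy lands on the original, so the replacement role is usable the moment the compromised one is locked. Deactivating the key rather than deleting it, and using `PasswordResetRequired=True`, keeps both actions reversible if the incident turns out to be a false positive.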
This playbook uses the following sub-playbooks, integrations, and scripts.
This playbook does not use any sub-playbooks.
This playbook does not use any integrations.
| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IAMRemediationType | The response playbook provides the following remediation actions for IAM users:<br>Reset - By entering "Reset" in the input, the playbook will execute a password reset.<br>Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation.<br>ALL - By entering "ALL" in the input, the playbook will execute both the password reset and the access key deactivation. |  |  |
| shouldCloneSA | Whether to clone the compromised SA before attaching a deny policy to it. |  |  |
| identityType | The type of identity involved. Usually mapped to the incident field named 'cloudidentitytype'. |  |  |
| newRoleName | The new role name to assign in the clone service account flow. | tempNewRoleName | Optional |
| newInstanceProfileName | The new instance profile name to assign in the clone service account flow. | tempNewInstanceProfileName | Optional |
| accessKeyID | The access key ID. |  | Optional |
| username | The user name. |  | Optional |
| instanceID | The instance ID. |  | Optional |
| roleNameToRestrict | If provided, a deny policy is attached to this role directly, skipping the compute instance analysis flow. |  | Optional |

| Path | Description | Type |
| --- | --- | --- |
| AWS.EC2.Instances | AWS EC2 instance information. | unknown |
| AWS.IAM.InstanceProfiles | AWS IAM instance profile information. | unknown |
| AWS.IAM.Roles.AttachedPolicies.Policies | A list of managed policy names. | unknown |
| AWS.IAM.Roles.RoleName.Policies | A list of policy names. | unknown |