Cloud Data Exfiltration Response

This playbook is part of the Cloud Incident Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Cloud Data Exfiltration Response

The Cloud Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. It is intended for handling the "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following:

  • Enriches the involved assets.
  • Determines the appropriate verdict based on the data collected from the enrichment.
  • Cloud Persistence Threat Hunting:
    • Conducts threat hunting activities to identify any cloud persistence techniques.
  • Verdict Handling:
    • Handles false positives identified during the investigation.
    • Handles true positives by initiating appropriate response actions.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cloud User Investigation - Generic
  • Cloud Threat Hunting - Persistence
  • Handle False Positive Alerts
  • Cloud Credentials Rotation - Generic
  • Cloud Response - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • SearchIncidentsV2

Commands

  • ip
  • closeInvestigation
  • core-get-cloud-original-alerts
  • core-get-IP-analytics-prevalence

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| autoUserRemediation | Whether to execute the user remediation automatically. (Default: False) | False | Optional |
| autoBlockIndicators | Whether to execute the block remediation automatically. (Default: False) | False | Optional |
| credentialsRemediationType | The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin. Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, GCP will revoke the access key, GSuite Admin will revoke the access token and MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate: By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute all the remediation actions provided for each CSP. | | |
| shouldCloneSA | Whether to clone the compromised SA before putting a deny policy to it. Supports: AWS. | | |
| newInstanceProfileName | The new instance profile name to assign in the clone service account flow. | | Optional |
| AWS-newRoleName | The new role name to assign in the clone service account flow. | | Optional |
| AWS-roleNameToRestrict | If provided, the role will be attached with a deny policy without the compute instance analysis flow. | | Optional |

Playbook Outputs

There are no outputs for this playbook.
