
Cloud IAM Enrichment - Generic

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This playbook collects and enriches Identity and Access Management (IAM) data in cloud environments (AWS, Azure, and GCP).

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • AWS - IAM

Scripts

This playbook does not use any scripts.

Commands

  • msgraph-identity-protection-risky-user-history-list
  • aws-iam-list-access-keys-for-user
  • gsuite-user-get
  • aws-iam-get-user
  • gsuite-role-assignment-list
  • aws-iam-list-groups-for-user
  • aws-iam-list-attached-user-policies
  • gcp-iam-service-account-keys-get
  • gcp-iam-service-accounts-get
  • aws-iam-list-user-policies
  • msgraph-groups-list-groups
  • gcp-iam-project-role-list
  • msgraph-user-get

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| username | User name. | | Optional |
| GCPProjectName | The GCP project name. | | Optional |
| cloudProvider | The cloud service provider involved. | | Optional |
| cloudIdentityType | The cloud identity type. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| AWS.IAM.Users | AWS IAM Users include: UserId, Arn, CreateDate, Path, PasswordLastUsed. | unknown |
| AWS.IAM.Users.AccessKeys | AWS IAM Users Access Keys include: AccessKeyId, Status, CreateDate, UserName. | unknown |
| GCPIAM | GCP IAM information. | unknown |
| GSuite | GSuite user information. | unknown |
| GSuite.PageToken | Token to specify the next page in the list. | unknown |
| MSGraphUser | MSGraph user information. | unknown |
| MSGraphGroups | MSGraph groups information. | unknown |
| MSGraph.identityProtection | MSGraph identity protection - risky user history. | unknown |
| AWS.IAM.Users.AccessKeys.CreateDate | The date when the access key was created. | unknown |
| AWS.IAM.Users.AccessKeys.UserName | The name of the IAM user that the key is associated with. | unknown |
| AWS.IAM.Users.Groups | AWS IAM - User groups. | unknown |
| AWS.IAM.UserPolicies | AWS IAM - user inline policies. | unknown |
| AWS.IAM.AttachedUserPolicies | AWS IAM - User attached policies. | unknown |
| MSGraphGroup | MSGraph group information. | unknown |
| MSGraph.identityProtection.RiskyUserHistory | Risky user history. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.userPrincipalName | Risky user principal name. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.userDisplayName | Risky user display name. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.riskDetail | Reason why the user is considered a risky user. The possible values are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.riskstate | State of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.riskLevel | Risk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFutureValue. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.riskLastUpdatedDateTime | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.isProcessing | Indicates whether a user's risky state is being processed by the backend. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.isDeleted | Indicates whether the user is deleted. | unknown |
| MSGraph.identityProtection.RiskyUserHistory.id | Unique ID of the risky user. | unknown |

Playbook Image


Cloud IAM Enrichment - Generic