Cloud IAM User Access Investigation

This playbook is part of the Core - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

Investigate and respond to Cortex XSIAM alerts where a Cloud IAM user access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments:

  • Penetration testing tool attempt
  • Penetration testing tool activity
  • Suspicious API call from a Tor exit node

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Handle False Positive Alerts
  • Cloud IAM Enrichment - Generic
  • Cloud Response - Generic
  • Enrichment for Verdict

Integrations

CortexCoreIR

Scripts

LoadJSON

Commands

  • core-get-cloud-original-alerts
  • closeInvestigation

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| autoAccessKeyRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| autoBlockIndicators | Whether to block the indicators automatically. | False | Optional |
| autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| AWS-accessKeyRemediationType | Choose the remediation type for the user's access key. AWS available types: Disable (disables the user's access key), Delete (deletes the user's access key). | Disable | Optional |
| AWS-userRemediationType | Choose the remediation type for the user involved. AWS available types: Delete (deletes the user), Revoke (revokes the user's credentials). | Revoke | Optional |
| Azure-userRemediationType | Choose the remediation type for the user involved. Azure available types: Disable (disables the user), Delete (deletes the user). | Disable | Optional |
| GCP-accessKeyRemediationType | Choose the remediation type for the user's access key. GCP available types: Disable (disables the user's access key), Delete (deletes the user's access key). | Disable | Optional |
| GCP-userRemediationType | Choose the remediation type for the user involved. GCP available types: Delete (deletes the user), Disable (disables the user). | Disable | Optional |
| ShouldCloseAutomatically | Whether to close alerts automatically as a false positive (True/False). | False | Optional |
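The inputs above interact: the `auto*` flags gate whether a remediation runs at all, and the per-provider `*RemediationType` inputs choose which action runs, each with its own allowed values and default. The following added example (not part of this playbook or of Cortex XSOAR; the playbook's internal logic is not shown on this page, so this is an assumed model of the documented input semantics) resolves a set of playbook inputs into the actions that would run automatically, applies the documented defaults, and rejects a remediation type the chosen provider does not offer.

```python
# Assumed model of the documented inputs; not the playbook's own code.
# Allowed remediation types and their defaults per provider, as in the inputs table.
REMEDIATION_OPTIONS = {
    "AWS":   {"accessKey": ({"Disable", "Delete"}, "Disable"),
              "user":      ({"Delete", "Revoke"}, "Revoke")},
    "Azure": {"user":      ({"Disable", "Delete"}, "Disable")},
    "GCP":   {"accessKey": ({"Disable", "Delete"}, "Disable"),
              "user":      ({"Delete", "Disable"}, "Disable")},
}

# Which boolean input gates each remediation target.
GATES = {"accessKey": "autoAccessKeyRemediation", "user": "autoUserRemediation"}


def _flag(inputs, name):
    """Playbook booleans may arrive as bools or as "True"/"False" strings; default False."""
    return str(inputs.get(name, "False")).strip().lower() == "true"


def build_remediation_plan(provider, inputs):
    """Return the automatic actions implied by `inputs` for `provider` (AWS/Azure/GCP).

    `inputs` is a dict keyed by the input names from the table above. The result has
    an action or None for "accessKey" and "user", plus the two remaining auto flags.
    A remediation type the provider does not offer raises ValueError, even when its
    gate is off, so a misconfiguration is caught before any alert reaches it.
    """
    if provider not in REMEDIATION_OPTIONS:
        raise ValueError(f"unsupported cloud provider: {provider}")
    plan = {"accessKey": None, "user": None,
            "blockIndicators": _flag(inputs, "autoBlockIndicators"),
            "closeAsFalsePositive": _flag(inputs, "ShouldCloseAutomatically")}
    for target, (allowed, default) in REMEDIATION_OPTIONS[provider].items():
        chosen = inputs.get(f"{provider}-{target}RemediationType") or default
        if chosen not in allowed:
            raise ValueError(f"{provider} {target} remediation must be one of "
                             f"{sorted(allowed)}, got {chosen!r}")
        if _flag(inputs, GATES[target]):
            plan[target] = chosen
    return plan


if __name__ == "__main__":
    # Constructed sample inputs: auto-remediate the key (default Disable), leave the user alone.
    sample = {"autoAccessKeyRemediation": "True", "autoBlockIndicators": "True"}
    print(build_remediation_plan("AWS", sample))
```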

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Playbook image: Cloud IAM User Access Investigation]