
Cloud Token Theft Response

This Playbook is part of the Cloud Incident Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.


Cloud Token Theft Response Playbook

The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following:

Cloud Enrichment:

  • Enriches the involved resources
  • Enriches the involved identities
  • Enriches the involved IPs

Verdict Decision Tree:

  • Determines the appropriate verdict based on the investigation findings

Early Containment using the Cloud Response - Generic Playbook:

  • Implements early containment measures to prevent further impact

Cloud Persistence Threat Hunting:

  • Conducts threat hunting activities to identify any cloud persistence techniques

Enriching and Responding to Hunting Findings:

  • Performs additional enrichment and responds to the findings from threat hunting

Verdict Handling:

  • Handles false positives identified during the investigation
  • Handles true positives by initiating appropriate response actions

Supported Alerts

| Alert Name | CSP |
| --- | --- |
| Suspicious usage of AWS Lambda’s token | AWS |
| Suspicious usage of AWS Lambda’s role | AWS |
| Suspicious usage of EC2 token | AWS |
| Remote usage of an AWS service token | AWS |
| Remote usage of an AWS EKS token | AWS |
| Suspicious usage of an AWS EKS token | AWS |
| Suspicious usage of an AWS ECS token | AWS |
| Remote usage of an AWS ECS token | AWS |
| Suspicious usage of AWS service token | AWS |
| Remote usage of an App Engine Service Account token | GCP |
| Suspicious usage of App Engine Service Account token | GCP |
| Remote usage of VM Service Account token | GCP |
| Suspicious usage of VM Service Account token | GCP |

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cloud Response - Generic
  • Handle False Positive Alerts
  • TIM - Indicator Relationships Analysis
  • Entity Enrichment - Generic v3
  • Cloud Threat Hunting - Persistence
  • IP Enrichment - Generic v2
  • Cloud Token Theft - Set Verdict
  • Cloud Enrichment - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • LoadJSON
  • ParseHTMLIndicators

Commands

  • core-get-cloud-original-alerts
  • setAlert
  • closeInvestigation

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| alert_id | The alert ID. | alert.investigationId | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against, in CIDR notation and separated by commas. | | Optional |
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/False). | True | Optional |
| earlyContainment | Whether to execute early containment. This action allows you to respond rapidly but has a higher probability of false positives. | False | Optional |
| VPNIPList | This input can process the following types of data: (1) a comma-separated list of IP addresses assigned by the VPN provider (using an XSIAM list or a hardcoded array); (2) a comma-separated list of CIDRs; (3) a link to an IP address list, which is fetched and parsed to extract the IPs dynamically on each execution. | | Optional |
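The InternalRange and VPNIPList inputs both feed the IP enrichment stage: the source address of the suspicious token usage is compared against the internal ranges and the VPN provider's addresses, and an address in neither is the finding that most strongly suggests a workload credential is being used from outside its expected network. The following is an added example, not the playbook's own code, showing how those three input shapes (inline IPs, inline CIDRs, and a link whose body is fetched on each run) can be normalized and used to tag the source IP of a token-usage event. The function names, the injectable `fetcher` argument and all sample ranges and events are constructed for this example.

```python
import ipaddress
import urllib.request
from typing import Callable, Optional

# Constructed sample values for the InternalRange and VPNIPList inputs
# (assumptions for this example, not values from the playbook).
SAMPLE_INTERNAL_RANGE = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
SAMPLE_VPN_INLINE = "203.0.113.10, 203.0.113.11"
SAMPLE_VPN_LIST_BODY = "# VPN egress addresses (constructed)\n198.51.100.0/24\n203.0.113.10\n"


def parse_networks(raw: str) -> list:
    """Parse a comma-separated mix of single IPs and CIDRs (input types 1 and 2).

    Single addresses become /32 or /128 networks so every entry supports the
    same membership test. Blank entries are skipped; malformed ones raise
    ValueError so a bad input is noticed instead of silently changing which
    addresses count as internal or VPN.
    """
    networks = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def parse_list_body(text: str) -> list:
    """Parse a downloaded list (input type 3): one IP or CIDR per line; '#' comments and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def _http_get(url: str, timeout: float = 10.0) -> str:
    """Default fetcher: download the list body over HTTP(S)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def load_vpn_list(raw: str, fetcher: Optional[Callable[[str], str]] = None) -> list:
    """Resolve the VPNIPList input to network objects.

    A value starting with http:// or https:// is treated as a link and fetched
    on every call (the list is re-read with each execution); anything else is
    parsed as inline IPs/CIDRs. `fetcher` (an assumption of this example) lets
    callers inject a fake downloader for offline use.
    """
    raw = raw.strip()
    if raw.startswith(("http://", "https://")):
        return parse_list_body((fetcher or _http_get)(raw))
    return parse_networks(raw)


def classify_ip(ip: str, internal: list, vpn: list) -> str:
    """Tag an address as 'internal', 'vpn' or 'external'; internal ranges take precedence."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in internal):
        return "internal"
    if any(addr in net for net in vpn):
        return "vpn"
    return "external"


def tag_events(events: list, internal_raw: str, vpn_raw: str,
               fetcher: Optional[Callable[[str], str]] = None) -> dict:
    """Classify the source IP of each token-usage event; returns {event id: tag}."""
    internal = parse_networks(internal_raw)
    vpn = load_vpn_list(vpn_raw, fetcher)
    return {e["id"]: classify_ip(e["source_ip"], internal, vpn) for e in events}


# Constructed token-usage events (not real alert data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "source_ip": "10.20.30.40"},    # inside the corporate range
    {"id": "evt-2", "source_ip": "203.0.113.11"},   # an address the VPN provider assigned
    {"id": "evt-3", "source_ip": "198.51.100.77"},  # neither: the token is used from an unexpected network
]

if __name__ == "__main__":
    for event_id, tag in tag_events(SAMPLE_EVENTS, SAMPLE_INTERNAL_RANGE, SAMPLE_VPN_INLINE).items():
        print(event_id, tag)
```

Because a URL-based list is fetched on every run, the classification of the same source IP can change between executions as the provider's published ranges change; treating a malformed entry as an error rather than skipping it keeps such a change from silently reclassifying external use as VPN use.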

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


Cloud Token Theft Response