
Cloud User Investigation - Generic

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Azure - User Investigation
  • GCP - User Investigation
  • AWS - User Investigation

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Username | The username to investigate. | | Optional |
| AzureSearchTime | The search time for the Azure Log Analytics search query. Default value: ago(1d). | ago(1d) | Optional |
| failedLogonThreshold | The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events. | 20 | Optional |
| MfaAttemptThreshold | The threshold number of failed MFA logons by the user. Required to determine how many failed MFA logon events count as suspicious events. | 10 | Optional |
| AwsTimeSearchFrom | The search time for the `GetTime` task used by the AWS CloudTrail search query. This value is the number of days to include in the search. Default value: 1 (1 day). | 1 | Optional |
| GcpProjectName | The GCP project name. This is a mandatory field for GCP queries. | | Optional |
| GcpTimeSearchFrom | The search time for the `GetTime` task used by the GCP Logging search query. This value is the number of days to include in the search. Default value: 1 (1 day). | 1 | Optional |
| cloudProvider | The cloud service provider involved. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| AwsMFAConfigCount | The number of MFA configurations performed by the user in the AWS environment. | unknown |
| AwsUserRoleChangesCount | The number of user roles that were changed by the user in the AWS environment. | unknown |
| AwsSuspiciousActivitiesCount | The number of suspicious activities performed by the user in the AWS environment. | unknown |
| AwsScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the AWS environment. | unknown |
| AwsAccessKeyActivitiesCount | The number of access key activities performed by the user in the AWS environment. | unknown |
| AwsSecurityChangesCount | The number of security rules that were changed by the user in the AWS environment. | unknown |
| AwsAdminActivitiesCount | The number of administrative activities performed by the user in the AWS environment. | unknown |
| AwsApiAccessDeniedCount | The number of API access attempts by the user that were denied in the AWS environment. | unknown |
| AwsFailedLogonCount | The number of failed logins by the user in the AWS environment. | unknown |
| GcpAnomalousNetworkTraffic | Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. | unknown |
| GcpSuspiciousApiUsage | Determines whether there are events of suspicious API usage by the user in the GCP environment. | unknown |
| GcpFailLogonCount | The number of failed logins by the user in the GCP environment. | unknown |
| GsuiteFailLogonCount | The number of failed logins by the user in the G Suite environment. | unknown |
| GsuiteUnusualLoginAllowedCount | The number of unusual logins performed by the user and allowed in the G Suite environment. | unknown |
| GsuiteUnusualLoginBlockedCount | The number of unusual logins performed by the user and blocked in the G Suite environment. | unknown |
| GsuiteSuspiciousLoginCount | The number of suspicious logins performed by the user in the G Suite environment. | unknown |
| GsuiteUserPasswordLeaked | Determines whether the user's password was leaked in the G Suite environment. | unknown |
| AzureScriptBasedUserAgentEvents | Script-based user agent events used by the user in the Azure environment. | unknown |
| AzureAdminActivitiesEvents | Administrative activities performed by the user in the Azure environment. | unknown |
| AzureSecurityRulesChangeEvents | Security rules that were changed by the user in the Azure environment. | unknown |
| AzureUnsuccessSecurityRulesChangeEvents | Unsuccessful attempts to change security rules by the user in the Azure environment. | unknown |
| AzureFailLoginCount | The number of failed logins by the user in the Azure environment. | unknown |
| AzureFailLoginMFACount | The number of failed logins by the user using MFA in the Azure environment. | unknown |
| AzureAnomaliesEvents | Anomaly events on the user in the Azure environment. | unknown |
| AzureRiskyUserCount | The number of events where the user was defined as a risky user in the Azure environment. | unknown |
| AzureUncommonCountryLogonEvents | Uncommon country logon events by the user in the Azure environment. | unknown |
| AzureUncommonVolumeEvents | Uncommon volume events by the user in the Azure environment. | unknown |
| AzureUncommonActivitiesEvents | Uncommon activity events by the user in the Azure environment. | unknown |
| CountAzureEvents.AzureScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the Azure environment. | unknown |
| CountAzureEvents.AzureAdminActivitiesCount | The number of administrative activities performed by the user in the Azure environment. | unknown |
| CountAzureEvents.AzureSecurityRulesChangeCount | The number of security rules that were changed by the user in the Azure environment. | unknown |
| CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount | The number of unsuccessful attempts to change security rules by the user in the Azure environment. | unknown |
| CountAzureEvents.AzureAnomaliesCount | The number of anomaly events on the user in the Azure environment. | unknown |
| CountAzureEvents.AzureUncommonCountryLogonCount | The number of uncommon country logon events by the user in the Azure environment. | unknown |
| CountAzureEvents.AzureUncommonVolumeCount | The number of uncommon volume events by the user in the Azure environment. | unknown |
| CountAzureEvents.AzureUncommonActivitiesCount | The number of uncommon activity events by the user in the Azure environment. | unknown |

Playbook Image

[Playbook image: Cloud User Investigation - Generic]