Skip to main content

Cortex XDR - AWS IAM user access investigation

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#


Use Cortex XDR - Cloud IAM User Access Investigation instead.

Deprecated. Use Cortex XDR - Cloud IAM User Access Investigation instead. Investigate and respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments.

  • Penetration testing tool attempt
  • Penetration testing tool activity
  • Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. At the moment we support AWS but are working towards multi-cloud support. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the content to help us identify issues, fix them, and continually improve.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block IP - Generic v2
  • AWS IAM - User enrichment


  • XQLQueryingEngine
  • XDR_iocs
  • CortexXDRIR


  • Set


  • aws-iam-delete-login-profile
  • setIndicators
  • aws-iam-update-access-key
  • xdr-get-incident-extra-data
  • xdr-get-cloud-original-alerts
  • aws-iam-get-user-login-profile
  • xdr-xql-generic-query
  • setIncident
  • ip

Playbook Inputs#

NameDescriptionDefault ValueRequired
IndicatorTagTag name for bad reputation IP addresses investigated in the incident.
Use it when the EDL service is configured to add indicators to block in PANW PAN-OS.
If indicator verdict (Malicious/Bad) is used to add indicators to XSOAR EDL you don't need to use the tag. Indicators will be set as malicious automatically in the incident.
DAGThis input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used.
Specify the Dynamic Address Group tag name for IP handling.
AutoBlockIPTrue/False to initiate block IP playbook automaticallyFalseOptional
AutoDeleteProfileTrue/False to automatically delete the user login profile if it exists.FalseOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cortex XDR - AWS IAM user access investigation