Cortex XDR - XCloud Cryptojacking
This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
Investigates a Cortex XDR incident containing a Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following:
- Cloud enrichment:
- Collects info about the involved resources
- Collects info about the involved identities
- Collects info about the involved IPs
- Verdict decision tree
- Verdict handling:
- Handle False Positives
- Handle True Positives
- Cloud Response - Generic sub-playbook.
- Notifies the SOC if a malicious verdict was found
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- Cortex XDR - XCloud Cryptojacking - Set Verdict
- Cortex XDR - Cloud Enrichment
- Cloud Response - Generic
Integrations#
- CortexXDRIR
Scripts#
- IncreaseIncidentSeverity
- LoadJSON
Commands#
- xdr-get-incident-extra-data
- setIncident
- closeInvestigation
- xdr-get-cloud-original-alerts
- xdr-update-incident
- send-mail
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| incident_id | The incident ID. | Optional | |
| alert_id | The alert ID. | Optional | |
| SOCEmailAddress | The SOC email address to use for the alert status notification. | None | Optional |
| requireAnalystReview | Whether to require an analyst review after the alert remediation. | True | Optional |
| cloudProvider | The cloud service provider involved. | PaloAltoNetworksXDR.OriginalAlert.event.cloud_provider | Optional |
| autoResourceRemediation | Whether to execute the resource remediation flow automatically. | False | Optional |
| AWS-resourceRemediationType | Choose the remediation type for the instances created. AWS available types: Stop - for stopping the instances. Terminate - for terminating the instances. | Stop | Optional |
| Azure-resourceRemediationType | Choose the remediation type for the instances created. Azure available types: Poweroff - for shutting down the instances. Delete - for deleting the instances. | Poweroff | Optional |
| GCP-resourceRemediationType | Choose the remediation type for the instances created. GCP available types: Stop - For stopping the instances. Delete - For deleting the instances. | Stop | Optional |
| autoAccessKeyRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| AWS-accessKeyRemediationType | Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for the user's access key deletion. | Disable | Optional |
| GCP-accessKeyRemediationType | Choose the remediation type for the user's access key. GCP available types: Disable - For disabling the user's access key. Delete - For the deleting user's access key. | Disable | Optional |
| autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| AWS-userRemediationType | Choose the remediation type for the user involved. AWS available types: Delete - for the user deletion. Revoke - for revoking the user's credentials. | Revoke | Optional |
| Azure-userRemediationType | Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user. | Disable | Optional |
| GCP-userRemediationType | Choose the remediation type for the user involved. GCP available types: Delete - For deleting the user. Disable - For disabling the user. | Disable | Optional |
| autoBlockIndicators | Whether to block the indicators automatically. | False | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. For IP Enrichment - Generic v2 playbook. | Optional | |
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/ False). | True | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
