Skip to main content

Cortex XDR - XCloud Cryptojacking

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Investigates a Cortex XDR incident containing a Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following:

  • Cloud enrichment:
    • Collects info about the involved resources
    • Collects info about the involved identities
    • Collects info about the involved IPs
  • Verdict decision tree
  • Verdict handling:
    • Handle False Positives
    • Handle True Positives
      • Cloud Response - Generic sub-playbook.
  • Notifies the SOC if a malicious verdict was found

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Cortex XDR - XCloud Cryptojacking - Set Verdict
  • Cortex XDR - Cloud Enrichment
  • Cloud Response - Generic

Integrations#

  • CortexXDRIR

Scripts#

  • IncreaseIncidentSeverity
  • LoadJSON

Commands#

  • xdr-get-incident-extra-data
  • setIncident
  • closeInvestigation
  • xdr-get-cloud-original-alerts
  • xdr-update-incident
  • send-mail

Playbook Inputs#


NameDescriptionDefault ValueRequired
incident_idThe incident ID.Optional
alert_idThe alert ID.Optional
SOCEmailAddressThe SOC email address to use for the alert status notification.NoneOptional
requireAnalystReviewWhether to require an analyst review after the alert remediation.TrueOptional
cloudProviderThe cloud service provider involved.PaloAltoNetworksXDR.OriginalAlert.event.cloud_providerOptional
autoResourceRemediationWhether to execute the resource remediation flow automatically.FalseOptional
AWS-resourceRemediationTypeChoose the remediation type for the instances created.

AWS available types:
Stop - for stopping the instances.
Terminate - for terminating the instances.
StopOptional
Azure-resourceRemediationTypeChoose the remediation type for the instances created.

Azure available types:
Poweroff - for shutting down the instances.
Delete - for deleting the instances.
PoweroffOptional
GCP-resourceRemediationTypeChoose the remediation type for the instances created.

GCP available types:
Stop - For stopping the instances.
Delete - For deleting the instances.
StopOptional
autoAccessKeyRemediationWhether to execute the user remediation flow automatically.FalseOptional
AWS-accessKeyRemediationTypeChoose the remediation type for the user's access key.

AWS available types:
Disable - for disabling the user's access key.
Delete - for the user's access key deletion.
DisableOptional
GCP-accessKeyRemediationTypeChoose the remediation type for the user's access key.

GCP available types:
Disable - For disabling the user's access key.
Delete - For the deleting user's access key.
DisableOptional
autoUserRemediationWhether to execute the user remediation flow automatically.FalseOptional
AWS-userRemediationTypeChoose the remediation type for the user involved.

AWS available types:
Delete - for the user deletion.
Revoke - for revoking the user's credentials.
RevokeOptional
Azure-userRemediationTypeChoose the remediation type for the user involved.

Azure available types:
Disable - for disabling the user.
Delete - for deleting the user.
DisableOptional
GCP-userRemediationTypeChoose the remediation type for the user involved.

GCP available types:
Delete - For deleting the user.
Disable - For disabling the user.
DisableOptional
autoBlockIndicatorsWhether to block the indicators automatically.FalseOptional
InternalRangeA list of internal IP ranges to check IP addresses against.
For IP Enrichment - Generic v2 playbook.
Optional
ResolveIPDetermines whether to convert the IP address to a hostname using a DNS query (True/ False).TrueOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Cortex XDR - XCloud Cryptojacking