Skip to main content

Cortex XDR - Cloud Data Exfiltration Response

This Playbook is part of the Cloud Incident Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

Data Exfiltration Response#

The Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following:

  • Enrichment involved assets.
  • Determines the appropriate verdict based on the data collected from the enrichment phase.
  • Cloud Persistence Threat Hunting:
    • Conducts threat hunting activities to identify any cloud persistence techniques
  • Verdict Handling:
    • Handles false positives identified during the investigation
    • Handles true positives by initiating appropriate response actions


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cloud User Investigation - Generic
  • Cloud Threat Hunting - Persistence
  • Cloud Response - Generic


  • ip
  • xdr-get-cloud-original-alerts
  • xdr-get-alerts
  • closeInvestigation

Playbook Inputs#

NameDescriptionDefault ValueRequired
alertIDThe XDR alert IDOptional
autoUserRemediationWhether to execute the user remediation automatically. (Default: False)FalseOptional
autoBlockIndicatorsWhether to execute the block remediation automatically. (Default: False)FalseOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cortex XDR - Cloud Data Exfiltration Response