Cortex XDR - Cloud IAM User Access Investigation

This playbook is part of the Cloud Incident Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Investigate and respond to Cortex XDR Cloud alerts where a Cloud IAM user's access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments.

  • Penetration testing tool attempt
  • Penetration testing tool activity
  • Suspicious API call from a Tor exit node

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Account Enrichment - Generic v2.1
  • Cloud IAM Enrichment - Generic
  • Cloud Response - Generic

Integrations

  • CortexXDRIR

Scripts

  • LoadJSON

Commands

  • ip
  • xdr-get-cloud-original-alerts
  • setIncident

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| alert_id | The alert ID. | | Optional |
| autoBlockIndicators | Whether to block the indicators automatically. | False | Optional |
| autoAccessKeyRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| AWS-accessKeyRemediationType | Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key; Delete - for deleting the user's access key. | Disable | Optional |
| GCP-accessKeyRemediationType | Choose the remediation type for the user's access key. GCP available types: Disable - for disabling the user's access key; Delete - for deleting the user's access key. | Disable | Optional |
| autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| AWS-userRemediationType | Choose the remediation type for the user involved. AWS available types: Delete - for deleting the user; Revoke - for revoking the user's credentials. | Revoke | Optional |
| Azure-userRemediationType | Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user; Delete - for deleting the user. | Disable | Optional |
| GCP-userRemediationType | Choose the remediation type for the user involved. GCP available types: Delete - for deleting the user; Disable - for disabling the user. | Disable | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Playbook image: Cortex XDR - Cloud IAM User Access Investigation]