# Cortex XDR - Cloud IAM User Access Investigation

This Playbook is part of the Cloud Incident Response Pack.

## Supported versions
Supported Cortex XSOAR versions: 6.8.0 and later.
Investigate and respond to Cortex XDR Cloud alerts where a Cloud IAM user's access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments:
- Penetration testing tool attempt
- Penetration testing tool activity
- Suspicious API call from a Tor exit node

## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks
- Account Enrichment - Generic v2.1
- Cloud IAM Enrichment - Generic
- Cloud Response - Generic

### Integrations
- CortexXDRIR

### Scripts
- LoadJSON

### Commands
- ip
- xdr-get-cloud-original-alerts
- setIncident

## Playbook Inputs
Name | Description | Default Value | Required |
---|---|---|---|
alert_id | The alert ID. | | Optional |
autoBlockIndicators | Whether to block the indicators automatically. | False | Optional |
autoAccessKeyRemediation | Whether to execute the access key remediation flow automatically. | False | Optional |
AWS-accessKeyRemediationType | Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for deleting the user's access key. | Disable | Optional |
GCP-accessKeyRemediationType | Choose the remediation type for the user's access key. GCP available types: Disable - for disabling the user's access key. Delete - for deleting the user's access key. | Disable | Optional |
autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
AWS-userRemediationType | Choose the remediation type for the user involved. AWS available types: Delete - for deleting the user. Revoke - for revoking the user's credentials. | Revoke | Optional |
Azure-userRemediationType | Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user. | Disable | Optional |
GCP-userRemediationType | Choose the remediation type for the user involved. GCP available types: Delete - for deleting the user. Disable - for disabling the user. | Disable | Optional |

## Playbook Outputs
There are no outputs for this playbook.