
Cortex XDR - Malicious Pod Response - Agent

This playbook is part of the Cloud Incident Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This playbook provides a swift, repeatable response to malicious activity inside Kubernetes environments, using cloud-native tooling to preserve cluster security and integrity.

It handles agent-generated alerts for malicious activity inside Kubernetes (K8S) pods, such as cryptomining, that requires immediate action. It also covers the case in which the malicious pod is killed but the K8S workload that owns it keeps creating replacement pods, so that killing the pod alone does not end the activity.

Key Features:

AWS Lambda Integration: The playbook deploys an AWS Lambda function that manages resources and performs the response actions inside an Amazon EKS cluster, without relying on third-party tools such as kubectl.

The Lambda function can initiate the following response actions:

- Pod Termination: The playbook includes steps to safely terminate the affected pod within the K8S environment.
- Workload Suspension: If necessary, the playbook can be escalated to suspend the entire workload associated with the mining activity.

Once the Lambda function has run, the playbook deletes every object it created for the execution (the function and the IAM/EC2 objects provisioned for it), so that a function able to delete pods and alter workloads is not left behind where it could be misused.

Workflow:

  1. Alert Detection: The playbook starts when the agent raises a mining alert for a Kubernetes pod.
  2. Alert Validation: Retrieves the original alert details and validates that the alert is not a false positive before any destructive action is taken.
  3. Response Decision:
    • Pod Termination: If the mining activity is isolated to a single pod, the AWS Lambda function is invoked to terminate the affected pod within the K8S environment. A pod that is owned by a controller will be recreated after deletion, which is why the next option exists.
    • Workload Suspension: If the mining activity is widespread, keeps reappearing in new pods, or poses a significant threat, the AWS Lambda function suspends the entire workload within the K8S environment.
  4. Cleanup: Removes all objects created for the Lambda execution, for security and hardening purposes.
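The following is an added example, not the pack's own Lambda code, of what such a function has to do for both response actions when it talks to the cluster's Kubernetes API directly, so that no kubectl is needed. It assumes the function's execution role is mapped to a cluster identity (aws-auth ConfigMap or EKS access entry) with RBAC to get and patch workloads and delete pods in the target namespace, and that the playbook passes the pod's controller ownerReference in the invocation event; the event field names are invented for the example. The ownerReferences walk (ReplicaSet to Deployment, Job to CronJob) is what makes the suspension stick in the "pod keeps coming back" case described above: scaling only the ReplicaSet would be undone by its Deployment.

```python
"""Added example (not the pack's own Lambda code): both response actions done
through the cluster's Kubernetes API from a Lambda, with no kubectl. Assumes the
execution role maps to a cluster identity with RBAC to get/patch workloads and
delete pods in the namespace; the event shape in lambda_handler is invented."""
import base64
import json
import ssl
import urllib.request

CORE, APPS, BATCH = "/api/v1", "/apis/apps/v1", "/apis/batch/v1"
PLURAL = {"Deployment": "deployments", "StatefulSet": "statefulsets",
          "ReplicaSet": "replicasets", "DaemonSet": "daemonsets",
          "Job": "jobs", "CronJob": "cronjobs"}

def resolve_controller(namespace, owner, get_object):
    """Climb controller ownerReferences (ReplicaSet -> Deployment, Job ->
    CronJob): scaling only a ReplicaSet is undone by its Deployment."""
    current = owner
    while True:
        obj = get_object(current["kind"], namespace, current["name"])
        parents = [r for r in obj.get("metadata", {}).get("ownerReferences", [])
                   if r.get("controller")]
        if not parents:
            return current
        current = {"kind": parents[0]["kind"], "name": parents[0]["name"]}

def suspend_step(namespace, controller):
    """One merge-patch that stops the controller from creating new pods."""
    kind, name = controller["kind"], controller["name"]
    if kind in ("Deployment", "StatefulSet", "ReplicaSet"):
        path = f"{APPS}/namespaces/{namespace}/{PLURAL[kind]}/{name}/scale"
        return ("PATCH", path, {"spec": {"replicas": 0}})
    if kind == "DaemonSet":  # no replica count: pin it to a label no node carries
        return ("PATCH", f"{APPS}/namespaces/{namespace}/daemonsets/{name}",
                {"spec": {"template": {"spec": {"nodeSelector": {"incident-response/suspended": "true"}}}}})
    if kind in ("Job", "CronJob"):
        path = f"{BATCH}/namespaces/{namespace}/{PLURAL[kind]}/{name}"
        return ("PATCH", path, {"spec": {"suspend": True}})
    raise ValueError(f"unsupported controller kind: {kind}")

def plan_response(namespace, pod, owner=None, suspend_workload=False,
                  get_object=None):
    """Ordered (method, path, body) calls. With suspend_workload the owning
    controller is stopped before the pod is deleted; without it a managed pod
    is replaced as soon as it dies, which is what the escalation is for."""
    steps = []
    if suspend_workload:
        if owner is None:
            raise ValueError("pod has no controller owner; nothing to suspend")
        top = resolve_controller(namespace, owner, get_object) if get_object else owner
        steps.append(suspend_step(namespace, top))
    steps.append(("DELETE", f"{CORE}/namespaces/{namespace}/pods/{pod}",
                  {"gracePeriodSeconds": 0}))
    return steps

def eks_token(cluster_name, region):
    """Cluster bearer token: STS GetCallerIdentity presigned with x-k8s-aws-id, as 'aws eks get-token' does."""
    import boto3  # ships in the Lambda Python runtime; imported locally to keep the rest pure
    from botocore.signers import RequestSigner
    session = boto3.session.Session(region_name=region)
    signer = RequestSigner(session.client("sts").meta.service_model.service_id, region,
                           "sts", "v4", session.get_credentials(), session.events)
    url = signer.generate_presigned_url(
        {"method": "GET", "headers": {"x-k8s-aws-id": cluster_name},
         "url": f"https://sts.{region}.amazonaws.com/"
                "?Action=GetCallerIdentity&Version=2011-06-15",
         "body": {}, "context": {}},
        region_name=region, expires_in=60, operation_name="")
    return "k8s-aws-v1." + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

def api_call(endpoint, token, ca_file, method, path, body=None):
    """One authenticated call to the API server; returns (status, parsed body)."""
    req = urllib.request.Request(endpoint + path, method=method,
                                 data=None if body is None else json.dumps(body).encode())
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/merge-patch+json"
                   if method == "PATCH" else "application/json")
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status, json.load(resp)

def lambda_handler(event, context):
    """Entry point. Event (assumed shape): cluster, region, namespace, pod,
    owner (the pod's controller ownerReference or null), suspend_workload."""
    import boto3
    cluster = boto3.client("eks", region_name=event["region"]).describe_cluster(
        name=event["cluster"])["cluster"]
    ca_file = "/tmp/eks-ca.crt"  # /tmp is the only writable path in Lambda
    with open(ca_file, "wb") as f:
        f.write(base64.b64decode(cluster["certificateAuthority"]["data"]))
    token = eks_token(event["cluster"], event["region"])
    def get_object(kind, ns, name):  # GET used only to climb ownerReferences
        api = BATCH if kind in ("Job", "CronJob") else APPS
        return api_call(cluster["endpoint"], token, ca_file, "GET",
                        f"{api}/namespaces/{ns}/{PLURAL[kind]}/{name}")[1]
    steps = plan_response(event["namespace"], event["pod"], event.get("owner"),
                          bool(event.get("suspend_workload")), get_object)
    return {"actions": [[m, p, api_call(cluster["endpoint"], token, ca_file,
                                        m, p, b)[0]] for m, p, b in steps]}
```

From the playbook the function is driven with aws-lambda-invoke and a JSON event of the shape above; the decision between "terminate the pod" and "suspend the workload" is carried by suspend_workload, and plan_response refuses to suspend when the pod has no controller so a bare pod never triggers a patch on a non-existent workload. Because the token is derived from the execution role's STS identity at call time, nothing cluster-specific is stored in the function, but that same role can delete pods and scale workloads, which is why the cleanup step must actually run after every execution.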

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling
  • Function Deployment - AWS
  • Function Removal - AWS

Integrations

  • AWS IAM (Identity and Access Management)
  • AWS EC2 (Elastic Compute Cloud)
  • AWS EKS (Elastic Kubernetes Service)
  • AWS Lambda

Commands

  • aws-lambda-invoke
  • xdr-get-cloud-original-alerts

Playbook Inputs

Name         Description                                        Default Value   Required
ClusterName  The name of the EKS cluster.                                       Optional
region       The AWS region of the resources.                                   Optional
AlertID      The ID of the alert that triggered the playbook.                   Optional

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

(Image: flow diagram of the Cortex XDR - Malicious Pod Response - Agent playbook)