XCloud Cryptojacking

This Playbook is part of the Cloud Incident Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

Investigates a Cortex XDR incident containing a Cloud Cryptojacking-related alert. The playbook supports AWS, Azure, and GCP and executes the following:

  • Cloud enrichment:
    - Collects info about the involved resources
    - Collects info about the involved identities
    - Collects info about the involved IPs
  • Verdict decision tree
  • Verdict handling:
    - Handle False Positives
    - Handle True Positives
    - Cloud Response - Generic sub-playbook
  • Notifies the SOC if a malicious verdict was found

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cloud Response - Generic
  • XCloud Cryptojacking - Set Verdict
  • Ticket Management - Generic
  • Cloud Credentials Rotation - Generic
  • Handle False Positive Alerts
  • XCloud Alert Enrichment

Integrations

This playbook does not use any integrations.

Scripts

  • IncreaseAlertSeverity
  • LoadJSON

Commands

  • closeInvestigation
  • core-get-cloud-original-alerts
  • send-mail
  • setParentIncidentFields

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| SOCEmailAddress | The SOC email address to use for the alert status notification. | | Optional |
| requireAnalystReview | Whether to require an analyst review after the alert remediation. | True | Optional |
| ShouldCloseAutomatically | Whether to automatically close false positive alerts. Specify true/false. | False | Optional |
| ShouldHandleFPautomatically | Whether to automatically handle false positive alerts. Specify true/false. | False | Optional |
| cloudProvider | The cloud service provider involved. | alert.cloudprovider | Optional |
| alert_id | The alert ID. | | Optional |
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/False). | True | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. Used by the IP Enrichment - Generic v2 playbook. | | Optional |
| autoAccessKeyRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| autoBlockIndicators | Whether to block the indicators automatically. | False | Optional |
| autoResourceRemediation | Whether to execute the resource remediation flow automatically. | False | Optional |
| autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
| credentialsRemediationType | The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin. Reset: entering "Reset" makes the playbook execute a password reset (supports AWS, MSGraph Users, GCP and GSuite Admin). Revoke: entering "Revoke" makes GCP revoke the access key, GSuite Admin revoke the access token, and MSGraph Users revoke the session (supports GCP, GSuite Admin and MSGraph Users). Deactivate: entering "Deactivate" makes the playbook execute access key deactivation (supports AWS). ALL: entering "ALL" makes the playbook execute all the remediation actions provided for each CSP. | | Optional |
| AWS-accessKeyRemediationType | Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key; Delete - for deleting the user's access key. | Disable | Optional |
| AWS-resourceRemediationType | Choose the remediation type for the instances created. AWS available types: Stop - for stopping the instances; Terminate - for terminating the instances. | Stop | Optional |
| AWS-userRemediationType | Choose the remediation type for the user involved. AWS available types: Delete - for deleting the user; Revoke - for revoking the user's credentials. | Revoke | Optional |
| shouldCloneSA | Whether to clone the compromised SA before attaching a deny policy to it. True/False. | | Optional |
| AWS-newRoleName | The name of the new role to create if the analyst decides to clone the service account. | | Optional |
| AWS-newInstanceProfileName | The name of the new instance profile to create if the analyst decides to clone the service account. | | Optional |
| AWS-roleNameToRestrict | If provided, the role will be attached with a deny policy without the compute instance analysis flow. | | Optional |
| Azure-resourceRemediationType | Choose the remediation type for the instances created. Azure available types: Poweroff - for shutting down the instances; Delete - for deleting the instances. | Poweroff | Optional |
| Azure-userRemediationType | Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user; Delete - for deleting the user. | Disable | Optional |
| GCP-accessKeyRemediationType | Choose the remediation type for the user's access key. GCP available types: Disable - for disabling the user's access key; Delete - for deleting the user's access key. | Disable | Optional |
| GCP-resourceRemediationType | Choose the remediation type for the instances created. GCP available types: Stop - for stopping the instances; Delete - for deleting the instances. | Stop | Optional |
| GCP-userRemediationType | Choose the remediation type for the user involved. GCP available types: Delete - for deleting the user; Disable - for disabling the user. | Disable | Optional |
| ShouldOpenTicket | Whether to open a ticket automatically in a ticketing system (True/False). | False | Optional |
| serviceNowShortDescription | A short description of the ticket. | XSIAM Incident ID - ${parentIncidentFields.incident_id} | Optional |
| serviceNowImpact | The impact for the new ticket. Leave empty for the ServiceNow default impact. | | Optional |
| serviceNowUrgency | The urgency of the new ticket. Leave empty for the ServiceNow default urgency. | | Optional |
| serviceNowSeverity | The severity of the new ticket. Leave empty for the ServiceNow default severity. | | Optional |
| serviceNowTicketType | The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident". | | Optional |
| serviceNowCategory | The category of the ServiceNow ticket. | | Optional |
| serviceNowAssignmentGroup | The group to which to assign the new ticket. | | Optional |
| ZendeskPriority | The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low". | | Optional |
| ZendeskRequester | The user who requested this ticket. | | Optional |
| ZendeskStatus | The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed". | | Optional |
| ZendeskSubject | The value of the subject field for this ticket. | XSIAM Incident ID - ${parentIncidentFields.incident_id} | Optional |
| ZendeskTags | The array of tags applied to this ticket. | | Optional |
| ZendeskType | The type of this ticket. Allowed values are "problem", "incident", "question", or "task". | | Optional |
| ZendeskAssigne | The agent currently assigned to the ticket. | | Optional |
| ZendeskCollaborators | The users currently CC'ed on the ticket. | | Optional |
| description | The ticket description. | ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url} | Optional |
| addCommentPerEndpoint | Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False. | True | Optional |
| CommentToAdd | Comment for the ticket. | ${alert.name}. Alert ID: ${alert.id} | Optional |

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


XCloud Cryptojacking