XCloud Cryptojacking - Set Verdict
#
This Playbook is part of the Cloud Incident Response Pack.Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.
This playbook sets the alert's verdict as malicious if one of the following conditions is true:
- If the source IP address is malicious
- If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity)
- If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity"
- If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well.
- If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region"
If none of the conditions is true, the playbook will wait for an analyst's decision.
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooksThis playbook does not use any sub-playbooks.
#
IntegrationsThis playbook does not use any integrations.
#
Scripts- SearchIncidentsV2
- Set
#
CommandsThis playbook does not use any commands.
#
Playbook InputsName | Description | Default Value | Required |
---|---|---|---|
sourceIP | The source IP of the attack. | Optional |
#
Playbook OutputsPath | Description | Type |
---|---|---|
alertVerdict | The alert verdict | string |