Cloud Security Posture Management Playbooks v2.1.0

This pack provides the remediation playbooks for Cortex Cloud Issues and Cases.

Author:
Cortex XSOAR
Support:
xsoar
URL:
https://www.paloaltonetworks.com/cortex
cloud_runtime_securityagentixcloud_posturexsiamcloud
Cloud Services

Triggers (47)

  • Remediation_playbook_for_AWS_EC2_misconfigurations
  • Remediation_playbook_for_AWS_IAM_password_policy_misconfiguration
  • Remediation_playbook_for_AWS_S3_bucket_publicly_accessible
  • Trigger_-_AWS_Network_Exposure
  • Trigger_-_AWS_Public_Access_Misconfiguration
  • Trigger_-_Allow_Access_by_Trusted_Services
  • Trigger_-_Assign_Managed_Identity_to_Function_App
  • Trigger_-_Assign_Managed_Identity_to_Web_App
  • Trigger_-_Azure_Network_Exposure
  • Trigger_-_Azure_Public_Access_Misconfiguration
  • Trigger_-_Disable_Network_Access_to_Storage_Account
  • Trigger_-_Disable_Public_&_Private_Access_to_VM_Disk
  • Trigger_-_Disable_Public_Access_on_RDS
  • Trigger_-_Disable_Remote_Debugging_on_Azure_App
  • Trigger_-_Disable_Storage_Account_Cross_Tenant_Replication
  • Trigger_-_Enable_Automatic_Backup_for_RDS_dB
  • Trigger_-_Enable_Azure_App_Service_Auth
  • Trigger_-_Enable_CloudTrail_Log_Validation
  • Trigger_-_Enable_CloudTrail_Logging
  • Trigger_-_Enable_Copy_Tags_on_RDS_Snapshot
  • Trigger_-_Enable_Deletion_Protection_on_RDS
  • Trigger_-_Enable_GCP_Bucket_Versioning
  • Trigger_-_Enable_GKE_Cluster_Intra-node_Visibility
  • Trigger_-_Enable_IAM_Authentication_on_RDS
  • Trigger_-_Enable_IAM_Authentication_on_RDS_Cluster
  • Trigger_-_Enable_Master_Authorized_Networks_on_GKE
  • Trigger_-_Enable_RDS_Auto_Upgrade
  • Trigger_-_Enable_RDS_Cluster_Deletion_Protection
  • Trigger_-_Enable_S3_Versioning
  • Trigger_-_Enable_Soft_Delete_on_Blob
  • Trigger_-_GCP_Network_Exposure
  • Trigger_-_GCP_Public_Access_Misconfiguration
  • Trigger_-_Make_GCP_Bucket_Private
  • Trigger_-_Remove_GCP_Bucket_AllAuthenticatedUser_Access
  • Trigger_-_Remove_GCP_Bucket_AllUsers_Access
  • Trigger_-_Set_AMI_to_Private
  • Trigger_-_Set_Function_App_HTTP_Version_to_2.0
  • Trigger_-_Set_Function_App_Min_TLS_Version
  • Trigger_-_Set_GCP_Bucket_Access_to_Uniform
  • Trigger_-_Set_RDS_Cluster_Snapshot_to_Private
  • Trigger_-_Set_RDS_Snapshot_to_Private
  • Trigger_-_Set_Secure_Transport_for_MySQL
  • Trigger_-_Set_Snapshot_to_Private
  • Trigger_-_Set_Storage_Account_to_HTTPS_only
  • Trigger_-_Set_Web_App_Min_TLS_Version
  • Trigger_-_Set_Webapp_HTTP_Version_to_2.0
  • Trigger_-_Update_Azure_Monitor_Log_Retention_Period

README

Overview

This content pack helps fix common cloud misconfigurations automatically with analyst approval or performs auto-remediation without approval, optionally notifying stakeholders. It also includes two versatile, cloud-agnostic playbooks for creating tickets and sending notifications via ServiceNow, Jira, Email, Slack, or Microsoft Teams.

Key Use Cases

  • Automatically remediate AWS misconfigurations with optional analyst approval.
  • Automatically remediate AWS, Azure, and GCP public access misconfigurations with minimal or no manual intervention.
  • Create or update issue tickets in Jira or ServiceNow.
  • Notify teams through Slack, Microsoft Teams, or email.

Included Playbooks

AWS Remediation Playbooks

AWS EC2 Instance Misconfiguration Remediation

  • Ensures EC2 instances are configured with Instance Metadata Service v2 (IMDSv2).
  • Offers analyst-in-the-loop or fully automated remediation.
  • Integrates with AWS and Cortex Core IR.

AWS IAM Password Policy Remediation

  • Remediates 9 different insecure IAM password policy configurations, such as:

    • Password reuse
    • Minimum password length
    • Lack of complexity requirements (uppercase, symbols, etc.)
    • No expiration policy
  • Supports both automated and analyst approval flows.

AWS S3 Bucket Public Access Remediation

  • Detects and remediates publicly accessible S3 buckets (read or write access).
  • Ensures S3 compliance with cloud security policies.

AWS Public Access Misconfiguration - Auto-remediate

  • Automatically disables public access settings for RDS Database instances, EBS Snapshots and S3 buckets.
  • Option to notify stakeholders about the remediation via Email, Slack or MS Teams.
    • Set enableNotifications to ‘yes’ and configure inputs for the Notify Stakeholders playbook to send issue, asset and remediation details.

Azure Remediation Playbooks

Azure Public Access Misconfiguration - Auto-remediate

  • Automatically remediates the misconfiguration issues for publicly accessible Azure blob containers, overly permissive Azure VM Disks or default Allow network access to Azure Storage Accounts.
  • Option to notify stakeholders about the remediation via Email, Slack or MS Teams.
    • Set enableNotifications to ‘yes’ and configure inputs for the Notify Stakeholders playbook to send issue, asset and remediation details.

GCP Remediation Playbooks

GCP Public Access Misconfiguration - Auto-remediate

  • Automatically secure the publicly exposed GCP bucket by updating policies to block public access immediately.
  • Option to notify stakeholders about the remediation via Email, Slack or MS Teams.
    • Set enableNotifications to ‘yes’ and configure inputs for the Notify Stakeholders playbook to send issue, asset and remediation details.

All remediation playbooks leverage:

  • AWS integrations
  • Sub-playbooks for ticket creation and/or notification
  • Context-aware command execution

Generic Utility Playbook

Create Ticket and Notify

  • Creates or updates incident tickets using Jira V3 or ServiceNow v2.
  • Notifies stakeholders via Slack, Microsoft Teams, or email.
  • Customizable behavior: ticket-only, notification-only, or both.
  • Detects available integrations and adapts accordingly.

Notify Stakeholders

  • This is a sub-playbook that is used in the Public Access Misconfiguration remediation playbooks for AWS, Azure, and GCP.
  • It is used to send issue and asset details along with the remediation action taken, in a well formatted notification message via Email, Slack or MS Teams, depending on the configured and enabled integrations.
  • Configure recipients for email, slack or MS Teams notification in the Playbook Triggered header of this playbook
  • If no inputs are pre-configured and enableNotifications is set to ‘yes’ in the remediation playbook, execution will pause to request at least one recipient.

Dependencies

This pack uses the following integrations:

  • AWS
  • Azure
  • GCP
  • Cortex Core - IR
  • Jira V3
  • ServiceNow v2
  • Microsoft Teams
  • SlackV3
  • mail-sender

Future Roadmap

  • Additional coverage for High/Critical severity AWS, Azure, and GCP misconfiguration issues

Requirements

  • Active integrations for AWS, Azure, GCP, Jira, ServiceNow, Slack, Microsoft Teams (depending on use)
  • Access to cloud account APIs with sufficient permissions for remediation

Pack Contributors


  • Shashi Testman
  • Ann Testman
  • Marc Cyr
  • Anmol Baansal

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.