Cloud Security Posture Management Playbooks v2.1.0
This pack provides the remediation playbooks for Cortex Cloud Issues and Cases.
- Author:
- Cortex XSOAR
- Support:
- xsoar
cloud_runtime_securityagentixcloud_posturexsiamcloud
Cloud Services
Triggers (47)
- Remediation_playbook_for_AWS_EC2_misconfigurations
- Remediation_playbook_for_AWS_IAM_password_policy_misconfiguration
- Remediation_playbook_for_AWS_S3_bucket_publicly_accessible
- Trigger_-_AWS_Network_Exposure
- Trigger_-_AWS_Public_Access_Misconfiguration
- Trigger_-_Allow_Access_by_Trusted_Services
- Trigger_-_Assign_Managed_Identity_to_Function_App
- Trigger_-_Assign_Managed_Identity_to_Web_App
- Trigger_-_Azure_Network_Exposure
- Trigger_-_Azure_Public_Access_Misconfiguration
- Trigger_-_Disable_Network_Access_to_Storage_Account
- Trigger_-_Disable_Public_&_Private_Access_to_VM_Disk
- Trigger_-_Disable_Public_Access_on_RDS
- Trigger_-_Disable_Remote_Debugging_on_Azure_App
- Trigger_-_Disable_Storage_Account_Cross_Tenant_Replication
- Trigger_-_Enable_Automatic_Backup_for_RDS_dB
- Trigger_-_Enable_Azure_App_Service_Auth
- Trigger_-_Enable_CloudTrail_Log_Validation
- Trigger_-_Enable_CloudTrail_Logging
- Trigger_-_Enable_Copy_Tags_on_RDS_Snapshot
- Trigger_-_Enable_Deletion_Protection_on_RDS
- Trigger_-_Enable_GCP_Bucket_Versioning
- Trigger_-_Enable_GKE_Cluster_Intra-node_Visibility
- Trigger_-_Enable_IAM_Authentication_on_RDS
- Trigger_-_Enable_IAM_Authentication_on_RDS_Cluster
- Trigger_-_Enable_Master_Authorized_Networks_on_GKE
- Trigger_-_Enable_RDS_Auto_Upgrade
- Trigger_-_Enable_RDS_Cluster_Deletion_Protection
- Trigger_-_Enable_S3_Versioning
- Trigger_-_Enable_Soft_Delete_on_Blob
- Trigger_-_GCP_Network_Exposure
- Trigger_-_GCP_Public_Access_Misconfiguration
- Trigger_-_Make_GCP_Bucket_Private
- Trigger_-_Remove_GCP_Bucket_AllAuthenticatedUser_Access
- Trigger_-_Remove_GCP_Bucket_AllUsers_Access
- Trigger_-_Set_AMI_to_Private
- Trigger_-_Set_Function_App_HTTP_Version_to_2.0
- Trigger_-_Set_Function_App_Min_TLS_Version
- Trigger_-_Set_GCP_Bucket_Access_to_Uniform
- Trigger_-_Set_RDS_Cluster_Snapshot_to_Private
- Trigger_-_Set_RDS_Snapshot_to_Private
- Trigger_-_Set_Secure_Transport_for_MySQL
- Trigger_-_Set_Snapshot_to_Private
- Trigger_-_Set_Storage_Account_to_HTTPS_only
- Trigger_-_Set_Web_App_Min_TLS_Version
- Trigger_-_Set_Webapp_HTTP_Version_to_2.0
- Trigger_-_Update_Azure_Monitor_Log_Retention_Period
README
Overview
This content pack helps fix common cloud misconfigurations automatically with analyst approval or performs auto-remediation without approval, optionally notifying stakeholders. It also includes two versatile, cloud-agnostic playbooks for creating tickets and sending notifications via ServiceNow, Jira, Email, Slack, or Microsoft Teams.
Key Use Cases
- Automatically remediate AWS misconfigurations with optional analyst approval.
- Automatically remediate AWS, Azure, and GCP public access misconfigurations with minimal or no manual intervention.
- Create or update issue tickets in Jira or ServiceNow.
- Notify teams through Slack, Microsoft Teams, or email.
Included Playbooks
AWS Remediation Playbooks
AWS EC2 Instance Misconfiguration Remediation
- Ensures EC2 instances are configured with Instance Metadata Service v2 (IMDSv2).
- Offers analyst-in-the-loop or fully automated remediation.
- Integrates with AWS and Cortex Core IR.
AWS IAM Password Policy Remediation
-
Remediates 9 different insecure IAM password policy configurations, such as:
- Password reuse
- Minimum password length
- Lack of complexity requirements (uppercase, symbols, etc.)
- No expiration policy
-
Supports both automated and analyst approval flows.
AWS S3 Bucket Public Access Remediation
- Detects and remediates publicly accessible S3 buckets (read or write access).
- Ensures S3 compliance with cloud security policies.
AWS Public Access Misconfiguration - Auto-remediate
- Automatically disables public access settings for RDS Database instances, EBS Snapshots and S3 buckets.
- Option to notify stakeholders about the remediation via Email, Slack or MS Teams.
- Set enableNotifications to ‘yes’ and configure inputs for the Notify Stakeholders playbook to send issue, asset and remediation details.
Azure Remediation Playbooks
Azure Public Access Misconfiguration - Auto-remediate
- Automatically remediates the misconfiguration issues for publicly accessible Azure blob containers, overly permissive Azure VM Disks or default Allow network access to Azure Storage Accounts.
- Option to notify stakeholders about the remediation via Email, Slack or MS Teams.
- Set enableNotifications to ‘yes’ and configure inputs for the Notify Stakeholders playbook to send issue, asset and remediation details.
GCP Remediation Playbooks
GCP Public Access Misconfiguration - Auto-remediate
- Automatically secure the publicly exposed GCP bucket by updating policies to block public access immediately.
- Option to notify stakeholders about the remediation via Email, Slack or MS Teams.
- Set enableNotifications to ‘yes’ and configure inputs for the Notify Stakeholders playbook to send issue, asset and remediation details.
All remediation playbooks leverage:
- AWS integrations
- Sub-playbooks for ticket creation and/or notification
- Context-aware command execution
Generic Utility Playbook
Create Ticket and Notify
- Creates or updates incident tickets using Jira V3 or ServiceNow v2.
- Notifies stakeholders via Slack, Microsoft Teams, or email.
- Customizable behavior: ticket-only, notification-only, or both.
- Detects available integrations and adapts accordingly.
Notify Stakeholders
- This is a sub-playbook that is used in the Public Access Misconfiguration remediation playbooks for AWS, Azure, and GCP.
- It is used to send issue and asset details along with the remediation action taken, in a well formatted notification message via Email, Slack or MS Teams, depending on the configured and enabled integrations.
- Configure recipients for email, slack or MS Teams notification in the Playbook Triggered header of this playbook
- If no inputs are pre-configured and enableNotifications is set to ‘yes’ in the remediation playbook, execution will pause to request at least one recipient.
Dependencies
This pack uses the following integrations:
- AWS
- Azure
- GCP
- Cortex Core - IR
- Jira V3
- ServiceNow v2
- Microsoft Teams
- SlackV3
- mail-sender
Future Roadmap
- Additional coverage for High/Critical severity AWS, Azure, and GCP misconfiguration issues
Requirements
- Active integrations for AWS, Azure, GCP, Jira, ServiceNow, Slack, Microsoft Teams (depending on use)
- Access to cloud account APIs with sufficient permissions for remediation
Pack Contributors
- Shashi Testman
- Ann Testman
- Marc Cyr
- Anmol Baansal
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.