AWS IAM User Access Investigation Deprecated

Deprecated. Use `Cloud IAM User Access Investigation` instead. Investigate and respond to Cortex XSIAM alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.

Core · 15 tasks · 5 inputs · 0 outputs

Inputs

  • AutoDeleteProfile — Whether to automatically delete the user login profile if it exists (True/False).
  • AutoBlockIP — Whether to initiate block IP playbook automatically (True/False).
  • IndicatorTag — The tag name for bad reputation IP addresses investigated in the incident. Use this when the EDL service is configured to add indicators to block in PANW PAN-OS. If the indicator verdict (Malicious/Bad) is used to add indicators to Cortex XSIAM EDL you don't need to use the tag. Indicators are set as malicious, automatically in the incident.
  • DAG — This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. Specify the Dynamic Address Group tag name for IP handling.
  • ShouldCloseAutomatically — Whether to close alerts automatically as a false positive (True/False).

Commands used

closeInvestigation core-get-cloud-original-alerts

Flowchart

False Positive True positive yes yes Start Start Remediation Remediation Done Done Manual decision making - true/false-positive alert Manual decision making - ... False Positive - Done False Positive - Done Enrichment Enrichment Verdict Verdict AWS IAM User Access Investigation - Remediation - AWS IAM User Access Investigation - Remediation AWS IAM User Access Inves... AWS IAM User Access Investiga... Close the alert and finish the investigation? Close the alert and finis... Close alert after remediation - closeInvestigation Close alert after remedia... closeInvestigation Enrichment for Verdict - Enrichment for Verdict Enrichment for Verdict Enrichment for Verdict Get cloud original alert - core-get-cloud-original-alerts Get cloud original alert core-get-cloud-original-alerts Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts Continue the investigation Continue the investigation Is it a suspicious or Tor IP? Is it a suspicious or Tor...