Cloud IAM Enrichment - Generic
This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP).
Common Playbooks · 25 tasks · 4 inputs · 24 outputs
Inputs
username— User name.GCPProjectName— The GCP project name.cloudProvider— The cloud service provider involved.cloudIdentityType— The cloud identity type.
Outputs
AWS.IAM.Users— AWS AM Users include: UserId Arn CreateDate Path PasswordLastUsed.AWS.IAM.Users.AccessKeys— AWS IAM Users Access Keys include: AccessKeyId Status CreateDate UserName.GCPIAM— GCP IAM information.GSuite— GSuite user information.GSuite.PageToken— Token to specify the next page in the list.MSGraphUser— MSGraph user information.MSGraphGroups— MSGraph groups information.MSGraph.identityProtection— MSGraph identity protection - risky user history.AWS.IAM.Users.AccessKeys.CreateDate— The date when the access key was created.AWS.IAM.Users.AccessKeys.UserName— The name of the IAM user that the key is associated with.AWS.IAM.Users.Groups— AWS IAM - User groups.AWS.IAM.UserPolicies— AWS IAM - user inline policies.AWS.IAM.AttachedUserPolicies— AWS IAM - User attached policies.MSGraphGroup— MSGraph group information.MSGraph.identityProtection.RiskyUserHistory— Risky user history.MSGraph.identityProtection.RiskyUserHistory.userPrincipalName— Risky user principal name.MSGraph.identityProtection.RiskyUserHistory.userDisplayName— Risky user display name.MSGraph.identityProtection.RiskyUserHistory.riskDetail— Reason why the user is considered a risky user. The possible values are limited to none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, and unknownFutureValue.MSGraph.identityProtection.RiskyUserHistory.riskstate— State of the user's risk. The possible values are none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, and unknownFutureValue.MSGraph.identityProtection.RiskyUserHistory.riskLevel— Risk level of the detected risky user. The possible values are low, medium, high, hidden, none, and unknownFutureValue.MSGraph.identityProtection.RiskyUserHistory.riskLastUpdatedDateTime— The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using the ISO 8601 format and is always in UTC time.MSGraph.identityProtection.RiskyUserHistory.isProcessing— Indicates whether a user's risky state is being processed by the backend.MSGraph.identityProtection.RiskyUserHistory.isDeleted— Indicates whether the user is deleted.MSGraph.identityProtection.RiskyUserHistory.id— Unique ID of the risky user.
Commands used
aws-iam-get-user
aws-iam-list-access-keys-for-user
aws-iam-list-attached-user-policies
aws-iam-list-groups-for-user
aws-iam-list-user-policies
gcp-iam-project-role-list
gcp-iam-service-account-keys-get
gcp-iam-service-accounts-get
gsuite-role-assignment-list
gsuite-user-get
msgraph-groups-list-groups
msgraph-identity-protection-risky-user-history-list
msgraph-user-get