Cloud IAM User Access Investigation

Investigate and respond to Cortex XSIAM alerts where a Cloud IAM user access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node

Cloud Incident Response · 23 tasks · 33 inputs · 0 outputs

Inputs

  • ShouldCloseAutomatically — Whether to close alerts automatically as a false positive. (True/False).
  • autoAccessKeyRemediation — Whether to execute the user remediation flow automatically.
  • autoBlockIndicators — Whether to block the indicators automatically.
  • autoUserRemediation — Whether to execute the user remediation flow automatically.
  • credentialsRemediationType — The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.
  • AWS-accessKeyRemediationType — Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for deleting the user's access key.
  • AWS-userRemediationType — Choose the remediation type for the user involved. AWS available types: Delete - for deleting the user. Revoke - for revoking the user's credentials.
  • shouldCloneSA — Whether to clone the compromised SA before putting a deny policy to it. True/False
  • AWS-newRoleName — The name of the new role to create if the analyst decides to clone the service account.
  • AWS-newInstanceProfileName — The name of the new instance profile to create if the analyst decides to clone the service account.
  • AWS-roleNameToRestrict — If provided, the role will be attached with a deny policy without the compute instance analysis flow.
  • Azure-userRemediationType — Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user.
  • GCP-accessKeyRemediationType — Choose the remediation type for the user's access key. GCP available types: Disable - For disabling the user's access key. Delete - For deleting the user's access key.
  • GCP-userRemediationType — Choose the remediation type for the user involved. GCP available types: Delete - For deleting the user. Disable - For disabling the user.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • description — The ticket description.
  • CommentToAdd — Comment for the ticket.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.

Commands used

closeInvestigation core-get-cloud-original-alerts setParentIncidentFields

Flowchart

False Positive True positive yes yes yes yes Start Start Remediation Remediation Done Done Manual verdict decision Manual verdict decision False Positive False Positive Verdict Verdict Close the alert and finish the investigation? Close the alert and finis... Close alert after remediation - closeInvestigation Close alert after remedia... closeInvestigation Fetch alert extra data - core-get-cloud-original-alerts Fetch alert extra data core-get-cloud-original-alerts Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts Continue the investigation Continue the investigation Is activity malicious? Is activity malicious? Load alert JSON - LoadJSON Load alert JSON LoadJSON Analysis Analysis Investigate collected data Investigate collected data Enrichment for Verdict - Enrichment for Verdict Enrichment for Verdict Enrichment for Verdict Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Cloud IAM Enrichment - Generic - Cloud IAM Enrichment - Generic Cloud IAM Enrichment - Ge... Cloud IAM Enrichment - Generic Set Alert Severity to High - setParentIncidentFields Set Alert Severity to High setParentIncidentFields Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic Cloud Credentials Rotation - Generic - Cloud Credentials Rotation - Generic Cloud Credentials Rotatio... Cloud Credentials Rotation - ... Should rotate the credentials automatically? Should rotate the credent...