Cloud Response - Generic
This playbook provides response playbooks for: - AWS - Azure - GCP The response actions available are: - Terminate/Shut down/Power off an instance - Delete/Disable a user - Delete/Revoke/Disable credentials - Block indicators
Common Playbooks · 12 tasks · 23 inputs · 0 outputs
Inputs
cloudProvider— The cloud service provider involved.autoResourceRemediation— Whether to execute the resource remediation flow automatically.AWS-resourceRemediationType— Choose the remediation type for the instances created. AWS available types: Stop - for stopping the instances. Terminate - for terminating the instances.Azure-resourceRemediationType— Choose the remediation type for the instances created. Azure available types: Poweroff - for shutting down the instances. Delete - for deleting the instances.GCP-resourceRemediationType— Choose the remediation type for the instances created. GCP available types: Stop - For stopping the instances. Delete - For deleting the instances.autoAccessKeyRemediation— Whether to execute the access key remediation flow automatically.AWS-accessKeyRemediationType— Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for the user's access key deletion.GCP-accessKeyRemediationType— Choose the remediation type for the user's access key. GCP available types: Disable - For disabling the user's access key. Delete - For the deleting user's access key.autoUserRemediation— Whether to execute the user remediation flow automatically.AWS-userRemediationType— Choose the remediation type for the user involved. AWS available types: Delete - for the user deletion. Revoke - for revoking the user's credentials.Azure-userRemediationType— Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user.GCP-userRemediationType— Choose the remediation type for the user involved. GCP available types: Delete - For deleting the user. Disable - For disabling the user.autoBlockIndicators— Whether to block the indicators automatically.resourceName— The resource name to take action on. Supports: AWS, GCP and AzureresourceZone— The resource's zone to take action on. Supports: GCPresourceGroup— Supports: Azure The resource group to take action on.accessKeyName— The access key name in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. Supports: GCPaccessKeyId— The user's access key ID. Supports: AWSregion— The resource's region. Supports: AWSusername— The username to take action on. Supports: AWS, GCP and AzuresourceIP— The source IP address of the attacker.GCPprojectID— The GCP Project ID for the event scope.accountType— The account type GCP - "user" / "service_account"