Cloud Threat Hunting - Persistence
--- ## Cloud Threat Hunting - Persistence Playbook The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time. ### Hunting Queries The playbook executes hunting queries for each provider related to each of the following: 1. IAM 2. Compute Resources 3. Compute Functions ### Indicator Extraction If relevant events are found during the search, indicators will be extracted using the `ExtractIndicators-CloudLogging` script. ---
Cloud Incident Response · 23 tasks · 8 inputs · 7 outputs
Inputs
cloudProvider— The cloud service provider involved. The supported CSPs are AWS, Azure and GCP.AWSAccessKeyID— The AWS access key ID.username— The username that initiated the API call.region— The region to search for events in. e.g. us-east-1, us-west-2, etc.AzureTimespan— The timespan to limit by the hunting query. e.g., Use 2d for timespan of 2 days Use 1.5h for timespan of 1.5 hour Use 30m for timespan of 30 minutesAWSTimespan— Date and time in the following format - yyyy-mm-ddThh:mm:ss e.g., 2022-05-29T12:00:00 2021-01-01T12:00:00GCPTimespan— Date in ISO. e.g. 2022-05-29T12:00:00.123Z 2021-01-01T12:00:00.234ZGCPProjectName— The GCP project name.
Outputs
CloudIndicators.arn— The ARN.CloudIndicators.access_key_id— The AWS access key ID.CloudIndicators.resource_name— The resource name.CloudIndicators.source_ip— The source IP.CloudIndicators.username— The username used by the attacker.CloudIndicators.event_name— The name of the event.CloudIndicators.user_agent— The user agent used by the attacker.
Commands used
aws-cloudtrail-lookup-events
azure-log-analytics-execute-query
gcp-logging-log-entries-list