Cloud Token Theft Response

--- ## Cloud Token Theft Response Playbook The **Cloud Token Theft Response Playbook** provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: **Cloud Enrichment:** - Enriches the involved resources - Enriches the involved identities - Enriches the involved IPs **Verdict Decision Tree:** - Determines the appropriate verdict based on the investigation findings **Early Containment using the Cloud Response - Generic Playbook:** - Implements early containment measures to prevent further impact **Cloud Persistence Threat Hunting:** - Conducts threat hunting activities to identify any cloud persistence techniques **Enriching and Responding to Hunting Findings:** - Performs additional enrichment and responds to the findings from threat hunting **Verdict Handling:** - Handles false positives identified during the investigation - Handles true positives by initiating appropriate response actions ---

Cloud Incident Response · 42 tasks · 11 inputs · 0 outputs

Inputs

  • alert_id — The alert ID.
  • InternalRange — A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in a CIDR notation.
  • ResolveIP — Determines whether to convert the IP address to a hostname using a DNS query (True/ False).
  • earlyContainment — Whether to execute early containment. This action allows you to respond rapidly but have higher probability for false positives.
  • VPNIPList — This input can process to types of data: 1. A comma separated list of IP addresses assigned by the VPN provider. (using a XSIAM list or an hardcoded array) 2. A comma separated list of CIDRs. 3. A link to an IP addresses list which will be processed and extract the IP dynamically with each execution.
  • AWS-newInstanceProfileName — The new instance profile name to assign in the clone service account flow.
  • AWS-newRoleName — The new role name to assign in the clone service account flow.
  • AWS-roleNameToRestrict — If provided, the role will be attached with a deny policy without the compute instance analysis flow.
  • shouldCloneSA — Whether to clone the compromised SA before putting a deny policy to it. Supports: AWS. True/False
  • autoCredentialsRotation — Whether to rotate the identity credentials automatically.
  • credentialsRemediationType — The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.

Commands used

closeInvestigation core-get-cloud-original-alerts setAlert

Flowchart

Malicious true true true true Malicious true URL true true true true Start Start Fetch alert extra data - core-get-cloud-original-alerts Fetch alert extra data core-get-cloud-original-alerts Check VPN Check VPN Cloud Enrichment - Generic - Cloud Enrichment - Generic Cloud Enrichment - Generic Cloud Enrichment - Generic Threat Hunting Threat Hunting Analysis Analysis Check verdict resolution Check verdict resolution Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Early Containment Early Containment Enrich IoCs Enrich IoCs Containment Containment Persistence activity or suspicious IoCs found? Persistence activity or s... Manual invetigation Manual invetigation Investigate the data collected Investigate the data coll... Should contain the threats? Should contain the threats? Eradication Eradication Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Should eradicate the threats? Should eradicate the thre... Resolution Resolution Is manual investigation required to complete the resolution process? Is manual investigation r... Investigate further Investigate further Resolve the alert - closeInvestigation Resolve the alert closeInvestigation Done Done Cloud Token Theft - Set Verdict - Cloud Token Theft - Set Verdict Cloud Token Theft - Set V... Cloud Token Theft - Set Verdict IP Enrichment - Generic v2 - IP Enrichment - Generic v2 IP Enrichment - Generic v2 IP Enrichment - Generic v2 Cloud Threat Hunting - Persistence - Cloud Threat Hunting - Persistence Cloud Threat Hunting - Pe... Cloud Threat Hunting - Persis... Entity Enrichment - Generic v3 - Entity Enrichment - Generic v3 Entity Enrichment - Gener... Entity Enrichment - Generic v3 Cloud Enrichment - Generic - Cloud Enrichment - Generic Cloud Enrichment - Generic Cloud Enrichment - Generic Investigate and set verdict Investigate and set verdict Should execute early containment? Should execute early cont... Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Check the VPN list type Check the VPN list type Process the VPN IP list - ParseHTMLIndicators Process the VPN IP list ParseHTMLIndicators Was a VPN list provided? Was a VPN list provided? Should continue and investigate a known VPN IP address? Should continue and inves... Set Is VPN IP Address to true - setAlert Set Is VPN IP Address to ... setAlert TIM - Indicator Relationships Analysis - TIM - Indicator Relationships Analysis TIM - Indicator Relations... TIM - Indicator Relationships... Enrichment Enrichment Is the attacker IP matches a VPN IP? Is the attacker IP matche... Cloud Credentials Rotation - Generic - Cloud Credentials Rotation - Generic Cloud Credentials Rotatio... Cloud Credentials Rotation - ... Should rotate the credentials automatically? Should rotate the credent...