Cloud User Investigation - Generic
This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
Common Playbooks · 12 tasks · 8 inputs · 36 outputs
Inputs
Username— The username to investigate.cloudProvider— The cloud service provider involved.AzureSearchTime— The Search Time for the Azure Log Analytics search query. Default value: ago(1d)failedLogonThreshold— The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events.MfaAttemptThreshold— The threshold number of MFA failed logon by the user. Required to determine how many MFA failed logon events count as suspicious events.AwsTimeSearchFrom— The Search Time for the `GetTime` task used by the Aws Cloud Trail search query. This value represents the number of days to include in the search. Default value: 1. (1 Day)GcpTimeSearchFrom— The Search Time for the `GetTime` task used by the GCP Logging search query. This value represents the number of days to include in the search. Default value: 1. (1 Day)GcpProjectName— The GCP project name. This is a mandatory field for GCP queries.
Outputs
AwsMFAConfigCount— The number of MFA configurations performed by the user in the AWS environment.AwsUserRoleChangesCount— The number of user roles that were changed by the user in the AWS environment.AwsSuspiciousActivitiesCount— The number of suspicious activities performed by the user in the AWS environment.AwsScriptBasedUserAgentCount— The number of script-based user agent usages by the user in the AWS environment.AwsAccessKeyActivitiesCount— The number of access key activities performed by the user in the AWS environment.AwsSecurityChangesCount— The number of security rules that were changed by the user in the AWS environment.AwsAdminActivitiesCount— The number of administrative activities performed by the user in the AWS environment.AwsApiAccessDeniedCount— The number of API accesses denied by the user in the AWS environment.AwsFailedLogonCount— The number of failed logins by the user in the AWS environment.GcpAnomalousNetworkTraffic— Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. Possible values: True/False.GcpSuspiciousApiUsage— Determines whether there are events of suspicious API usage by the user in the GCP environment. Possible values: True/False.GcpFailLogonCount— The number of failed logins by the user in the GCP environment.GsuiteFailLogonCount— The number of failed logins by the user in the G Suite environment.GsuiteUnusualLoginAllowedCount— The number of unusual logins performed by the user and allowed in the G Suite environment.GsuiteUnusualLoginBlockedCount— The number of unusual logins performed by the user and blocked in the G Suite environment.GsuiteSuspiciousLoginCount— The number of suspicious logins performed by the user in the G Suite environment.GsuiteUserPasswordLeaked— Determines whether user's password was leaked in the G Suite environment. Possible values: True/False.AzureScriptBasedUserAgentEvents— Script-based user agent events used by the user in the Azure environment.AzureAdminActivitiesEvents— Administrative activities performed by the user in the Azure environment.AzureSecurityRulesChangeEvents— Security rules that were changed by the user in the Azure environment.AzureUnsuccessSecurityRulesChangeEvents— Unsuccessful attempts to change security rules by the user in the Azure environment.AzureFailLoginCount— The number of failed logins by the user in the Azure environment.AzureFailLoginMFACount— The number of failed logins by the user using MFA in the Azure environment.AzureAnomaliesEvents— Anomaly events on the user in the Azure environment.AzureRiskyUserCount— The number of events where the user was defined as a risky user in the Azure environment.AzureUncommonCountryLogonEvents— Uncommon country logon events by the user in the Azure environment.AzureUncommonVolumeEvents— Uncommon volume events by the user in the Azure environment.AzureUncommonActivitiesEvents— Uncommon activity events by the user in the Azure environment.CountAzureEvents.AzureScriptBasedUserAgentCount— The number of script-based user agent usages by the user in the Azure environment.CountAzureEvents.AzureAdminActivitiesCount— The number of administrative activities performed by the user in the Azure environment.CountAzureEvents.AzureSecurityRulesChangeCount— The number of security rules that were changed by the user in the Azure environment.CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount— The number of unsuccessful attempts to change security rules by the user in the Azure environment.CountAzureEvents.AzureAnomaliesCount— The number of anomaly events on the user in the Azure environment.CountAzureEvents.AzureUncommonCountryLogonCount— The number of uncommon country logon events by the user in the Azure environment.CountAzureEvents.AzureUncommonVolumeCount— The number of uncommon volume events by the user in the Azure environment.CountAzureEvents.AzureUncommonActivitiesCount— The number of uncommon activity events by the user in the Azure environment.