Cortex XDR - XCloud Cryptojacking

Investigates a Cortex XDR incident containing a Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: - Cloud enrichment: - Collects info about the involved resources - Collects info about the involved identities - Collects info about the involved IPs - Verdict decision tree - Verdict handling: - Handle False Positives - Handle True Positives - Cloud Response - Generic sub-playbook. - Notifies the SOC if a malicious verdict was found

Cloud Incident Response · 23 tasks · 24 inputs · 0 outputs

Inputs

  • SOCEmailAddress — The SOC email address to use for the alert status notification.
  • requireAnalystReview — Whether to require an analyst review after the alert remediation.
  • incident_id — The incident ID.
  • alert_id — The alert ID.
  • cloudProvider — The cloud service provider involved.
  • ResolveIP — Determines whether to convert the IP address to a hostname using a DNS query (True/ False).
  • InternalRange — A list of internal IP ranges to check IP addresses against. For IP Enrichment - Generic v2 playbook.
  • autoBlockIndicators — Whether to block the indicators automatically.
  • autoAccessKeyRemediation — Whether to execute the user remediation flow automatically.
  • autoResourceRemediation — Whether to execute the resource remediation flow automatically.
  • autoUserRemediation — Whether to execute the user remediation flow automatically.
  • credentialsRemediationType — The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.
  • AWS-accessKeyRemediationType — Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for the user's access key deletion.
  • AWS-resourceRemediationType — Choose the remediation type for the instances created. AWS available types: Stop - for stopping the instances. Terminate - for terminating the instances.
  • AWS-userRemediationType — Choose the remediation type for the user involved. AWS available types: Delete - for the user deletion. Revoke - for revoking the user's credentials.
  • AWS-newRoleName — The name of the new role to create if the analyst decides to clone the service account.
  • AWS-newInstanceProfileName — The name of the new instance profile to create if the analyst decides to clone the service account.
  • AWS-roleNameToRestrict — If provided, the role will be attached with a deny policy without the compute instance analysis flow.
  • shouldCloneSA — Whether to clone the compromised SA before putting a deny policy to it. True/False
  • Azure-resourceRemediationType — Choose the remediation type for the instances created. Azure available types: Poweroff - for shutting down the instances. Delete - for deleting the instances.
  • Azure-userRemediationType — Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user.
  • GCP-accessKeyRemediationType — Choose the remediation type for the user's access key. GCP available types: Disable - For disabling the user's access key. Delete - For the deleting user's access key.
  • GCP-resourceRemediationType — Choose the remediation type for the instances created. GCP available types: Stop - For stopping the instances. Delete - For deleting the instances.
  • GCP-userRemediationType — Choose the remediation type for the user involved. GCP available types: Delete - For deleting the user. Disable - For disabling the user.

Commands used

closeInvestigation send-mail setIncident xdr-get-cloud-original-alerts xdr-get-incident-extra-data xdr-update-incident

Flowchart

APPROVED UNAPPROVED yes Yes Malicious User Verification Yes Start Start Set verdict Set verdict Set the incident severity - IncreaseIncidentSeverity Set the incident severity IncreaseIncidentSeverity Set the incident severity - IncreaseIncidentSeverity Set the incident severity IncreaseIncidentSeverity Manual verdict verification Manual verdict verification Set SOC message for malicious activity - send-mail Set SOC message for malic... send-mail Cortex XDR - Cloud Enrichment - Cortex XDR - Cloud Enrichment Cortex XDR - Cloud Enrich... Cortex XDR - Cloud Enrichment Enrichment & Investigation Enrichment & Investigation Fetch alert extra data - xdr-get-cloud-original-alerts Fetch alert extra data xdr-get-cloud-original-alerts Should wait for the analyst's review? Should wait for the analy... Analyst review - Should close as True Positive? Analyst review - Should c... Done Done Cortex XDR - XCloud Cryptojacking - Set Verdict - Cortex XDR - XCloud Cryptojacking - Set Verdict Cortex XDR - XCloud Crypt... Cortex XDR - XCloud Cryptojac... Check alert verdict Check alert verdict Fetch all of the incident alerts - xdr-get-incident-extra-data Fetch all of the incident... xdr-get-incident-extra-data Closer XDR incident as False Positive - xdr-update-incident Closer XDR incident as Fa... xdr-update-incident Should close as False Positive? Should close as False Pos... Set incident type - setIncident Set incident type setIncident Closer XDR incident as True Positive - xdr-update-incident Closer XDR incident as Tr... xdr-update-incident Close XSOAR incident as False Positive - closeInvestigation Close XSOAR incident as F... closeInvestigation Close XSOAR incident as False Positive - closeInvestigation Close XSOAR incident as F... closeInvestigation Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Cloud Credentials Rotation - Generic - Cloud Credentials Rotation - Generic Cloud Credentials Rotatio... Cloud Credentials Rotation - ...