Cortex XDR - Cloud Data Exfiltration Response

## Data Exfiltration Response The Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: - Enrichment involved assets. - Determines the appropriate verdict based on the data collected from the enrichment phase. - Cloud Persistence Threat Hunting: - Conducts threat hunting activities to identify any cloud persistence techniques - Verdict Handling: - Handles false positives identified during the investigation - Handles true positives by initiating appropriate response actions

Cloud Incident Response · 22 tasks · 8 inputs · 0 outputs

Inputs

  • alertID — The XDR alert ID.
  • autoUserRemediation — Whether to execute the user remediation automatically. (Default: False)
  • autoBlockIndicators — Whether to execute the block remediation automatically. (Default: False)
  • credentialsRemediationType — The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.
  • shouldCloneSA — Whether to clone the compromised SA before putting a deny policy to it. Supports: AWS. True/False
  • AWS-newRoleName — The new role name to assign in the clone service account flow.
  • AWS-newInstanceProfileName — The new instance profile name to assign in the clone service account flow.
  • AWS-roleNameToRestrict — If provided, the role will be attached with a deny policy without the compute instance analysis flow.

Commands used

closeInvestigation ip xdr-get-alerts xdr-get-cloud-original-alerts

Flowchart

Malicious No Yes yes Start Start Entity Enrichment Entity Enrichment Enumeration Alert Search Enumeration Alert Search Search alerts for cloud enumeration activity - xdr-get-alerts Search alerts for cloud e... xdr-get-alerts Enrichment Enrichment Done Done Close Incident - closeInvestigation Close Incident closeInvestigation Found malicious evidence based on enrichment data Found malicious evidence ... Review the alert findings Review the alert findings Investigation Investigation Threat Hunting Threat Hunting No Malicious activity identified No Malicious activity ide... Check IP Reputation - ip Check IP Reputation ip Malicious Activity identified Malicious Activity identi... Get cloud extra data - xdr-get-cloud-original-alerts Get cloud extra data xdr-get-cloud-original-alerts Containment Plan Containment Plan Set Alert Verdict Set Alert Verdict Cloud Threat Hunting - Persistence - Cloud Threat Hunting - Persistence Cloud Threat Hunting - Pe... Cloud Threat Hunting - Persis... Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Cloud User Investigation - Generic - Cloud User Investigation - Generic Cloud User Investigation ... Cloud User Investigation - Ge... Found any persistence evidences or user abnormal activity? Found any persistence evi... Cloud Credentials Rotation - Generic - Cloud Credentials Rotation - Generic Cloud Credentials Rotatio... Cloud Credentials Rotation - ...