Cortex XDR - Cloud Data Exfiltration Response
## Data Exfiltration Response The Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: - Enrichment involved assets. - Determines the appropriate verdict based on the data collected from the enrichment phase. - Cloud Persistence Threat Hunting: - Conducts threat hunting activities to identify any cloud persistence techniques - Verdict Handling: - Handles false positives identified during the investigation - Handles true positives by initiating appropriate response actions
Cloud Incident Response · 22 tasks · 8 inputs · 0 outputs
Inputs
alertID— The XDR alert ID.autoUserRemediation— Whether to execute the user remediation automatically. (Default: False)autoBlockIndicators— Whether to execute the block remediation automatically. (Default: False)credentialsRemediationType— The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.shouldCloneSA— Whether to clone the compromised SA before putting a deny policy to it. Supports: AWS. True/FalseAWS-newRoleName— The new role name to assign in the clone service account flow.AWS-newInstanceProfileName— The new instance profile name to assign in the clone service account flow.AWS-roleNameToRestrict— If provided, the role will be attached with a deny policy without the compute instance analysis flow.
Commands used
closeInvestigation
ip
xdr-get-alerts
xdr-get-cloud-original-alerts