Cortex XDR - Cloud IAM User Access Investigation
Investigate and respond to Cortex XDR Cloud alerts where a Cloud IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node
Cloud Incident Response · 16 tasks · 14 inputs · 0 outputs
Inputs
alert_id— The alert ID.autoAccessKeyRemediation— Whether to execute the user remediation flow automatically.autoBlockIndicators— Whether to block the indicators automatically.autoUserRemediation— Whether to execute the user remediation flow automatically.credentialsRemediationType— The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.AWS-accessKeyRemediationType— Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for deleting the user's access key.AWS-userRemediationType— Choose the remediation type for the user involved. AWS available types: Delete - for the user deletion. Revoke - for revoking the user's credentials.AWS-newRoleName— The name of the new role to create if the analyst decides to clone the service account.AWS-newInstanceProfileName— The name of the new instance profile to create if the analyst decides to clone the service account.AWS-roleNameToRestrict— If provided, the role will be attached with a deny policy without the compute instance analysis flow.shouldCloneSA— Whether to clone the compromised SA before putting a deny policy to it. True/FalseAzure-userRemediationType— Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user.GCP-accessKeyRemediationType— Choose the remediation type for the user's access key. GCP available types: Disable - For disabling the user's access key. Delete - For deleting the user's access key.GCP-userRemediationType— Choose the remediation type for the user involved. GCP available types: Delete - For deleting the user. Disable - For disabling the user.
Commands used
ip
setIncident
xdr-get-cloud-original-alerts