Cortex XDR - Cloud IAM User Access Investigation

Investigate and respond to Cortex XDR Cloud alerts where a Cloud IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node

Cloud Incident Response · 16 tasks · 14 inputs · 0 outputs

Inputs

  • alert_id — The alert ID.
  • autoAccessKeyRemediation — Whether to execute the user remediation flow automatically.
  • autoBlockIndicators — Whether to block the indicators automatically.
  • autoUserRemediation — Whether to execute the user remediation flow automatically.
  • credentialsRemediationType — The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.
  • AWS-accessKeyRemediationType — Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for deleting the user's access key.
  • AWS-userRemediationType — Choose the remediation type for the user involved. AWS available types: Delete - for the user deletion. Revoke - for revoking the user's credentials.
  • AWS-newRoleName — The name of the new role to create if the analyst decides to clone the service account.
  • AWS-newInstanceProfileName — The name of the new instance profile to create if the analyst decides to clone the service account.
  • AWS-roleNameToRestrict — If provided, the role will be attached with a deny policy without the compute instance analysis flow.
  • shouldCloneSA — Whether to clone the compromised SA before putting a deny policy to it. True/False
  • Azure-userRemediationType — Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user.
  • GCP-accessKeyRemediationType — Choose the remediation type for the user's access key. GCP available types: Disable - For disabling the user's access key. Delete - For deleting the user's access key.
  • GCP-userRemediationType — Choose the remediation type for the user involved. GCP available types: Delete - For deleting the user. Disable - For disabling the user.

Commands used

ip setIncident xdr-get-cloud-original-alerts

Flowchart

yes No Yes Start Start Analysis Analysis IP Enrichment - ip IP Enrichment ip malicious? malicious? Decision making - true/false-positive alert Decision making - true/fa... Remediation Remediation Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic Done Done Cloud IAM Enrichment - Generic - Cloud IAM Enrichment - Generic Cloud IAM Enrichment - Ge... Cloud IAM Enrichment - Generic Investigate collected data Investigate collected data Verdict Verdict Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Remediation Complete Remediation Complete Fetch alert extra data - xdr-get-cloud-original-alerts Fetch alert extra data xdr-get-cloud-original-alerts Set incident type - setIncident Set incident type setIncident Cloud Credentials Rotation - Generic - Cloud Credentials Rotation - Generic Cloud Credentials Rotatio... Cloud Credentials Rotation - ...