XCloud Cryptojacking

Investigates a Cortex XDR incident containing Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: - Cloud enrichment: -Collects info about the involved resources -Collects info about the involved identities -Collects info about the involved IPs - Verdict decision tree - Verdict handling: -Handle False Positives -Handle True Positives -Cloud Response - Generic sub-playbook. - Notifies the SOC if a malicious verdict was found

Cloud Incident Response · 22 tasks · 44 inputs · 0 outputs

Inputs

  • SOCEmailAddress — The SOC email address to use for the alert status notification.
  • requireAnalystReview — Whether to require an analyst review after the alert remediation.
  • ShouldCloseAutomatically — Should we automatically close false positive alerts? Specify true/false.
  • ShouldHandleFPautomatically — Should we automatically handle false positive alerts? Specify true/false.
  • cloudProvider — The cloud service provider involved.
  • alert_id — The alert ID.
  • ResolveIP — Determines whether to convert the IP address to a hostname using a DNS query (True/ False).
  • InternalRange — A list of internal IP ranges to check IP addresses against. For IP Enrichment - Generic v2 playbook.
  • autoAccessKeyRemediation — Whether to execute the user remediation flow automatically.
  • autoBlockIndicators — Whether to block the indicators automatically.
  • autoResourceRemediation — Whether to execute the resource remediation flow automatically.
  • autoUserRemediation — Whether to execute the user remediation flow automatically.
  • credentialsRemediationType — The response playbook provides the following remediation actions using AWS, MSGraph Users, GCP and GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Supports: AWS, MSGraph Users, GCP and GSuite Admin. Revoke: By entering "Revoke" in the input, the GCP will revoke the access key, GSuite Admin will revoke the access token and the MSGraph Users will revoke the session. Supports: GCP, GSuite Admin and MSGraph Users. Deactivate - By entering "Deactivate" in the input, the playbook will execute access key deactivation. Supports: AWS. ALL: By entering "ALL" in the input, the playbook will execute the all remediation actions provided for each CSP.
  • AWS-accessKeyRemediationType — Choose the remediation type for the user's access key. AWS available types: Disable - for disabling the user's access key. Delete - for the user's access key deletion.
  • AWS-resourceRemediationType — Choose the remediation type for the instances created. AWS available types: Stop - for stopping the instances. Terminate - for terminating the instances.
  • AWS-userRemediationType — Choose the remediation type for the user involved. AWS available types: Delete - for the user deletion. Revoke - for revoking the user's credentials.
  • shouldCloneSA — Whether to clone the compromised SA before putting a deny policy to it. True/False
  • AWS-newRoleName — The name of the new role to create if the analyst decides to clone the service account.
  • AWS-newInstanceProfileName — The name of the new instance profile to create if the analyst decides to clone the service account.
  • AWS-roleNameToRestrict — If provided, the role will be attached with a deny policy without the compute instance analysis flow.
  • Azure-resourceRemediationType — Choose the remediation type for the instances created. Azure available types: Poweroff - for shutting down the instances. Delete - for deleting the instances.
  • Azure-userRemediationType — Choose the remediation type for the user involved. Azure available types: Disable - for disabling the user. Delete - for deleting the user.
  • GCP-accessKeyRemediationType — Choose the remediation type for the user's access key. GCP available types: Disable - For disabling the user's access key. Delete - For the deleting user's access key.
  • GCP-resourceRemediationType — Choose the remediation type for the instances created. GCP available types: Stop - For stopping the instances. Delete - For deleting the instances.
  • GCP-userRemediationType — Choose the remediation type for the user involved. GCP available types: Delete - For deleting the user. Disable - For disabling the user.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • description — The ticket description.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • CommentToAdd — Comment for the ticket.

Commands used

closeInvestigation core-get-cloud-original-alerts send-mail setParentIncidentFields

Flowchart

APPROVED UNAPPROVED yes Yes Malicious User Verification yes yes Start Start Set verdict Set verdict Set Incident Severity to High - setParentIncidentFields Set Incident Severity to ... setParentIncidentFields Set the alert severity to Low - IncreaseIncidentSeverity Set the alert severity to... IncreaseIncidentSeverity Manual verdict verification Manual verdict verification Set SOC message for malicious activity - send-mail Set SOC message for malic... send-mail Cloud Response - Generic - Cloud Response - Generic Cloud Response - Generic Cloud Response - Generic XCloud Alert Enrichment - XCloud Alert Enrichment XCloud Alert Enrichment XCloud Alert Enrichment Enrichment & Investigation Enrichment & Investigation Fetch alert extra data - core-get-cloud-original-alerts Fetch alert extra data core-get-cloud-original-alerts Should wait for the analyst's review? Should wait for the analy... Analyst review - Should close as True Positive? Analyst review - Should c... Done Done Load alert JSON - LoadJSON Load alert JSON LoadJSON XCloud Cryptojacking - Set Verdict - XCloud Cryptojacking - Set Verdict XCloud Cryptojacking - Se... XCloud Cryptojacking - Set Ve... Check alert verdict Check alert verdict Close incident as True Positive - closeInvestigation Close incident as True Po... closeInvestigation Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic Should rotate the credentials automatically? Should rotate the credent... Cloud Credentials Rotation - Generic - Cloud Credentials Rotation - Generic Cloud Credentials Rotatio... Cloud Credentials Rotation - ...