XCloud Cryptojacking - Set Verdict
This playbook sets the alert's verdict as malicious if one of the following conditions is true: 1. If the source IP address is malicious 2. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity) 3. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity" 4. If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well. 5. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region" If none of the conditions is true, the playbook will wait for an analyst's decision.
Cloud Incident Response · 10 tasks · 1 input · 1 output
Inputs
sourceIP— The source IP of the attack.
Outputs
alertVerdict— The alert verdict