Details
Content
Dependencies
Version History

This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.

Cloud Incident Response

As enterprise resources are moving to the cloud, attackers develop dedicated attacks to be able to access, manipulate, and exfiltrate cloud information and resources. Adequate response and remediation of such attacks requires cloud knowledge and extensive context.

This content pack helps you automate collection from cloud logs and then perform investigation and automated remediation of incidents based on cloud infrastructure activities in AWS, Azure, and GCP. It does not require an agent, resulting in a shorter time to resolution for cloud incidents.

To analyze cloud infrastructure alerts, a XSIAM license or a Cortex XDR Pro per TB license is required. Audit logs from the cloud provider should be ingested. The configuration varies between the different cloud providers:

Set up cloud audit logs for Azure
Set up cloud audit logs for AWS
Set up cloud audit logs for GCP

What does this pack do?

This pack includes a collection of investigation and response playbooks for cloud alerts, aiding analyst investigations. The playbooks can also be used as templates to enrich, hunt, and block indicators.

The playbooks included in this pack help save time and automate repetitive tasks:

Extract and enrich all relevant indicators from the alert.
Automate alert triage.
Investigate and hunt for additional activities by running advanced queries across major CSPs.
Interact with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
Hunt for related IOCs.
Remediate the alerts by blocking malicious indicators, terminating newly created resources, and more.

As part of this pack, you will also get an out-of-the-box layout to facilitate analyst investigation. All of these components are easily customizable to suit the needs of your organization.

Playbooks

The pack consists of three comprehensive playbooks tailored for handling common cloud security incidents

1. Cloud Token Theft

The Cloud Token Theft playbook is designed to guide security analysts through the response process in cases of compromised cloud access tokens. These tokens are crucial for accessing cloud resources and are often targeted by attackers to gain unauthorized access.

Cortex XDR - Cloud Token Theft Response

2. Cryptojacking Response

The Cryptojacking Response playbook assists security teams in detecting and mitigating cryptojacking incidents, where attackers illicitly use an organization's cloud resources to mine cryptocurrencies.

Cortex XDR - Cloud Cryptojacking

3. IAM User Investigation

The IAM User Investigation playbook provides step-by-step instructions for investigating suspicious activities related to IAM (Identity and Access Management) users in the cloud environment. It aids in identifying potential account compromises and unauthorized access.

Cortex XDR - Cloud IAM User Access Investigation

Investigative Playbooks

How to Use the Playbooks

Each playbook is provided in a user-friendly format, detailing the necessary actions, procedures, and tools required for effective incident response. To use the playbooks, follow the respective links provided above.

Cloud Incident Response

Set up cloud audit logs for Azure
Set up cloud audit logs for AWS
Set up cloud audit logs for GCP

What does this pack do?

The playbooks included in this pack help save time and automate repetitive tasks:

Extract and enrich all relevant indicators from the alert.
Automate alert triage.
Investigate and hunt for additional activities by running advanced queries across major CSPs.
Interact with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
Hunt for related IOCs.
Remediate the alerts by blocking malicious indicators, terminating newly created resources, and more.

As part of this pack, you will also get an out-of-the-box layout to facilitate analyst investigation. All of these components are easily customizable to suit the needs of your organization.

The playbooks are also included in the "Playbook Recommendation".

Playbooks

The pack consists of three comprehensive playbooks tailored for handling common cloud security incidents

Investigative Playbooks

How to Use the Playbooks

Automations

Name	Description
displayCloudIndicators	Display the Cloud indicators found in a dynamic-section
XCloudRelatedAlertsWidget	This script retrieves additional original alert information from the context.
ExtractIndicators-CloudLogging	This script will extract indicators from a given AWS CloudTrail or GCP Logging event.
XCloudProviderWidget	This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.

Incident Fields

Name	Description
Is VPN IP Address

Layouts

Name	Description
Cortex XDR - XCLOUD Cryptojacking

Playbooks

Name	Description
Cloud Threat Hunting - Persistence	Cloud Threat Hunting - Persistence Playbook The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time. Hunting Queries The playbook executes hunting queries for each provider related to each of the following: IAM Compute Resources Compute Functions Indicator Extraction If relevant events are found during the search, indicators will be extracted using the `ExtractIndicators-CloudLogging` script.
Cortex XDR - Cloud IAM User Access Investigation	Investigate and respond to Cortex XDR Cloud alerts where a Cloud IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node
Cortex XDR - XCloud Token Theft - Set Verdict	Cloud Token Theft - Set Verdict Playbook The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. Event Search The playbook searches for events based on the attacker's IP address within the last two hours. Tests Performed The following tests are performed on the observed activity: Malicious IP Check: Determines if the IP address is malicious. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). IP and ASN History Check: Verifies if the IP address and ASN have been previously observed. Region Check: Determines if the API call was made from outside the recognized region. Anomalous State Check: Checks if the API call was made from an anomalous state. Alert Check: Looks for any related alerts around the event, including: Possible cloud instance metadata service (IMDS) abuse. Impossible Traveler by cloud identity.
Cortex XDR - Cloud Data Exfiltration Response	Data Exfiltration Response The Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: Enrichment involved assets. Determines the appropriate verdict based on the data collected from the enrichment phase. Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques Verdict Handling: Handles false positives identified during the investigation Handles true positives by initiating appropriate response actions
Cortex XDR - Cloud Enrichment	This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout. The playbook collects or enriches the following data: Resource enrichment Previous activity seen in the specified region or project Account enrichment Network enrichment Attacker IP Geolocation ASN
Cortex XDR - XCloud Cryptojacking	Investigates a Cortex XDR incident containing a Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: Cloud enrichment: Collects info about the involved resources Collects info about the involved identities Collects info about the involved IPs Verdict decision tree Verdict handling: Handle False Positives Handle True Positives Cloud Response - Generic sub-playbook. Notifies the SOC if a malicious verdict was found
Cortex XDR - XCloud Cryptojacking - Set Verdict	This playbook sets the alert's verdict as malicious if one of the following conditions is true: If the source IP address is malicious If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity) If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity" If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region" If none of the conditions is true, the playbook will wait for an analyst's decision.
Cortex XDR - XCloud Token Theft Response	Cloud Token Theft Response Playbook The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: Cloud Enrichment: Enriches the involved resources. Enriches the involved identities. Enriches the involved IPs. Verdict Decision Tree: Determines the appropriate verdict based on the investigation findings. Early Containment using the Cloud Response - Generic Playbook: Implements early containment measures to prevent further impact. Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques. Enriching and Responding to Hunting Findings: Performs additional enrichment and responds to the findings from threat hunting. Verdict Handling: Handles false positives identified during the investigation. Handles true positives by initiating appropriate response actions.

Automations

Name	Description
XCloudRelatedAlertsWidget	This script retrieves additional original alert information from the context.
displayCloudIndicators	Display the Cloud indicators found in a dynamic-section
EntryWidgetResourceTypeXCLOUD	Entry widget that returns the resource type involved in the alert.
ExtractIndicators-CloudLogging	This script will extract indicators from a given AWS CloudTrail or GCP Logging event.
XCloudAdditionalAlertInformationWidget	This script retrieves additional original alert information from the context.
EntryWidgetRegionNameXCLOUD	Entry widget that returns the region involved in the alert.
XCloudProviderWidget	This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.
XCloudIdentitiesWidget	This script retrieves the identity fields from the incident context.

Incident Fields

Name	Description
Is VPN IP Address

Layoutrule

Name	Description
Cloud Alerts Layout Rule	Default display for Cloud Alerts generated by XDR Analytics.

Layouts

Name	Description
Cloud Alerts
CLOUD Token Theft

Playbooks

Name	Description
Cloud Threat Hunting - Persistence	Cloud Threat Hunting - Persistence Playbook The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time. Hunting Queries The playbook executes hunting queries for each provider related to each of the following: IAM Compute Resources Compute Functions Indicator Extraction If relevant events are found during the search, indicators will be extracted using the `ExtractIndicators-CloudLogging` script.
XCloud Cryptojacking - Set Verdict	This playbook sets the alert's verdict as malicious if one of the following conditions is true: If the source IP address is malicious If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity) If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity" If the alert includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well. If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region" If none of the conditions is true, the playbook will wait for an analyst's decision.
Cloud Token Theft - Set Verdict	Cloud Token Theft - Set Verdict Playbook The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. Event Search The playbook searches for events based on the attacker's IP address within the last two hours. Tests Performed The following tests are performed on the observed activity: Malicious IP Check: Determines if the IP address is malicious. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). IP and ASN History Check: Verifies if the IP address and ASN have been previously observed. Region Check: Determines if the API call was made from outside the recognized region. Anomalous State Check: Checks if the API call was made from an anomalous state. Alert Check: Looks for any related alerts around the event, including: Possible cloud instance metadata service (IMDS) abuse. Impossible Traveler by cloud identity.
Cloud Data Exfiltration Response	Cloud Data Exfiltration Response The Cloud Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: Enrichment involved assets. Determines the appropriate verdict based on the data collected from the enrichment. Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques Verdict Handling: Handles false positives identified during the investigation Handles true positives by initiating appropriate response actions
Cloud Token Theft Response	Cloud Token Theft Response Playbook The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: Cloud Enrichment: Enriches the involved resources Enriches the involved identities Enriches the involved IPs Verdict Decision Tree: Determines the appropriate verdict based on the investigation findings Early Containment using the Cloud Response - Generic Playbook: Implements early containment measures to prevent further impact Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques Enriching and Responding to Hunting Findings: Performs additional enrichment and responds to the findings from threat hunting Verdict Handling: Handles false positives identified during the investigation Handles true positives by initiating appropriate response actions
XCloud Alert Enrichment	This playbook is responsible for data collection and enrichment. The playbook collects or enriches the following data: Account enrichment Network enrichment -Attacker IP -Geolocation -ASN
XCloud Cryptojacking	Investigates a Cortex XDR alert containing Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: Cloud enrichment: -Collects info about the involved resources -Collects info about the involved identities -Collects info about the involved IPs Verdict decision tree Verdict handling: -Handle False Positives -Handle True Positives -Cloud Response - Generic sub-playbook. Notifies the SOC if a malicious verdict was found
Cloud IAM User Access Investigation	Investigate and respond to Cortex XSIAM alerts where a Cloud IAM user access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node

Trigger

Name	Description
Cloud Token Theft	This trigger is responsible for handling Cloud Token Theft alerts
Cloud Data Exfiltration	This trigger is responsible for handling cloud data exfiltration alerts
Cloud IAM User Access Investigation	This trigger is responsible for handling Cloud IAM user access investigation alerts
XCloud Cryptojacking	This trigger is responsible for handling Cryptojacking alerts

Required Content Packs (7)

Pack Name	Pack By
AWS - CloudTrail	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Google Cloud Logging	By: Cortex XSOAR
Identity	By: Cortex XSOAR

All level dependencies (12)

Pack Name	Pack By
MITRE ATT&CK	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR
AWS - CloudTrail	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

1.0.16 - 897231 (March 18, 2024)

Playbooks

Cortex XDR - XCloud Token Theft Response

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Cortex XDR - XCloud Cryptojacking

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Cortex XDR - Cloud Enrichment

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

1.0.15 - 836299 (February 18, 2024)

Scripts

XCloudProviderWidget

Updated the Docker image to: demisto/python3:3.10.13.86272.

displayCloudIndicators

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32446

Download

1.0.14 - 827009 (February 14, 2024)

Scripts

ExtractIndicators-CloudLogging

Updated the Docker image to: demisto/bs4-tld:1.0.0.87460.

Related pull requests:
- 32918

Download

1.0.13 - 798475 (February 1, 2024)

Playbooks

Cortex XDR - Cloud Data Exfiltration Response

Improved remediation capabilities using the Cloud Credentials Rotation playbook.

Cortex XDR - XCloud Token Theft Response

Improved remediation capabilities using the Cloud Credentials Rotation playbook.

Cortex XDR - XCloud Token Theft - Set Verdict

Improved remediation capabilities using the Cloud Credentials Rotation playbook.

Cortex XDR - XCloud Cryptojacking - Set Verdict

Improved remediation capabilities using the Cloud Credentials Rotation playbook.

Cortex XDR - XCloud Cryptojacking

Improved remediation capabilities using the Cloud Credentials Rotation playbook.

Cortex XDR - Cloud IAM User Access Investigation

Improved remediation capabilities using the Cloud Credentials Rotation playbook.

Cortex XDR - Cloud Enrichment

Improved remediation capabilities using the Cloud Credentials Rotation playbook.

Related pull requests:
- 32000

Download

1.0.12 - 753737 (January 10, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 31893

Download

1.0.11 - 749444 (January 8, 2024)

Playbooks

Cortex XDR - XCloud Cryptojacking

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSOAR 8.5.0).

Cortex XDR - Cloud IAM User Access Investigation

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSOAR 8.5.0).

Related pull requests:
- 31890

Download

1.0.10 - 7254058 (December 24, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 31118
- 31513

Download

1.0.9 - 7216131 (December 20, 2023)

Scripts

XCloudRelatedAlertsWidget

Added a check to validate if the Context key "foundIncidents" exists.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31191

Download

1.0.8 - R6899385 (November 15, 2023)

Playbooks

Cortex XDR - Cloud IAM User Access Investigation

Moved from the Cortex XDR pack

Triggers Recommendations

New: Cloud IAM User Access Investigation

Related pull requests:
- 28650

Download

1.0.7 - 6864790 (November 12, 2023)

Scripts

ExtractIndicators-CloudLogging

Updated the Docker image to: demisto/bs4-tld:1.0.0.80208.

Related pull requests:
- 30842

Download

1.0.6 - 6735458 (October 29, 2023)

Playbooks

Cloud Threat Hunting - Persistence

Fixed a typo in the GCP query tasks.

New: Cortex XDR - Cloud Data Exfiltration Response

New: ## Data Exfiltration Response
The Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert.
The playbook supports AWS, GCP, and Azure and executes the following:
Enrichment involved assets.
Determines the appropriate verdict based on the data collected from the enrichment phase.
Cloud Persistence Threat Hunting:
- Conducts threat hunting activities to identify any cloud persistence techniques
Verdict Handling:
- Handles false positives identified during the investigation
- Handles true positives by initiating appropriate response actions (Available for XSOAR).

Triggers Recommendations

New: Cloud Data Exfiltration

Related pull requests:
- 30384

Download

1.0.5 - 6721193 (October 27, 2023)

Scripts

ExtractIndicators-CloudLogging

Updated the Docker image to: demisto/bs4-tld:1.0.0.79303.

Related pull requests:
- 30457

Download

1.0.4 - 5760561 (July 13, 2023)

Layouts

New: Cortex XDR - XCLOUD Cryptojacking
Moved the layout from the Cortex XDR pack to the Cloud Incident Response pack.

Playbooks

New: Cortex XDR - Cloud Enrichment

Moved the playbook from the Cortex XDR pack to the Cloud Incident Response pack.

New: Cortex XDR - XCloud Cryptojacking

Moved the playbook from the Cortex XDR pack to the Cloud Incident Response pack.

New: Cortex XDR - XCloud Cryptojacking - Set Verdict

Moved the playbook from the Cortex XDR pack to the Cloud Incident Response pack.

Triggers Recommendations

New: XCloud Cryptojacking

Related pull requests:
- 28058

Download

1.0.3 - 5698017 (July 6, 2023)

This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.

Related pull requests:
- 27808

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 6, 2023
Last Release	March 18, 2024

Incident Response

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Cloud Incident Response

Cloud Incident Response

What does this pack do?