Skip to main content

Cloud Incident Response

Download With Dependencies

This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.

Cloud Incident Response

As enterprise resources are moving to the cloud, attackers develop dedicated attacks to be able to access, manipulate, and exfiltrate cloud information and resources. Adequate response and remediation of such attacks requires cloud knowledge and extensive context.

This content pack helps you automate collection from cloud logs and then perform investigation and automated remediation of incidents based on cloud infrastructure activities in AWS, Azure, and GCP. It does not require an agent, resulting in a shorter time to resolution for cloud incidents.

To analyze cloud infrastructure alerts, a XSIAM license or a Cortex XDR Pro per TB license is required. Audit logs from the cloud provider should be ingested. The configuration varies between the different cloud providers:

Set up cloud audit logs for Azure
Set up cloud audit logs for AWS
Set up cloud audit logs for GCP

What does this pack do?

This pack includes a collection of investigation and response playbooks for cloud alerts, aiding analyst investigations. The playbooks can also be used as templates to enrich, hunt, and block indicators.

The playbooks included in this pack help save time and automate repetitive tasks:

  • Extract and enrich all relevant indicators from the alert.
  • Automate alert triage.
  • Investigate and hunt for additional activities by running advanced queries across major CSPs.
  • Interact with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
  • Hunt for related IOCs.
  • Remediate the alerts by blocking malicious indicators, terminating newly created resources, and more.

As part of this pack, you will also get an out-of-the-box layout to facilitate analyst investigation. All of these components are easily customizable to suit the needs of your organization.

For XSIAM, the playbooks are also included in the "Playbook Recommendation".

Cloud Token Theft Response




Cortex XSOARCortex XSIAM


CertificationRead more
Supported ByCortex
CreatedJuly 6, 2023
Last ReleaseJuly 13, 2023
Incident Response

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.