This script will extract indicators from a given AWS CloudTrail or GCP Logging event.

Entry widget that returns the region involved in the alert.

This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.

This script retrieves additional original alert information from the context.

Display the Cloud indicators found in a dynamic-section

Entry widget that returns the resource type involved in the alert.

This script retrieves the identity fields from the incident context.

Cloud Threat Hunting - Persistence Playbook

The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time.

Hunting Queries

The playbook executes hunting queries for each provider related to each of the following:

1. IAM
2. Compute Resources
3. Compute Functions

Indicator Extraction

If relevant events are found during the search, indicators will be extracted using the ExtractIndicators-CloudLogging script.

Investigates a Cortex XDR incident containing a Cloud Cryptojacking related alert.
The playbook supports AWS, Azure, and GCP and executes the following:

• Cloud enrichment:
  • Collects info about the involved resources
  • Collects info about the involved identities
  • Collects info about the involved IPs
• Verdict decision tree
• Verdict handling:
  • Handle False Positives
  • Handle True Positives
    • Cloud Response - Generic sub-playbook.
• Notifies the SOC if a malicious verdict was found

Cloud Token Theft - Set Verdict Playbook

The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious.

Event Search

The playbook searches for events based on the attacker's IP address within the last two hours.

Tests Performed

The following tests are performed on the observed activity:

1. Malicious IP Check: Determines if the IP address is malicious.
2. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs).
3. IP and ASN History Check: Verifies if the IP address and ASN have been previously observed.
4. Region Check: Determines if the API call was made from outside the recognized region.
5. Anomalous State Check: Checks if the API call was made from an anomalous state.
6. Alert Check: Looks for any related alerts around the event, including:
   • Possible cloud instance metadata service (IMDS) abuse.
   • Impossible Traveler by cloud identity.

Cloud Token Theft Response Playbook

The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following:

Cloud Enrichment:

• Enriches the involved resources.
• Enriches the involved identities.
• Enriches the involved IPs.

Verdict Decision Tree:

• Determines the appropriate verdict based on the investigation findings.

Early Containment using the Cloud Response - Generic Playbook:

• Implements early containment measures to prevent further impact.

Cloud Persistence Threat Hunting:

• Conducts threat hunting activities to identify any cloud persistence techniques.

Enriching and Responding to Hunting Findings:

• Performs additional enrichment and responds to the findings from threat hunting.

Verdict Handling:

• Handles false positives identified during the investigation.
• Handles true positives by initiating appropriate response actions.

This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout.

The playbook collects or enriches the following data:

• Resource enrichment
  • Previous activity seen in the specified region or project
• Account enrichment
• Network enrichment
  • Attacker IP
  • Geolocation
  • ASN

This playbook sets the alert's verdict as malicious if one of the following conditions is true:

1. If the source IP address is malicious
2. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity)
3. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity"
4. If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well.
5. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region"

If none of the conditions is true, the playbook will wait for an analyst's decision.

This script will extract indicators from a given AWS CloudTrail or GCP Logging event.

Entry widget that returns the region involved in the alert.

This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.

This script retrieves additional original alert information from the context.

Display the Cloud indicators found in a dynamic-section

Entry widget that returns the resource type involved in the alert.

This script retrieves the identity fields from the incident context.

Cloud Token Theft Response Playbook

The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following:

Cloud Enrichment:

• Enriches the involved resources
• Enriches the involved identities
• Enriches the involved IPs

Verdict Decision Tree:

• Determines the appropriate verdict based on the investigation findings

Early Containment using the Cloud Response - Generic Playbook:

• Implements early containment measures to prevent further impact

Cloud Persistence Threat Hunting:

• Conducts threat hunting activities to identify any cloud persistence techniques

Enriching and Responding to Hunting Findings:

• Performs additional enrichment and responds to the findings from threat hunting

Verdict Handling:

• Handles false positives identified during the investigation
• Handles true positives by initiating appropriate response actions

Investigates a Cortex XDR alert containing Cloud Cryptojacking related alert.
The playbook supports AWS, Azure, and GCP and executes the following:

• Cloud enrichment:

  -Collects info about the involved resources

  -Collects info about the involved identities

  -Collects info about the involved IPs

• Verdict decision tree

• Verdict handling:

  -Handle False Positives

  -Handle True Positives

  -Cloud Response - Generic sub-playbook.

• Notifies the SOC if a malicious verdict was found

Cloud Threat Hunting - Persistence Playbook

The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time.

Hunting Queries

The playbook executes hunting queries for each provider related to each of the following:

1. IAM
2. Compute Resources
3. Compute Functions

Indicator Extraction

If relevant events are found during the search, indicators will be extracted using the ExtractIndicators-CloudLogging script.

This playbook sets the alert's verdict as malicious if one of the following conditions is true:

1. If the source IP address is malicious
2. If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity)
3. If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity"
4. If the alert includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well.
5. If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region"

If none of the conditions is true, the playbook will wait for an analyst's decision.

Cloud Token Theft - Set Verdict Playbook

The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious.

Event Search

The playbook searches for events based on the attacker's IP address within the last two hours.

Tests Performed

The following tests are performed on the observed activity:

1. Malicious IP Check: Determines if the IP address is malicious.
2. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs).
3. IP and ASN History Check: Verifies if the IP address and ASN have been previously observed.
4. Region Check: Determines if the API call was made from outside the recognized region.
5. Anomalous State Check: Checks if the API call was made from an anomalous state.
6. Alert Check: Looks for any related alerts around the event, including:
   • Possible cloud instance metadata service (IMDS) abuse.
   • Impossible Traveler by cloud identity.

This playbook is responsible for data collection and enrichment.

The playbook collects or enriches the following data:

• Account enrichment

• Network enrichment

  -Attacker IP

  -Geolocation

  -ASN