Details
Content
Dependencies
Version History

This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.

Cloud Incident Response

As enterprise resources are moving to the cloud, attackers develop dedicated attacks to be able to access, manipulate, and exfiltrate cloud information and resources. Adequate response and remediation of such attacks requires cloud knowledge and extensive context.

This content pack helps you automate collection from cloud logs and then perform investigation and automated remediation of incidents based on cloud infrastructure activities in AWS, Azure, and GCP. It does not require an agent, resulting in a shorter time to resolution for cloud incidents.

To analyze cloud infrastructure alerts, a XSIAM license or a Cortex XDR Pro per TB license is required. Audit logs from the cloud provider should be ingested. The configuration varies between the different cloud providers:

Set up cloud audit logs for Azure
Set up cloud audit logs for AWS
Set up cloud audit logs for GCP

What does this pack do?

This pack includes a collection of investigation and response playbooks for cloud alerts, aiding analyst investigations. The playbooks can also be used as templates to enrich, hunt, and block indicators.

The playbooks included in this pack help save time and automate repetitive tasks:

Extract and enrich all relevant indicators from the alert.
Automate alert triage.
Investigate and hunt for additional activities by running advanced queries across major CSPs.
Interact with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
Hunt for related IOCs.
Remediate the alerts by blocking malicious indicators, terminating newly created resources, and more.

As part of this pack, you will also get an out-of-the-box layout to facilitate analyst investigation. All of these components are easily customizable to suit the needs of your organization.

Playbooks

The pack consists of three comprehensive playbooks tailored for handling common cloud security incidents

1. Cloud Token Theft

The Cloud Token Theft playbook is designed to guide security analysts through the response process in cases of compromised cloud access tokens. These tokens are crucial for accessing cloud resources and are often targeted by attackers to gain unauthorized access.

Cortex XDR - Cloud Token Theft Response

2. Cryptojacking Response

The Cryptojacking Response playbook assists security teams in detecting and mitigating cryptojacking incidents, where attackers illicitly use an organization's cloud resources to mine cryptocurrencies.

Cortex XDR - Cloud Cryptojacking

3. IAM User Investigation

The IAM User Investigation playbook provides step-by-step instructions for investigating suspicious activities related to IAM (Identity and Access Management) users in the cloud environment. It aids in identifying potential account compromises and unauthorized access.

Cortex XDR - Cloud IAM User Access Investigation

Investigative Playbooks

How to Use the Playbooks

Each playbook is provided in a user-friendly format, detailing the necessary actions, procedures, and tools required for effective incident response. To use the playbooks, follow the respective links provided above.

Cloud Incident Response

Set up cloud audit logs for Azure
Set up cloud audit logs for AWS
Set up cloud audit logs for GCP

What does this pack do?

The playbooks included in this pack help save time and automate repetitive tasks:

Extract and enrich all relevant indicators from the alert.
Automate alert triage.
Investigate and hunt for additional activities by running advanced queries across major CSPs.
Interact with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
Hunt for related IOCs.
Remediate the alerts by blocking malicious indicators, terminating newly created resources, and more.

As part of this pack, you will also get an out-of-the-box layout to facilitate analyst investigation. All of these components are easily customizable to suit the needs of your organization.

The playbooks are also included in the "Playbook Recommendation".

Playbooks

The pack consists of three comprehensive playbooks tailored for handling common cloud security incidents

Investigative Playbooks

How to Use the Playbooks

Automations

Name	Description
XCloudRelatedAlertsWidget	This script retrieves additional original alert information from the context.
displayCloudIndicators	Display the Cloud indicators found in a dynamic-section
ExtractIndicators-CloudLogging	This script will extract indicators from a given AWS CloudTrail or GCP Logging event.
XCloudProviderWidget	This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.

Incident Fields

Name	Description
Is VPN IP Address

Layouts

Name	Description
Cortex XDR - XCLOUD Cryptojacking

Playbooks

Name	Description
Cortex XDR - Cloud Data Exfiltration Response	Data Exfiltration Response The Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: Enrichment involved assets. Determines the appropriate verdict based on the data collected from the enrichment phase. Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques Verdict Handling: Handles false positives identified during the investigation Handles true positives by initiating appropriate response actions
Cortex XDR - Cloud Enrichment	This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout. The playbook collects or enriches the following data: Resource enrichment Previous activity seen in the specified region or project Account enrichment Network enrichment Attacker IP Geolocation ASN
Cortex XDR - XCloud Token Theft - Set Verdict	Cloud Token Theft - Set Verdict Playbook The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. Event Search The playbook searches for events based on the attacker's IP address within the last two hours. Tests Performed The following tests are performed on the observed activity: Malicious IP Check: Determines if the IP address is malicious. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). IP and ASN History Check: Verifies if the IP address and ASN have been previously observed. Region Check: Determines if the API call was made from outside the recognized region. Anomalous State Check: Checks if the API call was made from an anomalous state. Alert Check: Looks for any related alerts around the event, including: Possible cloud instance metadata service (IMDS) abuse. Impossible Traveler by cloud identity.
Cortex XDR - XCloud Cryptojacking - Set Verdict	This playbook sets the alert's verdict as malicious if one of the following conditions is true: If the source IP address is malicious If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity) If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity" If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region" If none of the conditions is true, the playbook will wait for an analyst's decision.
Cortex XDR - Malicious Pod Response - Agent	This playbook ensures a swift and effective response to malicious activities within Kubernetes environments, leveraging cloud-native tools to maintain cluster security and integrity. The playbook is designed to handle agent-generated alerts due to malicious activities within Kubernetes (K8S) pods, such as mining activities, which require immediate action. The playbook also addresses scenarios where the malicious pod is killed, but the malicious K8S workload repeatedly creates new pods. Key Features: AWS Function Integration: This utilizes an AWS Lambda function that can manage resources and facilitate rapid response actions within an Amazon EKS cluster without the need for third-party tools such as Kubectl. The Lambda function can initiate the following response actions: `- Pod Termination: The playbook includes steps to safely terminate the affected pod within the K8S environment. - Workload Suspension: If necessary, the playbook can be escalated to suspend the entire workload associated with the mining activity.` Once the Lambda function execution is completed, the playbook deletes all of the created objects to ensure undesirable usage. Workflow: Alert Detection: The playbook begins with the monitoring agent detecting a mining alert within a Kubernetes pod. Alert Validation: Validates the alert to ensure it is not a false positive. Response Decision: Pod Termination: If the mining activity is isolated to a single pod, the AWS Lambda function is invoked to terminate the affected pod within the K8S environment. Workload Suspension: If the mining activity is widespread or poses a significant threat, the AWS Lambda function suspends the entire workload within the K8S environment. Cleanup: This action initiates the complete removal of all objects created for the Lambda execution for security and hardening purposes. Required Integration AWS IAM (Identity and Access Management) AWS IAM API Documentation Cortex XSOAR AWS IAM Integration AWS EC2 (Elastic Compute Cloud) AWS EC2 API Documentation Cortex XSOAR AWS EC2 Integration AWS EKS (Elastic Kubernetes Service) AWS EKS API Documentation Cortex XSOAR AWS EKS Integration AWS Lambda AWS Lambda API Documentation Cortex XSOAR AWS Lambda Integration.
Cortex XDR - XCloud Token Theft Response	Cloud Token Theft Response Playbook The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: Cloud Enrichment: Enriches the involved resources. Enriches the involved identities. Enriches the involved IPs. Verdict Decision Tree: Determines the appropriate verdict based on the investigation findings. Early Containment using the Cloud Response - Generic Playbook: Implements early containment measures to prevent further impact. Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques. Enriching and Responding to Hunting Findings: Performs additional enrichment and responds to the findings from threat hunting. Verdict Handling: Handles false positives identified during the investigation. Handles true positives by initiating appropriate response actions.
Cortex XDR - XCloud Cryptojacking	Investigates a Cortex XDR incident containing a Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: Cloud enrichment: Collects info about the involved resources Collects info about the involved identities Collects info about the involved IPs Verdict decision tree Verdict handling: Handle False Positives Handle True Positives Cloud Response - Generic sub-playbook. Notifies the SOC if a malicious verdict was found
Cloud Threat Hunting - Persistence	Cloud Threat Hunting - Persistence Playbook The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time. Hunting Queries The playbook executes hunting queries for each provider related to each of the following: IAM Compute Resources Compute Functions Indicator Extraction If relevant events are found during the search, indicators will be extracted using the `ExtractIndicators-CloudLogging` script.
Cortex XDR - Cloud IAM User Access Investigation	Investigate and respond to Cortex XDR Cloud alerts where a Cloud IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node

Automations

Name	Description
EntryWidgetResourceTypeXCLOUD	Entry widget that returns the resource type involved in the alert.
XCloudProviderWidget	This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.
displayCloudIndicators	Display the Cloud indicators found in a dynamic-section
EntryWidgetRegionNameXCLOUD	Entry widget that returns the region involved in the alert.
ExtractIndicators-CloudLogging	This script will extract indicators from a given AWS CloudTrail or GCP Logging event.
XCloudAdditionalAlertInformationWidget	This script retrieves additional original alert information from the context.
XCloudIdentitiesWidget	This script retrieves the identity fields from the incident context.
XCloudRelatedAlertsWidget	This script retrieves additional original alert information from the context.

Incident Fields

Name	Description
Is VPN IP Address

Layoutrule

Name	Description
Cloud Alerts Layout Rule	Default display for Cloud Alerts generated by XDR Analytics.

Layouts

Name	Description
CLOUD Token Theft
Cloud Alerts

Playbooks

Name	Description
XCloud Cryptojacking	Investigates a Cortex XDR alert containing Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: Cloud enrichment: -Collects info about the involved resources -Collects info about the involved identities -Collects info about the involved IPs Verdict decision tree Verdict handling: -Handle False Positives -Handle True Positives -Cloud Response - Generic sub-playbook. Notifies the SOC if a malicious verdict was found
Cloud Token Theft Response	Cloud Token Theft Response Playbook The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: Cloud Enrichment: Enriches the involved resources Enriches the involved identities Enriches the involved IPs Verdict Decision Tree: Determines the appropriate verdict based on the investigation findings Early Containment using the Cloud Response - Generic Playbook: Implements early containment measures to prevent further impact Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques Enriching and Responding to Hunting Findings: Performs additional enrichment and responds to the findings from threat hunting Verdict Handling: Handles false positives identified during the investigation Handles true positives by initiating appropriate response actions
XCloud Cryptojacking - Set Verdict	This playbook sets the alert's verdict as malicious if one of the following conditions is true: If the source IP address is malicious If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity) If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity" If the alert includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well. If the alert includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region" If none of the conditions is true, the playbook will wait for an analyst's decision.
XCloud Alert Enrichment	This playbook is responsible for data collection and enrichment. The playbook collects or enriches the following data: Account enrichment Network enrichment -Attacker IP -Geolocation -ASN
Cloud Token Theft - Set Verdict	Cloud Token Theft - Set Verdict Playbook The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. Event Search The playbook searches for events based on the attacker's IP address within the last two hours. Tests Performed The following tests are performed on the observed activity: Malicious IP Check: Determines if the IP address is malicious. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). IP and ASN History Check: Verifies if the IP address and ASN have been previously observed. Region Check: Determines if the API call was made from outside the recognized region. Anomalous State Check: Checks if the API call was made from an anomalous state. Alert Check: Looks for any related alerts around the event, including: Possible cloud instance metadata service (IMDS) abuse. Impossible Traveler by cloud identity.
Cloud Threat Hunting - Persistence	Cloud Threat Hunting - Persistence Playbook The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time. Hunting Queries The playbook executes hunting queries for each provider related to each of the following: IAM Compute Resources Compute Functions Indicator Extraction If relevant events are found during the search, indicators will be extracted using the `ExtractIndicators-CloudLogging` script.
Cloud Data Exfiltration Response	Cloud Data Exfiltration Response The Cloud Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: Enrichment involved assets. Determines the appropriate verdict based on the data collected from the enrichment. Cloud Persistence Threat Hunting: Conducts threat hunting activities to identify any cloud persistence techniques Verdict Handling: Handles false positives identified during the investigation Handles true positives by initiating appropriate response actions
Cloud IAM User Access Investigation	Investigate and respond to Cortex XSIAM alerts where a Cloud IAM user access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node

Trigger

Name	Description
Cloud Token Theft	This trigger is responsible for handling Cloud Token Theft alerts
Cloud IAM User Access Investigation	This trigger is responsible for handling Cloud IAM user access investigation alerts
Cloud Data Exfiltration	This trigger is responsible for handling cloud data exfiltration alerts
XCloud Cryptojacking	This trigger is responsible for handling Cryptojacking alerts

Required Content Packs (9)

Pack Name	Pack By
AWS - CloudTrail	By: Cortex XSOAR
AWS Enrichment and Remediation	By: Cortex XSOAR
AWS - Lambda	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Google Cloud Logging	By: Cortex XSOAR
Identity	By: Cortex XSOAR

All level dependencies (20)

Pack Name	Pack By
AWS Enrichment and Remediation	By: Cortex XSOAR
AWS - S3	By: Cortex XSOAR
AWS - CloudTrail	By: Cortex XSOAR
AWS - EC2	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
AWS - IAM	By: Cortex XSOAR
AWS - EKS	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
AWS - Lambda	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
AWS Systems Manager	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
AWS Organizations	By: Cortex XSOAR

1.0.25 - 3042633 (April 2, 2025)

Scripts

displayCloudIndicators

Metadata and documentation improvements.

XCloudRelatedAlertsWidget

Metadata and documentation improvements.

XCloudProviderWidget

Metadata and documentation improvements.

ExtractIndicators-CloudLogging

Metadata and documentation improvements.

Related pull requests:
- 39096

Download

1.0.24 - R2988287 (March 26, 2025)

Cloud Incident Response

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

1.0.23 - 2139494 (February 4, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 38478

Download

1.0.22 - 1855875 (December 23, 2024)

Playbooks

Cortex XDR - Cloud Enrichment

Documentation and metadata improvements.

Related pull requests:
- 37696

Download

1.0.21 - 1780397 (December 9, 2024)

Scripts

ExtractIndicators-CloudLogging

Updated the Docker image to: demisto/bs4-tld:1.0.0.117606.

Related pull requests:
- 37620
- 37619
- 37618
- 37617

Download

1.0.20 - 1718057 (November 28, 2024)

Scripts

XCloudProviderWidget

Updated the Docker image to: demisto/python3:3.11.10.115186.

XCloudRelatedAlertsWidget

Updated the Docker image to: demisto/python3:3.11.10.115186.

displayCloudIndicators

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

1.0.19 - 1423289 (September 23, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36392

Download

1.0.18 - 1370357 (September 11, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36021

Download

1.0.17 - R1316088 (August 27, 2024)

Playbooks

New: Cortex XDR - Malicious Pod Response - Agent

New: This playbook ensures a swift and effective response to malicious activities within Kubernetes environments, leveraging cloud-native tools to maintain cluster security and integrity.
(Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 35269

Download

1.0.25 - 3042633 (April 2, 2025)

Scripts

XCloudIdentitiesWidget

Metadata and documentation improvements.

displayCloudIndicators

Metadata and documentation improvements.

XCloudRelatedAlertsWidget

Metadata and documentation improvements.

XCloudProviderWidget

Metadata and documentation improvements.

ExtractIndicators-CloudLogging

Metadata and documentation improvements.

EntryWidgetResourceTypeXCLOUD

Metadata and documentation improvements.

XCloudAdditionalAlertInformationWidget

Metadata and documentation improvements.

EntryWidgetRegionNameXCLOUD

Metadata and documentation improvements.

Related pull requests:
- 39096

Download

1.0.24 - R2988287 (March 26, 2025)

Cloud Incident Response

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

1.0.23 - 2139494 (February 4, 2025)

Layouts

CLOUD Token Theft
Fixed an issue where the dynamic section used the wrong script ID, causing the panel not to render correctly.

Related pull requests:
- 38478

Download

1.0.22 - 1855875 (December 23, 2024)

Playbooks

XCloud Cryptojacking - Set Verdict

Documentation and metadata improvements.

Cloud Data Exfiltration Response

Documentation and metadata improvements.

Related pull requests:
- 37696

Download

1.0.21 - 1780397 (December 9, 2024)

Scripts

ExtractIndicators-CloudLogging

Updated the Docker image to: demisto/bs4-tld:1.0.0.117606.

Related pull requests:
- 37620
- 37619
- 37618
- 37617

Download

1.0.20 - 1718057 (November 28, 2024)

Scripts

EntryWidgetRegionNameXCLOUD

Updated the Docker image to: demisto/python3:3.11.10.115186.

XCloudAdditionalAlertInformationWidget

Updated the Docker image to: demisto/python3:3.11.10.115186.

XCloudProviderWidget

Updated the Docker image to: demisto/python3:3.11.10.115186.

EntryWidgetResourceTypeXCLOUD

Updated the Docker image to: demisto/python3:3.11.10.115186.

XCloudRelatedAlertsWidget

Updated the Docker image to: demisto/python3:3.11.10.115186.

XCloudIdentitiesWidget

Updated the Docker image to: demisto/python3:3.11.10.115186.

displayCloudIndicators

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

1.0.19 - 1423289 (September 23, 2024)

Layouts

Cloud Alerts
Replaced the "CortexXDRAdditionalAlertInformationWidget" with "XCloudAdditionalAlertInformationWidget".
Replaced XDR incident fields with common alert fields.

Related pull requests:
- 36392

Download

1.0.18 - 1370357 (September 11, 2024)

Layouts

CLOUD Token Theft
Updated layout with canvas tab.
Cloud Alerts
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

1.0.17 - R1316088 (August 27, 2024)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 35269

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 6, 2023
Last Release	April 2, 2025

Incident Response

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Cloud Incident Response

Cloud Incident Response

What does this pack do?