Cloud user investigation #28843

OmriItzhak · 2023-08-08T11:19:53Z

Status

In Progress
Ready
In Hold - (Reason for hold)

Related Issues

Description

These playbooks perform an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.

Must have

Tests
Documentation

…loud_User_Investigation

content-bot · 2023-08-08T11:29:12Z

This PR was automatically updated by a GitHub Action

CommonPlaybooks pack version was bumped to 2.3.88.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

content-bot · 2023-08-08T15:06:33Z

This PR was automatically updated by a GitHub Action

CommonPlaybooks pack version was bumped to 2.3.89.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

content-bot · 2023-08-09T06:32:23Z

This PR was automatically updated by a GitHub Action

GCP-Enrichment-Remediation pack version was bumped to 1.1.6.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml

Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic.yml

Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation_README.md

Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic_README.md

Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml

Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_6.md

ShirleyDenkberg · 2023-08-09T11:27:06Z

@melamedbn Doc review completed.

…nvestigation � Conflicts: � Packs/CommonPlaybooks/ReleaseNotes/2_3_88.md � Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_5.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

… into Cloud_User_Investigation

Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml

melamedbn · 2023-08-13T09:45:16Z

For all of the AWS filters (API Access, Failed Login, etc.) I think we should elaborate in the task details what's our goal and what are we searching for.

Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml

melamedbn · 2023-08-13T09:49:43Z

Azure -
Did you choose a specific index on purpose? '[0].[1]' for the Set tasks?

Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml

melamedbn · 2023-08-13T09:51:39Z

Azure, AWS and GCP - all of the playbook descriptions should be formatted and more informative.

content-bot · 2023-08-14T11:24:36Z

This PR was automatically updated by a GitHub Action

CommonPlaybooks pack version was bumped to 2.3.90.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml

Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml

Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation_README.md

Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml

ShirleyDenkberg · 2023-08-14T11:40:21Z

@melamedbn Doc review completed.

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

…_Investigation.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* PB + RM cloud user investigation * RN for the Playbooks cloud user investigation * update skipifunavailable * Bump pack from version CommonPlaybooks to 2.3.88. * Bump pack from version CommonPlaybooks to 2.3.89. * Bump pack from version GCP-Enrichment-Remediation to 1.1.6. * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * fix after doc review * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * fix after review * fix after review * fix after review * Bump pack from version CommonPlaybooks to 2.3.90. * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update playbook-AWS_-_User_Investigation.yml --------- Co-authored-by: Content Bot <bot@demisto.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

OmriItzhak added 4 commits August 7, 2023 19:29

PB + RM cloud user investigation

37f8d33

RN for the Playbooks cloud user investigation

76a20cc

update skipifunavailable

87343ba

update skipifunavailable

e4143fd

OmriItzhak requested review from michalgold and idovandijk as code owners August 8, 2023 11:19

OmriItzhak requested review from melamedbn and removed request for michalgold and idovandijk August 8, 2023 11:20

OmriItzhak assigned ShirleyDenkberg Aug 8, 2023

Content Bot and others added 3 commits August 8, 2023 11:29

Merged master into current branch.

84da502

Bump pack from version CommonPlaybooks to 2.3.88.

f49ef25

Merge remote-tracking branch 'origin/Cloud_User_Investigation' into C…

4a7cf59

…loud_User_Investigation

Content Bot added 2 commits August 8, 2023 15:06

Merged master into current branch.

4e708ac

Bump pack from version CommonPlaybooks to 2.3.89.

e517c67

Content Bot added 2 commits August 9, 2023 06:32

Merged master into current branch.

db36047

Bump pack from version GCP-Enrichment-Remediation to 1.1.6.

7a483a3

ShirleyDenkberg reviewed Aug 9, 2023

View reviewed changes

ShirleyDenkberg added the docs-approved label Aug 9, 2023

OmriItzhak and others added 6 commits August 13, 2023 10:30

Merge branch 'master' of github.com:demisto/content into Cloud_User_I…

3fe6bbe

…nvestigation � Conflicts: � Packs/CommonPlaybooks/ReleaseNotes/2_3_88.md � Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_5.md

Apply suggestions from code review

1c71b73

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

Apply suggestions from code review

dd4d85f

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

fix after doc review

fdbaaf9

Apply suggestions from code review

e751c9c

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

Apply suggestions from code review

fb1a34e

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

OmriItzhak and others added 2 commits August 13, 2023 11:25

Apply suggestions from code review

d70e7b2

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

Merge branch 'Cloud_User_Investigation' of github.com:demisto/content…

7fb850d

… into Cloud_User_Investigation