diff --git a/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml
new file mode 100644
index 000000000000..9b5febea8825
--- /dev/null
+++ b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml
@@ -0,0 +1,1693 @@
+id: AWS - User Investigation
+version: -1
+name: AWS - User Investigation
+description: "This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user:\n- Failed login attempt\n- Suspicious activities \n- API access denied\n- Administrative user activities\n- Security rules and policies changes\n- Access keys and access token activities\n- Script-based user agent usage\n- User role changes activities\n- MFA device changes activities\n"
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: f3f2d42d-6426-4fa1-8645-5ca37e8b8676
+ type: start
+ task:
+ id: f3f2d42d-6426-4fa1-8645-5ca37e8b8676
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "46"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": -340
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "1":
+ id: "1"
+ taskid: e0e47d55-d099-4e4e-8a63-b950e8e06ca0
+ type: condition
+ task:
+ id: e0e47d55-d099-4e4e-8a63-b950e8e06ca0
+ version: -1
+ name: Is AWS CloudTrail enabled and is the user name defined?
+ description: Checks if the AWS CloudTrail integration is enabled.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "8"
+ "yes":
+ - "5"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: modules
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: modules.brand
+ iscontext: true
+ right:
+ value:
+ simple: AWS - CloudTrail
+ ignorecase: true
+ accessor: state
+ iscontext: true
+ right:
+ value:
+ simple: active
+ ignorecase: true
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.Username
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": 130
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "2":
+ id: "2"
+ taskid: 51206f1f-295e-4aee-8fb6-23a6c7b74613
+ type: title
+ task:
+ id: 51206f1f-295e-4aee-8fb6-23a6c7b74613
+ version: -1
+ name: AWS CloudTrail
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "1"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": -30
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "5":
+ id: "5"
+ taskid: 49213749-81ae-4feb-86d6-23fed8a9848b
+ type: regular
+ task:
+ id: 49213749-81ae-4feb-86d6-23fed8a9848b
+ version: -1
+ name: Aws-CloudTrail-lookup-events
+ description: Looks up API activity events captured by CloudTrail that create, update, or delete resources in your account. Events for a region can be looked up for the times in which you had CloudTrail turned on in that region during the last seven days.
+ script: AWS - CloudTrail|||aws-cloudtrail-lookup-events
+ type: regular
+ iscommand: true
+ brand: AWS - CloudTrail
+ nexttasks:
+ '#none#':
+ - "41"
+ scriptarguments:
+ attributeKey:
+ simple: Username
+ attributeValue:
+ complex:
+ root: inputs.Username
+ startTime:
+ complex:
+ root: TimeNow
+ transformers:
+ - operator: RegexExtractAll
+ args:
+ error_if_no_match: {}
+ ignore_case: {}
+ multi_line: {}
+ period_matches_newline: {}
+ regex:
+ value:
+ simple: (.*)\.
+ unpack_matches: {}
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": 315
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "8":
+ id: "8"
+ taskid: 56cd8ece-a7ce-463f-8cfe-dfa186935c86
+ type: title
+ task:
+ id: 56cd8ece-a7ce-463f-8cfe-dfa186935c86
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 360,
+ "y": 1430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "9":
+ id: "9"
+ taskid: 23cde925-a031-4457-8bbd-1b96f438d390
+ type: regular
+ task:
+ id: 23cde925-a031-4457-8bbd-1b96f438d390
+ version: -1
+ name: Load alerts JSON
+ description: Loads a JSON from a string input, and returns a JSON object result.
+ scriptName: LoadJSON
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "12"
+ - "11"
+ - "30"
+ - "32"
+ - "36"
+ - "35"
+ - "38"
+ - "44"
+ - "45"
+ scriptarguments:
+ input:
+ complex:
+ root: AWS.CloudTrail.Events
+ accessor: CloudTrailEvent
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": 700
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "10":
+ id: "10"
+ taskid: db70a4ed-7f97-4a5e-847f-544c05584d94
+ type: regular
+ task:
+ id: db70a4ed-7f97-4a5e-847f-544c05584d94
+ version: -1
+ name: 'API Access denied Count '
+ description: Set the `access denied` API calls, if it exists.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsApiAccessDeniedCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.errorCode
+ iscontext: true
+ right:
+ value:
+ simple: AccessDenied
+ ignorecase: true
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventType
+ iscontext: true
+ right:
+ value:
+ simple: AwsApiCall
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -370,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "11":
+ id: "11"
+ taskid: 7cb0546e-9cdc-4087-8510-1316faedee62
+ type: title
+ task:
+ id: 7cb0546e-9cdc-4087-8510-1316faedee62
+ version: -1
+ name: Administrative User Activities
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "13"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "12":
+ id: "12"
+ taskid: 600a27b1-37ee-4e3b-838b-86430e372820
+ type: title
+ task:
+ id: 600a27b1-37ee-4e3b-838b-86430e372820
+ version: -1
+ name: API Access Denied
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "10"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -370,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "13":
+ id: "13"
+ taskid: 5eeb31d6-8b7d-4301-8230-b91158122a71
+ type: regular
+ task:
+ id: 5eeb31d6-8b7d-4301-8230-b91158122a71
+ version: -1
+ name: 'Set Administrative User Activities Count '
+ description: |-
+ Set the administrative activities performed by the user, if it exists.
+ The task sets the following activities:
+ ResetAccountPassword, CreateUser, DeleteUser, AddUserToGroup, RemoveUserFromGroup, EnableUser, DisableUser, CreateGroup, DeleteGroup, UpdateGroup, UpdateUser, CreateRole, DeleteRole, UpdateRole, ActivateUser, ActivateUsers.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsAdminActivitiesCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: ResetAccountPassword
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateUser
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteUser
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: AddUserToGroup
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: RemoveUserFromGroup
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: EnableUser
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DisableUser
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateGroup
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteGroup
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateGroup
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateUser
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateRole
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteRole
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateRole
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: ActivateUser
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: ActivateUsers
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "29":
+ id: "29"
+ taskid: e6dc04b1-a814-4b96-8490-b3abeb0fb356
+ type: regular
+ task:
+ id: e6dc04b1-a814-4b96-8490-b3abeb0fb356
+ version: -1
+ name: Security rules and policies were changed
+ description: |-
+ Set the security rules and policy changes made by the user if they exist.
+ The task sets the following activities:
+ CreatePolicy, DeletePolicy, UpdatePolicy, CreateAccessPolicy, DeleteAccessPolicy, UpdateAccessPolicy, CreateFirewall, DeleteFirewall, CreateFirewallRule, DeleteFirewallRule, UpdateFirewallRule, CreateFirewallPolicy, UpdateFirewallPolicy, DeleteFirewallPolicy.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsSecurityChangesCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreatePolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeletePolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdatePolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateAccessPolicy
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateAccessPolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteAccessPolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateFirewall
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteFirewall
+ ignorecase: true
+ - operator: containsGeneral
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateFirewallRule
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteFirewallRule
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateFirewallRule
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateFirewallPolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: |
+ UpdateFirewallPolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteFirewallPolicy
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1250,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "30":
+ id: "30"
+ taskid: 100e1858-9375-4062-86ec-bd60f4609a28
+ type: title
+ task:
+ id: 100e1858-9375-4062-86ec-bd60f4609a28
+ version: -1
+ name: Security rules were changed
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "29"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1250,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "31":
+ id: "31"
+ taskid: f3211bb9-1f9b-4b60-8c8c-2b8afa8b16c7
+ type: regular
+ task:
+ id: f3211bb9-1f9b-4b60-8c8c-2b8afa8b16c7
+ version: -1
+ name: Access Keys and Access Token activities
+ description: |-
+ Set the access keys and access token activities performed by the user, if it exists.
+ The task sets the following activities:
+ CreateAccessKey, DeleteAccessKey, UpdateAccessKey, CreateApiKey, DeleteApiKey, UpdateApiKey, CreateKeyPair, DeleteKeyPair, CreateKey, DeleteKey, DeleteSSHPublicKey, CreateCliToken, CreateToken, DeleteOAuthToken, CreateEnrollmentToken.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsAccessKeyActivitiesCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateAccessKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteAccessKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateAccessKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateApiKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteApiKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateApiKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateKeyPair
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteKeyPair
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteSSHPublicKey
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateCliToken
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateToken
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteOAuthToken
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: CreateEnrollmentToken
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1670,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "32":
+ id: "32"
+ taskid: 5664ffb4-5474-49bc-8d99-504706acabeb
+ type: title
+ task:
+ id: 5664ffb4-5474-49bc-8d99-504706acabeb
+ version: -1
+ name: Access Keys and Access Tokens Modification
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "31"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1670,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "33":
+ id: "33"
+ taskid: cd66a3d7-ef8b-4be3-8c03-d07a227f0739
+ type: title
+ task:
+ id: cd66a3d7-ef8b-4be3-8c03-d07a227f0739
+ version: -1
+ name: AWS CloudTrail Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "8"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": 1200
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "34":
+ id: "34"
+ taskid: 2c26000e-beeb-4d19-880e-5f417fbdcdf0
+ type: regular
+ task:
+ id: 2c26000e-beeb-4d19-880e-5f417fbdcdf0
+ version: -1
+ name: Failed logon attempt
+ description: Set the console failed logon performed by the user, if it exists.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsFailedLogonCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: ConsoleLogin
+ ignorecase: true
+ - - operator: isNotEqualString
+ left:
+ value:
+ simple: JsonObject.responseElements.registryId
+ iscontext: true
+ right:
+ value:
+ simple: Success
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 60,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "35":
+ id: "35"
+ taskid: 35364c42-1631-409d-8887-f13308c77128
+ type: title
+ task:
+ id: 35364c42-1631-409d-8887-f13308c77128
+ version: -1
+ name: User Agent
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "37"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -2090,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "36":
+ id: "36"
+ taskid: 3a85deae-c6aa-421d-8c4e-6892fb967e7e
+ type: title
+ task:
+ id: 3a85deae-c6aa-421d-8c4e-6892fb967e7e
+ version: -1
+ name: Failed Login Attempt
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "34"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 60,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "37":
+ id: "37"
+ taskid: d2a5d9c4-fda6-47bf-8505-002fbb79b918
+ type: regular
+ task:
+ id: d2a5d9c4-fda6-47bf-8505-002fbb79b918
+ version: -1
+ name: 'Script-based User Agent '
+ description: |-
+ Set the script-based user agent used by the user, if it exists.
+ The task sets the following script-based user agents :
+ Jakarta Commons-HttpClient, Python-urllib, Wget, curl.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsScriptBasedUserAgentCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: containsGeneral
+ left:
+ value:
+ simple: JsonObject.userAgent
+ iscontext: true
+ right:
+ value:
+ simple: Wget
+ ignorecase: true
+ - operator: containsGeneral
+ left:
+ value:
+ simple: JsonObject.userAgent
+ iscontext: true
+ right:
+ value:
+ simple: Jakarta Commons-HttpClient
+ ignorecase: true
+ - operator: containsGeneral
+ left:
+ value:
+ simple: JsonObject.userAgent
+ iscontext: true
+ right:
+ value:
+ simple: Python-urllib
+ ignorecase: true
+ - operator: containsGeneral
+ left:
+ value:
+ simple: JsonObject.userAgent
+ iscontext: true
+ right:
+ value:
+ simple: curl
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -2090,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "38":
+ id: "38"
+ taskid: 2968d186-b0ce-43af-8b72-c78aaf3c3507
+ type: title
+ task:
+ id: 2968d186-b0ce-43af-8b72-c78aaf3c3507
+ version: -1
+ name: Suspicious Activities
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "40"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -2520,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "40":
+ id: "40"
+ taskid: 3ea2ac79-77fd-4cea-8942-240abd7b46fe
+ type: regular
+ task:
+ id: 3ea2ac79-77fd-4cea-8942-240abd7b46fe
+ version: -1
+ name: Suspicious Activities
+ description: |-
+ Set the suspicious activities performed by the user, if it exists.
+ The task sets the following activities:
+ DeleteAlert ,DeleteAlarms ,DeleteCertificate ,DeleteCACertificate ,DeleteCertificateAuthority, DeleteLoggingConfiguration, DeleteWatchlist, StopLogging ,UpdateLoggingConfiguration, DeleteUser.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsSuspiciousActivitiesCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteAlert
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteAlarms
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteCertificate
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteCACertificate
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteCertificateAuthority
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteLoggingConfiguration
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteWatchlist
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: StopLogging
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: UpdateLoggingConfiguration
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteUser
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -2520,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "41":
+ id: "41"
+ taskid: 8b328b9f-aaf6-48ce-8ebd-31408b7b7255
+ type: condition
+ task:
+ id: 8b328b9f-aaf6-48ce-8ebd-31408b7b7255
+ version: -1
+ name: Is cloud Trail Event exist?
+ description: Checks if the CloudTrail events were found.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "8"
+ "yes":
+ - "9"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isExists
+ left:
+ value:
+ complex:
+ root: AWS.CloudTrail.Events
+ accessor: CloudTrailEvent
+ iscontext: true
+ right:
+ value: {}
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": 500
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "42":
+ id: "42"
+ taskid: 9830080e-0e31-4cfe-8deb-5ef4677e6951
+ type: regular
+ task:
+ id: 9830080e-0e31-4cfe-8deb-5ef4677e6951
+ version: -1
+ name: User Role Changes
+ description: |-
+ Set the user role changes made by the user if they exist.
+ The task sets the following activities:
+ AttachRolePolicy, DetachRolePolicy, DeleteRolePolicy.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsUserRoleChangesCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: AttachRolePolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DetachRolePolicy
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DeleteRolePolicy
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -2940,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "43":
+ id: "43"
+ taskid: 93659738-177b-492a-86d0-6d98c044ffef
+ type: regular
+ task:
+ id: 93659738-177b-492a-86d0-6d98c044ffef
+ version: -1
+ name: User MFA Device Changes
+ description: Set the MFA device change event if performed by the user, if it exists.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ key:
+ simple: AwsMFAConfigCount
+ value:
+ complex:
+ root: JsonObject
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: DisableMFADevice
+ ignorecase: true
+ - operator: isEqualString
+ left:
+ value:
+ simple: JsonObject.eventName
+ iscontext: true
+ right:
+ value:
+ simple: EnableMFADevice
+ ignorecase: true
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -3360,
+ "y": 1020
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "44":
+ id: "44"
+ taskid: 7c5f87ad-a130-4bd7-8ec2-254eb3384c65
+ type: title
+ task:
+ id: 7c5f87ad-a130-4bd7-8ec2-254eb3384c65
+ version: -1
+ name: User Role
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "42"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -2940,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "45":
+ id: "45"
+ taskid: 52ca1b40-b83d-4c0d-8b91-446b15d8a2fb
+ type: title
+ task:
+ id: 52ca1b40-b83d-4c0d-8b91-446b15d8a2fb
+ version: -1
+ name: Multi-Factor Authentication
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "43"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -3360,
+ "y": 880
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "46":
+ id: "46"
+ taskid: 7c2069a9-5b8c-4c03-8c6f-fe93558c93b7
+ type: regular
+ task:
+ id: 7c2069a9-5b8c-4c03-8c6f-fe93558c93b7
+ version: -1
+ name: Get Time for a search
+ description: |
+ Retrieves the current date and time.
+ scriptName: GetTime
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "2"
+ scriptarguments:
+ dateFormat:
+ simple: ISO
+ daysAgo:
+ complex:
+ root: inputs.AwsTimeSearchFrom
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1460,
+ "y": -210
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {
+ "1_5_yes": 0.37,
+ "1_8_#default#": 0.13,
+ "41_8_#default#": 0.15,
+ "41_9_yes": 0.51
+ },
+ "paper": {
+ "dimensions": {
+ "height": 1835,
+ "width": 4100,
+ "x": -3360,
+ "y": -340
+ }
+ }
+ }
+inputs:
+- key: Username
+ value: {}
+ required: false
+ description: "The username to investigate. \nPlease enter the user's email."
+ playbookInputQuery:
+- key: AwsTimeSearchFrom
+ value:
+ simple: "1"
+ required: false
+ description: "The Search Time for the `GetTime` task used by the AWS Cloud Trail search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)"
+ playbookInputQuery:
+outputs:
+- contextPath: AwsMFAConfigCount
+ description: The number of MFA configurations performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsUserRoleChangesCount
+ description: The number of user roles that were changed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsSuspiciousActivitiesCount
+ description: The number of suspicious activities performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsScriptBasedUserAgentCount
+ description: The number of script-based user agent usages by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsAccessKeyActivitiesCount
+ description: The number of access key activities performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsSecurityChangesCount
+ description: The number of security rules that were changed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsAdminActivitiesCount
+ description: The number of administrative activities performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsApiAccessDeniedCount
+ description: The number of API accesses denied by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsFailedLogonCount
+ description: The number of failed logins by the user in the AWS environment.
+ type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
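Review bot: The failed-logon filter in task "34" compares `JsonObject.responseElements.registryId` against `Success`, but a CloudTrail ConsoleLogin event reports its outcome in `responseElements.ConsoleLogin` ("Success" or "Failure"); as written the `isNotEqualString` clause is satisfied by every ConsoleLogin event, so `AwsFailedLogonCount` counts successful logins as failures (or, depending on how the filter treats the missing field, counts nothing), which defeats the purpose of that indicator. The left operand should read `simple: JsonObject.responseElements.ConsoleLogin`. Separately, in task "29" the `UpdateFirewallPolicy` value is written as a `|` block scalar, which keeps a trailing newline, so that `isEqualString` clause can never match a CloudTrail eventName; write it as `simple: UpdateFirewallPolicy` like its neighbours, and the lone `containsGeneral` used for `CreateFirewallRule` in the same list is presumably meant to be `isEqualString` too. Several eventName clauses in tasks "13", "29" and "40" omit `ignorecase: true` while their siblings set it; harmless for exact CloudTrail event names, but the list reads as if some entries were forgotten. The `Username` input description asks for the user's email, while the lookup uses `attributeKey: Username`, which matches the CloudTrail userName field — for IAM users that is typically the IAM user name rather than an email address, so the description should state which value the caller is expected to supply.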
diff --git a/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md
new file mode 100644
index 000000000000..5460489e8767
--- /dev/null
+++ b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md
@@ -0,0 +1,64 @@
+This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user:
+- Failed login attempt
+- Suspicious activities
+- API access denied
+- Administrative user activities
+- Security rules and policies changes
+- Access keys and access token activities
+- Script-based user agent usage
+- User role changes activities
+- MFA device changes activities
+
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+AWS - CloudTrail
+
+### Scripts
+
+* LoadJSON
+* GetTime
+* Set
+
+### Commands
+
+aws-cloudtrail-lookup-events
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to investigate.
Please enter the user's email. | | Optional |
+| AwsTimeSearchFrom | The Search Time for the \`GetTime\` task used by the AWS Cloud Trail search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| AwsMFAConfigCount | The number of MFA configurations performed by the user in the AWS environment. | unknown |
+| AwsUserRoleChangesCount | The number of user roles that were changed by the user in the AWS environment. | unknown |
+| AwsSuspiciousActivitiesCount | The number of suspicious activities performed by the user in the AWS environment. | unknown |
+| AwsScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the AWS environment. | unknown |
+| AwsAccessKeyActivitiesCount | The number of access key activities performed by the user in the AWS environment. | unknown |
+| AwsSecurityChangesCount | The number of security rules that were changed by the user in the AWS environment. | unknown |
+| AwsAdminActivitiesCount | The number of administrative activities performed by the user in the AWS environment. | unknown |
+| AwsApiAccessDeniedCount | The number of API accesses denied by the user in the AWS environment. | unknown |
+| AwsFailedLogonCount | The number of failed logins by the user in the AWS environment. | unknown |
+
+## Playbook Image
+
+---
+
+![AWS - User Investigation](../doc_files/AWS_-_User_Investigation.png)
diff --git a/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md b/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md
new file mode 100644
index 000000000000..a68dfa501468
--- /dev/null
+++ b/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: AWS - User Investigation
+
+New: This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png b/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png
new file mode 100644
index 000000000000..310bc46839ce
Binary files /dev/null and b/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png differ
diff --git a/Packs/AWS-Enrichment-Remediation/pack_metadata.json b/Packs/AWS-Enrichment-Remediation/pack_metadata.json
index 0ce76f59c4c3..2ad4843773a4 100644
--- a/Packs/AWS-Enrichment-Remediation/pack_metadata.json
+++ b/Packs/AWS-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "AWS Enrichment and Remediation",
"description": "Playbooks using multiple AWS content packs for enrichment and remediation purposes",
"support": "xsoar",
- "currentVersion": "1.1.2",
+ "currentVersion": "1.1.3",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
new file mode 100644
index 000000000000..6c3403d6addc
--- /dev/null
+++ b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
@@ -0,0 +1,1387 @@
+id: Azure - User Investigation
+version: -1
+name: Azure - User Investigation
+description: |-
+ This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user:
+ - Script-based user agent usage
+ - Administrative user activities
+ - Security rules and policies changes
+ - Failed login attempt
+ - MFA failed login attempt
+ - Login attempt from an uncommon country
+ - Anomalies activities
+ - Risky users
+ - Uncommon high volume of actions
+ - Action uncommonly performed by the user
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: 5aee39e8-c3e3-4825-8b99-253c7d8ddabc
+ type: start
+ task:
+ id: 5aee39e8-c3e3-4825-8b99-253c7d8ddabc
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "1"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 70
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "1":
+ id: "1"
+ taskid: 4286364d-bd10-43b7-8838-3d2f13d1eb87
+ type: condition
+ task:
+ id: 4286364d-bd10-43b7-8838-3d2f13d1eb87
+ version: -1
+ name: Is Azure Log Analytics enabled and the user name is defined?
+ description: Checks if the Azure Log Analytics integration is enabled.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "22"
+ "yes":
+ - "6"
+ - "4"
+ - "5"
+ - "9"
+ - "8"
+ - "7"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: modules
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: modules.brand
+ iscontext: true
+ right:
+ value:
+ simple: Azure Log Analytics
+ ignorecase: true
+ accessor: state
+ iscontext: true
+ right:
+ value:
+ simple: active
+ ignorecase: true
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.Username
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 210
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "2":
+ id: "2"
+ taskid: c793822a-6a73-4cef-87b4-cf6363c0b4ac
+ type: regular
+ task:
+ id: c793822a-6a73-4cef-87b4-cf6363c0b4ac
+ version: -1
+ name: 'Logon attempt from uncommon country'
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "29"
+ scriptarguments:
+ extend-context:
+ simple: AzureUncommonCountryLogon=
+ query:
+ simple: "BehaviorAnalytics\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "4":
+ id: "4"
+ taskid: e3afb9b9-75b2-40da-8154-347de63aaedb
+ type: title
+ task:
+ id: e3afb9b9-75b2-40da-8154-347de63aaedb
+ version: -1
+ name: BehaviorAnalytics (Sentinel)
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "2"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "5":
+ id: "5"
+ taskid: 251ebe3b-f61c-4a7f-8173-6b3207bb53b5
+ type: title
+ task:
+ id: 251ebe3b-f61c-4a7f-8173-6b3207bb53b5
+ version: -1
+ name: IdentityInfo (Sentinel)
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "12"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -390,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "6":
+ id: "6"
+ taskid: 5a31e359-3437-4f0c-8580-2940c2532994
+ type: title
+ task:
+ id: 5a31e359-3437-4f0c-8580-2940c2532994
+ version: -1
+ name: Anomalies (Sentinel)
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "13"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 30,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "7":
+ id: "7"
+ taskid: 4b3731b9-77c7-4702-8cad-a6e33593e1ed
+ type: title
+ task:
+ id: 4b3731b9-77c7-4702-8cad-a6e33593e1ed
+ version: -1
+ name: SigninLogs
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "14"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "8":
+ id: "8"
+ taskid: b1c902eb-61da-4b74-8ac4-e37f117a93d2
+ type: title
+ task:
+ id: b1c902eb-61da-4b74-8ac4-e37f117a93d2
+ version: -1
+ name: AzureActivity
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "18"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "9":
+ id: "9"
+ taskid: 72248260-9922-4787-8a99-52eab98184e5
+ type: title
+ task:
+ id: 72248260-9922-4787-8a99-52eab98184e5
+ version: -1
+ name: AuditLogs
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "15"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "10":
+ id: "10"
+ taskid: a1fb3fb9-345e-4457-86bc-68967d850bf8
+ type: regular
+ task:
+ id: a1fb3fb9-345e-4457-86bc-68967d850bf8
+ version: -1
+ name: Uncommon high volume of actions
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "30"
+ scriptarguments:
+ extend-context:
+ simple: AzureUncommonVolume=
+ query:
+ simple: "BehaviorAnalytics\n| where ActivityInsights.UncommonHighVolumeOfActions == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "11":
+ id: "11"
+ taskid: 003261b4-1cbb-4e46-86db-7ddc89bd98ef
+ type: regular
+ task:
+ id: 003261b4-1cbb-4e46-86db-7ddc89bd98ef
+ version: -1
+ name: Action uncommonly performed by user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "31"
+ scriptarguments:
+ extend-context:
+ simple: AzureUncommonActivities=
+ query:
+ simple: |-
+ BehaviorAnalytics
+ | where ActivityInsights.ActionUncommonlyPerformedByUser == "True"
+ | where UserPrincipalName == "${inputs.Username}"
+ | where TimeGenerated > ${inputs.AzureSearchTime}
+ | summarize Count = count(), Events = make_list(ActionType)
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 1300
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "12":
+ id: "12"
+ taskid: fdbda8a8-0c68-41ff-8383-b234f5796ebe
+ type: regular
+ task:
+ id: fdbda8a8-0c68-41ff-8383-b234f5796ebe
+ version: -1
+ name: Check if the user is defined as a risky user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "35"
+ scriptarguments:
+ extend-context:
+ simple: AzureRiskyUser=
+ query:
+ simple: |-
+ IdentityInfo
+ | where RiskState contains "Risk"
+ | where RiskLevel == "High"
+ | where AccountUPN == "${inputs.Username}"
+ | where TimeGenerated > ${inputs.AzureSearchTime}
+ | summarize Count = count()
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -390,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "13":
+ id: "13"
+ taskid: 5f98b4bb-04f8-4322-8552-6811832e17a4
+ type: regular
+ task:
+ id: 5f98b4bb-04f8-4322-8552-6811832e17a4
+ version: -1
+ name: Anomalies for the user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "28"
+ scriptarguments:
+ extend-context:
+ simple: AzureAnomalies=
+ query:
+ simple: "Anomalies \n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AnomalyDetails)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 30,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "14":
+ id: "14"
+ taskid: c9c89daa-d7bf-48cc-8efd-16ce1ac02113
+ type: regular
+ task:
+ id: c9c89daa-d7bf-48cc-8efd-16ce1ac02113
+ version: -1
+ name: Failed login attempts by the user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ extend-context:
+ simple: AzureNumOfFailLogin=
+ query:
+ simple: "SigninLogs \n| where parse_json(Status) contains \"fail\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.failedLogonThreshold}\n| summarize Count = count()"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "15":
+ id: "15"
+ taskid: 3f60ee79-cdd8-4732-8bf0-1eb7494a072f
+ type: regular
+ task:
+ id: 3f60ee79-cdd8-4732-8bf0-1eb7494a072f
+ version: -1
+ name: Check for script-based user agent
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "24"
+ scriptarguments:
+ extend-context:
+ simple: AzureScriptBasedUserAgent=
+ ignore-outputs:
+ simple: "false"
+ query:
+ simple: "AuditLogs \n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == \"${inputs.Username}\" \n| where AdditionalDetails[0].value contains \"python\" or AdditionalDetails[0].value contains \"curl\" or AdditionalDetails[0].value contains \"axios\" or AdditionalDetails[0].value contains \"httpie\" or AdditionalDetails[0].value contains \"wget\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AdditionalDetails)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "18":
+ id: "18"
+ taskid: 231a71b4-5b1f-4b2b-8a38-864e0c704167
+ type: regular
+ task:
+ id: 231a71b4-5b1f-4b2b-8a38-864e0c704167
+ version: -1
+ name: Security rules were changed successfully
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "26"
+ scriptarguments:
+ extend-context:
+ simple: AzureSuccessSecurityRulesChange=
+ query:
+ simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus == \"Succeeded\"\n| where Caller == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "19":
+ id: "19"
+ taskid: 2c78c73a-079c-4c66-884d-c30be565c963
+ type: regular
+ task:
+ id: 2c78c73a-079c-4c66-884d-c30be565c963
+ version: -1
+ name: An unsuccessful attempt to change security rules
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "27"
+ scriptarguments:
+ extend-context:
+ simple: AzureUnsuccessSecurityRulesChange=
+ query:
+ simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus != \"Succeeded\"\n| where Caller == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "21":
+ id: "21"
+ taskid: a4968328-3479-4eef-80f1-f42aab2c6fe4
+ type: regular
+ task:
+ id: a4968328-3479-4eef-80f1-f42aab2c6fe4
+ version: -1
+ name: Search for administrative user activities
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "25"
+ scriptarguments:
+ extend-context:
+ simple: AzureAdminActivities=
+ ignore-outputs:
+ simple: "false"
+ query:
+ simple: "AuditLogs\n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == \"${inputs.Username}\" \n| where Category in (\"ApplicationManagement\", \"UserManagement\", \"PolicyManagement\", \"GroupManagement\")| where Result == \"success\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "22":
+ id: "22"
+ taskid: 2a2bf514-43ab-4e9b-8e9f-c76ba315d16a
+ type: regular
+ task:
+ id: 2a2bf514-43ab-4e9b-8e9f-c76ba315d16a
+ version: -1
+ name: Set events count
+ description: Set multiple keys/values to the context.
+ scriptName: SetMultipleValues
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "32"
+ scriptarguments:
+ keys:
+ simple: AzureScriptBasedUserAgentCount,AzureAdminActivitiesCount,AzureSecurityRulesChangeCount,AzureUnsuccessSecurityRulesChangeCount,AzureAnomaliesCount,AzureUncommonCountryLogonCount,AzureUncommonVolumeCount,AzureUncommonActivitiesCount
+ parent:
+ simple: CountAzureEvents
+ values:
+ simple: ${AzureScriptBasedUserAgent.tables.rows.[0].[0]},${AzureAdminActivities.tables.rows.[0].[0]},${AzureSuccessSecurityRulesChange.tables.rows.[0].[0]},${AzureUnsuccessSecurityRulesChange.tables.rows.[0].[0]},${AzureAnomalies.tables.rows.[0].[0]},${AzureUncommonCountryLogon.tables.rows.[0].[0]},${AzureUncommonVolume.tables.rows.[0].[0]},${AzureUncommonActivities.tables.rows.[0].[0]}
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 1670
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "23":
+ id: "23"
+ taskid: 87060e96-667d-49a4-8b5a-3072fd4553a1
+ type: regular
+ task:
+ id: 87060e96-667d-49a4-8b5a-3072fd4553a1
+ version: -1
+ name: The user did not pass the MFA challenge
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "34"
+ scriptarguments:
+ extend-context:
+ simple: AzureNumOfFailMFA=
+ query:
+ simple: "SigninLogs \n| where ResultType =~ \"50074\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.MfaAttemptThreshold}"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "24":
+ id: "24"
+ taskid: e54197e5-9cf6-4f4f-8875-7e43bdef9808
+ type: regular
+ task:
+ id: e54197e5-9cf6-4f4f-8875-7e43bdef9808
+ version: -1
+ name: Set script-based user agent events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "21"
+ scriptarguments:
+ key:
+ simple: AzureScriptBasedUserAgentEvents
+ value:
+ complex:
+ root: AzureScriptBasedUserAgent.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "25":
+ id: "25"
+ taskid: 69fa497d-ca2e-4891-8b51-842262dc8cfe
+ type: regular
+ task:
+ id: 69fa497d-ca2e-4891-8b51-842262dc8cfe
+ version: -1
+ name: Set administrative events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureAdminActivitiesEvents
+ value:
+ complex:
+ root: AzureAdminActivities.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "26":
+ id: "26"
+ taskid: 632abf51-3069-4d39-8307-d88729788b94
+ type: regular
+ task:
+ id: 632abf51-3069-4d39-8307-d88729788b94
+ version: -1
+ name: Set security rules changed events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "19"
+ scriptarguments:
+ key:
+ simple: AzureSecurityRulesChangeEvents
+ value:
+ complex:
+ root: AzureSuccessSecurityRulesChange.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "27":
+ id: "27"
+ taskid: 47fae1fd-4922-4eab-8b29-8577018f047a
+ type: regular
+ task:
+ id: 47fae1fd-4922-4eab-8b29-8577018f047a
+ version: -1
+ name: Set attempt to change security rules events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureUnsuccessSecurityRulesChangeEvents
+ value:
+ complex:
+ root: AzureUnsuccessSecurityRulesChange.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "28":
+ id: "28"
+ taskid: 7f8e214d-c0df-4d8b-8867-3fd95e597d66
+ type: regular
+ task:
+ id: 7f8e214d-c0df-4d8b-8867-3fd95e597d66
+ version: -1
+ name: Set anomalies events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureAnomaliesEvents
+ value:
+ complex:
+ root: AzureAnomalies.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 30,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "29":
+ id: "29"
+ taskid: ad023e29-8a0d-4c84-87cf-bec720378b87
+ type: regular
+ task:
+ id: ad023e29-8a0d-4c84-87cf-bec720378b87
+ version: -1
+ name: Set event of logon attempt from uncommon country
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "10"
+ scriptarguments:
+ key:
+ simple: AzureUncommonCountryLogonEvents
+ value:
+ complex:
+ root: AzureUncommonCountryLogon.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "30":
+ id: "30"
+ taskid: 532d2390-6293-4c2c-8873-cbe620c21414
+ type: regular
+ task:
+ id: 532d2390-6293-4c2c-8873-cbe620c21414
+ version: -1
+ name: Set events of uncommon high volume of actions
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "11"
+ scriptarguments:
+ key:
+ simple: AzureUncommonVolumeEvents
+ value:
+ complex:
+ root: AzureUncommonVolume.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "31":
+ id: "31"
+ taskid: 2add1b66-34d3-4c95-8697-2403d56660a7
+ type: regular
+ task:
+ id: 2add1b66-34d3-4c95-8697-2403d56660a7
+ version: -1
+ name: Set events of action uncommonly performed by the user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureUncommonActivitiesEvents
+ value:
+ complex:
+ root: AzureUncommonActivities.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 1490
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "32":
+ id: "32"
+ taskid: b8af36fa-0211-4310-866b-cb9f58e16115
+ type: title
+ task:
+ id: b8af36fa-0211-4310-866b-cb9f58e16115
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 1850
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "33":
+ id: "33"
+ taskid: 982caec5-ce0d-46e0-81d4-54f83b6378d7
+ type: regular
+ task:
+ id: 982caec5-ce0d-46e0-81d4-54f83b6378d7
+ version: -1
+ name: Set the number of failed login attempts by the user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "23"
+ scriptarguments:
+ key:
+ simple: AzureFailLoginCount
+ value:
+ complex:
+ root: AzureNumOfFailLogin.tables.rows.[0]
+ accessor: '[0]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "34":
+ id: "34"
+ taskid: 881466ef-da2a-461a-8ee3-81c1d7504eb8
+ type: regular
+ task:
+ id: 881466ef-da2a-461a-8ee3-81c1d7504eb8
+ version: -1
+ name: Set the number of failed login MFA by the user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureFailLoginMFACount
+ value:
+ complex:
+ root: AzureNumOfFailMFA.tables.rows.[0]
+ accessor: '[0]'
+ transformers:
+ - operator: SetIfEmpty
+ args:
+ applyIfEmpty: {}
+ defaultValue:
+ value:
+ simple: "0"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "35":
+ id: "35"
+ taskid: 752b0d29-0d1f-4985-814f-72d96252984b
+ type: regular
+ task:
+ id: 752b0d29-0d1f-4985-814f-72d96252984b
+ version: -1
+ name: Set the number that the user was defined as a risky user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureRiskyUserCount
+ value:
+ complex:
+ root: AzureRiskyUser.tables.rows.[0]
+ accessor: '[0]'
+ transformers:
+ - operator: SetIfEmpty
+ args:
+ applyIfEmpty: {}
+ defaultValue:
+ value:
+ simple: "0"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -390,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {
+ "1_22_#default#": 0.1
+ },
+ "paper": {
+ "dimensions": {
+ "height": 1845,
+ "width": 2540,
+ "x": -810,
+ "y": 70
+ }
+ }
+ }
+inputs:
+- key: Username
+ value: {}
+ required: false
+ description: The username to investigate.
+ playbookInputQuery:
+- key: AzureSearchTime
+ value:
+ simple: ago(7d)
+ required: false
+ description: 'The Search Time for the Azure Log Analytics search query. Default value: ago(1d)'
+ playbookInputQuery:
+- key: failedLogonThreshold
+ value:
+ simple: "20"
+ required: false
+ description: The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events.
+ playbookInputQuery:
+- key: MfaAttemptThreshold
+ value:
+ simple: "10"
+ required: false
+ description: The threshold number of MFA failed logons by the user. Required to determine how many MFA failed logon events count as suspicious events.
+ playbookInputQuery:
+outputs:
+- contextPath: AzureScriptBasedUserAgentEvents
+ description: Script-based user agent events used by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureScriptBasedUserAgentCount
+ description: The number of script-based user agent usages by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureAdminActivitiesEvents
+ description: Administrative activities performed by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureAdminActivitiesCount
+ description: The number of administrative activities performed by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureSecurityRulesChangeEvents
+ description: Security rules that were changed by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureSecurityRulesChangeCount
+ description: The number of security rules that were changed by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureUnsuccessSecurityRulesChangeEvents
+ description: Unsuccessful attempts to change security rules by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount
+ description: The number of unsuccessful attempts to change security rules by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureFailLoginCount
+ description: The number of failed logins by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureFailLoginMFACount
+ description: The number of failed logins by the user using MFA in the Azure environment.
+ type: unknown
+- contextPath: AzureAnomaliesEvents
+ description: Anomaly events on the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureAnomaliesCount
+ description: The number of anomaly events on the user in the Azure environment.
+ type: unknown
+- contextPath: AzureRiskyUserCount
+ description: The number of events where the user was defined as a risky user in the Azure environment.
+ type: unknown
+- contextPath: AzureUncommonCountryLogonEvents
+ description: Uncommon country logon events by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUncommonCountryLogonCount
+ description: The number of uncommon country logon events by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureUncommonVolumeEvents
+ description: Uncommon volume events by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUncommonVolumeCount
+ description: The number of uncommon volume events by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureUncommonActivitiesEvents
+ description: Uncommon activity events by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUncommonActivitiesCount
+ description: The number of uncommon activity events by the user in the Azure environment.
+ type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
\ No newline at end of file
diff --git a/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation_README.md b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation_README.md
new file mode 100644
index 000000000000..278d41f62af1
--- /dev/null
+++ b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation_README.md
@@ -0,0 +1,75 @@
+This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user:
+- Script-based user agent usage
+- Administrative user activities
+- Security rules and policies changes
+- Failed login attempt
+- MFA failed login attempt
+- Login attempt from an uncommon country.
+- Anomalies activities
+- Risky users
+- Uncommon high volume of actions
+- Action uncommonly performed by the user
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+Azure Log Analytics
+
+### Scripts
+
+* SetMultipleValues
+* SetAndHandleEmpty
+
+### Commands
+
+azure-log-analytics-execute-query
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to investigate. | | Optional |
+| AzureSearchTime | The Search Time for the Azure Log Analytics search query. Default value: ago\(1d\) | ago(7d) | Optional |
+| failedLogonThreshold | The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events. | 20 | Optional |
+| MfaAttemptThreshold | The threshold number of MFA failed logons by the user. Required to determine how many MFA failed logon events count as suspicious events. | 10 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| AzureScriptBasedUserAgentEvents | Script-based user agent events used by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the Azure environment. | unknown |
+| AzureAdminActivitiesEvents | Administrative activities performed by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureAdminActivitiesCount | The number of administrative activities performed by the user in the Azure environment. | unknown |
+| AzureSecurityRulesChangeEvents | Security rules that were changed by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureSecurityRulesChangeCount | The number of security rules that were changed by the user in the Azure environment. | unknown |
+| AzureUnsuccessSecurityRulesChangeEvents | Unsuccessful attempts to change security rules by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount | The number of unsuccessful attempts to change security rules by the user in the Azure environment. | unknown |
+| AzureFailLoginCount | The number of failed logins by the user in the Azure environment. | unknown |
+| AzureFailLoginMFACount | The number of failed logins by the user using MFA in the Azure environment. | unknown |
+| AzureAnomaliesEvents | Anomaly events on the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureAnomaliesCount | The number of anomaly events on the user in the Azure environment. | unknown |
+| AzureRiskyUserCount | The number of events where the user was defined as a risky user in the Azure environment. | unknown |
+| AzureUncommonCountryLogonEvents | Uncommon country logon events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonCountryLogonCount | The number of uncommon country logon events by the user in the Azure environment. | unknown |
+| AzureUncommonVolumeEvents | Uncommon volume events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonVolumeCount | The number of uncommon volume events by the user in the Azure environment. | unknown |
+| AzureUncommonActivitiesEvents | Uncommon activity events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonActivitiesCount | The number of uncommon activity events by the user in the Azure environment. | unknown |
+
+## Playbook Image
+
+---
+
+![Azure - User Investigation](../doc_files/Azure_-_User_Investigation.png)
diff --git a/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_5.md b/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_5.md
new file mode 100644
index 000000000000..0dfc5f8e0828
--- /dev/null
+++ b/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_5.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: Azure - User Investigation
+
+New: This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/Azure-Enrichment-Remediation/doc_files/Azure_-_User_Investigation.png b/Packs/Azure-Enrichment-Remediation/doc_files/Azure_-_User_Investigation.png
new file mode 100644
index 000000000000..f6f80c5ba644
Binary files /dev/null and b/Packs/Azure-Enrichment-Remediation/doc_files/Azure_-_User_Investigation.png differ
diff --git a/Packs/Azure-Enrichment-Remediation/pack_metadata.json b/Packs/Azure-Enrichment-Remediation/pack_metadata.json
index 50ab6e2ad6af..1ad2a508efac 100644
--- a/Packs/Azure-Enrichment-Remediation/pack_metadata.json
+++ b/Packs/Azure-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Azure Enrichment and Remediation",
"description": "Playbooks using multiple Azure content packs for enrichment and remediation purposes",
"support": "xsoar",
- "currentVersion": "1.1.4",
+ "currentVersion": "1.1.5",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic.yml
new file mode 100644
index 000000000000..f566d1f60aae
--- /dev/null
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic.yml
@@ -0,0 +1,643 @@
+id: Cloud User Investigation - Generic
+version: -1
+name: Cloud User Investigation - Generic
+description: |
+ This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: db23b5f7-f28b-42e3-8f4f-4234f2a278c7
+ type: start
+ task:
+ id: db23b5f7-f28b-42e3-8f4f-4234f2a278c7
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "23"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": -330
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "2":
+ id: "2"
+ taskid: 656084fe-70c1-46ba-8bdd-7c314aa79c2c
+ type: title
+ task:
+ id: 656084fe-70c1-46ba-8bdd-7c314aa79c2c
+ version: -1
+ name: AWS Investigation
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "31"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 220,
+ "y": 40
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "3":
+ id: "3"
+ taskid: 76699a1b-adf1-4889-8426-d75e94cc7090
+ type: title
+ task:
+ id: 76699a1b-adf1-4889-8426-d75e94cc7090
+ version: -1
+ name: Azure Investigation
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "33"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 40
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "4":
+ id: "4"
+ taskid: 1a6bad15-9ad9-42a3-8023-e7c2d30a3277
+ type: title
+ task:
+ id: 1a6bad15-9ad9-42a3-8023-e7c2d30a3277
+ version: -1
+ name: GCP Investigation
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "32"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 680,
+ "y": 40
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "12":
+ id: "12"
+ taskid: 6e5e5dbb-0643-4235-851a-e670a45e5e15
+ type: title
+ task:
+ id: 6e5e5dbb-0643-4235-851a-e670a45e5e15
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 535
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "23":
+ id: "23"
+ taskid: 0171fbe2-82e1-4357-8254-60419c406ac5
+ type: condition
+ task:
+ id: 0171fbe2-82e1-4357-8254-60419c406ac5
+ version: -1
+ name: Select cloud provider
+ description: Checks the cloud provider.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "12"
+ AWS:
+ - "2"
+ Azure:
+ - "3"
+ GCP:
+ - "4"
+ separatecontext: false
+ conditions:
+ - label: AWS
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: inputs.cloudProvider
+ iscontext: true
+ right:
+ value:
+ simple: AWS
+ ignorecase: true
+ - label: Azure
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: inputs.cloudProvider
+ iscontext: true
+ right:
+ value:
+ simple: Azure
+ ignorecase: true
+ - label: GCP
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: inputs.cloudProvider
+ iscontext: true
+ right:
+ value:
+ simple: GCP
+ ignorecase: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": -190
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "24":
+ id: "24"
+ taskid: 6455ca38-87d5-49ba-8bf9-3aa0c9e8fc17
+ type: title
+ task:
+ id: 6455ca38-87d5-49ba-8bf9-3aa0c9e8fc17
+ version: -1
+ name: Azure Investigation Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "12"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 370
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "25":
+ id: "25"
+ taskid: 4eae44c2-2d06-47fd-868e-b9b186e653b6
+ type: title
+ task:
+ id: 4eae44c2-2d06-47fd-868e-b9b186e653b6
+ version: -1
+ name: AWS Investigation Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "12"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 220,
+ "y": 370
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "27":
+ id: "27"
+ taskid: c72ac51f-28a1-4721-8504-9708e120897f
+ type: title
+ task:
+ id: c72ac51f-28a1-4721-8504-9708e120897f
+ version: -1
+ name: GCP Investigation Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "12"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 680,
+ "y": 370
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "31":
+ id: "31"
+ taskid: c9691f70-47a1-450c-8dcc-11b0aec1c07e
+ type: playbook
+ task:
+ id: c9691f70-47a1-450c-8dcc-11b0aec1c07e
+ version: -1
+ name: AWS - User Investigation
+ description: |
+ This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail.
+ playbookName: AWS - User Investigation
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "25"
+ scriptarguments:
+ AwsTimeSearchFrom:
+ complex:
+ root: inputs.AwsTimeSearchFrom
+ Username:
+ complex:
+ root: inputs.Username
+ separatecontext: true
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 220,
+ "y": 190
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "32":
+ id: "32"
+ taskid: 539ff9cb-ec93-4373-83b2-1e60c7e75240
+ type: playbook
+ task:
+ id: 539ff9cb-ec93-4373-83b2-1e60c7e75240
+ version: -1
+ name: GCP - User Investigation
+ description: |
+ This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging.
+ playbookName: GCP - User Investigation
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "27"
+ scriptarguments:
+ GcpProjectName:
+ complex:
+ root: inputs.GcpProjectName
+ GcpTimeSearchFrom:
+ complex:
+ root: inputs.GcpTimeSearchFrom
+ Username:
+ complex:
+ root: inputs.Username
+ separatecontext: true
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 680,
+ "y": 190
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "33":
+ id: "33"
+ taskid: 42fecd76-1d2a-4ed2-84b6-5a0701d7d569
+ type: playbook
+ task:
+ id: 42fecd76-1d2a-4ed2-84b6-5a0701d7d569
+ version: -1
+ name: Azure - User Investigation
+ description: |
+ This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics.
+ playbookName: Azure - User Investigation
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "24"
+ scriptarguments:
+ AzureSearchTime:
+ complex:
+ root: inputs.AzureSearchTime
+ MfaAttemptThreshold:
+ complex:
+ root: inputs.MfaAttemptThreshold
+ Username:
+ complex:
+ root: inputs.Username
+ failedLogonThreshold:
+ complex:
+ root: inputs.failedLogonThreshold
+ separatecontext: true
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 190
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {
+ "23_12_#default#": 0.16,
+ "23_2_AWS": 0.68,
+ "23_3_Azure": 0.79
+ },
+ "paper": {
+ "dimensions": {
+ "height": 930,
+ "width": 1290,
+ "x": -230,
+ "y": -330
+ }
+ }
+ }
+inputs:
+- key: Username
+ value: {}
+ required: false
+ description: The username to investigate.
+ playbookInputQuery:
+- key: AzureSearchTime
+ value:
+ simple: ago(1d)
+ required: false
+ description: 'The Search Time for the Azure Log Analytics search query. Default value: ago(1d)'
+ playbookInputQuery:
+- key: failedLogonThreshold
+ value:
+ simple: "20"
+ required: false
+ description: The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events.
+ playbookInputQuery:
+- key: MfaAttemptThreshold
+ value:
+ simple: "10"
+ required: false
+ description: The threshold number of MFA failed logon by the user. Required to determine how many MFA failed logon events count as suspicious events.
+ playbookInputQuery:
+- key: AwsTimeSearchFrom
+ value:
+ simple: "1"
+ required: false
+ description: "The Search Time for the `GetTime` task used by the Aws Cloud Trail search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)"
+ playbookInputQuery:
+- key: GcpProjectName
+ value: {}
+ required: false
+ description: The GCP project name. This is a mandatory field for GCP queries.
+ playbookInputQuery:
+- key: GcpTimeSearchFrom
+ value:
+ simple: "1"
+ required: false
+ description: "The Search Time for the `GetTime` task used by the GCP Logging search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)"
+ playbookInputQuery:
+- key: cloudProvider
+ value: {}
+ required: false
+ description: The cloud service provider involved.
+ playbookInputQuery:
+outputs:
+- contextPath: AwsMFAConfigCount
+ description: The number of MFA configurations performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsUserRoleChangesCount
+ description: The number of user roles that were changed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsSuspiciousActivitiesCount
+ description: The number of suspicious activities performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsScriptBasedUserAgentCount
+ description: The number of script-based user agent usages by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsAccessKeyActivitiesCount
+ description: The number of access key activities performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsSecurityChangesCount
+ description: The number of security rules that were changed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsAdminActivitiesCount
+ description: The number of administrative activities performed by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsApiAccessDeniedCount
+ description: The number of API accesses denied by the user in the AWS environment.
+ type: unknown
+- contextPath: AwsFailedLogonCount
+ description: The number of failed logins by the user in the AWS environment.
+ type: unknown
+- contextPath: GcpAnomalousNetworkTraffic
+ description: Determines whether there are events of anomalous network traffic performed by the user in the GCP environment.
+ type: unknown
+- contextPath: GcpSuspiciousApiUsage
+ description: Determines whether there are events of suspicious API usage by the user in the GCP environment.
+ type: unknown
+- contextPath: GcpFailLogonCount
+ description: The number of failed logins by the user in the GCP environment.
+ type: unknown
+- contextPath: GsuiteFailLogonCount
+ description: The number of failed logins by the user in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteUnusualLoginAllowedCount
+ description: The number of unusual logins performed by the user and allowed in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteUnusualLoginBlockedCount
+ description: The number of unusual logins performed by the user and blocked in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteSuspiciousLoginCount
+ description: The number of suspicious logins performed by the user in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteUserPasswordLeaked
+ description: Determines whether user's password was leaked in the G Suite environment.
+ type: unknown
+- contextPath: AzureScriptBasedUserAgentEvents
+ description: Script-based user agent events used by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureAdminActivitiesEvents
+ description: Administrative activities performed by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureSecurityRulesChangeEvents
+ description: Security rules that were changed by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureUnsuccessSecurityRulesChangeEvents
+ description: Unsuccessful attempts to change security rules by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureFailLoginCount
+ description: The number of failed logins by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureFailLoginMFACount
+ description: The number of failed logins by the user using MFA in the Azure environment.
+ type: unknown
+- contextPath: AzureAnomaliesEvents
+ description: Anomaly events on the user in the Azure environment.
+ type: unknown
+- contextPath: AzureRiskyUserCount
+ description: The number of events where the user was defined as a risky user in the Azure environment.
+ type: unknown
+- contextPath: AzureUncommonCountryLogonEvents
+ description: Uncommon country logon events by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureUncommonVolumeEvents
+ description: Uncommon volume events by the user in the Azure environment.
+ type: unknown
+- contextPath: AzureUncommonActivitiesEvents
+ description: Uncommon activity events by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureScriptBasedUserAgentCount
+ description: The number of script-based user agent usages by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureAdminActivitiesCount
+ description: The number of administrative activities performed by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureSecurityRulesChangeCount
+ description: The number of security rules that were changed by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount
+ description: The number of unsuccessful attempts to change security rules by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureAnomaliesCount
+ description: The number of anomaly events on the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUncommonCountryLogonCount
+ description: The number of uncommon country logon events by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUncommonVolumeCount
+ description: The number of uncommon volume events by the user in the Azure environment.
+ type: unknown
+- contextPath: CountAzureEvents.AzureUncommonActivitiesCount
+ description: The number of uncommon activity events by the user in the Azure environment.
+ type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
\ No newline at end of file
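Review bot: The `#default#` branch of task 23 ("Select cloud provider") sends an empty or unrecognized `cloudProvider` straight to the Done task, so the playbook finishes with none of its declared outputs populated and nothing in context distinguishes "no provider matched" from "investigated, nothing found" — an analyst reading the war room could mistake the first for the second. At minimum the input should state the accepted values and that behavior, e.g. `description: 'The cloud service provider involved. Accepted values: AWS, Azure, GCP (case-insensitive); any other value ends the playbook without running an investigation.'`. Related: `GcpProjectName` is described as "a mandatory field for GCP queries" but is `required: false`, and the GCP condition only tests `inputs.cloudProvider`, so a GCP run with no project name is handed to the sub-playbook unchecked — adding an `isExists` check on `inputs.GcpProjectName` to that condition (or a separate condition task before task 32) would fail early with a clear reason. All three sub-playbook tasks also set `skipunavailable: true`, which presumably means a missing sub-playbook pack silently skips that branch too; stating this in the top-level `description` would help whoever triages an empty result.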
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic_README.md
new file mode 100644
index 000000000000..4d9a4f812e03
--- /dev/null
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic_README.md
@@ -0,0 +1,88 @@
+This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
+
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Azure - User Investigation
+* GCP - User Investigation
+* AWS - User Investigation
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+This playbook does not use any scripts.
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to investigate. | | Optional |
+| AzureSearchTime | The Search Time for the Azure Log Analytics search query. Default value: ago\(1d\) | ago(1d) | Optional |
+| failedLogonThreshold | The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events. | 20 | Optional |
+| MfaAttemptThreshold | The threshold number of MFA failed logon by the user. Required to determine how many MFA failed logon events count as suspicious events. | 10 | Optional |
+| AwsTimeSearchFrom | The Search Time for the \`GetTime\` task used by the Aws Cloud Trail search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional |
+| GcpProjectName | The GCP project name. This is a mandatory field for GCP queries. | | Optional |
+| GcpTimeSearchFrom | The Search Time for the \`GetTime\` task used by the GCP Logging search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional |
+| cloudProvider | The cloud service provider involved. | | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| AwsMFAConfigCount | The number of MFA configurations performed by the user in the AWS environment. | unknown |
+| AwsUserRoleChangesCount | The number of user roles that were changed by the user in the AWS environment. | unknown |
+| AwsSuspiciousActivitiesCount | The number of suspicious activities performed by the user in the AWS environment. | unknown |
+| AwsScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the AWS environment. | unknown |
+| AwsAccessKeyActivitiesCount | The number of access key activities performed by the user in the AWS environment. | unknown |
+| AwsSecurityChangesCount | The number of security rules that were changed by the user in the AWS environment. | unknown |
+| AwsAdminActivitiesCount | The number of administrative activities performed by the user in the AWS environment. | unknown |
+| AwsApiAccessDeniedCount | The number of API accesses denied by the user in the AWS environment. | unknown |
+| AwsFailedLogonCount | The number of failed logins by the user in the AWS environment. | unknown |
+| GcpAnomalousNetworkTraffic | Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. | unknown |
+| GcpSuspiciousApiUsage | Determines whether there are events of suspicious API usage by the user in the GCP environment. | unknown |
+| GcpFailLogonCount | The number of failed logins by the user in the GCP environment. | unknown |
+| GsuiteFailLogonCount | The number of failed logins by the user in the G Suite environment. | unknown |
+| GsuiteUnusualLoginAllowedCount | The number of unusual logins performed by the user and allowed in the G Suite environment. | unknown |
+| GsuiteUnusualLoginBlockedCount | The number of unusual logins performed by the user and blocked in the G Suite environment. | unknown |
+| GsuiteSuspiciousLoginCount | The number of suspicious logins performed by the user in the G Suite environment. | unknown |
+| GsuiteUserPasswordLeaked | Determines whether user's password was leaked in the G Suite environment. | unknown |
+| AzureScriptBasedUserAgentEvents | Script-based user agent events used by the user in the Azure environment. | unknown |
+| AzureAdminActivitiesEvents | Administrative activities performed by the user in the Azure environment. | unknown |
+| AzureSecurityRulesChangeEvents | Security rules that were changed by the user in the Azure environment. | unknown |
+| AzureUnsuccessSecurityRulesChangeEvents | Unsuccessful attempts to change security rules by the user in the Azure environment. | unknown |
+| AzureFailLoginCount | The number of failed logins by the user in the Azure environment. | unknown |
+| AzureFailLoginMFACount | The number of failed logins by the user using MFA in the Azure environment. | unknown |
+| AzureAnomaliesEvents | Anomaly events on the user in the Azure environment. | unknown |
+| AzureRiskyUserCount | The number of events where the user was defined as a risky user in the Azure environment. | unknown |
+| AzureUncommonCountryLogonEvents | Uncommon country logon events by the user in the Azure environment. | unknown |
+| AzureUncommonVolumeEvents | Uncommon volume events by the user in the Azure environment. | unknown |
+| AzureUncommonActivitiesEvents | Uncommon activity events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureAdminActivitiesCount | The number of administrative activities performed by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureSecurityRulesChangeCount | The number of security rules that were changed by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount | The number of unsuccessful attempts to change security rules by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureAnomaliesCount | The number of anomaly events on the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonCountryLogonCount | The number of uncommon country logon events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonVolumeCount | The number of uncommon volume events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonActivitiesCount | The number of uncommon activity events by the user in the Azure environment. | unknown |
+
+## Playbook Image
+
+---
+
+![Cloud User Investigation - Generic](../doc_files/Cloud_User_Investigation_-_Generic.png)
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_3_90.md b/Packs/CommonPlaybooks/ReleaseNotes/2_3_90.md
new file mode 100644
index 000000000000..c992f7a851c5
--- /dev/null
+++ b/Packs/CommonPlaybooks/ReleaseNotes/2_3_90.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: Cloud User Investigation - Generic
+
+New: This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/CommonPlaybooks/doc_files/Cloud_User_Investigation_-_Generic.png b/Packs/CommonPlaybooks/doc_files/Cloud_User_Investigation_-_Generic.png
new file mode 100644
index 000000000000..78b22caa4697
Binary files /dev/null and b/Packs/CommonPlaybooks/doc_files/Cloud_User_Investigation_-_Generic.png differ
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json
index 2cac6694a181..a5551ed8aeda 100644
--- a/Packs/CommonPlaybooks/pack_metadata.json
+++ b/Packs/CommonPlaybooks/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Common Playbooks",
"description": "Frequently used playbooks pack.",
"support": "xsoar",
- "currentVersion": "2.3.89",
+ "currentVersion": "2.3.90",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml
new file mode 100644
index 000000000000..962c5f9dc9f7
--- /dev/null
+++ b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml
@@ -0,0 +1,1199 @@
+id: GCP - User Investigation
+version: -1
+name: GCP - User Investigation
+description: |-
+ This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user:
+ - Failed login attempt
+ - Suspicious API usage by the user
+ - Anomalous network traffic by the user
+ - Unusual and suspicious login attempt
+ - User's password leaked
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: b27cfc98-c986-48f1-81f5-57a7f1ef7d05
+ type: start
+ task:
+ id: b27cfc98-c986-48f1-81f5-57a7f1ef7d05
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "28"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": -270
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "6":
+ id: "6"
+ taskid: dadc9fcb-5a06-46e0-8ab0-90af4b540ab0
+ type: condition
+ task:
+ id: dadc9fcb-5a06-46e0-8ab0-90af4b540ab0
+ version: -1
+ name: Is Google Cloud Logging enabled and the user name is defined?
+ description: Checks if the Google Cloud Logging integration is enabled.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "8"
+ "yes":
+ - "14"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: modules
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: modules.brand
+ iscontext: true
+ right:
+ value:
+ simple: GoogleCloudLogging
+ ignorecase: true
+ accessor: state
+ iscontext: true
+ right:
+ value:
+ simple: active
+ ignorecase: true
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.Username
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1210,
+ "y": 230
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "7":
+ id: "7"
+ taskid: 6d9cbf17-12c3-4665-8982-a8f9cab6f8bb
+ type: condition
+ task:
+ id: 6d9cbf17-12c3-4665-8982-a8f9cab6f8bb
+ version: -1
+ name: Is G Suite Auditor enabled and the user name is defined?
+ description: Checks if the G Suite Auditor integration is enabled.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "8"
+ "yes":
+ - "13"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: modules
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: modules.brand
+ iscontext: true
+ right:
+ value:
+ simple: GSuiteAuditor
+ ignorecase: true
+ accessor: state
+ iscontext: true
+ right:
+ value:
+ simple: active
+ ignorecase: true
+ - - operator: isExists
+ left:
+ value:
+ complex:
+ root: inputs.Username
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -720,
+ "y": 230
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "8":
+ id: "8"
+ taskid: e54c43ff-8afb-4223-800b-86aaeac9073f
+ type: title
+ task:
+ id: e54c43ff-8afb-4223-800b-86aaeac9073f
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 980
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "10":
+ id: "10"
+ taskid: 6dae067b-06cb-43e0-8226-842cf95bf639
+ type: regular
+ task:
+ id: 6dae067b-06cb-43e0-8226-842cf95bf639
+ version: -1
+ name: Failed login
+ description: Retrieves a list of activities for a specific customer's account and application.
+ script: '|||gsuite-activity-search'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "12"
+ scriptarguments:
+ application_name:
+ simple: login
+ end_time:
+ complex:
+ root: TimeNow
+ event_name:
+ simple: login_failure
+ extend-context:
+ simple: GsuiteFailLogon=
+ ignore-outputs:
+ simple: "true"
+ start_time:
+ complex:
+ root: SearchFromTime
+ user_key:
+ complex:
+ root: inputs.Username
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 80,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "12":
+ id: "12"
+ taskid: e7ae2ca7-97fb-43a9-8b46-56b6c48c49ee
+ type: regular
+ task:
+ id: e7ae2ca7-97fb-43a9-8b46-56b6c48c49ee
+ version: -1
+ name: 'A count of login failure '
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GsuiteFailLogonCount
+ value:
+ complex:
+ root: GsuiteFailLogon.items.events
+ accessor: name
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 80,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "13":
+ id: "13"
+ taskid: bbf3382b-d462-45e3-8492-d2c860dbb660
+ type: title
+ task:
+ id: bbf3382b-d462-45e3-8492-d2c860dbb660
+ version: -1
+ name: G Suite Auditor
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "10"
+ - "16"
+ - "17"
+ - "18"
+ - "19"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -720,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "14":
+ id: "14"
+ taskid: 56251e8f-bbc7-4764-8729-da592377f6fc
+ type: title
+ task:
+ id: 56251e8f-bbc7-4764-8729-da592377f6fc
+ version: -1
+ name: Google Cloud Logging
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "15"
+ - "25"
+ - "26"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1210,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "15":
+ id: "15"
+ taskid: 3a68adeb-b97e-4308-8ad8-0e64b816b2ad
+ type: regular
+ task:
+ id: 3a68adeb-b97e-4308-8ad8-0e64b816b2ad
+ version: -1
+ name: Multiple failed login attempts by the service account
+ description: Lists log entries. Use this method to retrieve log entries that originated from a project/folder/organization/billing account.
+ script: '|||gcp-logging-log-entries-list'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "29"
+ scriptarguments:
+ extend-context:
+ simple: GcpFailLogon=
+ filter:
+ simple: |-
+ resource.type="audited_resource" AND protoPayload.methodName="google.cloud.audit.login" AND protoPayload.status.code!=0
+ AND protoPayload.methodName="google.cloud.audit.AuthenticationInfo.AuthenticationFailed"
+ AND protoPayload.authenticationInfo.principalEmail="${inputs.Username}"
+ AND timestamp>="${SearchFromTime}"
+ ignore-outputs:
+ simple: "true"
+ project_name:
+ complex:
+ root: inputs.GcpProjectName
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 800,
+ "y": 590
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "16":
+ id: "16"
+ taskid: d87966fb-9f6e-4fed-8f90-7912f1969ff8
+ type: regular
+ task:
+ id: d87966fb-9f6e-4fed-8f90-7912f1969ff8
+ version: -1
+ name: An unusual login was performed by the user
+ description: The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address.
+ script: '|||gsuite-activity-search'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ application_name:
+ simple: login
+ end_time:
+ complex:
+ root: TimeNow
+ event_name:
+ simple: risky_sensitive_action_allowed
+ extend-context:
+ simple: UnusualLoginAllowed=
+ ignore-outputs:
+ simple: "true"
+ start_time:
+ complex:
+ root: SearchFromTime
+ user_key:
+ complex:
+ root: inputs.Username
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -320,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "17":
+ id: "17"
+ taskid: 651f89f0-a093-4922-80a3-10dfba47413f
+ type: regular
+ task:
+ id: 651f89f0-a093-4922-80a3-10dfba47413f
+ version: -1
+ name: An unusual login attempt was performed by the user and blocked
+ description: Retrieves a list of activities for a specific customer's account and application.
+ script: '|||gsuite-activity-search'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "21"
+ scriptarguments:
+ application_name:
+ simple: login
+ end_time:
+ complex:
+ root: TimeNow
+ event_name:
+ simple: risky_sensitive_action_blocked
+ extend-context:
+ simple: GsuiteUnusualLoginBlocked=
+ ignore-outputs:
+ simple: "true"
+ start_time:
+ complex:
+ root: SearchFromTime
+ user_key:
+ complex:
+ root: inputs.Username
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -720,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "18":
+ id: "18"
+ taskid: 76c3f3ce-9072-4074-8565-2f4f5e24c649
+ type: regular
+ task:
+ id: 76c3f3ce-9072-4074-8565-2f4f5e24c649
+ version: -1
+ name: Suspicious login was performed by the user
+ description: Retrieves a list of activities for a specific customer's account and application.
+ script: '|||gsuite-activity-search'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "20"
+ scriptarguments:
+ application_name:
+ simple: login
+ end_time:
+ complex:
+ root: TimeNow
+ event_name:
+ simple: suspicious_login
+ extend-context:
+ simple: GsuiteSuspiciousLogin=
+ ignore-outputs:
+ simple: "true"
+ start_time:
+ complex:
+ root: SearchFromTime
+ user_key:
+ complex:
+ root: inputs.Username
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1120,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "19":
+ id: "19"
+ taskid: bcb78ae5-5768-41a7-84d5-043809656e5d
+ type: regular
+ task:
+ id: bcb78ae5-5768-41a7-84d5-043809656e5d
+ version: -1
+ name: The user disabled and the user's password leaked
+ description: Retrieves a list of activities for a specific customer's account and application.
+ script: '|||gsuite-activity-search'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "23"
+ scriptarguments:
+ application_name:
+ simple: login
+ end_time:
+ complex:
+ root: TimeNow
+ event_name:
+ simple: account_disabled_password_leak
+ extend-context:
+ simple: GsuiteLeakedpassword=
+ ignore-outputs:
+ simple: "true"
+ start_time:
+ complex:
+ root: SearchFromTime
+ user_key:
+ complex:
+ root: inputs.Username
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1520,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "20":
+ id: "20"
+ taskid: 4e139f69-d44c-437c-85a5-37bc0b5b362d
+ type: regular
+ task:
+ id: 4e139f69-d44c-437c-85a5-37bc0b5b362d
+ version: -1
+ name: A count of Suspicious login performed by the user
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GsuiteSuspiciousLoginCount
+ value:
+ complex:
+ root: GoogleUserLogs.items.events
+ accessor: name
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1120,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "21":
+ id: "21"
+ taskid: 1a06c391-b315-44cb-81b0-99908ac77676
+ type: regular
+ task:
+ id: 1a06c391-b315-44cb-81b0-99908ac77676
+ version: -1
+ name: A count of unusual logins attempts performed by the user and blocked
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GsuiteUnusualLoginBlockedCount
+ value:
+ complex:
+ root: GoogleUserLogs.items.events
+ accessor: name
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -720,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "22":
+ id: "22"
+ taskid: 2b3aba1d-0642-4246-8a7b-d3823f405798
+ type: regular
+ task:
+ id: 2b3aba1d-0642-4246-8a7b-d3823f405798
+ version: -1
+ name: A count of unusual logins performed by the user
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GsuiteUnusualLoginAllowedCount
+ value:
+ complex:
+ root: GoogleUserLogs.items.events
+ accessor: name
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -320,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "23":
+ id: "23"
+ taskid: 02c4cc95-abd1-4c0e-8b21-daeff88959a2
+ type: regular
+ task:
+ id: 02c4cc95-abd1-4c0e-8b21-daeff88959a2
+ version: -1
+ name: Set If User's password was leaked
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GsuiteUserPasswordLeaked
+ value:
+ complex:
+ root: inputs.Username
+ transformers:
+ - operator: If-Then-Else
+ args:
+ condition:
+ value:
+ simple: lhs!=rhs
+ conditionB: {}
+ conditionInBetween: {}
+ else:
+ value:
+ simple: "False"
+ equals: {}
+ lhs:
+ value:
+ simple: LeakedPassword.items.events.name
+ iscontext: true
+ lhsB: {}
+ options: {}
+ optionsB: {}
+ rhs: {}
+ rhsB: {}
+ then:
+ value:
+ simple: "True"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -1520,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "25":
+ id: "25"
+ taskid: acebc7b1-fc43-4027-8ad2-e8b236ca8ab6
+ type: regular
+ task:
+ id: acebc7b1-fc43-4027-8ad2-e8b236ca8ab6
+ version: -1
+ name: ' Suspicious API usage by the service account'
+ description: Lists log entries. Use this method to retrieve log entries that originated from a project/folder/organization/billing account.
+ script: '|||gcp-logging-log-entries-list'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "30"
+ scriptarguments:
+ extend-context:
+ simple: GcpApi=
+ filter:
+ simple: "resource.type=\"api\" AND \nprotoPayload.type=\"type.googleapis.com/google.cloud.audit.AuditLog\" AND protoPayload.authenticationInfo.principalEmail=\"${inputs.Username}\" AND protoPayload.status.code!=OK AND timestamp>=\"${SearchFromTime}\""
+ ignore-outputs:
+ simple: "true"
+ project_name:
+ complex:
+ root: inputs.GcpProjectName
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1210,
+ "y": 590
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "26":
+ id: "26"
+ taskid: 485e7aad-cfa0-4d76-8b57-7909630b2217
+ type: regular
+ task:
+ id: 485e7aad-cfa0-4d76-8b57-7909630b2217
+ version: -1
+ name: Anomalous network traffic by the service account
+ description: Lists log entries. Use this method to retrieve log entries that originated from a project/folder/organization/billing account.
+ script: '|||gcp-logging-log-entries-list'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "31"
+ scriptarguments:
+ extend-context:
+ simple: GcpAnomalousTraffic=
+ filter:
+ simple: |-
+ resource.type="gce_network" AND
+ logName="projects/${inputs.GcpProjectName}/logs/compute.googleapis.com%2Fvpc_flows" AND
+ protoPayload.authenticationInfo.principalEmail="${inputs.Username}" AND
+ protoPayload.status.details="ANOMALOUS_TRAFFIC" AND timestamp>="${SearchFromTime}"
+ ignore-outputs:
+ simple: "true"
+ project_name:
+ complex:
+ root: inputs.GcpProjectName
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1620,
+ "y": 590
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "27":
+ id: "27"
+ taskid: ecdd0724-1f54-46dc-8ca3-195f7106c933
+ type: regular
+ task:
+ id: ecdd0724-1f54-46dc-8ca3-195f7106c933
+ version: -1
+ name: Get Time for a search
+ description: |
+ Retrieves the current date and time.
+ scriptName: GetTime
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "6"
+ - "7"
+ scriptarguments:
+ contextKey:
+ simple: SearchFromTime
+ dateFormat:
+ simple: ISO
+ daysAgo:
+ complex:
+ root: inputs.GcpTimeSearchFrom
+ extend-context:
+ simple: SearchFromTime=
+ ignore-outputs:
+ simple: "true"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 45
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "28":
+ id: "28"
+ taskid: ff2101fc-3346-4b65-86f6-aff69984940e
+ type: regular
+ task:
+ id: ff2101fc-3346-4b65-86f6-aff69984940e
+ version: -1
+ name: Get TimeNow for a search
+ description: |
+ Retrieves the current date and time.
+ scriptName: GetTime
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "27"
+ scriptarguments:
+ dateFormat:
+ simple: ISO
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": -135
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "29":
+ id: "29"
+ taskid: 70b6ec52-aa56-47c2-822c-cbadf7ff93cc
+ type: regular
+ task:
+ id: 70b6ec52-aa56-47c2-822c-cbadf7ff93cc
+ version: -1
+ name: Count of login failure by the service account
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GcpFailLogonCount
+ value:
+ complex:
+ root: GcpFailLogon.items.events
+ accessor: name
+ transformers:
+ - operator: count
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 800,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "30":
+ id: "30"
+ taskid: b3ca8f19-3b42-492d-85b9-b88e69668194
+ type: regular
+ task:
+ id: b3ca8f19-3b42-492d-85b9-b88e69668194
+ version: -1
+ name: Set If there suspicious API usage by the service account
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GcpSuspiciousApiUsage
+ value:
+ complex:
+ root: inputs.Username
+ transformers:
+ - operator: If-Then-Else
+ args:
+ condition:
+ value:
+ simple: lhs!=rhs
+ conditionB: {}
+ conditionInBetween: {}
+ else:
+ value:
+ simple: "False"
+ equals: {}
+ lhs:
+ value:
+ simple: GcpApi.items.events.name
+ iscontext: true
+ lhsB: {}
+ options: {}
+ optionsB: {}
+ rhs: {}
+ rhsB: {}
+ then:
+ value:
+ simple: "True"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1210,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "31":
+ id: "31"
+ taskid: 1180b12d-2fa5-44eb-8379-0396652b579e
+ type: regular
+ task:
+ id: 1180b12d-2fa5-44eb-8379-0396652b579e
+ version: -1
+ name: Set If there is anomalous network traffic by the service account
+ description: Set a value in context under the key you entered.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ key:
+ simple: GcpAnomalousNetworkTraffic
+ value:
+ complex:
+ root: inputs.Username
+ transformers:
+ - operator: If-Then-Else
+ args:
+ condition:
+ value:
+ simple: lhs!=rhs
+ conditionB: {}
+ conditionInBetween: {}
+ else:
+ value:
+ simple: "False"
+ equals: {}
+ lhs:
+ value:
+ simple: GcpAnomalousTraffic.items.events.name
+ iscontext: true
+ lhsB: {}
+ options: {}
+ optionsB: {}
+ rhs: {}
+ rhsB: {}
+ then:
+ value:
+ simple: "True"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1620,
+ "y": 755
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {
+ "6_14_yes": 0.52,
+ "6_8_#default#": 0.21,
+ "7_13_yes": 0.41,
+ "7_8_#default#": 0.15
+ },
+ "paper": {
+ "dimensions": {
+ "height": 1315,
+ "width": 3520,
+ "x": -1520,
+ "y": -270
+ }
+ }
+ }
+inputs:
+- key: Username
+ value: {}
+ required: false
+ description: The username to investigate.
+ playbookInputQuery:
+- key: GcpProjectName
+ value: {}
+ required: false
+ description: The GCP project name. This is a mandatory field for GCP queries.
+ playbookInputQuery:
+- key: GcpTimeSearchFrom
+ value:
+ simple: "1"
+ required: false
+ description: "The Search Time for the `GetTime` task used by the GCP Logging search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)"
+ playbookInputQuery:
+outputs:
+- contextPath: GcpAnomalousNetworkTraffic
+ description: Determines whether there are events of anomalous network traffic performed by the user in the GCP environment.
+ type: unknown
+- contextPath: GcpSuspiciousApiUsage
+ description: Determines whether there are events of suspicious API usage by the user in the GCP environment.
+ type: unknown
+- contextPath: GcpFailLogonCount
+ description: The number of failed logins by the user in the GCP environment.
+ type: unknown
+- contextPath: GsuiteFailLogonCount
+ description: The number of failed logins by the user in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteUnusualLoginAllowedCount
+ description: The number of unusual logins performed by the user and allowed in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteUnusualLoginBlockedCount
+ description: The number of unusual logins performed by the user and blocked in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteSuspiciousLoginCount
+ description: The number of suspicious logons performed by the user in the G Suite environment.
+ type: unknown
+- contextPath: GsuiteUserPasswordLeaked
+ description: Determines whether the user's password was leaked in the G Suite environment.
+ type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
\ No newline at end of file
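Review bot: The G Suite count tasks read context keys that nothing in this playbook writes: tasks "20", "21" and "22" count `GoogleUserLogs.items.events` and task "23" tests `LeakedPassword.items.events.name`, while the search tasks feeding them store results via extend-context under `GsuiteSuspiciousLogin`, `GsuiteUnusualLoginBlocked`, `UnusualLoginAllowed` and `GsuiteLeakedpassword` with `ignore-outputs: "true"`, so the default output path is suppressed and GsuiteSuspiciousLoginCount, GsuiteUnusualLoginBlockedCount, GsuiteUnusualLoginAllowedCount and GsuiteUserPasswordLeaked will presumably always come out as 0/False; each Set task's `root:` should name its matching extend-context key, e.g. `root: GsuiteSuspiciousLogin.items.events` in task "20" and `simple: GsuiteLeakedpassword.items.events.name` in task "23". The task "15" filter ANDs two different `=` values for `protoPayload.methodName`, which cannot both hold for one log entry, so GcpFailLogonCount looks like it will always be 0 unless one of the two clauses is removed. The GCP gate in task "6" checks the integration state and Username but not `inputs.GcpProjectName`, which the input description calls mandatory for the GCP queries yet is declared `required: false`; adding an `isNotEmpty` condition on `inputs.GcpProjectName` to that gate (or marking the input required) would keep the three `gcp-logging-log-entries-list` tasks from running with an empty project_name. Task "7" also tests Username with `isExists` where task "6" uses `isNotEmpty`; aligning both on `isNotEmpty` avoids the G Suite branch running on an empty input.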
diff --git a/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation_README.md b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation_README.md
new file mode 100644
index 000000000000..634ffffaeef2
--- /dev/null
+++ b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation_README.md
@@ -0,0 +1,59 @@
+This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user:
+- Failed login attempt
+- Suspicious API usage by the user
+- Anomalous network traffic by the user
+- Unusual and suspicious login attempt
+- User's password leaked
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* GetTime
+* Set
+
+### Commands
+
+* gcp-logging-log-entries-list
+* gsuite-activity-search
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to investigate. | | Optional |
+| GcpProjectName | The GCP project name. This is a mandatory field for GCP queries. | | Optional |
+| GcpTimeSearchFrom | The Search Time for the \`GetTime\` task used by the GCP Logging search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| GcpAnomalousNetworkTraffic | Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. | unknown |
+| GcpSuspiciousApiUsage | Determines whether there are events of suspicious API usage by the user in the GCP environment. | unknown |
+| GcpFailLogonCount | The number of failed logins by the user in the GCP environment. | unknown |
+| GsuiteFailLogonCount | The number of failed logins by the user in the G Suite environment. | unknown |
+| GsuiteUnusualLoginAllowedCount | The number of unusual logins performed by the user and allowed in the G Suite environment. | unknown |
+| GsuiteUnusualLoginBlockedCount | The number of unusual logins performed by the user and blocked in the G Suite environment. | unknown |
+| GsuiteSuspiciousLoginCount | The number of suspicious logons performed by the user in the G Suite environment. | unknown |
+| GsuiteUserPasswordLeaked | Determines whether the user's password was leaked in the G Suite environment. | unknown |
+
+## Playbook Image
+
+---
+
+![GCP - User Investigation](../doc_files/GCP_-_User_Investigation.png)
diff --git a/Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_6.md b/Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_6.md
new file mode 100644
index 000000000000..23769634e862
--- /dev/null
+++ b/Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_6.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: GCP - User Investigation
+
+New: This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/GCP-Enrichment-Remediation/doc_files/GCP_-_User_Investigation.png b/Packs/GCP-Enrichment-Remediation/doc_files/GCP_-_User_Investigation.png
new file mode 100644
index 000000000000..7ca075e966fd
Binary files /dev/null and b/Packs/GCP-Enrichment-Remediation/doc_files/GCP_-_User_Investigation.png differ
diff --git a/Packs/GCP-Enrichment-Remediation/pack_metadata.json b/Packs/GCP-Enrichment-Remediation/pack_metadata.json
index 559099170a14..cd36f82c2bb1 100644
--- a/Packs/GCP-Enrichment-Remediation/pack_metadata.json
+++ b/Packs/GCP-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "GCP Enrichment and Remediation",
"description": "Playbooks using multiple GCP content packs for enrichment and remediation purposes",
"support": "xsoar",
- "currentVersion": "1.1.5",
+ "currentVersion": "1.1.6",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",