diff --git a/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml
new file mode 100644
index 000000000000..9b5febea8825
--- /dev/null
+++ b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml
@@ -0,0 +1,1693 @@ +id: AWS - User Investigation +version: -1 +name: AWS - User Investigation +description: "This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user:\n- Failed login attempt\n- Suspicious activities \n- API access denied\n- Administrative user activities\n- Security rules and policies changes\n- Access keys and access token activities\n- Script-based user agent usage\n- User role changes activities\n- MFA device changes activities\n" +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: f3f2d42d-6426-4fa1-8645-5ca37e8b8676 + type: start + task: + id: f3f2d42d-6426-4fa1-8645-5ca37e8b8676 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "46" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": -340 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: e0e47d55-d099-4e4e-8a63-b950e8e06ca0 + type: condition + task: + id: e0e47d55-d099-4e4e-8a63-b950e8e06ca0 + version: -1 + name: Is AWS CloudTrail enabled and is the user name defined? + description: Checks if the AWS CloudTrail integration is enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: AWS - CloudTrail + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.Username + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": 130 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 51206f1f-295e-4aee-8fb6-23a6c7b74613 + type: title + task: + id: 51206f1f-295e-4aee-8fb6-23a6c7b74613 + version: -1 + name: AWS CloudTrail + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": -30 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 49213749-81ae-4feb-86d6-23fed8a9848b + type: regular + task: + id: 49213749-81ae-4feb-86d6-23fed8a9848b + version: -1 + name: Aws-CloudTrail-lookup-events + description: Looks up API activity events captured by CloudTrail that create, update, or delete resources in your account. Events for a region can be looked up for the times in which you had CloudTrail turned on in that region during the last seven days. 
+ script: AWS - CloudTrail|||aws-cloudtrail-lookup-events + type: regular + iscommand: true + brand: AWS - CloudTrail + nexttasks: + '#none#': + - "41" + scriptarguments: + attributeKey: + simple: Username + attributeValue: + complex: + root: inputs.Username + startTime: + complex: + root: TimeNow + transformers: + - operator: RegexExtractAll + args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (.*)\. + unpack_matches: {} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": 315 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 56cd8ece-a7ce-463f-8cfe-dfa186935c86 + type: title + task: + id: 56cd8ece-a7ce-463f-8cfe-dfa186935c86 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 360, + "y": 1430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 23cde925-a031-4457-8bbd-1b96f438d390 + type: regular + task: + id: 23cde925-a031-4457-8bbd-1b96f438d390 + version: -1 + name: Load alerts JSON + description: Loads a JSON from a string input, and returns a JSON object result. 
+ scriptName: LoadJSON + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "12" + - "11" + - "30" + - "32" + - "36" + - "35" + - "38" + - "44" + - "45" + scriptarguments: + input: + complex: + root: AWS.CloudTrail.Events + accessor: CloudTrailEvent + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": 700 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: db70a4ed-7f97-4a5e-847f-544c05584d94 + type: regular + task: + id: db70a4ed-7f97-4a5e-847f-544c05584d94 + version: -1 + name: 'API Access denied Count ' + description: Set the `access denied` API calls, if it exists. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsApiAccessDeniedCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.errorCode + iscontext: true + right: + value: + simple: AccessDenied + ignorecase: true + - - operator: isEqualString + left: + value: + simple: JsonObject.eventType + iscontext: true + right: + value: + simple: AwsApiCall + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -370, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 7cb0546e-9cdc-4087-8510-1316faedee62 + type: title + task: + id: 7cb0546e-9cdc-4087-8510-1316faedee62 + version: -1 + name: Administrative User Activities + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "13" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -810, + "y": 880 + } + 
} + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: 600a27b1-37ee-4e3b-838b-86430e372820 + type: title + task: + id: 600a27b1-37ee-4e3b-838b-86430e372820 + version: -1 + name: API Access Denied + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "10" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -370, + "y": 880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: 5eeb31d6-8b7d-4301-8230-b91158122a71 + type: regular + task: + id: 5eeb31d6-8b7d-4301-8230-b91158122a71 + version: -1 + name: 'Set Administrative User Activities Count ' + description: |- + Set the administrative activities performed by the user, if it exists. + The task sets the following activities: + ResetAccountPassword, CreateUser, DeleteUser, AddUserToGroup, RemoveUserFromGroup, EnableUser, DisableUser, CreateGroup, DeleteGroup, UpdateGroup, UpdateUser, CreateRole, DeleteRole, UpdateRole, ActivateUser, ActivateUsers. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsAdminActivitiesCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: ResetAccountPassword + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateUser + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteUser + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: AddUserToGroup + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: RemoveUserFromGroup + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: EnableUser + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DisableUser + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateGroup + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteGroup + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateGroup + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateUser + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateRole + - operator: isEqualString + left: + value: + 
simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteRole + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateRole + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: ActivateUser + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: ActivateUsers + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -810, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: e6dc04b1-a814-4b96-8490-b3abeb0fb356 + type: regular + task: + id: e6dc04b1-a814-4b96-8490-b3abeb0fb356 + version: -1 + name: Security rules and policies were changed + description: |- + Set the security rules and policy changes made by the user if they exist. + The task sets the following activities: + CreatePolicy, DeletePolicy, UpdatePolicy, CreateAccessPolicy, DeleteAccessPolicy, UpdateAccessPolicy, CreateFirewall, DeleteFirewall, CreateFirewallRule, DeleteFirewallRule, UpdateFirewallRule, CreateFirewallPolicy, UpdateFirewallPolicy, DeleteFirewallPolicy. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsSecurityChangesCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreatePolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeletePolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdatePolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateAccessPolicy + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateAccessPolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteAccessPolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateFirewall + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteFirewall + ignorecase: true + - operator: containsGeneral + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateFirewallRule + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteFirewallRule + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateFirewallRule + ignorecase: true + - operator: isEqualString + left: + value: + simple: 
JsonObject.eventName + iscontext: true + right: + value: + simple: CreateFirewallPolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: | + UpdateFirewallPolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteFirewallPolicy + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1250, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 100e1858-9375-4062-86ec-bd60f4609a28 + type: title + task: + id: 100e1858-9375-4062-86ec-bd60f4609a28 + version: -1 + name: Security rules were changed + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1250, + "y": 880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: f3211bb9-1f9b-4b60-8c8c-2b8afa8b16c7 + type: regular + task: + id: f3211bb9-1f9b-4b60-8c8c-2b8afa8b16c7 + version: -1 + name: Access Keys and Access Token activities + description: |- + Set the access keys and access token activities performed by the user, if it exists. + The task sets the following activities: + CreateAccessKey, DeleteAccessKey, UpdateAccessKey, CreateApiKey, DeleteApiKey, UpdateApiKey, CreateKeyPair, DeleteKeyPair, CreateKey, DeleteKey, DeleteSSHPublicKey, CreateCliToken, CreateToken, DeleteOAuthToken, CreateEnrollmentToken. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsAccessKeyActivitiesCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateAccessKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteAccessKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateAccessKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateApiKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteApiKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateApiKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateKeyPair + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteKeyPair + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteSSHPublicKey + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + 
iscontext: true + right: + value: + simple: CreateCliToken + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateToken + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteOAuthToken + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: CreateEnrollmentToken + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1670, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 5664ffb4-5474-49bc-8d99-504706acabeb + type: title + task: + id: 5664ffb4-5474-49bc-8d99-504706acabeb + version: -1 + name: Access Keys and Access Tokens Modification + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1670, + "y": 880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: cd66a3d7-ef8b-4be3-8c03-d07a227f0739 + type: title + task: + id: cd66a3d7-ef8b-4be3-8c03-d07a227f0739 + version: -1 + name: AWS CloudTrail Done + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "8" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": 1200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 
2c26000e-beeb-4d19-880e-5f417fbdcdf0 + type: regular + task: + id: 2c26000e-beeb-4d19-880e-5f417fbdcdf0 + version: -1 + name: Failed logon attempt + description: Set the console failed logon performed by the user, if it exists. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsFailedLogonCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: ConsoleLogin + ignorecase: true + - - operator: isNotEqualString + left: + value: + simple: JsonObject.responseElements.registryId + iscontext: true + right: + value: + simple: Success + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 35364c42-1631-409d-8887-f13308c77128 + type: title + task: + id: 35364c42-1631-409d-8887-f13308c77128 + version: -1 + name: User Agent + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "37" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2090, + "y": 880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 3a85deae-c6aa-421d-8c4e-6892fb967e7e + type: title + task: + id: 3a85deae-c6aa-421d-8c4e-6892fb967e7e + version: -1 + name: Failed Login Attempt + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "34" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 880 + } + } + note: false + 
timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: d2a5d9c4-fda6-47bf-8505-002fbb79b918 + type: regular + task: + id: d2a5d9c4-fda6-47bf-8505-002fbb79b918 + version: -1 + name: 'Script-based User Agent ' + description: |- + Set the script-based user agent used by the user, if it exists. + The task sets the following script-based user agents : + Jakarta Commons-HttpClient, Python-urllib, Wget, curl. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsScriptBasedUserAgentCount + value: + complex: + root: JsonObject + filters: + - - operator: containsGeneral + left: + value: + simple: JsonObject.userAgent + iscontext: true + right: + value: + simple: Wget + ignorecase: true + - operator: containsGeneral + left: + value: + simple: JsonObject.userAgent + iscontext: true + right: + value: + simple: Jakarta Commons-HttpClient + ignorecase: true + - operator: containsGeneral + left: + value: + simple: JsonObject.userAgent + iscontext: true + right: + value: + simple: Python-urllib + ignorecase: true + - operator: containsGeneral + left: + value: + simple: JsonObject.userAgent + iscontext: true + right: + value: + simple: curl + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2090, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: 2968d186-b0ce-43af-8b72-c78aaf3c3507 + type: title + task: + id: 2968d186-b0ce-43af-8b72-c78aaf3c3507 + version: -1 + name: Suspicious Activities + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "40" + separatecontext: false + continueonerrortype: "" + view: |- + { + 
"position": { + "x": -2520, + "y": 880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 3ea2ac79-77fd-4cea-8942-240abd7b46fe + type: regular + task: + id: 3ea2ac79-77fd-4cea-8942-240abd7b46fe + version: -1 + name: Suspicious Activities + description: |- + Set the suspicious activities performed by the user, if it exists. + The task sets the following activities: + DeleteAlert ,DeleteAlarms ,DeleteCertificate ,DeleteCACertificate ,DeleteCertificateAuthority, DeleteLoggingConfiguration, DeleteWatchlist, StopLogging ,UpdateLoggingConfiguration, DeleteUser. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsSuspiciousActivitiesCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteAlert + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteAlarms + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteCertificate + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteCACertificate + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteCertificateAuthority + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteLoggingConfiguration + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteWatchlist + - operator: isEqualString + left: + 
value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: StopLogging + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: UpdateLoggingConfiguration + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteUser + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2520, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 8b328b9f-aaf6-48ce-8ebd-31408b7b7255 + type: condition + task: + id: 8b328b9f-aaf6-48ce-8ebd-31408b7b7255 + version: -1 + name: Is cloud Trail Event exist? + description: Checks if the CloudTrail events were found. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: AWS.CloudTrail.Events + accessor: CloudTrailEvent + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": 500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 9830080e-0e31-4cfe-8deb-5ef4677e6951 + type: regular + task: + id: 9830080e-0e31-4cfe-8deb-5ef4677e6951 + version: -1 + name: User Role Changes + description: |- + Set the user role changes made by the user if they exist. + The task sets the following activities: + AttachRolePolicy, DetachRolePolicy, DeleteRolePolicy. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsUserRoleChangesCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: AttachRolePolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DetachRolePolicy + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DeleteRolePolicy + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2940, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 93659738-177b-492a-86d0-6d98c044ffef + type: regular + task: + id: 93659738-177b-492a-86d0-6d98c044ffef + version: -1 + name: User MFA Device Changes + description: Set the MFA device change event if performed by the user, if it exists. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + key: + simple: AwsMFAConfigCount + value: + complex: + root: JsonObject + filters: + - - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: DisableMFADevice + ignorecase: true + - operator: isEqualString + left: + value: + simple: JsonObject.eventName + iscontext: true + right: + value: + simple: EnableMFADevice + ignorecase: true + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3360, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 7c5f87ad-a130-4bd7-8ec2-254eb3384c65 + type: title + task: + id: 7c5f87ad-a130-4bd7-8ec2-254eb3384c65 + version: -1 + name: User Role + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "42" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2940, + "y": 880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 52ca1b40-b83d-4c0d-8b91-446b15d8a2fb + type: title + task: + id: 52ca1b40-b83d-4c0d-8b91-446b15d8a2fb + version: -1 + name: Multi-Factor Authentication + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "43" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3360, + "y": 880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 7c2069a9-5b8c-4c03-8c6f-fe93558c93b7 + type: regular + task: + id: 
7c2069a9-5b8c-4c03-8c6f-fe93558c93b7 + version: -1 + name: Get Time for a search + description: | + Retrieves the current date and time. + scriptName: GetTime + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + complex: + root: inputs.AwsTimeSearchFrom + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1460, + "y": -210 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "1_5_yes": 0.37, + "1_8_#default#": 0.13, + "41_8_#default#": 0.15, + "41_9_yes": 0.51 + }, + "paper": { + "dimensions": { + "height": 1835, + "width": 4100, + "x": -3360, + "y": -340 + } + } + } +inputs: +- key: Username + value: {} + required: false + description: "The username to investigate. \nPlease enter the user's email." + playbookInputQuery: +- key: AwsTimeSearchFrom + value: + simple: "1" + required: false + description: "The Search Time for the `GetTime` task used by the AWS Cloud Trail search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)" + playbookInputQuery: +outputs: +- contextPath: AwsMFAConfigCount + description: The number of MFA configurations performed by the user in the AWS environment. + type: unknown +- contextPath: AwsUserRoleChangesCount + description: The number of user roles that were changed by the user in the AWS environment. + type: unknown +- contextPath: AwsSuspiciousActivitiesCount + description: The number of suspicious activities performed by the user in the AWS environment. + type: unknown +- contextPath: AwsScriptBasedUserAgentCount + description: The number of script-based user agent usages by the user in the AWS environment. 
+ type: unknown +- contextPath: AwsAccessKeyActivitiesCount + description: The number of access key activities performed by the user in the AWS environment. + type: unknown +- contextPath: AwsSecurityChangesCount + description: The number of security rules that were changed by the user in the AWS environment. + type: unknown +- contextPath: AwsAdminActivitiesCount + description: The number of administrative activities performed by the user in the AWS environment. + type: unknown +- contextPath: AwsApiAccessDeniedCount + description: The number of API accesses denied by the user in the AWS environment. + type: unknown +- contextPath: AwsFailedLogonCount + description: The number of failed logins by the user in the AWS environment. + type: unknown +tests: +- No tests (auto formatted) +fromversion: 6.9.0 diff --git a/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md new file mode 100644 index 000000000000..5460489e8767 --- /dev/null +++ b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md 
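Review bot: The failed-login count in task "34" filters on `JsonObject.responseElements.registryId`, which is not a field of a CloudTrail ConsoleLogin record; AWS reports the console login outcome in `responseElements.ConsoleLogin` as `Success` or `Failure`. Because the `isNotEqualString` test is applied to a field that is absent, it most likely evaluates true for every ConsoleLogin event, so `AwsFailedLogonCount` would include successful logins; the filter should read `simple: JsonObject.responseElements.ConsoleLogin` with `operator: isEqualString` against `simple: Failure`. In task "29" one filter value is written as a literal block scalar, `simple: |` followed by `UpdateFirewallPolicy`, which keeps a trailing newline and will not match under `isEqualString`; write it as `simple: UpdateFirewallPolicy` like the neighbouring entries. The same task uses `containsGeneral` for `CreateFirewallRule` where every other entry uses `isEqualString`, and several entries in tasks "13" and "40" omit `ignorecase: true`; aligning these keeps the per-category counts comparable. The `Username` input description asks for the user's email, while the `Username` lookup attribute passed to `aws-cloudtrail-lookup-events` appears to match the user name recorded in `userIdentity` rather than an email, so the description should state which value is expected.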
@@ -0,0 +1,64 @@
+This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user:
+- Failed login attempt
+- Suspicious activities
+- API access denied
+- Administrative user activities
+- Security rules and policies changes
+- Access keys and access token activities
+- Script-based user agent usage
+- User role changes activities
+- MFA device changes activities
+
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+AWS - CloudTrail
+
+### Scripts
+
+* LoadJSON
+* GetTime
+* Set
+
+### Commands
+
+aws-cloudtrail-lookup-events
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to investigate.
Please enter the user's email. | | Optional |
+| AwsTimeSearchFrom | The Search Time for the \`GetTime\` task used by the AWS Cloud Trail search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| AwsMFAConfigCount | The number of MFA configurations performed by the user in the AWS environment. | unknown |
+| AwsUserRoleChangesCount | The number of user roles that were changed by the user in the AWS environment. | unknown |
+| AwsSuspiciousActivitiesCount | The number of suspicious activities performed by the user in the AWS environment. | unknown |
+| AwsScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the AWS environment. | unknown |
+| AwsAccessKeyActivitiesCount | The number of access key activities performed by the user in the AWS environment. | unknown |
+| AwsSecurityChangesCount | The number of security rules that were changed by the user in the AWS environment. | unknown |
+| AwsAdminActivitiesCount | The number of administrative activities performed by the user in the AWS environment. | unknown |
+| AwsApiAccessDeniedCount | The number of API accesses denied by the user in the AWS environment. | unknown |
+| AwsFailedLogonCount | The number of failed logins by the user in the AWS environment. | unknown |
+
+## Playbook Image
+
+---
+
+![AWS - User Investigation](../doc_files/AWS_-_User_Investigation.png)
diff --git a/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md b/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md
new file mode 100644
index 000000000000..a68dfa501468
--- /dev/null
+++ b/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: AWS - User Investigation
+
+New: This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png b/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png
new file mode 100644
index 000000000000..310bc46839ce
Binary files /dev/null and b/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png differ
diff --git a/Packs/AWS-Enrichment-Remediation/pack_metadata.json b/Packs/AWS-Enrichment-Remediation/pack_metadata.json
index 0ce76f59c4c3..2ad4843773a4 100644
--- a/Packs/AWS-Enrichment-Remediation/pack_metadata.json
+++ b/Packs/AWS-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS Enrichment and Remediation",
 "description": "Playbooks using multiple AWS content packs for enrichment and remediation purposes",
 "support": "xsoar",
- "currentVersion": "1.1.2",
+ "currentVersion": "1.1.3",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
new file mode 100644
index 000000000000..6c3403d6addc
--- /dev/null
+++ b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
@@ -0,0 +1,1387 @@
+id: Azure - User Investigation
+version: -1
+name: Azure - User Investigation
+description: |-
+ This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user:
+ - Script-based user agent usage
+ - Administrative user activities
+ - Security rules and policies changes
+ - Failed login attempt
+ - MFA failed login attempt
+ - Login attempt from an uncommon country
+ - Anomalies activities
+ - Risky users
+ - Uncommon high volume of actions
+ - Action uncommonly performed by the user
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: 5aee39e8-c3e3-4825-8b99-253c7d8ddabc
+ type: start
+ task:
+ id: 5aee39e8-c3e3-4825-8b99-253c7d8ddabc
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "1"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 70
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "1":
+ id: "1"
+ taskid: 4286364d-bd10-43b7-8838-3d2f13d1eb87
+ type: condition
+ task:
+ id: 4286364d-bd10-43b7-8838-3d2f13d1eb87
+ version: -1
+ name: Is Azure Log Analytics enabled and the user name is defined?
+ description: Checks if the Azure Log Analytics integration is enabled.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "22"
+ "yes":
+ - "6"
+ - "4"
+ - "5"
+ - "9"
+ - "8"
+ - "7"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: modules
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: modules.brand
+ iscontext: true
+ right:
+ value:
+ simple: Azure Log Analytics
+ ignorecase: true
+ accessor: state
+ iscontext: true
+ right:
+ value:
+ simple: active
+ ignorecase: true
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.Username
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 210
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "2":
+ id: "2"
+ taskid: c793822a-6a73-4cef-87b4-cf6363c0b4ac
+ type: regular
+ task:
+ id: c793822a-6a73-4cef-87b4-cf6363c0b4ac
+ version: -1
+ name: 'Logon attempt from uncommon country'
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "29"
+ scriptarguments:
+ extend-context:
+ simple: AzureUncommonCountryLogon=
+ query:
+ simple: "BehaviorAnalytics\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "4":
+ id: "4"
+ taskid: e3afb9b9-75b2-40da-8154-347de63aaedb
+ type: title
+ task:
+ id: e3afb9b9-75b2-40da-8154-347de63aaedb
+ version: -1
+ name: BehaviorAnalytics (Sentinel)
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "2"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "5":
+ id: "5"
+ taskid: 251ebe3b-f61c-4a7f-8173-6b3207bb53b5
+ type: title
+ task:
+ id: 251ebe3b-f61c-4a7f-8173-6b3207bb53b5
+ version: -1
+ name: IdentityInfo (Sentinel)
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "12"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -390,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "6":
+ id: "6"
+ taskid: 5a31e359-3437-4f0c-8580-2940c2532994
+ type: title
+ task:
+ id: 5a31e359-3437-4f0c-8580-2940c2532994
+ version: -1
+ name: Anomalies (Sentinel)
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "13"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 30,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "7":
+ id: "7"
+ taskid: 4b3731b9-77c7-4702-8cad-a6e33593e1ed
+ type: title
+ task:
+ id: 4b3731b9-77c7-4702-8cad-a6e33593e1ed
+ version: -1
+ name: SigninLogs
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "14"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "8":
+ id: "8"
+ taskid: b1c902eb-61da-4b74-8ac4-e37f117a93d2
+ type: title
+ task:
+ id: b1c902eb-61da-4b74-8ac4-e37f117a93d2
+ version: -1
+ name: AzureActivity
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "18"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "9":
+ id: "9"
+ taskid: 72248260-9922-4787-8a99-52eab98184e5
+ type: title
+ task:
+ id: 72248260-9922-4787-8a99-52eab98184e5
+ version: -1
+ name: AuditLogs
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "15"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 430
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "10":
+ id: "10"
+ taskid:
a1fb3fb9-345e-4457-86bc-68967d850bf8
+ type: regular
+ task:
+ id: a1fb3fb9-345e-4457-86bc-68967d850bf8
+ version: -1
+ name: Uncommon high volume of actions
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "30"
+ scriptarguments:
+ extend-context:
+ simple: AzureUncommonVolume=
+ query:
+ simple: "BehaviorAnalytics\n| where ActivityInsights.UncommonHighVolumeOfActions == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "11":
+ id: "11"
+ taskid: 003261b4-1cbb-4e46-86db-7ddc89bd98ef
+ type: regular
+ task:
+ id: 003261b4-1cbb-4e46-86db-7ddc89bd98ef
+ version: -1
+ name: Action uncommonly performed by user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "31"
+ scriptarguments:
+ extend-context:
+ simple: AzureUncommonActivities=
+ query:
+ simple: |-
+ BehaviorAnalytics
+ | where ActivityInsights.ActionUncommonlyPerformedByUser == "True"
+ | where UserPrincipalName == "${inputs.Username}"
+ | where TimeGenerated > ${inputs.AzureSearchTime}
+ | summarize Count = count(), Events = make_list(ActionType)
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 1300
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "12":
+ id: "12"
+ taskid: fdbda8a8-0c68-41ff-8383-b234f5796ebe
+ type: regular
+ task:
+ id: fdbda8a8-0c68-41ff-8383-b234f5796ebe
+ version: -1
+ name: Check if the user is defined as a risky user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "35"
+ scriptarguments:
+ extend-context:
+ simple: AzureRiskyUser=
+ query:
+ simple: |-
+ IdentityInfo
+ | where RiskState contains "Risk"
+ | where RiskLevel == "High"
+ | where AccountUPN == "${inputs.Username}"
+ | where TimeGenerated > ${inputs.AzureSearchTime}
+ | summarize Count = count()
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -390,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "13":
+ id: "13"
+ taskid: 5f98b4bb-04f8-4322-8552-6811832e17a4
+ type: regular
+ task:
+ id: 5f98b4bb-04f8-4322-8552-6811832e17a4
+ version: -1
+ name: Anomalies for the user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "28"
+ scriptarguments:
+ extend-context:
+ simple: AzureAnomalies=
+ query:
+ simple: "Anomalies \n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AnomalyDetails)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 30,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "14":
+ id: "14"
+ taskid: c9c89daa-d7bf-48cc-8efd-16ce1ac02113
+ type: regular
+ task:
+ id: c9c89daa-d7bf-48cc-8efd-16ce1ac02113
+ version: -1
+ name: Failed login attempts by the user
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "33"
+ scriptarguments:
+ extend-context:
+ simple: AzureNumOfFailLogin=
+ query:
+ simple: "SigninLogs \n| where parse_json(Status) contains \"fail\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.failedLogonThreshold}\n| summarize Count = count()"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "15":
+ id: "15"
+ taskid: 3f60ee79-cdd8-4732-8bf0-1eb7494a072f
+ type: regular
+ task:
+ id: 3f60ee79-cdd8-4732-8bf0-1eb7494a072f
+ version: -1
+ name: Check for script-based user agent
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "24"
+ scriptarguments:
+ extend-context:
+ simple: AzureScriptBasedUserAgent=
+ ignore-outputs:
+ simple: "false"
+ query:
+ simple: "AuditLogs \n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == \"${inputs.Username}\" \n| where AdditionalDetails[0].value contains \"python\" or AdditionalDetails[0].value contains \"curl\" or AdditionalDetails[0].value contains \"axios\" or AdditionalDetails[0].value contains \"httpie\" or AdditionalDetails[0].value contains \"wget\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AdditionalDetails)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "18":
+ id: "18"
+ taskid: 231a71b4-5b1f-4b2b-8a38-864e0c704167
+ type: regular
+ task:
+ id: 231a71b4-5b1f-4b2b-8a38-864e0c704167
+ version: -1
+ name: Security rules were changed successfully
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "26"
+ scriptarguments:
+ extend-context:
+ simple: AzureSuccessSecurityRulesChange=
+ query:
+ simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus == \"Succeeded\"\n| where Caller == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 580
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "19":
+ id: "19"
+ taskid: 2c78c73a-079c-4c66-884d-c30be565c963
+ type: regular
+ task:
+ id: 2c78c73a-079c-4c66-884d-c30be565c963
+ version: -1
+ name: An unsuccessful attempt to change security rules
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "27"
+ scriptarguments:
+ extend-context:
+ simple: AzureUnsuccessSecurityRulesChange=
+ query:
+ simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus != \"Succeeded\"\n| where Caller == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "21":
+ id: "21"
+ taskid: a4968328-3479-4eef-80f1-f42aab2c6fe4
+ type: regular
+ task:
+ id: a4968328-3479-4eef-80f1-f42aab2c6fe4
+ version: -1
+ name: Search for administrative user activities
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "25"
+ scriptarguments:
+ extend-context:
+ simple: AzureAdminActivities=
+ ignore-outputs:
+ simple: "false"
+ query:
+ simple: "AuditLogs\n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == \"${inputs.Username}\" \n| where Category in (\"ApplicationManagement\", \"UserManagement\", \"PolicyManagement\", \"GroupManagement\")| where Result == \"success\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "22":
+ id: "22"
+ taskid: 2a2bf514-43ab-4e9b-8e9f-c76ba315d16a
+ type: regular
+ task:
+ id: 2a2bf514-43ab-4e9b-8e9f-c76ba315d16a
+ version: -1
+ name: Set events count
+ description: Set multiple keys/values to the context.
+ scriptName: SetMultipleValues
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "32"
+ scriptarguments:
+ keys:
+ simple: AzureScriptBasedUserAgentCount,AzureAdminActivitiesCount,AzureSecurityRulesChangeCount,AzureUnsuccessSecurityRulesChangeCount,AzureAnomaliesCount,AzureUncommonCountryLogonCount,AzureUncommonVolumeCount,AzureUncommonActivitiesCount
+ parent:
+ simple: CountAzureEvents
+ values:
+ simple: ${AzureScriptBasedUserAgent.tables.rows.[0].[0]},${AzureAdminActivities.tables.rows.[0].[0]},${AzureSuccessSecurityRulesChange.tables.rows.[0].[0]},${AzureUnsuccessSecurityRulesChange.tables.rows.[0].[0]},${AzureAnomalies.tables.rows.[0].[0]},${AzureUncommonCountryLogon.tables.rows.[0].[0]},${AzureUncommonVolume.tables.rows.[0].[0]},${AzureUncommonActivities.tables.rows.[0].[0]}
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 1670
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "23":
+ id: "23"
+ taskid: 87060e96-667d-49a4-8b5a-3072fd4553a1
+ type: regular
+ task:
+ id: 87060e96-667d-49a4-8b5a-3072fd4553a1
+ version: -1
+ name: The user did not pass the MFA challenge
+ description: Executes an Analytics query for data.
+ script: Azure Log Analytics|||azure-log-analytics-execute-query
+ type: regular
+ iscommand: true
+ brand: Azure Log Analytics
+ nexttasks:
+ '#none#':
+ - "34"
+ scriptarguments:
+ extend-context:
+ simple: AzureNumOfFailMFA=
+ query:
+ simple: "SigninLogs \n| where ResultType =~ \"50074\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.MfaAttemptThreshold}"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 940
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: true
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "24":
+ id: "24"
+ taskid: e54197e5-9cf6-4f4f-8875-7e43bdef9808
+ type: regular
+ task:
+ id: e54197e5-9cf6-4f4f-8875-7e43bdef9808
+ version: -1
+ name: Set script-based user agent events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "21"
+ scriptarguments:
+ key:
+ simple: AzureScriptBasedUserAgentEvents
+ value:
+ complex:
+ root: AzureScriptBasedUserAgent.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "25":
+ id: "25"
+ taskid: 69fa497d-ca2e-4891-8b51-842262dc8cfe
+ type: regular
+ task:
+ id: 69fa497d-ca2e-4891-8b51-842262dc8cfe
+ version: -1
+ name: Set administrative events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureAdminActivitiesEvents
+ value:
+ complex:
+ root: AzureAdminActivities.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 1350,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "26":
+ id: "26"
+ taskid: 632abf51-3069-4d39-8307-d88729788b94
+ type: regular
+ task:
+ id: 632abf51-3069-4d39-8307-d88729788b94
+ version: -1
+ name: Set security rules changed events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "19"
+ scriptarguments:
+ key:
+ simple: AzureSecurityRulesChangeEvents
+ value:
+ complex:
+ root: AzureSuccessSecurityRulesChange.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "27":
+ id: "27"
+ taskid: 47fae1fd-4922-4eab-8b29-8577018f047a
+ type: regular
+ task:
+ id: 47fae1fd-4922-4eab-8b29-8577018f047a
+ version: -1
+ name: Set attempt to change security rules events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureUnsuccessSecurityRulesChangeEvents
+ value:
+ complex:
+ root: AzureUnsuccessSecurityRulesChange.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 930,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "28":
+ id: "28"
+ taskid: 7f8e214d-c0df-4d8b-8867-3fd95e597d66
+ type: regular
+ task:
+ id: 7f8e214d-c0df-4d8b-8867-3fd95e597d66
+ version: -1
+ name: Set anomalies events
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureAnomaliesEvents
+ value:
+ complex:
+ root: AzureAnomalies.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 30,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "29":
+ id: "29"
+ taskid: ad023e29-8a0d-4c84-87cf-bec720378b87
+ type: regular
+ task:
+ id: ad023e29-8a0d-4c84-87cf-bec720378b87
+ version: -1
+ name: Set event of logon attempt from uncommon country
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "10"
+ scriptarguments:
+ key:
+ simple: AzureUncommonCountryLogonEvents
+ value:
+ complex:
+ root: AzureUncommonCountryLogon.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "30":
+ id: "30"
+ taskid: 532d2390-6293-4c2c-8873-cbe620c21414
+ type: regular
+ task:
+ id: 532d2390-6293-4c2c-8873-cbe620c21414
+ version: -1
+ name: Set events of uncommon high volume of actions
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "11"
+ scriptarguments:
+ key:
+ simple: AzureUncommonVolumeEvents
+ value:
+ complex:
+ root: AzureUncommonVolume.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "31":
+ id: "31"
+ taskid: 2add1b66-34d3-4c95-8697-2403d56660a7
+ type: regular
+ task:
+ id: 2add1b66-34d3-4c95-8697-2403d56660a7
+ version: -1
+ name: Set events of action uncommonly performed by the user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureUncommonActivitiesEvents
+ value:
+ complex:
+ root: AzureUncommonActivities.tables.rows.[0]
+ accessor: '[1]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -810,
+ "y": 1490
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "32":
+ id: "32"
+ taskid: b8af36fa-0211-4310-866b-cb9f58e16115
+ type: title
+ task:
+ id: b8af36fa-0211-4310-866b-cb9f58e16115
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 270,
+ "y": 1850
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "33":
+ id: "33"
+ taskid: 982caec5-ce0d-46e0-81d4-54f83b6378d7
+ type: regular
+ task:
+ id: 982caec5-ce0d-46e0-81d4-54f83b6378d7
+ version: -1
+ name: Set the number of failed login attempts by the user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "23"
+ scriptarguments:
+ key:
+ simple: AzureFailLoginCount
+ value:
+ complex:
+ root: AzureNumOfFailLogin.tables.rows.[0]
+ accessor: '[0]'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 760
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "34":
+ id: "34"
+ taskid: 881466ef-da2a-461a-8ee3-81c1d7504eb8
+ type: regular
+ task:
+ id: 881466ef-da2a-461a-8ee3-81c1d7504eb8
+ version: -1
+ name: Set the number of failed login MFA by the user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+ scriptName: SetAndHandleEmpty
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "22"
+ scriptarguments:
+ key:
+ simple: AzureFailLoginMFACount
+ value:
+ complex:
+ root: AzureNumOfFailMFA.tables.rows.[0]
+ accessor: '[0]'
+ transformers:
+ - operator: SetIfEmpty
+ args:
+ applyIfEmpty: {}
+ defaultValue:
+ value:
+ simple: "0"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 510,
+ "y": 1120
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "35":
+ id: "35"
+ taskid: 752b0d29-0d1f-4985-814f-72d96252984b
+ type: regular
+ task:
+ id: 752b0d29-0d1f-4985-814f-72d96252984b
+ version: -1
+ name: Set the number that the user was defined as a risky user
+ description: |-
+ Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions.
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "22" + scriptarguments: + key: + simple: AzureRiskyUserCount + value: + complex: + root: AzureRiskyUser.tables.rows.[0] + accessor: '[0]' + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: "0" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -390, + "y": 760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "1_22_#default#": 0.1 + }, + "paper": { + "dimensions": { + "height": 1845, + "width": 2540, + "x": -810, + "y": 70 + } + } + } +inputs: +- key: Username + value: {} + required: false + description: The username to investigate. + playbookInputQuery: +- key: AzureSearchTime + value: + simple: ago(7d) + required: false + description: 'The Search Time for the Azure Log Analytics search query. Default value: ago(1d)' + playbookInputQuery: +- key: failedLogonThreshold + value: + simple: "20" + required: false + description: The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events. + playbookInputQuery: +- key: MfaAttemptThreshold + value: + simple: "10" + required: false + description: The threshold number of MFA failed logons by the user. Required to determine how many MFA failed logon events count as suspicious events. + playbookInputQuery: +outputs: +- contextPath: AzureScriptBasedUserAgentEvents + description: Script-based user agent events used by the user in the Azure environment. 
+ type: unknown +- contextPath: CountAzureEvents.AzureScriptBasedUserAgentCount + description: The number of script-based user agent usages by the user in the Azure environment. + type: unknown +- contextPath: AzureAdminActivitiesEvents + description: Administrative activities performed by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureAdminActivitiesCount + description: The number of administrative activities performed by the user in the Azure environment. + type: unknown +- contextPath: AzureSecurityRulesChangeEvents + description: Security rules that were changed by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureSecurityRulesChangeCount + description: The number of security rules that were changed by the user in the Azure environment. + type: unknown +- contextPath: AzureUnsuccessSecurityRulesChangeEvents + description: Unsuccessful attempts to change security rules by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount + description: The number of unsuccessful attempts to change security rules by the user in the Azure environment. + type: unknown +- contextPath: AzureFailLoginCount + description: The number of failed logins by the user in the Azure environment. + type: unknown +- contextPath: AzureFailLoginMFACount + description: The number of failed logins by the user using MFA in the Azure environment. + type: unknown +- contextPath: AzureAnomaliesEvents + description: Anomaly events on the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureAnomaliesCount + description: The number of anomaly events on the user in the Azure environment. + type: unknown +- contextPath: AzureRiskyUserCount + description: The number of events where the user was defined as a risky user in the Azure environment. 
+ type: unknown +- contextPath: AzureUncommonCountryLogonEvents + description: Uncommon country logon events by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUncommonCountryLogonCount + description: The number of uncommon country logon events by the user in the Azure environment. + type: unknown +- contextPath: AzureUncommonVolumeEvents + description: Uncommon volume events by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUncommonVolumeCount + description: The number of uncommon volume events by the user in the Azure environment. + type: unknown +- contextPath: AzureUncommonActivitiesEvents + description: Uncommon activity events by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUncommonActivitiesCount + description: The number of uncommon activity events by the user in the Azure environment. + type: unknown +tests: +- No tests (auto formatted) +fromversion: 6.9.0 \ No newline at end of file diff --git a/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation_README.md b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation_README.md new file mode 100644 index 000000000000..278d41f62af1 --- /dev/null +++ b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation_README.md 
@@ -0,0 +1,75 @@ +This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user: +- Script-based user agent usage +- Administrative user activities +- Security rules and policies changes +- Failed login attempt +- MFA failed login attempt +- Login attempt from an uncommon country. +- Anomalies activities +- Risky users +- Uncommon high volume of actions +- Action uncommonly performed by the user + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +Azure Log Analytics + +### Scripts + +* SetMultipleValues +* SetAndHandleEmpty + +### Commands + +azure-log-analytics-execute-query + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| Username | The username to investigate. | | Optional | +| AzureSearchTime | The Search Time for the Azure Log Analytics search query. Default value: ago\(1d\) | ago(7d) | Optional | +| failedLogonThreshold | The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events. | 20 | Optional | +| MfaAttemptThreshold | The threshold number of MFA failed logons by the user. Required to determine how many MFA failed logon events count as suspicious events. | 10 | Optional | + +## Playbook Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| AzureScriptBasedUserAgentEvents | Script-based user agent events used by the user in the Azure environment. | unknown | +| CountAzureEvents.AzureScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the Azure environment. | unknown | +| AzureAdminActivitiesEvents | Administrative activities performed by the user in the Azure environment. 
| unknown | +| CountAzureEvents.AzureAdminActivitiesCount | The number of administrative activities performed by the user in the Azure environment. | unknown | +| AzureSecurityRulesChangeEvents | Security rules that were changed by the user in the Azure environment. | unknown | +| CountAzureEvents.AzureSecurityRulesChangeCount | The number of security rules that were changed by the user in the Azure environment. | unknown | +| AzureUnsuccessSecurityRulesChangeEvents | Unsuccessful attempts to change security rules by the user in the Azure environment. | unknown | +| CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount | The number of unsuccessful attempts to change security rules by the user in the Azure environment. | unknown | +| AzureFailLoginCount | The number of failed logins by the user in the Azure environment. | unknown | +| AzureFailLoginMFACount | The number of failed logins by the user using MFA in the Azure environment. | unknown | +| AzureAnomaliesEvents | Anomaly events on the user in the Azure environment. | unknown | +| CountAzureEvents.AzureAnomaliesCount | The number of anomaly events on the user in the Azure environment. | unknown | +| AzureRiskyUserCount | The number of events where the user was defined as a risky user in the Azure environment. | unknown | +| AzureUncommonCountryLogonEvents | Uncommon country logon events by the user in the Azure environment. | unknown | +| CountAzureEvents.AzureUncommonCountryLogonCount | The number of uncommon country logon events by the user in the Azure environment. | unknown | +| AzureUncommonVolumeEvents | Uncommon volume events by the user in the Azure environment. | unknown | +| CountAzureEvents.AzureUncommonVolumeCount | The number of uncommon volume events by the user in the Azure environment. | unknown | +| AzureUncommonActivitiesEvents | Uncommon activity events by the user in the Azure environment. 
| unknown | +| CountAzureEvents.AzureUncommonActivitiesCount | The number of uncommon activity events by the user in the Azure environment. | unknown | + +## Playbook Image + +--- + +![Azure - User Investigation](../doc_files/Azure_-_User_Investigation.png) diff --git a/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_5.md b/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_5.md new file mode 100644 index 000000000000..0dfc5f8e0828 --- /dev/null +++ b/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_5.md @@ -0,0 +1,7 @@ + +#### Playbooks + +##### New: Azure - User Investigation + +New: This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics. + (Available from Cortex XSOAR 6.9.0). diff --git a/Packs/Azure-Enrichment-Remediation/doc_files/Azure_-_User_Investigation.png b/Packs/Azure-Enrichment-Remediation/doc_files/Azure_-_User_Investigation.png new file mode 100644 index 000000000000..f6f80c5ba644 Binary files /dev/null and b/Packs/Azure-Enrichment-Remediation/doc_files/Azure_-_User_Investigation.png differ diff --git a/Packs/Azure-Enrichment-Remediation/pack_metadata.json b/Packs/Azure-Enrichment-Remediation/pack_metadata.json index 50ab6e2ad6af..1ad2a508efac 100644 --- a/Packs/Azure-Enrichment-Remediation/pack_metadata.json +++ b/Packs/Azure-Enrichment-Remediation/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Azure Enrichment and Remediation", "description": "Playbooks using multiple Azure content packs for enrichment and remediation purposes", "support": "xsoar", - "currentVersion": "1.1.4", + "currentVersion": "1.1.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic.yml new file mode 100644 index 000000000000..f566d1f60aae --- /dev/null 
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic.yml 
@@ -0,0 +1,643 @@ +id: Cloud User Investigation - Generic +version: -1 +name: Cloud User Investigation - Generic +description: | + This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: db23b5f7-f28b-42e3-8f4f-4234f2a278c7 + type: start + task: + id: db23b5f7-f28b-42e3-8f4f-4234f2a278c7 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "23" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 656084fe-70c1-46ba-8bdd-7c314aa79c2c + type: title + task: + id: 656084fe-70c1-46ba-8bdd-7c314aa79c2c + version: -1 + name: AWS Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "31" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 220, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 76699a1b-adf1-4889-8426-d75e94cc7090 + type: title + task: + id: 76699a1b-adf1-4889-8426-d75e94cc7090 + version: -1 + name: Azure Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "33" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 1a6bad15-9ad9-42a3-8023-e7c2d30a3277 + type: title + task: + id: 
1a6bad15-9ad9-42a3-8023-e7c2d30a3277 + version: -1 + name: GCP Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "32" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 680, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: 6e5e5dbb-0643-4235-851a-e670a45e5e15 + type: title + task: + id: 6e5e5dbb-0643-4235-851a-e670a45e5e15 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 535 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 0171fbe2-82e1-4357-8254-60419c406ac5 + type: condition + task: + id: 0171fbe2-82e1-4357-8254-60419c406ac5 + version: -1 + name: Select cloud provider + description: Checks the cloud provider. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "12" + AWS: + - "2" + Azure: + - "3" + GCP: + - "4" + separatecontext: false + conditions: + - label: AWS + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.cloudProvider + iscontext: true + right: + value: + simple: AWS + ignorecase: true + - label: Azure + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.cloudProvider + iscontext: true + right: + value: + simple: Azure + ignorecase: true + - label: GCP + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.cloudProvider + iscontext: true + right: + value: + simple: GCP + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 6455ca38-87d5-49ba-8bf9-3aa0c9e8fc17 + type: title + task: + id: 6455ca38-87d5-49ba-8bf9-3aa0c9e8fc17 + version: -1 + name: Azure Investigation Done + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "12" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: 4eae44c2-2d06-47fd-868e-b9b186e653b6 + type: title + task: + id: 4eae44c2-2d06-47fd-868e-b9b186e653b6 + version: -1 + name: AWS Investigation Done + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "12" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 220, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + 
isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: c72ac51f-28a1-4721-8504-9708e120897f + type: title + task: + id: c72ac51f-28a1-4721-8504-9708e120897f + version: -1 + name: GCP Investigation Done + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "12" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 680, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: c9691f70-47a1-450c-8dcc-11b0aec1c07e + type: playbook + task: + id: c9691f70-47a1-450c-8dcc-11b0aec1c07e + version: -1 + name: AWS - User Investigation + description: | + This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail. + playbookName: AWS - User Investigation + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "25" + scriptarguments: + AwsTimeSearchFrom: + complex: + root: inputs.AwsTimeSearchFrom + Username: + complex: + root: inputs.Username + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 220, + "y": 190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 539ff9cb-ec93-4373-83b2-1e60c7e75240 + type: playbook + task: + id: 539ff9cb-ec93-4373-83b2-1e60c7e75240 + version: -1 + name: GCP - User Investigation + description: | + This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging. 
+ playbookName: GCP - User Investigation + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "27" + scriptarguments: + GcpProjectName: + complex: + root: inputs.GcpProjectName + GcpTimeSearchFrom: + complex: + root: inputs.GcpTimeSearchFrom + Username: + complex: + root: inputs.Username + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 680, + "y": 190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: 42fecd76-1d2a-4ed2-84b6-5a0701d7d569 + type: playbook + task: + id: 42fecd76-1d2a-4ed2-84b6-5a0701d7d569 + version: -1 + name: Azure - User Investigation + description: | + This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics. + playbookName: Azure - User Investigation + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "24" + scriptarguments: + AzureSearchTime: + complex: + root: inputs.AzureSearchTime + MfaAttemptThreshold: + complex: + root: inputs.MfaAttemptThreshold + Username: + complex: + root: inputs.Username + failedLogonThreshold: + complex: + root: inputs.failedLogonThreshold + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -230, + "y": 190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "23_12_#default#": 0.16, + "23_2_AWS": 0.68, + "23_3_Azure": 0.79 + }, + "paper": { + "dimensions": { + "height": 930, + "width": 1290, + "x": -230, + "y": -330 + } + } + } +inputs: +- key: Username + value: {} + required: false + description: The username 
to investigate. + playbookInputQuery: +- key: AzureSearchTime + value: + simple: ago(1d) + required: false + description: 'The Search Time for the Azure Log Analytics search query. Default value: ago(1d)' + playbookInputQuery: +- key: failedLogonThreshold + value: + simple: "20" + required: false + description: The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events. + playbookInputQuery: +- key: MfaAttemptThreshold + value: + simple: "10" + required: false + description: The threshold number of MFA failed logon by the user. Required to determine how many MFA failed logon events count as suspicious events. + playbookInputQuery: +- key: AwsTimeSearchFrom + value: + simple: "1" + required: false + description: "The Search Time for the `GetTime` task used by the Aws Cloud Trail search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)" + playbookInputQuery: +- key: GcpProjectName + value: {} + required: false + description: The GCP project name. This is a mandatory field for GCP queries. + playbookInputQuery: +- key: GcpTimeSearchFrom + value: + simple: "1" + required: false + description: "The Search Time for the `GetTime` task used by the GCP Logging search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)" + playbookInputQuery: +- key: cloudProvider + value: {} + required: false + description: The cloud service provider involved. + playbookInputQuery: +outputs: +- contextPath: AwsMFAConfigCount + description: The number of MFA configurations performed by the user in the AWS environment. + type: unknown +- contextPath: AwsUserRoleChangesCount + description: The number of user roles that were changed by the user in the AWS environment. + type: unknown +- contextPath: AwsSuspiciousActivitiesCount + description: The number of suspicious activities performed by the user in the AWS environment. 
+ type: unknown +- contextPath: AwsScriptBasedUserAgentCount + description: The number of script-based user agent usages by the user in the AWS environment. + type: unknown +- contextPath: AwsAccessKeyActivitiesCount + description: The number of access key activities performed by the user in the AWS environment. + type: unknown +- contextPath: AwsSecurityChangesCount + description: The number of security rules that were changed by the user in the AWS environment. + type: unknown +- contextPath: AwsAdminActivitiesCount + description: The number of administrative activities performed by the user in the AWS environment. + type: unknown +- contextPath: AwsApiAccessDeniedCount + description: The number of API accesses denied by the user in the AWS environment. + type: unknown +- contextPath: AwsFailedLogonCount + description: The number of failed logins by the user in the AWS environment. + type: unknown +- contextPath: GcpAnomalousNetworkTraffic + description: Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. + type: unknown +- contextPath: GcpSuspiciousApiUsage + description: Determines whether there are events of suspicious API usage by the user in the GCP environment. + type: unknown +- contextPath: GcpFailLogonCount + description: The number of failed logins by the user in the GCP environment. + type: unknown +- contextPath: GsuiteFailLogonCount + description: The number of failed logins by the user in the G Suite environment. + type: unknown +- contextPath: GsuiteUnusualLoginAllowedCount + description: The number of unusual logins performed by the user and allowed in the G Suite environment. + type: unknown +- contextPath: GsuiteUnusualLoginBlockedCount + description: The number of unusual logins performed by the user and blocked in the G Suite environment. 
+ type: unknown +- contextPath: GsuiteSuspiciousLoginCount + description: The number of suspicious logins performed by the user in the G Suite environment. + type: unknown +- contextPath: GsuiteUserPasswordLeaked + description: Determines whether user's password was leaked in the G Suite environment. + type: unknown +- contextPath: AzureScriptBasedUserAgentEvents + description: Script-based user agent events used by the user in the Azure environment. + type: unknown +- contextPath: AzureAdminActivitiesEvents + description: Administrative activities performed by the user in the Azure environment. + type: unknown +- contextPath: AzureSecurityRulesChangeEvents + description: Security rules that were changed by the user in the Azure environment. + type: unknown +- contextPath: AzureUnsuccessSecurityRulesChangeEvents + description: Unsuccessful attempts to change security rules by the user in the Azure environment. + type: unknown +- contextPath: AzureFailLoginCount + description: The number of failed logins by the user in the Azure environment. + type: unknown +- contextPath: AzureFailLoginMFACount + description: The number of failed logins by the user using MFA in the Azure environment. + type: unknown +- contextPath: AzureAnomaliesEvents + description: Anomaly events on the user in the Azure environment. + type: unknown +- contextPath: AzureRiskyUserCount + description: The number of events where the user was defined as a risky user in the Azure environment. + type: unknown +- contextPath: AzureUncommonCountryLogonEvents + description: Uncommon country logon events by the user in the Azure environment. + type: unknown +- contextPath: AzureUncommonVolumeEvents + description: Uncommon volume events by the user in the Azure environment. + type: unknown +- contextPath: AzureUncommonActivitiesEvents + description: Uncommon activity events by the user in the Azure environment. 
+ type: unknown +- contextPath: CountAzureEvents.AzureScriptBasedUserAgentCount + description: The number of script-based user agent usages by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureAdminActivitiesCount + description: The number of administrative activities performed by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureSecurityRulesChangeCount + description: The number of security rules that were changed by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount + description: The number of unsuccessful attempts to change security rules by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureAnomaliesCount + description: The number of anomaly events on the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUncommonCountryLogonCount + description: The number of uncommon country logon events by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUncommonVolumeCount + description: The number of uncommon volume events by the user in the Azure environment. + type: unknown +- contextPath: CountAzureEvents.AzureUncommonActivitiesCount + description: The number of uncommon activity events by the user in the Azure environment. + type: unknown +tests: +- No tests (auto formatted) +fromversion: 6.9.0 \ No newline at end of file diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic_README.md new file mode 100644 index 000000000000..4d9a4f812e03 --- /dev/null +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_User_Investigation_-_Generic_README.md 
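Review bot: The `cloudProvider` input is declared `required: false` with no statement of accepted values, yet the `Select cloud provider` condition (task 23) sends any value other than AWS, Azure or GCP, including an unset one, via `#default#` straight to the Done title, so a playbook run with that input missing or misspelled finishes successfully with every output empty, which an analyst can easily read as "nothing suspicious found". Either mark the input required or spell out the contract on it, e.g. `description: The cloud service provider involved. Accepted values are AWS, Azure, or GCP (case-insensitive); any other value ends the playbook without running an investigation.` together with `required: true`. The same concern applies to `Username`, which is also optional here although it is the only selector passed to all three sub-playbook tasks (31, 32, 33), and the sub-playbooks appear to gate their queries on it being non-empty; consider giving the `#default#` branch its own title or a context flag so a skipped investigation is distinguishable from an empty result. Minor: the `linkLabelsPosition` view block lists the task 23 edges for AWS and Azure but not GCP, which is cosmetic only.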
@@ -0,0 +1,88 @@ +This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging. + + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +* Azure - User Investigation +* GCP - User Investigation +* AWS - User Investigation + +### Integrations + +This playbook does not use any integrations. + +### Scripts + +This playbook does not use any scripts. + +### Commands + +This playbook does not use any commands. + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| Username | The username to investigate. | | Optional | +| AzureSearchTime | The Search Time for the Azure Log Analytics search query. Default value: ago\(1d\) | ago(1d) | Optional | +| failedLogonThreshold | The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events. | 20 | Optional | +| MfaAttemptThreshold | The threshold number of MFA failed logon by the user. Required to determine how many MFA failed logon events count as suspicious events. | 10 | Optional | +| AwsTimeSearchFrom | The Search Time for the \`GetTime\` task used by the Aws Cloud Trail search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional | +| GcpProjectName | The GCP project name. This is a mandatory field for GCP queries. | | Optional | +| GcpTimeSearchFrom | The Search Time for the \`GetTime\` task used by the GCP Logging search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional | +| cloudProvider | The cloud service provider involved. | | Optional | + +## Playbook Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| AwsMFAConfigCount | The number of MFA configurations performed by the user in the AWS environment. | unknown | +| AwsUserRoleChangesCount | The number of user roles that were changed by the user in the AWS environment. | unknown | +| AwsSuspiciousActivitiesCount | The number of suspicious activities performed by the user in the AWS environment. | unknown | +| AwsScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the AWS environment. | unknown | +| AwsAccessKeyActivitiesCount | The number of access key activities performed by the user in the AWS environment. | unknown | +| AwsSecurityChangesCount | The number of security rules that were changed by the user in the AWS environment. | unknown | +| AwsAdminActivitiesCount | The number of administrative activities performed by the user in the AWS environment. | unknown | +| AwsApiAccessDeniedCount | The number of API accesses denied by the user in the AWS environment. | unknown | +| AwsFailedLogonCount | The number of failed logins by the user in the AWS environment. | unknown | +| GcpAnomalousNetworkTraffic | Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. | unknown | +| GcpSuspiciousApiUsage | Determines whether there are events of suspicious API usage by the user in the GCP environment. | unknown | +| GcpFailLogonCount | The number of failed logins by the user in the GCP environment. | unknown | +| GsuiteFailLogonCount | The number of failed logins by the user in the G Suite environment. | unknown | +| GsuiteUnusualLoginAllowedCount | The number of unusual logins performed by the user and allowed in the G Suite environment. 
| unknown | +| GsuiteUnusualLoginBlockedCount | The number of unusual logins performed by the user and blocked in the G Suite environment. | unknown | +| GsuiteSuspiciousLoginCount | The number of suspicious logins performed by the user in the G Suite environment. | unknown | +| GsuiteUserPasswordLeaked | Determines whether user's password was leaked in the G Suite environment. | unknown | +| AzureScriptBasedUserAgentEvents | Script-based user agent events used by the user in the Azure environment. | unknown | +| AzureAdminActivitiesEvents | Administrative activities performed by the user in the Azure environment. | unknown | +| AzureSecurityRulesChangeEvents | Security rules that were changed by the user in the Azure environment. | unknown | +| AzureUnsuccessSecurityRulesChangeEvents | Unsuccessful attempts to change security rules by the user in the Azure environment. | unknown | +| AzureFailLoginCount | The number of failed logins by the user in the Azure environment. | unknown | +| AzureFailLoginMFACount | The number of failed logins by the user using MFA in the Azure environment. | unknown | +| AzureAnomaliesEvents | Anomaly events on the user in the Azure environment. | unknown | +| AzureRiskyUserCount | The number of events where the user was defined as a risky user in the Azure environment. | unknown | +| AzureUncommonCountryLogonEvents | Uncommon country logon events by the user in the Azure environment. | unknown | +| AzureUncommonVolumeEvents | Uncommon volume events by the user in the Azure environment. | unknown | +| AzureUncommonActivitiesEvents | Uncommon activity events by the user in the Azure environment. | unknown | +| CountAzureEvents.AzureScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the Azure environment. | unknown | +| CountAzureEvents.AzureAdminActivitiesCount | The number of administrative activities performed by the user in the Azure environment. 
| unknown |
+| CountAzureEvents.AzureSecurityRulesChangeCount | The number of security rules that were changed by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount | The number of unsuccessful attempts to change security rules by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureAnomaliesCount | The number of anomaly events on the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonCountryLogonCount | The number of uncommon country logon events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonVolumeCount | The number of uncommon volume events by the user in the Azure environment. | unknown |
+| CountAzureEvents.AzureUncommonActivitiesCount | The number of uncommon activity events by the user in the Azure environment. | unknown |
+
+## Playbook Image
+
+---
+
+![Cloud User Investigation - Generic](../doc_files/Cloud_User_Investigation_-_Generic.png)
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_3_90.md b/Packs/CommonPlaybooks/ReleaseNotes/2_3_90.md
new file mode 100644
index 000000000000..c992f7a851c5
--- /dev/null
+++ b/Packs/CommonPlaybooks/ReleaseNotes/2_3_90.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: Cloud User Investigation - Generic
+
+New: This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/CommonPlaybooks/doc_files/Cloud_User_Investigation_-_Generic.png b/Packs/CommonPlaybooks/doc_files/Cloud_User_Investigation_-_Generic.png
new file mode 100644
index 000000000000..78b22caa4697
Binary files /dev/null and b/Packs/CommonPlaybooks/doc_files/Cloud_User_Investigation_-_Generic.png differ
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json
index 2cac6694a181..a5551ed8aeda 100644
--- a/Packs/CommonPlaybooks/pack_metadata.json
+++ b/Packs/CommonPlaybooks/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Playbooks",
 "description": "Frequently used playbooks pack.",
 "support": "xsoar",
- "currentVersion": "2.3.89",
+ "currentVersion": "2.3.90",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml
new file mode 100644
index 000000000000..962c5f9dc9f7
--- /dev/null
+++ b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation.yml
@@ -0,0 +1,1199 @@ +id: GCP - User Investigation +version: -1 +name: GCP - User Investigation +description: |- + This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user: + - Failed login attempt + - Suspicious API usage by the user + - Anomalous network traffic by the user + - Unusual and suspicious login attempt + - User's password leaked +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: b27cfc98-c986-48f1-81f5-57a7f1ef7d05 + type: start + task: + id: b27cfc98-c986-48f1-81f5-57a7f1ef7d05 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "28" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -270 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: dadc9fcb-5a06-46e0-8ab0-90af4b540ab0 + type: condition + task: + id: dadc9fcb-5a06-46e0-8ab0-90af4b540ab0 + version: -1 + name: Is Google Cloud Logging enabled and the user name is defined? + description: Checks if the Google Cloud Logging integration is enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "14" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: GoogleCloudLogging + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.Username + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1210, + "y": 230 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 6d9cbf17-12c3-4665-8982-a8f9cab6f8bb + type: condition + task: + id: 6d9cbf17-12c3-4665-8982-a8f9cab6f8bb + version: -1 + name: Is G Suite Auditor enabled and the user name is defined? + description: Checks if the G Suite Auditor integration is enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "13" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: GSuiteAuditor + ignorecase: true + accessor: state + iscontext: true + right: + value: + simple: active + ignorecase: true + - - operator: isExists + left: + value: + complex: + root: inputs.Username + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -720, + "y": 230 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: e54c43ff-8afb-4223-800b-86aaeac9073f + type: title + task: + id: e54c43ff-8afb-4223-800b-86aaeac9073f + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 980 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 6dae067b-06cb-43e0-8226-842cf95bf639 + type: regular + task: + id: 6dae067b-06cb-43e0-8226-842cf95bf639 + version: -1 + name: Failed login + description: Retrieves a list of activities for a specific customer's account and application. 
+ script: '|||gsuite-activity-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "12" + scriptarguments: + application_name: + simple: login + end_time: + complex: + root: TimeNow + event_name: + simple: login_failure + extend-context: + simple: GsuiteFailLogon= + ignore-outputs: + simple: "true" + start_time: + complex: + root: SearchFromTime + user_key: + complex: + root: inputs.Username + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 80, + "y": 580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: e7ae2ca7-97fb-43a9-8b46-56b6c48c49ee + type: regular + task: + id: e7ae2ca7-97fb-43a9-8b46-56b6c48c49ee + version: -1 + name: 'A count of login failure ' + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GsuiteFailLogonCount + value: + complex: + root: GsuiteFailLogon.items.events + accessor: name + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 80, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: bbf3382b-d462-45e3-8492-d2c860dbb660 + type: title + task: + id: bbf3382b-d462-45e3-8492-d2c860dbb660 + version: -1 + name: G Suite Auditor + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "10" + - "16" + - "17" + - "18" + - "19" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -720, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + 
quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 56251e8f-bbc7-4764-8729-da592377f6fc + type: title + task: + id: 56251e8f-bbc7-4764-8729-da592377f6fc + version: -1 + name: Google Cloud Logging + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "15" + - "25" + - "26" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1210, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 3a68adeb-b97e-4308-8ad8-0e64b816b2ad + type: regular + task: + id: 3a68adeb-b97e-4308-8ad8-0e64b816b2ad + version: -1 + name: Multiple failed login attempts by the service account + description: Lists log entries. Use this method to retrieve log entries that originated from a project/folder/organization/billing account. + script: '|||gcp-logging-log-entries-list' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "29" + scriptarguments: + extend-context: + simple: GcpFailLogon= + filter: + simple: |- + resource.type="audited_resource" AND protoPayload.methodName="google.cloud.audit.login" AND protoPayload.status.code!=0 + AND protoPayload.methodName="google.cloud.audit.AuthenticationInfo.AuthenticationFailed" + AND protoPayload.authenticationInfo.principalEmail="${inputs.Username}" + AND timestamp>="${SearchFromTime}" + ignore-outputs: + simple: "true" + project_name: + complex: + root: inputs.GcpProjectName + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 800, + "y": 590 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: d87966fb-9f6e-4fed-8f90-7912f1969ff8 + type: regular + task: + id: d87966fb-9f6e-4fed-8f90-7912f1969ff8 + 
version: -1 + name: An unusual login was performed by the user + description: The login attempt had some unusual characteristics, for example the user logged in from an unfamiliar IP address. + script: '|||gsuite-activity-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "22" + scriptarguments: + application_name: + simple: login + end_time: + complex: + root: TimeNow + event_name: + simple: risky_sensitive_action_allowed + extend-context: + simple: UnusualLoginAllowed= + ignore-outputs: + simple: "true" + start_time: + complex: + root: SearchFromTime + user_key: + complex: + root: inputs.Username + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -320, + "y": 580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 651f89f0-a093-4922-80a3-10dfba47413f + type: regular + task: + id: 651f89f0-a093-4922-80a3-10dfba47413f + version: -1 + name: An unusual login attempt was performed by the user and blocked + description: Retrieves a list of activities for a specific customer's account and application. 
+ script: '|||gsuite-activity-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "21" + scriptarguments: + application_name: + simple: login + end_time: + complex: + root: TimeNow + event_name: + simple: risky_sensitive_action_blocked + extend-context: + simple: GsuiteUnusualLoginBlocked= + ignore-outputs: + simple: "true" + start_time: + complex: + root: SearchFromTime + user_key: + complex: + root: inputs.Username + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -720, + "y": 580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 76c3f3ce-9072-4074-8565-2f4f5e24c649 + type: regular + task: + id: 76c3f3ce-9072-4074-8565-2f4f5e24c649 + version: -1 + name: Suspicious login was performed by the user + description: Retrieves a list of activities for a specific customer's account and application. 
+ script: '|||gsuite-activity-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "20" + scriptarguments: + application_name: + simple: login + end_time: + complex: + root: TimeNow + event_name: + simple: suspicious_login + extend-context: + simple: GsuiteSuspiciousLogin= + ignore-outputs: + simple: "true" + start_time: + complex: + root: SearchFromTime + user_key: + complex: + root: inputs.Username + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1120, + "y": 580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: bcb78ae5-5768-41a7-84d5-043809656e5d + type: regular + task: + id: bcb78ae5-5768-41a7-84d5-043809656e5d + version: -1 + name: The user disabled and the user's password leaked + description: Retrieves a list of activities for a specific customer's account and application. + script: '|||gsuite-activity-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "23" + scriptarguments: + application_name: + simple: login + end_time: + complex: + root: TimeNow + event_name: + simple: account_disabled_password_leak + extend-context: + simple: GsuiteLeakedpassword= + ignore-outputs: + simple: "true" + start_time: + complex: + root: SearchFromTime + user_key: + complex: + root: inputs.Username + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1520, + "y": 580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 4e139f69-d44c-437c-85a5-37bc0b5b362d + type: regular + task: + id: 4e139f69-d44c-437c-85a5-37bc0b5b362d + version: -1 + name: A count of Suspicious login performed by the user + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GsuiteSuspiciousLoginCount + value: + complex: + root: GoogleUserLogs.items.events + accessor: name + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1120, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 1a06c391-b315-44cb-81b0-99908ac77676 + type: regular + task: + id: 1a06c391-b315-44cb-81b0-99908ac77676 + version: -1 + name: A count of unusual logins attempts performed by the user and blocked + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GsuiteUnusualLoginBlockedCount + value: + complex: + root: GoogleUserLogs.items.events + accessor: name + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -720, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 2b3aba1d-0642-4246-8a7b-d3823f405798 + type: regular + task: + id: 2b3aba1d-0642-4246-8a7b-d3823f405798 + version: -1 + name: A count of unusual logins performed by the user + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GsuiteUnusualLoginAllowedCount + value: + complex: + root: GoogleUserLogs.items.events + accessor: name + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -320, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 02c4cc95-abd1-4c0e-8b21-daeff88959a2 + type: regular + task: + id: 02c4cc95-abd1-4c0e-8b21-daeff88959a2 + version: -1 + name: Set If User's password was leaked + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GsuiteUserPasswordLeaked + value: + complex: + root: inputs.Username + transformers: + - operator: If-Then-Else + args: + condition: + value: + simple: lhs!=rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: "False" + equals: {} + lhs: + value: + simple: LeakedPassword.items.events.name + iscontext: true + lhsB: {} + options: {} + optionsB: {} + rhs: {} + rhsB: {} + then: + value: + simple: "True" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1520, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: acebc7b1-fc43-4027-8ad2-e8b236ca8ab6 + type: regular + task: + id: acebc7b1-fc43-4027-8ad2-e8b236ca8ab6 + version: -1 + name: ' Suspicious API usage by the service account' + description: Lists log entries. 
Use this method to retrieve log entries that originated from a project/folder/organization/billing account. + script: '|||gcp-logging-log-entries-list' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "30" + scriptarguments: + extend-context: + simple: GcpApi= + filter: + simple: "resource.type=\"api\" AND \nprotoPayload.type=\"type.googleapis.com/google.cloud.audit.AuditLog\" AND protoPayload.authenticationInfo.principalEmail=\"${inputs.Username}\" AND protoPayload.status.code!=OK AND timestamp>=\"${SearchFromTime}\"" + ignore-outputs: + simple: "true" + project_name: + complex: + root: inputs.GcpProjectName + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1210, + "y": 590 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: 485e7aad-cfa0-4d76-8b57-7909630b2217 + type: regular + task: + id: 485e7aad-cfa0-4d76-8b57-7909630b2217 + version: -1 + name: Anomalous network traffic by the service account + description: Lists log entries. Use this method to retrieve log entries that originated from a project/folder/organization/billing account. 
+ script: '|||gcp-logging-log-entries-list' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "31" + scriptarguments: + extend-context: + simple: GcpAnomalousTraffic= + filter: + simple: |- + resource.type="gce_network" AND + logName="projects/${inputs.GcpProjectName}/logs/compute.googleapis.com%2Fvpc_flows" AND + protoPayload.authenticationInfo.principalEmail="${inputs.Username}" AND + protoPayload.status.details="ANOMALOUS_TRAFFIC" AND timestamp>="${SearchFromTime}" + ignore-outputs: + simple: "true" + project_name: + complex: + root: inputs.GcpProjectName + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1620, + "y": 590 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: ecdd0724-1f54-46dc-8ca3-195f7106c933 + type: regular + task: + id: ecdd0724-1f54-46dc-8ca3-195f7106c933 + version: -1 + name: Get Time for a search + description: | + Retrieves the current date and time. + scriptName: GetTime + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + - "7" + scriptarguments: + contextKey: + simple: SearchFromTime + dateFormat: + simple: ISO + daysAgo: + complex: + root: inputs.GcpTimeSearchFrom + extend-context: + simple: SearchFromTime= + ignore-outputs: + simple: "true" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 45 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: ff2101fc-3346-4b65-86f6-aff69984940e + type: regular + task: + id: ff2101fc-3346-4b65-86f6-aff69984940e + version: -1 + name: Get TimeNow for a search + description: | + Retrieves the current date and time. 
+ scriptName: GetTime + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "27" + scriptarguments: + dateFormat: + simple: ISO + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -135 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 70b6ec52-aa56-47c2-822c-cbadf7ff93cc + type: regular + task: + id: 70b6ec52-aa56-47c2-822c-cbadf7ff93cc + version: -1 + name: Count of login failure by the service account + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GcpFailLogonCount + value: + complex: + root: GcpFailLogon.items.events + accessor: name + transformers: + - operator: count + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 800, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: b3ca8f19-3b42-492d-85b9-b88e69668194 + type: regular + task: + id: b3ca8f19-3b42-492d-85b9-b88e69668194 + version: -1 + name: Set If there suspicious API usage by the service account + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GcpSuspiciousApiUsage + value: + complex: + root: inputs.Username + transformers: + - operator: If-Then-Else + args: + condition: + value: + simple: lhs!=rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: "False" + equals: {} + lhs: + value: + simple: GcpApi.items.events.name + iscontext: true + lhsB: {} + options: {} + optionsB: {} + rhs: {} + rhsB: {} + then: + value: + simple: "True" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1210, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 1180b12d-2fa5-44eb-8379-0396652b579e + type: regular + task: + id: 1180b12d-2fa5-44eb-8379-0396652b579e + version: -1 + name: Set If there is anomalous network traffic by the service account + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + ignore-outputs: + simple: "false" + key: + simple: GcpAnomalousNetworkTraffic + value: + complex: + root: inputs.Username + transformers: + - operator: If-Then-Else + args: + condition: + value: + simple: lhs!=rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: "False" + equals: {} + lhs: + value: + simple: GcpAnomalousTraffic.items.events.name + iscontext: true + lhsB: {} + options: {} + optionsB: {} + rhs: {} + rhsB: {} + then: + value: + simple: "True" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1620, + "y": 755 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "6_14_yes": 0.52, + "6_8_#default#": 0.21, + "7_13_yes": 0.41, + "7_8_#default#": 0.15 + }, + "paper": { + "dimensions": { + "height": 1315, + "width": 3520, + "x": -1520, + "y": -270 + } + } + } +inputs: +- key: Username + value: {} + required: false + description: The username to investigate. + playbookInputQuery: +- key: GcpProjectName + value: {} + required: false + description: The GCP project name. This is a mandatory field for GCP queries. + playbookInputQuery: +- key: GcpTimeSearchFrom + value: + simple: "1" + required: false + description: "The Search Time for the `GetTime` task used by the GCP Logging search query. \nThis value represents the number of days to include in the search.\nDefault value: 1. (1 Day)" + playbookInputQuery: +outputs: +- contextPath: GcpAnomalousNetworkTraffic + description: Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. 
+ type: unknown +- contextPath: GcpSuspiciousApiUsage + description: Determines whether there are events of suspicious API usage by the user in the GCP environment. + type: unknown +- contextPath: GcpFailLogonCount + description: The number of failed logins by the user in the GCP environment. + type: unknown +- contextPath: GsuiteFailLogonCount + description: The number of failed logins by the user in the G Suite environment. + type: unknown +- contextPath: GsuiteUnusualLoginAllowedCount + description: The number of unusual logins performed by the user and allowed in the G Suite environment. + type: unknown +- contextPath: GsuiteUnusualLoginBlockedCount + description: The number of unusual logins performed by the user and blocked in the G Suite environment. + type: unknown +- contextPath: GsuiteSuspiciousLoginCount + description: The number of suspicious logons performed by the user in the G Suite environment. + type: unknown +- contextPath: GsuiteUserPasswordLeaked + description: Determines whether the user's password was leaked in the G Suite environment. + type: unknown +tests: +- No tests (auto formatted) +fromversion: 6.9.0 \ No newline at end of file diff --git a/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation_README.md b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation_README.md new file mode 100644 index 000000000000..634ffffaeef2 --- /dev/null +++ b/Packs/GCP-Enrichment-Remediation/Playbooks/playbook-GCP_-_User_Investigation_README.md 
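Review bot: Three of the G Suite count tasks and the leaked-password check read context keys that nothing in this playbook writes, so `GsuiteSuspiciousLoginCount`, `GsuiteUnusualLoginBlockedCount` and `GsuiteUnusualLoginAllowedCount` come out empty/zero and `GsuiteUserPasswordLeaked` is always False: tasks 18, 17 and 16 store their results under `GsuiteSuspiciousLogin`, `GsuiteUnusualLoginBlocked` and `UnusualLoginAllowed` (extend-context with `ignore-outputs: "true"`), yet tasks 20, 21 and 22 count `GoogleUserLogs.items.events`, and task 19 writes `GsuiteLeakedpassword` while task 23 tests `LeakedPassword.items.events.name`. For an investigation playbook that is a silent false negative; the Set tasks should read the keys actually populated, following task 12 which correctly reads `GsuiteFailLogon.items.events`, i.e. `root: GsuiteSuspiciousLogin.items.events` in task 20, `root: GsuiteUnusualLoginBlocked.items.events` in task 21, `root: UnusualLoginAllowed.items.events` in task 22, and `simple: GsuiteLeakedpassword.items.events.name` in task 23. Task 15's filter also ANDs two different equalities on `protoPayload.methodName` (`google.cloud.audit.login` and `google.cloud.audit.AuthenticationInfo.AuthenticationFailed`), which cannot both hold for one entry, so `GcpFailLogonCount` will likewise always be 0; keep only the method name that is actually intended. Separately, `${inputs.Username}` and `${inputs.GcpProjectName}` are interpolated unescaped into the Logging filter strings in tasks 15, 25 and 26, so a value lifted from an alert that contains a `"` or a bare `OR` can rewrite the query; validating the username as a single email address at the task 6/7 gate (which currently only checks non-emptiness, and inconsistently uses `isExists` in task 7 versus `isNotEmpty` in task 6) would close that and make the two gates agree.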
@@ -0,0 +1,59 @@
+This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user:
+- Failed login attempt
+- Suspicious API usage by the user
+- Anomalous network traffic by the user
+- Unusual and suspicious login attempt
+- User's password leaked
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* GetTime
+* Set
+
+### Commands
+
+* gcp-logging-log-entries-list
+* gsuite-activity-search
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to investigate. | | Optional |
+| GcpProjectName | The GCP project name. This is a mandatory field for GCP queries. | | Optional |
+| GcpTimeSearchFrom | The Search Time for the \`GetTime\` task used by the GCP Logging search query.
This value represents the number of days to include in the search.
Default value: 1. \(1 Day\) | 1 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| GcpAnomalousNetworkTraffic | Determines whether there are events of anomalous network traffic performed by the user in the GCP environment. | unknown |
+| GcpSuspiciousApiUsage | Determines whether there are events of suspicious API usage by the user in the GCP environment. | unknown |
+| GcpFailLogonCount | The number of failed logins by the user in the GCP environment. | unknown |
+| GsuiteFailLogonCount | The number of failed logins by the user in the G Suite environment. | unknown |
+| GsuiteUnusualLoginAllowedCount | The number of unusual logins performed by the user and allowed in the G Suite environment. | unknown |
+| GsuiteUnusualLoginBlockedCount | The number of unusual logins performed by the user and blocked in the G Suite environment. | unknown |
+| GsuiteSuspiciousLoginCount | The number of suspicious logons performed by the user in the G Suite environment. | unknown |
+| GsuiteUserPasswordLeaked | Determines whether the user's password was leaked in the G Suite environment. | unknown |
+
+## Playbook Image
+
+---
+
+![GCP - User Investigation](../doc_files/GCP_-_User_Investigation.png)
diff --git a/Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_6.md b/Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_6.md
new file mode 100644
index 000000000000..23769634e862
--- /dev/null
+++ b/Packs/GCP-Enrichment-Remediation/ReleaseNotes/1_1_6.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: GCP - User Investigation
+
+New: This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/GCP-Enrichment-Remediation/doc_files/GCP_-_User_Investigation.png b/Packs/GCP-Enrichment-Remediation/doc_files/GCP_-_User_Investigation.png
new file mode 100644
index 000000000000..7ca075e966fd
Binary files /dev/null and b/Packs/GCP-Enrichment-Remediation/doc_files/GCP_-_User_Investigation.png differ
diff --git a/Packs/GCP-Enrichment-Remediation/pack_metadata.json b/Packs/GCP-Enrichment-Remediation/pack_metadata.json
index 559099170a14..cd36f82c2bb1 100644
--- a/Packs/GCP-Enrichment-Remediation/pack_metadata.json
+++ b/Packs/GCP-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "GCP Enrichment and Remediation",
 "description": "Playbooks using multiple GCP content packs for enrichment and remediation purposes",
 "support": "xsoar",
- "currentVersion": "1.1.5",
+ "currentVersion": "1.1.6",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",