demisto · OmriItzhak · Aug 14, 2023 · Aug 7, 2023 · Aug 7, 2023 · Aug 7, 2023
diff --git a/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml b/Packs/AWS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation.yml
diff --git a/...WS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md b/...WS-Enrichment-Remediation/Playbooks/playbook-AWS_-_User_Investigation_README.md
@@ -0,0 +1,64 @@
+This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user:
+- Failed login attempt
+- Suspicious activities 
+- API Access denied
+- Administrative user activities
+- Security rules and policies changes
+- Access keys and access token activities
+- Script-based user agent usage
+- User role changes activities
+- MFA device changes activities
+
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+* AWS - CloudTrail
+
+### Scripts
+
+* LoadJSON
+* GetTime
+* Set
+
+### Commands
+
+* aws-cloudtrail-lookup-events
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Username | The username to investigate. <br/>Please enter the user's email. |  | Optional |
+| AwsTimeSearchFrom | The Search Time for the \`GetTime\` task used by the AWS Cloud Trail search query. <br/>This value represents the number of days to include in the search.<br/>Default value: 1.  \(1 Day\) | 1 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| AwsMFAConfigCount | The number of MFA configurations performed by the user in the AWS environment. | unknown |
+| AwsUserRoleChangesCount | The number of user roles that were changed by the user in the AWS environment. | unknown |
+| AwsSuspiciousActivitiesCount | The number of suspicious activities performed by the user in the AWS environment. | unknown |
+| AwsScriptBasedUserAgentCount | The number of script-based user agent usages by the user in the AWS environment. | unknown |
+| AwsAccessKeyActivitiesCount | The number of access key activities performed by the user in the AWS environment. | unknown |
+| AwsSecurityChangesCount | The number of security rules that were changed by the user in the AWS environment. | unknown |
+| AwsAdminActivitiesCount | The number of administrative activities performed by the user in the AWS environment. | unknown |
+| AwsApiAccessDeniedCount | The number of API accesses denied by the user in the AWS environment. | unknown |
+| AwsFailedLogonCount | The number of failed logins by the user in the AWS environment. | unknown |
+
+## Playbook Image
+
+---
+
+![AWS - User Investigation](../doc_files/AWS_-_User_Investigation.png)
diff --git a/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md b/Packs/AWS-Enrichment-Remediation/ReleaseNotes/1_1_3.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### New: AWS - User Investigation
+
+New: This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail.
+ (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png b/Packs/AWS-Enrichment-Remediation/doc_files/AWS_-_User_Investigation.png
diff --git a/Packs/AWS-Enrichment-Remediation/pack_metadata.json b/Packs/AWS-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "AWS Enrichment and Remediation",
     "description": "Playbooks using multiple AWS content packs for enrichment and remediation purposes",
     "support": "xsoar",
-    "currentVersion": "1.1.2",
+    "currentVersion": "1.1.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",