This playbook sets the alert's verdict as malicious if one of the following conditions is true:
- If the source IP address is malicious
- If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity)
- If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity"
- If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well.
- If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region"
If none of the conditions is true, the playbook will wait for an analyst's decision.
This playbook uses the following sub-playbooks, integrations, and scripts.
This playbook does not use any sub-playbooks.
This playbook does not use any integrations.
- Set
- SearchIncidentsV2
This playbook does not use any commands.
| Name | Description | Default Value | Required |
|---|---|---|---|
| sourceIP | The source IP of the attack. | Optional |
| Path | Description | Type |
|---|---|---|
| alertVerdict | The alert verdict | string |
