0:{"P":null,"b":"bWTxmo3xrl9LpwKAvDLZr","c":["","playbooks",""],"q":"","i":false,"f":[[["",{"children":["playbooks",{"children":["__PAGE__",{}]}]},"$undefined","$undefined",true],[["$","$1","c",{"children":[[["$","link","0",{"rel":"stylesheet","href":"/_next/static/chunks/01a8c829da317c7e.css","precedence":"next","crossOrigin":"$undefined","nonce":"$undefined"}],["$","script","script-0",{"src":"/_next/static/chunks/80465abf2d62fd16.js","async":true,"nonce":"$undefined"}]],["$","html",null,{"lang":"en","suppressHydrationWarning":true,"children":[["$","head",null,{"children":[["$","link",null,{"rel":"alternate","type":"application/rss+xml","title":"Cost Nimbus","href":"/feed.xml"}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"Organization\",\"name\":\"Cost Nimbus\",\"url\":\"https://costnimbus.com\",\"description\":\"Cloud cost intelligence built by engineers, for engineers. Real numbers, no vendor fluff.\",\"logo\":\"https://costnimbus.com/og-image.png\"}"}}]]}],["$","body",null,{"className":"space_grotesk_e6988195-module__RNs2Mq__variable nunito_faf8bdde-module__ZdPV6W__variable jetbrains_mono_7ea1d0f9-module__6GV5LG__variable antialiased","style":{"fontFamily":"var(--font-nunito)"},"children":[["$","a",null,{"href":"#main-content","className":"skip-to-content","children":"Skip to content"}],["$","$L2",null,{}],["$","main",null,{"id":"main-content","children":["$","$L3",null,{"parallelRouterKey":"children","error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L4",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":[["$","div",null,{"className":"not-found","children":[["$","h1",null,{"className":"not-found-title","children":"404"}],["$","p",null,{"className":"not-found-desc","children":"This page doesn't exist — but your cloud savings opportunity does."}],["$","div",null,{"className":"flex gap-4 flex-wrap justify-center","children":[["$","$L5",null,{"href":"/","className":"not-found-btn not-found-btn-primary","children":"Home"}],["$","$L5",null,{"href":"/calculators","className":"not-found-btn not-found-btn-cyan","children":"Calculators"}],["$","$L5",null,{"href":"/articles","className":"not-found-btn not-found-btn-purple","children":"Articles"}]]}]]}],[]],"forbidden":"$undefined","unauthorized":"$undefined"}]}],["$","$L6",null,{}],["$","$L7",null,{}],["$","$L8",null,{}]]}]]}]]}],{"children":[["$","$1","c",{"children":[null,["$","$L3",null,{"parallelRouterKey":"children","error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L4",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","forbidden":"$undefined","unauthorized":"$undefined"}]]}],{"children":[["$","$1","c",{"children":[["$","$L9",null,{"playbooks":[{"id":"IR-001","name":"Phishing Email Investigation","version":"1.0.0","author":"CostNimbus","category":"email-security","severity":["medium","high"],"mitre_attack":["T1566.001","T1566.002","T1598.003","T1204.001","T1204.002"],"trigger":["email_security_alert","user_reported_phishing","anti-phishing_gateway_block","siem_correlation_rule"],"tags":["phishing","email","credential-theft","bec","spearphishing","social-engineering"],"tools_required":["email_gateway","edr","siem","threat_intelligence_platform","url_sandbox"],"estimated_time":"30m","integrations":[{"platform":"defender_for_o365","optional":false,"notes":"Microsoft Defender for Office 365 — Threat Explorer and quarantine management"},{"platform":"proofpoint_tap","optional":true,"notes":"Proofpoint Targeted Attack Protection — alternative email security gateway"},{"platform":"crowdstrike_falcon","optional":true,"notes":"Endpoint telemetry for recipients who may have clicked links"},{"platform":"splunk","optional":true,"notes":"Correlation across email, proxy, and endpoint logs"},{"platform":"virustotal","optional":false,"notes":"URL and hash reputation lookups for IOC extraction"}],"steps":[{"id":"step-1","name":"Triage and classify the alert","type":"investigation","tool":"email_gateway","description":"Review the original alert or user report. Determine if this is a bulk phishing campaign, targeted spearphishing, or Business Email Compromise (BEC). Check the sender domain age, SPF/DKIM/DMARC alignment, and reply-to address. Flag BEC indicators (executive impersonation, finance-themed lures, urgency language).\n","automation_hint":"Microsoft Defender for O365 — Threat Explorer: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/{hostId} Proofpoint TAP: GET https://tap-api-v2.proofpoint.com/v2/siem/messages/blocked?sinceSeconds=3600\n","outputs":["email_id","sender_address","sender_ip","email_classification","recipient_list"]},{"id":"step-2","name":"Quarantine suspicious email from all mailboxes","type":"action","tool":"email_gateway","description":"Immediately quarantine the email from all recipient mailboxes — including forwarded copies. Do not wait for user confirmation. Use hard delete or admin quarantine to prevent further access. Log all affected recipients before removal.\n","automation_hint":"Microsoft Defender for O365 PowerShell: Search-Mailbox -SearchQuery \"Subject:''\" -DeleteContent -Force Or via REST: POST https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/messages/archive Proofpoint: POST https://tap-api-v2.proofpoint.com/v2/forensics with campaignId\n","outputs":["quarantine_confirmation","affected_recipient_count"]},{"id":"step-3","name":"Extract all IOCs from email","type":"investigation","tool":"threat_intelligence_platform","description":"Extract all indicators of compromise from the email headers, body, and attachments. Collect: sender IP, sending mail server IP, reply-to address, all embedded URLs (including redirectors), attachment names and SHA256 hashes, X-Originating-IP header. Decode any URL-encoded or base64-encoded content.\n","automation_hint":"CrowdStrike Falcon Intelligence: POST https://api.crowdstrike.com/intel/entities/indicators/v1 VirusTotal URL scan: POST https://www.virustotal.com/api/v3/urls {\"url\": \"\"} Urlscan.io: POST https://urlscan.io/api/v1/scan/ {\"url\": \"\", \"visibility\": \"private\"}\n","outputs":["sender_ip","urls","file_hashes","attachment_names","mail_server_ips"]},{"id":"step-4","name":"Check URL reputation and sandbox suspicious links","type":"investigation","tool":"url_sandbox","description":"Submit all extracted URLs to a sandbox for detonation analysis. Check for credential harvesting pages, drive-by downloads, or redirector chains. Note final landing page URL and any dropped files or executed scripts. Cross-reference against threat intel feeds.\n","automation_hint":"Any.run sandbox: POST https://api.any.run/v1/analysis {\"obj_url\": \"\", \"env_os\": \"Windows\"} VirusTotal: GET https://www.virustotal.com/api/v3/urls/{url_id} Splunk SOAR: Run playbook \"URL Reputation Check\" action\n","outputs":["url_verdict","landing_page_url","dropped_files","credential_harvest_page_detected"]},{"id":"step-5","name":"Identify users who opened email or clicked links","type":"investigation","tool":"siem","description":"Query proxy logs, email gateway click logs, and EDR telemetry to identify any users who opened the email or clicked embedded links. Check Defender for O365 URL click reports, Proofpoint TRAP click data, or web proxy logs for destination URL hits in the timeframe.\n","automation_hint":"Splunk SPL: index=proxy earliest=-1h src_ip IN () url IN () | stats count by src_ip, url, _time Defender for O365: GET https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles KQL (Sentinel): EmailUrlInfo | where Url in (\"\") | join EmailEvents on NetworkMessageId\n","outputs":["clicked_users","click_timestamps","post_click_activity"]},{"id":"step-6","name":"Assess credential compromise for clicking users","type":"investigation","tool":"edr","description":"For each user who clicked links, check for credential submission to phishing sites via browser telemetry. Review form submission events in CrowdStrike or Defender. Check if the user's credentials appear in recent threat intel or paste sites. Review authentication logs for anomalous logins (new geolocation, new device, impossible travel).\n","automation_hint":"CrowdStrike: GET https://api.crowdstrike.com/incidents/queries/incidents/v1 with user filter Azure AD Sign-in Logs (KQL): SigninLogs | where UserPrincipalName == \"\" | where RiskLevel == \"high\" HaveIBeenPwned: GET https://haveibeenpwned.com/api/v3/breachedaccount/\n","outputs":["compromised_accounts","anomalous_login_events"]},{"id":"step-7","name":"Reset credentials for compromised accounts","type":"action","tool":"identity_provider","description":"For any accounts assessed as compromised: immediately revoke all active sessions and OAuth tokens, reset password, enforce MFA re-enrollment. Notify user via out-of-band channel (phone or secondary email). Do not notify via the potentially compromised email account.\n","automation_hint":"Azure AD (Graph API): POST https://graph.microsoft.com/v1.0/users/{userId}/revokeSignInSessions Password reset: PATCH https://graph.microsoft.com/v1.0/users/{userId} {\"passwordProfile\": {\"forceChangePasswordNextSignIn\": true}} CrowdStrike Identity: POST https://api.crowdstrike.com/identity-protection/entities/detections/v1\n","outputs":["reset_confirmation","session_revocation_confirmation"]},{"id":"step-8","name":"Block IOCs across security controls","type":"action","tool":"email_gateway","description":"Push extracted IOCs to blocking controls: add sender domain/IP to email gateway blocklist, add malicious URLs to web proxy/DNS blocklist, add file hashes to EDR blocklist. Create threat intel indicator objects for automated future blocking.\n","automation_hint":"Defender for O365 block: POST https://graph.microsoft.com/v1.0/security/tiIndicators CrowdStrike custom IOC: POST https://api.crowdstrike.com/iocs/entities/indicators/v1 Palo Alto Cortex: POST https://api.paloaltonetworks.com/xsoar/api/v2/incident/artifacts Cisco Umbrella: POST https://management.api.umbrella.com/v1/organizations/{orgId}/destinationlists/{listId}/destinations\n","outputs":["ioc_block_confirmations"]},{"id":"step-9","name":"Search for similar emails across the organization","type":"investigation","tool":"email_gateway","description":"Hunt for similar phishing emails using extracted IOCs. Search by sender domain, reply-to, subject line patterns, URL patterns, and attachment hashes. Expand time window to 30 days to catch campaign infrastructure. Quarantine any additional matches found.\n","automation_hint":"Defender for O365 Threat Explorer: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts Splunk SPL: index=email sourcetype=exchange sender_domain=\"\" earliest=-30d | table recipient, subject, timestamp Proofpoint TAP: GET https://tap-api-v2.proofpoint.com/v2/siem/messages/delivered?sinceSeconds=2592000\n","outputs":["related_emails_found","additional_quarantine_count"]},{"id":"step-10","name":"Determine if escalation to IR team is needed","type":"decision","description":"Evaluate whether this requires full incident response engagement. Escalate if: credentials were confirmed compromised, attacker established persistence (new OAuth grants, forwarding rules), BEC with financial transaction, or campaign targeted C-suite. Otherwise close as contained and proceed to post-incident steps.\n","outputs":["escalation_decision","escalation_reason"]},{"id":"step-11","name":"Escalate to IR team if required","type":"escalation","description":"If escalation criteria met: open P1/P2 incident ticket, notify SOC lead, CISO, and legal (if PII involved). Preserve email artifacts and chain of custody. Do not delete any evidence. Brief IR team on timeline, IOCs, and confirmed compromise scope.\n","outputs":["incident_ticket_id","escalation_notification_sent"]},{"id":"step-12","name":"Notify affected users and security awareness team","type":"notification","description":"Send out-of-band notification to all affected recipients informing them of the phishing attempt, what to watch for (credential prompts, unexpected MFA requests), and who to contact if they observe suspicious activity. Notify security awareness team to prepare targeted training for the lure type used.\n","outputs":["user_notification_sent","awareness_team_notified"]}],"post_incident":["Update email gateway blocklists with all extracted IOCs (domain, IP, URL, hash)","File incident report in ticketing system with full timeline and IOC list","Notify affected users of phishing attempt via out-of-band channel","Schedule targeted phishing awareness training within 5 business days","Review and tighten SPF/DKIM/DMARC policies for own domains","Add phishing lure indicators to anti-phishing simulation platform for future training","Submit campaign indicators to threat sharing communities (ISACs, FS-ISAC if applicable)","Review email gateway detection tuning — reduce false negatives for this campaign type"],"metrics":{"avg_resolution_time":"45m","false_positive_rate":"15%","escalation_rate":"8%"},"filename":"IR-001-phishing-email-investigation.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/email-security/IR-001-phishing-email-investigation.yaml"},{"id":"IR-002","name":"Malware Endpoint Containment","version":"1.0.0","author":"CostNimbus","category":"endpoint","severity":["high","critical"],"mitre_attack":["T1059.001","T1059.003","T1055","T1027","T1547.001","T1036","T1071.001","T1105"],"trigger":["edr_malware_detection","av_alert","siem_malware_correlation_rule","user_reported_suspicious_behavior","ndr_c2_beacon_detected"],"tags":["malware","endpoint","containment","edr","c2","persistence"],"tools_required":["edr","siem","threat_intelligence_platform","network_firewall","forensics_platform"],"estimated_time":"45m","integrations":[{"platform":"crowdstrike_falcon","optional":false,"notes":"Primary EDR — real-time detection, containment, and forensics"},{"platform":"splunk","optional":false,"notes":"SIEM correlation, log aggregation, threat hunting"},{"platform":"carbon_black","optional":true,"notes":"Alternative EDR — process tree analysis and live response"},{"platform":"palo_alto_cortex_xdr","optional":true,"notes":"Alternative XDR platform"},{"platform":"virustotal","optional":false,"notes":"Malware hash and file reputation lookups"}],"steps":[{"id":"step-1","name":"Confirm detection and assess severity","type":"investigation","tool":"edr","description":"Review the EDR alert details: detection engine verdict (ML, behavioral, signature), process tree, parent-child relationships, detection confidence score, and any existing threat intel classification (ransomware, RAT, info-stealer, cryptominer). Determine if this is a confirmed detection or false positive based on file reputation, process context, and user context.\n","automation_hint":"CrowdStrike Falcon: GET https://api.crowdstrike.com/detections/entities/summaries/GET/v1 {\"ids\": [\"\"]} Carbon Black: GET https://defense.conferdeploy.net/integrationServices/v3/alertNotifications\n","outputs":["detection_verdict","malware_family","detection_confidence","affected_host","affected_user"]},{"id":"step-2","name":"Isolate the affected endpoint","type":"action","tool":"edr","description":"Immediately contain/isolate the endpoint to prevent lateral movement and C2 communication. Network isolation should allow EDR agent communication but block all other traffic. Confirm isolation is active before proceeding. Note: isolation cuts off user — communicate with user via phone or secondary device.\n","automation_hint":"CrowdStrike Falcon: POST https://api.crowdstrike.com/devices/entities/devices-actions/v2 {\"action_name\": \"contain\", \"ids\": [\"\"]} Carbon Black: POST https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/devices/{device_id}/actions {\"action_type\": \"QUARANTINE\", \"options\": {\"toggle\": \"ON\"}}\n","outputs":["isolation_confirmation","isolation_timestamp"]},{"id":"step-3","name":"Capture full process tree and execution chain","type":"investigation","tool":"edr","description":"Pull the complete process tree for the malicious process: parent process, grandparent, all child spawns, and any injected processes. Capture process command lines, hashes, user context, working directory, and execution timestamps. This establishes the full attack chain and initial access vector.\n","automation_hint":"CrowdStrike Falcon (Event Search): GET https://api.crowdstrike.com/events/combined/events/v1 Splunk SPL: index=crowdstrike sourcetype=crowdstrike:events ComputerName=\"\" | table timestamp, FileName, CommandLine, ParentBaseFileName, SHA256HashData | sort timestamp\n","outputs":["process_tree","initial_process_hash","parent_process","execution_timestamp"]},{"id":"step-4","name":"Extract malware artifacts and hashes","type":"investigation","tool":"edr","description":"Collect all file artifacts dropped or modified by the malware: executable paths, DLLs, scripts, config files, and any dropped payloads. Hash all files (SHA256). Collect registry keys created or modified. Capture network connections established (destination IPs, ports, domains).\n","automation_hint":"CrowdStrike Real Time Response: POST https://api.crowdstrike.com/real-time-response/entities/sessions/v1 Then: POST https://api.crowdstrike.com/real-time-response/entities/command/v1 {\"session_id\": \"\", \"base_command\": \"get\", \"command_string\": \"get \"}\n","outputs":["malware_file_hashes","dropped_file_paths","registry_modifications","c2_ips","c2_domains"]},{"id":"step-5","name":"Perform threat intelligence lookup on malware","type":"investigation","tool":"threat_intelligence_platform","description":"Submit malware hashes to threat intel platforms for family identification, known C2 infrastructure, known TTPs, and any decryption or kill switch information. Cross-reference with threat actor profiles. Determine if malware is commodity (opportunistic) or targeted (APT-associated). Check for known YARA signatures.\n","automation_hint":"VirusTotal: GET https://www.virustotal.com/api/v3/files/{sha256} CrowdStrike Intel: GET https://api.crowdstrike.com/intel/entities/indicators/v1?ids={hash} MalwareBazaar: POST https://mb-api.abuse.ch/api/v1/ {\"query\": \"get_info\", \"hash\": \"\"}\n","outputs":["malware_family","threat_actor","known_c2_infrastructure","malware_capabilities"]},{"id":"step-6","name":"Block C2 infrastructure at network controls","type":"action","tool":"network_firewall","description":"Block all identified C2 IP addresses and domains at the network perimeter, DNS sinkholes, and proxy blocklists. Create firewall rules to drop outbound connections to C2 infrastructure. Add domains to DNS blocklist for sinkholing. Monitor for any other hosts attempting to reach the same C2 infrastructure.\n","automation_hint":"Palo Alto Firewall API: POST https:///api/?type=config&action=set &xpath=&element= Cisco Umbrella: POST https://management.api.umbrella.com/v1/organizations/{orgId}/destinationlists/{listId}/destinations CrowdStrike Custom IOC: POST https://api.crowdstrike.com/iocs/entities/indicators/v1\n","outputs":["c2_block_confirmation"]},{"id":"step-7","name":"Hunt for lateral movement from infected host","type":"investigation","tool":"siem","description":"Search for evidence of lateral movement originating from the infected endpoint: SMB connections to other hosts, RDP sessions, PsExec/WMI execution, credential use on other systems, network scanning activity. Check authentication logs for logons from infected host's IP within the infection window.\n","automation_hint":"Splunk SPL: index=wineventlog (EventCode=4624 OR EventCode=4648) src_ip=\"\" NOT dest_ip=\"\" earliest=-2h | stats count by dest_ip, Account_Name, LogonType Splunk SPL: index=crowdstrike sourcetype=crowdstrike:events ComputerName=\"\" RemoteAddressIP1!=\"\" | table timestamp, RemoteAddressIP1, LocalPort\n","outputs":["lateral_movement_targets","additional_compromised_hosts"]},{"id":"step-8","name":"Identify persistence mechanisms","type":"investigation","tool":"edr","description":"Enumerate all persistence mechanisms established by the malware: scheduled tasks, registry run keys, service installations, startup folder entries, WMI subscriptions, browser extensions, or modified system files. Document all persistence locations for remediation.\n","automation_hint":"CrowdStrike RTR: run \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" Autoruns remote collection: autorunsc.exe -a * -s -h -c -nobanner > autoruns.csv Splunk SPL: index=wineventlog EventCode=4698 earliest=-6h | table SubjectUserName, TaskName, TaskContent\n","outputs":["persistence_mechanisms","scheduled_tasks","registry_run_keys"]},{"id":"step-9","name":"Assess scope — identify all affected hosts","type":"investigation","tool":"siem","description":"Determine if this is an isolated infection or part of broader campaign. Search for the malware hash across all endpoints. Search for C2 communication in proxy/DNS logs across the entire organization. Search for the same lateral movement patterns on other hosts.\n","automation_hint":"CrowdStrike: GET https://api.crowdstrike.com/iocs/queries/indicators/v1 Splunk SPL: index=proxy url IN () OR dest_ip IN () earliest=-24h | stats dc(src_ip) as unique_hosts by url | where unique_hosts > 0\n","outputs":["total_infected_hosts","infection_spread_timeline"]},{"id":"step-10","name":"Eradicate malware from isolated host","type":"action","tool":"edr","description":"Execute EDR-driven remediation: remove malware files, revert registry changes, remove scheduled tasks, uninstall malicious services. Run a full offline scan with up-to-date signatures. Restore modified system files from known-good backups or Windows file protection. Document all remediated items.\n","automation_hint":"CrowdStrike RTR: POST https://api.crowdstrike.com/real-time-response/entities/command/v1 {\"session_id\": \"\", \"base_command\": \"rm\", \"command_string\": \"rm ''\"} Carbon Black: trigger \"kill process\" and \"delete file\" via Live Response API\n","outputs":["remediation_actions","files_removed"]},{"id":"step-11","name":"Verify clean state before re-imaging or reconnecting","type":"investigation","tool":"edr","description":"Run post-remediation validation: check EDR scan clean, verify all persistence mechanisms removed, confirm no active network connections to C2 infrastructure. If confidence in clean state is < 100%, escalate to full re-image. For critical infrastructure hosts, always re-image regardless of apparent clean status.\n","outputs":["clean_verification_result","reimaging_required"]},{"id":"step-12","name":"Lift isolation and restore operations","type":"action","tool":"edr","description":"Once verified clean (or after re-image), lift network isolation, restore host to production. Monitor closely for 24h post-restoration. Force password change for any user accounts that were active on the compromised host.\n","automation_hint":"CrowdStrike: POST https://api.crowdstrike.com/devices/entities/devices-actions/v2 {\"action_name\": \"lift_containment\", \"ids\": [\"\"]}\n","outputs":["isolation_lifted","restoration_timestamp"]}],"post_incident":["Push all malware IOCs (hashes, C2 IPs/domains) to EDR and firewall blocklists","File incident report with full attack chain timeline, IOCs, and affected host list","Force password resets for all user accounts active on affected hosts during infection window","Conduct forensic disk imaging of affected host(s) for legal hold or investigation","Review EDR detection rules — tune to catch this malware family earlier in kill chain","Verify all affected hosts are patched against any exploited vulnerabilities","Share IOCs with threat intel community (ISACs, sector partners)","Conduct root cause analysis: how did malware get in? Address the initial access vector.","Brief CISO on scope, impact, and remediation timeline"],"metrics":{"avg_resolution_time":"90m","false_positive_rate":"5%","escalation_rate":"25%"},"filename":"IR-002-malware-endpoint-containment.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/endpoint/IR-002-malware-endpoint-containment.yaml"},{"id":"IR-003","name":"Brute Force Authentication Attack","version":"1.0.0","author":"CostNimbus","category":"identity","severity":["medium","high"],"mitre_attack":["T1110.001","T1110.003","T1110.004","T1078","T1556.006"],"trigger":["siem_failed_login_threshold","identity_provider_lockout_alert","azure_ad_risky_sign_in","okta_suspicious_activity_alert"],"tags":["brute-force","credential-attack","password-spray","account-lockout","authentication","mfa"],"tools_required":["siem","identity_provider","threat_intelligence_platform","network_firewall"],"estimated_time":"20m","integrations":[{"platform":"azure_active_directory","optional":false,"notes":"Azure AD Sign-in Logs, Risky Users, Identity Protection"},{"platform":"okta","optional":true,"notes":"Alternative IdP — System Log and ThreatInsight"},{"platform":"splunk","optional":false,"notes":"Log aggregation and correlation across authentication sources"},{"platform":"palo_alto_prisma_access","optional":true,"notes":"Geo-blocking and IP reputation enforcement at network edge"}],"steps":[{"id":"step-1","name":"Determine attack type and source","type":"investigation","tool":"siem","description":"Classify the attack pattern: password spraying (few passwords, many accounts), credential stuffing (known breach credentials), brute force (many passwords, one account), or MFA fatigue attack. Identify the source: single IP, distributed IP range, TOR exit nodes, VPN infrastructure, or botnet. Note timing patterns (distributed vs. rate-limited).\n","automation_hint":"Splunk SPL: index=windows_security EventCode=4625 earliest=-1h | stats count by src_ip, user | eval attack_type=if(dc(user)>10,\"password_spray\",\"brute_force\") | sort -count Azure AD KQL: SigninLogs | where TimeGenerated > ago(1h) | where ResultType != \"0\" | summarize FailureCount=count() by IPAddress, UserPrincipalName | where FailureCount > 10\n","outputs":["attack_type","source_ips","targeted_accounts","failure_count"]},{"id":"step-2","name":"Block attacking IP addresses","type":"action","tool":"network_firewall","description":"Block the identified source IP addresses at the perimeter firewall and at the identity provider level. For distributed attacks (botnet/TOR), block by ASN or geo-region if business operations permit. Add IPs to WAF blacklist if attack is targeting web-based authentication portals.\n","automation_hint":"Azure AD Named Locations block: POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations Okta Network Zone: PUT https://{domain}.okta.com/api/v1/zones/{zoneId} with blocked IPs Cloudflare WAF: POST https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules {\"mode\": \"block\", \"configuration\": {\"target\": \"ip\", \"value\": \"\"}}\n","outputs":["blocked_ips","block_confirmation"]},{"id":"step-3","name":"Identify accounts that successfully authenticated during attack window","type":"investigation","tool":"identity_provider","description":"Search for any successful authentications from the attacking IPs or from targeted accounts during and immediately after the attack window. A successful login during a brute force attack indicates account compromise. Flag all accounts with successful auth from attack IPs, even if they had previous failures.\n","automation_hint":"Splunk SPL: index=windows_security EventCode=4624 src_ip IN () earliest=-2h | table _time, user, src_ip, LogonType | sort _time Azure AD: SigninLogs | where IPAddress in (\"\") and ResultType == \"0\" | project TimeGenerated, UserPrincipalName, IPAddress, Location, DeviceDetail\n","outputs":["compromised_accounts","successful_auth_timestamps","compromised_account_activity"]},{"id":"step-4","name":"Check if MFA was bypassed or is absent","type":"investigation","tool":"identity_provider","description":"For any accounts with successful logins during the attack: verify whether MFA was challenged. Check if MFA is even enforced for these accounts. Look for MFA fatigue indicators (repeated push approvals from same user). Check for legacy protocol auth (SMTP, POP, IMAP, NTLM) that bypasses MFA enforcement.\n","automation_hint":"Azure AD: SigninLogs | where UserPrincipalName in (\"\") | where AuthenticationRequirement == \"singleFactorAuthentication\" Okta: GET https://{domain}.okta.com/api/v1/logs?filter=eventType+eq+\"user.authentication.auth_via_mfa\" Microsoft Graph: GET https://graph.microsoft.com/v1.0/users/{userId}/authentication/methods\n","outputs":["mfa_bypass_confirmed","accounts_without_mfa","legacy_auth_usage"]},{"id":"step-5","name":"Force session termination for compromised accounts","type":"action","tool":"identity_provider","description":"Immediately revoke all active sessions and refresh tokens for identified compromised accounts. This logs the attacker out of any established sessions. Also revoke any OAuth application grants that may have been established during the compromise window.\n","automation_hint":"Azure AD: POST https://graph.microsoft.com/v1.0/users/{userId}/revokeSignInSessions Okta: POST https://{domain}.okta.com/api/v1/users/{userId}/sessions {\"clearFactors\": true} Google Workspace: POST https://admin.googleapis.com/admin/directory/v1/users/{userKey}/signOut\n","outputs":["sessions_revoked","tokens_invalidated"]},{"id":"step-6","name":"Reset passwords and enforce MFA for compromised accounts","type":"action","tool":"identity_provider","description":"Force password reset for all compromised accounts — require strong password, deny previous 24 passwords. Enforce MFA registration before next login. For accounts without MFA, force enrollment. Notify users via out-of-band channel (phone) before reset to avoid user confusion.\n","automation_hint":"Azure AD: PATCH https://graph.microsoft.com/v1.0/users/{userId} {\"passwordProfile\": {\"forceChangePasswordNextSignIn\": true, \"password\": \"\"}} Okta: POST https://{domain}.okta.com/api/v1/users/{userId}/lifecycle/reset_password Enforce MFA: POST https://{domain}.okta.com/api/v1/users/{userId}/factors\n","outputs":["password_resets_completed","mfa_enforced_count"]},{"id":"step-7","name":"Investigate post-compromise activity for successful logins","type":"investigation","tool":"siem","description":"For any accounts with confirmed successful authentication during the attack: conduct thorough investigation of all activity post-compromise. Look for: email rule creation, data access and downloads, OAuth app grants, admin permission changes, new user creation, external sharing of files.\n","automation_hint":"Microsoft 365 Unified Audit Log: Search-UnifiedAuditLog -StartDate -EndDate -UserIds \"\" -RecordType ExchangeAdmin | Where-Object {$_.Operations -like \"*Rule*\"} Splunk SPL: index=o365 user=\"\" earliest= | stats count by Operation | sort -count\n","outputs":["post_compromise_activities","data_access_events","persistence_mechanisms_created"]},{"id":"step-8","name":"Notify account owners and IT","type":"notification","description":"Notify affected account holders via out-of-band channel (phone, personal email, Slack DM) about the attack and required password reset. Provide clear instructions. Notify IT helpdesk to expect password reset calls — warn about social engineering attempts to hijack the reset process.\n","outputs":["notifications_sent","helpdesk_briefed"]},{"id":"step-9","name":"Review and strengthen authentication policies","type":"investigation","tool":"identity_provider","description":"Review the effectiveness of existing controls: Are lockout policies configured correctly? Is conditional access enforcing MFA from all locations? Are legacy auth protocols disabled? Is there geo-blocking for unusual countries? Is risk-based authentication enabled? Document any gaps for immediate remediation.\n","automation_hint":"Azure AD: GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies Okta: GET https://{domain}.okta.com/api/v1/policies?type=PASSWORD Check legacy auth: SigninLogs | where ClientAppUsed in (\"IMAP4\",\"POP3\",\"SMTP\",\"Exchange ActiveSync\")\n","outputs":["policy_gaps","lockout_policy_config","legacy_auth_exposure"]}],"post_incident":["Block attacking IP ranges permanently at perimeter and IdP level","Enable risk-based conditional access policies if not already active","Disable legacy authentication protocols (IMAP, POP, SMTP Auth, Basic Auth) organization-wide","Enforce FIDO2/hardware MFA for privileged accounts and executive accounts","File incident report documenting attack source, timeline, targeted accounts, and outcomes","Notify CISO and legal if any accounts confirmed compromised (potential data breach notification requirement)","Run quarterly password hygiene review — check against known breach credential databases","Review and update account lockout thresholds based on attack pattern observed"],"metrics":{"avg_resolution_time":"35m","false_positive_rate":"20%","escalation_rate":"15%"},"filename":"IR-003-brute-force-authentication.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/identity/IR-003-brute-force-authentication.yaml"},{"id":"IR-004","name":"AWS Unauthorized Access via CloudTrail Anomaly","version":"1.0.0","author":"CostNimbus","category":"cloud","severity":["high","critical"],"mitre_attack":["T1078.004","T1530","T1552.005","T1537","T1098.001","T1619","T1580"],"trigger":["guardduty_finding","cloudtrail_anomaly_alert","siem_aws_unauthorized_api","iam_credential_report_anomaly","aws_security_hub_finding"],"tags":["aws","cloud","iam","cloudtrail","unauthorized-access","data-exfiltration","credential-compromise"],"tools_required":["aws_cloudtrail","aws_guardduty","aws_iam","siem","threat_intelligence_platform"],"estimated_time":"40m","integrations":[{"platform":"aws_guardduty","optional":false,"notes":"Primary detection source for AWS threat detection"},{"platform":"aws_cloudtrail","optional":false,"notes":"Full API audit trail — essential for investigation"},{"platform":"aws_security_hub","optional":true,"notes":"Aggregated security findings across AWS accounts"},{"platform":"splunk","optional":true,"notes":"CloudTrail log ingestion and SIEM correlation"},{"platform":"datadog","optional":true,"notes":"Alternative cloud monitoring — CloudTrail integration"}],"steps":[{"id":"step-1","name":"Identify the compromised IAM principal","type":"investigation","tool":"aws_cloudtrail","description":"Identify which IAM entity (user, role, or service account) is performing the unauthorized actions. Review the GuardDuty finding or SIEM alert for the principal ARN. Determine credential type: long-term access key, temporary STS token, or instance profile. Check if the principal is a human user or machine identity (CI/CD, Lambda, EC2 role).\n","automation_hint":"aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue= --start-time $(date -d \"2 hours ago\" --iso-8601=seconds) --max-results 50 AWS CLI: aws guardduty get-findings --detector-id --finding-ids \n","outputs":["compromised_principal_arn","credential_type","access_key_id","source_ip","user_agent"]},{"id":"step-2","name":"Immediately disable or deactivate compromised credentials","type":"action","tool":"aws_iam","description":"Disable the compromised access key or, if role-based, revoke all active sessions. For IAM users: disable the access key, do NOT delete yet (preserve for investigation). For roles: attach an inline deny-all policy as emergency brake. For STS temp credentials: set the session policy to deny. This is the most critical containment step.\n","automation_hint":"Disable access key: aws iam update-access-key --access-key-id --status Inactive --user-name Revoke role sessions: aws iam put-role-policy --role-name --policy-name EmergencyDeny --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"*\",\"Resource\":\"*\"}]}' Invalidate STS: aws sts get-caller-identity (confirm key invalid after disable)\n","outputs":["credential_disabled","deny_policy_attached","containment_timestamp"]},{"id":"step-3","name":"Enumerate all API actions performed with compromised credentials","type":"investigation","tool":"aws_cloudtrail","description":"Pull complete CloudTrail event history for the compromised principal over the past 30 days (or from key creation date). Focus on: IAM changes (new users, keys, policies), data access (S3 GetObject, RDS queries), compute spawning (EC2, Lambda), networking changes (VPC, SGs), and cross-account assumption attempts. Build a complete timeline.\n","automation_hint":"aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue= --start-time --end-time | jq '.Events[] | {time: .EventTime, event: .EventName, resources: .Resources}' Athena query on S3 CloudTrail bucket: SELECT eventTime, eventName, sourceIPAddress, userAgent, errorCode FROM cloudtrail_logs WHERE userIdentity.accessKeyId = '' ORDER BY eventTime DESC LIMIT 500;\n","outputs":["api_call_timeline","sensitive_operations","iam_changes_made","data_accessed"]},{"id":"step-4","name":"Identify resources created or modified by attacker","type":"investigation","tool":"aws_cloudtrail","description":"Enumerate all AWS resources created, modified, or deleted by the attacker. Common attacker actions: new IAM users/keys (persistence), new EC2 instances (cryptomining/C2), S3 bucket policy changes (exfiltration), Lambda deployments (backdoor), new STS role trust relationships (privilege escalation). Compile a complete resource inventory for remediation.\n","automation_hint":"aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue= --query 'Events[?contains(`[\"CreateUser\",\"CreateAccessKey\",\"RunInstances\",\"CreateBucket\"]`, EventName)]' EC2 instances: aws ec2 describe-instances --filters \"Name=tag:CreatedBy,Values=\" IAM new keys: aws iam list-access-keys (check all users for recently created keys)\n","outputs":["attacker_created_resources","persistence_mechanisms","exfiltration_targets"]},{"id":"step-5","name":"Assess S3 data exposure and exfiltration","type":"investigation","tool":"aws_cloudtrail","description":"Review S3 access events for any sensitive data exfiltration. Check: GetObject calls on sensitive buckets, PutBucketPolicy changes (public access), GetBucketAcl/PutBucketAcl, PutObjectAcl (public objects), CreatePresignedUrl for external sharing. Cross-reference with S3 access logs for actual data transferred.\n","automation_hint":"S3 CloudTrail query (Athena): SELECT bucketName, COUNT(*) as GetCount, SUM(bytes) as TotalBytes FROM s3_access_logs WHERE requester = '' AND operation = 'REST.GET.OBJECT' AND requestdatetime > '' GROUP BY bucketName ORDER BY TotalBytes DESC; aws s3api get-bucket-policy --bucket \n","outputs":["exfiltrated_data_estimate","accessed_buckets","public_access_changes"]},{"id":"step-6","name":"Identify and remove attacker persistence mechanisms","type":"action","tool":"aws_iam","description":"Remove all persistence mechanisms created by the attacker: new IAM users and their access keys, backdoor roles with external trust relationships, modified SCPs or permission boundaries, new Lambda functions, CloudFormation stacks, or EC2 instances. Work through the attacker resource inventory from step-4.\n","automation_hint":"aws iam delete-access-key --access-key-id --user-name aws iam delete-user --user-name aws ec2 terminate-instances --instance-ids aws lambda delete-function --function-name aws iam delete-role --role-name \n","outputs":["persistence_removed","resources_terminated"]},{"id":"step-7","name":"Rotate all potentially exposed credentials and secrets","type":"action","tool":"aws_iam","description":"Rotate all credentials that may have been exposed: the original compromised access key (create new, delete old), any AWS Secrets Manager or Parameter Store values accessed, database passwords, API keys for third-party services stored in AWS. For EC2 instance profiles, replace with new roles.\n","automation_hint":"aws iam create-access-key --user-name (create new) aws iam delete-access-key --access-key-id (delete old) aws secretsmanager rotate-secret --secret-id aws ssm put-parameter --name --value --overwrite\n","outputs":["credentials_rotated","secrets_rotated"]},{"id":"step-8","name":"Review and remediate IAM policy changes","type":"action","tool":"aws_iam","description":"Review all IAM policy changes made during the attack window. Revert any policy modifications, attached policies, or permission boundary changes. Use AWS Config history to identify the pre-attack state and restore to it. Check trust policies on all roles for external account trust additions.\n","automation_hint":"aws configservice get-resource-config-history --resource-type AWS::IAM::Policy --resource-id --limit 10 aws iam detach-user-policy --user-name --policy-arn Check trust policies: aws iam get-role --role-name | jq '.Role.AssumeRolePolicyDocument'\n","outputs":["iam_reverted","trust_policies_reviewed"]},{"id":"step-9","name":"Enable or verify enhanced monitoring","type":"action","tool":"aws_cloudtrail","description":"Verify or enable enhanced monitoring for the affected account: CloudTrail in all regions with S3 data events enabled, GuardDuty with all features enabled, AWS Config with all rules, Security Hub with all standards, and VPC Flow Logs for all VPCs. Set CloudWatch alarms for root account usage, unauthorized API calls, and high-value IAM operations.\n","automation_hint":"aws guardduty update-detector --detector-id --enable --data-sources '{\"S3Logs\":{\"Enable\":true},\"EKSAuditLogs\":{\"Enable\":true},\"MalwareProtection\":{\"ScanEc2InstanceWithFindings\":{\"EbsVolumes\":{\"Enable\":true}}}}' aws cloudtrail update-trail --name --enable-log-file-validation --include-global-service-events --is-multi-region-trail\n","outputs":["monitoring_enhanced"]},{"id":"step-10","name":"Determine initial access vector","type":"investigation","description":"Investigate how the attacker obtained the credentials. Common sources: exposed in code repository (GitHub secret scan), leaked via metadata endpoint (EC2 SSRF), phishing of developer, insider threat, supply chain (compromised CI/CD), or from a third-party breach. Check git history, CI/CD logs, and developer workstations.\n","automation_hint":"GitHub: Search repo for access key pattern: git log -p | grep -E \"AKIA[0-9A-Z]{16}\" GitGuardian API: GET https://api.gitguardian.com/v1/incidents?detector=aws_iam_key Trufflesecurity/trufflehog: trufflehog git https://github.com// Check IMDS: aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetInstanceMetadataServiceToken\n","outputs":["initial_access_vector","exposure_source"]}],"post_incident":["File security incident report with full API timeline, data impact assessment, and remediation steps","Notify legal/compliance if sensitive data (PII, PCI, PHI) was accessed (potential breach notification)","Implement SCPs to prevent dangerous IAM operations in production accounts","Enable AWS Organizations Service Control Policies to block root account usage","Rotate ALL access keys for the affected account as a precaution (not just the compromised key)","Implement git-secrets or similar pre-commit hooks to prevent future credential exposure in code","Conduct IAM access review — remove unused users, roles, and permissions (least privilege)","Enable IAM Access Analyzer to continuously monitor for external access exposure","Schedule quarterly AWS security posture review using AWS Security Hub"],"metrics":{"avg_resolution_time":"75m","false_positive_rate":"10%","escalation_rate":"40%"},"filename":"IR-004-aws-unauthorized-access.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/cloud/IR-004-aws-unauthorized-access.yaml"},{"id":"IR-005","name":"Data Exfiltration via DLP Alert","version":"1.0.0","author":"CostNimbus","category":"data-loss","severity":["high","critical"],"mitre_attack":["T1048","T1048.003","T1041","T1567.002","T1052.001","T1530","T1213"],"trigger":["dlp_policy_violation","casb_alert","siem_large_data_transfer","email_dlp_block","endpoint_dlp_alert"],"tags":["data-loss","exfiltration","dlp","pii","sensitive-data","casb","compliance"],"tools_required":["dlp_platform","casb","siem","edr","proxy"],"estimated_time":"60m","integrations":[{"platform":"microsoft_purview","optional":false,"notes":"Microsoft Purview DLP — email, SharePoint, OneDrive, Teams, endpoint"},{"platform":"forcepoint_dlp","optional":true,"notes":"Alternative enterprise DLP — network and endpoint coverage"},{"platform":"netskope","optional":true,"notes":"CASB and inline DLP for cloud app data movement"},{"platform":"crowdstrike_falcon","optional":true,"notes":"Endpoint DLP and USB activity monitoring"},{"platform":"splunk","optional":false,"notes":"SIEM correlation across DLP, proxy, and email logs"}],"steps":[{"id":"step-1","name":"Triage DLP alert and classify data sensitivity","type":"investigation","tool":"dlp_platform","description":"Review the DLP alert details: policy triggered, data classification (PII, PCI, PHI, IP, Confidential), file name, data volume, and detection confidence. Determine data sensitivity level. Assess if this is a true positive (actual exfiltration attempt) or a false positive (authorized transfer, miscategorized data). Avoid over-escalation on low-confidence alerts.\n","automation_hint":"Microsoft Purview: GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftPurview' Forcepoint DLP: GET https:///api/incidents/{incident_id} Netskope: GET https://.goskope.com/api/v1/alerts?token=&type=dlp\n","outputs":["alert_id","data_classification","confidence_score","user_identity","destination"]},{"id":"step-2","name":"Identify the source user and data origin","type":"investigation","tool":"siem","description":"Identify the user account involved: employee name, department, role, employment status (especially: is this their notice period?). Identify where the data originated — SharePoint, file server share, database, cloud storage. Establish whether the user has authorized access to this data type and whether this transfer pattern is normal for their role.\n","automation_hint":"Splunk SPL: index=dlp sourcetype=purview user=\"\" earliest=-7d | stats count by action, destination_type | sort -count Active Directory: Get-ADUser -Identity \"\" -Properties Department,Manager,Title,whenCreated HR system check: verify employment status and any pending departures\n","outputs":["user_profile","data_origin","user_access_authorization","normal_transfer_baseline"]},{"id":"step-3","name":"Determine exfiltration destination and method","type":"investigation","tool":"proxy","description":"Identify where data was sent: personal cloud storage (Dropbox, Google Drive, iCloud), personal email (Gmail, Hotmail), USB device, airdrop, screenshot/camera, print, or external web service. For cloud destinations, capture the account identifier if possible. Check if HTTPS inspection is in place to see content.\n","automation_hint":"Splunk SPL (proxy logs): index=proxy user=\"\" earliest=-24h | stats sum(bytes_out) as total_bytes by dest_ip, dest_domain, url_category | where total_bytes > 10000000 | sort -total_bytes Netskope: GET https://.goskope.com/api/v1/events?token=&type=page &query=user+eq++AND+appcategory+eq+\"Cloud Storage\"\n","outputs":["exfiltration_channel","destination_account","data_volume_bytes","transfer_timestamps"]},{"id":"step-4","name":"Quantify the data exposure","type":"investigation","tool":"dlp_platform","description":"Determine the scope of data exposure: number of records, file types, specific data elements (SSNs, credit card numbers, health records, trade secrets). Pull file metadata and content samples from DLP evidence storage. Assess regulatory impact (GDPR, HIPAA, PCI-DSS, CCPA). This directly informs breach notification obligations.\n","automation_hint":"Microsoft Purview Evidence: GET https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{case_id}/searches/{search_id}/exportResult Run data inventory query in Purview: SELECT * FROM data_inventory WHERE classification IN ('PII','PCI','PHI') AND last_accessed_by = '' AND last_accessed > ''\n","outputs":["record_count","data_elements_exposed","regulatory_frameworks_triggered","breach_notification_threshold"]},{"id":"step-5","name":"Block the exfiltration channel immediately","type":"action","tool":"casb","description":"Block the identified exfiltration channel: block personal cloud storage in CASB/proxy, disable USB write access on the endpoint via EDR/MDM policy, block personal email in DLP policy, revoke external sharing permissions in SharePoint/OneDrive. Apply blocks urgently but confirm with manager/legal before if employment action may follow.\n","automation_hint":"Netskope block app: POST https://.goskope.com/api/v1/updatepolicy Intune USB disable: PATCH https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{id} SharePoint: Set-SPOTenant -OneDriveForGuestsEnabled $false CrowdStrike USB block: POST https://api.crowdstrike.com/policy/entities/device-control-policies/v1\n","outputs":["channel_blocked","block_scope"]},{"id":"step-6","name":"Preserve evidence and establish chain of custody","type":"action","tool":"dlp_platform","description":"Preserve all DLP evidence before any remediation that could alter it: capture screenshots of the DLP alert, export the full audit log for the user's activity, preserve network proxy logs, preserve EDR telemetry. Create a legal hold on the user's mailbox and OneDrive/SharePoint content. Hash all evidence files for chain of custody.\n","automation_hint":"Microsoft Purview: POST https://graph.microsoft.com/v1.0/compliance/ediscovery/cases/{case_id}/legalHolds {\"displayName\": \"IR-005 Legal Hold - \", \"custodians\": [{\"id\": \"\"}]} Export audit log: Export-AuditLogSearchResult -StartDate -EndDate -UserIds \n","outputs":["evidence_preserved","legal_hold_applied","chain_of_custody_hash"]},{"id":"step-7","name":"Assess whether data retrieval is possible","type":"investigation","description":"Determine if the exfiltrated data can be recovered or access revoked: if sent to cloud storage, can the destination account be suspended (if corporate)? Can the file be remotely wiped (MDM)? If emailed externally, is there a recall capability? If physical device, can device be retrieved? Attempt data retrieval only if it won't tip off the subject prematurely (if insider threat investigation is ongoing).\n","outputs":["data_recovery_feasibility","recovery_method","recovery_risk_assessment"]},{"id":"step-8","name":"Escalate to HR, Legal, and CISO","type":"escalation","description":"Escalate immediately to: CISO (data breach decision-making authority), Legal (breach notification obligations, employment law), HR (if insider threat — employment action). Do not confront the employee until HR and Legal sign off on the approach. Provide them with the evidence package, timeline, and regulatory exposure assessment.\n","outputs":["ciso_notified","legal_notified","hr_notified","escalation_timestamp"]},{"id":"step-9","name":"Assess regulatory breach notification requirements","type":"investigation","description":"Work with Legal to determine notification obligations. GDPR: 72-hour notification to supervisory authority if EU residents' data. HIPAA: 60-day notification to HHS + affected individuals if PHI. CCPA: notification to CA Attorney General if >500 CA residents. State breach notification laws vary — check all applicable jurisdictions.\n","outputs":["notification_required","notification_deadline","notification_recipients","regulatory_frameworks"]},{"id":"step-10","name":"Implement enhanced monitoring on user account","type":"action","tool":"siem","description":"If investigation is ongoing (employee not yet confronted), implement enhanced monitoring without blocking access: increase logging verbosity, enable user behavior analytics (UBA) alerts, alert on any additional sensitive data access, monitor all outbound communications. Coordinate with Legal to ensure monitoring is lawful in your jurisdiction.\n","automation_hint":"Splunk UBA: POST https:///rest/api/watchlist {\"users\": [\"\"]} Microsoft Sentinel: Add user to watchlist for high-priority monitoring DLP: Increase policy sensitivity for this user — lower thresholds, log-only becomes block\n","outputs":["enhanced_monitoring_active"]}],"post_incident":["Notify affected individuals and regulators per legal requirements and deadlines","Conduct data inventory to understand what data is at risk and who has access","Implement data minimization — reduce access to sensitive data on need-to-know basis","Enable CASB for all cloud storage and collaboration tools to enforce DLP inline","Review and tighten DLP policies — add recently exposed data types to detection rules","Implement offboarding data security protocol — automatic access revocation on last day","Conduct insider threat awareness training for all employees","Commission annual data protection impact assessment (DPIA)","File incident post-mortem with lessons learned and control improvements"],"metrics":{"avg_resolution_time":"120m","false_positive_rate":"30%","escalation_rate":"60%"},"filename":"IR-005-data-exfiltration-dlp.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/data-loss/IR-005-data-exfiltration-dlp.yaml"},{"id":"IR-006","name":"Ransomware Initial Response and Containment","version":"1.0.0","author":"CostNimbus","category":"ransomware","severity":["critical"],"mitre_attack":["T1486","T1490","T1489","T1485","T1070.001","T1562.001","T1135","T1021.002","T1078"],"trigger":["edr_ransomware_detection","honeypot_file_modified","mass_file_rename_alert","shadow_copy_deletion_alert","siem_ransomware_ioc_match","user_reported_ransom_note"],"tags":["ransomware","critical-incident","containment","encryption","business-continuity","backup-recovery"],"tools_required":["edr","siem","network_firewall","backup_system","incident_response_platform"],"estimated_time":"15m","integrations":[{"platform":"crowdstrike_falcon","optional":false,"notes":"Ransomware detection, host isolation, and lateral movement visibility"},{"platform":"palo_alto_cortex_xdr","optional":true,"notes":"Alternative XDR with ransomware-specific behavioral detection"},{"platform":"veeam","optional":false,"notes":"Backup and recovery — critical for restoration decision"},{"platform":"splunk","optional":false,"notes":"Enterprise-wide log correlation during active incident"},{"platform":"servicenow","optional":true,"notes":"Major incident management and executive communication"}],"steps":[{"id":"step-1","name":"IMMEDIATE — Declare critical incident and activate IR team","type":"escalation","description":"This is a P0 critical incident. Immediately wake up the full incident response team. Notify CISO, CTO, and legal counsel NOW — do not wait for full analysis. Activate the IR retainer if one exists (CrowdStrike Services, Mandiant, etc.). Open a bridge call. Time is critical: every minute of delay allows further encryption and lateral movement. Do not attempt analysis on the affected host — isolate first, analyze later.\n","outputs":["ir_team_assembled","bridge_call_open","ciso_notified","retainer_activated"]},{"id":"step-2","name":"IMMEDIATE — Network isolate all confirmed affected hosts","type":"action","tool":"edr","description":"Mass isolate ALL hosts showing ransomware indicators simultaneously. Do not isolate one at a time — the ransomware is spreading in parallel. Use EDR bulk containment. If EDR is not available or bypassed, work with network team to VLAN segment or physically disconnect affected segments. Preserve domain controllers — these need special handling to avoid complete operational shutdown.\n","automation_hint":"CrowdStrike bulk contain: POST https://api.crowdstrike.com/devices/entities/devices-actions/v2 {\"action_name\": \"contain\", \"ids\": [\"\", \"\", \"...\"]} Emergency VLAN isolation: work with network team to implement ACLs blocking lateral traffic CrowdStrike RTR bulk: use Falcon Fusion workflow to trigger on ransomware indicators automatically\n","outputs":["isolated_hosts","isolation_timestamp","hosts_not_isolated"]},{"id":"step-3","name":"Stop lateral movement — block SMB and RDP internally","type":"action","tool":"network_firewall","description":"Implement emergency network ACLs to block SMB (445), RDP (3389), WMI (135), and PsExec-related traffic between endpoint segments. This interrupts the ransomware's primary lateral movement mechanisms. Accept the operational impact — this is necessary. Do NOT block domain controller replication traffic (389, 88, 135 between DCs).\n","automation_hint":"Cisco ASA: access-list BLOCK_RANSOMWARE_LATERAL deny tcp any any eq 445 access-list BLOCK_RANSOMWARE_LATERAL deny tcp any any eq 3389 Palo Alto: add security rule \"block-ransomware-lateral\" | action drop | application smb, msrdp | zones trust CrowdStrike RTR: run \"netsh advfirewall firewall add rule name='Block-SMB-Lateral' dir=out action=block protocol=TCP localport=445\"\n","outputs":["lateral_movement_blocked","network_acl_id"]},{"id":"step-4","name":"Identify patient zero and initial access vector","type":"investigation","tool":"edr","description":"Identify the first host to exhibit ransomware behavior (patient zero) and trace back to the initial access vector. Common vectors: phishing email with malicious attachment, exposed RDP (credential brute force), VPN credential compromise, supply chain compromise, or drive-by download. The initial access vector determines remediation scope.\n","automation_hint":"CrowdStrike Threat Graph: find earliest process with ransomware IOC behavior Splunk SPL: index=crowdstrike earliest=-6h event_type=DetectionSummaryEvent | stats min(_time) as first_seen by ComputerName | sort first_seen | head 1 Review EDR process tree on patient zero for parent process of ransomware executable\n","outputs":["patient_zero_hostname","initial_access_vector","infection_start_time","ransomware_family"]},{"id":"step-5","name":"Identify ransomware family and check for decryptors","type":"investigation","tool":"threat_intelligence_platform","description":"Identify the ransomware strain from executable hash, ransom note text, or encrypted file extension. Check ID Ransomware service. Look up known decryptors from NoMoreRansom project, Emsisoft, or vendor-released tools. Contact CISA if critical infrastructure — they may have intelligence or decryptors. Do NOT pay ransom without legal counsel sign-off.\n","automation_hint":"ID Ransomware: POST https://id-ransomware.malwarehunterteam.com/api/ (upload sample) NoMoreRansom: GET https://www.nomoreransom.org/crypto-sheriff.php CrowdStrike Intel: GET https://api.crowdstrike.com/intel/combined/indicators/v1?filter=malware_families:*ransomware* VirusTotal: POST https://www.virustotal.com/api/v3/files (upload ransomware sample)\n","outputs":["ransomware_family","decryptor_available","ransomware_group","known_iocs"]},{"id":"step-6","name":"Assess encryption scope — what has been encrypted","type":"investigation","tool":"siem","description":"Map the scope of encryption: how many hosts, which file shares, which systems. Check file servers, NAS devices, SharePoint, backup systems, and databases. Determine if backups were specifically targeted (many ransomware gangs target Veeam, shadow copies). This is critical for the recovery decision — pay vs. restore from backup.\n","automation_hint":"Splunk SPL: index=wineventlog EventCode=4663 earliest=-4h ObjectName=\"*.encrypted\" OR ObjectName=\"*.\" | stats dc(ObjectName) as files_modified by ComputerName | sort -files_modified Check shadow copies: vssadmin list shadows (run on suspected hosts via RTR) CrowdStrike RTR: run \"Get-ChildItem -Path C:\\ -Recurse -Filter *.{ransom_ext} | Measure-Object | Select Count\"\n","outputs":["encrypted_hosts","encrypted_file_count","file_server_impact","backup_system_status"]},{"id":"step-7","name":"Verify backup integrity and recovery feasibility","type":"investigation","tool":"backup_system","description":"IMMEDIATELY check backup system status: are backups intact and unencrypted? Were the backup servers isolated/compromised? What is the most recent clean recovery point? Can recovery meet the business RTO/RPO requirements? Contact backup vendor if backup system shows signs of compromise. Do not use potentially compromised backups.\n","automation_hint":"Veeam: Get-VBRRestorePoint | Sort-Object CreationTime -Descending | Select-Object -First 5 | Select-Object Name, CreationTime, IsCorrupted AWS Backup: aws backup list-recovery-points-by-backup-vault --backup-vault-name default Veeam REST API: GET https://:9419/api/v1/restorePoints?backupId=\n","outputs":["backup_integrity_status","latest_clean_backup_date","recovery_time_estimate","backup_coverage_gaps"]},{"id":"step-8","name":"Preserve forensic artifacts from patient zero","type":"action","tool":"edr","description":"Before any remediation of patient zero: collect forensic artifacts via EDR live response. Capture: running process list, network connections, scheduled tasks, services, registry run keys, event logs (before ransomware clears them), memory dump if executable is still in memory. This is required for insurance, law enforcement, and understanding the attack.\n","automation_hint":"CrowdStrike RTR forensic collection script: run \"Get-WinEvent -LogName Security -MaxEvents 1000 | Export-Csv security_log.csv\" run \"netstat -ano > netstat.txt\" run \"schtasks /query /fo CSV /v > scheduled_tasks.csv\" CrowdStrike Spotlight: GET https://api.crowdstrike.com/spotlight/queries/vulnerabilities/v1\n","outputs":["forensic_artifacts_collected","memory_dump_captured","event_logs_preserved"]},{"id":"step-9","name":"Report to law enforcement and cyber insurance","type":"notification","description":"Report to FBI IC3 (Internet Crime Complaint Center) — this is recommended and not legally required but may provide intelligence support and notification if decryptor exists. Notify cyber insurance carrier within the required timeframe (check policy). CISA: report via cisa.gov/report if critical infrastructure. Preserve all evidence for law enforcement — do not wipe systems yet.\n","outputs":["law_enforcement_notified","insurance_notified","report_references"]},{"id":"step-10","name":"Execute recovery plan — restore from clean backups","type":"action","tool":"backup_system","description":"Begin recovery using clean, verified backups. Priority order: (1) domain controllers and AD, (2) critical business systems, (3) file servers, (4) endpoint workstations. Restore to quarantined environment first — do not restore directly to production. Validate each system before reconnecting to the network. Re-image endpoints rather than restoring from backup (backup may contain malware).\n","automation_hint":"Veeam: Start-VBRRestoreVM -RestorePoint -Server -StorePath AWS: aws ec2 restore-snapshot-tier --snapshot-id Verify restored system: run CrowdStrike full scan before reconnection\n","outputs":["systems_restored","restoration_priority_list","reconnection_validation"]}],"post_incident":["Conduct full threat hunt to ensure no attacker persistence remains before declaring all-clear","Perform root cause analysis and patch the initial access vector","Engage forensic firm for comprehensive post-incident review and legal-quality report","Review and test backup strategy — implement 3-2-1 rule with offline/air-gapped backups","Implement network segmentation to limit blast radius of future ransomware incidents","Deploy honeypot files (canary tokens) in file shares for early ransomware detection","Conduct tabletop exercise for leadership team on ransomware response decision-making","Notify customers, partners, and regulators as legally required","Brief board of directors on incident, impact, and remediation investment required","Commission a security maturity assessment to identify systemic gaps"],"metrics":{"avg_resolution_time":"240m","false_positive_rate":"2%","escalation_rate":"100%"},"filename":"IR-006-ransomware-initial-response.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/ransomware/IR-006-ransomware-initial-response.yaml"},{"id":"IR-007","name":"Insider Threat Investigation","version":"1.0.0","author":"CostNimbus","category":"insider-threat","severity":["medium","high"],"mitre_attack":["T1078","T1213","T1052.001","T1567.002","T1048.003","T1136","T1531"],"trigger":["ueba_anomaly_alert","hr_offboarding_trigger","dlp_policy_violation_insider","siem_after_hours_access","peer_manager_report","security_tip_line_report"],"tags":["insider-threat","ueba","data-theft","employee-monitoring","hr-coordination","legal-hold"],"tools_required":["ueba","siem","dlp_platform","edr","identity_provider"],"estimated_time":"90m","integrations":[{"platform":"microsoft_sentinel_ueba","optional":false,"notes":"User and Entity Behavior Analytics — entity risk scoring"},{"platform":"varonis","optional":true,"notes":"File system activity monitoring and data access anomaly detection"},{"platform":"splunk_ueba","optional":true,"notes":"Alternative UEBA — behavior baselining and anomaly detection"},{"platform":"microsoft_purview","optional":false,"notes":"DLP evidence collection and legal hold management"},{"platform":"servicenow","optional":true,"notes":"HR case management integration"}],"steps":[{"id":"step-1","name":"Receive and evaluate the initial indicator","type":"investigation","tool":"ueba","description":"Assess the reliability and context of the initial indicator. UEBA alerts need baseline context — what is this user's normal behavior score? HR-triggered (resignation, PIP, termination notice) investigations have higher prior probability. Anonymous tips need corroboration. Determine if this is a disgruntled employee, negligent insider, or compromised account scenario. Engage HR to confirm employment status before proceeding.\n","automation_hint":"Microsoft Sentinel UEBA: GET https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/ providers/Microsoft.SecurityInsights/entityQueries/{id}?api-version=2022-12-01-preview Splunk UBA: GET https:///rest/api/insight/user/\n","outputs":["investigation_type","user_risk_score","employment_status","initial_indicator_source"]},{"id":"step-2","name":"Establish covert investigation — do NOT alert subject","type":"investigation","description":"Insider threat investigations must remain covert until HR and Legal authorize disclosure. Use need-to-know compartmentalization. Do NOT lock the account, revoke access, or confront the employee until the investigation is complete and HR/Legal approve action. Do NOT discuss in email — use phone or encrypted messaging. Assign a case number. Brief only the investigation core team (CISO, SOC lead, Legal, HR).\n","outputs":["investigation_code_name","core_team_briefed","legal_hold_initiated"]},{"id":"step-3","name":"Build complete user activity timeline","type":"investigation","tool":"siem","description":"Construct a comprehensive timeline of the subject's digital activity over the past 90 days. Cover: data access patterns (which files, shares, databases), authentication events (times, locations, devices), email activity (external recipients, large attachments), web browsing (cloud storage, job boards, competitor sites), and USB/peripheral activity. Compare against peer group baseline.\n","automation_hint":"Splunk SPL: index=* user=\"\" earliest=-90d | stats count by sourcetype, _time span=1d | timechart span=1d count by sourcetype Microsoft Purview Audit: Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -UserIds \"\" -ResultSize 5000 | Export-Csv activity_log.csv\n","outputs":["activity_timeline","anomalous_patterns","peer_group_deviation"]},{"id":"step-4","name":"Analyze file access patterns and sensitive data access","type":"investigation","tool":"ueba","description":"Identify unusual data access: accessing files outside normal job function, bulk file downloads or copies, accessing files of departing colleagues, accessing HR/executive data, or accessing data immediately before a resignation/last day. Use Varonis or UEBA to visualize the file access graph and identify abnormal patterns.\n","automation_hint":"Varonis DatAdvantage: filter events by user, last 90 days, sensitivity=high GET https:///api/v1/users/{userId}/events?type=file_access&days=90 Splunk SPL: index=file_activity user=\"\" object_type=file classification=sensitive | stats count by path, action, _time | sort -count\n","outputs":["sensitive_files_accessed","access_volume_trend","unusual_access_events"]},{"id":"step-5","name":"Review email activity for external data sharing","type":"investigation","tool":"siem","description":"Analyze the subject's email activity for indicators of data exfiltration via email: large attachments sent to personal/external addresses, BCC to personal accounts, forwarding rules to external domains, emails to competitors or recruiters, and emails with sensitive file types (xlsx, csv, pdf, docx) sent externally.\n","automation_hint":"Microsoft Purview: Search-MailboxAuditLog -Identity \"\" -LogonTypes Owner -Operations SendAs,Send -StartDate (Get-Date).AddDays(-90) | Where-Object {$_.ExternalAccess} Microsoft Graph: GET https://graph.microsoft.com/v1.0/users/{userId}/mailFolders/sentItems/messages ?$filter=toRecipients/any(r:not(endsWith(r/emailAddress/address,'@companydomain.com'))) &$select=subject,toRecipients,hasAttachments,sentDateTime\n","outputs":["external_emails_sent","attachment_sizes","external_recipients","forwarding_rules"]},{"id":"step-6","name":"Check for cloud storage and device upload activity","type":"investigation","tool":"casb","description":"Review CASB and proxy logs for uploads to personal cloud storage (Dropbox, Google Drive, iCloud, Box personal), file transfer services (WeTransfer, SendSpace), and USB/external device usage. Quantify data volume. Check if corporate DLP prevented transfers or only logged them.\n","automation_hint":"Netskope: GET https://.goskope.com/api/v1/events?type=application&query=user+eq++AND+type+eq+upload Splunk (proxy): index=proxy user=\"\" url_category=cloud_storage http_method=POST | stats sum(bytes_out) as total_bytes by url_domain | sort -total_bytes CrowdStrike USB: GET https://api.crowdstrike.com/falcon-complete-dashboard/queries/detections/v1\n","outputs":["cloud_upload_events","usb_activity","total_data_transferred"]},{"id":"step-7","name":"Review authentication anomalies and off-hours access","type":"investigation","tool":"identity_provider","description":"Review authentication patterns for anomalies: after-hours system access (particularly evenings/weekends during notice period), access to systems outside normal job scope, new device registrations, geolocation anomalies, and excessive failed logins (password searching). Check VPN logs for connections from home network during off-hours.\n","automation_hint":"Azure AD: SigninLogs | where UserPrincipalName == \"\" | where TimeGenerated > ago(90d) | extend Hour = hourofday(TimeGenerated) | where Hour < 7 or Hour > 19 or dayofweek(TimeGenerated) in (0, 6) | project TimeGenerated, IPAddress, Location, DeviceDetail, AppDisplayName\n","outputs":["after_hours_events","geolocation_anomalies","system_access_scope"]},{"id":"step-8","name":"Check for account persistence or backdoor creation","type":"investigation","tool":"identity_provider","description":"Determine if the subject created any backdoor access mechanisms: new service accounts, OAuth app grants with broad permissions, new email forwarding rules, shared credentials with external parties, or AWS/cloud IAM users. Also check if the subject attempted to access colleagues' accounts or escalate their own privileges.\n","automation_hint":"Azure AD: AuditLogs | where InitiatedBy.user.userPrincipalName == \"\" | where OperationName in (\"Add user\",\"Add member to role\",\"Add service principal\") Microsoft 365: Get-InboxRule -Mailbox | Where-Object {$_.ForwardTo -ne $null} AWS: aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue= --query 'Events[?EventName==`CreateUser`]'\n","outputs":["backdoor_mechanisms","privilege_escalation_attempts","forwarding_rules_created"]},{"id":"step-9","name":"Compile investigation package for HR and Legal","type":"investigation","description":"Compile a comprehensive, legally sound evidence package: chronological timeline of all suspicious activity with log evidence, estimated data exfiltrated (volume, classification), policy violations identified, and screenshots of key evidence. Ensure all evidence is authenticated (hash logs, timestamps from authoritative sources). Present findings to Legal for review before any employment action.\n","outputs":["investigation_report","evidence_package","policy_violations_cited","legal_review_complete"]},{"id":"step-10","name":"Execute employment action with HR and IT coordination","type":"action","description":"Upon HR/Legal sign-off, execute coordinated employment action: terminate access simultaneously across all systems at the moment HR delivers the notification. Sequence: (1) HR meeting begins, (2) IT immediately terminates all access (AD, email, VPN, badge), (3) MDM wipe corporate data from personal devices, (4) Collect any corporate devices. Do not allow access to any systems after notification begins.\n","automation_hint":"AD account disable: Disable-ADAccount -Identity Revoke all sessions: POST https://graph.microsoft.com/v1.0/users/{userId}/revokeSignInSessions Intune: wipe corporate data via MAM selective wipe Badge system: deactivate access card\n","outputs":["access_terminated","termination_timestamp","devices_collected"]}],"post_incident":["Preserve all evidence for potential legal proceedings — maintain legal hold indefinitely","Conduct access review for the departed employee's system access — verify all access is revoked","Review peer group access — did others have similar unauthorized data access?","Implement automatic access review triggers for employees on PIPs or with resignation notice","Strengthen offboarding checklist — verify access revocation within 1 hour of termination","Brief CISO and legal on investigation outcomes, data exposure scope, and legal options","Notify affected data subjects if regulatory breach notification is required","Review and update insider threat detection rules based on observed behavior patterns","Conduct lessons-learned with HR and Legal to improve investigation process"],"metrics":{"avg_resolution_time":"2160m","false_positive_rate":"40%","escalation_rate":"70%"},"filename":"IR-007-insider-threat-investigation.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/identity/IR-007-insider-threat-investigation.yaml"},{"id":"IR-008","name":"Cloud Resource Hijacking (Cryptomining and Unauthorized Compute)","version":"1.0.0","author":"CostNimbus","category":"cloud","severity":["high","critical"],"mitre_attack":["T1496","T1578.002","T1578.003","T1190","T1552.005","T1098.001","T1526"],"trigger":["cloud_cost_anomaly_alert","aws_guardduty_cryptomining_finding","compute_usage_spike","billing_threshold_breach","siem_unusual_instance_creation"],"tags":["cloud","cryptomining","resource-hijacking","aws","cost-anomaly","iam-abuse","unauthorized-compute"],"tools_required":["aws_cloudtrail","aws_guardduty","aws_cost_explorer","aws_iam","siem"],"estimated_time":"35m","integrations":[{"platform":"aws_guardduty","optional":false,"notes":"CryptoCurrency:EC2/BitcoinTool.B, UnauthorizedAccess:EC2/TorClient findings"},{"platform":"aws_cost_explorer","optional":false,"notes":"Cost anomaly detection and usage breakdown by service/region"},{"platform":"aws_cloudtrail","optional":false,"notes":"Full API audit trail for instance creation and credential usage"},{"platform":"datadog","optional":true,"notes":"Cloud cost monitoring and compute anomaly detection"},{"platform":"lacework","optional":true,"notes":"Cloud security posture and anomaly detection alternative"}],"steps":[{"id":"step-1","name":"Assess the scope of unauthorized resource usage","type":"investigation","tool":"aws_cost_explorer","description":"Quantify the financial and resource impact: identify which AWS services are showing anomalous costs (EC2, GPU instances, Lambda, ECS), which regions, and which accounts. Cryptomining typically uses compute-intensive instance types (c5.9xlarge, p3.16xlarge, g4dn instances). Check cost anomaly vs. normal baseline. Calculate hourly burn rate to quantify urgency.\n","automation_hint":"AWS CLI: aws ce get-cost-and-usage --time-period Start=,End= --granularity DAILY --metrics BlendedCost --group-by Type=DIMENSION,Key=SERVICE AWS Cost Anomaly: aws ce get-anomalies --date-interval StartDate=,EndDate= Boto3: ce.get_cost_forecast(TimePeriod=..., Metric='BLENDED_COST', Granularity='MONTHLY')\n","outputs":["cost_impact_usd","affected_services","affected_regions","hourly_burn_rate"]},{"id":"step-2","name":"Identify unauthorized EC2 instances and resources","type":"investigation","tool":"aws_cloudtrail","description":"Enumerate all running instances, Lambda functions, and ECS tasks that may be unauthorized. Filter by: recent creation time, unusual instance types (GPU/compute-optimized for mining), regions you don't normally operate in, instances with no organizational tags, and instances with unusual user data scripts. Cross-reference against change management records.\n","automation_hint":"aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,InstanceType, LaunchTime,Tags,State.Name,Placement.AvailabilityZone]' --output table Find untagged instances: aws ec2 describe-instances --filters \"Name=tag-key,Values=Name\" --query 'Reservations[?!Instances[?Tags]].[Instances[0].InstanceId]' Find GPU instances: aws ec2 describe-instances --filters \"Name=instance-type,Values=p*,g4*,p3*\"\n","outputs":["unauthorized_instances","instance_types","regions_affected","instance_creation_timestamps"]},{"id":"step-3","name":"Identify the compromised IAM credential used","type":"investigation","tool":"aws_cloudtrail","description":"Pull CloudTrail events for RunInstances, CreateFunction, and CreateCluster API calls in the attack timeframe. Identify the IAM principal (access key, role) used. Determine if this is a leaked access key (GitHub, code leak), SSRF via metadata endpoint, or compromised developer workstation. Check the source IP for these API calls.\n","automation_hint":"aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances --start-time | jq '.Events[] | {time: .EventTime, user: .Username, ip: .CloudTrailEvent | fromjson | .sourceIPAddress}' Athena: SELECT eventTime, userIdentity.accessKeyId, sourceIPAddress, requestParameters FROM cloudtrail_logs WHERE eventName = 'RunInstances' AND eventTime > ''\n","outputs":["compromised_principal","access_key_id","source_ips","api_call_pattern"]},{"id":"step-4","name":"Terminate all unauthorized compute resources","type":"action","tool":"aws_iam","description":"Immediately terminate all unauthorized EC2 instances, Lambda functions, and ECS tasks. Work through each unauthorized region. For Lambda: delete the functions. For ECS: stop all tasks and delete the clusters. For RDS: check for unauthorized database instances. Capture instance IDs and terminate — do not stop (cryptominers restart stopped instances).\n","automation_hint":"Terminate all instances in a region: aws ec2 describe-instances --region --query 'Reservations[].Instances[?State.Name!=`terminated`].InstanceId' --output text | xargs aws ec2 terminate-instances --instance-ids Lambda: aws lambda list-functions --region | jq '.Functions[].FunctionName' | xargs -I {} aws lambda delete-function --function-name {} ECS: aws ecs list-clusters | jq '.clusterArns[]' | xargs -I {} aws ecs delete-cluster --cluster {}\n","outputs":["instances_terminated","resources_deleted","termination_confirmed"]},{"id":"step-5","name":"Disable compromised credentials immediately","type":"action","tool":"aws_iam","description":"Disable the compromised access key or role. Apply an emergency deny-all inline policy to the compromised IAM user/role to prevent any further API calls while investigation continues. Do not delete the key yet — preserve for investigation and insurance purposes.\n","automation_hint":"aws iam update-access-key --access-key-id --status Inactive --user-name Emergency deny: aws iam put-user-policy --user-name --policy-name EmergencyStop --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"*\",\"Resource\":\"*\"}]}' Revoke role: aws iam put-role-policy --role-name --policy-name EmergencyDeny --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"*\",\"Resource\":\"*\"}]}'\n","outputs":["credentials_disabled","deny_policy_applied"]},{"id":"step-6","name":"Check for attacker persistence mechanisms","type":"investigation","tool":"aws_cloudtrail","description":"Attackers often create persistence via: new IAM users/access keys, Lambda functions with scheduled triggers, EC2 instances with cron jobs, AWS Systems Manager automations, or modified trust policies on roles. Review all CloudTrail create events for the attack timeframe across all regions. Check for CloudFormation stacks left as persistence.\n","automation_hint":"aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue= --query 'Events[?EventName==`CreateUser` || EventName==`CreateAccessKey` || EventName==`CreateFunction`]' Check new IAM users: aws iam list-users --query 'Users[?CreateDate > ``]' Check scheduled events: aws events list-rules --query 'Rules[?State==`ENABLED`]'\n","outputs":["persistence_mechanisms","new_iam_principals","scheduled_triggers"]},{"id":"step-7","name":"Investigate initial access vector","type":"investigation","description":"Determine how the attacker obtained the credentials. Common sources for cloud hijacking: (1) Hardcoded credentials in public GitHub repo, (2) SSRF vulnerability exploiting EC2 metadata service (IMDSv1), (3) Compromised developer machine, (4) CI/CD pipeline secrets exposure, (5) Supply chain compromise of build tools. Knowing the vector determines remediation scope.\n","automation_hint":"GitHub credential scan: trufflehog git https://github.com// IMDSv2 enforcement: aws ec2 modify-instance-metadata-options --instance-id --http-tokens required --http-endpoint enabled Check CI/CD: review GitLab/GitHub Actions secrets and pipeline logs GitGuardian: GET https://api.gitguardian.com/v1/incidents?detector=aws_iam_key\n","outputs":["initial_access_vector","exposure_source","affected_codebase"]},{"id":"step-8","name":"Enforce IMDSv2 and least-privilege IAM across all instances","type":"action","tool":"aws_iam","description":"Remediate the systemic vulnerability that enabled credential theft. Enforce IMDSv2 on all existing EC2 instances (prevents SSRF-based credential theft). Review IAM permissions for all service roles — remove EC2 permissions from roles that don't need to spawn instances. Implement SCP to restrict EC2 instance types in all accounts.\n","automation_hint":"Enforce IMDSv2 on all instances (loop all regions): for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do\n aws ec2 describe-instances --region $region --query 'Reservations[].Instances[].InstanceId'\n --output text | xargs -I {} aws ec2 modify-instance-metadata-options --instance-id {}\n --http-tokens required --region $region; done\nSCP to restrict GPU instances: use AWS Organizations SCPs\n","outputs":["imdsv2_enforced_count","iam_permissions_reviewed","scp_applied"]},{"id":"step-9","name":"Enable AWS cost controls and anomaly alerts","type":"action","tool":"aws_cost_explorer","description":"Implement preventive controls: set up AWS Budgets with alerting, enable Cost Anomaly Detection for all services, create CloudWatch billing alarms, set up EC2 Service Quotas limits for GPU instance types, and enable GuardDuty in all regions with automated remediation. Request a cost credit from AWS for fraudulent charges.\n","automation_hint":"aws budgets create-budget --account-id --budget file://budget.json --notifications-with-subscribers file://notifications.json aws ce create-anomaly-monitor --anomaly-monitor MonitorType=DIMENSIONAL,MonitorDimension=SERVICE aws ce create-anomaly-subscription --anomaly-subscription Threshold=10,MonitorArnList=[], Subscribers=[{Address:,Type=EMAIL}],Frequency=DAILY,SubscriptionName=DailyCostAlert\n","outputs":["budget_alerts_created","anomaly_detection_enabled","guardrails_applied"]}],"post_incident":["Request AWS cost credit for fraudulent charges via AWS Support (credit success rate is high for demonstrated attacks)","Conduct comprehensive IAM access review — remove all unnecessary permissions","Implement Service Control Policies to prevent large compute launches without approval","Enable GuardDuty with threat intelligence IP feeds in all AWS regions and accounts","Rotate all access keys in the affected AWS account as a precaution","Implement automatic remediation via GuardDuty + Lambda for CryptoCurrency findings","Remove hardcoded credentials from all code repositories; implement secrets rotation","Enforce IMDSv2 on all EC2 instances via SCP and startup policy","File incident report with cost impact and remediation timeline"],"metrics":{"avg_resolution_time":"60m","false_positive_rate":"5%","escalation_rate":"30%"},"filename":"IR-008-cloud-resource-hijacking.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/cloud/IR-008-cloud-resource-hijacking.yaml"},{"id":"IR-009","name":"Software Supply Chain Compromise","version":"1.0.0","author":"CostNimbus","category":"supply-chain","severity":["critical"],"mitre_attack":["T1195.001","T1195.002","T1554","T1059.001","T1059.004","T1105","T1071.001","T1068"],"trigger":["security_advisory_for_used_dependency","siem_known_malicious_package_hash","ci_cd_anomalous_behavior","edr_post_install_script_alert","threat_intel_feed_package_compromise","developer_reported_anomaly"],"tags":["supply-chain","dependency-compromise","open-source","npm","pypi","go-modules","ci-cd","solarwinds-style"],"tools_required":["siem","edr","sca_tool","ci_cd_platform","artifact_registry"],"estimated_time":"120m","integrations":[{"platform":"snyk","optional":false,"notes":"Software Composition Analysis — package vulnerability and malware detection"},{"platform":"crowdstrike_falcon","optional":false,"notes":"Endpoint detection of post-install script execution and C2 communication"},{"platform":"github_advanced_security","optional":true,"notes":"Dependency graph and secret scanning in source code"},{"platform":"jfrog_xray","optional":true,"notes":"Artifact scanning in internal package registry"},{"platform":"splunk","optional":false,"notes":"CI/CD pipeline log correlation and network telemetry"}],"steps":[{"id":"step-1","name":"Confirm the compromised package and affected versions","type":"investigation","tool":"sca_tool","description":"Identify the exact package, ecosystem (npm, PyPI, Go modules, Maven, NuGet, RubyGems), and affected version range. Obtain the security advisory (GitHub Advisory, NVD, OSV.dev, or vendor bulletin). Confirm the nature of the compromise: malicious code injected into legitimate package, typosquatting package, dependency confusion attack, or compromised package maintainer account. Understand what the malicious code does (data theft, RAT, cryptominer, backdoor, destructive payload).\n","automation_hint":"OSV.dev: GET https://api.osv.dev/v1/query {\"package\": {\"name\": \"\", \"ecosystem\": \"npm\"}} GitHub Advisory: GET https://api.github.com/advisories?ghsaid= Snyk: GET https://snyk.io/api/v1/test/npm// npm audit: npm audit --json | jq '.vulnerabilities.'\n","outputs":["compromised_package","affected_versions","malicious_behavior","cve_or_ghsa_id","compromise_type"]},{"id":"step-2","name":"Identify all internal codebases using the compromised package","type":"investigation","tool":"sca_tool","description":"Search all internal repositories, build artifacts, Docker images, and deployed applications for use of the compromised package and version. Include: direct dependencies, transitive dependencies (the package may be 3 levels deep), vendored copies, and Docker base image layers. Use SCA tooling across all repos, not just manifest files — check lock files.\n","automation_hint":"Snyk: POST https://snyk.io/api/v1/org/{orgId}/test (scan all projects) GitHub Code Search: GET https://api.github.com/search/code?q=+in:file+org: Dependency-track: GET https:///api/v1/component?purl=pkg:npm/@ Docker image scan: grype --only-fixed find / -name \"package-lock.json\" | xargs grep -l \"\"\n","outputs":["affected_repositories","affected_applications","affected_docker_images","total_exposure_scope"]},{"id":"step-3","name":"Determine if malicious package was executed in any environment","type":"investigation","tool":"edr","description":"Determine execution exposure: was the package only listed in dependencies (unused code path) or was it actually executed? Were the post-install scripts run (most dangerous — execute on npm install/pip install)? In which environments: developer workstations, CI/CD runners, production systems, test environments? Each executed environment is a potentially compromised system requiring investigation.\n","automation_hint":"CrowdStrike: search for process ancestry from npm/pip/go with malicious package path GET https://api.crowdstrike.com/events/combined/events/v1 Splunk SPL: index=crowdstrike sourcetype=crowdstrike:events ImageFileName=\"*node_modules**\" CI/CD: review build logs for package installation output with error/anomaly indicators npm: check if preinstall/postinstall scripts exist: cat node_modules//package.json | jq '.scripts'\n","outputs":["execution_confirmed","execution_environments","post_install_scripts_run","production_exposure"]},{"id":"step-4","name":"Isolate compromised CI/CD runners and build systems","type":"action","tool":"edr","description":"If CI/CD runners executed the malicious package: immediately isolate all affected build agents/runners from the network. This is critical — CI/CD systems have broad access to source code, secrets, artifact registries, and deployment credentials. A compromised CI/CD runner may have exfiltrated all build secrets. Suspend all pipelines until runners are verified clean.\n","automation_hint":"CrowdStrike: POST https://api.crowdstrike.com/devices/entities/devices-actions/v2 {\"action_name\": \"contain\", \"ids\": [\"\"]} GitHub Actions: disable affected workflows via API: PUT https://api.github.com/repos/{owner}/{repo}/actions/workflows/{workflow_id}/disable GitLab: PUT https://gitlab.com/api/v4/runners/{runner_id} {\"active\": false}\n","outputs":["runners_isolated","pipelines_suspended","isolation_scope"]},{"id":"step-5","name":"Rotate all secrets potentially exposed in CI/CD","type":"action","description":"Rotate ALL secrets that were accessible to compromised CI/CD environments. This includes: deployment credentials (AWS, GCP, Azure), container registry credentials, npm/PyPI publish tokens, GitHub/GitLab tokens, Kubernetes service account tokens, database credentials, API keys, and any secrets stored in pipeline environment variables or secret managers. This is comprehensive — when CI/CD is compromised, assume all secrets are stolen.\n","automation_hint":"AWS: rotate all IAM access keys used by CI/CD roles GitHub: POST https://api.github.com/repos/{owner}/{repo}/actions/secrets/{secret_name} Docker Hub: revoke and reissue all access tokens Kubernetes: kubectl delete secret -n && kubectl create secret generic ... Vault: vault lease revoke -prefix auth/\n","outputs":["secrets_rotated","rotation_scope","credentials_revoked"]},{"id":"step-6","name":"Investigate for malicious payload execution and C2 activity","type":"investigation","tool":"siem","description":"On all systems that executed the malicious package: hunt for indicators of the payload. Common supply chain payloads: DNS beaconing to attacker infrastructure, credential harvesting (env vars, .ssh, .aws, .kube), file system modification, reverse shell establishment, or cryptominer deployment. Check network logs for connections to attacker C2 infrastructure identified in the advisory.\n","automation_hint":"Splunk SPL: index=proxy earliest=-7d src_ip IN () dest_domain IN () | stats count by src_ip, dest_domain, _time CrowdStrike: search network events from affected hosts for external connections DNS hunting: index=dns query IN () | stats count by query, src_ip Check env variable theft: look for POST requests to external IPs from CI/CD IP range\n","outputs":["c2_communication_detected","data_exfiltrated","payload_behavior","affected_timeframe"]},{"id":"step-7","name":"Remove malicious package and update all dependencies","type":"action","tool":"artifact_registry","description":"Update the compromised package to a safe version in all affected repositories. If no safe version exists, remove the dependency entirely. Update package lock files, rebuild Docker images, and push updated base images. Remove any cached versions from internal artifact registries (JFrog Artifactory, Nexus, GitHub Packages). Clear npm/pip/go caches on build systems.\n","automation_hint":"npm: npm install @ && npm audit fix pip: pip install \">=\" Go: go get @ && go mod tidy JFrog: DELETE https:///artifactory/// Docker: rebuild all images FROM updated base images\n","outputs":["packages_updated","lock_files_updated","images_rebuilt","cache_cleared"]},{"id":"step-8","name":"Re-image compromised developer workstations and build servers","type":"action","tool":"edr","description":"For all systems confirmed to have executed the malicious payload: full re-image is required. Do not attempt to clean — supply chain compromises often establish deep persistence. For developer workstations: preserve user data (personal files), wipe OS and reinstall. For CI/CD runners: terminate and replace with new instances from golden image. Rotate any credentials stored locally (ssh keys, .aws/credentials, .kube/config).\n","automation_hint":"AWS EC2 runner: aws ec2 terminate-instances --instance-ids then launch new from golden AMI Intune (workstations): POST https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{id}/wipe CrowdStrike RTR: collect forensic artifacts before wipe\n","outputs":["systems_reimaged","new_runners_provisioned","developer_impact_count"]},{"id":"step-9","name":"Assess if malicious code reached production deployments","type":"investigation","description":"The highest severity scenario: did any artifacts built with the compromised package get deployed to production? Identify all production deployments using affected artifact versions. Check deployment timestamps against compromise window. If yes, escalate to full incident response: production systems may be compromised, and customers/users may be affected.\n","automation_hint":"Check deployed versions: kubectl get deployments --all-namespaces -o json | jq '.items[].spec.template.spec.containers[].image' AWS ECS: aws ecs describe-task-definition --task-definition Review deployment history in CD tool (ArgoCD, Spinnaker, Helm) for affected artifact versions\n","outputs":["production_affected","customer_impact_assessment","affected_deployment_versions"]},{"id":"step-10","name":"Implement supply chain security controls","type":"action","tool":"ci_cd_platform","description":"Immediately implement controls to prevent future supply chain attacks: pin all dependencies to exact versions with hash verification (npm --package-lock, pip --require-hashes), implement SCA scanning in CI/CD pipeline as a blocking step, set up private mirror of critical packages, enable Sigstore/cosign for package signature verification, configure Dependabot for automated security updates.\n","automation_hint":"npm: set package-lock=true and use npm ci (immutable installs) pip: pip-compile --generate-hashes requirements.in GitHub Dependabot: create .github/dependabot.yml Sigstore: cosign verify @sha256: --certificate-identity=... Policy-as-code: use OPA/Conftest to enforce dependency pinning in CI\n","outputs":["hash_pinning_enabled","sca_in_pipeline","dependabot_configured","package_signing_verified"]},{"id":"step-11","name":"Notify customers and regulators if production was affected","type":"notification","description":"If production systems running customer workloads were compromised: notify affected customers with full disclosure of impact scope. Engage Legal for breach notification obligations (GDPR, CCPA, SOC 2 requirements). Prepare public disclosure statement if material to publicly traded company. Notify CISA if critical infrastructure. Coordinate timing of notifications with legal and PR.\n","outputs":["customer_notifications_sent","regulator_notifications_sent","public_disclosure_prepared"]}],"post_incident":["Commission a complete SBOM (Software Bill of Materials) for all products — know what you're running","Implement private package mirror with allowlist for approved packages and versions","Enable continuous SCA scanning across all repositories in CI/CD","Implement SLSA (Supply-chain Levels for Software Artifacts) framework for build integrity","Establish a process for rapid response to new CVEs in dependencies (target: 24h patch window)","Conduct tabletop exercise focused on supply chain attack scenarios with engineering leadership","Subscribe to relevant security advisory feeds (GitHub Advisories, OSV, CVE) with automated alerting","Review and minimize blast radius: CI/CD should use least-privilege credentials, not admin access","File public post-mortem to contribute to community knowledge (coordinate with Legal)"],"metrics":{"avg_resolution_time":"480m","false_positive_rate":"5%","escalation_rate":"80%"},"filename":"IR-009-supply-chain-compromise.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/supply-chain/IR-009-supply-chain-compromise.yaml"},{"id":"IR-010","name":"Privilege Escalation Detection and Response","version":"1.0.0","author":"CostNimbus","category":"endpoint","severity":["high","critical"],"mitre_attack":["T1068","T1548.002","T1548.003","T1134.001","T1134.002","T1055","T1078.003","T1484.001","T1098"],"trigger":["edr_privilege_escalation_alert","siem_admin_group_change","siem_sudo_to_root_anomaly","windows_event_4672","windows_event_4673","ad_group_membership_change","siem_uac_bypass_technique"],"tags":["privilege-escalation","uac-bypass","token-manipulation","admin-rights","windows","linux","active-directory","lateral-movement-precursor"],"tools_required":["edr","siem","identity_provider","pam_solution","active_directory"],"estimated_time":"30m","integrations":[{"platform":"crowdstrike_falcon","optional":false,"notes":"Privilege escalation behavioral detection and process tree analysis"},{"platform":"microsoft_defender_for_endpoint","optional":true,"notes":"Alternative EDR — Windows-native privilege escalation detection"},{"platform":"splunk","optional":false,"notes":"Windows Event Log correlation, AD event monitoring"},{"platform":"cyberark_pam","optional":true,"notes":"Privileged Access Management — session recording and credential vaulting"},{"platform":"azure_active_directory","optional":false,"notes":"Azure AD / on-prem AD — group membership and role assignment audit"}],"steps":[{"id":"step-1","name":"Identify the escalation technique and affected user","type":"investigation","tool":"edr","description":"Determine the privilege escalation method used: UAC bypass (common techniques: fodhelper, eventvwr, ComputerDefaults), token impersonation (SeImpersonatePrivilege), process injection into higher-privileged process, kernel exploit, sudo misconfiguration (Linux), SUID binary abuse (Linux), or direct AD group modification. Identify the affected user account — was this a standard user who escalated, or a service account? Is this a known-good administrator activity or clearly malicious?\n","automation_hint":"CrowdStrike: GET https://api.crowdstrike.com/detections/entities/summaries/GET/v1 {\"ids\": [\"\"]} Review detection technique field and process tree Windows Event Log: Get-WinEvent -FilterHashtable @{LogName='Security';Id=4672} | Where-Object {$_.Properties[1].Value -notlike \"*Administrator*\"} Linux: ausearch -m USER_ROLE_CHANGE -ts recent | grep -v \"root\"\n","outputs":["escalation_technique","escalation_user","target_privilege_level","affected_host","detection_confidence"]},{"id":"step-2","name":"Capture process tree and execution context","type":"investigation","tool":"edr","description":"Pull the complete process tree for the escalation event: the process that initiated the escalation, parent process, any child processes spawned with elevated privileges, and command-line arguments. Determine what the attacker did with elevated privileges immediately after escalation — this reveals their objective (lateral movement, persistence, data access, credential dumping).\n","automation_hint":"CrowdStrike: GET https://api.crowdstrike.com/events/combined/events/v1 ?filter=device_id:'' + timestamp:>='' Splunk SPL: index=wineventlog EventCode IN (4672,4673,4688) ComputerName=\"\" earliest= | table _time, EventCode, SubjectUserName, ProcessName, NewProcessName, CommandLine\n","outputs":["process_tree","parent_process","post_escalation_commands","spawned_processes"]},{"id":"step-3","name":"Determine if this is a compromised account or lateral movement","type":"investigation","tool":"siem","description":"Assess the context: is this a legitimate administrator who normally has these rights? Is the escalation happening from an unusual workstation for this user? Was there a recent authentication event from unusual IP/location for this account? Check if the account was recently used for phishing or brute force. Lateral movement from a compromised lower-privileged account escalating is a red flag.\n","automation_hint":"Splunk SPL: index=windows_security EventCode=4624 Account_Name=\"\" earliest=-24h | stats count by Source_Network_Address, Logon_Type | sort _time Azure AD: SigninLogs | where UserPrincipalName == \"\" | where TimeGenerated > ago(24h) | project TimeGenerated, IPAddress, Location, RiskLevel, RiskEventTypes\n","outputs":["account_compromise_likelihood","unusual_auth_events","lateral_movement_indicators"]},{"id":"step-4","name":"Check for AD group membership changes and domain privilege escalation","type":"investigation","tool":"active_directory","description":"Check if the escalation included changes to Active Directory: was the user added to Domain Admins, Enterprise Admins, Schema Admins, or other privileged groups? Were new GPOs created or modified? Were new local admin accounts created on the host? Were domain trust relationships modified? AD-level privilege escalation is significantly more severe than local privilege escalation.\n","automation_hint":"Windows Event Log: Get-WinEvent -FilterHashtable @{LogName='Security';Id=4728,4732,4756} | Select-Object TimeCreated, Message | Where-Object {$_.Message -match \"Domain Admins|Enterprise Admins\"} Splunk: index=wineventlog EventCode IN (4728,4732,4756) earliest=-1h | table _time, EventCode, MemberName, GroupName, SubjectUserName AD PowerShell: Get-ADGroupMember \"Domain Admins\" | Select-Object SamAccountName, WhenCreated\n","outputs":["ad_group_changes","domain_admin_access_gained","gpo_modifications","domain_escalation_confirmed"]},{"id":"step-5","name":"Hunt for credential dumping activity","type":"investigation","tool":"edr","description":"Privilege escalation is frequently followed by credential dumping to enable lateral movement. Hunt for: LSASS memory access (Mimikatz patterns), Volume Shadow Copy access (ntds.dit theft), DCSync activity, SAM registry hive reads, DPAPI master key abuse, or network credential capture. Credential dumping from an elevated context is a major escalation in incident severity.\n","automation_hint":"CrowdStrike: detect LSASS access — GET https://api.crowdstrike.com/indicators/queries/processes/v1 ?filter=indicator_value:'lsass.exe' Splunk (Sysmon EventCode=10): index=sysmon EventCode=10 TargetImage=\"*lsass.exe\" NOT SourceImage IN (\"*MsMpEng.exe\",\"*svchost.exe\",\"*wininit.exe\") | table _time, SourceImage, SourceCommandLine, GrantedAccess DCSync detection: index=wineventlog EventCode=4662 Properties=\"*1131f6aa*\"\n","outputs":["credential_dumping_confirmed","lsass_access_detected","dcsync_detected","credentials_at_risk"]},{"id":"step-6","name":"Isolate affected host if escalation is confirmed malicious","type":"action","tool":"edr","description":"If privilege escalation is confirmed malicious (not authorized admin activity): isolate the endpoint immediately. For domain-level escalation, also disable the affected account in AD to prevent lateral movement using newly acquired privileges. For domain controller compromise: follow the ransomware/critical incident playbook — this is a P0 event.\n","automation_hint":"CrowdStrike contain: POST https://api.crowdstrike.com/devices/entities/devices-actions/v2 {\"action_name\": \"contain\", \"ids\": [\"\"]} AD disable account: Disable-ADAccount -Identity Revoke Azure AD sessions: POST https://graph.microsoft.com/v1.0/users/{userId}/revokeSignInSessions\n","outputs":["host_isolated","account_disabled","isolation_timestamp"]},{"id":"step-7","name":"Remove unauthorized privilege grants and reverse AD changes","type":"action","tool":"active_directory","description":"Reverse all unauthorized privilege changes: remove attacker account from privileged AD groups, revert modified GPOs to previous state using AD backup or Group Policy restore, remove local admin rights granted on endpoints, revoke newly created service accounts or local accounts. Use AD change audit logs to identify every modification and revert each.\n","automation_hint":"Remove from group: Remove-ADGroupMember -Identity \"Domain Admins\" -Members \"\" -Confirm:$false Revert GPO: Restore-GPO -Name \"\" -Path \"\" Local admin removal: net localgroup Administrators /delete Revoke Azure AD role: Remove-MgUserAppRoleAssignment -UserId -AppRoleAssignmentId \n","outputs":["privilege_grants_reverted","ad_changes_reversed","local_admin_removed"]},{"id":"step-8","name":"Patch the vulnerability or misconfiguration exploited","type":"action","description":"Identify and remediate the root cause. For CVE-based kernel exploits: emergency patch the OS. For UAC bypass techniques: enforce UAC level 2 (Always Notify) and disable known bypass tools via AppLocker/WDAC. For sudo misconfigurations (Linux): remove NOPASSWD entries, audit sudoers file. For SUID binary abuse: remove unnecessary SUID bits. For SeImpersonatePrivilege abuse (potato attacks): upgrade OS or remove unnecessary service accounts with this privilege.\n","automation_hint":"Windows UAC hardening: Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" -Name \"ConsentPromptBehaviorAdmin\" -Value 2 AppLocker: Set-AppLockerPolicy -XMLPolicy Linux sudoers audit: visudo -c && grep -E \"NOPASSWD|ALL.*ALL\" /etc/sudoers /etc/sudoers.d/* SUID check: find / -perm -4000 -type f 2>/dev/null | xargs ls -la\n","outputs":["vulnerability_patched","misconfiguration_remediated","control_strengthened"]},{"id":"step-9","name":"Assess lateral movement from elevated context","type":"investigation","tool":"siem","description":"With elevated privileges, the attacker may have moved laterally to other systems. Hunt for: authentication events from the compromised host/account to other systems, RDP/WMI/PsExec connections with new admin credentials, network scanning from the escalated context, and new processes spawned on remote systems. Expand scope if lateral movement is confirmed.\n","automation_hint":"Splunk SPL: index=wineventlog (EventCode=4624 OR EventCode=4648) src_ip=\"\" NOT dest_ip=\"\" earliest= | stats count by dest_ip, Account_Name, LogonType CrowdStrike: search lateral movement detections linked to GET https://api.crowdstrike.com/incidents/queries/behaviors/v1?filter=device_id:''\n","outputs":["lateral_movement_targets","additional_compromised_hosts","lateral_movement_scope"]},{"id":"step-10","name":"Force password rotation for all accounts used during escalation","type":"action","tool":"identity_provider","description":"Force immediate password resets for: the escalated account, any accounts whose credentials were dumped or accessed during the escalation window, service accounts on the affected host, and any accounts that authenticated to the host from an external location after the escalation. Reset Kerberos service account keys (krbtgt) if AD was accessed by the attacker.\n","automation_hint":"AD bulk reset: Get-ADUser -Filter * -SearchBase \"OU=Users,DC=corp,DC=com\" | Set-ADUser -ChangePasswordAtLogon $true krbtgt reset (if AD compromise): Reset-KrbtgtKeyInteractive (run twice for full propagation) Azure AD: PATCH https://graph.microsoft.com/v1.0/users/{userId} {\"passwordProfile\": {\"forceChangePasswordNextSignIn\": true}} Service account rotation: script to rotate all service account passwords stored in AD\n","outputs":["passwords_reset","krbtgt_rotated","service_accounts_rotated"]}],"post_incident":["Deploy Privileged Access Workstations (PAWs) for all administrators — prevent admin activity from standard workstations","Implement Just-In-Time (JIT) privileged access — eliminate standing admin accounts","Deploy CyberArk or similar PAM solution for credential vaulting and session recording","Review and harden local administrator account policy — disable built-in Administrator, randomize LAPS passwords","Enforce principle of least privilege — audit all AD group memberships and remove excessive access","Implement Tier Model for Active Directory (Tier 0: DCs, Tier 1: Servers, Tier 2: Workstations)","Enable Windows Defender Credential Guard to protect LSASS from credential dumping","Configure Windows Audit Policy for enhanced privilege use monitoring","File incident report with root cause, remediation steps, and systemic control improvements","Conduct purple team exercise focused on privilege escalation and lateral movement"],"metrics":{"avg_resolution_time":"60m","false_positive_rate":"12%","escalation_rate":"35%"},"filename":"IR-010-privilege-escalation-detection.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/endpoint/IR-010-privilege-escalation-detection.yaml"},{"id":"IR-011","name":"AI/ML Model Abuse and Training Data Poisoning","version":"1.0.0","author":"CostNimbus","category":"cloud","severity":["medium","high","critical"],"mitre_attack":["T1190","T1078","T1496","T1485","T1565.001","T1552.001","T1059"],"trigger":["ml_api_rate_limit_breach","inference_cost_spike_alert","model_endpoint_anomaly","training_pipeline_unauthorized_access","siem_ml_api_abuse","dlp_training_data_exfiltration"],"tags":["ai","ml","llm","prompt-injection","model-abuse","training-data-poisoning","api-key-theft","inference-hijacking"],"tools_required":["siem","cloud_console","api_gateway","dlp_platform","ml_platform_logs","threat_intelligence_platform"],"estimated_time":"60m","integrations":[{"platform":"openai_api","optional":true,"notes":"Usage dashboard and API key management for OpenAI-hosted models"},{"platform":"aws_sagemaker","optional":true,"notes":"CloudWatch metrics for SageMaker endpoints — inference anomaly detection"},{"platform":"azure_ml","optional":true,"notes":"Azure Monitor for ML workspace activity and model registry changes"},{"platform":"splunk","optional":true,"notes":"Ingest model API logs for SIEM correlation and anomaly queries"},{"platform":"datadog","optional":true,"notes":"APM for model serving infrastructure and cost anomaly detection"}],"steps":[{"id":"step-1","name":"Identify the abused model endpoint or API key","type":"investigation","tool":"api_gateway","description":"Identify which model endpoint, API key, or service account is at the center of the anomaly. Review the triggering alert for details: API key ID, model name, endpoint URL, and the nature of the abuse (rate limit breach, unusual request payloads, cost spike). Determine whether the caller is an internal service, external application, or unknown third party. Check if the key is associated with a human developer or a machine identity (CI/CD pipeline, service account).\n","automation_hint":"OpenAI: GET https://api.openai.com/v1/usage — filter by date and API key. AWS SageMaker: aws cloudwatch get-metric-statistics --namespace AWS/SageMaker --metric-name InvocationsPerInstance --dimensions Name=EndpointName,Value= GCP Vertex AI: gcloud logging read 'resource.type=\"aiplatform.googleapis.com/Endpoint\"'\n","outputs":["abused_api_key_id","model_endpoint_name","calling_principal","abuse_type"]},{"id":"step-2","name":"Assess inference cost and volume anomaly","type":"investigation","tool":"cloud_console","description":"Quantify the scope of abuse: total API calls in the anomaly window, tokens processed (for LLMs), compute hours consumed, and associated cost impact. Compare against historical baselines for the same key or endpoint. Identify peak usage windows and correlate with business hours to flag off-hours activity. For LLM endpoints, review average prompt and completion lengths for signs of data exfiltration via model outputs.\n","automation_hint":"OpenAI: GET https://api.openai.com/v1/usage?date=YYYY-MM-DD — sum total_tokens by model. AWS Cost Explorer: aws ce get-cost-and-usage --time-period Start=,End= --granularity HOURLY --filter '{\"Dimensions\":{\"Key\":\"SERVICE\",\"Values\":[\"Amazon SageMaker\"]}}' Azure: az consumption usage list --start-date --end-date --query \"[?contains(instanceName,'ml')]\"\n","outputs":["total_api_calls","total_tokens_or_compute","cost_impact_usd","peak_usage_window"]},{"id":"step-3","name":"Detect prompt injection or jailbreak attempts","type":"investigation","tool":"siem","description":"For LLM-based endpoints, review request payloads for prompt injection patterns: instructions to ignore system prompts, role-play overrides, attempts to extract training data or system configuration, DAN (Do Anything Now) patterns, and indirect injection via user-supplied documents. Check if any completions contain sensitive system information, internal data, or PII. Correlate with DLP alerts for data exfiltration via model outputs.\n","automation_hint":"SIEM query (Splunk): index=ml_api_logs | where match(request_body, \"(?i)(ignore previous|you are now|disregard|system prompt|reveal your|DAN|jailbreak)\") | stats count by src_ip, api_key, model Regex patterns: /ignore (previous|all) (instructions|prompts)/i, /you are (now|a) /i Check completions for SSN, credentials, internal IP patterns.\n","outputs":["prompt_injection_attempts","jailbreak_patterns_found","sensitive_data_in_outputs"]},{"id":"step-4","name":"Investigate training data pipeline for poisoning or exfiltration","type":"investigation","tool":"ml_platform_logs","description":"If training pipelines are involved, audit access to training data stores: S3 buckets, GCS buckets, Azure Blob, or on-premises datasets. Look for unauthorized GetObject or ListBucket calls, unexpected data download volumes, or modifications to training datasets (poisoning). Check the model registry for unauthorized model version uploads, which could introduce backdoored model weights. Review feature store access logs.\n","automation_hint":"AWS S3 training data: aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetObject --query 'Events[?contains(Resources[].ResourceName, `training`)]' Model registry: aws sagemaker list-model-packages --sort-by CreationTime --sort-order Descending GCS: gcloud logging read 'resource.type=\"gcs_bucket\" AND protoPayload.methodName=\"storage.objects.get\"'\n","outputs":["training_data_access_anomalies","poisoned_datasets","unauthorized_model_versions"]},{"id":"step-5","name":"Revoke compromised API keys and model endpoint access","type":"action","tool":"api_gateway","description":"Immediately revoke any compromised or abused API keys. For hosted model APIs (OpenAI, Anthropic, Cohere), rotate the key via the provider's dashboard or API. For self-hosted endpoints (SageMaker, Vertex AI), delete and recreate the endpoint auth token or IAM role. If a service account is involved, disable it and create a new one with least-privilege permissions. Do not delete old keys immediately — preserve for forensics.\n","automation_hint":"OpenAI: DELETE https://api.openai.com/v1/api-keys/ (dashboard or API) AWS SageMaker: aws iam update-access-key --access-key-id --status Inactive GCP: gcloud iam service-accounts keys disable --iam-account=@.iam.gserviceaccount.com Azure: az ad app credential delete --id --key-id \n","outputs":["keys_revoked","endpoints_secured","containment_timestamp"]},{"id":"step-6","name":"Isolate and quarantine affected training environment","type":"action","tool":"cloud_console","description":"If training data poisoning is suspected, immediately halt all training jobs using the affected datasets. Quarantine the dataset by removing read permissions for all principals except the security team. Snapshot current model weights and training artifacts before any cleanup. Pause the model registry to prevent deployment of potentially poisoned models. Cordon off the training VPC/VNet if lateral movement is suspected.\n","automation_hint":"AWS: aws sagemaker stop-training-job --training-job-name Quarantine S3: aws s3api put-bucket-policy --bucket --policy '{\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::/*\",\"Condition\":{\"StringNotEquals\":{\"aws:PrincipalArn\":\"arn:aws:iam:::role/SecurityTeam\"}}}]}' GCP: gcloud ml-engine jobs cancel \n","outputs":["training_jobs_stopped","datasets_quarantined","model_registry_paused"]},{"id":"step-7","name":"Assess model integrity and rollback if poisoned","type":"action","tool":"ml_platform_logs","description":"For models suspected of training data poisoning or backdoor injection, perform integrity checks: compare current model hash against the last known-good checkpoint, run model evaluation on a clean holdout dataset to detect behavioral anomalies, and check for unusual activation patterns or backdoor triggers. If poisoning is confirmed, roll back to the last clean model version from the model registry and retrain from verified data.\n","automation_hint":"Compare model artifacts: sha256sum model.tar.gz vs stored baseline hash AWS SageMaker: aws sagemaker describe-model --model-name | jq '.PrimaryContainer.ModelDataUrl' Azure ML: az ml model list --workspace-name --resource-group --query '[].{name:name,version:version}' Rollback: aws sagemaker create-model --primary-container ImageUri=,ModelDataUrl=\n","outputs":["model_integrity_status","rollback_completed","clean_model_version"]},{"id":"step-8","name":"Implement API gateway rate limiting and geo-restrictions","type":"action","tool":"api_gateway","description":"Harden the model endpoint access controls: implement strict per-key rate limiting, add geographic IP restrictions for model API endpoints, enable request payload validation to block known injection patterns, require mutual TLS for internal service-to-model communication, and implement usage quotas with automatic alerts for anomalous spend. Consider adding a WAF rule set for LLM-specific attack patterns.\n","automation_hint":"AWS API Gateway: aws apigateway create-usage-plan --name MLRateLimit --throttle burstLimit=100,rateLimit=50 AWS WAF: aws wafv2 create-rule-group — add prompt injection regex match rules GCP Apigee: gcloud apigee apis deploy -- add quota policies Azure APIM: az apim product api add — configure rate limits and IP filtering\n","outputs":["rate_limiting_applied","geo_restrictions_set","waf_rules_deployed"]},{"id":"step-9","name":"Notify affected teams and document findings","type":"notification","description":"Notify the ML engineering team, data science leads, and security leadership of the incident scope, impacted models, data exposure risk, and remediation status. If customer data was submitted to or returned from the model in violation of data governance policies, initiate the data breach notification workflow. Document all findings, timeline, and remediation actions in the incident management system.\n","automation_hint":"Slack: POST /api/chat.postMessage to #ml-security-incidents with incident summary PagerDuty: pd incident create --title \"IR-011 AI/ML Abuse\" --urgency high JIRA: Create Security incident ticket with parent Epic link\n","outputs":["notifications_sent","incident_ticket_created"]},{"id":"step-10","name":"Determine initial access vector and close exposure","type":"investigation","description":"Trace how the attacker obtained the API key or model endpoint access. Common vectors: hardcoded key in public GitHub repository, exposed in CI/CD environment variables, leaked via SSRF targeting the cloud metadata service, insider threat, or supply chain compromise. Use git history scanning, CI/CD pipeline audit, and secrets scanning tools to find the source. Revoke and rotate all keys that may have been co-exposed.\n","automation_hint":"GitGuardian / trufflehog: trufflehog git https://github.com// --only-verified GitHub secret scanning: gh secret list --repo / AWS: git log -p | grep -E \"(OPENAI|sk-|ANTHROPIC_API_KEY|Bearer)\" (check CI configs) Secrets manager audit: aws secretsmanager list-secrets | jq '.SecretList[].Tags'\n","outputs":["initial_access_vector","exposure_source_closed","additional_keys_rotated"]}],"post_incident":["Implement secrets scanning (GitGuardian, trufflehog) as mandatory pre-commit and CI gate","Enforce API key rotation policy — maximum 90-day key lifetime for all AI/ML platform keys","Deploy prompt injection detection layer (e.g., Rebuff, LLM Guard) in front of all LLM endpoints","Audit model registry access controls — enforce code review and security approval for model promotions","Implement ML model signing and hash verification to detect tampering of model artifacts","Enable spend anomaly alerts on all AI/ML API accounts with automatic key suspension thresholds","Review data governance policies for training datasets — classify sensitivity and enforce access controls","Conduct red team exercise targeting AI/ML infrastructure to identify additional attack surfaces","Add AI/ML abuse detection rules to SIEM with automated SOAR response playbook"],"metrics":{"avg_resolution_time":"90m","false_positive_rate":"15%","escalation_rate":"45%"},"filename":"IR-011-ai-ml-model-abuse.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/ai-ml/IR-011-ai-ml-model-abuse.yaml"},{"id":"IR-012","name":"API Abuse and Credential Stuffing Attack Response","version":"1.0.0","author":"CostNimbus","category":"network","severity":["medium","high","critical"],"mitre_attack":["T1110.004","T1110.003","T1078","T1539","T1552.001","T1190","T1499.002"],"trigger":["api_gateway_rate_limit_breach","waf_credential_stuffing_alert","siem_4xx_spike","siem_impossible_travel_api_token","siem_geographic_anomaly_api","bot_protection_alert","account_lockout_spike"],"tags":["api","credential-stuffing","rate-limiting","api-gateway","token-theft","bot-attack","brute-force","ip-blocking"],"tools_required":["api_gateway","waf","siem","threat_intelligence_platform","identity_provider","rate_limiting_platform"],"estimated_time":"45m","integrations":[{"platform":"aws_api_gateway","optional":true,"notes":"Usage plans, throttling, and API key management"},{"platform":"cloudflare","optional":true,"notes":"WAF rules, bot management, and IP reputation blocking"},{"platform":"okta","optional":true,"notes":"Identity threat protection and session management for API token issuance"},{"platform":"splunk","optional":true,"notes":"API access log ingestion and 4xx rate anomaly detection"},{"platform":"datadog","optional":true,"notes":"APM trace analysis for credential stuffing pattern detection"}],"steps":[{"id":"step-1","name":"Confirm the attack pattern and identify targeted endpoints","type":"investigation","tool":"api_gateway","description":"Review the triggering alert and confirm the attack type. Credential stuffing presents as a high volume of authentication attempts using valid-format credentials from distributed IPs with low success rates (~0.1-2%). API abuse may show as rate limit breaches, unusual endpoint targeting, or token enumeration. Identify exactly which API endpoints are under attack, the attack start time, source IPs/ASNs, and the volume. Determine if the attack is still in progress.\n","automation_hint":"AWS API Gateway: aws apigateway get-usage --usage-plan-id --start-date --end-date Cloudflare: GET https://api.cloudflare.com/client/v4/zones//security/events SIEM (Splunk): index=api_logs status>=400 status<500 | timechart count by uri | where count > threshold — identify top targeted endpoints\n","outputs":["targeted_endpoints","attack_start_time","source_ip_ranges","attack_still_active"]},{"id":"step-2","name":"Analyze 4xx spike and identify credential stuffing signatures","type":"investigation","tool":"siem","description":"Pull API access logs for the anomaly window and build the attack signature. For credential stuffing: look for high 401/403 rates from the same IP or user-agent, sequential username enumeration, distributed low-and-slow patterns across many IPs, and identical request timing intervals (bot automation). Calculate the hit rate (successful logins / total attempts). Identify any compromised accounts where login succeeded.\n","automation_hint":"Splunk: index=api_logs action=login | stats count(eval(status=200)) as success, count(eval(status=401)) as fail by src_ip | eval hit_rate=round(success/(success+fail)*100,2) | where fail > 50 | sort -fail ELK: GET /api_logs/_search — agg by client_ip, filter status:401, bucket by 5min intervals Check for same user-agent, fixed request intervals (sign of automation)\n","outputs":["attack_signature","compromised_accounts","hit_rate_percentage","bot_indicators"]},{"id":"step-3","name":"Detect impossible travel and geographic anomalies on API tokens","type":"investigation","tool":"siem","description":"Check all API tokens that authenticated successfully during the attack window for impossible travel: the same token used from two geographically distant IPs within a time window that is physically impossible to travel between. Also flag logins from high-risk countries (if not expected), Tor exit nodes, known VPN/proxy providers, and data centers (legitimate users rarely authenticate from cloud provider IP ranges). Correlate with user's historical access patterns.\n","automation_hint":"MaxMind GeoIP lookup: curl https://ipinfo.io//json Impossible travel query (Splunk): index=api_auth_logs | sort by user, _time | streamstats current=false last(_time) as prev_time, last(src_country) as prev_country by user | eval hours_diff=round(((_time-prev_time)/3600),2) | where src_country!=prev_country AND hours_diff < 4 | table user, src_ip, src_country, prev_country, hours_diff\n","outputs":["impossible_travel_events","high_risk_geo_logins","tokens_to_revoke"]},{"id":"step-4","name":"Block attacking IPs and apply emergency rate limiting","type":"action","tool":"waf","description":"Apply immediate containment: block the highest-volume attacking IPs and ASNs at the WAF or API gateway layer. Implement aggressive rate limiting on authentication endpoints (e.g., 5 requests/minute per IP). Add CAPTCHA challenges for suspicious traffic patterns. If using a CDN/WAF (Cloudflare, Akamai, AWS WAF), activate bot management rules and enable enhanced bot detection. Consider temporarily geo-blocking countries that have no legitimate user base.\n","automation_hint":"Cloudflare: POST /zones//firewall/rules — add IP block rules AWS WAF: aws wafv2 update-ip-set --scope REGIONAL --id --addresses nginx rate limiting: limit_req_zone $binary_remote_addr zone=api_auth:10m rate=5r/m; API Gateway: aws apigateway update-stage --rest-api-id --stage-name prod --patch-ops op=replace,path=/defaultRouteSettings/throttlingBurstLimit,value=10\n","outputs":["ips_blocked","rate_limiting_applied","captcha_enabled"]},{"id":"step-5","name":"Revoke compromised tokens and force password resets","type":"action","tool":"identity_provider","description":"For all accounts identified as compromised (successful login during attack or impossible travel detected), immediately revoke all active sessions and API tokens. Force a password reset via email or admin console. If MFA is not enrolled, require MFA enrollment as part of the reset flow. Notify affected users with clear instructions and a support contact. Generate new API keys for affected service accounts and distribute via secure channels.\n","automation_hint":"Okta: POST /api/v1/users//sessions — DELETE (revoke all sessions) Auth0: DELETE /api/v2/users//sessions AWS Cognito: aws cognito-idp admin-user-global-sign-out --user-pool-id --username Azure AD: Revoke-AzureADUserAllRefreshToken -ObjectId Custom JWT: Increment token version in user store to invalidate all existing JWTs\n","outputs":["sessions_revoked","password_resets_forced","mfa_enrollment_required","users_notified"]},{"id":"step-6","name":"Enumerate accounts successfully compromised and assess data accessed","type":"investigation","tool":"siem","description":"For each account confirmed as compromised, perform a detailed audit of all API calls made during the attacker-controlled session: data read/exported, configuration changes, privilege escalation attempts, and lateral movement. Check for new API keys created, OAuth app grants, webhook registrations, or data exports. Determine if any sensitive data was exfiltrated and the scope of PII/financial data exposure.\n","automation_hint":"Filter logs by compromised session token: index=api_logs token= | stats values(uri) as endpoints_hit, sum(response_bytes) as bytes_out by user Look for: POST /exports, GET /users, GET /admin, POST /webhooks, POST /oauth/authorize AWS CloudTrail: filter by source IP of attacker, enumerate all API calls\n","outputs":["compromised_account_list","data_accessed_per_account","pii_exposure_scope","actions_taken_by_attacker"]},{"id":"step-7","name":"Deploy long-term bot mitigation controls","type":"action","tool":"api_gateway","description":"Implement durable bot mitigation: device fingerprinting on authentication endpoints, behavioral analysis to distinguish bots from humans, credential stuffing-specific rules in WAF (known credential breach lists), API token binding to client certificates or device fingerprints, and integration with HaveIBeenPwned or similar breach data feeds to proactively force password resets for users with credentials found in breaches.\n","automation_hint":"HaveIBeenPwned API: GET https://haveibeenpwned.com/api/v3/breachedaccount/ Cloudflare Bot Management: enable via dashboard or API Shape Security / Akamai Bot Manager: configure credential stuffing rules Add IP reputation enrichment: query abuse.ch, Shodan, or IPQualityScore for attacker IPs\n","outputs":["bot_mitigation_deployed","breach_feed_integrated","device_fingerprinting_enabled"]},{"id":"step-8","name":"Notify security, compliance, and affected users","type":"notification","description":"Notify internal stakeholders: security leadership of attack scope and containment status, product/engineering team of any API changes deployed, and legal/compliance if user data was accessed without authorization (potential breach notification trigger). Send user notifications to compromised accounts with password reset instructions, advice to check other sites where they may reuse passwords, and recommendation to enable MFA.\n","automation_hint":"PagerDuty: pd incident create --title \"IR-012 Credential Stuffing Active\" Email notifications: use SMTP relay or SendGrid API for bulk user reset notifications Slack alert to #security-incidents with attack stats and remediation status\n","outputs":["internal_notifications_sent","user_notifications_sent","breach_notification_assessed"]},{"id":"step-9","name":"Review and harden API authentication architecture","type":"action","tool":"api_gateway","description":"Conduct a post-incident review of the API authentication architecture. Assess whether short-lived tokens (JWT with 15-minute expiry) replace long-lived API keys, whether PKCE is enforced for OAuth flows, whether token binding is implemented, and whether the authentication endpoints have dedicated monitoring. Recommend multi-factor authentication for all user-facing API authentication flows.\n","automation_hint":"Review OAuth 2.0 configuration for PKCE: check authorization_code_challenge_method=S256 JWT expiry audit: decode existing JWTs and check exp claim values AWS Cognito: aws cognito-idp describe-user-pool --user-pool-id | jq '.UserPool.Policies'\n","outputs":["auth_architecture_reviewed","hardening_recommendations","mfa_enforcement_plan"]},{"id":"step-10","name":"Document attack timeline and metrics","type":"investigation","tool":"siem","description":"Compile the complete attack timeline: first malicious request, peak attack volume, first detection, time to containment, accounts compromised, and data accessed. Record all indicators of compromise (IOCs): attacker IPs, ASNs, user-agents, attack tools identified, and any C2 infrastructure. Share relevant IOCs with threat intelligence partners and ISAC.\n","automation_hint":"Export attacker IPs to MISP or STIX/TAXII feed for threat intelligence sharing Build timeline: siem query ordered by time, export to incident report template OSINT on attacker IPs: Shodan, Censys, VirusTotal, AbuseIPDB lookups\n","outputs":["attack_timeline","ioc_list","threat_intel_shared"]}],"post_incident":["Implement adaptive rate limiting with exponential backoff for repeated authentication failures","Deploy credential breach monitoring — proactively notify users whose credentials appear in breach databases","Enforce MFA for all user accounts — remove legacy password-only authentication flows","Implement API token binding to client device or certificate to prevent token theft replay","Integrate bot protection solution (Cloudflare Bot Management, Akamai Bot Defender, or AWS WAF Bot Control)","Enable real-time impossible travel detection with automatic session revocation in IdP","Rotate all API keys that were active during the attack window as a precaution","Conduct purple team exercise testing credential stuffing defenses end-to-end","Review password policy — enforce minimum complexity, breach database checks at password set/change"],"metrics":{"avg_resolution_time":"60m","false_positive_rate":"20%","escalation_rate":"35%"},"filename":"IR-012-api-abuse-credential-stuffing.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/api-security/IR-012-api-abuse-credential-stuffing.yaml"},{"id":"IR-013","name":"SaaS Account Compromise (M365, Google Workspace, Slack)","version":"1.0.0","author":"CostNimbus","category":"identity","severity":["high","critical"],"mitre_attack":["T1078.004","T1556.006","T1114.002","T1114.003","T1550.001","T1098.003","T1136.003","T1530"],"trigger":["impossible_travel_alert","new_mfa_device_registered","suspicious_mail_forwarding_rule","oauth_app_admin_consent","mass_download_sharepoint","saas_risky_signin_alert","identity_protection_alert","user_reported_account_takeover"],"tags":["saas","microsoft-365","google-workspace","slack","account-takeover","oauth","mfa-bypass","email-forwarding","session-hijacking"],"tools_required":["microsoft_365_defender","google_workspace_admin","identity_provider","siem","casb","threat_intelligence_platform"],"estimated_time":"50m","integrations":[{"platform":"microsoft_365_defender","optional":false,"notes":"Primary detection for M365 — Unified audit log, Identity Protection, Defender for Cloud Apps"},{"platform":"google_workspace_admin","optional":true,"notes":"Admin SDK audit logs and security center for Workspace investigations"},{"platform":"okta","optional":true,"notes":"Identity threat protection, session management, and risk-based authentication"},{"platform":"microsoft_entra_id","optional":true,"notes":"Azure AD Conditional Access, sign-in logs, and Identity Protection risk signals"},{"platform":"microsoft_defender_for_cloud_apps","optional":true,"notes":"CASB for OAuth app governance, anomalous activity detection, and session controls"}],"steps":[{"id":"step-1","name":"Confirm account compromise and assess initial scope","type":"investigation","tool":"microsoft_365_defender","description":"Review the triggering alert and confirm account compromise indicators: impossible travel (login from two distant IPs within an unrealistic timeframe), login from an atypical country or high-risk IP, new MFA device registration not initiated by the user, or user-reported unauthorized access. Identify all affected accounts, the compromise timeline, and the attacker's source IPs. Determine if the incident is isolated to one user or is part of a broader campaign targeting multiple accounts.\n","automation_hint":"M365: Search-UnifiedAuditLog -UserIds -Operations UserLoggedIn,UserLoginFailed -StartDate Azure AD sign-in logs: GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq '' Google Workspace: GET https://admin.googleapis.com/admin/reports/v1/activity/users//applications/login PowerShell: Get-MgAuditLogSignIn -Filter \"userPrincipalName eq ''\" | Select-Object CreatedDateTime, IpAddress, Location, RiskLevelDuringSignIn\n","outputs":["confirmed_compromised_accounts","attacker_source_ips","compromise_start_time","attack_campaign_scope"]},{"id":"step-2","name":"Revoke all active sessions immediately","type":"action","tool":"identity_provider","description":"Terminate all active sessions for the compromised account across all SaaS platforms. This invalidates existing access tokens, refresh tokens, and session cookies, forcing the attacker out immediately. For M365, revoke sign-in sessions and invalidate all refresh tokens. For Google Workspace, sign out all devices. For Slack, revoke all active sessions. Do not wait for password reset before revoking sessions — the attacker may be monitoring the session actively.\n","automation_hint":"M365 PowerShell: Revoke-MgUserSignInSession -UserId Or: Invoke-MgInvalidateAllRefreshTokensByUserId (Graph API) Microsoft Graph: POST https://graph.microsoft.com/v1.0/users//revokeSignInSessions Google Workspace: POST https://admin.googleapis.com/admin/directory/v1/users//signOut Slack: POST https://slack.com/api/admin.users.session.resetBulk (Slack Enterprise Grid)\n","outputs":["sessions_revoked","refresh_tokens_invalidated","revocation_timestamp"]},{"id":"step-3","name":"Force password reset and re-enroll MFA","type":"action","tool":"identity_provider","description":"Force a password reset for all compromised accounts. Require the user to create a strong password not previously used. Require MFA re-enrollment from a trusted device — invalidate any recently registered MFA devices that were not approved by the user. If phishing-resistant MFA (FIDO2/passkeys) is available, require upgrade from SMS/TOTP. Notify the user via an out-of-band channel (phone call, Slack DM from IT) with instructions.\n","automation_hint":"M365: Set-MsolUserPassword -UserPrincipalName -ForceChangePassword $true Disable new MFA methods: Set-MgUserAuthenticationPhoneMethod (review and delete attacker-added methods) Microsoft Graph: DELETE https://graph.microsoft.com/v1.0/users//authentication/phoneMethods/ Azure AD: Remove-MgUserAuthenticationSoftwareOathMethod -UserId -SoftwareOathAuthenticationMethodId Google: admin.directory.users.update — changePasswordAtNextLogin: true\n","outputs":["password_reset_forced","attacker_mfa_devices_removed","mfa_re_enrollment_required"]},{"id":"step-4","name":"Audit and remove malicious mail forwarding rules and inbox rules","type":"investigation","tool":"microsoft_365_defender","description":"Attackers commonly establish persistence by creating inbox rules to forward emails to external addresses, delete security alerts, or move sensitive emails to obscure folders. Review all inbox rules and mail forwarding settings for the compromised account. Check: external forwarding rules, rules that delete or move security alert emails, rules triggered on keywords (invoice, payment, password reset), and tenant-level external email forwarding policies.\n","automation_hint":"M365 Exchange: Get-InboxRule -Mailbox | Select Name, Description, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage Remove malicious rule: Remove-InboxRule -Identity -Mailbox Check mail transport rules: Get-TransportRule | Where-Object {$_.BlindCopyTo -ne $null} Google Workspace: GET https://gmail.googleapis.com/gmail/v1/users//settings/forwardingAddresses Microsoft Graph: GET https://graph.microsoft.com/v1.0/users//mailFolders/inbox/messageRules\n","outputs":["malicious_rules_found","forwarding_destinations","rules_removed"]},{"id":"step-5","name":"Review and revoke unauthorized OAuth application grants","type":"investigation","tool":"casb","description":"Attackers may grant OAuth consent to malicious third-party applications to maintain persistent access even after password reset. Review all OAuth applications authorized by the compromised account. Flag apps with broad permissions (mail.read, files.read.all, contacts.read), unfamiliar app publishers, recently consented apps, and apps not in the approved enterprise application catalog. Revoke all suspicious OAuth grants immediately.\n","automation_hint":"M365: Get-MgUserOAuth2PermissionGrant -UserId | Select ClientId, Scope, ConsentType Revoke: Remove-MgOAuth2PermissionGrant -OAuth2PermissionGrantId PowerShell: Get-AzureADUserOAuth2PermissionGrant -ObjectId Microsoft Graph: DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/ Google Workspace Admin: POST https://admin.googleapis.com/admin/datatransfer/v1/transfers Revoke all for user: Get-AzureADServicePrincipal | Get-AzureADServicePrincipalOAuth2PermissionGrant\n","outputs":["oauth_apps_audited","malicious_oauth_grants_revoked","approved_app_list_reviewed"]},{"id":"step-6","name":"Investigate data access and exfiltration during attack window","type":"investigation","tool":"casb","description":"Audit all data access activity during the attacker-controlled session: files downloaded from SharePoint/OneDrive/Google Drive, emails read or forwarded, calendar events viewed, Teams/Slack messages accessed, and any data shared externally. Look for mass download events, external sharing link creation, bulk email reads, and calendar data access (often used for whaling and BEC). Assess the sensitivity of data accessed.\n","automation_hint":"M365 Unified Audit Log (PowerShell): Search-UnifiedAuditLog -UserIds -Operations FileDownloaded,FileCopied,FileAccessedExtended,SendAs -StartDate -EndDate | Export-Csv audit_report.csv SharePoint activity: Get-SPOSite | Get-SPOActivityReport Google Workspace: Reports API — drive activity, gmail activity during attack window Defender for Cloud Apps: Investigate user activity timeline in MCAS portal\n","outputs":["files_downloaded","emails_exfiltrated","external_shares_created","data_sensitivity_assessment"]},{"id":"step-7","name":"Check for attacker persistence mechanisms","type":"investigation","tool":"microsoft_365_defender","description":"Attackers often establish multiple persistence mechanisms. Check for: new app registrations in Azure AD with permissions to the compromised tenant, new service principals or managed identities, new user accounts created by the attacker, admin role assignments made during the attack window, modifications to Conditional Access policies, new mail connectors or transport rules, and new webhooks or API subscriptions in Slack, Teams, or other SaaS.\n","automation_hint":"New Azure AD apps: Get-MgApplication -Filter \"createdDateTime ge \" New users: Get-MgUser -Filter \"createdDateTime ge \" Admin roles: Get-MgRoleManagementDirectoryRoleAssignment | Where-Object {$_.CreatedDateTime -gt } Slack app installations: GET https://slack.com/api/apps.connections.list (Enterprise Grid) New M365 mail connectors: Get-InboundConnector; Get-OutboundConnector (check CreatedDate)\n","outputs":["persistence_mechanisms_found","new_accounts_created","privilege_escalation_detected","persistence_removed"]},{"id":"step-8","name":"Implement conditional access and session controls","type":"action","tool":"identity_provider","description":"Strengthen access controls to prevent recurrence: enable Conditional Access policies requiring compliant/hybrid-joined devices for SaaS access, block legacy authentication protocols (SMTP AUTH, POP3, IMAP — common bypass vectors), enable continuous access evaluation (CAE) for real-time token revocation, require phishing-resistant MFA for all privileged accounts, and deploy Microsoft Defender for Cloud Apps session controls or equivalent CASB proxy for sensitive SaaS applications.\n","automation_hint":"Azure AD Conditional Access: New-MgIdentityConditionalAccessPolicy (block legacy auth) Block legacy auth: clientAppTypes = ['exchangeActiveSync', 'other'] — grant access block CAE: Enabled by default in Azure AD — verify with: Get-MgPolicyContinuousAccessEvaluation CASB session control: Configure Defender for Cloud Apps app connector and conditional access app control\n","outputs":["legacy_auth_blocked","cae_enabled","session_controls_deployed","phishing_resistant_mfa_enforced"]},{"id":"step-9","name":"Notify user, management, and compliance teams","type":"notification","description":"Notify the compromised user directly (out-of-band channel) with: confirmation of compromise, actions taken, and guidance on securing personal accounts that may share the same password. Brief the user's manager and HR if sensitive business communications were accessed. Engage legal and compliance if regulated data (HIPAA, GDPR, PCI) was accessed — potential breach notification obligations within 72 hours (GDPR) or 60 days (HIPAA) may apply. File incident report in ticketing system.\n","automation_hint":"Out-of-band notification: phone call, SMS via Twilio, or Slack DM from IT account GDPR breach register: document within 72 hours if personal data involved PagerDuty: pd incident create --title \"IR-013 SaaS Account Compromise: \" JIRA: Create Incident ticket with Privacy/Legal label if regulated data accessed\n","outputs":["user_notified","management_briefed","legal_compliance_assessed","breach_notification_filed"]},{"id":"step-10","name":"Determine initial access vector and close the gap","type":"investigation","description":"Investigate how the attacker obtained valid credentials. Common vectors: phishing email with AiTM (adversary-in-the-middle) proxy stealing session cookies, credential bought from infostealer marketplace, password reuse from prior data breach, SIM swapping to bypass SMS MFA, or insider threat. Review email headers for phishing attempts received prior to the compromise, check for infostealer infection on the user's endpoint (Redline, Raccoon, Vidar), and scan the dark web for the user's credentials.\n","automation_hint":"Phishing search: Search-UnifiedAuditLog -Operations MailItemsAccessed,UserLoggedIn -prior to compromise time Infostealer hunting: check endpoint EDR for credential-stealing malware indicators HaveIBeenPwned: GET https://haveibeenpwned.com/api/v3/breachedaccount/ AiTM phishing IOCs: check email headers for Evilginx2, Modlishka, Muraena relay patterns Dark web monitoring: Flare, SpyCloud, or similar platforms for credential exposure\n","outputs":["initial_access_vector","phishing_campaign_identified","endpoint_clean_or_compromised"]}],"post_incident":["Enforce phishing-resistant MFA (FIDO2/passkeys) for all accounts — eliminate SMS and TOTP for privileged users","Block legacy authentication protocols globally across M365 and Google Workspace tenants","Implement CASB session controls for all sanctioned SaaS applications","Enable tenant-wide external email forwarding block and audit forwarding rules quarterly","Deploy Microsoft Entra Identity Protection or equivalent risk-based Conditional Access policies","Conduct phishing simulation campaign targeting all employees, with focus on AiTM scenarios","Integrate dark web credential monitoring to proactively detect exposed credentials","Establish OAuth application allowlisting — block unapproved app consent at tenant level","Review SaaS application catalog and remove unused or unapproved applications"],"metrics":{"avg_resolution_time":"80m","false_positive_rate":"10%","escalation_rate":"50%"},"filename":"IR-013-saas-account-compromise.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/identity/IR-013-saas-account-compromise.yaml"},{"id":"IR-014","name":"Container and Kubernetes Security Incident Response","version":"1.0.0","author":"CostNimbus","category":"cloud","severity":["high","critical"],"mitre_attack":["T1610","T1613","T1611","T1496","T1552.007","T1021.004","T1543","T1078.001"],"trigger":["falco_container_escape_alert","kubernetes_audit_privileged_pod","resource_spike_cpu_memory","unexpected_network_policy_change","kubernetes_rbac_anomaly","container_scanning_critical_finding","siem_k8s_audit_anomaly","cryptominer_detected"],"tags":["kubernetes","container","k8s","container-escape","cryptomining","lateral-movement","privileged-pod","rbac-abuse","pod-security"],"tools_required":["kubernetes_cli","container_runtime","siem","cloud_console","falco","trivy","threat_intelligence_platform"],"estimated_time":"60m","integrations":[{"platform":"falco","optional":false,"notes":"Runtime security for container escape, privilege escalation, and anomalous syscall detection"},{"platform":"aws_eks","optional":true,"notes":"EKS control plane audit logs, CloudTrail for Kubernetes API server events"},{"platform":"gke_security_command_center","optional":true,"notes":"GKE threat detection and container threat analysis"},{"platform":"datadog","optional":true,"notes":"Container performance monitoring for resource hijacking and crypto mining detection"},{"platform":"trivy","optional":true,"notes":"Container image vulnerability scanning and SBOM analysis"}],"steps":[{"id":"step-1","name":"Identify the affected pods, nodes, and namespaces","type":"investigation","tool":"kubernetes_cli","description":"Identify the scope of the incident: which pods, namespaces, and nodes are affected. Review the triggering alert for details — Falco rule name, pod name, namespace, node, and container image. For cryptomining: identify pods with abnormal CPU/memory consumption. For container escapes: identify the pod that triggered the syscall anomaly and the node it runs on. For RBAC abuse: identify the ServiceAccount and the API calls made. Determine if the incident is limited to a single pod or has spread across the cluster.\n","automation_hint":"kubectl get pods --all-namespaces -o wide | grep -v Running kubectl top pods --all-namespaces | sort --reverse --key 3 --numeric | head -20 kubectl get events --all-namespaces --sort-by='.lastTimestamp' | tail -50 kubectl describe pod -n EKS audit logs: aws cloudwatch filter-log-events --log-group-name /aws/eks//cluster --filter-pattern '{ $.verb = \"create\" && $.objectRef.resource = \"pods\" }'\n","outputs":["affected_pods","affected_nodes","affected_namespaces","container_images_involved"]},{"id":"step-2","name":"Detect container escape or privileged container abuse","type":"investigation","tool":"falco","description":"Investigate container escape indicators: privileged containers mounting the host filesystem (hostPath volumes), pods with hostPID or hostNetwork enabled, unusual mount points inside containers, Falco alerts for container_escape or shell_in_container rules, unexpected nsenter or chroot syscalls, and processes running inside containers that shouldn't be (kubectl, crictl, docker). Check if the attacker has accessed the underlying node OS.\n","automation_hint":"kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.hostPID==true or .spec.hostNetwork==true or .spec.containers[].securityContext.privileged==true) | {name: .metadata.name, ns: .metadata.namespace}' Falco: journalctl -u falco | grep \"Container Escape\\|Privilege Escalation\\|shell in container\" Check host mounts: kubectl get pod -o json | jq '.spec.volumes[] | select(.hostPath)' Node access: kubectl exec -it -- chroot /host /bin/bash (if /host is mounted)\n","outputs":["container_escape_confirmed","privileged_containers_found","host_access_achieved","affected_nodes_compromised"]},{"id":"step-3","name":"Identify cryptomining or resource hijacking workloads","type":"investigation","tool":"siem","description":"If resource hijacking is suspected, identify cryptomining containers: look for pods with sustained >90% CPU usage, known cryptominer process names (xmrig, kswapd0, kdevtmpfsi, cryptonight), outbound connections to mining pool domains (pool.minexmr.com, xmrig.com), and container images not from approved registries. Check for recently deployed DaemonSets (to ensure persistence across all nodes). Correlate with cloud billing anomalies.\n","automation_hint":"kubectl top pods --all-namespaces --sort-by=cpu | head -20 Process check: kubectl exec -it -- ps aux | grep -E \"(xmrig|minerd|cryptonight|kswapd)\" Network: kubectl exec -it -- ss -tnp | grep -E \"(3333|4444|5555|7777|14444)\" # common mining ports Image audit: kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{\"\\t\"}{.spec.containers[*].image}{\"\\n\"}{end}' | grep -v \n","outputs":["cryptominer_pods_identified","mining_pool_connections","unauthorized_images","resource_cost_impact"]},{"id":"step-4","name":"Isolate affected pods with network policy","type":"action","tool":"kubernetes_cli","description":"Apply emergency network policy to isolate affected pods and prevent lateral movement or C2 communication. Create a deny-all NetworkPolicy in the affected namespace to block all ingress and egress traffic. For container escape scenarios where the node may be compromised, cordon the node to prevent new pod scheduling. If Calico or Cilium is used, apply a GlobalNetworkPolicy to quarantine at the node level.\n","automation_hint":"Apply deny-all network policy: kubectl apply -f - <\nspec:\n podSelector: {}\n policyTypes: [Ingress, Egress]\nEOF Cordon node: kubectl cordon Label pod for quarantine: kubectl label pod quarantine=true -n \n","outputs":["network_policies_applied","nodes_cordoned","lateral_movement_blocked"]},{"id":"step-5","name":"Kill malicious pods and delete unauthorized workloads","type":"action","tool":"kubernetes_cli","description":"Terminate malicious pods and delete any unauthorized workloads created by the attacker. Before deletion, capture the pod's runtime state for forensics: exec into the pod to collect process list, network connections, and filesystem artifacts. If possible, snapshot the container filesystem. Delete cryptomining pods, attacker-created Deployments, DaemonSets, Jobs, and CronJobs. Remove unauthorized container images from the node's local cache to prevent re-execution.\n","automation_hint":"Collect forensics first: kubectl exec -n -- /bin/sh -c \"ps aux; ss -tnp; cat /etc/hosts\" > pod_forensics.txt Snapshot filesystem: kubectl cp :/tmp /local/evidence/ -n Kill pod: kubectl delete pod -n --grace-period=0 --force Delete deployment: kubectl delete deployment -n Remove from all nodes: kubectl get nodes -o name | xargs -I{} kubectl debug -it {} --image=alpine -- crictl rmi \n","outputs":["forensics_collected","malicious_pods_deleted","unauthorized_workloads_removed"]},{"id":"step-6","name":"Audit RBAC and ServiceAccount permissions","type":"investigation","tool":"kubernetes_cli","description":"Investigate RBAC abuse: identify which ServiceAccount the compromised pod used, what ClusterRoles or Roles it was bound to, and what API server calls were made using that token. Check the Kubernetes audit log for sensitive API calls: listing secrets, creating pods, exec into other pods, or accessing the kubelet API. Look for newly created ServiceAccounts, RoleBindings, or ClusterRoleBindings created during the attack window.\n","automation_hint":"Check SA permissions: kubectl auth can-i --list --as system:serviceaccount:: List bindings: kubectl get clusterrolebindings -o json | jq '.items[] | select(.subjects[]?.name==\"\")' Audit log (EKS): filter for verb=exec, list, get -- resource=secrets,pods in cloudwatch New RBAC objects: kubectl get clusterrolebindings --sort-by=.metadata.creationTimestamp | tail -20 Revoke SA token: kubectl delete secret -n \n","outputs":["serviceaccount_permissions","api_calls_made_by_attacker","rbac_changes_detected","excessive_permissions_found"]},{"id":"step-7","name":"Investigate lateral movement to other pods or cloud services","type":"investigation","tool":"siem","description":"Determine if the attacker moved laterally from the compromised pod. Check for: API calls to the Kubernetes API server from unusual pods, kubectl exec sessions initiated against other pods, cloud metadata service calls (IMDS at 169.254.169.254) to steal cloud credentials, attempts to access secrets in other namespaces, and connections to other pods on non-standard ports. For cloud-hosted clusters, check CloudTrail/Stackdriver for subsequent cloud API calls from the node's IAM role.\n","automation_hint":"Node IAM role abuse (EKS): aws cloudtrail lookup-events --lookup-attributes AttributeKey=SourceIPAddress,AttributeValue= IMDS call detection: Falco rule: k8s_metadata_service_access or check container network logs for 169.254.169.254 Pod-to-pod connections: kubectl logs -n calico-system | grep Secrets accessed: kubernetes audit log — filter verb=get resource=secrets namespace!=\n","outputs":["lateral_movement_confirmed","cloud_credentials_stolen","other_pods_compromised","blast_radius_assessment"]},{"id":"step-8","name":"Rotate secrets, tokens, and cloud credentials","type":"action","tool":"cloud_console","description":"Rotate all credentials that may have been accessed by the attacker: Kubernetes Secrets in the compromised namespace (DB passwords, API keys, TLS certs), ServiceAccount tokens, cloud IAM credentials associated with the node's instance profile or workload identity, and any secrets stored in a secrets manager (Vault, AWS Secrets Manager) that the compromised workload had access to. Rotate the Kubernetes API server certificate if a cluster-admin token was exposed.\n","automation_hint":"List secrets in namespace: kubectl get secrets -n Recreate SA token: kubectl delete serviceaccount -n ; kubectl create serviceaccount -n AWS node role key rotation: aws iam create-access-key (if using static keys — prefer IRSA instead) Vault: vault lease revoke -prefix auth/kubernetes/ AWS Secrets Manager: aws secretsmanager rotate-secret --secret-id \n","outputs":["secrets_rotated","sa_tokens_regenerated","cloud_credentials_rotated"]},{"id":"step-9","name":"Re-image or rebuild compromised nodes","type":"action","tool":"cloud_console","description":"For confirmed container escapes where the host OS was accessed, the node is no longer trustworthy and must be drained and terminated. Drain the node to reschedule workloads, then terminate and replace it with a fresh instance from a known-good AMI/image. For managed Kubernetes (EKS, GKE, AKS), trigger a node pool replacement or rolling upgrade. Do not attempt to clean and reuse a compromised node.\n","automation_hint":"Drain node: kubectl drain --ignore-daemonsets --delete-emptydir-data Delete node from cluster: kubectl delete node EKS: aws eks update-nodegroup-config --cluster-name --nodegroup-name --scaling-config desiredSize= Then terminate compromised instance: aws ec2 terminate-instances --instance-ids GKE: gcloud container clusters upgrade --node-pool \n","outputs":["nodes_drained","nodes_terminated","clean_nodes_provisioned"]},{"id":"step-10","name":"Apply pod security policies and admission controls","type":"action","tool":"kubernetes_cli","description":"Harden the cluster post-incident: enforce Pod Security Standards (Restricted or Baseline) across all namespaces, implement OPA Gatekeeper or Kyverno policies to reject privileged containers, hostPath mounts, and default ServiceAccount auto-mounting. Ensure all container images are from approved registries with verified signatures (Cosign/Notary). Deploy runtime security with Falco rules for ongoing detection. Review and tighten all RBAC to least privilege.\n","automation_hint":"Apply Pod Security Standard: kubectl label namespace pod-security.kubernetes.io/enforce=restricted Kyverno policy — block privileged: kubectl apply -f https://kyverno.io/policies/pod-security/restricted/ Disable SA automount: kubectl patch serviceaccount default -p '{\"automountServiceAccountToken\": false}' -n Image signing: cosign verify --key Falco rules: edit /etc/falco/falco_rules.yaml — enable container_escape, write_below_etc, etc.\n","outputs":["pod_security_standards_enforced","admission_controls_deployed","rbac_hardened","runtime_monitoring_enhanced"]}],"post_incident":["Enforce Pod Security Standards (Restricted) globally — no privileged containers outside kube-system","Implement mandatory image signing and verify signatures at admission time (Cosign + Kyverno)","Deploy Falco or equivalent runtime security with custom rules for your environment","Audit all ClusterRoleBindings — remove cluster-admin grants from service accounts and user workloads","Disable ServiceAccount token automounting by default — opt-in only for pods that need it","Implement network segmentation with NetworkPolicy — default deny-all with explicit allow rules","Enable Kubernetes audit logging to SIEM with alerting for sensitive API calls","Scan all container images in CI/CD with Trivy — block critical CVEs from reaching production","Conduct cluster penetration test using kube-bench, kube-hunter, and Peirates","Review cloud IAM for the cluster's node group — apply IRSA/Workload Identity instead of node-level IAM roles"],"metrics":{"avg_resolution_time":"90m","false_positive_rate":"12%","escalation_rate":"55%"},"filename":"IR-014-container-kubernetes-incident.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/cloud/IR-014-container-kubernetes-incident.yaml"},{"id":"IR-015","name":"Non-Human Identity (NHI) Compromise — Service Accounts, API Keys, and CI/CD Tokens","version":"1.0.0","author":"CostNimbus","category":"identity","severity":["high","critical"],"mitre_attack":["T1078.004","T1552.001","T1552.004","T1550.001","T1098.001","T1059.009","T1053.007","T1195.002"],"trigger":["service_account_off_hours_activity","api_key_geographic_anomaly","cicd_token_unauthorized_use","service_account_permission_escalation","secrets_manager_unusual_access","siem_nhi_behavior_anomaly","git_secret_exposure_alert","github_actions_token_abuse"],"tags":["nhi","service-account","api-key","oauth-token","cicd","github-actions","secret-rotation","machine-identity","pipeline-security","least-privilege"],"tools_required":["siem","secrets_manager","identity_provider","cloud_console","cicd_platform","git_secret_scanner","threat_intelligence_platform"],"estimated_time":"55m","integrations":[{"platform":"hashicorp_vault","optional":true,"notes":"Dynamic secrets, lease revocation, and audit log for NHI credential management"},{"platform":"aws_iam","optional":true,"notes":"Service account audit, access key management, and IAM roles for workloads"},{"platform":"github_advanced_security","optional":true,"notes":"Secret scanning and push protection for detecting leaked NHI credentials in repos"},{"platform":"splunk","optional":true,"notes":"NHI behavior analytics — baseline service account activity and detect anomalies"},{"platform":"cyberark_conjur","optional":true,"notes":"Secrets management and rotation for CI/CD and application credentials"}],"steps":[{"id":"step-1","name":"Identify the compromised NHI and confirm the anomaly","type":"investigation","tool":"siem","description":"Identify which non-human identity is compromised: service account, API key, OAuth token, CI/CD pipeline token (GitHub Actions GITHUB_TOKEN, GitLab CI_JOB_TOKEN), or machine certificate. Confirm the anomaly: off-hours API activity from a service account that normally operates 9-5, geographically impossible source IP for an API key tied to a specific cloud region, unusual resource access scope, or Git secret scanner alert on a public/private repository. Determine if the NHI is still active.\n","automation_hint":"AWS: aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue= Azure: az monitor activity-log list --query \"[?contains(caller,'ServicePrincipal')]\" --start-time GCP: gcloud logging read 'protoPayload.authenticationInfo.serviceAccountKeyId=\"\"' --limit 100 GitHub Actions: GET https://api.github.com/repos///actions/runs?status=completed&per_page=30 GitGuardian: GET https://api.gitguardian.com/v1/incidents?status=triggered&severity=high\n","outputs":["compromised_nhi_id","nhi_type","anomaly_confirmed","activity_still_ongoing"]},{"id":"step-2","name":"Immediately disable or revoke the compromised credential","type":"action","tool":"cloud_console","description":"Disable the compromised NHI credential immediately. Do NOT delete — preserve for forensics. For AWS IAM access keys: set status to Inactive. For Azure service principals: disable the application or revoke the specific credential. For GCP service account keys: disable the key. For GitHub personal access tokens or PATs: revoke via GitHub settings or admin API. For Vault-managed secrets: revoke the specific lease. Act fast — every minute counts while the attacker retains access.\n","automation_hint":"AWS: aws iam update-access-key --access-key-id --status Inactive --user-name Azure SP: az ad sp credential reset --id --credential-description \"emergency-revoke\" GCP: gcloud iam service-accounts keys disable --iam-account=@.iam.gserviceaccount.com GitHub PAT/Token: DELETE https://api.github.com/user/tokens/ (requires admin) Vault: vault lease revoke or vault lease revoke -prefix HashiCorp: vault token revoke \n","outputs":["credential_disabled","revocation_timestamp","forensic_copy_preserved"]},{"id":"step-3","name":"Enumerate all API calls and actions made with the compromised identity","type":"investigation","tool":"siem","description":"Build a complete timeline of all actions taken by the attacker using the compromised NHI. Pull API call history from the relevant cloud/platform audit trail. Focus on: new credentials created (persistence), permissions granted or roles assumed, data accessed or exported, infrastructure changes (compute spawned, network changes), secrets read from vaults or environment variables, and any cross-account or cross-service lateral movement.\n","automation_hint":"AWS CloudTrail: aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue= --start-time --end-time | jq '.Events[] | {time:.EventTime, event:.EventName, source:.SourceIPAddress}' Azure: az monitor activity-log list --caller --start-time --end-time GCP: gcloud logging read 'protoPayload.authenticationInfo.principalEmail=\"\"' --limit 500 GitHub: GET https://api.github.com/orgs//audit-log?phrase=actor:&per_page=100\n","outputs":["complete_api_call_timeline","resources_accessed","persistence_mechanisms_created","data_exfiltration_assessment"]},{"id":"step-4","name":"Detect and remediate secrets exposed in code repositories","type":"investigation","tool":"git_secret_scanner","description":"If the compromise originated from a leaked secret in a code repository, scan all repos for the exposed credential and any co-located secrets. Use trufflehog, GitGuardian, or GitHub secret scanning to find all occurrences. Scan git history (not just HEAD) — secrets committed and later deleted are still in git history. Check forks, public gists, Pastebin, and developer workstations where the repo may have been cloned.\n","automation_hint":"Trufflehog: trufflehog git https://github.com// --only-verified --json Git history scan: git log -p --all | grep -E \"(AKIA|sk-|ghp_|glpat-|xoxb-)\" GitHub secret scanning: gh secret list; gh api /repos///secret-scanning/alerts GitGuardian API: GET https://api.gitguardian.com/v1/incidents?status=triggered Remove from history: git filter-repo --path-glob '*.env' --invert-paths (then force-push)\n","outputs":["exposure_source_identified","all_occurrences_found","git_history_cleaned"]},{"id":"step-5","name":"Investigate CI/CD pipeline compromise and token abuse","type":"investigation","tool":"cicd_platform","description":"If CI/CD pipeline tokens are involved, audit all pipeline executions during the attack window. Look for: pipeline runs triggered from unexpected branches or forks, jobs that accessed secrets not normally used by that pipeline, external network calls from build jobs that are not expected, modified pipeline definition files (.github/workflows, .gitlab-ci.yml, Jenkinsfile) with backdoors or secret exfiltration steps, and newly created pipeline variables or environment-level secrets.\n","automation_hint":"GitHub Actions: GET https://api.github.com/repos///actions/runs?event=workflow_dispatch&per_page=30 Check workflow file changes: git log --diff-filter=M -- .github/workflows/ GitLab: GET https://gitlab.com/api/v4/projects//jobs?scope=success&per_page=50 Jenkins: GET http:///job//api/json?tree=builds[number,result,timestamp,culprits] Check for exfiltration: grep -r \"curl.*\\$SECRETS\\|wget.*TOKEN\\|base64.*SECRET\" .github/workflows/\n","outputs":["malicious_pipeline_runs","secrets_accessed_in_ci","pipeline_backdoors_found","pipeline_definitions_modified"]},{"id":"step-6","name":"Assess blast radius — identify all systems accessed by the NHI","type":"investigation","tool":"siem","description":"Map the full blast radius of the compromise. Determine all systems, APIs, databases, and cloud services the compromised NHI had permissions to access. Cross-reference against the attacker's activity timeline to identify what was actually accessed vs. what was accessible. For service accounts with broad permissions, assume worst-case and notify data owners. Identify any privileged escalation paths the attacker could exploit from the compromised NHI.\n","automation_hint":"AWS: aws iam simulate-principal-policy --policy-source-arn --action-names \"*\" (enumerate all allowed actions) Azure: az role assignment list --assignee --all GCP: gcloud projects get-iam-policy --flatten=\"bindings[].members\" --filter=\"bindings.members:\" Blast radius visualization: use IAM tools like Cloudsploit, Prowler, or PMapper\n","outputs":["permissions_enumerated","blast_radius_map","sensitive_systems_accessed","worst_case_scenario"]},{"id":"step-7","name":"Rotate all compromised and co-located credentials","type":"action","tool":"secrets_manager","description":"Rotate the compromised credential and all secrets that were co-located or accessible to the compromised NHI. This includes: the primary compromised key/token, all other keys in the same service account or application, database passwords the NHI had access to, third-party API keys accessed via the NHI, and any secrets stored in the same vault path or environment scope. For Vault, enable dynamic secrets to eliminate static long-lived credentials.\n","automation_hint":"AWS rotate all keys for user: aws iam list-access-keys --user-name | jq '.AccessKeyMetadata[].AccessKeyId' | xargs -I{} aws iam update-access-key --access-key-id {} --status Inactive Create new key: aws iam create-access-key --user-name Vault dynamic secrets: vault write database/config/ rotation_statements=\"ALTER USER ...\" GitHub repo secrets: gh secret set -b --repo / AWS Secrets Manager: aws secretsmanager rotate-secret --secret-id \n","outputs":["primary_credential_rotated","all_related_secrets_rotated","dynamic_secrets_enabled"]},{"id":"step-8","name":"Audit CI/CD pipeline security and remove backdoors","type":"action","tool":"cicd_platform","description":"Remediate any CI/CD pipeline compromises found in step-5. Remove backdoored workflow files and restore from last known-good commit. Audit all pipeline environment variables and repository secrets — remove any that were not explicitly approved. Enable required reviews for workflow changes, pin GitHub Actions to specific commit SHAs (not tags), and implement OIDC-based token issuance for cloud access instead of long-lived service account keys.\n","automation_hint":"Pin GitHub Actions: replace uses: actions/checkout@v3 with uses: actions/checkout@ Require reviews: GitHub Settings → Environments → required reviewers Enable OIDC: Configure AWS: aws iam create-open-id-connect-provider (OIDC for GitHub Actions) Review and prune secrets: gh secret list --repo / Remove backdoor workflow: git revert && git push\n","outputs":["pipeline_backdoors_removed","workflow_files_audited","oidc_token_issuance_enabled","pipeline_secret_inventory_cleaned"]},{"id":"step-9","name":"Implement NHI lifecycle management and monitoring","type":"action","tool":"identity_provider","description":"Establish formal NHI lifecycle controls to prevent recurrence: inventory all service accounts and API keys with owners and expiration dates, enforce maximum key age policies (90 days), disable unused service accounts (>90 days without use), implement automated rotation for all NHI credentials, and deploy continuous monitoring for NHI behavior anomalies. Create a service account registry with documented purpose, owner, and access scope.\n","automation_hint":"AWS access key age audit: aws iam generate-credential-report && aws iam get-credential-report | base64 -d | cut -d, -f1,4,9,11,14 | grep -v \"N/A\" Unused keys: aws iam list-access-keys --user-name | jq '.AccessKeyMetadata[] | select(.LastUsedDate==null or (.LastUsedDate|fromdateiso8601) < (now - 90*86400))' GCP unused SAs: gcloud iam service-accounts list | while read sa; do gcloud projects get-iam-policy --flatten bindings --filter \"bindings.members:$sa\"; done Rotation: use AWS Secrets Manager rotation Lambda or Vault's automatic rotation\n","outputs":["nhi_inventory_completed","stale_credentials_disabled","rotation_automation_enabled","behavior_monitoring_active"]},{"id":"step-10","name":"Report findings and implement least-privilege NHI access","type":"notification","description":"Report incident findings to security leadership, affected system owners, and the DevSecOps team. Document the root cause, timeline, blast radius, and all remediation steps. Initiate a least-privilege review for all NHIs involved — reduce permissions to the minimum required for function. If regulated data was accessed (PII, PCI, PHI), engage legal and compliance for breach notification assessment. File lessons learned in the runbook for future NHI compromise scenarios.\n","automation_hint":"Least privilege review tools: IAM Access Analyzer (AWS), Azure AD Access Reviews, GCP IAM Recommender AWS IAM Recommender: aws iam generate-service-last-accessed-details --arn Access review: GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions PagerDuty: pd incident create --title \"IR-015 NHI Compromise: \" JIRA: Create security incident ticket with compliance label if regulated data accessed\n","outputs":["incident_report_filed","least_privilege_remediation_initiated","breach_notification_assessed","lessons_learned_documented"]}],"post_incident":["Implement a complete NHI inventory — every service account, API key, and OAuth token must have a documented owner and purpose","Enforce maximum credential lifetime: 90 days for API keys, 24 hours for CI/CD tokens, instant rotation via OIDC where possible","Migrate from long-lived static credentials to dynamic short-lived credentials (OIDC for CI/CD, IRSA for EKS, Workload Identity for GKE)","Deploy secrets scanning with push protection in all code repositories — block credential commits before they land","Enable automated credential rotation via HashiCorp Vault, AWS Secrets Manager, or equivalent platform","Conduct quarterly NHI access reviews — revoke service accounts unused for >90 days","Implement anomaly detection for NHI behavior — baseline normal activity and alert on deviations","Require peer review and security approval for all CI/CD pipeline changes that modify secrets access or add new permissions","Enforce code signing for pipeline artifacts and pin all third-party CI/CD actions to verified commit SHAs"],"metrics":{"avg_resolution_time":"85m","false_positive_rate":"8%","escalation_rate":"40%"},"filename":"IR-015-nhi-compromise.yaml","githubUrl":"https://github.com/costnimbus/soc-playbooks/blob/main/playbooks/identity/IR-015-nhi-compromise.yaml"}],"categories":["cloud","data-loss","email-security","endpoint","identity","insider-threat","network","ransomware","supply-chain"],"severities":["critical","high","medium"]}],["$La"],"$Lb"]}],{},null,false,false]},null,false,false]},null,false,false],"$Lc",false]],"m":"$undefined","G":["$d",[]],"S":true}

SOC Incident ResponsePlaybooks

Phishing Email Investigation

Malware Endpoint Containment

Brute Force Authentication Attack

AWS Unauthorized Access via CloudTrail Anomaly

Data Exfiltration via DLP Alert

Ransomware Initial Response and Containment

Insider Threat Investigation

Cloud Resource Hijacking (Cryptomining and Unauthorized Compute)

Software Supply Chain Compromise

Privilege Escalation Detection and Response

AI/ML Model Abuse and Training Data Poisoning

API Abuse and Credential Stuffing Attack Response

SaaS Account Compromise (M365, Google Workspace, Slack)

Container and Kubernetes Security Incident Response

Non-Human Identity (NHI) Compromise — Service Accounts, API Keys, and CI/CD Tokens

SOC Incident Response
Playbooks