Skip to main content
All CollectionsTemplatesIntermediate
Handle Gem Alert for Root Usage - Workflow Template
Handle Gem Alert for Root Usage - Workflow Template

Receives an alert for a recent usage of Root credentials and validates it with the user trough Slack

Updated over a week ago

This workflow template handles security alerts related to the use of root credentials in AWS. Upon receiving an alert, it analyzes the source IP address and checks if more than three users used this IP in the past week; if so, the process stops to avoid confusion with shared IPs. If not, it sequentially contacts each user through Slack with a message containing event details, seeking validation. If a user confirms the action was legitimate, the alert is resolved automatically, streamlining the incident response process for potential credential misuse.

Trigger

Gem

Use Cases

CSPM

Workflow Breakdown

  1. Find all users who've used the same source IP address in the past week

  2. If the list contains more than 3 users, stop as this might be a shared IP address (e.g. office IP)

  3. Otherwise, generate a Slack message for each of the users, containing the relevant timeline events, and validate these actions with them

  4. If any of them answers they performed these actions ("Yes, it was me"), resolve the alert automatically, as this was a planned root action

Vendors

Slack, Utils, Gem

Workflow Output

Workflow will close Alerts that were validated by the user.

Did this answer your question?