Handle Gem Alert for Root Usage - Workflow Template

Receives an alert for a recent use of root credentials and validates it with the user through Slack

Updated over 6 months ago

This workflow template handles security alerts related to the use of root credentials in AWS. Upon receiving an alert, it analyzes the source IP address and checks if more than three users used this IP in the past week; if so, the process stops to avoid confusion with shared IPs. If not, it sequentially contacts each user through Slack with a message containing event details, seeking validation. If a user confirms the action was legitimate, the alert is resolved automatically, streamlining the incident response process for potential credential misuse.

Trigger

Gem

Use Cases

CSPM

Workflow Breakdown

  1. Find all users who've used the same source IP address in the past week

  2. If the list contains more than 3 users, stop as this might be a shared IP address (e.g. office IP)

  3. Otherwise, generate a Slack message for each of the users, containing the relevant timeline events, and validate these actions with them

  4. If any of them answers they performed these actions ("Yes, it was me"), resolve the alert automatically, as this was a planned root action
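The four steps above, written out as an added Python example (not the template's own workflow code, nor any vendor SDK): it assumes a constructed list of CloudTrail-style events with `user`, `source_ip`, `time` and `event_name` fields, a constructed alert with `source_ip` and `time`, and an `ask_user` callback standing in for the Slack round-trip. The root identity itself is excluded from the candidate list, which is an assumption; the "more than 3 users" cut-off and the "Yes, it was me" reply come from the template description.

```python
from datetime import datetime, timedelta

SHARED_IP_THRESHOLD = 3          # more than this many users -> treat the IP as shared and stop
LOOKBACK = timedelta(days=7)     # the template's "past week"
CONFIRMATION = "Yes, it was me"  # the reply the template treats as validation

# Constructed sample data (field names are an assumption, not a real alert schema).
SAMPLE_ALERT = {"id": "alert-0001", "source_ip": "203.0.113.10", "time": "2024-05-08T12:00:00"}
SAMPLE_EVENTS = [
    {"user": "root",  "source_ip": "203.0.113.10", "time": "2024-05-08T11:58:00", "event_name": "ConsoleLogin"},
    {"user": "alice", "source_ip": "203.0.113.10", "time": "2024-05-03T09:10:00", "event_name": "ConsoleLogin"},
    {"user": "alice", "source_ip": "203.0.113.10", "time": "2024-05-07T16:40:00", "event_name": "ListBuckets"},
    {"user": "bob",   "source_ip": "203.0.113.10", "time": "2024-05-06T13:05:00", "event_name": "ConsoleLogin"},
    {"user": "carol", "source_ip": "203.0.113.10", "time": "2024-04-20T08:00:00", "event_name": "ConsoleLogin"},  # outside the week
    # A second address used by four different people: looks like an office IP.
    {"user": "dan",   "source_ip": "198.51.100.7", "time": "2024-05-05T10:00:00", "event_name": "ConsoleLogin"},
    {"user": "erin",  "source_ip": "198.51.100.7", "time": "2024-05-05T10:30:00", "event_name": "ConsoleLogin"},
    {"user": "frank", "source_ip": "198.51.100.7", "time": "2024-05-06T09:00:00", "event_name": "ConsoleLogin"},
    {"user": "grace", "source_ip": "198.51.100.7", "time": "2024-05-07T09:00:00", "event_name": "ConsoleLogin"},
]
SAMPLE_REPLIES = {"alice": "No, that wasn't me", "bob": "Yes, it was me"}  # constructed Slack answers


def parse_time(value):
    return datetime.fromisoformat(value)


def users_for_ip(events, source_ip, alert_time):
    """Step 1: map each non-root user seen from source_ip in the past week to their events."""
    start = alert_time - LOOKBACK
    by_user = {}
    for ev in events:
        t = parse_time(ev["time"])
        if ev["source_ip"] == source_ip and ev["user"] != "root" and start <= t <= alert_time:
            by_user.setdefault(ev["user"], []).append(ev)
    return by_user


def build_slack_message(user, alert, user_events):
    """Step 3: the message text sent to one user, listing their timeline from that address."""
    lines = [
        f"Hi {user}, root credentials were used from {alert['source_ip']} at {alert['time']}.",
        "Your recent activity from that address:",
    ]
    for ev in sorted(user_events, key=lambda e: e["time"]):
        lines.append(f"  - {ev['time']} {ev['event_name']}")
    lines.append(f"Was this you? Reply '{CONFIRMATION}' to resolve the alert.")
    return "\n".join(lines)


def handle_root_alert(alert, events, ask_user):
    """Run the whole workflow; ask_user(user, message) returns the user's reply string."""
    alert_time = parse_time(alert["time"])
    candidates = users_for_ip(events, alert["source_ip"], alert_time)
    # Step 2: too many users on this IP -> probably shared, stop rather than spam people.
    if len(candidates) > SHARED_IP_THRESHOLD:
        return {"status": "stopped", "reason": "shared_ip", "users": sorted(candidates)}
    asked = []
    # Step 3/4: contact users one at a time; the first confirmation resolves the alert.
    for user, user_events in sorted(candidates.items()):
        asked.append(user)
        reply = ask_user(user, build_slack_message(user, alert, user_events))
        if reply.strip().lower() == CONFIRMATION.lower():
            return {"status": "resolved", "validated_by": user, "asked": asked}
    # Nobody confirmed: leave the alert open for an analyst.
    return {"status": "open", "reason": "no_confirmation", "asked": asked}


def run_demo():
    """Both branches on the constructed data: a validated alert and a shared-IP stop."""
    reply = lambda user, message: SAMPLE_REPLIES.get(user, "No")
    validated = handle_root_alert(SAMPLE_ALERT, SAMPLE_EVENTS, reply)
    shared = handle_root_alert(dict(SAMPLE_ALERT, source_ip="198.51.100.7"), SAMPLE_EVENTS, reply)
    return validated, shared


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The week-long window is closed at the alert time, so activity after the root login does not count toward the shared-IP check, and `carol`'s older login falls outside it; only `alice` and `bob` are contacted, and `bob`'s confirmation closes the alert without waiting on anyone else.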

Vendors

Slack, Utils, Gem

Workflow Output

The workflow closes alerts that were validated by the user.