When D3 is alerted to a potential cryptojacking event, the analyst can trigger an incident-specific cryptojacking playbook.
D3 investigates the IOCs, determining the reputation of the URLs and IPs, and blocks them if necessary.
Simultaneously, D3 retrieves logs from Datadog or another integrated tool and also retrieves the details of the affected instance.
D3 retrieves the security group details of the affected instance, and the analyst decides whether the EC2 instance or hosts need to be quarantined. D3 then quarantines the EC2 instance and takes a volume snapshot.
Simultaneously, D3 queries the mapping list to get the McAfee ePO system name, groups, and system details.
D3 then orchestrates a scan of the EC2 instance via ePO.
Finally, D3 generates a summary report of the incident.
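The quarantine-and-snapshot step above, written out as an added example that is not D3 Security's code and does not use its playbook engine: the function swaps the instance's security groups for an isolation group and snapshots every attached EBS volume, tagging the snapshots with the case id so they can be found later. It is written against the boto3 EC2 client methods describe_instances, modify_instance_attribute and create_snapshot; the FakeEC2 class, the instance, volume and security-group ids, and the case id are constructed here so the step can be exercised offline. With a real client you would pass boto3.client("ec2") in place of FakeEC2().

```python
"""Playbook step: isolate an EC2 instance and preserve its volumes (added example)."""
from dataclasses import dataclass
from typing import Any


@dataclass
class QuarantineResult:
    instance_id: str
    original_security_groups: list[str]  # kept so the analyst can restore them
    snapshot_ids: list[str]


def quarantine_instance(ec2: Any, instance_id: str, quarantine_sg_id: str,
                        case_id: str) -> QuarantineResult:
    """Replace the instance's security groups with an isolation group and
    snapshot each attached EBS volume for forensics.

    `ec2` is any object exposing the boto3 EC2 client methods used below."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    reservations = resp.get("Reservations", [])
    if not reservations or not reservations[0].get("Instances"):
        raise ValueError(f"instance {instance_id} not found")
    inst = reservations[0]["Instances"][0]

    # Record the original groups before changing anything.
    original_sgs = [g["GroupId"] for g in inst.get("SecurityGroups", [])]

    # Snapshot first so evidence is preserved before any further response action.
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if not ebs:  # skip instance-store devices, which have no EBS volume
            continue
        snap = ec2.create_snapshot(
            VolumeId=ebs["VolumeId"],
            Description=f"Forensic snapshot for case {case_id} ({instance_id})",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "CaseId", "Value": case_id}]}],
        )
        snapshot_ids.append(snap["SnapshotId"])

    # Swap every security group for the isolation group (assumed to allow no traffic).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    return QuarantineResult(instance_id, original_sgs, snapshot_ids)


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client (offline demo only).
    Holds one instance with two security groups and two EBS volumes."""

    def __init__(self) -> None:
        self.instances = {
            "i-0123456789abcdef0": {
                "InstanceId": "i-0123456789abcdef0",
                "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                    {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-data"}},
                ],
            }
        }
        self.snapshots: list[dict] = []

    def describe_instances(self, InstanceIds):
        found = [self.instances[i] for i in InstanceIds if i in self.instances]
        return {"Reservations": [{"Instances": found}] if found else []}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        return {}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap_id = f"snap-{len(self.snapshots):04d}"
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId,
                               "Description": Description,
                               "Tags": TagSpecifications[0]["Tags"]})
        return {"SnapshotId": snap_id, "VolumeId": VolumeId}


def run_demo():
    """Run the step against the constructed fake and return (client, result)."""
    ec2 = FakeEC2()
    result = quarantine_instance(ec2, "i-0123456789abcdef0", "sg-quarantine", "CASE-0001")
    return ec2, result


if __name__ == "__main__":
    client, res = run_demo()
    print(res)
    print(client.instances[res.instance_id]["SecurityGroups"])
```

The original security-group ids are returned rather than discarded because the isolation is meant to be reversible once triage is done; in a real playbook they would be written to the case record alongside the snapshot ids.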