Step 1:
When D3 is alerted to a potential cryptojacking event, the analyst can trigger an incident-specific cryptojacking playbook.
Step 2:
D3 enriches the IOCs from the alert, checks the reputation of the URLs and IP addresses involved, and blocks those confirmed malicious.
Step 3:
In parallel, D3 retrieves logs from Datadog or another integrated tool, along with the details of the affected EC2 instance.
Step 4:
D3 retrieves the security groups attached to the affected instance, and the analyst decides whether the EC2 instance or hosts need to be quarantined. If so, D3 quarantines the EC2 instance and takes a snapshot of its volumes to preserve evidence.
Step 5:
In parallel, D3 queries the instance-to-ePO mapping list to obtain the McAfee ePO system name, groups, and system details for the host.
Step 6:
D3 then orchestrates a scan of the EC2 instance via ePO.
Step 7:
Finally, D3 generates a summary report of the incident.
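The quarantine-and-snapshot action in Step 4 is the part of this playbook that touches the cloud control plane, so it is worth seeing what it has to do correctly. The following is an added example written for this page; it is not D3's playbook code. It assumes a boto3-style EC2 client (anything exposing describe_instances, modify_instance_attribute and create_snapshot with boto3's keyword arguments), a pre-existing isolation security group with no inbound or outbound rules, and an incident identifier for tagging; the FakeEC2 class and its responses are constructed so the example runs offline.

```python
"""Quarantine an EC2 instance and snapshot its EBS volumes (playbook Step 4).

Added example, not D3 Security's playbook code. Assumes a boto3-style EC2
client: any object exposing describe_instances, modify_instance_attribute
and create_snapshot with boto3's keyword signatures. The FakeEC2 stand-in
and its responses are constructed so the example runs offline; pass
boto3.client("ec2") instead to run it for real.
"""
from dataclasses import dataclass, field


@dataclass
class QuarantineResult:
    instance_id: str
    vpc_id: str
    original_security_groups: list   # saved so the host can be restored later
    quarantine_security_group: str
    snapshot_ids: list = field(default_factory=list)


def quarantine_instance(ec2, instance_id, quarantine_sg_id, incident_id):
    """Swap the instance's security groups for an isolation group and snapshot
    every attached EBS volume. Returns a QuarantineResult for the incident record."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    if len(instances) != 1:
        raise ValueError(f"expected one instance for {instance_id}, got {len(instances)}")
    inst = instances[0]

    # Record the current groups first: quarantine must be reversible.
    original = [sg["GroupId"] for sg in inst["SecurityGroups"]]

    # Replace the whole group list rather than appending to it. Security group
    # rules are additive, so adding a "deny-all" group next to a permissive one
    # would leave the host reachable. The isolation group must live in the
    # instance's VPC (vpc_id is kept in the result for that check).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])

    result = QuarantineResult(instance_id, inst["VpcId"], original, quarantine_sg_id)

    # Snapshot each attached EBS volume for forensics; tag with the incident id
    # so the evidence can be located later.
    for mapping in inst.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if not ebs:
            continue   # instance-store devices have no EBS volume to snapshot
        snap = ec2.create_snapshot(
            VolumeId=ebs["VolumeId"],
            Description=f"{incident_id} {instance_id} {mapping['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "IncidentId", "Value": incident_id}]}],
        )
        result.snapshot_ids.append(snap["SnapshotId"])
    return result


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client. Returns only the fields
    this playbook step reads and records every write call for inspection."""

    def __init__(self):
        self.calls = []
        self._next_snap = 0

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "VpcId": "vpc-0a1b2c3d",
            "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"},
                               {"GroupId": "sg-ssh", "GroupName": "ssh-admin"}],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-data"}},
                {"DeviceName": "/dev/sdc"},   # instance-store device, no Ebs key
            ],
        }]}]}

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))
        return {}

    def create_snapshot(self, **kwargs):
        self.calls.append(("create_snapshot", kwargs))
        self._next_snap += 1
        return {"SnapshotId": f"snap-{self._next_snap:04d}", "State": "pending"}


if __name__ == "__main__":
    fake = FakeEC2()
    print(quarantine_instance(fake, "i-0123456789abcdef0", "sg-quarantine", "INC-CJ-001"))
```

Two points a practitioner will want to check before wiring this into a playbook: the isolation group must belong to the same VPC as the instance or the modify call fails, and the original security group list should be written into the incident record (as QuarantineResult does) so the host can be released once the ePO scan in Step 6 comes back clean.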