This repository is deprecated.

sxo_aws_ir - Incident Response for EC2 in AWS

This workflow simplifies and automates incident response procedures for Amazon EC2 instances. If a compromise is suspected, the workflow can automate incident response procedures that are detailed in the published Amazon AWS Incident Response Guide, including:

  • Enabling Termination Protection.
  • Moving the compromised instance to an isolated security group.
  • Removing the instance from auto-scaling groups (ASGs).
  • Removing the instance from an elastic load balancer (ELB).
  • Creating forensic snapshots of elastic block devices.
  • Adding tags to compromised hosts.
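The six steps above map onto a small number of AWS API calls. The following is an added example (not code from the sxo_aws_ir workflow or from Cisco) that carries out the same procedure in the order the list gives it, using the boto3 client method names for EC2, Auto Scaling and ELBv2. Because the workflow's "Target ELB ARN" variable is assumed here to be an Application/Network Load Balancer ARN, the instance is deregistered from every target group behind that load balancer. The `RecordingClient`, the instance, volume, ASG and ARN values, and the `IncidentId`/`SecurityStatus` tag keys are all constructed for the example so it runs offline; with real boto3 clients passed in as `AwsClients`, the same function issues the real calls.

```python
"""EC2 incident-response isolation, modelled on the steps in the page above.

Added example, not part of the sxo_aws_ir workflow. Method names follow the
boto3 clients for EC2, Auto Scaling and ELBv2; RecordingClient is a constructed
stand-in that records calls and answers describe_* calls from canned data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any


class RecordingClient:
    """Constructed stand-in for a boto3 client (no credentials needed)."""

    def __init__(self, canned: dict[str, Any] | None = None):
        self.calls: list[tuple[str, dict[str, Any]]] = []
        self.canned = canned or {}

    def __getattr__(self, name: str):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.canned.get(name, {})
        return call


@dataclass
class AwsClients:
    ec2: Any          # boto3.client("ec2")
    autoscaling: Any  # boto3.client("autoscaling")
    elbv2: Any        # boto3.client("elbv2")


@dataclass
class IsolationReport:
    instance_id: str
    asgs_detached: list[str] = field(default_factory=list)
    target_groups_deregistered: list[str] = field(default_factory=list)
    snapshot_volumes: list[str] = field(default_factory=list)


def isolate_instance(aws: AwsClients, instance_id: str, isolation_sg_id: str,
                     load_balancer_arn: str | None, incident_id: str) -> IsolationReport:
    """Apply the six response steps to one instance and report what was touched."""
    report = IsolationReport(instance_id)
    tags = [{"Key": "IncidentId", "Value": incident_id},
            {"Key": "SecurityStatus", "Value": "Quarantined"}]

    # 1. Termination protection: stop the evidence being deleted through the API.
    aws.ec2.modify_instance_attribute(InstanceId=instance_id,
                                      DisableApiTermination={"Value": True})
    # 2. Replace all security groups with the isolation group (ENI keeps only this one).
    aws.ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
    # 3. Detach from any ASG so the group does not replace/terminate the host under us;
    #    keeping desired capacity makes the ASG launch a clean replacement.
    resp = aws.autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for entry in resp.get("AutoScalingInstances", []):
        asg = entry["AutoScalingGroupName"]
        aws.autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg,
                                         ShouldDecrementDesiredCapacity=False)
        report.asgs_detached.append(asg)
    # 4. Deregister from every target group behind the load balancer, if one is configured.
    if load_balancer_arn:
        tgs = aws.elbv2.describe_target_groups(LoadBalancerArn=load_balancer_arn)
        for tg in tgs.get("TargetGroups", []):
            arn = tg["TargetGroupArn"]
            aws.elbv2.deregister_targets(TargetGroupArn=arn, Targets=[{"Id": instance_id}])
            report.target_groups_deregistered.append(arn)
    # 5. Forensic snapshot of every attached EBS volume, tagged with the incident id.
    desc = aws.ec2.describe_instances(InstanceIds=[instance_id])
    for reservation in desc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for mapping in inst.get("BlockDeviceMappings", []):
                vol = mapping.get("Ebs", {}).get("VolumeId")
                if vol:
                    aws.ec2.create_snapshot(
                        VolumeId=vol,
                        Description=f"Forensic snapshot of {instance_id} ({incident_id})",
                        TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
                    report.snapshot_volumes.append(vol)
    # 6. Tag the compromised host so responders and automation can find it.
    aws.ec2.create_tags(Resources=[instance_id], Tags=tags)
    return report


def build_sample_clients() -> AwsClients:
    """Constructed environment: one instance in one ASG, behind a load balancer
    with two target groups, with two EBS volumes attached."""
    ec2 = RecordingClient({"describe_instances": {"Reservations": [{"Instances": [{
        "InstanceId": "i-0123456789abcdef0",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}},
            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0bbb"}}]}]}]}})
    autoscaling = RecordingClient({"describe_auto_scaling_instances": {
        "AutoScalingInstances": [{"InstanceId": "i-0123456789abcdef0",
                                  "AutoScalingGroupName": "web-asg"}]}})
    elbv2 = RecordingClient({"describe_target_groups": {"TargetGroups": [
        {"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web-http/EXAMPLE1"},
        {"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web-https/EXAMPLE2"}]}})
    return AwsClients(ec2, autoscaling, elbv2)


if __name__ == "__main__":
    clients = build_sample_clients()
    rep = isolate_instance(clients, "i-0123456789abcdef0", "sg-0isolate",
                           "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/EXAMPLE", "IR-0001")
    print(rep)
    for client in (clients.ec2, clients.autoscaling, clients.elbv2):
        for name, kwargs in client.calls:
            print(name, kwargs)
```

Running the sample prints the exact call sequence the workflow equivalent would make, which is useful for a tabletop review before anyone points it at production. Note that the volume snapshots capture disk state only; anything that lived purely in memory is lost when the instance is later stopped, so teams that need memory evidence collect it before step 5.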

Required Targets

  • Amazon Web Services

Required Local Variables

  • Isolation Security Group ID
  • Target ELB ARN

Setup instructions

Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:

Import main workflow

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

  2. Click on Browse and copy paste the content of the name-json-file.json file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

  3. Complete the remaining setup: update the targets and account keys, then set a trigger or run the workflow manually.

Update local variables, targets, and credentials

This workflow relies on details from your AWS environment including authentication, region, quarantine security group, and ELB detail.

Workflow

Notes

Please test this properly before implementing in a production environment. This is a sample workflow!

Use Case

Streamline Incident Response Using SecureX

Simplify, automate, and streamline incident response by integrating SecureX, ServiceNow, and Webex with Umbrella and Secure Cloud Analytics.

Use Case Description

CloudAIR simplifies and automates incident response procedures for Amazon EC2 instances. When run on a schedule, the workflow queries Cisco Umbrella, Cisco Secure Cloud Analytics (formerly known as Stealthwatch Cloud), and Amazon GuardDuty for indicators of compromise. If a compromise is suspected, the workflow creates a ServiceNow ticket, generates a remediation request, and posts the instance details and the request to a Webex room.

Incident response procedures are detailed in the published Amazon AWS Incident Response Guide and include:

  • Enabling Termination Protection.
  • Moving the compromised instance to an isolated security group.
  • Removing the instance from auto-scaling groups (ASGs).
  • Removing the instance from an elastic load balancer (ELB).
  • Creating forensic snapshots of elastic block devices.
  • Adding tags to compromised hosts.

  • Please see the serverless relay module installation information here.

Code Exchange submission for this project

White Paper

AWS IR Whitepaper

From Complex to Cohesive

Watch Brian Sak & Brennan Bouchard present at Devnet Create

Anyone may create a SecureX account for free.

DevNet Learning Labs

Get started with these SecureX modules on DevNet.

Solutions on Ecosystem Exchange

More SecureX solutions on Cisco Ecosystem Exchange here

Author(s)

This project was written and is maintained by the following individuals:

  • License

    GNU General Public License v3.0
