This repository is deprecated.

License: CISCO
published

Features

Automated Remediation with SecureX for Secure Cloud Analytics and AWS IAM

This is a SecureX playbook to automate quarantine through AWS IAM upon receiving Stealthwatch Cloud alerts. In this playbook, we use an e-mail trigger to start the workflow. When Stealthwatch Cloud gets an alert, it sends an e-mail to a mailbox.
SecureX is configured with an IMAP listener on this mailbox to collect the alert e-mail.
When the e-mail is retrieved, the workflow parses the information to keep only the AWS username that caused the alert.
It then applies a specific new policy to this user in order to limit what that user is able to do. Once the user has been remediated, a notification can be sent through Webex Teams.
There are many possible scenarios; here is an example:

https://www.youtube.com/watch?v=2OS3SgVVFdU

Note: Please test this properly before implementing in a production environment. This is a sample workflow!
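The remediation step the playbook automates (read the alert e-mail, pull out the AWS username, attach a restrictive policy to that IAM user) can be shown in a few lines of Python. The block below is an added example and is not part of the workflow in this repository: the alert e-mail layout (`AWS Username:` line), the `ALERT_USER_RE` pattern and the deny-all `SecureX-Quarantine` inline policy are assumptions for illustration, and the `_StubIam` class stands in for a real `boto3.client("iam")` so the example runs offline. The username taken from the e-mail is validated against the IAM username character set before it reaches the API, so a malformed alert cannot pass arbitrary text into the IAM call.

```python
"""Quarantine the AWS IAM user named in a Secure Cloud Analytics alert e-mail."""
import email
import json
import re
from email.message import Message

# Constructed sample alert: the real Stealthwatch Cloud e-mail layout is an
# assumption for this example; adjust ALERT_USER_RE to match the actual body.
SAMPLE_ALERT_EMAIL = b"""\
From: alerts@example.invalid
To: securex-inbox@example.invalid
Subject: Stealthwatch Cloud alert: AWS API Abuse
Content-Type: text/plain

Alert: AWS API Abuse
Severity: High
AWS Username: svc-backup-runner
Source IP: 203.0.113.45
"""

# IAM user names are 1-64 characters from this set; anything else coming out
# of the e-mail is untrusted input and is rejected before any API call.
IAM_USERNAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")
ALERT_USER_RE = re.compile(r"^AWS Username:\s*(\S+)\s*$", re.MULTILINE)

QUARANTINE_POLICY_NAME = "SecureX-Quarantine"  # assumed name for this example
# An explicit Deny wins over any Allow the user already holds, so attaching
# this inline policy limits the user without editing their existing policies.
QUARANTINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "SecureXQuarantine", "Effect": "Deny",
                   "Action": "*", "Resource": "*"}],
}


def extract_username(raw_email: bytes) -> str:
    """Return the AWS username found in the alert body, or raise ValueError."""
    msg: Message = email.message_from_bytes(raw_email)
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = ""
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    match = ALERT_USER_RE.search(body)
    if not match:
        raise ValueError("no 'AWS Username:' line in alert body")
    username = match.group(1)
    if not IAM_USERNAME_RE.match(username):
        raise ValueError(f"rejected username from alert: {username!r}")
    return username


def quarantine_user(iam_client, username: str) -> dict:
    """Attach the deny-all inline policy to `username` via IAM put_user_policy.

    In production `iam_client` is boto3.client("iam"); put_user_policy takes
    exactly these keyword arguments. Returns the parameters that were sent.
    """
    params = {
        "UserName": username,
        "PolicyName": QUARANTINE_POLICY_NAME,
        "PolicyDocument": json.dumps(QUARANTINE_POLICY),
    }
    iam_client.put_user_policy(**params)
    return params


def remediate_from_email(iam_client, raw_email: bytes) -> dict:
    """End-to-end step the playbook automates: alert e-mail in, quarantined user out."""
    return quarantine_user(iam_client, extract_username(raw_email))


class _StubIam:
    """Offline stand-in for the boto3 IAM client; records put_user_policy calls."""

    def __init__(self):
        self.calls = []

    def put_user_policy(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    stub = _StubIam()
    result = remediate_from_email(stub, SAMPLE_ALERT_EMAIL)
    print(json.dumps(result, indent=2))
```

To use it against a real account, replace `_StubIam()` with `boto3.client("iam")` using the same AWS credentials the workflow's account key holds; the Deny policy is attached inline so it can be removed later with `delete_user_policy` once the investigation closes.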

Configure

  • Configure e-mail in Stealthwatch Cloud :
    In Stealthwatch Cloud --> Top Right wheel --> Services/Webhooks --> E-mail

Requirements

  • E-mail address to be used to send Secure Cloud Analytics Alert

Required Target

  • Target to be configured
    --> AWS Account

Required Account Keys

  • Account Keys to be configured :
    --> Mailbox used - in my case I used a simple Gmail account.
    --> AWS Credentials

Required Global Variables

  • Variables (optional)
    --> Webex Team key

Setup instructions

Configure Global Variables

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
  2. In the left hand menu, select Variables.

  3. Next steps.

Import main workflow

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

  2. Click on Browse and copy paste the content of the SWC-AWS IAM Workflow.json file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

  3. Next steps, like updating targets / account keys and setting a trigger / running the workflow.

Secure Cloud Analytics Configuration

  • Configure e-mail in Stealthwatch Cloud :
    In Stealthwatch Cloud --> Settings --> Services/Webhooks --> E-mail

Notes

  • Please test this properly before implementing in a production environment. This is a sample workflow!

Author(s)

  • Remi VACHER (Cisco)

