AWS Systems Manager - Stop Managed EC2 Instances
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook can be used by SOC Analysts to stop malicious or compromised EC2 instances in AWS. This playbook uses AWS Systems Manager API to stop the EC2 instances. The playbook can be triggered from an incident in Microsoft Sentinel. The playbook takes the Hostnames and Private IP addresses from the incident entities and stops the EC2 instances using the Instance IDs. The playbook also adds a comment to the incident with the list of instances that were stopped.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | AWS Systems Manager |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
function |
Built-in | 0 | 6 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_Automation_Shutdown_Document | — | — | functionId=[concat(variables('AWSSSMFuntionsAppId'), '/functions/CreateDocument')] |
| DeleteDocument | — | — | functionId=[concat(variables('AWSSSMFuntionsAppId'), '/functions/DeleteDocument')] |
| GetAutomationExecution | — | — | functionId=[concat(variables('AWSSSMFuntionsAppId'), '/functions/GetAutomationExecution')] |
| StartAutomationExecution | — | — | functionId=[concat(variables('AWSSSMFuntionsAppId'), '/functions/StartAutomationExecution')] |
| GetAutomationExecution_again | — | — | functionId=[concat(variables('AWSSSMFuntionsAppId'), '/functions/GetAutomationExecution')] |
| GetInventory | — | — | functionId=[concat(variables('AWSSSMFuntionsAppId'), '/functions/GetInventory')] |
Additional Documentation
📄 Source: AWSSystemsManagerPlaybooks/AWS-SSM-StopManagedInstance/readme.md
AWS-SSM-StopManagedInstance
Summary
This playbook can be used by SOC Analysts to stop malicious or compromised EC2 instances in AWS. This playbook uses AWS Systems Manager API to stop the EC2 instances. The playbook can be triggered from an incident in Microsoft Sentinel. The playbook takes the Hostnames and Private IP addresses from the incident entities and stops the EC2 instances using the Instance IDs. The playbook also adds a comment to the incident with the list of instances that were stopped.
Playbook performs the following actions:
- Get the Hostnames and Private IP addresses from incident entities.
- Get the Instance IDs of Managed EC2 instances using the Hostnames and Private IP Addresses.
- Stop the EC2 instances using the Instance IDs.
- Add a comment to the incident with the list of instances that were stopped.
Prerequisites
- Prior to the deployment of this playbook, AWS Systems Manager API Function App Connector needs to be deployed under the same subscription.
- Refer to AWS Systems Manager API Function App Connector documentation to obtain AWS Access Key ID, Secret Access Key and Region.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name
- Functions App Name - Name of the Function App where the AWS Systems Manager API Function App Connector has been deployed.
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configure Playbook in Microsoft Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident that contains IP Addresses or Hostnames. In the Entity mapping section of the analytics rule creation workflow, IP Address should be mapped to Address identifier of the IP entity type and Hostname should be mapped to Hostname identifier of the Host entity type. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook. Check the documentation to learn more about automation rules.
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save
d. Function App Settings Update Instructions
Refer to AWS Systems Manager API Function App Connector documentation for Function App Application Settings (Access Key ID, Secret Access Key and Region) update instruction.
References
- AWS Systems Manager API Documentation
- AWS Systems Manager User Guide
- AWS Systems Manager Boto3 Documentation
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊