AWS Systems Manager - Stop Managed EC2 Instances Host Entity Trigger

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook can be used by SOC Analysts to stop malicious or compromised EC2 instances in AWS. The playbook can be triggered from a Host entity context in an incident. The playbook takes the Hostname and stops the managed EC2 instances using the Instance ID. The playbook also adds a comment to the incident with instance that was stopped.

Attribute	Value
Type	Playbook
Solution	AWS Systems Manager
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	1
`function`	Built-in	0	6

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—

`function` (Built-in)

Action	Method	Endpoint	Other
Create_Automation_Shutdown_Document	—	—	functionId=`[concat(variables('AWSSSMFuntionsAppId'), '/functions/CreateDocument')]`
DeleteDocument	—	—	functionId=`[concat(variables('AWSSSMFuntionsAppId'), '/functions/DeleteDocument')]`
GetAutomationExecution	—	—	functionId=`[concat(variables('AWSSSMFuntionsAppId'), '/functions/GetAutomationExecution')]`
StartAutomationExecution	—	—	functionId=`[concat(variables('AWSSSMFuntionsAppId'), '/functions/StartAutomationExecution')]`
GetAutomationExecution_again	—	—	functionId=`[concat(variables('AWSSSMFuntionsAppId'), '/functions/GetAutomationExecution')]`
GetInventory	—	—	functionId=`/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97/resourceGroups/awssystemsmanager/providers/Microsoft.Web/sites/AWSSystemsManager/functions/GetInventory`

Additional Documentation

📄 Source: AWSSystemsManagerPlaybooks/AWS-SSM-StopManagedInstance-HostEntityTrigger/readme.md

AWS-SSM-StopManagedInstance-HostEntityTrigger

Summary

Playbook performs the following actions:

Get the Hostname from the Host Entity.
Get the Instance ID of Managed EC2 instance for given Hostname.
Stop the EC2 instance using the Instance ID.
Add a comment to the incident with the instance that was stopped.

Prerequisites

Prior to the deployment of this playbook, AWS Systems Manager API Function App Connector needs to be deployed under the same subscription.
Refer to AWS Systems Manager API Function App Connector documentation to obtain AWS Access Key ID, Secret Access Key and Region.

Deployment instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- Playbook Name
- Functions App Name - Name of the Function App where the AWS Systems Manager API Function App Connector has been deployed.

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

Click the Microsoft Sentinel connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat steps for other connections

b. Assign Playbook Microsoft Sentinel Responder Role

Select the Playbook (Logic App) resource
Click on Identity Blade
Choose System assigned tab
Click on Azure role assignments
Click on Add role assignments
Select Scope - Resource group
Select Subscription - where Playbook has been created
Select Resource group - where Playbook has been created
Select Role - Microsoft Sentinel Responder
Click Save

c. Function App Settings Update Instructions

Refer to AWS Systems Manager API Function App Connector documentation for Function App Application Settings (Access Key ID, Secret Access Key and Region) update instruction.

References