The Isolate-AWS-VM playbook for Microsoft Azure Sentinel isolates AWS EC2 instances from the network. Its goals are to stop an attack or worm from spreading across enterprise networks and to disrupt Exfiltration / Command & Control (C2) network channels. When an incident is triggered, the playbook identifies the related AWS EC2 instances by the IP addresses in the incident, removes all existing security groups, and applies a "deny all" security group to each identified AWS EC2 instance. The "deny all" security group allows connections only to the hosts required for active investigation and mitigation actions, such as the SIEM log collector, the AV / EDR management station, GRR management, Nextron Systems Asgard management, etc. The AWS EC2 instances stay up and running so that evidence held in memory and in running processes is not lost. The main goal of the automation is to reduce MTTR: minimize the time gap between detecting a security incident and blocking the spread of the attack, and so reduce its impact.
Note: Playbooks leverage Azure Logic Apps, therefore charges apply.
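The isolation steps described above, written out with boto3 as an added example (this is not the playbook's own Logic App code): match the incident's IP entities to EC2 instances, swap every attached security group for one quarantine group, and leave the instance running. The quarantine group ID, the investigation-host CIDRs and the incident IP are constructed placeholders, and the EC2 client is passed in so the logic can be exercised against a test double without AWS credentials.

```python
"""Added example, not the playbook's own code: isolate EC2 instances by IP.

Follows the steps the playbook text describes: find instances by the
incident's IP entities, replace every attached security group with a single
quarantine ("deny all") group, and leave the instance running so memory and
process state survive for the investigation.

Hypothetical values: QUARANTINE_SG_ID, INVESTIGATION_CIDRS and the sample
incident IP are constructed placeholders, not identifiers from the playbook.
"""
from typing import Iterable

# Investigation hosts the quarantine group may still reach (constructed CIDRs).
INVESTIGATION_CIDRS = {
    "10.0.100.10/32",  # SIEM log collector
    "10.0.100.11/32",  # AV / EDR management station
    "10.0.100.12/32",  # GRR / Asgard management
}
QUARANTINE_SG_ID = "sg-0123456789abcdef0"  # placeholder, not a real group


def instances_for_ips(describe_response: dict, incident_ips: Iterable[str]) -> dict:
    """Map matched instance IDs to their currently attached security group IDs.

    Matches on either the private or the public address, because the incident
    may carry whichever one the SIEM observed.
    """
    wanted = set(incident_ips)
    found = {}
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            addrs = {inst.get("PrivateIpAddress"), inst.get("PublicIpAddress")}
            if addrs & wanted:
                found[inst["InstanceId"]] = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    return found


def is_quarantine_group(sg: dict, allowed_cidrs: set) -> bool:
    """AWS security groups are allow-lists, so "deny all" means: no rule in
    either direction reaches anything except the investigation hosts."""
    for direction in ("IpPermissions", "IpPermissionsEgress"):
        for perm in sg.get(direction, []):
            # Group references, prefix lists or IPv6 ranges would widen the allow-list.
            if perm.get("UserIdGroupPairs") or perm.get("PrefixListIds") or perm.get("Ipv6Ranges"):
                return False
            for rng in perm.get("IpRanges", []):
                if rng.get("CidrIp") not in allowed_cidrs:
                    return False
    return True


def isolate_instances(ec2, incident_ips, quarantine_sg_id=QUARANTINE_SG_ID,
                      allowed_cidrs=INVESTIGATION_CIDRS) -> dict:
    """Apply the playbook steps through an EC2 client (boto3 or a test double).

    Returns {instance_id: previous_group_ids} so the original groups can be
    restored once the investigation is closed.
    """
    # Refuse to proceed if the quarantine group is not actually restrictive.
    sg = ec2.describe_security_groups(GroupIds=[quarantine_sg_id])["SecurityGroups"][0]
    if not is_quarantine_group(sg, allowed_cidrs):
        raise ValueError(f"{quarantine_sg_id} allows traffic beyond the investigation hosts")

    ips = list(incident_ips)
    targets = {}
    for filter_name in ("private-ip-address", "ip-address"):
        resp = ec2.describe_instances(Filters=[{"Name": filter_name, "Values": ips}])
        targets.update(instances_for_ips(resp, ips))

    for instance_id in targets:
        # Setting the full group list (rather than adding a group) drops every
        # prior group, so no earlier allow rule is unioned with the quarantine group.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    return targets


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    client = boto2 if False else boto3.client("ec2")
    print(isolate_instances(client, ["10.0.1.23"]))  # constructed incident IP entity
```

Because security group rules are unioned across all groups attached to an instance, the example replaces the whole list rather than appending, and it validates the quarantine group first so a mis-edited group cannot silently leave a path open.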
MITRE ATT&CK Mitigations:
- M1037 Filter Network Traffic https://attack.mitre.org/mitigations/M1037/
- M1035 Limit Access to Resource Over Network https://attack.mitre.org/mitigations/M1035/