The Reimage-AWS-VM playbook for Microsoft Azure Sentinel applies an Immutable Infrastructure approach as an automated threat response action. When an incident fires, the playbook identifies the related AWS EC2 instance by the IP address taken from the triggered incident and reimages that instance from a previously defined "golden" snapshot. To preserve evidence for digital forensics, the Create-AWS-Snapshot playbook can be invoked first.
The main goal of the automation is to mitigate MITRE ATT&CK techniques under the "Persistence" tactic as effectively as possible and to reduce the MTTR (mean time to respond) metric.
Actions performed by the playbook:
- Identify the EC2 instance ID and region from the provided IP address
- Read the snapshot ID from the instance's ReDeploySnapshot tag
- Create a new volume from that snapshot
- Stop the identified EC2 instance (if it is in the running state)
- Detach the current root device
- Attach the new "golden" volume as the root device
- Start the reimaged EC2 instance
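The sequence above written out in Python against the boto3 EC2 client API, as an added example that is not the playbook's own code (the playbook itself is a Logic App). For a real run pass `boto3.client("ec2", region_name=...)`; the FakeEC2 class and SAMPLE_INSTANCE record are constructed stand-ins so the code runs offline, and the tag name ReDeploySnapshot and the lookup by incident IP follow the description above.

```python
# Added example, not the playbook's own code: the reimage steps written against
# boto3's EC2 client API. FakeEC2 and SAMPLE_INSTANCE are constructed stand-ins.

def find_instance_by_ip(ec2, ip):  # Step 1: private address first, then public
    for name in ("private-ip-address", "ip-address"):
        res = ec2.describe_instances(Filters=[{"Name": name, "Values": [ip]}])
        for reservation in res["Reservations"]:
            for inst in reservation["Instances"]:
                return inst
    raise LookupError(f"no EC2 instance has IP {ip}")

def reimage_by_ip(ec2, ip):
    inst = find_instance_by_ip(ec2, ip)
    iid, az = inst["InstanceId"], inst["Placement"]["AvailabilityZone"]
    snap = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}.get("ReDeploySnapshot")
    if not snap:  # Step 2: no golden snapshot tag means there is nothing safe to deploy
        raise ValueError(f"{iid} has no ReDeploySnapshot tag; refusing to reimage")
    root_dev = inst["RootDeviceName"]
    root_vol = next(m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"]
                    if m["DeviceName"] == root_dev)
    # Step 3: the replacement root volume must be created in the instance's AZ
    new_vol = ec2.create_volume(SnapshotId=snap, AvailabilityZone=az)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    if inst["State"]["Name"] == "running":  # Step 4: only stop a running instance
        ec2.stop_instances(InstanceIds=[iid])
        ec2.get_waiter("instance_stopped").wait(InstanceIds=[iid])
    ec2.detach_volume(VolumeId=root_vol, InstanceId=iid, Device=root_dev)  # Step 5
    ec2.get_waiter("volume_available").wait(VolumeIds=[root_vol])  # old volume kept, not deleted
    ec2.attach_volume(VolumeId=new_vol, InstanceId=iid, Device=root_dev)  # Step 6
    ec2.start_instances(InstanceIds=[iid])  # Step 7
    return {"instance": iid, "old_root": root_vol, "new_root": new_vol, "snapshot": snap}

SAMPLE_INSTANCE = {  # constructed describe_instances record for the offline demo
    "InstanceId": "i-0example", "PrivateIpAddress": "10.0.1.23",
    "Placement": {"AvailabilityZone": "us-east-1a"}, "State": {"Name": "running"},
    "RootDeviceName": "/dev/xvda", "Tags": [{"Key": "ReDeploySnapshot", "Value": "snap-0golden"}],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0old"}}]}

class FakeEC2:  # constructed in-memory stand-in for boto3's EC2 client; records calls
    def __init__(self, inst):
        self.inst, self.calls = inst, []
    def describe_instances(self, Filters):
        key = "PrivateIpAddress" if Filters[0]["Name"] == "private-ip-address" else "PublicIpAddress"
        hit = [self.inst] if self.inst.get(key) in Filters[0]["Values"] else []
        return {"Reservations": [{"Instances": hit}]}
    def get_waiter(self, name):  # real waiters block until the resource reaches the state
        return type("Waiter", (), {"wait": lambda self, **kw: None})()
    def __getattr__(self, name):  # create/stop/detach/attach/start: record and return an id
        return lambda **kw: self.calls.append(name) or {"VolumeId": "vol-0new"}
```

The old root volume is only detached, so it stays available for the forensic snapshot the Create-AWS-Snapshot playbook takes.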
Note: the playbook runs on Azure Logic Apps, so Logic Apps charges apply.
Additional details: https://medium.com/@adhorn/immutable-infrastructure-21f6613e7a23