The Reimage-Azure-VM playbook for Microsoft Azure Sentinel implements an Immutable Infrastructure approach as an automated threat response action. When an incident triggers it, the playbook identifies the related Azure VM instance by the IP address from the triggered incident and reimages that VM from a previously defined “golden” snapshot via an OS disk swap. Because the swap replaces the compromised OS disk, the Create-Azure-VM-Snapshot playbook can be invoked first to preserve that disk as Digital Forensic evidence.
The main goal of the automation is to mitigate MITRE ATT&CK techniques under the “Persistence” tactic in the most effective way and to reduce the MTTR metric: replacing the OS disk with a known-good copy removes any persistence mechanism an attacker planted on it. Note that only the OS disk is replaced; data disks and anything outside the VM are not touched, and the snapshot must itself come from a known-good state.
Actions provided by the playbook:
- Identify the Azure VM instance by the provided IP address
- Read the snapshot reference from the VM's ReDeploySnapshot tag
- Create a new managed disk (volume) from that snapshot
- Stop (deallocate) the identified Azure VM if it is running; the OS disk swap requires a deallocated VM
- Detach the current OS (root) disk; it remains as an unattached managed disk
- Attach the new “golden” disk via OS Disk Swap
- Start the reimaged Azure VM instance.
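The steps above as an added example in Az PowerShell; this is not the playbook's own code (the playbook is an Azure Logic App). It also snapshots the outgoing OS disk before the swap, standing in for the Create-Azure-VM-Snapshot step. Assumed, not stated on the page: the Az.Compute and Az.Network modules are installed and Connect-AzAccount has been run with rights over the VM, the ReDeploySnapshot tag holds the snapshot's full resource ID, and the incident IP is a private or public IP on a single NIC. The Split-AzResourceId helper and the disk and snapshot names are this example's own.

```powershell
<#
Added example, not the playbook's code. Assumptions (not on the page):
Az.Compute/Az.Network installed and an authenticated session; the
ReDeploySnapshot tag holds the snapshot's full resource ID; the incident IP
is a private or public IP of one NIC.
#>
param(
    [Parameter(Mandatory = $true)] [string] $IpAddress
)
$ErrorActionPreference = 'Stop'

# Helper (this example's own): split a resource ID into group and name.
function Split-AzResourceId([string] $Id) {
    if ($Id -notmatch '/resourceGroups/(?<rg>[^/]+)/providers/.+/(?<name>[^/]+)$') {
        throw "Unexpected resource ID: $Id"
    }
    return @{ ResourceGroup = $Matches['rg']; Name = $Matches['name'] }
}

# 1. Identify the VM: match the IP against NIC private IPs, then public IPs.
$nic = Get-AzNetworkInterface |
    Where-Object { $_.IpConfigurations.PrivateIpAddress -contains $IpAddress } |
    Select-Object -First 1
if (-not $nic) {
    $pip = Get-AzPublicIpAddress | Where-Object { $_.IpAddress -eq $IpAddress } | Select-Object -First 1
    if ($pip) {
        $nic = Get-AzNetworkInterface |
            Where-Object { $_.IpConfigurations.PublicIpAddress.Id -contains $pip.Id } |
            Select-Object -First 1
    }
}
if (-not $nic -or -not $nic.VirtualMachine) { throw "No VM owns IP address $IpAddress" }
$vmRef = Split-AzResourceId $nic.VirtualMachine.Id
$vm = Get-AzVM -ResourceGroupName $vmRef.ResourceGroup -Name $vmRef.Name

# 2. Read the golden snapshot reference from the ReDeploySnapshot tag.
$snapshotId = $vm.Tags['ReDeploySnapshot']
if (-not $snapshotId) { throw "VM $($vm.Name) has no ReDeploySnapshot tag; refusing to reimage" }

# 3. Create a new managed disk from the snapshot, in the same region and with
#    the same SKU as the current OS disk so the swap is like-for-like.
$oldRef  = Split-AzResourceId $vm.StorageProfile.OsDisk.ManagedDisk.Id
$oldDisk = Get-AzDisk -ResourceGroupName $oldRef.ResourceGroup -DiskName $oldRef.Name
$stamp   = Get-Date -Format 'yyyyMMddHHmmss'
$cfg = New-AzDiskConfig -Location $vm.Location -CreateOption Copy `
        -SourceResourceId $snapshotId -SkuName $oldDisk.Sku.Name
$newDisk = New-AzDisk -ResourceGroupName $vm.ResourceGroupName `
        -DiskName "$($vm.Name)-golden-$stamp" -Disk $cfg

# 4. Stop (deallocate) the VM unless it already is; the OS disk swap is only
#    accepted on a deallocated VM.
$power = (Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Status).Statuses |
    Where-Object { $_.Code -like 'PowerState/*' }
if ($power.Code -ne 'PowerState/deallocated') {
    Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force | Out-Null
}

# Evidence: snapshot the compromised OS disk before it is swapped out (the
# page's flow does this with the Create-Azure-VM-Snapshot playbook).
$snapCfg = New-AzSnapshotConfig -SourceUri $oldDisk.Id -Location $vm.Location -CreateOption Copy
New-AzSnapshot -ResourceGroupName $vm.ResourceGroupName `
    -SnapshotName "$($oldDisk.Name)-evidence-$stamp" -Snapshot $snapCfg | Out-Null

# 5-6. Swap the OS disk. The old disk is not deleted by the swap; it stays as
#      an unattached managed disk and should be kept for forensic review.
Set-AzVMOSDisk -VM $vm -ManagedDiskId $newDisk.Id -Name $newDisk.Name | Out-Null
Update-AzVM -ResourceGroupName $vm.ResourceGroupName -VM $vm | Out-Null

# 7. Start the reimaged VM.
Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name | Out-Null
Write-Output "Reimaged $($vm.Name): OS disk $($oldDisk.Name) replaced by $($newDisk.Name)"
```

Run it as `.\Reimage-AzureVM.ps1 -IpAddress 10.0.0.4` (file name chosen here). The script refuses to proceed when no VM owns the IP or the VM carries no ReDeploySnapshot tag, so an incident with a stale or external IP cannot reimage an unrelated machine.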
Note: the playbooks run on Azure Logic Apps, therefore Azure charges apply.
Additional details: https://medium.com/@adhorn/immutable-infrastructure-21f6613e7a23