Azure Sentinel Playbook Run-AWS-VM-PacketCapture

The Run-AWS-VM-PacketCapture playbook for Microsoft Azure Sentinel enables ad-hoc traffic mirroring on an AWS EC2 instance. The main goal of the automation is to support digital forensic investigation and evidence collection when MITRE ATT&CK techniques related to the "Command and Control" tactic are suspected, especially in network segments not covered by IDS/IPS tools. For inspecting packet captures (PCAP) for signs of intrusion, refer to the SANS Institute Information Security Reading Room paper "Hunting Threats Inside Packet Captures" (author: Muhammad Alharmeel, @MuAlharmeel).

Traffic Mirroring is currently available only on virtualized Nitro-based instances. The following instance types are built on the Nitro System: A1, C5, C5d, C5n, G4, I3en, Inf1, M5, M5a, M5ad, M5d, M5dn, M5n, M6g, p3dn.24xlarge, R5, R5a, R5ad, R5d, R5dn, R5n, T3, T3a, and z1d.

Bare metal: a1.metal, c5.metal, c5d.metal, c5n.metal, i3.metal, i3en.metal, m5.metal, m5d.metal, m6g.metal, r5.metal, r5d.metal, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, u-18tb1.metal, u-24tb1.metal, and z1d.metal.

Note: Playbooks leverage Azure Logic Apps, so charges apply.
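The following is an added example, not code from the playbook or this page: it checks an instance type against the Nitro list above and then builds the same kind of ad-hoc mirror (target, accept-all filter, session) with the EC2 Traffic Mirroring API. The EC2 client is injected so the logic can run offline with a fake; the collector ENI id and the rule/session numbers are assumed values.

```python
# Instance families from the page's Nitro list; the G4 family appears in EC2 as g4dn.
NITRO_FAMILIES = {"a1", "c5", "c5d", "c5n", "g4dn", "i3en", "inf1", "m5", "m5a", "m5ad",
                  "m5d", "m5dn", "m5n", "m6g", "r5", "r5a", "r5ad", "r5d", "r5dn", "r5n",
                  "t3", "t3a", "z1d"}
# Sizes listed individually on the page: one virtualized size and the bare-metal types.
EXACT_TYPES = {"p3dn.24xlarge", "a1.metal", "c5.metal", "c5d.metal", "c5n.metal",
               "i3.metal", "i3en.metal", "m5.metal", "m5d.metal", "m6g.metal",
               "r5.metal", "r5d.metal", "u-6tb1.metal", "u-9tb1.metal", "u-12tb1.metal",
               "u-18tb1.metal", "u-24tb1.metal", "z1d.metal"}


def supports_traffic_mirroring(instance_type: str) -> bool:
    """True if the type is on the page's Nitro list (i3.large is not, i3en.large is)."""
    t = instance_type.lower()
    family, _, size = t.partition(".")
    if t in EXACT_TYPES:
        return True
    return size != "metal" and family in NITRO_FAMILIES


def start_mirror_session(ec2, instance_id, target_eni_id, session_number=1,
                         description="Sentinel ad-hoc packet capture"):
    """Mirror all traffic of the instance's primary ENI to the collector ENI `target_eni_id`.

    `ec2` is a boto3 EC2 client (the calls below are real EC2 API operations); it is
    injected so the logic can be exercised with a fake client. Returns the created ids.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    itype = inst["InstanceType"]
    if not supports_traffic_mirroring(itype):
        raise ValueError(f"{instance_id} is {itype}; Traffic Mirroring needs a Nitro-based type")
    # Primary ENI is the one attached at device index 0.
    source_eni = min(inst["NetworkInterfaces"],
                     key=lambda n: n["Attachment"]["DeviceIndex"])["NetworkInterfaceId"]
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni_id, Description=description
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    filter_id = ec2.create_traffic_mirror_filter(Description=description)[
        "TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    # Accept-all rules in both directions: an evidence capture should not pre-filter.
    for direction in ("ingress", "egress"):
        ec2.create_traffic_mirror_filter_rule(
            TrafficMirrorFilterId=filter_id, TrafficDirection=direction, RuleNumber=100,
            RuleAction="accept", SourceCidrBlock="0.0.0.0/0", DestinationCidrBlock="0.0.0.0/0")
    session = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni, TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id, SessionNumber=session_number, Description=description)
    return {"source_eni": source_eni, "target": target_id, "filter": filter_id,
            "session": session["TrafficMirrorSession"]["TrafficMirrorSessionId"]}
```

With a real client (`boto3.client("ec2")`), the collector ENI must belong to an instance or load balancer that receives the VXLAN-encapsulated mirrored packets; record the returned ids so the session can be deleted once the capture is done.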

Additional details:

  • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances
  • https://www.sans.org/reading-room/whitepapers/threathunting/hunting-threats-packet-captures-38440