EC2 Instance Isolation

Description

Isolate an EC2 instance by changing its security group to protect it from malicious traffic. This playbook can be run on its own or called from another playbook after investigation and notification have been completed.
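The isolation step the playbook performs, moving an instance onto a quarantine security group, is shown below as an added example; it is not code from this page or from the Phantom playbook it describes. The instance id, security group ids and the FakeEC2 client are constructed stand-ins; with boto3 installed, `boto3.client("ec2")` can be passed as the client instead. The example goes a little beyond the description by swapping every network interface on the instance (a security group change made on the instance attribute only affects the primary interface) and by refusing to use a quarantine group that still permits inbound traffic.

```python
"""Isolate an EC2 instance by moving all of its network interfaces onto a
quarantine security group.  Added example; the ids and FakeEC2 client are
constructed stand-ins, not values from the page."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class IsolationResult:
    instance_id: str
    previous_groups: dict[str, list[str]]  # ENI id -> groups before isolation
    quarantine_group: str
    changed: bool


def quarantine_group_is_closed(ec2, sg_id: str) -> bool:
    """A quarantine group must carry no inbound rules at all."""
    resp = ec2.describe_security_groups(GroupIds=[sg_id])
    groups = resp.get("SecurityGroups", [])
    if len(groups) != 1:
        raise ValueError(f"security group {sg_id} not found")
    return not groups[0].get("IpPermissions")


def isolate_instance(ec2, instance_id: str, quarantine_sg: str) -> IsolationResult:
    """Replace the security groups on every ENI of the instance with quarantine_sg.

    Idempotent: an interface already on the quarantine group is left alone."""
    if not quarantine_group_is_closed(ec2, quarantine_sg):
        raise ValueError(f"{quarantine_sg} still has inbound rules; refusing to quarantine into it")
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instances = [i for r in resp.get("Reservations", []) for i in r.get("Instances", [])]
    if len(instances) != 1:
        raise ValueError(f"instance {instance_id} not found")
    previous: dict[str, list[str]] = {}
    changed = False
    for eni in instances[0].get("NetworkInterfaces", []):
        eni_id = eni["NetworkInterfaceId"]
        current = [g["GroupId"] for g in eni.get("Groups", [])]
        previous[eni_id] = current  # record for later restoration / evidence
        if current == [quarantine_sg]:
            continue
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[quarantine_sg])
        changed = True
    return IsolationResult(instance_id, previous, quarantine_sg, changed)


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client: one instance, two ENIs."""

    def __init__(self) -> None:
        self.groups = {
            "sg-quarantine": {"GroupId": "sg-quarantine", "IpPermissions": [], "IpPermissionsEgress": []},
            "sg-web": {
                "GroupId": "sg-web",
                "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}],
                "IpPermissionsEgress": [{"IpProtocol": "-1"}],
            },
        }
        self.enis: dict[str, list[str]] = {"eni-1": ["sg-web"], "eni-2": ["sg-web", "sg-db"]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds if g in self.groups]}

    def describe_instances(self, InstanceIds):
        if InstanceIds != ["i-example"]:
            return {"Reservations": []}
        ifaces = [{"NetworkInterfaceId": e, "Groups": [{"GroupId": g} for g in gs]}
                  for e, gs in self.enis.items()]
        return {"Reservations": [{"Instances": [{"InstanceId": "i-example", "NetworkInterfaces": ifaces}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.enis[NetworkInterfaceId] = list(Groups)
        return {}


if __name__ == "__main__":
    client = FakeEC2()
    print(isolate_instance(client, "i-example", "sg-quarantine"))
    print(client.enis)
```

The previous group list is returned so a calling playbook can store it as evidence and restore the instance once the investigation is closed.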

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection, Insider Threat, SOC Automation

Category

Account Compromise, IAM Analytics, Account Sharing, SaaS, Insider Threat, Cloud Security

Security Impact

Compromised AWS credentials can give a malicious actor access to running instances and their configurations, as well as the ability to start new instances and services. By detecting suspicious behavior early, this playbook allows a security team to react quickly and investigate further.

Alert Volume

Very Low

SPL Difficulty

None

Journey

Stage 5

Data Sources

AWS
Audit Trail

How to Implement

This playbook can be triggered by several of the example searches available in the Security Essentials app, so that an instance is quarantined as soon as suspicious behavior has been detected.

How To Respond

Depending on the use case, this playbook can be modified using several of the available Phantom apps to widen the scope of the actions it takes. For example, using the AWS WAF or AWS IAM app, additional actions can be added based on the type of alert that triggered it.

Help

EC2 Instance Isolation Help

Deploy Phantom and work with your technical team to deploy this playbook.

Screenshot of Demo Data