EC2 Instance Isolation


Isolate an EC2 instance by changing its security group in order to protect it from malicious traffic. This playbook can be started alone or used from another playbook after doing investigation and notification.


Use Case

Advanced Threat Detection, Insider Threat, SOC Automation


Account Compromise, Account Sharing, Cloud Security, IAM Analytics, Insider Threat, SaaS

Security Impact

Compromised AWS credentials can give a malicious actor access to currently running instances and their configurations, as well as the ability to start new instances and services. By detecting suspicious behavior early, this playbook allows a security team to react quickly and investigate the activity further.

Alert Volume

Very Low


Stage 5

Data Sources

Audit Trail

How to Implement

This playbook can be triggered from several of the example searches available in the Security Essentials app, so that an instance is quarantined as soon as suspicious behavior has been detected.

How to Respond

Depending on the use case, this playbook can be modified using several of the available Phantom apps to widen the scope of the actions it takes. For example, using the AWS WAF or AWS IAM apps, additional actions can be added depending on the type of alert that was triggered.
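The isolation action the playbook performs (swap the instance's security groups for a quarantine group that permits no traffic, keeping a record of the original groups so the instance can be restored after the investigation) is shown below as an added example. It is not the Phantom playbook's own code; it assumes a boto3-style EC2 client exposing describe_instances, describe_security_groups, create_security_group, revoke_security_group_egress and modify_instance_attribute, and the quarantine group name, instance ids and VPC id are constructed placeholders. A constructed in-memory fake client is included so it runs offline; pass a real boto3.client("ec2") in its place to act on an account.

```python
# Added example (not Splunk/Phantom code): EC2 isolation by security-group swap.
QUARANTINE_SG_NAME = "quarantine-deny-all"  # assumed name, not from the page


def find_or_create_quarantine_sg(ec2, vpc_id):
    """Return the id of the quarantine group in vpc_id, creating it if absent.
    A new group has no inbound rules; its default allow-all egress rule is
    revoked so the isolated instance cannot reach out either."""
    resp = ec2.describe_security_groups(Filters=[
        {"Name": "group-name", "Values": [QUARANTINE_SG_NAME]},
        {"Name": "vpc-id", "Values": [vpc_id]},
    ])
    if resp["SecurityGroups"]:
        return resp["SecurityGroups"][0]["GroupId"]
    created = ec2.create_security_group(
        GroupName=QUARANTINE_SG_NAME,
        Description="Isolation group: no ingress, no egress",
        VpcId=vpc_id,
    )
    sg_id = created["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    return sg_id


def isolate_instance(ec2, instance_id):
    """Replace the instance's security groups with the quarantine group.
    Returns a record of the original groups for later rollback."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    original = [g["GroupId"] for g in instance["SecurityGroups"]]
    q_sg = find_or_create_quarantine_sg(ec2, instance["VpcId"])
    if original == [q_sg]:
        # Idempotent: re-running the playbook must not lose the real originals.
        return {"instance_id": instance_id, "already_isolated": True,
                "original_groups": original, "quarantine_group": q_sg}
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[q_sg])
    return {"instance_id": instance_id, "already_isolated": False,
            "original_groups": original, "quarantine_group": q_sg}


def restore_instance(ec2, record):
    """Undo isolation using the record returned by isolate_instance."""
    ec2.modify_instance_attribute(InstanceId=record["instance_id"],
                                  Groups=record["original_groups"])
    return record["original_groups"]


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: one instance in one VPC,
    no quarantine group yet. Only the calls used above are implemented."""
    def __init__(self):
        self.groups = {"sg-0aaa111": {"GroupName": "web-public", "VpcId": "vpc-0111"}}
        self.instances = {"i-0123456789abcdef0": {"VpcId": "vpc-0111",
                                                  "SecurityGroups": ["sg-0aaa111"]}}
        self.calls = []  # audit trail of mutating calls

    def describe_instances(self, InstanceIds):
        inst = [{"InstanceId": i, "VpcId": self.instances[i]["VpcId"],
                 "SecurityGroups": [{"GroupId": g, "GroupName": self.groups[g]["GroupName"]}
                                    for g in self.instances[i]["SecurityGroups"]]}
                for i in InstanceIds]
        return {"Reservations": [{"Instances": inst}]}

    def describe_security_groups(self, Filters):
        wanted = {f["Name"]: set(f["Values"]) for f in Filters}
        out = [{"GroupId": gid, **g} for gid, g in self.groups.items()
               if g["GroupName"] in wanted.get("group-name", {g["GroupName"]})
               and g["VpcId"] in wanted.get("vpc-id", {g["VpcId"]})]
        return {"SecurityGroups": out}

    def create_security_group(self, GroupName, Description, VpcId):
        gid = f"sg-new{len(self.groups):04d}"
        self.groups[gid] = {"GroupName": GroupName, "VpcId": VpcId}
        self.calls.append(("create", gid))
        return {"GroupId": gid}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append(("revoke_egress", GroupId))
        return {"Return": True}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = list(Groups)
        self.calls.append(("modify", InstanceId, tuple(Groups)))
        return {}


if __name__ == "__main__":
    client = FakeEC2()
    rec = isolate_instance(client, "i-0123456789abcdef0")
    print(rec)
    print(restore_instance(client, rec))
```

The returned record is what a playbook should store as an artifact: it is the only way to put the instance back once the investigation is done. After the swap, confirm the isolation took effect by re-reading the instance's security groups and checking VPC Flow Logs for the instance rather than assuming the call succeeded.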


EC2 Instance Isolation Help

Simply deploy Phantom and work with your technical team to deploy this.

Screenshot of Demo Data