This is a SecureX playbook that automates quarantine through AWS IAM upon receiving Stealthwatch Cloud alerts. In this playbook, we use an e-mail trigger to start the workflow. When Stealthwatch Cloud raises an alert, it sends an e-mail to a mailbox. SecureX is configured with an IMAP listener on this mailbox to collect the alert e-mail. When the e-mail is retrieved, the workflow parses it to keep only the AWS username that triggered the alert. It then applies a specific new policy to this user in order to limit what the user is able to do. Once the user has been remediated, a notification can be sent through Webex Teams. There are many possible scenarios; here is an example:
https://www.youtube.com/watch?v=2OS3SgVVFdU
Note: Please test this properly before implementing in a production environment. This is a sample workflow!
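As an added illustration of the parse-then-quarantine step described above (example code, not part of the playbook or of the workflow JSON), the Python below extracts the AWS username from a constructed alert e-mail, ignores mail that is not from the configured alert sender, and attaches an inline deny-all policy through a boto3-style IAM client. The e-mail body layout, the sender check and the deny-all policy document are assumptions made for this example.

```python
import email
import json
import re
from typing import Optional

# Constructed sample alert e-mail. The body layout is an assumption made for this
# example, not the product's actual notification format.
SAMPLE_ALERT = """\
From: alerts@example.com
To: securex-listener@example.com
Subject: [Stealthwatch Cloud] Alert: AWS IAM anomaly
Content-Type: text/plain

Alert type: AWS IAM anomaly
AWS Username: ci-deploy-bot
Source IP: 203.0.113.10
"""

# IAM user names are 1-64 characters from A-Za-z0-9 and + = , . @ _ -.  Anchoring the
# match to a whole line keeps arbitrary mail text from being passed to the IAM call.
USERNAME_RE = re.compile(r"^AWS Username:\s*(?P<user>[A-Za-z0-9+=,.@_-]{1,64})\s*$", re.M)

# Assumed quarantine policy: an inline explicit deny on every action and resource.
QUARANTINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}


def extract_aws_username(raw_message: str, expected_sender: str) -> Optional[str]:
    """Return the AWS user named in the alert, or None when the mail is not from the
    configured alert sender or carries no well-formed 'AWS Username:' line."""
    msg = email.message_from_string(raw_message)
    if expected_sender.lower() not in (msg.get("From") or "").lower():
        return None
    body = ""
    for part in msg.walk():  # walk() covers both single-part and multipart mail
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    match = USERNAME_RE.search(body)
    return match.group("user") if match else None


def quarantine_user(iam_client, username: str, policy_name: str = "SecureXQuarantine") -> dict:
    """Attach the deny-all inline policy to the user. iam_client is a boto3 IAM client
    (boto3.client("iam")) or any stand-in exposing put_user_policy(), so the step can be
    exercised offline before real credentials are wired in."""
    return iam_client.put_user_policy(
        UserName=username, PolicyName=policy_name, PolicyDocument=json.dumps(QUARANTINE_POLICY)
    )
```

Once the username is confirmed, a second step (not shown) can post the remediation notice to Webex Teams as the playbook describes.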
- Configure e-mail in Stealthwatch Cloud: in Stealthwatch Cloud, open the top-right wheel (Settings) --> Services/Webhooks --> E-mail
- E-mail address to be used to send Secure Cloud Analytics alerts
- Account keys to be configured: the mailbox used (in my case I used a simple Gmail account) and AWS credentials
- Variables (optional): Webex Teams key
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
- US: https://securex-ao.us.security.cisco.com/orch-ui/workflows/
- EU: https://securex-ao.eu.security.cisco.com/orch-ui/workflows/
- APJC: https://securex-ao.apjc.security.cisco.com/orch-ui/workflows/
- In the left-hand menu, select Variables.

Next steps:
- In the left pane menu, select Workflows. Click on IMPORT to import the workflow.
- Click on Browse, or paste the content of the SWC-AWS IAM Workflow.json file into the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.
- Complete the remaining steps: update the targets and account keys, set a trigger, and run the workflow.
- Remi VACHER (Cisco)