Quarantine AWS Instances from Alerts
Workflow #0006
This workflow fetches Geographically Unusual Remote Access alerts from the Cisco Secure Cloud Analytics (SCA) API for the past hour. Then, for each of those alerts, it attempts to locate a matching Amazon Web Services (AWS) instance and restrict SSH access to its security group. Notifications are sent using Webex and an approval is requested to lift the quarantine restrictions.
Note: To automate handling of the approval tasks generated by this workflow, be sure to also import this workflow!
Change Log
Date | Notes |
---|---|
Nov 20, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Minor updates to naming and descriptions |
Feb 23, 2023 | - Update to Secure Cloud Analytics API Key variable description (Issue #235) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Secure Cloud Analytics - Get Alerts
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
  - Cisco Secure Cloud Analytics (SCA)
  - (Optional) Cisco Webex
  - Amazon Web Services (AWS)
Workflow Steps
- Fetch global variables
- Calculate the time 1 hour ago
- Fetch Geographically Unusual Remote Access alerts from SCA for that time frame
- Convert the alerts to a table
- If a Webex room name was provided, translate it into a room ID
- For each alert in the table:
  - Check if the instance was already quarantined (if so, skip it)
  - Get information about the instance from AWS and extract its security group
  - Revoke SSH access to the group and add an exception for the CIDR network in the local variable
  - Create an approval request to remove the instance from quarantine
  - Send a Webex notification
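The "already quarantined" check and the "revoke SSH access, keep an exception" step above boil down to a decision over the security group's ingress rules. The following Python is an added example, not the workflow's own atomics: it takes an IpPermissions list in the shape EC2 DescribeSecurityGroups returns and produces the inputs for RevokeSecurityGroupIngress and AuthorizeSecurityGroupIngress; the sample rules and the exclusion CIDR are constructed.

```python
"""Plan the security-group change behind the 'revoke SSH access' step."""
from ipaddress import ip_network

SSH_PORT = 22
# Constructed sample rules in the shape EC2 DescribeSecurityGroups returns
# (not real account data): open SSH, open HTTPS, and a broad low-port rule.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]


def _covers_ssh(perm):
    """True if the rule admits TCP/22, including an all-traffic ("-1") rule."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def plan_ssh_quarantine(ip_permissions, exclude_cidr):
    """Return what to revoke, what to authorize, and rules needing review.
    A revoke must match a rule exactly, so only rules scoped to TCP/22 alone
    are revoked; broader rules (port range or all protocols) go to review.
    A rule that already admits only exclude_cidr is kept, so a group that is
    already quarantined yields an empty plan."""
    exclude = str(ip_network(exclude_cidr))  # also rejects a malformed CIDR
    revoke, review, exception_present = [], [], False
    for perm in ip_permissions:
        if not _covers_ssh(perm):
            continue
        if (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")) != ("tcp", SSH_PORT, SSH_PORT):
            review.append(perm)
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        if sources == [exclude] and not perm.get("Ipv6Ranges") and not perm.get("UserIdGroupPairs"):
            exception_present = True  # the exception rule is already in place
            continue
        revoke.append(perm)
    authorize = [] if exception_present else [{
        "IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
        "IpRanges": [{"CidrIp": exclude, "Description": "SSH quarantine exception"}]}]
    return {"revoke": revoke, "authorize": authorize, "review": review}
```

Running the planner a second time over the rules it authorized returns an empty plan, which is the "already quarantined, skip it" case.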
Configuration
- Make sure Default TargetGroup includes the AWS Endpoint target type (more info)
- Set your AWS region in the AWS Region local variable
- Add the CIDR network you want to exclude from SSH restrictions in the CIDR IP to Exclude local variable (so you can still get into the instance to fix it)
- Add your Secure Cloud Analytics API key to the Secure Cloud Analytics API Key local variable (or, if you have an API key in a global variable already, set the local variable to the global's value using the Fetch Global Variables group at the beginning of the workflow)
- The Approval request to undo AWS SSH quarantine activity needs to be configured with a task requestor, owner, and assignees (the assignees will be able to approve or deny)
- Important: Do not change the Subject Line of the approval task or the approval event trigger will stop working
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Amazon Web Services | AWS Endpoint | Region: Your Region | Your AWS Account Key (see below) | |
Secure Cloud Analytics | HTTP Endpoint | Protocol: HTTPS; Host: your-tenant.obsrvbl.com; Path: api | None | |
Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Your AWS Account Key | AWS Credentials | Access Key: AWS API Access Key; Secret Key: AWS API Secret Key | |