
Quarantine AWS Instances from Alerts

Workflow #0006

This workflow fetches Geographically Unusual Remote Access alerts from the Secure Cloud Analytics (SCA) API for the past hour. Then, for each of those alerts, it attempts to locate a matching AWS instance and restrict SSH access to its security group. Notifications are sent using Webex Teams and an approval is requested to lift the quarantine restrictions.

Note: To automate handling of the approval tasks generated by this workflow, be sure to also import this workflow!

GitHub


Requirements

  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed below
  • A Secure Cloud Analytics instance
  • An Amazon Web Services account with instances monitored by SCA
  • (Optional) A Webex Teams access token and room name to post messages to

Note: You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the best experience with this workflow, be sure to import the latest version of this atomic from the GitHub_Target_Atomics repository!


Workflow Steps

  1. (Optional) Add global variables to local variables
  2. Calculate the start/end times for a 1 hour period of time
  3. Fetch Geographically Unusual Remote Access alerts from SCA for that time frame
  4. Convert the alerts to a table
  5. If a Teams room name was provided, translate it into a room ID
  6. For each alert in the table:
    • Check if the instance was already quarantined (if so, skip it)
    • Get information about the instance from AWS and extract its security group
    • Revoke SSH access to the group and add an exception for the CIDR network in the local variable
    • Create an approval request to remove the instance from quarantine
    • Send a Webex Teams notification
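
The "revoke SSH access and add an exception" part of step 6, as an added Python example that is not part of the workflow or its atomics: it takes the IpPermissions structure that EC2 describe_security_groups returns, decides which ingress entries grant SSH and must be revoked, builds the single exception rule for the CIDR from the local variable, and reports whether the group is already quarantined (the skip check in the first sub-step). The sample permissions and the 203.0.113.0/24 exception are constructed; applying the plan with boto3's revoke_security_group_ingress and authorize_security_group_ingress is assumed to be done by the caller, so nothing here talks to AWS.

```python
import ipaddress

SSH_PORT = 22


def _covers_ssh(perm):
    """True if an ingress entry allows TCP/22, including all-traffic ("-1") rules."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def plan_ssh_quarantine(ip_permissions, allowed_cidr):
    """Return (to_revoke, to_authorize, already_quarantined) for one security group.

    Any entry that grants SSH is revoked whole, so a wide rule (e.g. ports 0-1024
    or all traffic) loses its other ports too; that is the conservative choice
    for a quarantine, but the approver should know what was removed.
    """
    ipaddress.ip_network(allowed_cidr)  # reject a malformed exception CIDR early
    to_revoke, exception_present = [], False
    for perm in ip_permissions:
        if not _covers_ssh(perm):
            continue
        exact_exception = (
            perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == SSH_PORT and perm.get("ToPort") == SSH_PORT
            and [r.get("CidrIp") for r in perm.get("IpRanges", [])] == [allowed_cidr]
            and not perm.get("Ipv6Ranges") and not perm.get("UserIdGroupPairs")
            and not perm.get("PrefixListIds")
        )
        if exact_exception:
            exception_present = True
        else:
            to_revoke.append(perm)
    to_authorize = [] if exception_present else [{
        "IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
        "IpRanges": [{"CidrIp": allowed_cidr, "Description": "SCA quarantine exception"}],
    }]
    return to_revoke, to_authorize, exception_present and not to_revoke


# Constructed sample shaped like describe_security_groups()["SecurityGroups"][0]["IpPermissions"]
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
]
```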

Configuration

  • Make sure Default TargetGroup includes the AWS Endpoint target type (more info)
  • Set your AWS region in the AWS Region local variable
  • Add the CIDR network you want to exclude from SSH restrictions in the CIDR IP to Exclude local variable (so you can still get into the instance to fix it)
  • Add your SCA API key to the Secure Cloud Analytics API Key local variable (or, if you have an API key in a global variable already, set the local variable to the global’s value using the Fetch Global Variables group at the beginning of the workflow)
  • The Approval request to undo AWS SSH quarantine activity needs to be configured with a task requestor, owner, and assignees (the assignees will be able to approve or deny)
  • Important: Do not change the Subject Line of the approval task or the approval event trigger will stop working
  • See this page for information on configuring the workflow for Webex Teams

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| Amazon Web Services | AWS Endpoint | Region: Your Region | Your AWS Account Key (see below) | |
| Secure Cloud Analytics | HTTP Endpoint | Protocol: HTTPS; Host: your-tenant.obsrvbl.com; Path: api | None | |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex Teams activities are removed |

Account Keys

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| Your AWS Account Key | AWS Credentials | Access Key: AWS API Access Key; Secret Key: AWS API Secret Key | |