https://community.splunk.com/t5/Splunk-SOAR/Example-of-how-to-protect-an-EC2-group-from-malicious-traffic/m-p/499330#M367 <P>Does anyone have examples of how to use Splunk Phantom to protect an EC2 group from malicious traffic?</P> Sun, 07 Jun 2020 16:35:16 GMT sloshburch 2020-06-07T16:35:16Z https://community.splunk.com/t5/Splunk-SOAR/Example-of-how-to-protect-an-EC2-group-from-malicious-traffic/m-p/499330#M367 <P>Does anyone have examples of how to use Splunk Phantom to protect an EC2 group from malicious traffic?</P> Sun, 07 Jun 2020 16:35:16 GMT https://community.splunk.com/t5/Splunk-SOAR/Example-of-how-to-protect-an-EC2-group-from-malicious-traffic/m-p/499330#M367 sloshburch 2020-06-07T16:35:16Z https://community.splunk.com/t5/Splunk-SOAR/Example-of-how-to-protect-an-EC2-group-from-malicious-traffic/m-p/499331#M368 <P><EM>The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the <A href="https://docs.splunk.com/Documentation/UseCases">Splunk Platform Use Cases</A> manual.</EM></P> <P><EM>For more information on this and other examples, download the free <A href="https://splunkbase.splunk.com/app/3435">Splunk Security Essentials</A> app on Splunkbase.</EM></P> <HR /> <P>Compromised Amazon EC2 credentials can give a malicious actor access to currently running instances and configurations, and the ability to start new instances and services. Detect suspicious behavior early so you can react quickly and further investigate suspicious behavior. </P> <H1>Load data</H1> <P><STRONG>How to implement:</STRONG> To run the Splunk Phantom EC2 Instance Isolation playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests AWS and audit trail events.</P> <P>Although there are several ways to get data into Phantom, this example uses the <A href="https://splunkbase.splunk.com/app/3411/">Phantom App for Splunk on Splunkbase</A>. Verify that the playbook is configured to operate on <CODE>splunk_events</CODE>.</P> <P>Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the <STRONG>Phantom Asset Configuration</STRONG> page, and that all assets are resolved on the <STRONG>Phantom Resolved Assets</STRONG> page.</P> <H1>Get insights</H1> <P>Isolate an EC2 instance by changing its security group in order to protect it from malicious traffic. You can start the EC2 Instance Isolation playbook alone or from another playbook.</P> <P>To find the playbook, go to the Phantom main menu, select Playbooks, and search for <CODE>ec2_instance_isolation</CODE>.</P> <P><STRONG>How to respond:</STRONG> You can modify the Splunk Phantom EC2 Instance Isolation using several of the available Phantom apps to increase the scope of the actions you can take. For example, you can add actions based on the type of alert that was triggered using the Phantom AWS WAF or AWS IAM app.</P> <H1>Help</H1> <P>For more support, <A href="https://answers.splunk.com/answers/ask.html?topics=usecase">post a question to the Splunk Answers community</A>.</P> Thu, 30 Jan 2020 22:31:57 GMT https://community.splunk.com/t5/Splunk-SOAR/Example-of-how-to-protect-an-EC2-group-from-malicious-traffic/m-p/499331#M368 sloshburch 2020-01-30T22:31:57Z