Incident Response Automation Utilizing the StackStorm Framework

By: Grace Lombardi

With the ever-growing need for cyber security the ability to easily automate the collection of logs and alerts to a centralized system is essential for any business.  The developers of StackStorm describe their system as “A platform for integration and automation across services and tools, taking actions in response to events [1]”. StackStorm is an open-source software that I have worked very closely with over the last 3 years. For me personally I have used the system to create actions and sensors that could utilize various companies’ APIs to make quick and easy actions and sensors that could simplify incident response. StackStorm also provides a functionality to create workflows that can connect different companies APIs by using a drag and drop atmosphere to create automation. These workflows can be used to go from preliminary intrusion detection to containment and investigation to eradication and documentation to complete all the stages of incident response. Some of the API’s I have used with this system include various AWS systems (CloudTrail, GuardDuty, Inspector), various Microsoft systems (ATP, Azure AD, O365), various Cisco systems (Meraki, Umbrella), Carbon Black, and Duo among many others. It is very simple to use any API in StackStorm and I have never run into one that did not work well with it. I have provided an example action and sensor for the VirusTotal API on my GitHub.

How to Setup StackStorm

StackStorm is simple to startup and start working with. In this example I will be explaining how to set up a StackStorm instance running in Vagrant and how to create both an action and a sensor. Due to StackStorm’s open-source nature I first recommend that you join their Slack as several of the developers are around to help with any issues you may run into or if you have a question on the best way to implement an action or a sensor with a specific API. To get access to the slack please visit this link. StackStorm is easy to install and run on a Vagrant box by using the following four commands [2]:

Once the box is setup run ipconfig to find your IP then visit that IP with your internet browser. It may pop up that this site is unsafe if that is the case just type “this site is unsafe” and it will take you to the StackStorm UI. The default credentials are Username= st2admin and Password = Ch@ngeMe to login as the admin. You can now start developing actions and sensors to use in your StackStorm instance.

What are Actions

            Actions in StackStorm are used to do quick API calls by just passing a few variables and clicking run. This can be used for automation in Workflows that will be mentioned later in this article. Most of the time actions are used for quick informative API calls such as returning lists of objects and status updates for systems. Actions are very simple to create and just require a python file and a YAML file. The StackStorm docs have a good explanation of the steps to create an action and how to get it running on your Vagrant box [3]. Actions can also be triggered by a rule when it meets the certain requirement specified by the rule. This allows you to combine sensors and actions to run together.

What are Sensors

            Sensors are very versatile. There are two main types of sensors in StackStorm: normal sensors and polling sensors. Normal sensors are triggered by rules that launch the sensor. This allows you to have actions or polling sensors that can trigger normal sensors. These just run once and return payloads to the UI with the information collected. Polling sensors are the more commonly used of the two. Most polling sensors run every two minutes and make various API calls that return payloads that show up in the UI. Polling sensors are great to use for incident response as they can autonomously check if new logs were added or if a security tool has caught any alerts. It is helpful to also use Kafka with StackStorm to save the payloads that are received so they can be used to deescalate security breaches. Sensors require a python file with the main code to do the API calls and a YAML file to specify the triggers. The StackStorm docs have a good explanation of the steps to create both types of sensors [4].

What are Workflows

            Workflows are used to create automation. They can be used to connect various actions and sensors together to complete a workflow process. In incident response this can be used to go from first detection to collection to notification to automate the remediation process. StackStorm makes it very easy to create these workflows as you can drag and drop various actions and sensors in the UI, and it will connect them to flow from one to the next. Workflows can also be run like actions by either manually running them or having them triggered by a rule. StackStorm uses Orquesta workflows and the StackStorm docs provide instructions on how to build a workflow [5].

Why You Should Try Using StackStorm

            StackStorm makes making API wrappers super simple and the learning curve to using it is not very challenging. I would recommend that anyone that uses API calls regularly or use a lot of cron jobs should try using StackStorm to have a more condense environment to work in. The open-source nature of StackStorm means that is constantly updating and becoming better and if there is an aspect of it you don’t like you can change it. The community around StackStorm is very welcoming and I have truly enjoyed working with them for the last few years. The StackStorm GitHub also contains several already written actions and sensors for various security products that I encourage you to all try playing with [6]. With the growing interest of automation in the security field I believe that StackStorm is a great resource to use in any company for automation purposes.







Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s