This project demonstrates a complete, closed-loop Security Orchestration, Automation, and Response (SOAR) pipeline. It uses Terraform to provision a vulnerable AWS environment, Splunk to detect a simulated web shell attack, and a custom Python webhook to automatically block the attacker's IP address at the network layer (AWS NACL).
- IaC: Terraform
- Cloud: AWS (EC2, VPC, S3, NACL)
- SIEM: Splunk Enterprise
- Automation: Python (Flask, Boto3), systemd
- Attack: An attacker uploads a malicious PHP web shell to the EC2 web server.
- Logging: The vulnerable application writes a `Successful_Upload` event to `/var/log/vulnapp.log`.
- Log Sync: A cron job on the EC2 instance syncs the log file to an AWS S3 bucket every minute.
- Ingestion: The Splunk Add-on for AWS ingests the log data from the S3 bucket.
- Detection: A scheduled Splunk alert runs every minute, searching for the `Successful_Upload` event from attackers not already on a blocklist.
- Action (Webhook): If a new attacker is found, the alert sends a webhook notification to a custom Python Flask service.
- Response (Block): The Flask service uses Boto3 to add a `DENY` rule for the attacker's IP to the AWS Network ACL with a high-priority rule number.
- State Management: The alert adds the newly blocked IP to a `blocked_ips.csv` lookup file to prevent re-triggering.
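The webhook-to-NACL step above, as an added illustration (this is not the project's own Flask service): a Splunk webhook alert action posts JSON whose `result` object carries the fields of the triggering event; the field name `src_ip`, the `NACL_ID` placeholder, the `?token=` shared secret in the alert URL and the `NEVER_BLOCK` internal ranges are all assumptions made here. The pure helpers pick the lowest free rule number (NACLs evaluate entries in ascending order, so a low-numbered DENY wins over the default ALLOW at 100), build the `create_network_acl_entry` arguments with the correct CIDR key for IPv4 or IPv6, and skip the API call when the address is already denied. `FakeEC2` is an in-memory stand-in for the boto3 client so the flow runs offline; the Flask app and boto3 imports are local to `create_app` so the helpers remain usable without either library installed.

```python
"""Added example: Splunk alert -> NACL DENY webhook (illustrative, not the project's code)."""
import ipaddress
import os

# Assumed/placeholder configuration, not taken from the project.
NACL_ID = os.environ.get("NACL_ID", "acl-PLACEHOLDER")        # target Network ACL
WEBHOOK_TOKEN = os.environ.get("WEBHOOK_TOKEN", "change-me")   # shared secret in the alert URL
RULE_RANGE = range(1, 100)    # low numbers evaluate first, so a DENY here beats the ALLOW at 100
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (              # assumed internal/admin ranges
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def extract_attacker_ip(payload):
    """Return the attacker address from a Splunk webhook alert body.
    Splunk posts the triggering event's fields under "result"; src_ip is an
    assumption about how the detection search names the client address."""
    result = payload.get("result") or {}
    raw = result.get("src_ip") or result.get("clientip")
    if not raw:
        raise ValueError("alert payload carries no src_ip/clientip field")
    addr = ipaddress.ip_address(str(raw).strip())    # raises ValueError on junk input
    if any(addr in net for net in NEVER_BLOCK):
        raise ValueError(f"refusing to block internal address {addr}")
    return addr


def next_rule_number(used_numbers):
    """Lowest unused rule number in RULE_RANGE (NACL rules are evaluated ascending)."""
    used = set(used_numbers)
    for n in RULE_RANGE:
        if n not in used:
            return n
    raise RuntimeError("no free NACL rule number left in the reserved range")


def deny_entry_params(acl_id, addr, rule_number):
    """Keyword arguments for boto3 EC2 create_network_acl_entry: inbound, all protocols."""
    cidr_key = "CidrBlock" if addr.version == 4 else "Ipv6CidrBlock"
    return {"NetworkAclId": acl_id, "RuleNumber": rule_number, "Protocol": "-1",
            "RuleAction": "deny", "Egress": False,
            cidr_key: f"{addr}/{addr.max_prefixlen}"}       # /32 or /128 host route


def block_ip(ec2, acl_id, addr):
    """Add an inbound DENY for addr; returns the rule number used.
    Idempotent: an existing DENY for the same host is reused, not duplicated."""
    acl = ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]
    ingress = [e for e in acl["Entries"] if not e["Egress"]]
    cidr = f"{addr}/{addr.max_prefixlen}"
    for e in ingress:
        if cidr in (e.get("CidrBlock"), e.get("Ipv6CidrBlock")) and e["RuleAction"] == "deny":
            return e["RuleNumber"]
    rule = next_rule_number(e["RuleNumber"] for e in ingress)
    ec2.create_network_acl_entry(**deny_entry_params(acl_id, addr, rule))
    return rule


class FakeEC2:
    """In-memory stand-in for boto3's EC2 client so the flow runs offline. Seeded with
    what a default NACL shows: ALLOW-all at 100 and the undeletable DENY-all at 32767."""
    def __init__(self):
        self.entries = [
            {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
            {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        ]

    def describe_network_acls(self, NetworkAclIds):
        return {"NetworkAcls": [{"NetworkAclId": NetworkAclIds[0], "Entries": list(self.entries)}]}

    def create_network_acl_entry(self, **params):
        self.entries.append({k: v for k, v in params.items() if k != "NetworkAclId"})
        return {}


def create_app(ec2=None):
    """Flask app exposing POST /splunk-webhook?token=<secret>. Imports are local so the
    helpers above work without Flask or boto3; pass ec2=FakeEC2() for a dry run."""
    from flask import Flask, jsonify, request
    app = Flask(__name__)
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")

    @app.post("/splunk-webhook")
    def webhook():
        if request.args.get("token") != WEBHOOK_TOKEN:
            return jsonify(error="unauthorized"), 401
        try:
            addr = extract_attacker_ip(request.get_json(force=True, silent=True) or {})
        except ValueError as exc:
            return jsonify(error=str(exc)), 400
        rule = block_ip(ec2, NACL_ID, addr)
        return jsonify(blocked=str(addr), rule_number=rule)
    return app


if __name__ == "__main__":
    # Offline demonstration with the fake client and a constructed alert body.
    fake = FakeEC2()
    sample_alert = {"search_name": "Web shell upload", "result": {"src_ip": "203.0.113.7"}}
    ip = extract_attacker_ip(sample_alert)
    print("blocked", ip, "with rule", block_ip(fake, NACL_ID, ip))   # rule 1
    print("re-run reuses rule", block_ip(fake, NACL_ID, ip))          # still 1
```

Two operational caveats worth keeping in mind with this design: a NACL has a default quota of 20 entries per direction, so a busy blocklist needs pruning or aggregation into wider CIDRs, and the `NEVER_BLOCK` list should include the VPC CIDR and any bastion or administrative ranges so a spoofed or mis-parsed alert cannot lock out legitimate traffic.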
Full setup instructions for the Terraform infrastructure, the EC2 web server, Splunk configuration, and the automation service are detailed within the respective directories.
To destroy all cloud resources, navigate to the `terraform` directory and run `terraform destroy`.