Attivo Botsink

Use the Attivo BOTsink integration to pull Attivo events into Demisto to initiate investigations, manage deception environments, and to deploy decoy systems.

This integration was tested with Attivo BOTsink v4.1.1 and v4.1.3.

Use Cases

  • Determine if an artifact is part of the deception environment
  • Dynamically deploy decoy systems
  • Search for events related to a specific attacker

Configure Attivo Botsink on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Attivo Botsink.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Botsink name or address
    • BOTsink API credentials
    • SSL Verification toggle
    • Minimum severity when fetching events (Very High, High, Medium)
    • Fetch incidents toggle
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data

The Attivo BOTsink plugin for Demisto can optionally pull Attivo events into Demisto to initiate investigations. The fetch_severity parameter specifies the lowest severity of event to pull (Very High, High, or Medium).

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Verify if a user is part of a deception environment: attivo-check-user
  2. Verify if a host is part of the deception environment: attivo-check-host
  3. Run a playbook configured on Attivo BOTsink: attivo-run-playbook
  4. Deploy a decoy system on a subnet: attivo-deploy-decoy
  5. Get events for an attacker IP address: attivo-get-events
  6. Get information for playbooks: attivo-list-playbooks
  7. Get information for network decoys: attivo-list-hosts
  8. Get a list of all deceptive users: attivo-list-users

1. Verify if a user is part of a deception environment

Checks whether a user is part of the deceptive environment.

Base Command

attivo-check-user

Input

| Argument Name | Description      | Required |
|---------------|------------------|----------|
| user          | User to validate | Required |

Context Output

| Path                   | Type    | Description                                                                   |
|------------------------|---------|-------------------------------------------------------------------------------|
| Attivo.User.IsDeceptive | boolean | Is the user part of the Deception environment                                |
| Attivo.User.Groups     | unknown | If the user is part of the Deception environment, the groups the user belongs to |

Command Example
!attivo-check-user user="a-user-l-ftp-0"
Context Example
{
    "Attivo": {
        "User": {
            "IsDeceptive": true, 
            "Groups": [
                "a-user-l-ftp"
            ], 
            "Name": "a-user-l-ftp-0"
        }
    }
}

2. Verify if a host is part of a deception environment

Checks whether a host is part of the deception environment.

Base Command

attivo-check-host

Input

| Argument Name | Description                          | Required |
|---------------|--------------------------------------|----------|
| host          | Host name or IP address to validate  | Required |

Command Example
!attivo-check-host host="linuxserver"
Context Example
{
    "Attivo": {
        "Host": {
            "IsDeceptive": true, 
            "HostInfo": {
                "name": [
                    "linuxserver"
                ], 
                "ip": "162.236.53.68", 
                "vlan": null, 
                "user_defined": true, 
                "mac": "52:54:00:9f:65:76", 
                "dhcp": false
            }
        }
    }
}

3. Run a playbook configured on Attivo BOTsink

Runs a pre-built Attivo playbook on the BOTsink appliance.

Base Command

attivo-run-playbook

Input

| Argument Name | Description                   | Required |
|---------------|-------------------------------|----------|
| playbook_name | Name of the prebuilt playbook | Required |
| attacker_ip   | Malicious source IP           | Required |

Context Output

| Path                    | Type    | Description                 |
|-------------------------|---------|-----------------------------|
| Attivo.Playbook.Status  | boolean | Was the playbook successful |
| Attivo.Playbook.Message | string  | Complete status message     |

Command Example
!attivo-run-playbook attacker_ip=172.16.2.20 playbook_name="Endpoint Forensics"

4. Deploy a decoy system on a subnet

Deploys one or more new network decoys on the subnet of the given IP address.

Base Command

attivo-deploy-decoy

Input

| Argument Name | Description                                   | Required |
|---------------|-----------------------------------------------|----------|
| vulnerable_ip | Used to determine which subnet to deploy to   | Required |
| decoy_number  | The number of decoys to deploy                | Optional |

Context Output

| Path                       | Type    | Description                                  |
|----------------------------|---------|----------------------------------------------|
| Attivo.DeployDecoy.Status  | boolean | Was the network decoy successfully deployed  |
| Attivo.DeployDecoy.Message | string  | Complete status message                      |

Command Example
!attivo-deploy-decoy vulnerable_ip=172.16.40.55
Human Readable Output

1 new Attivo decoy(s) deployed on the subnet with 172.16.40.55

5. Get events for an attacker IP address

Retrieves events for a specific source IP.

Base Command

attivo-get-events

Input

| Argument Name     | Description                                                                                                                                   | Required |
|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|----------|
| attacker_ip       | Source IP address                                                                                                                             | Required |
| severity          | The minimum Attivo severity of the events to return; one of "VeryHigh", "High", "Medium", "Low", "VeryLow", "SystemActivity". Default is "Medium". | Optional |
| alerts_start_date | Date and time to start looking for events. For example: 2018-12-10 or 2018-12-10T13:59:05Z                                                    | Optional |
| alerts_end_date   | Date and time to stop looking for events. For example: 2018-12-10 or 2018-12-10T13:59:05Z                                                     | Optional |

Context Output

| Path                              | Type    | Description                       |
|-----------------------------------|---------|-----------------------------------|
| Attivo.Events.Count               | number  | Total number of events retrieved  |
| Attivo.Events.List.AttackName     | unknown | Short name of the attack          |
| Attivo.Events.List.AttackPhase    | string  | Kill chain phase of the attack    |
| Attivo.Events.List.Server         | string  | Internal name of the target decoy |
| Attivo.Events.List.Target         | string  | Display name of the target decoy  |
| Attivo.Events.List.TargetOS       | string  | Operating system of the target decoy |
| Attivo.Events.List.Attacker       | string  | Attacker IP address               |
| Attivo.Events.List.Service        | string  | The attacked service              |
| Attivo.Events.List.Timestamp      | string  | Time of the attack                |
| Attivo.Events.List.TargetIP       | string  | IP address of the target decoy    |
| Attivo.Events.List.Severity       | string  | Attivo severity of the attack     |

Command Example
!attivo-get-events attacker_ip=CentOS70 alerts_start_date=2018-11-30T23:59:05Z alerts_end_date=2018-12-01T00:02:05Z
Context Example
{
    "Attivo": {
        "Events": {
            "Count": 2, 
            "List": [
                {
                    "geoip_src_latitude": null, 
                    "Severity": "Medium", 
                    "Service": "DNS SERVER", 
                    "VLAN": null, 
                    "AttackName": "DNS Response", 
                    "TargetIP": "SinkHole", 
                    "AttackPhase": "C&C", 
                    "TargetOS": "CentOS 7.0", 
                    "Timestamp": "2018-12-01T00:01:43.500Z", 
                    "geoip_dest_city_name": null, 
                    "geoip_dest_country_code2": null, 
                    "geoip_dest_country_code3": null, 
                    "Attacker": "CentOS70", 
                    "Device": "0", 
                    "geoip_src_country_code3": null, 
                    "geoip_src_country_code2": null, 
                    "Target": "SinkHole", 
                    "Server": "ZZZ-BServer01", 
                    "geoip_dest_latitude": null, 
                    "geoip_src_country_name": null, 
                    "geoip_src_longitude": null, 
                    "geoip_dest_country_name": null, 
                    "geoip_dest_longitude": null
                }, 
                {
                    "geoip_src_latitude": null, 
                    "Severity": "Medium", 
                    "Service": "DNS SERVER", 
                    "VLAN": null, 
                    "AttackName": "DNS Response", 
                    "TargetIP": "SinkHole", 
                    "AttackPhase": "C&C", 
                    "TargetOS": "CentOS 7.0", 
                    "Timestamp": "2018-12-01T00:01:38.500Z", 
                    "geoip_dest_city_name": null, 
                    "geoip_dest_country_code2": null, 
                    "geoip_dest_country_code3": null, 
                    "Attacker": "CentOS70", 
                    "Device": "0", 
                    "geoip_src_country_code3": null, 
                    "geoip_src_country_code2": null, 
                    "Target": "SinkHole", 
                    "Server": "ZZZ-BServer01", 
                    "geoip_dest_latitude": null, 
                    "geoip_src_country_name": null, 
                    "geoip_src_longitude": null, 
                    "geoip_dest_country_name": null, 
                    "geoip_dest_longitude": null
                }
            ]
        }
    }
}
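As an added example (not code from the Attivo integration itself), the following Python applies the severity threshold and the alerts_start_date/alerts_end_date window described for attivo-get-events (and the same lowest-severity cut-off that the fetch_severity setting uses) to events in the Attivo.Events.List shape shown in the context example, then summarises which decoys each source touched. The sample events are constructed, and the severity ordering assumes the list in the severity argument description runs from most to least severe.

```python
from datetime import datetime, timezone

# Attivo severity names as listed for the severity argument, assumed highest first.
SEVERITY_ORDER = ["VeryHigh", "High", "Medium", "Low", "VeryLow", "SystemActivity"]

def severity_rank(name):
    """Lower rank = more severe; the UI spelling 'Very High' is normalised to 'VeryHigh'."""
    return SEVERITY_ORDER.index(name.replace(" ", ""))

def parse_attivo_time(value):
    """Accept the two documented argument forms (2018-12-10 or 2018-12-10T13:59:05Z)
    plus the fractional-second form that event Timestamps use; all treated as UTC."""
    value = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised Attivo timestamp: %r" % value)

def filter_events(events, min_severity="Medium", start=None, end=None):
    """Keep events at or above min_severity and inside the optional [start, end] window."""
    threshold = severity_rank(min_severity)
    lo, hi = (parse_attivo_time(t) if t else None for t in (start, end))
    kept = []
    for ev in events:
        if severity_rank(ev["Severity"]) > threshold:  # less severe than the cut-off
            continue
        ts = parse_attivo_time(ev["Timestamp"])
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        kept.append(ev)
    return kept

def summarise(events):
    """Map each attacker to the set of decoys (Target display names) it touched."""
    summary = {}
    for ev in events:
        summary.setdefault(ev["Attacker"], set()).add(ev["Target"])
    return summary

# Constructed sample in the Attivo.Events.List shape (fields trimmed to those used here).
SAMPLE_EVENTS = [
    {"Attacker": "CentOS70", "Severity": "Medium", "Target": "SinkHole", "Timestamp": "2018-12-01T00:01:43.500Z"},
    {"Attacker": "CentOS70", "Severity": "Low", "Target": "SinkHole", "Timestamp": "2018-12-01T00:01:38.500Z"},
    {"Attacker": "172.16.2.20", "Severity": "High", "Target": "linuxserver", "Timestamp": "2018-12-02T09:15:00Z"},
]
```

Because the integration already filters server-side, this is mostly useful when an automation needs to re-filter a cached Attivo.Events context or normalise the "Very High" spelling used in the instance settings.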

6. Get information for playbooks

Lists information about the playbooks configured on the Attivo device.

Base Command

attivo-list-playbooks

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

7. Get information for network decoys

Lists information about network decoys.

Base Command

attivo-list-hosts

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.


8. Get a list of all deceptive users

Lists all deceptive users.

Base Command

attivo-list-users

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.


Known Limitations

This integration works with the Attivo BOTsink. The attivo-deploy-decoy command can only be run against a physical BOTsink appliance.