IllusiveNetworks

Overview#


The Illusive Attack Management API allows customers to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more. This integration was integrated and tested with version 130 of IllusiveNetworks

Use Cases#

  • Automatically collect data and forensics from new incidents detected by Illusive
  • Enrich SOC data by retrieving a rich set of incident and forensics information, including: 1) host details and forensics from a potentially compromised host, 2) a forensics timeline, 3) forensics analysis, 4) additional data
  • Auto-analyze collected data and calculate incident severity to speed up SOC response times
  • Collect forensics from any compromised host and retrieve a forensics timeline
  • Retrieve detailed lists of approved and suggested deceptive servers and users
  • Approve, delete, and query deceptive entities
  • Manage deception policy assignments per host
  • Retrieve attack surface insights for Crown Jewels and specific hosts

Configure IllusiveNetworks on Demisto#


Illusive Console#

  1. Open the Illusive Management console, navigate to Settings > General, and locate the API KEYS section. Generate a new API key and copy the token at the end of the process. The page's instructions grant the key all permissions; since the same key authorizes changes to deceptive entities and policies as well as read-only queries, restrict it to the operations your playbooks actually use where your console allows it, and store it only in the instance's API Token field.

Demisto Console#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for IllusiveNetworks.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| api_token | API Token | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure). Disables TLS certificate verification of the Illusive console; leave it off and trust the console's CA instead. | False |
| proxy | Use system proxy settings | False |
| fetch_time | The initial time to fetch from | False |
| has_forensics | Fetch only incidents with forensics | True |

  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data#


```json
{
  "sourceIp": "10.90.10.25",
  "sourceOperatingSystem": null,
  "policyName": null,
  "incidentTypes": ["DECEPTION"],
  "riskInsights": {"stepsToDomainAdmin": null, "stepsToCrownJewel": null},
  "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"],
  "lastSeenUser": null,
  "closed": false,
  "unread": true,
  "flagged": false,
  "hasForensics": false,
  "incidentId": 32,
  "incidentTimeUTC": "2020-05-04T11:37:10.231Z",
  "sourceHostname": null,
  "userNotes": null
}
```
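The "auto-analyze collected data and calculate incident severity" use case works on exactly the fields shown above. The following is an added example (not code from the Illusive integration or from Palo Alto Networks) of a triage scorer over incidents in that shape; the weights, the thresholds and the second and third sample incidents are assumptions chosen for illustration, and only the field names come from the page.

```python
"""Triage scoring over incidents in the shape the integration fetches.

Added example, not code from the Illusive integration. The weights and the
score-to-severity thresholds are assumptions for illustration; the field names
match the fetched-incident JSON on the page.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample incidents. The first mirrors the page's JSON; the other
# two are invented to exercise the scoring paths.
SAMPLE_INCIDENTS: List[Dict[str, Any]] = [
    {
        "sourceIp": "10.90.10.25", "sourceOperatingSystem": None, "policyName": None,
        "incidentTypes": ["DECEPTION"],
        "riskInsights": {"stepsToDomainAdmin": None, "stepsToCrownJewel": None},
        "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"], "lastSeenUser": None,
        "closed": False, "unread": True, "flagged": False, "hasForensics": False,
        "incidentId": 32, "incidentTimeUTC": "2020-05-04T11:37:10.231Z",
        "sourceHostname": None, "userNotes": None,
    },
    {
        "sourceIp": "10.90.10.77", "sourceOperatingSystem": "Windows Server 2016",
        "policyName": "Full Protection", "incidentTypes": ["DECEPTION"],
        "riskInsights": {"stepsToDomainAdmin": 1, "stepsToCrownJewel": 2},
        "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"], "lastSeenUser": None,
        "closed": False, "unread": True, "flagged": True, "hasForensics": True,
        "incidentId": 33, "incidentTimeUTC": "2020-05-04T12:01:44.002Z",
        "sourceHostname": "srv-db01", "userNotes": None,
    },
    {
        "sourceIp": "10.90.10.90", "sourceOperatingSystem": "Windows 10",
        "policyName": "Full Protection", "incidentTypes": ["DECEPTION"],
        "riskInsights": {"stepsToDomainAdmin": 0, "stepsToCrownJewel": 0},
        "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"], "lastSeenUser": "analyst1",
        "closed": True, "unread": False, "flagged": False, "hasForensics": True,
        "incidentId": 34, "incidentTimeUTC": "2020-05-03T08:15:00.000Z",
        "sourceHostname": "ws-042", "userNotes": "false positive, closed",
    },
]


def _proximity_bonus(steps: Optional[int], max_bonus: int, per_step: int) -> int:
    """Fewer lateral-movement steps to a high-value target scores higher.

    None means Illusive has no path data for the host, which scores nothing.
    """
    if steps is None:
        return 0
    return max(0, max_bonus - per_step * steps)


def score_incident(inc: Dict[str, Any]) -> int:
    """Return a 0-100 risk score; closed incidents score 0 so they are not re-escalated."""
    if inc.get("closed"):
        return 0
    score = 10                                   # any deception trip deserves a look
    if inc.get("hasForensics"):
        score += 20                              # host evidence is available to analyze
    if inc.get("flagged"):
        score += 10                              # an analyst already marked it
    risk = inc.get("riskInsights") or {}         # may be absent or null
    score += _proximity_bonus(risk.get("stepsToDomainAdmin"), 30, 10)
    score += _proximity_bonus(risk.get("stepsToCrownJewel"), 20, 5)
    return min(score, 100)


def to_xsoar_severity(score: int) -> int:
    """Map a score onto the XSOAR severity scale (0 unknown, 1 low .. 4 critical)."""
    if score == 0:
        return 0
    if score >= 70:
        return 4
    if score >= 50:
        return 3
    if score >= 30:
        return 2
    return 1


def triage(incidents: List[Dict[str, Any]]) -> List[Tuple[int, int, int]]:
    """Return (incidentId, score, severity) tuples, highest risk first."""
    rows = []
    for inc in incidents:
        s = score_incident(inc)
        rows.append((inc["incidentId"], s, to_xsoar_severity(s)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for incident_id, score, severity in triage(SAMPLE_INCIDENTS):
        print(f"incident {incident_id}: score={score} severity={severity}")
```

In a playbook the score would feed the incident's severity field; the closed-incident short circuit matters because a fetch window that overlaps already-closed incidents would otherwise re-escalate them.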

Commands#


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. illusive-get-forensics-timeline
  2. illusive-get-asm-host-insight
  3. illusive-get-asm-cj-insight
  4. illusive-get-deceptive-users
  5. illusive-get-deceptive-servers
  6. illusive-is-deceptive-user
  7. illusive-is-deceptive-server
  8. illusive-add-deceptive-users
  9. illusive-add-deceptive-servers
  10. illusive-delete-deceptive-users
  11. illusive-delete-deceptive-servers
  12. illusive-assign-host-to-policy
  13. illusive-remove-host-from-policy
  14. illusive-run-forensics-on-demand
  15. illusive-get-incidents
  16. illusive-get-event-incident-id
  17. illusive-get-incident-events
  18. illusive-get-forensics-analyzers
  19. illusive-get-forensics-triggering-process-info
  20. illusive-get-forensics-artifacts

illusive-get-forensics-timeline#


Retrieve forensics timeline for a specific incident

Base Command#

illusive-get-forensics-timeline

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The desired incident ID | Required |
| start_date | The starting date of the forensics timeline (absolute, or relative such as "10 days") | Optional |
| end_date | The last date of the forensics timeline (absolute, or relative such as "3 hours") | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Forensics.Evidence.details | String | The forensics evidence details |
| Illusive.Forensics.Evidence.eventId | String | The event ID |
| Illusive.Forensics.Evidence.id | String | The forensics evidence ID |
| Illusive.Forensics.Evidence.source | String | The evidence source |
| Illusive.Forensics.Evidence.starred | Boolean | Whether the forensics evidence has been starred |
| Illusive.Forensics.Evidence.time | Date | Date and time of the forensics evidence |
| Illusive.Forensics.Evidence.title | String | The forensics evidence description |
| Illusive.Forensics.Evidence.date | Date | The forensics evidence date |
| Illusive.Forensics.IncidentId | String | The incident ID |
| Illusive.Forensics.Status | String | The process progress (Done, InProgress) |

Command Example#

!illusive-get-forensics-timeline incident_id=80 start_date="10 days" end_date="3 hours"

Human Readable Output#

The single evidence row returned, shown field by field:

| Field | Value |
| --- | --- |
| date | 2020-06-29 09:16:17.480 |
| eventId | 4 |
| id | d59f0b0a-4a66-40d0-9565-563adc7534f1 |
| source | MANAGEMENT |
| starred | false |
| time | 1593422177480 |
| title | WEB login attempt with the username dgffg to the deceptive URL 172.27.102.6/ |
| type | EVENT |

The `details` field of that row, expanded (the captured HTTP request, including the Digest Authorization header the attacker sent to the decoy, is part of the evidence):

```text
id: 4
date: 2020-06-29 09:16:17.480
type: LOGIN
sourceIP: 172.27.102.12
trap: hr
injectedUserName: dgffg
injectedPassword: **
destinationIpAddress: 172.27.102.6
serviceType: WEB
data: Is Successful Login: false,
  Accept-language: en-US,en;q=0.9,
  Web Protocol: HTTP,
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9,
  Web Host: 172.27.102.6,
  Web Url: /,
  Authorization: Digest username="dgffg", realm="Domain Name", nonce="1593422172658:ad3f7cc0c86b52747fba1d68583c3827", uri="/", response="9f5d4174395c7d09460fc88e454713aa", opaque="9AC5ADA4A6317F9FB4F2B1211D8A7EFE", qop=auth, nc=00000002, cnonce="b000143183c56904",
  Web Body: ,
  Web Method: GET,
  Upgrade-insecure-requests: 1,
  Web User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,
  Connection: keep-alive,
  Cache-control: max-age=0,
  Accept-encoding: gzip, deflate
hasForensics: No
title: WEB login attempt with the username dgffg to the deceptive URL 172.27.102.6/
```

illusive-get-asm-host-insight#


Retrieve the specified host insights from Attack Surface Manager

Base Command#

illusive-get-asm-host-insight

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostnameOrIp | The hostname or IP address of the desired host | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.AttackSurfaceInsightsHost.DomainName | String | The host domain |
| Illusive.AttackSurfaceInsightsHost.HostName | String | The host hostname |
| Illusive.AttackSurfaceInsightsHost.HostType | String | The host type (Server, Workstation, Other) |
| Illusive.AttackSurfaceInsightsHost.IpAddresses | String | The host IP addresses |
| Illusive.AttackSurfaceInsightsHost.OperatingSystemName | String | The host operating system name |
| Illusive.AttackSurfaceInsightsHost.OperatingSystemVersion | String | The host operating system version |
| Illusive.AttackSurfaceInsightsHost.OrganizationalUnit | String | The host Active Directory Organizational Unit |
| Illusive.AttackSurfaceInsightsHost.SourceConnectivityExposure | Number | The host's Source Connectivity Exposure to crown jewels and domain user credentials |

Command Example#

!illusive-get-asm-host-insight hostnameOrIp=172.27.139.12

Human Readable Output#

Illusive ASM Host Insights#

| domainName | hostName | hostType | ipAddresses | operatingSystemName | operatingSystemVersion | organizationalUnit | sourceConnectivityExposure |
| --- | --- | --- | --- | --- | --- | --- | --- |
| illusive.com | win5.illusive.com | Workstation | 172.27.139.12,::1,fe80::ffff:ffff:fffe,fe80::2d2d:5763:8c1a:7b9 | Windows 10 | | clients | 0.0 |

illusive-get-asm-cj-insight#


Retrieve Crown-Jewels insights from Attack Surface Manager

Base Command#

illusive-get-asm-cj-insight

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.AttackSurfaceInsightsCrownJewel.data | Unknown | The number of connections to this Crown Jewel per service type |
| Illusive.AttackSurfaceInsightsCrownJewel.hostname | String | The crown jewel hostname |
| Illusive.AttackSurfaceInsightsCrownJewel.machineTagAndSubTags.tag | String | The crown jewel category (one entry per category/subcategory coupling) |
| Illusive.AttackSurfaceInsightsCrownJewel.machineTagAndSubTags.subTag | String | The crown jewel subcategory for the same coupling |
| Illusive.AttackSurfaceInsightsCrownJewel.targetExposureRank | Number | The crown jewel target exposure |

Command Example#

!illusive-get-asm-cj-insight

Human Readable Output#

Illusive ASM Crown Jewels Insights#

| data | hostname | machineTagAndSubTags | targetExposureRank |
| --- | --- | --- | --- |
| {'key': 'RDP', 'value': 1} | 172.27.139.12 | {'tag': 'Mainframe', 'subTag': 'MAINFRAME'} | 0.0 |

illusive-get-deceptive-users#


Retrieve a list of all deceptive users

Base Command#

illusive-get-deceptive-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The status of the desired deceptive users (APPROVED, SUGGESTED, ALL) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.DeceptiveUser.userName | String | The deceptive user name |
| Illusive.DeceptiveUser.domainName | String | The deceptive user domain |
| Illusive.DeceptiveUser.policyNames | Unknown | The deception policies the deceptive user is assigned to |
| Illusive.DeceptiveUser.password | String | The deceptive user password. This is the decoy credential in clear text; it lands in the incident context and War Room, so anyone with read access there can tell which credentials are decoys. |
| Illusive.DeceptiveUser.deceptiveState | String | The deceptive user state (APPROVED, SUGGESTED) |
| Illusive.DeceptiveUser.adUser | Boolean | Whether the deceptive user is a genuine user in Active Directory |
| Illusive.DeceptiveUser.activeUser | Boolean | If the deceptive user is a real AD user, whether that account is active |

Command Example#

!illusive-get-deceptive-users type=APPROVED

Human Readable Output#

Illusive Deceptive Users#

| activeUser | adUser | deceptiveState | domainName | password | policyNames | username |
| --- | --- | --- | --- | --- | --- | --- |
| false | false | APPROVED | illusive.com | Password | Full Protection | user1 |
| false | false | APPROVED | illusive.com | Password | Full Protection | user2 |

illusive-get-deceptive-servers#


Retrieve a list of all deceptive servers

Base Command#

illusive-get-deceptive-servers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The status of the desired deceptive servers (APPROVED, SUGGESTED, ALL) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.DeceptiveServer.host | String | The deceptive server hostname |
| Illusive.DeceptiveServer.policyNames | String | The deception policies the deceptive server is assigned to |
| Illusive.DeceptiveServer.adHost | Boolean | Whether the deceptive server is a genuine machine in Active Directory |
| Illusive.DeceptiveServer.deceptiveState | String | The deceptive server state (APPROVED, SUGGESTED) |
| Illusive.DeceptiveServer.serviceTypes | String | The deception services the deceptive server is assigned to |
Command Example#

!illusive-get-deceptive-servers type=APPROVED

Human Readable Output#

Illusive Deceptive Servers#

| adHost | deceptiveState | host | policyNames | serviceTypes |
| --- | --- | --- | --- | --- |
| false | APPROVED | server1.illusive.com | adiPo, Full Protection | SHARE, DB |
| false | APPROVED | server2.illusive.com | Full Protection | WEB, DB |
| false | APPROVED | server3.illusive.com | adiPo, Full Protection | FTP, SHARE, DB |

illusive-is-deceptive-user#


Retrieve whether a specified user is deceptive

Base Command#

illusive-is-deceptive-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to be verified | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.IsDeceptive.Username | String | The checked username |
| Illusive.IsDeceptive.IsDeceptiveUser | Boolean | Whether the specified user is a deceptive user |

Command Example#

!illusive-is-deceptive-user username=user1

Human Readable Output#

Illusive Is Deceptive#

| IsDeceptiveUser | Username |
| --- | --- |
| true | user1 |

illusive-is-deceptive-server#


Retrieve whether a specified server is deceptive

Base Command#

illusive-is-deceptive-server

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The server hostname to be verified | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.IsDeceptive.IsDeceptiveServer | Boolean | Whether the specified server is a deceptive server |
| Illusive.IsDeceptive.Hostname | String | The checked server hostname |

Command Example#

!illusive-is-deceptive-server hostname=server5.illusive.com

Human Readable Output#

Illusive Is Deceptive#

| Hostname | IsDeceptiveServer |
| --- | --- |
| server5.illusive.com | false |

illusive-add-deceptive-users#


Add or approve deceptive users

Base Command#

illusive-add-deceptive-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_name | The deceptive user domain | Required |
| password | The deceptive user password | Required |
| policy_names | The deception policies to be assigned to the new deceptive user | Optional |
| username | The deceptive user name | Required |

Context Output#

There is no context output for this command.

Command Example#

!illusive-add-deceptive-users domain_name=illusive.com password=pass username=user3

Human Readable Output#

Illusive Add Deceptive User Succeeded#

| domainName | password | policyNames | userName |
| --- | --- | --- | --- |
| illusive.com | pass | All Policies | user3 |

illusive-add-deceptive-servers#


Add or approve deceptive servers

Base Command#

illusive-add-deceptive-servers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| host | The deceptive server hostname | Required |
| policy_names | The deception policies to be assigned to the new deceptive server | Optional |
| service_types | The deception services to be assigned to the new deceptive server | Required |

Context Output#

There is no context output for this command.

Command Example#

!Set key="serviceTypes" value="FTP"

!Set key="serviceTypes" value="SSH" append=true

!illusive-add-deceptive-servers host=server4.illusive.com service_types=${serviceTypes}

Human Readable Output#

Illusive Add Deceptive Server Succeeded#

| host | policyNames | serviceTypes |
| --- | --- | --- |
| server4.illusive.com | All Policies | FTP, SSH |

illusive-delete-deceptive-users#


Delete deceptive users

Base Command#

illusive-delete-deceptive-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| deceptive_users | The list of deceptive users to delete | Required |

Context Output#

There is no context output for this command.

Command Example#

!illusive-delete-deceptive-users deceptive_users=user3

Human Readable Output#

Deceptive User ['user3'] was successfully Deleted#

illusive-delete-deceptive-servers#


Delete deceptive servers

Base Command#

illusive-delete-deceptive-servers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| deceptive_hosts | The list of deceptive servers to delete | Required |

Context Output#

There is no context output for this command.

Command Example#

!Set key="servers" value="server5.illusive.com"

!Set key="servers" value="server1.illusive.com" append=true

!illusive-delete-deceptive-servers deceptive_hosts=${servers}

Human Readable Output#

Deceptive Servers ['server5.illusive.com', 'server1.illusive.com'] were successfully Deleted#

illusive-assign-host-to-policy#


Assign a deception policy to domain hosts

Base Command#

illusive-assign-host-to-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_name | Policy name to assign | Required |
| hosts | List of hosts to assign, in the following format: machine@domain. Maximum number of hosts is 1000. | Required |

Context Output#

There is no context output for this command.

Command Example#

!illusive-assign-host-to-policy hosts=WIN7@illusive.com policy_name="Full Protection"

Human Readable Output#

Illusive Assign Machines to Policy Succeeded#

| hosts | isAssigned | policy_name |
| --- | --- | --- |
| WIN7@illusive.com | true | Full Protection |

illusive-remove-host-from-policy#


Remove deception policy assignment from domain hosts

Base Command#

illusive-remove-host-from-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hosts | List of hosts to remove policy assignment from, in the following format: machine@domain. Maximum number of hosts is 1000. | Required |

Context Output#

There is no context output for this command.

Command Example#

!illusive-remove-host-from-policy hosts=WIN7@illusive.com

Human Readable Output#

Illusive Remove Machines from All Policies Succeeded#

| hosts | isAssigned | policy_name |
| --- | --- | --- |
| WIN7@illusive.com | false | |
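Both illusive-assign-host-to-policy and illusive-remove-host-from-policy take the same hosts list (machine@domain, at most 1000 per call). The following is an added example (not code from the integration) of validating that format and splitting a large inventory into calls the commands will accept; the regular expression, the case normalisation, and the comma-joined argument form are assumptions of this example, and only the format and the 1000-host ceiling come from the page.

```python
"""Validate and batch the hosts argument for the policy assignment commands.

Added example, not the integration's code. The machine@domain format and the
1000-host ceiling come from this page; the rest is an assumption.
"""
import re
from typing import Dict, Iterable, List

MAX_HOSTS_PER_CALL = 1000

# machine@domain: one DNS-style label for the machine, then a dotted domain.
# Assumed shape; Illusive's own validation rules are not documented on the page.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    rf"^(?P<machine>{_LABEL})@(?P<domain>(?:{_LABEL}\.)+[A-Za-z]{{2,63}})$"
)


def validate_host(host: str) -> str:
    """Return the host normalised to lower case, or raise ValueError."""
    candidate = host.strip()
    if not _HOST_RE.match(candidate):
        raise ValueError(f"not in machine@domain form: {host!r}")
    return candidate.lower()


def host_batches(hosts: Iterable[str],
                 batch_size: int = MAX_HOSTS_PER_CALL) -> List[List[str]]:
    """Dedupe, validate and split hosts into lists of at most batch_size.

    A single malformed entry raises before anything is sent, so a playbook
    does not half-apply a policy change and then fail on a later batch.
    """
    if not 1 <= batch_size <= MAX_HOSTS_PER_CALL:
        raise ValueError(f"batch_size must be 1..{MAX_HOSTS_PER_CALL}")
    ordered: Dict[str, None] = {}            # dict preserves first-seen order
    for h in hosts:
        ordered.setdefault(validate_host(h), None)
    unique = list(ordered)
    return [unique[i:i + batch_size] for i in range(0, len(unique), batch_size)]


def to_command_arg(batch: List[str]) -> str:
    """Comma-joined form for a list argument in the XSOAR CLI (assumed convention)."""
    return ",".join(batch)


if __name__ == "__main__":
    inventory = [f"ws-{i:04d}@illusive.com" for i in range(2500)] + ["WIN7@illusive.com"]
    for n, batch in enumerate(host_batches(inventory), start=1):
        print(f"batch {n}: {len(batch)} hosts, first={batch[0]}")
```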

illusive-run-forensics-on-demand#


Collect forensics on a specified host and retrieve the forensics timeline

Base Command#

illusive-run-forensics-on-demand

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fqdn_or_ip | The host FQDN or IP address on which to collect forensics | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.eventId | Number | The event ID created for the operation |

Command Example#

!illusive-run-forensics-on-demand fqdn_or_ip=172.27.139.12

Human Readable Output#

Illusive Run Forensics On Demand#

| eventId |
| --- |
| 123 |

illusive-get-incidents#


Retrieve incidents

Base Command#

illusive-get-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The desired incident ID to retrieve. If specified, the other arguments are ignored and only a single incident is retrieved. | Optional |
| hostnames | The list of hostnames for which to retrieve incidents | Optional |
| has_forensics | Whether to retrieve incidents with forensics only | Optional |
| limit | Use offset and limit for pagination. The maximum limit is 100. | Optional |
| offset | Use offset and limit for pagination. | Optional |
| start_date | Start date | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Incident.closed | Boolean | Whether the incident has been closed |
| Illusive.Incident.deceptionFamilies | String | The deception families of the deceptions used to trigger the incident |
| Illusive.Incident.flagged | Boolean | Whether the incident has been flagged |
| Illusive.Incident.hasForensics | Boolean | Whether the incident has forensics |
| Illusive.Incident.incidentId | Number | The incident ID |
| Illusive.Incident.incidentTimeUTC | Date | Date and time of the incident |
| Illusive.Incident.incidentTypes | Unknown | Type of events detected |
| Illusive.Incident.lastSeenUser | String | The user who last reviewed the incident |
| Illusive.Incident.policyName | String | The compromised host's policy |
| Illusive.Incident.riskInsights.stepsToCrownJewel | Number | The compromised host's lateral distance from Crown Jewels |
| Illusive.Incident.riskInsights.stepsToDomainAdmin | Number | The compromised host's lateral distance from domain admin accounts |
| Illusive.Incident.sourceHostname | String | The compromised host's name |
| Illusive.Incident.sourceIp | String | The compromised host's IP address |
| Illusive.Incident.sourceOperatingSystem | String | The compromised host's operating system |
| Illusive.Incident.unread | Boolean | Whether the incident is still unread |
| Illusive.Incident.userNotes | String | The analyst's comments |

Command Example#

!illusive-get-incidents incident_id=28

Human Readable Output#

Illusive Incidents#

| closed | deceptionFamilies | flagged | hasForensics | incidentId | incidentTimeUTC | incidentTypes | lastSeenUser | policyName | riskInsights | sourceHostname | sourceIp | sourceOperatingSystem | unread | userNotes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | FAMILY_TYPE_BROWSERS | false | false | 28 | 2020-04-20T06:44:33.207Z | DECEPTION | | | stepsToDomainAdmin: null<br>stepsToCrownJewel: null | | 172.27.139.14 | | false | |
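Without incident_id, illusive-get-incidents is windowed by limit (at most 100) and offset, so pulling a full backlog means walking the window. The following is an added example (not the integration's code) of that walk; `fetch_page` is an assumed callable standing in for the command or the underlying REST call, taking the command's arguments by name and returning one page as a list of incident dicts, and `RecordingStub` is a constructed stand-in used to exercise it offline.

```python
"""Pull every incident through the limit/offset window of illusive-get-incidents.

Added example, not the integration's own code. `fetch_page` is an assumption:
it accepts the command's arguments by keyword and returns one page of incidents.
"""
from typing import Any, Callable, Dict, Iterator, List, Optional, Set

MAX_LIMIT = 100  # the page documents 100 as the maximum limit

FetchPage = Callable[..., List[Dict[str, Any]]]


def iter_incidents(fetch_page: FetchPage, *, hostnames: Optional[List[str]] = None,
                   has_forensics: bool = False, start_date: Optional[str] = None,
                   page_size: int = MAX_LIMIT) -> Iterator[Dict[str, Any]]:
    """Yield incidents page by page until a page comes back short.

    Offset paging is not stable while new incidents keep arriving between
    calls, so incidentId is tracked and a repeat is skipped rather than
    yielded twice. page_size is clamped to the documented maximum.
    """
    limit = max(1, min(page_size, MAX_LIMIT))
    seen: Set[Any] = set()
    offset = 0
    while True:
        page = fetch_page(hostnames=hostnames, has_forensics=has_forensics,
                          start_date=start_date, limit=limit, offset=offset)
        for inc in page:
            iid = inc.get("incidentId")
            if iid in seen:
                continue
            seen.add(iid)
            yield inc
        if len(page) < limit:        # short page: nothing beyond this window
            return
        offset += limit


def collect_all(fetch_page: FetchPage, **filters: Any) -> List[Dict[str, Any]]:
    """Materialise the whole backlog; convenient for playbooks, memory-bound."""
    return list(iter_incidents(fetch_page, **filters))


class RecordingStub:
    """Constructed stand-in for the command: N incidents, records every call."""

    def __init__(self, total: int = 250) -> None:
        self.incidents = [{"incidentId": i, "hasForensics": i % 2 == 0}
                          for i in range(total)]
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, **kwargs: Any) -> List[Dict[str, Any]]:
        self.calls.append(kwargs)
        limit, offset = kwargs["limit"], kwargs["offset"]
        if limit > MAX_LIMIT:
            raise ValueError("limit above 100 is rejected, as the page documents")
        pool = self.incidents
        if kwargs.get("has_forensics"):
            pool = [i for i in pool if i["hasForensics"]]
        return pool[offset:offset + limit]


if __name__ == "__main__":
    stub = RecordingStub()
    got = collect_all(stub, has_forensics=True)
    print(f"{len(got)} incidents with forensics over {len(stub.calls)} calls")
```

For a scheduled job, pass the last run time as start_date so each run walks only the new window instead of the whole history.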

illusive-get-event-incident-id#


Retrieve the incident ID of an event

Base Command#

illusive-get-event-incident-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.incidentId | Number | The incident ID |
| Illusive.Event.eventId | Number | The given event ID |
| Illusive.Event.status | String | The command status (Done, InProgress) |

Command Example#

!illusive-get-event-incident-id event_id=80

Human Readable Output#

Illusive Get Incident#

| eventId | incidentId | status |
| --- | --- | --- |
| 80 | 72 | Done |
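illusive-run-forensics-on-demand returns only an event ID, and illusive-get-event-incident-id reports InProgress until collection finishes, so the two commands form an asynchronous workflow: trigger, poll, then fetch the timeline with illusive-get-forensics-timeline. The following is an added example (not the integration's code) of that workflow with bounded, backed-off polling. `IllusiveClient` is an assumed interface with one method per command, `FakeClient` is a constructed stand-in so the example runs offline, and the 5 s initial delay, 60 s cap and 600 s overall budget are assumptions.

```python
"""Run forensics on demand and wait for the event to resolve to an incident.

Added example, not the integration's code. `IllusiveClient` is an assumed
interface: one method per command used here, returning the shapes documented
as context output on this page.
"""
import time
from typing import Any, Callable, Dict, List, Protocol


class IllusiveClient(Protocol):
    def run_forensics_on_demand(self, fqdn_or_ip: str) -> int: ...
    def get_event_incident_id(self, event_id: int) -> Dict[str, Any]: ...
    def get_forensics_timeline(self, incident_id: int) -> List[Dict[str, Any]]: ...


def collect_forensics(client: IllusiveClient, fqdn_or_ip: str, *,
                      max_wait_s: float = 600.0, first_delay_s: float = 5.0,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Trigger collection, poll until status is Done, then fetch the timeline.

    Polling backs off exponentially (5 s, 10 s, 20 s, ... capped at 60 s) and
    gives up after max_wait_s so an unreachable host cannot hang a playbook.
    """
    event_id = client.run_forensics_on_demand(fqdn_or_ip)
    waited = 0.0
    delay = first_delay_s
    polls = 0
    while True:
        status = client.get_event_incident_id(event_id)
        polls += 1
        if status.get("status") == "Done":
            incident_id = status["incidentId"]
            return {
                "eventId": event_id,
                "incidentId": incident_id,
                "polls": polls,
                "timeline": client.get_forensics_timeline(incident_id),
            }
        if status.get("status") != "InProgress":
            raise RuntimeError(f"unexpected status for event {event_id}: {status!r}")
        if waited + delay > max_wait_s:
            raise TimeoutError(f"event {event_id} still InProgress after {waited:.0f}s")
        sleep(delay)
        waited += delay
        delay = min(delay * 2, 60.0)


class FakeClient:
    """Constructed stand-in: InProgress for `pending` polls, then Done with incident 72."""

    def __init__(self, pending: int) -> None:
        self.pending = pending
        self.sleeps: List[float] = []        # collected instead of sleeping

    def run_forensics_on_demand(self, fqdn_or_ip: str) -> int:
        return 123                           # the page's example event ID

    def get_event_incident_id(self, event_id: int) -> Dict[str, Any]:
        if self.pending > 0:
            self.pending -= 1
            return {"eventId": event_id, "incidentId": None, "status": "InProgress"}
        return {"eventId": event_id, "incidentId": 72, "status": "Done"}

    def get_forensics_timeline(self, incident_id: int) -> List[Dict[str, Any]]:
        return [{"eventId": "4", "type": "EVENT", "source": "MANAGEMENT",
                 "title": "WEB login attempt with the username dgffg to the deceptive URL 172.27.102.6/"}]


if __name__ == "__main__":
    fake = FakeClient(pending=2)
    result = collect_forensics(fake, "172.27.139.12", sleep=fake.sleeps.append)
    print(f"incident {result['incidentId']} after {result['polls']} polls, "
          f"{len(result['timeline'])} evidence item(s)")
```

In XSOAR the same loop is usually expressed as a polling playbook task rather than an in-process sleep; the bound on total wait is the part to keep either way.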

illusive-get-incident-events#


Retrieve all the events that are associated with an incident

Base Command#

illusive-get-incident-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID for which to retrieve the associated events | Required |
| limit | The maximum number of events to retrieve | Optional |
| offset | Use offset and limit for pagination | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Incident.incidentId | Number | The corresponding incident ID |
| Illusive.Incident.eventsNumber | Number | The number of associated events |
| Illusive.Incident.Event.eventId | Number | The event ID |
| Illusive.Incident.Event.eventTimeUTC | Date | The event time |
| Illusive.Incident.Event.hasForensics | Boolean | Whether the event has forensics |

Command Example#

!illusive-get-incident-events incident_id=2

Human Readable Output#

Illusive get incident's events#

| eventId | eventTimeUTC | hasForensics |
| --- | --- | --- |
| 4 | 2020-06-29T09:16:17.480Z | false |
| 3 | 2020-06-29T09:16:17.464Z | false |
| 2 | 2020-06-29T09:16:12.673Z | false |

illusive-get-forensics-analyzers#


Retrieve Illusive's forensics analyzers on a certain event

Base Command#

illusive-get-forensics-analyzers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID from which to retrieve the forensics analyzers | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.incidentId | Number | The corresponding incident ID |
| Illusive.Event.eventId | Number | The corresponding event ID |
| Illusive.Event.ForensicsAnalyzers.analyzerName | String | The forensics analyzer name |
| Illusive.Event.ForensicsAnalyzers.analyzerValue | String | The forensics analyzer description |

Command Example#

!illusive-get-forensics-analyzers event_id=2

Human Readable Output#

Illusive Forensics Analyzers#

| analyzerName | analyzerValue |
| --- | --- |
| Summary | An attempt to browse to the deceptive URL hr (172.27.102.6) was detected from 172.27.102.12 |
| Event Source And Destination | Event ID: 2<br>Event time: 2020-06-29T09:16:12.673Z<br>Event originated from 172.27.102.12<br>Event targeted hr (172.27.102.6) |
| Web | A GET request was made to the url http://172.27.102.6/ |
| Forensics Failure Reason | No resolving for host 172.27.102.12 |

illusive-get-forensics-triggering-process-info#


Retrieve the triggering process information from Illusive's forensics

Base Command#

illusive-get-forensics-triggering-process-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID from which to retrieve the triggering process information | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.incidentId | Number | The corresponding incident ID |
| Illusive.Event.eventId | Number | The corresponding event ID |
| Illusive.Event.ForensicsTriggeringProcess.commandLine | String | The triggering process command line |
| Illusive.Event.ForensicsTriggeringProcess.connectionsNum | Number | The number of active connections of the triggering process |
| Illusive.Event.ForensicsTriggeringProcess.md5 | String | The triggering process MD5 |
| Illusive.Event.ForensicsTriggeringProcess.sha256 | String | The triggering process SHA256 |
| Illusive.Event.ForensicsTriggeringProcess.name | String | The triggering process name |
| Illusive.Event.ForensicsTriggeringProcess.parent | String | The parent process of the triggering process |
| Illusive.Event.ForensicsTriggeringProcess.path | String | The triggering process path |
| Illusive.Event.ForensicsTriggeringProcess.startTime | Date | The triggering process start time |

Command Example#

!illusive-get-forensics-triggering-process-info event_id=5

Human Readable Output#

Illusive Triggering Processes Info#

| commandLine | connectionsNum | md5 | name | parent | path | sha256 | startTime |
| --- | --- | --- | --- | --- | --- | --- | --- |
| "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1472,8764100348922490764,5250110531070070503,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1900 /prefetch:8 | 15 | 9E46D108805A743D2D88D04019370A05 | chrome.exe | chrome.exe(7848) | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | D7771E5F5090EF37BE554D5DD9E1C24C8CD83EBF284C48CC5D1EF45D02C0E77F | 2020-06-29T09:16:47.245+00:00 |

illusive-get-forensics-artifacts#


Retrieve forensics artifacts from Illusive's forensics

Base Command#

illusive-get-forensics-artifacts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID from which to retrieve the forensics artifacts | Required |
| artifact_type | The type of forensics artifact to retrieve | Required |

Context Output#

There is no context output for this command.

Command Example#

!illusive-get-forensics-artifacts event_id=2

Human Readable Output#

event id 2 has no artifacts#