IllusiveNetworks

Overview


The Illusive Attack Management API lets customers retrieve detected incidents with a forensics timeline and attack surface insights, collect forensics on demand, and manage a variety of operations involving deceptive entities, deception policies, and more. This integration was integrated and tested with version 130 of IllusiveNetworks.

Use Cases

  • Automatically collect data and forensics from new incidents detected by Illusive
  • Enrich SOC data by retrieving a rich set of incident and forensics information, including: 1) host details and forensics from a potentially compromised host, 2) a forensics timeline, 3) forensics analysis, 4) additional data
  • Auto-analyze collected data and calculate incident severity to speed up SOC response times
  • Collect forensics from any compromised host and retrieve a forensics timeline
  • Retrieve detailed lists of approved and suggested deceptive servers and users
  • Approve, delete, and query deceptive entities
  • Manage deception policy assignments per host
  • Retrieve attack surface insights for Crown Jewels and specific hosts

Configure IllusiveNetworks on Demisto


#### Illusive Console

  1. Open the Illusive Management console, navigate to Settings > General, and locate the API KEYS section. Generate a new API key with all permissions and copy the token at the end of the process.

#### Demisto Console

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for IllusiveNetworks.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| api_token | API Token | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| fetch_time | The initial time to fetch from | False |
| has_forensics | Fetch only incidents with forensics | True |

  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


```json
{
  "sourceIp": "10.90.10.25",
  "sourceOperatingSystem": null,
  "policyName": null,
  "incidentTypes": ["DECEPTION"],
  "riskInsights": {"stepsToDomainAdmin": null, "stepsToCrownJewel": null},
  "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"],
  "lastSeenUser": null,
  "closed": false,
  "unread": true,
  "flagged": false,
  "hasForensics": false,
  "incidentId": 32,
  "incidentTimeUTC": "2020-05-04T11:37:10.231Z",
  "sourceHostname": null,
  "userNotes": null
}
```

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. illusive-get-forensics-timeline
  2. illusive-get-asm-host-insight
  3. illusive-get-asm-cj-insight
  4. illusive-get-deceptive-users
  5. illusive-get-deceptive-servers
  6. illusive-is-deceptive-user
  7. illusive-is-deceptive-server
  8. illusive-add-deceptive-users
  9. illusive-add-deceptive-servers
  10. illusive-delete-deceptive-users
  11. illusive-delete-deceptive-servers
  12. illusive-assign-host-to-policy
  13. illusive-remove-host-from-policy
  14. illusive-run-forensics-on-demand
  15. illusive-get-incidents
  16. illusive-get-event-incident-id
  17. illusive-get-incident-events
  18. illusive-get-forensics-analyzers
  19. illusive-get-forensics-triggering-process-info
  20. illusive-get-forensics-artifacts

illusive-get-forensics-timeline


Retrieve forensics timeline for a specific incident

Base Command

illusive-get-forensics-timeline

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The desired incident ID | Required |
| start_date | The starting date of the forensics timeline. | Optional |
| end_date | The last date of the forensics timeline. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Forensics.Evidence.details | String | The forensics evidence details |
| Illusive.Forensics.Evidence.eventId | String | The event ID |
| Illusive.Forensics.Evidence.id | String | The forensics evidence ID |
| Illusive.Forensics.Evidence.source | String | The evidence source |
| Illusive.Forensics.Evidence.starred | Boolean | Whether the forensics evidence has been starred |
| Illusive.Forensics.Evidence.time | Date | Date and time of the forensics evidence |
| Illusive.Forensics.Evidence.title | String | The forensics evidence description |
| Illusive.Forensics.IncidentId | String | The incident ID |
| Illusive.Forensics.Status | String | The process progress (Done, InProgress) |
| Illusive.Forensics.Evidence.date | Date | The forensics evidence date |

Command Example

!illusive-get-forensics-timeline incident_id=80 start_date="10 days" end_date="3 hours"

Human Readable Output

| Field | Value |
| --- | --- |
| date | 2020-06-29 09:16:17.480 |
| eventId | 4 |
| id | d59f0b0a-4a66-40d0-9565-563adc7534f1 |
| source | MANAGEMENT |
| starred | false |
| time | 1593422177480 |
| title | WEB login attempt with the username dgffg to the deceptive URL 172.27.102.6/ |
| type | EVENT |

details:

```text
id: 4
date: 2020-06-29 09:16:17.480
type: LOGIN
sourceIP: 172.27.102.12
trap: hr
injectedUserName: dgffg
injectedPassword: **
destinationIpAddress: 172.27.102.6
serviceType: WEB
data: Is Successful Login: false,
Accept-language: en-US,en;q=0.9,
Web Protocol: HTTP,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9,
Web Host: 172.27.102.6,
Web Url: /,
Authorization: Digest username="dgffg", realm="Domain Name", nonce="1593422172658:ad3f7cc0c86b52747fba1d68583c3827", uri="/", response="9f5d4174395c7d09460fc88e454713aa", opaque="9AC5ADA4A6317F9FB4F2B1211D8A7EFE", qop=auth, nc=00000002, cnonce="b000143183c56904",
Web Body: ,
Web Method: GET,
Upgrade-insecure-requests: 1,
Web User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,
Connection: keep-alive,
Cache-control: max-age=0,
Accept-encoding: gzip, deflate
hasForensics: No
title: WEB login attempt with the username dgffg to the deceptive URL 172.27.102.6/
```
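The evidence `details` text above is a free-form "key: value" block with a nested `data` section and an HTTP Digest header inside it. The following added example (not code from the integration or from Illusive) parses such a block into structured fields and reduces it to the facts an analyst checks first: which deceptive target was touched, whether the planted username was actually presented, whether the login succeeded, and whether forensics still need to be collected. The sample text is constructed from the output above, and the set of top-level keys is an assumption drawn from that sample.

```python
import re
from typing import Dict

# Constructed sample: the `details` text of one evidence entry, shaped like the
# human-readable output of illusive-get-forensics-timeline (abridged).
SAMPLE_DETAILS = """id: 4
date: 2020-06-29 09:16:17.480
type: LOGIN
sourceIP: 172.27.102.12
trap: hr
injectedUserName: dgffg
injectedPassword: **
destinationIpAddress: 172.27.102.6
serviceType: WEB
data: Is Successful Login: false,
Web Protocol: HTTP,
Web Host: 172.27.102.6,
Web Url: /,
Authorization: Digest username="dgffg", realm="Domain Name", uri="/", qop=auth, nc=00000002, cnonce="b000143183c56904",
Web Body: ,
Web Method: GET,
Accept-encoding: gzip, deflate
hasForensics: No
title: WEB login attempt with the username dgffg to the deceptive URL 172.27.102.6/"""

# Keys that belong to the evidence record itself; every other "key: value" line
# is a sub-entry of its free-form `data` block (assumption drawn from the sample).
TOP_LEVEL_KEYS = {"id", "date", "type", "sourceIP", "trap", "injectedUserName",
                  "injectedPassword", "destinationIpAddress", "serviceType",
                  "hasForensics", "title"}


def parse_evidence_details(text: str) -> Dict[str, object]:
    """Split the details text into top-level fields plus a nested `data` dict."""
    top: Dict[str, object] = {}
    data: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "data":  # the first data sub-entry is inlined after "data: "
            key, value = value.split(": ", 1)
        value = value.rstrip(",").strip()  # data sub-entries carry a trailing comma
        (top if key in TOP_LEVEL_KEYS else data)[key] = value
    top["data"] = data
    return top


def parse_digest(header: str) -> Dict[str, str]:
    """Parse the key=value pairs of an HTTP Digest Authorization header."""
    if not header.startswith("Digest "):
        return {}
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in pairs}


def triage(details: str) -> Dict[str, object]:
    """Reduce one evidence entry to the facts an analyst needs first."""
    ev = parse_evidence_details(details)
    data = ev["data"]
    auth = parse_digest(data.get("Authorization", ""))
    injected = ev.get("injectedUserName", "")
    return {
        "event_id": int(ev["id"]),
        "source_ip": ev["sourceIP"],
        "deceptive_target": f'{ev["trap"]} ({ev["destinationIpAddress"]})',
        "service": ev["serviceType"],
        # True when the planted (deceptive) username was presented to the trap.
        "deceptive_credential_used": bool(injected) and auth.get("username") == injected,
        "login_succeeded": data.get("Is Successful Login") == "true",
        # A candidate for illusive-run-forensics-on-demand on the source host.
        "needs_forensics": ev.get("hasForensics") == "No",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DETAILS))
```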

illusive-get-asm-host-insight


Retrieve the specified host insights from Attack Surface Manager

Base Command

illusive-get-asm-host-insight

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostnameOrIp | The hostname or IP address of the desired host | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.AttackSurfaceInsightsHost.DomainName | String | The host domain |
| Illusive.AttackSurfaceInsightsHost.HostName | String | The host hostname |
| Illusive.AttackSurfaceInsightsHost.HostType | String | The host type (Server, Workstation, Other) |
| Illusive.AttackSurfaceInsightsHost.IpAddresses | String | The host IP address |
| Illusive.AttackSurfaceInsightsHost.OperatingSystemName | String | The host operating system name |
| Illusive.AttackSurfaceInsightsHost.OperatingSystemVersion | String | The host operating system version |
| Illusive.AttackSurfaceInsightsHost.OrganizationalUnit | String | The host Active Directory Organizational Unit |
| Illusive.AttackSurfaceInsightsHost.SourceConnectivityExposure | Number | The host Source Connectivity Exposure to crown jewels and domain user credentials |

Command Example

!illusive-get-asm-host-insight hostnameOrIp=172.27.139.12

Human Readable Output

Illusive ASM Host Insights

| domainName | hostName | hostType | ipAddresses | operatingSystemName | operatingSystemVersion | organizationalUnit | sourceConnectivityExposure |
| --- | --- | --- | --- | --- | --- | --- | --- |
| illusive.com | win5.illusive.com | Workstation | 172.27.139.12,::1,fe80::ffff:ffff:fffe,fe80::2d2d:5763:8c1a:7b9 | Windows 10 | | clients | 0.0 |

illusive-get-asm-cj-insight


Retrieve Crown-Jewels insights from Attack Surface Manager

Base Command

illusive-get-asm-cj-insight

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.AttackSurfaceInsightsCrownJewel.data | Unknown | The number of connections to this Crown Jewel per service type |
| Illusive.AttackSurfaceInsightsCrownJewel.hostname | String | The crown jewel hostname |
| Illusive.AttackSurfaceInsightsCrownJewel.machineTagAndSubTags.tag | String | The list of crown jewel category and subcategory couplings |
| Illusive.AttackSurfaceInsightsCrownJewel.MachineTagAndSubTags.subTag | String | The list of crown jewel category and subcategory couplings |
| Illusive.AttackSurfaceInsightsCrownJewel.targetExposureRank | Number | The crown jewel target exposure |

Command Example

!illusive-get-asm-cj-insight

Human Readable Output

Illusive ASM Crown Jewels Insights

| data | hostname | machineTagAndSubTags | targetExposureRank |
| --- | --- | --- | --- |
| {'key': 'RDP', 'value': 1} | 172.27.139.12 | {'tag': 'Mainframe', 'subTag': 'MAINFRAME'} | 0.0 |

illusive-get-deceptive-users


Retrieve a list of all deceptive users

Base Command

illusive-get-deceptive-users

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The status of the desired deceptive users (APPROVED, SUGGESTED, ALL) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.DeceptiveUser.userName | String | The deceptive user name |
| Illusive.DeceptiveUser.domainName | String | The deceptive user domain |
| Illusive.DeceptiveUser.policyNames | Unknown | The deception policies the deceptive user is assigned to |
| Illusive.DeceptiveUser.password | String | The deceptive user password |
| Illusive.DeceptiveUser.deceptiveState | String | The deceptive user state (APPROVED, SUGGESTED, ALL) |
| Illusive.DeceptiveUser.adUser | Boolean | Whether the deceptive user is a genuine user in Active Directory |
| Illusive.DeceptiveUser.activeUser | Boolean | If the deceptive user is a real AD user, whether that user is active |

Command Example

!illusive-get-deceptive-users type=APPROVED

Human Readable Output

Illusive Deceptive Users

| activeUser | adUser | deceptiveState | domainName | password | policyNames | username |
| --- | --- | --- | --- | --- | --- | --- |
| false | false | APPROVED | illusive.com | Password | Full Protection | user1 |
| false | false | APPROVED | illusive.com | Password | Full Protection | user2 |

illusive-get-deceptive-servers


Retrieve a list of all deceptive servers

Base Command

illusive-get-deceptive-servers

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The status of the desired deceptive servers (APPROVED, SUGGESTED, ALL) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.DeceptiveServer.host | String | The deceptive server hostname |
| Illusive.DeceptiveServer.policyNames | String | The deception policies the deceptive server is assigned to |
| Illusive.DeceptiveServer.adHost | Boolean | Whether the deceptive server is a genuine machine in Active Directory |
| Illusive.DeceptiveServer.deceptiveState | String | The deceptive server state (APPROVED, SUGGESTED, ALL) |
| Illusive.DeceptiveServer.serviceTypes | String | The deception services the deceptive server is assigned to |

Command Example

!illusive-get-deceptive-servers type=APPROVED

Human Readable Output

Illusive Deceptive Servers

| adHost | deceptiveState | host | policyNames | serviceTypes |
| --- | --- | --- | --- | --- |
| false | APPROVED | server1.illusive.com | adiPo, Full Protection | SHARE, DB |
| false | APPROVED | server2.illusive.com | Full Protection | WEB, DB |
| false | APPROVED | server3.illusive.com | adiPo, Full Protection | FTP, SHARE, DB |

illusive-is-deceptive-user


Retrieve whether a specified user is deceptive

Base Command

illusive-is-deceptive-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to be verified | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.IsDeceptive.Username | String | The checked username |
| Illusive.IsDeceptive.IsDeceptiveUser | Boolean | Whether the specified user is a deceptive user |

Command Example

!illusive-is-deceptive-user username=user1

Human Readable Output

Illusive Is Deceptive

| IsDeceptiveUser | Username |
| --- | --- |
| true | user1 |

illusive-is-deceptive-server


Retrieve whether a specified server is deceptive

Base Command

illusive-is-deceptive-server

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The server hostname to be verified | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.IsDeceptive.IsDeceptiveServer | Boolean | Whether the specified server is a deceptive server |
| Illusive.IsDeceptive.Hostname | String | The checked server hostname |

Command Example

!illusive-is-deceptive-server hostname=server5.illusive.com

Human Readable Output

Illusive Is Deceptive

| Hostname | IsDeceptiveServer |
| --- | --- |
| server5.illusive.com | false |

illusive-add-deceptive-users


Add or approve deceptive users

Base Command

illusive-add-deceptive-users

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_name | The deceptive user domain | Required |
| password | The deceptive user password | Required |
| policy_names | The deception policies to be assigned to the new deceptive user | Optional |
| username | The deceptive user name | Required |

Context Output

There is no context output for this command.

Command Example

!illusive-add-deceptive-users domain_name=illusive.com password=pass username=user3

Human Readable Output

Illusive Add Deceptive User Succeeded

| domainName | password | policyNames | userName |
| --- | --- | --- | --- |
| illusive.com | pass | All Policies | user3 |

illusive-add-deceptive-servers


Add or approve deceptive servers

Base Command

illusive-add-deceptive-servers

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| host | The deceptive server hostname | Required |
| policy_names | The deception policies to be assigned to the new deceptive server | Optional |
| service_types | The deception services to be assigned to the new deceptive server | Required |

Context Output

There is no context output for this command.

Command Example

!Set key="serviceTypes" value="FTP"

!Set key="serviceTypes" value="SSH" append=true

!illusive-add-deceptive-servers host=server4.illusive.com service_types=${serviceTypes}

Human Readable Output

Illusive Add Deceptive Server Succeeded

| host | policyNames | serviceTypes |
| --- | --- | --- |
| server4.illusive.com | All Policies | FTP, SSH |

illusive-delete-deceptive-users


Delete deceptive users

Base Command

illusive-delete-deceptive-users

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| deceptive_users | The list of deceptive users to delete | Required |

Context Output

There is no context output for this command.

Command Example

!illusive-delete-deceptive-users deceptive_users=user3

Human Readable Output

Deceptive User ['user3'] was successfully Deleted

illusive-delete-deceptive-servers


Delete deceptive servers

Base Command

illusive-delete-deceptive-servers

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| deceptive_hosts | The list of deceptive servers to delete | Required |

Context Output

There is no context output for this command.

Command Example

!Set key="servers" value="server5.illusive.com"

!Set key="servers" value="server1.illusive.com" append=true

!illusive-delete-deceptive-servers deceptive_hosts=${servers}

Human Readable Output

### Deceptive Servers ['server5.illusive.com', 'server1.illusive.com'] were successfully Deleted

illusive-assign-host-to-policy


Assign a deception policy to domain hosts

Base Command

illusive-assign-host-to-policy

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_name | Policy name to assign | Required |
| hosts | List of hosts to assign, in the following format: machine@domain. Maximum number of hosts is 1000. | Required |

Context Output

There is no context output for this command.

Command Example

!illusive-assign-host-to-policy hosts=WIN7@illusive.com policy_name="Full Protection"

Human Readable Output

Illusive Assign Machines to Policy Succeeded

| hosts | isAssigned | policy_name |
| --- | --- | --- |
| WIN7@illusive.com | true | Full Protection |

illusive-remove-host-from-policy


Remove deception policy assignment from domain hosts

Base Command

illusive-remove-host-from-policy

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hosts | List of hosts to remove policy assignment from, in the following format: machine@domain. Maximum number of hosts is 1000. | Required |

Context Output

There is no context output for this command.

Command Example

!illusive-remove-host-from-policy hosts=WIN7@illusive.com

Human Readable Output

Illusive Remove Machines from All Policies Succeeded

| hosts | isAssigned | policy_name |
| --- | --- | --- |
| WIN7@illusive.com | false | |

illusive-run-forensics-on-demand


Collect forensics on a specified host and retrieve the forensics timeline

Base Command

illusive-run-forensics-on-demand

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fqdn_or_ip | The host FQDN or IP address on which to collect forensics | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.eventId | Number | The created event ID of the operation |

Command Example

!illusive-run-forensics-on-demand fqdn_or_ip=172.27.139.12

Human Readable Output

Illusive Run Forensics On Demand

| eventId |
| --- |
| 123 |

illusive-get-incidents


Retrieve incidents

Base Command

illusive-get-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The desired incident ID to retrieve. If specified, other arguments are ignored and only a single incident can be retrieved. | Optional |
| hostnames | The list of hostnames to retrieve incidents for | Optional |
| has_forensics | Whether to retrieve incidents with forensics only | Optional |
| limit | Use offset and limit for pagination. The maximum limit is 100. | Optional |
| offset | Use offset and limit for pagination. | Optional |
| start_date | Start date | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Incident.closed | Boolean | Whether the incident has been closed |
| Illusive.Incident.deceptionFamilies | String | The deception families of the deceptions used to trigger the incident |
| Illusive.Incident.flagged | Boolean | Whether the incident has been flagged |
| Illusive.Incident.hasForensics | Boolean | Whether the incident has forensics |
| Illusive.Incident.incidentId | Number | The incident ID |
| Illusive.Incident.incidentTimeUTC | Date | Date and time of the incident |
| Illusive.Incident.incidentTypes | Unknown | Type of events detected |
| Illusive.Incident.lastSeenUser | String | The user who last reviewed the incident |
| Illusive.Incident.policyName | String | The compromised host's policy |
| Illusive.Incident.riskInsights.stepsToCrownJewel | Number | The compromised host's lateral distance from Crown Jewels |
| Illusive.Incident.riskInsights.stepsToDomainAdmin | Number | The compromised host's lateral distance from domain admin accounts |
| Illusive.Incident.sourceHostname | String | The compromised host's name |
| Illusive.Incident.sourceIp | String | The compromised host's IP address |
| Illusive.Incident.sourceOperatingSystem | String | The compromised host's operating system |
| Illusive.Incident.unread | Boolean | Whether the incident has been read |
| Illusive.Incident.userNotes | String | The analyst's comments |

Command Example

!illusive-get-incidents incident_id=28

Human Readable Output

Illusive Incidents

| Field | Value |
| --- | --- |
| closed | false |
| deceptionFamilies | FAMILY_TYPE_BROWSERS |
| flagged | false |
| hasForensics | false |
| incidentId | 28 |
| incidentTimeUTC | 2020-04-20T06:44:33.207Z |
| incidentTypes | DECEPTION |
| lastSeenUser | |
| policyName | |
| riskInsights | stepsToDomainAdmin: null<br>stepsToCrownJewel: null |
| sourceHostname | |
| sourceIp | 172.27.139.14 |
| sourceOperatingSystem | |
| unread | false |
| userNotes | |

illusive-get-event-incident-id


Retrieve the incident ID of an event

Base Command

illusive-get-event-incident-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.incidentId | Number | The incident ID |
| Illusive.Event.eventId | Number | The given event ID |
| Illusive.Event.status | String | The command status (Done, InProgress) |

Command Example

!illusive-get-event-incident-id event_id=80

Human Readable Output

Illusive Get Incident

| eventId | incidentId | status |
| --- | --- | --- |
| 80 | 72 | Done |

illusive-get-incident-events


Retrieve all the events that are associated with an incident

Base Command

illusive-get-incident-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID for which to retrieve the associated events | Required |
| limit | The maximum number of events to retrieve | Optional |
| offset | Use offset and limit for pagination | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Incident.incidentId | Number | The corresponding incident ID |
| Illusive.Incident.eventsNumber | Number | The number of associated events |
| Illusive.Incident.Event.eventId | Number | The event ID |
| Illusive.Incident.Event.eventTimeUTC | Date | The event time |
| Illusive.Incident.Event.hasForensics | Boolean | Whether the event has forensics |

Command Example

!illusive-get-incident-events incident_id=2

Human Readable Output

Illusive get incident's events

| eventId | eventTimeUTC | hasForensics |
| --- | --- | --- |
| 4 | 2020-06-29T09:16:17.480Z | false |
| 3 | 2020-06-29T09:16:17.464Z | false |
| 2 | 2020-06-29T09:16:12.673Z | false |

illusive-get-forensics-analyzers


Retrieve Illusive's forensics analyzers on a certain event

Base Command

illusive-get-forensics-analyzers

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID to retrieve the forensics analyzers from | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.incidentId | Number | The corresponding incident ID |
| Illusive.Event.eventId | Number | The corresponding event ID |
| Illusive.Event.ForensicsAnalyzers.analyzerName | String | The forensics analyzer name |
| Illusive.Event.ForensicsAnalyzers.analyzerValue | String | The forensics analyzer description |

Command Example

!illusive-get-forensics-analyzers event_id=2

Human Readable Output

Illusive Forensics Analyzers

| analyzerName | analyzerValue |
| --- | --- |
| Summary | An attempt to browse to the deceptive URL hr (172.27.102.6) was detected from 172.27.102.12 |
| Event Source And Destination | Event ID: 2<br>Event time: 2020-06-29T09:16:12.673Z<br>Event originated from 172.27.102.12<br>Event targeted hr (172.27.102.6) |
| Web | A GET request was made to the url http://172.27.102.6/ |
| Forensics Failure Reason | No resolving for host 172.27.102.12 |

illusive-get-forensics-triggering-process-info


Retrieve the triggering process information from Illusive's forensics

Base Command

illusive-get-forensics-triggering-process-info

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID to retrieve the triggering process information from | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.incidentId | Number | The corresponding incident ID |
| Illusive.Event.eventId | Number | The corresponding event ID |
| Illusive.Event.ForensicsTriggeringProcess.commandLine | String | The triggering process command line |
| Illusive.Event.ForensicsTriggeringProcess.connectionsNum | Number | The triggering process active connections |
| Illusive.Event.ForensicsTriggeringProcess.md5 | String | The triggering process MD5 |
| Illusive.Event.ForensicsTriggeringProcess.sha256 | String | The triggering process SHA256 |
| Illusive.Event.ForensicsTriggeringProcess.name | String | The triggering process name |
| Illusive.Event.ForensicsTriggeringProcess.parent | String | The parent process of the triggering process |
| Illusive.Event.ForensicsTriggeringProcess.path | String | The triggering process path |
| Illusive.Event.ForensicsTriggeringProcess.startTime | Date | The triggering process start time |

Command Example

!illusive-get-forensics-triggering-process-info event_id=5

Human Readable Output

Illusive Triggering Processes Info

commandLineconnectionsNummd5nameparentpathsha256startTime
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1472,8764100348922490764,5250110531070070503,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1900 /prefetch:8159E46D108805A743D2D88D04019370A05chrome.exechrome.exe(7848)C:\Program Files (x86)\Google\Chrome\Application\chrome.exeD7771E5F5090EF37BE554D5DD9E1C24C8CD83EBF284C48CC5D1EF45D02C0E77F2020-06-29T09:16:47.245+00:00
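The two commands above, illusive-get-incident-events and illusive-get-forensics-triggering-process-info, are typically chained: list an incident's events, then pull the triggering process only for events that actually have forensics. The added example below (not code from the integration) does that, walking the event list with offset/limit and keeping the pivot fields (hashes, path, parent) for downstream enrichment. It assumes a `run(command, args)` hook that returns the command's context output as a dict; inside an XSOAR automation that hook would wrap demisto.executeCommand. The stand-in runner, its events and the hash placeholders are constructed sample data.

```python
from typing import Callable, Dict, List

# Hook that executes an XSOAR command and returns its context output as a dict;
# inside an automation this would wrap demisto.executeCommand (assumption).
Runner = Callable[[str, Dict[str, object]], Dict[str, object]]

MAX_LIMIT = 100  # page-size ceiling documented for illusive-get-incidents


def list_incident_events(run: Runner, incident_id: int, page_size: int = MAX_LIMIT) -> List[dict]:
    """Walk illusive-get-incident-events with offset/limit until a short page arrives."""
    events: List[dict] = []
    offset = 0
    while True:
        ctx = run("illusive-get-incident-events",
                  {"incident_id": incident_id, "limit": page_size, "offset": offset})
        batch = ctx.get("Illusive", {}).get("Incident", {}).get("Event", [])
        events.extend(batch)
        if len(batch) < page_size:
            return events
        offset += page_size


def collect_triggering_processes(run: Runner, incident_id: int) -> List[dict]:
    """For each event that has forensics, fetch the triggering process and keep
    the pivot fields (hashes, path, parent, command line) for enrichment."""
    found: List[dict] = []
    for ev in list_incident_events(run, incident_id):
        if not ev.get("hasForensics"):
            continue  # nothing was collected for this event; skip the extra call
        ctx = run("illusive-get-forensics-triggering-process-info", {"event_id": ev["eventId"]})
        proc = ctx.get("Illusive", {}).get("Event", {}).get("ForensicsTriggeringProcess", {})
        if proc:
            keys = ("name", "path", "parent", "md5", "sha256", "commandLine")
            found.append({"eventId": ev["eventId"], **{k: proc.get(k) for k in keys}})
    return found


# Constructed stand-in for the command runner: three events for incident 2 and a
# triggering process for event 5 only; hash values are labelled placeholders.
FAKE_EVENTS = [
    {"eventId": 4, "eventTimeUTC": "2020-06-29T09:16:17.480Z", "hasForensics": False},
    {"eventId": 3, "eventTimeUTC": "2020-06-29T09:16:17.464Z", "hasForensics": False},
    {"eventId": 5, "eventTimeUTC": "2020-06-29T09:16:47.245Z", "hasForensics": True},
]
FAKE_PROCESSES = {
    5: {"name": "chrome.exe", "parent": "chrome.exe(7848)",
        "path": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
        "md5": "MD5_PLACEHOLDER", "sha256": "SHA256_PLACEHOLDER",
        "commandLine": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility'},
}


def fake_runner(name: str, args: Dict[str, object]) -> Dict[str, object]:
    """Answers the two commands from the constructed data above, honouring offset/limit."""
    if name == "illusive-get-incident-events":
        off, lim = int(args["offset"]), int(args["limit"])
        return {"Illusive": {"Incident": {"incidentId": args["incident_id"],
                                          "Event": FAKE_EVENTS[off:off + lim]}}}
    if name == "illusive-get-forensics-triggering-process-info":
        proc = FAKE_PROCESSES.get(int(args["event_id"]), {})
        return {"Illusive": {"Event": {"eventId": args["event_id"],
                                       "ForensicsTriggeringProcess": proc}}}
    raise ValueError(f"unexpected command: {name}")


if __name__ == "__main__":
    for proc in collect_triggering_processes(fake_runner, 2):
        print(proc)
```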

illusive-get-forensics-artifacts


Retrieve forensics artifacts from Illusive's forensics

Base Command

illusive-get-forensics-artifacts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID to retrieve the forensics artifacts from | Required |
| artifact_type | The type of forensics artifact to retrieve | Required |

Context Output

There is no context output for this command.

Command Example

!illusive-get-forensics-artifacts event_id=2

Human Readable Output

event id 2 has no artifacts