# IllusiveNetworks

## Overview

The Illusive Attack Management API lets customers retrieve detected incidents together with a forensics timeline and attack surface insights, collect forensics on demand, and manage deceptive entities, deception policies, and more. This integration was integrated and tested with version xx of IllusiveNetworks.

## Use Cases

- Retrieve detected incidents with a rich set of details and a forensics timeline
- Collect forensics from any compromised host and retrieve a forensics timeline
- Manage deceptive entities: retrieve detailed lists, approve suggested entities, delete, and query
- Manage deception policy assignments per host
- Retrieve attack surface insights for Crown Jewels and specific hosts

## Configure IllusiveNetworks on Demisto

#### Illusive Console
1. Open the Illusive Management console, navigate to Settings > General, and locate the API KEYS section. Generate a new API key with all permissions and copy the token at the end of the process. Treat the token as a credential: it carries every permission you granted the key, so store it only in the integration instance and rotate it from the same console screen if it is ever exposed.

#### Demisto Console
1. Navigate to Settings > Integrations > Servers & Services.
2. Search for IllusiveNetworks.
3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| api_token | API Token | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| fetch_time | The initial time to fetch from | False |

4. Click Test to validate the URL, token, and connection.

Leave "Trust any certificate" disabled unless the management console presents a certificate your Demisto server cannot validate; with it enabled the API token is sent to whatever answers at the URL.

## Fetched Incidents Data

```json
{
  "sourceIp": "10.90.10.25",
  "sourceOperatingSystem": null,
  "policyName": null,
  "incidentTypes": ["DECEPTION"],
  "riskInsights": {"stepsToDomainAdmin": null, "stepsToCrownJewel": null},
  "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"],
  "lastSeenUser": null,
  "closed": false,
  "unread": true,
  "flagged": false,
  "hasForensics": false,
  "incidentId": 32,
  "incidentTimeUTC": "2020-05-04T11:37:10.231Z",
  "sourceHostname": null,
  "userNotes": null
}
```
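The following is an added example, not code from the integration itself: it turns a raw Illusive incident like the one above into a Demisto incident and keeps a fetch cursor (last incident time and ID) so repeated fetches do not create the same incident twice. The first record is the sample from this page; the second is constructed. The severity mapping, the last-run layout and the function names are this example's own assumptions.

```python
"""Map raw Illusive incidents to Demisto incidents with a dedupe cursor.

Added example; the severity rule and last_run layout are assumptions,
not the integration's own behaviour.
"""
import json
from datetime import datetime, timezone

# Constructed sample data: first record is the page's fetched incident,
# the second is hypothetical (already reviewed, one hop from domain admin).
RAW_INCIDENTS = [
    {"sourceIp": "10.90.10.25", "sourceOperatingSystem": None, "policyName": None,
     "incidentTypes": ["DECEPTION"],
     "riskInsights": {"stepsToDomainAdmin": None, "stepsToCrownJewel": None},
     "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"], "lastSeenUser": None,
     "closed": False, "unread": True, "flagged": False, "hasForensics": False,
     "incidentId": 32, "incidentTimeUTC": "2020-05-04T11:37:10.231Z",
     "sourceHostname": None, "userNotes": None},
    {"sourceIp": "10.90.10.26", "sourceOperatingSystem": "Windows 10",
     "policyName": "Full Protection", "incidentTypes": ["DECEPTION"],
     "riskInsights": {"stepsToDomainAdmin": 1, "stepsToCrownJewel": 2},
     "deceptionFamilies": ["FAMILY_TYPE_BROWSERS"], "lastSeenUser": "analyst",
     "closed": False, "unread": False, "flagged": True, "hasForensics": True,
     "incidentId": 33, "incidentTimeUTC": "2020-05-04T11:40:00.000Z",
     "sourceHostname": "win7.illusive.com", "userNotes": None},
]

UTC_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_utc(ts: str) -> datetime:
    """Illusive timestamps are ISO-8601 with millisecond precision and a Z suffix."""
    return datetime.strptime(ts, UTC_FMT).replace(tzinfo=timezone.utc)


def format_utc(dt: datetime) -> str:
    """Inverse of parse_utc: keep three fractional digits, as the API does."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def severity(raw: dict) -> int:
    """Assumed mapping on the Demisto 1..4 scale: a deception trigger is at
    least High (3); a host one lateral step from domain admin or a Crown
    Jewel is Critical (4). Null insights mean 'not computed', not 'far'."""
    insights = raw.get("riskInsights") or {}
    steps = [s for s in (insights.get("stepsToDomainAdmin"),
                         insights.get("stepsToCrownJewel")) if s is not None]
    return 4 if steps and min(steps) <= 1 else 3


def to_demisto_incident(raw: dict) -> dict:
    host = raw.get("sourceHostname") or raw.get("sourceIp") or "unknown"
    return {
        "name": f"Illusive incident {raw['incidentId']} on {host}",
        "occurred": raw["incidentTimeUTC"],
        "severity": severity(raw),
        "rawJSON": json.dumps(raw),
    }


def fetch_incidents(raw_incidents, last_run: dict, first_fetch_from: str):
    """Return (new_last_run, incidents).

    Only incidents newer than the cursor are emitted; at equal timestamps
    the incident ID breaks the tie, so an incident is never emitted twice.
    first_fetch_from (ISO-8601 UTC) plays the role of the fetch_time
    parameter when there is no previous run.
    """
    cursor_time = parse_utc(last_run.get("time") or first_fetch_from)
    cursor_id = last_run.get("incident_id", -1)
    emitted = []
    ordered = sorted(raw_incidents,
                     key=lambda r: (parse_utc(r["incidentTimeUTC"]), r["incidentId"]))
    for raw in ordered:
        t = parse_utc(raw["incidentTimeUTC"])
        if t < cursor_time or (t == cursor_time and raw["incidentId"] <= cursor_id):
            continue
        emitted.append(to_demisto_incident(raw))
        cursor_time, cursor_id = t, raw["incidentId"]
    return {"time": format_utc(cursor_time), "incident_id": cursor_id}, emitted
```

Keeping both the timestamp and the incident ID in the cursor matters: two incidents can share a millisecond, and a cursor built from the timestamp alone would either drop the second one or re-create it on the next fetch.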

## Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. illusive-get-forensics-timeline
2. illusive-get-asm-host-insight
3. illusive-get-asm-cj-insight
4. illusive-get-deceptive-users
5. illusive-get-deceptive-servers
6. illusive-is-deceptive-user
7. illusive-is-deceptive-server
8. illusive-add-deceptive-users
9. illusive-add-deceptive-servers
10. illusive-delete-deceptive-users
11. illusive-delete-deceptive-servers
12. illusive-assign-host-to-policy
13. illusive-remove-host-from-policy
14. illusive-run-forensics-on-demand
15. illusive-get-incidents
16. illusive-get-event-incident-id

### illusive-get-forensics-timeline

Retrieve the forensics timeline for a specific incident.

#### Base Command

`illusive-get-forensics-timeline`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The desired incident ID. | Required |
| start_date | The starting date of the forensics timeline. | Optional |
| end_date | The last date of the forensics timeline. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Forensics.Evidence.details | String | The forensics evidence details |
| Illusive.Forensics.Evidence.eventId | String | The event ID |
| Illusive.Forensics.Evidence.id | String | The forensics evidence ID |
| Illusive.Forensics.Evidence.source | String | The evidence source |
| Illusive.Forensics.Evidence.starred | Boolean | Whether the forensics evidence has been starred |
| Illusive.Forensics.Evidence.time | Date | Date and time of the forensics evidence |
| Illusive.Forensics.Evidence.title | String | The forensics evidence description |
| Illusive.Forensics.IncidentId | String | The incident ID |
| Illusive.Forensics.Status | String | The collection progress (Done, InProgress) |

#### Command Example

```
!illusive-get-forensics-timeline incident_id=80 start_date="10 days" end_date="3 hours"
```

#### Human Readable Output

### Illusive Forensics Timeline

| details | eventId | id | source | starred | time | title | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| date: 2020-04-21 15:04:26.234<br>serviceType: EXTERNAL<br>hasForensics: No<br>data: API call source IP: 172.16.1.42<br>sourceIP: 172.27.139.14<br>id: 90<br>type: EXTERNAL<br>title: [External] Event 90 | 90 | ad552472-9132-4b80-8e4e-092dadd56f24 | MANAGEMENT | false | 1587481466234 | [External] Event 90 | EVENT |
| date: 2020-04-21 15:05:21.035<br>serviceType: EXTERNAL<br>hasForensics: No<br>data: API call source IP: 172.16.1.42<br>sourceIP: 172.27.139.14<br>id: 92<br>type: EXTERNAL<br>title: [External] Event 92 | 92 | 421c517d-a252-4aec-a492-2ad6486ad6ab | MANAGEMENT | false | 1587481521035 | [External] Event 92 | EVENT |

The `time` column is epoch milliseconds in UTC; `details.date` shows the same instant (1587481466234 is 2020-04-21 15:04:26.234 UTC). Use `time` when sorting or filtering evidence in an automation.
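As an added example (not part of the integration), the block below shows how the relative `start_date`/`end_date` values used in the command above, such as "10 days" and "3 hours", translate into the epoch-millisecond window that the timeline's `time` field uses, and how evidence is filtered to that window. The two evidence rows are taken from the table above; the parser, its accepted grammar and the function names are this example's own.

```python
"""Resolve relative timeline boundaries to epoch ms and filter evidence.

Added example; the grammar accepted for relative dates is an assumption
and may be narrower than what the integration itself accepts.
"""
import calendar
import re
from datetime import datetime, timezone

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
_RELATIVE = re.compile(r"^\s*(\d+)\s*(second|minute|hour|day|week)s?(?:\s+ago)?\s*$", re.I)


def relative_to_epoch_ms(text: str, now_ms: int) -> int:
    """'10 days' -> now minus ten days, in epoch ms.

    Absolute ISO-8601 UTC values (2020-04-21T15:04:26.234Z) are accepted too.
    Integer arithmetic avoids the float rounding of datetime.timestamp()*1000.
    """
    m = _RELATIVE.match(text)
    if m:
        return now_ms - int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()] * 1000
    dt = datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return calendar.timegm(dt.utctimetuple()) * 1000 + dt.microsecond // 1000


def filter_evidence(evidence, start_ms: int, end_ms: int):
    """Keep evidence whose `time` lies in [start_ms, end_ms], oldest first."""
    if start_ms > end_ms:
        raise ValueError("start_date must be earlier than end_date")
    return sorted((e for e in evidence if start_ms <= e["time"] <= end_ms),
                  key=lambda e: e["time"])


# Constructed from the two rows in the table above.
EVIDENCE = [
    {"eventId": "92", "id": "421c517d-a252-4aec-a492-2ad6486ad6ab", "source": "MANAGEMENT",
     "starred": False, "time": 1587481521035, "title": "[External] Event 92", "type": "EVENT"},
    {"eventId": "90", "id": "ad552472-9132-4b80-8e4e-092dadd56f24", "source": "MANAGEMENT",
     "starred": False, "time": 1587481466234, "title": "[External] Event 90", "type": "EVENT"},
]


def timeline_window(evidence, start_date: str, end_date: str, now_ms: int):
    """Apply start_date/end_date exactly as the command arguments would."""
    return filter_evidence(evidence,
                           relative_to_epoch_ms(start_date, now_ms),
                           relative_to_epoch_ms(end_date, now_ms))
```

Note that `end_date="3 hours"` means "up to three hours ago", so an incident whose evidence is more recent than that will come back empty; pass `now_ms` from the caller rather than reading the clock inside the filter so the window is reproducible in a playbook.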

### illusive-get-asm-host-insight

Retrieve the specified host's insights from Attack Surface Manager.

#### Base Command

`illusive-get-asm-host-insight`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostnameOrIp | The hostname or IP address of the desired host | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.AttackSurfaceInsightsHost.DomainName | String | The host domain |
| Illusive.AttackSurfaceInsightsHost.HostName | String | The host hostname |
| Illusive.AttackSurfaceInsightsHost.HostType | String | The host type (Server, Workstation, Other) |
| Illusive.AttackSurfaceInsightsHost.IpAddresses | String | The host IP addresses |
| Illusive.AttackSurfaceInsightsHost.OperatingSystemName | String | The host operating system name |
| Illusive.AttackSurfaceInsightsHost.OperatingSystemVersion | String | The host operating system version |
| Illusive.AttackSurfaceInsightsHost.OrganizationalUnit | String | The host Active Directory Organizational Unit |
| Illusive.AttackSurfaceInsightsHost.SourceConnectivityExposure | Number | The host's Source Connectivity Exposure to Crown Jewels and domain user credentials |

#### Command Example

```
!illusive-get-asm-host-insight hostnameOrIp=172.27.139.12
```

#### Human Readable Output

### Illusive ASM Host Insights

| domainName | hostName | hostType | ipAddresses | operatingSystemName | operatingSystemVersion | organizationalUnit | sourceConnectivityExposure |
| --- | --- | --- | --- | --- | --- | --- | --- |
| illusive.com | win5.illusive.com | Workstation | 172.27.139.12,::1,fe80::ffff:ffff:fffe,fe80::2d2d:5763:8c1a:7b9 | Windows 10 | | clients | 0.0 |

### illusive-get-asm-cj-insight

Retrieve Crown Jewels insights from Attack Surface Manager.

#### Base Command

`illusive-get-asm-cj-insight`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.AttackSurfaceInsightsCrownJewel.data | Unknown | The number of connections to this Crown Jewel per service type |
| Illusive.AttackSurfaceInsightsCrownJewel.hostname | String | The Crown Jewel hostname |
| Illusive.AttackSurfaceInsightsCrownJewel.machineTagAndSubTags.tag | String | The Crown Jewel category |
| Illusive.AttackSurfaceInsightsCrownJewel.machineTagAndSubTags.subTag | String | The Crown Jewel subcategory |
| Illusive.AttackSurfaceInsightsCrownJewel.targetExposureRank | Number | The Crown Jewel target exposure |

#### Command Example

```
!illusive-get-asm-cj-insight
```

#### Human Readable Output

### Illusive ASM Crown Jewels Insights

| data | hostname | machineTagAndSubTags | targetExposureRank |
| --- | --- | --- | --- |
| {'key': 'RDP', 'value': 1} | 172.27.139.12 | {'tag': 'Mainframe', 'subTag': 'MAINFRAME'} | 0.0 |

### illusive-get-deceptive-users

Retrieve a list of all deceptive users.

#### Base Command

`illusive-get-deceptive-users`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The status of the desired deceptive users (APPROVED, SUGGESTED, ALL) | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.DeceptiveUser.userName | String | The deceptive user name |
| Illusive.DeceptiveUser.domainName | String | The deceptive user domain |
| Illusive.DeceptiveUser.policyNames | Unknown | The deception policies the deceptive user is assigned to |
| Illusive.DeceptiveUser.password | String | The deceptive user password |
| Illusive.DeceptiveUser.deceptiveState | String | The deceptive user state (APPROVED, SUGGESTED) |
| Illusive.DeceptiveUser.adUser | Boolean | Whether the deceptive user is a genuine user in Active Directory |
| Illusive.DeceptiveUser.activeUser | Boolean | If the deceptive user is a real AD user, whether that user is active |

The command writes the deceptive users' passwords into the incident context and War Room. They are decoy credentials, but a deceptive user that is also a genuine AD account (adUser true) has a real password, so restrict who can view incidents that ran this command.

#### Command Example

```
!illusive-get-deceptive-users type=APPROVED
```

#### Human Readable Output

### Illusive Deceptive Users

| activeUser | adUser | deceptiveState | domainName | password | policyNames | username |
| --- | --- | --- | --- | --- | --- | --- |
| false | false | APPROVED | illusive.com | Password | Full Protection | user1 |
| false | false | APPROVED | illusive.com | Password | Full Protection | user2 |

### illusive-get-deceptive-servers

Retrieve a list of all deceptive servers.

#### Base Command

`illusive-get-deceptive-servers`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| type | The status of the desired deceptive servers (APPROVED, SUGGESTED, ALL) | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.DeceptiveServer.host | String | The deceptive server hostname |
| Illusive.DeceptiveServer.policyNames | String | The deception policies the deceptive server is assigned to |
| Illusive.DeceptiveServer.adHost | Boolean | Whether the deceptive server is a genuine machine in Active Directory |
| Illusive.DeceptiveServer.deceptiveState | String | The deceptive server state (APPROVED, SUGGESTED) |
| Illusive.DeceptiveServer.serviceTypes | String | The deception services the deceptive server is assigned to |

#### Command Example

```
!illusive-get-deceptive-servers type=APPROVED
```

#### Human Readable Output

### Illusive Deceptive Servers

| adHost | deceptiveState | host | policyNames | serviceTypes |
| --- | --- | --- | --- | --- |
| false | APPROVED | server1.illusive.com | adiPo, Full Protection | SHARE, DB |
| false | APPROVED | server2.illusive.com | Full Protection | WEB, DB |
| false | APPROVED | server3.illusive.com | adiPo, Full Protection | FTP, SHARE, DB |

### illusive-is-deceptive-user

Check whether a specified user is deceptive.

#### Base Command

`illusive-is-deceptive-user`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username to check | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.IsDeceptive.Username | String | The checked username |
| Illusive.IsDeceptive.IsDeceptiveUser | Boolean | Whether the specified user is configured as a deceptive user |

#### Command Example

```
!illusive-is-deceptive-user username=user1
```

#### Human Readable Output

### Illusive Is Deceptive

| IsDeceptiveUser | Username |
| --- | --- |
| true | user1 |

### illusive-is-deceptive-server

Check whether a specified server is deceptive.

#### Base Command

`illusive-is-deceptive-server`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The server hostname to check | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.IsDeceptive.IsDeceptiveServer | Boolean | Whether the specified server is configured as a deceptive server |
| Illusive.IsDeceptive.Hostname | String | The checked server hostname |

#### Command Example

```
!illusive-is-deceptive-server hostname=server5.illusive.com
```

#### Human Readable Output

### Illusive Is Deceptive

| Hostname | IsDeceptiveServer |
| --- | --- |
| server5.illusive.com | false |

### illusive-add-deceptive-users

Add or approve deceptive users.

#### Base Command

`illusive-add-deceptive-users`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_name | The deceptive user domain | Required |
| password | The deceptive user password | Required |
| policy_names | The deception policies to be assigned to the new deceptive user | Optional |
| username | The deceptive user name | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!illusive-add-deceptive-users domain_name=illusive.com password=pass username=user3
```

#### Human Readable Output

### Illusive Add Deceptive User Succeeded

| domainName | password | policyNames | userName |
| --- | --- | --- | --- |
| illusive.com | pass | All Policies | user3 |

### illusive-add-deceptive-servers

Add or approve deceptive servers.

#### Base Command

`illusive-add-deceptive-servers`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| host | The deceptive server hostname | Required |
| policy_names | The deception policies to be assigned to the new deceptive server | Optional |
| service_types | The deception services to be assigned to the new deceptive server | Required |

#### Context Output

There is no context output for this command.

#### Command Example

`service_types` takes a list. The example builds it in context with `Set` (the second call appends rather than overwrites) and then passes the list through `${serviceTypes}`:

```
!Set key="serviceTypes" value="FTP"
!Set key="serviceTypes" value="SSH" append=true
!illusive-add-deceptive-servers host=server4.illusive.com service_types=${serviceTypes}
```

#### Human Readable Output

### Illusive Add Deceptive Server Succeeded

| host | policyNames | serviceTypes |
| --- | --- | --- |
| server4.illusive.com | All Policies | FTP, SSH |

### illusive-delete-deceptive-users

Delete deceptive users.

#### Base Command

`illusive-delete-deceptive-users`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| deceptive_users | The list of deceptive users to delete | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!illusive-delete-deceptive-users deceptive_users=user3
```

#### Human Readable Output

### Deceptive User ['user3'] was successfully Deleted

### illusive-delete-deceptive-servers

Delete deceptive servers.

#### Base Command

`illusive-delete-deceptive-servers`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| deceptive_hosts | The list of deceptive servers to delete | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!Set key="servers" value="server5.illusive.com"
!Set key="servers" value="server1.illusive.com" append=true
!illusive-delete-deceptive-servers deceptive_hosts=${servers}
```

#### Human Readable Output

### Deceptive Servers ['server5.illusive.com', 'server1.illusive.com'] were successfully Deleted

### illusive-assign-host-to-policy

Assign a deception policy to domain hosts.

#### Base Command

`illusive-assign-host-to-policy`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_name | Policy name to assign | Required |
| hosts | List of hosts to assign, in the format machine@domain. Maximum number of hosts is 1000. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!illusive-assign-host-to-policy hosts=WIN7@illusive.com policy_name="Full Protection"
```

#### Human Readable Output

### Illusive Assign Machines to Policy Succeeded

| hosts | isAssigned | policy_name |
| --- | --- | --- |
| WIN7@illusive.com | true | Full Protection |

### illusive-remove-host-from-policy

Remove the deception policy assignment from domain hosts.

#### Base Command

`illusive-remove-host-from-policy`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hosts | List of hosts to remove the policy assignment from, in the format machine@domain. Maximum number of hosts is 1000. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!illusive-remove-host-from-policy hosts=WIN7@illusive.com
```

#### Human Readable Output

### Illusive Remove Machines from All Policies Succeeded

| hosts | isAssigned | policy_name |
| --- | --- | --- |
| WIN7@illusive.com | false | |
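Several commands on this page take list arguments: `service_types` and `deceptive_hosts` are built with `Set ... append=true`, and `hosts` for illusive-assign-host-to-policy and illusive-remove-host-from-policy must be `machine@domain` entries with at most 1000 per call. The block below is an added example (not the integration's code) of the argument handling an automation needs before calling them: accepting either a real list from context or a comma-separated string typed by hand, validating the `machine@domain` format, and splitting an oversized host list into batches of 1000. The regular expression, the request-body layout and the function names are this example's assumptions.

```python
"""Normalize, validate and batch the list arguments used by the policy commands.

Added example; the host-name regex, the body layout and the names are
assumptions, not the integration's own implementation.
"""
import re

MAX_HOSTS_PER_CALL = 1000  # documented limit of the hosts argument
# Assumed shape: NetBIOS-style machine name, '@', DNS domain.
_HOST_RE = re.compile(r"^[A-Za-z0-9_-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def arg_to_list(value):
    """Accept None, a list (from `Set ... append=true`), a single string, or
    a comma-separated string, and return a list of stripped, non-empty items."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        items = [str(v) for v in value]
    else:
        items = str(value).split(",")
    return [item.strip() for item in items if item and item.strip()]


def validate_hosts(value):
    """Return the hosts in order, duplicates removed, or raise on bad input."""
    hosts = arg_to_list(value)
    if not hosts:
        raise ValueError("hosts must contain at least one machine@domain entry")
    bad = [h for h in hosts if not _HOST_RE.match(h)]
    if bad:
        raise ValueError(f"hosts not in machine@domain format: {bad}")
    return list(dict.fromkeys(hosts))


def batches(items, size=MAX_HOSTS_PER_CALL):
    """Split a list into consecutive chunks of at most `size` items."""
    if size < 1:
        raise ValueError("batch size must be positive")
    return [items[i:i + size] for i in range(0, len(items), size)]


def assign_requests(hosts_arg, policy_name):
    """One request body per batch of at most 1000 hosts (body layout assumed)."""
    if not policy_name or not str(policy_name).strip():
        raise ValueError("policy_name is required")
    return [{"policy_name": policy_name, "hosts": batch}
            for batch in batches(validate_hosts(hosts_arg))]


def remove_requests(hosts_arg):
    """Same batching for illusive-remove-host-from-policy, which takes only hosts."""
    return [{"hosts": batch} for batch in batches(validate_hosts(hosts_arg))]
```

Deduplicating before batching keeps a host from being assigned twice in one run, and failing on any malformed entry before the first call avoids a partially applied policy change that is hard to reconcile afterwards.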

### illusive-run-forensics-on-demand

Collect forensics on a specified host and retrieve the forensics timeline.

#### Base Command

`illusive-run-forensics-on-demand`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fqdn_or_ip | The host FQDN or IP address on which to collect forensics | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.eventId | String | The event ID created for the operation |

#### Command Example

```
!illusive-run-forensics-on-demand fqdn_or_ip=172.27.139.12
```

#### Human Readable Output

### Illusive Run Forensics On Demand

| eventId |
| --- |
| 123 |

### illusive-get-incidents

Retrieve incidents.

#### Base Command

`illusive-get-incidents`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The desired incident ID to retrieve. If specified, the other arguments are ignored and only a single incident is retrieved. | Optional |
| hostnames | The list of hostnames to retrieve incidents for | Optional |
| has_forensics | Whether to retrieve only incidents that have forensics | Optional |
| limit | Use offset and limit for pagination. The maximum limit is 100. | Optional |
| offset | Use offset and limit for pagination. | Optional |
| start_date | Retrieve incidents from this date onward | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Incident.closed | Boolean | Whether the incident has been closed |
| Illusive.Incident.deceptionFamilies | String | The deception families of the deceptions used to trigger the incident |
| Illusive.Incident.flagged | Boolean | Whether the incident has been flagged |
| Illusive.Incident.hasForensics | Boolean | Whether the incident has forensics |
| Illusive.Incident.incidentId | Number | The incident ID |
| Illusive.Incident.incidentTimeUTC | Date | Date and time of the incident |
| Illusive.Incident.incidentTypes | Unknown | Type of events detected |
| Illusive.Incident.lastSeenUser | String | The user who last reviewed the incident |
| Illusive.Incident.policyName | String | The compromised host's policy |
| Illusive.Incident.riskInsights.stepsToCrownJewel | Number | The compromised host's lateral distance from Crown Jewels |
| Illusive.Incident.riskInsights.stepsToDomainAdmin | Number | The compromised host's lateral distance from domain admin accounts |
| Illusive.Incident.sourceHostname | String | The compromised host's name |
| Illusive.Incident.sourceIp | String | The compromised host's IP address |
| Illusive.Incident.sourceOperatingSystem | String | The compromised host's operating system |
| Illusive.Incident.unread | Boolean | Whether the incident is still unread |
| Illusive.Incident.userNotes | String | The analyst's comments |

#### Command Example

```
!illusive-get-incidents incident_id=28
```

#### Human Readable Output

### Illusive Incidents

| closed | deceptionFamilies | flagged | hasForensics | incidentId | incidentTimeUTC | incidentTypes | lastSeenUser | policyName | riskInsights | sourceHostname | sourceIp | sourceOperatingSystem | unread | userNotes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | FAMILY_TYPE_BROWSERS | false | false | 28 | 2020-04-20T06:44:33.207Z | DECEPTION | | | stepsToDomainAdmin: null<br>stepsToCrownJewel: null | | 172.27.139.14 | | false | |
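Because `limit` is capped at 100, collecting every incident for a set of hosts means walking `offset` page by page until a page comes back short. The block below is an added example (not the integration's code) of that loop, with the two guards a production automation should have: a hard cap on the number of pages, and deduplication by `incidentId` in case the incident list shifts between pages. The client is a stub serving constructed incidents with the same fields as the sample above; the real integration issues the HTTP request in its place. Names and the stub are this example's own.

```python
"""Page through illusive-get-incidents results with limit <= 100.

Added example; StubIllusiveClient stands in for the integration's HTTP
client and serves constructed data.
"""
MAX_LIMIT = 100  # documented maximum for the limit argument


class StubIllusiveClient:
    """Constructed data: `total` incidents spread over three hostnames,
    every even incident ID has forensics."""

    def __init__(self, total=250):
        self._incidents = [
            {"incidentId": i, "sourceHostname": f"host{i % 3}.illusive.com",
             "hasForensics": i % 2 == 0, "incidentTimeUTC": "2020-04-20T06:44:33.207Z",
             "incidentTypes": ["DECEPTION"], "closed": False, "unread": True,
             "flagged": False}
            for i in range(1, total + 1)
        ]

    def get_incidents(self, offset=0, limit=MAX_LIMIT, hostnames=None, has_forensics=None):
        if not 1 <= limit <= MAX_LIMIT:
            raise ValueError("limit must be between 1 and 100")
        rows = self._incidents
        if hostnames:
            rows = [r for r in rows if r["sourceHostname"] in hostnames]
        if has_forensics is not None:
            rows = [r for r in rows if r["hasForensics"] == has_forensics]
        return rows[offset:offset + limit]


def iter_incidents(client, page_size=MAX_LIMIT, max_pages=1000, **filters):
    """Yield incidents across pages; stops on a short page or at max_pages."""
    page_size = min(max(page_size, 1), MAX_LIMIT)
    offset = 0
    seen = set()
    for _ in range(max_pages):  # hard stop so a misbehaving API cannot loop forever
        page = client.get_incidents(offset=offset, limit=page_size, **filters)
        for incident in page:
            if incident["incidentId"] in seen:  # overlap if the list shifted between pages
                continue
            seen.add(incident["incidentId"])
            yield incident
        if len(page) < page_size:
            return
        offset += page_size


def all_incidents(client, **kwargs):
    return list(iter_incidents(client, **kwargs))
```

Stopping on a short page rather than an empty one saves one round trip per query; the `max_pages` cap bounds the damage if the server ignores `offset` and keeps returning the first page.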

### illusive-get-event-incident-id

Retrieve the incident ID of an event.

#### Base Command

`illusive-get-event-incident-id`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | The event ID | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Illusive.Event.incidentId | String | The incident ID |
| Illusive.Event.eventId | String | The given event ID |
| Illusive.Event.status | String | The status of the operation (Done, InProgress) |

#### Command Example

```
!illusive-get-event-incident-id event_id=80
```

#### Human Readable Output

### Illusive Get Incident

| eventId | incidentId | status |
| --- | --- | --- |
| 80 | 72 | Done |
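The on-demand forensics flow spans three of the commands above: illusive-run-forensics-on-demand returns an event ID, illusive-get-event-incident-id reports InProgress until collection finishes and then yields the incident ID, and illusive-get-forensics-timeline fetches the evidence for that incident. The block below is an added example (not the integration's own code) of that flow as a single polling routine with a bounded number of status checks. The client is a stub over constructed data that completes after a set number of polls; the real integration issues HTTP calls. Method names, the retry limit and the error types are this example's assumptions.

```python
"""Run forensics on demand, wait for Done, fetch the timeline.

Added example; StubClient stands in for the integration's HTTP client.
"""
import time


class StubClient:
    """Simulates the three calls; the event becomes Done after
    `polls_to_done` status checks. Records every call for inspection."""

    def __init__(self, polls_to_done=2):
        self._remaining = polls_to_done
        self.calls = []

    def run_forensics_on_demand(self, fqdn_or_ip):
        self.calls.append(("run", fqdn_or_ip))
        return {"eventId": "123"}  # value taken from the page's sample output

    def get_event_incident_id(self, event_id):
        self.calls.append(("status", event_id))
        if self._remaining > 0:
            self._remaining -= 1
            return {"eventId": event_id, "incidentId": None, "status": "InProgress"}
        return {"eventId": event_id, "incidentId": "72", "status": "Done"}

    def get_forensics_timeline(self, incident_id):
        self.calls.append(("timeline", incident_id))
        # Constructed from the first row of the forensics timeline sample above.
        return {"IncidentId": incident_id, "Status": "Done", "Evidence": [
            {"eventId": "90", "id": "ad552472-9132-4b80-8e4e-092dadd56f24",
             "source": "MANAGEMENT", "starred": False, "time": 1587481466234,
             "title": "[External] Event 90"},
        ]}


class ForensicsNotReady(TimeoutError):
    """Raised when collection is still InProgress after max_polls checks."""


def collect_forensics(client, fqdn_or_ip, max_polls=10, interval_s=0.0):
    """Return (incident_id, evidence) once collection is Done.

    Polls at most max_polls times, sleeping interval_s between checks, so a
    playbook task cannot hang on a host that never reports back.
    """
    event_id = client.run_forensics_on_demand(fqdn_or_ip)["eventId"]
    for _ in range(max_polls):
        status = client.get_event_incident_id(event_id)
        if status["status"] == "Done":
            incident_id = status.get("incidentId")
            if not incident_id:
                raise RuntimeError(f"event {event_id} finished without an incident ID")
            timeline = client.get_forensics_timeline(incident_id)
            return incident_id, timeline["Evidence"]
        if status["status"] != "InProgress":
            raise RuntimeError(f"unexpected status {status['status']!r} for event {event_id}")
        if interval_s:
            time.sleep(interval_s)
    raise ForensicsNotReady(f"event {event_id} still InProgress after {max_polls} polls")
```

In a playbook the same logic is usually expressed as a polling loop around illusive-get-event-incident-id with a timeout; a routine that raises a distinct error on timeout lets the playbook branch to a manual task instead of treating an unfinished collection as a failed one.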