Smokescreen IllusionBLACK

Smokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats in real time, including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware. This integration was integrated and tested with version v3.10.7.4 of Smokescreen IllusionBLACK.

Permissions

Configure Smokescreen IllusionBLACK on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Smokescreen IllusionBLACK.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| client_id | IllusionBLACK API Client Id | True |
| token | IllusionBLACK External API Token | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| first_fetch | First fetch time for fetching incidents (2 days, 3 weeks, etc.) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

illusionblack-get-ad-decoys


Gets a list of Active Directory decoys.

Base Command

illusionblack-get-ad-decoys

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.AdDecoy | Unknown | IllusionBLACK AD Decoy users. |

Command Example

!illusionblack-get-ad-decoys

Context Example
```json
{
  "IllusionBlack": {
    "AdDecoy": {
      "first_name": "felix",
      "last_name": "hunt",
      "ou": "mumbai",
      "state": "added",
      "user_name": "sqladmin"
    }
  }
}
```

Human Readable Output

IllusionBLACK AD Decoys

| First Name | Last Name | Ou | State | User Name |
| --- | --- | --- | --- | --- |
| felix | hunt | mumbai | added | sqladmin |

illusionblack-get-network-decoys


Gets a list of Network decoys.

Base Command

illusionblack-get-network-decoys

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.NetworkDecoy | Unknown | IllusionBLACK Network decoys. |

Command Example

!illusionblack-get-network-decoys

Context Example
```json
{
  "IllusionBlack": {
    "NetworkDecoy": [
      {
        "ip": "10.20.23.61",
        "mac": "d0:43:1e:cd:cb:c2",
        "name": "CTX-BACKUPS31",
        "services": "web"
      },
      {
        "ip": "10.20.23.64",
        "mac": "a0:48:1c:ee:08:38",
        "name": "GCP-CYBERARK",
        "services": "web"
      },
      {
        "ip": "10.20.23.63",
        "mac": "00:fd:45:fa:6f:4d",
        "name": "NEW-XEN",
        "services": "web"
      },
      {
        "ip": "10.20.23.65",
        "mac": "14:b3:1f:08:84:6d",
        "name": "PRIM-CYBERARK",
        "services": "web, shares"
      },
      {
        "ip": "10.20.23.62",
        "mac": "20:a6:cd:00:6e:70",
        "name": "SAP44",
        "services": "web, shares"
      },
      {
        "ip": "10.20.23.60",
        "mac": "90:b1:1c:73:64:fc",
        "name": "ARCOSNEW",
        "services": "web"
      }
    ]
  }
}
```

Human Readable Output

IllusionBLACK Network Decoys

| Ip | Mac | Name | Services |
| --- | --- | --- | --- |
| 10.20.23.61 | d0:43:1e:cd:cb:c2 | CTX-BACKUPS31 | web |
| 10.20.23.64 | a0:48:1c:ee:08:38 | GCP-CYBERARK | web |
| 10.20.23.63 | 00:fd:45:fa:6f:4d | NEW-XEN | web |
| 10.20.23.65 | 14:b3:1f:08:84:6d | PRIM-CYBERARK | web, shares |
| 10.20.23.62 | 20:a6:cd:00:6e:70 | SAP44 | web, shares |
| 10.20.23.60 | 90:b1:1c:73:64:fc | ARCOSNEW | web |

illusionblack-get-ti-decoys


Gets a list of Threat Intel decoys.

Base Command

illusionblack-get-ti-decoys

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.TIDecoy | Unknown | IllusionBLACK TI Decoys. |

Command Example

!illusionblack-get-ti-decoys

Context Example
```json
{
  "IllusionBlack": {
    "TIDecoy": {
      "dataset": "Finacle",
      "ip": "10.20.23.67",
      "name": "dev.smokescreen.io",
      "server_type": "nginx/1.14.0 (Ubuntu)"
    }
  }
}
```

Human Readable Output

IllusionBLACK TI Decoys

| Dataset | Ip | Name | Server Type |
| --- | --- | --- | --- |
| Finacle | 10.20.23.67 | dev.smokescreen.io | nginx/1.14.0 (Ubuntu) |

illusionblack-is-host-decoy


Checks if a host or IP address is a network decoy.

Base Command

illusionblack-is-host-decoy

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| host | Hostname or IP address to check. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.IsHostDecoy.Host | String | The IP address or hostname submitted to IllusionBLACK to check. |
| IllusionBlack.IsHostDecoy.Value | Boolean | True if the host is a decoy, otherwise false. |

Command Example

!illusionblack-is-host-decoy host="SAP44"

Context Example
```json
{
  "IllusionBlack": {
    "IsHostDecoy": {
      "Host": "SAP44",
      "Value": true
    }
  }
}
```

Human Readable Output

True

illusionblack-is-user-decoy


Checks if an Active Directory user is a decoy.

Base Command

illusionblack-is-user-decoy

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| user | Active Directory user name to check. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.IsUserDecoy.User | String | The AD username submitted to IllusionBLACK to check. |
| IllusionBlack.IsUserDecoy.Value | Boolean | True if the user is a decoy, otherwise false. |

Command Example

!illusionblack-is-user-decoy user="sqladmin"

Context Example
```json
{
  "IllusionBlack": {
    "IsUserDecoy": {
      "User": "sqladmin",
      "Value": true
    }
  }
}
```

Human Readable Output

True

illusionblack-is-subdomain-decoy


Checks if a subdomain is a Threat Intel decoy.

Base Command

illusionblack-is-subdomain-decoy

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| subdomain | Subdomain to check. For example: dec.smokescreen.io. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.IsSubdomainDecoy.Subdomain | String | The subdomain submitted to IllusionBLACK to check. |
| IllusionBlack.IsSubdomainDecoy.Value | Boolean | True if the subdomain is a decoy, otherwise false. |

Command Example

!illusionblack-is-subdomain-decoy subdomain="experience.illusionblack.com"

Context Example
```json
{
  "IllusionBlack": {
    "IsSubdomainDecoy": {
      "Subdomain": "experience.illusionblack.com",
      "Value": false
    }
  }
}
```

Human Readable Output

False

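The three `is-*-decoy` commands answer a yes/no question against the inventories returned by the `get-*-decoys` commands. As an added example (not the integration's own code), the Python below rebuilds those answers offline from inventories shaped like the Context Examples above, so decoy names can be matched against other telemetry without a round trip to the appliance; the normalization rules (case-folding, reducing `DOMAIN\user` and `user@domain` to the bare user name) are assumptions of this example.

```python
import ipaddress
from typing import Any, Dict, List, Union

Context = Union[Dict[str, Any], List[Dict[str, Any]]]

# Constructed sample inventories, copied from the Context Examples above. Note
# the context shape: one decoy arrives as an object, several as a list.
AD_DECOYS: Context = {"first_name": "felix", "last_name": "hunt", "ou": "mumbai",
                      "state": "added", "user_name": "sqladmin"}
NETWORK_DECOYS: Context = [
    {"ip": "10.20.23.61", "mac": "d0:43:1e:cd:cb:c2", "name": "CTX-BACKUPS31", "services": "web"},
    {"ip": "10.20.23.62", "mac": "20:a6:cd:00:6e:70", "name": "SAP44", "services": "web, shares"},
]
TI_DECOYS: Context = {"dataset": "Finacle", "ip": "10.20.23.67",
                      "name": "dev.smokescreen.io", "server_type": "nginx/1.14.0 (Ubuntu)"}


def _as_list(ctx: Context) -> List[Dict[str, Any]]:
    """Normalize the one-object / many-objects context shape to a list."""
    return ctx if isinstance(ctx, list) else [ctx]


class DecoyIndex:
    """Offline answers to the three is-*-decoy questions from decoy inventories."""

    def __init__(self, ad: Context, network: Context, ti: Context) -> None:
        # Names are case-folded; AD and NetBIOS names are not case-sensitive.
        self.users = {d["user_name"].lower() for d in _as_list(ad)}
        self.hosts = {d["name"].lower() for d in _as_list(network)}
        # is-host-decoy covers network decoys only, so TI decoy IPs stay out.
        self.ips = {ipaddress.ip_address(d["ip"]) for d in _as_list(network)}
        self.subdomains = {d["name"].lower().rstrip(".") for d in _as_list(ti)}

    def is_host_decoy(self, host: str) -> bool:
        """Hostname or IP address, as accepted by illusionblack-is-host-decoy."""
        value = host.strip()
        try:
            return ipaddress.ip_address(value) in self.ips
        except ValueError:  # not an IP literal, so treat it as a hostname
            return value.lower() in self.hosts

    def is_user_decoy(self, user: str) -> bool:
        """AD user name; DOMAIN\\user and user@domain are reduced to the bare
        name (an assumption of this example about how callers pass the value)."""
        name = user.strip().lower().split("\\")[-1].split("@")[0]
        return name in self.users

    def is_subdomain_decoy(self, subdomain: str) -> bool:
        """Exact match against TI decoy names, e.g. dev.smokescreen.io."""
        return subdomain.strip().lower().rstrip(".") in self.subdomains
```
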
illusionblack-get-events


Gets events from IllusionBLACK.

Base Command

illusionblack-get-events

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Number of events to return, between 1 and 1000. | Optional |
| query | IllusionBLACK query. For example: `attacker.ip is "1.2.3.4"` | Optional |
| from | ISO 8601 formatted date string. | Optional |
| to | ISO 8601 formatted date string. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.Event | Unknown | IllusionBLACK Events. |

Command Example

!illusionblack-get-events limit=3

Context Example
```json
{
  "IllusionBlack": {
    "Event": [
      {
        "attacker.id": "ADMIN-PC-001\\admin",
        "attacker.name": "ADMIN-PC-001\\admin",
        "attacker.score": 175,
        "attacker.threat_parse_ids": [
          "lm_file_open",
          "lm_file_active_monitoring"
        ],
        "decoy.appliance.id": "cmc",
        "decoy.appliance.name": "CMC",
        "decoy.client.id": "experience",
        "decoy.client.name": "experience",
        "decoy.group": "Endpoint",
        "decoy.id": "endpoint:admin-pc-001",
        "decoy.name": "admin-pc-001",
        "decoy.type": "endpoint",
        "file.name": "C:\\Users\\admin\\Desktop\\passwords\\Passwords.xlsx",
        "file.operation": "67",
        "file.operation_string": "Read",
        "file.process.command_line": "\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -executionpolicy bypass",
        "file.process.domain_name": "ADMIN-PC-001",
        "file.process.exit_code": -1,
        "file.process.id": "10228",
        "file.process.image_name": "powershell.exe",
        "file.process.user_name": "admin",
        "file.process.user_sid": "S-1-5-21-399445878-2258755057-882339928-1000",
        "file.thread_id": "8588",
        "id": "2020-02-25T09:49:15Z-76c99a22-03b9-439e-8638-37306c2d8e7f",
        "kill_chain_phase": "Data Theft",
        "mitre_ids": [
          "T1005"
        ],
        "record_type": "event",
        "severity": "high",
        "sub_type": "file",
        "threat_parse_ids": [
          "lm_file_open"
        ],
        "timestamp": "2020-04-12T08:57:01Z",
        "type": "endpoint",
        "whitelisted": false
      },
      {
        "attacker.id": "NT AUTHORITY\\SYSTEM",
        "attacker.name": "NT AUTHORITY\\SYSTEM",
        "attacker.score": 250,
        "attacker.threat_parse_ids": [
          "filetheft_unattend",
          "lm_file_active_monitoring",
          "lm_file_open"
        ],
        "decoy.appliance.id": "cmc",
        "decoy.appliance.name": "CMC",
        "decoy.client.id": "experience",
        "decoy.client.name": "experience",
        "decoy.group": "Endpoint",
        "decoy.id": "endpoint:admin-pc-001",
        "decoy.name": "admin-pc-001",
        "decoy.type": "endpoint",
        "file.name": "C:\\Users\\admin\\Desktop\\passwords\\Passwords.xlsx",
        "file.operation": "67",
        "file.operation_string": "Read",
        "file.process.command_line": "",
        "file.process.domain_name": "NT AUTHORITY",
        "file.process.exit_code": -1,
        "file.process.id": "2824",
        "file.process.image_name": "MsMpEng.exe",
        "file.process.user_name": "SYSTEM",
        "file.process.user_sid": "S-1-5-18",
        "file.thread_id": "724",
        "id": "2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0",
        "kill_chain_phase": "Data Theft",
        "mitre_ids": [
          "T1005"
        ],
        "record_type": "event",
        "severity": "high",
        "sub_type": "file",
        "threat_parse_ids": [
          "lm_file_open"
        ],
        "timestamp": "2020-04-12T08:57:01Z",
        "type": "endpoint",
        "whitelisted": false
      },
      {
        "attacker.id": "ADMIN-PC-001\\admin",
        "attacker.name": "ADMIN-PC-001\\admin",
        "attacker.score": 175,
        "attacker.threat_parse_ids": [
          "lm_file_open",
          "lm_file_active_monitoring"
        ],
        "decoy.appliance.id": "cmc",
        "decoy.appliance.name": "CMC",
        "decoy.client.id": "experience",
        "decoy.client.name": "experience",
        "decoy.group": "Endpoint",
        "decoy.id": "endpoint:admin-pc-001",
        "decoy.name": "admin-pc-001",
        "decoy.type": "endpoint",
        "file.name": "C:\\Users\\admin\\Desktop\\docs\\vulnerability assessment report\\vulnerability assessment report.xlsx",
        "file.operation": "65",
        "file.operation_string": "Cleanup",
        "file.process.command_line": "\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -executionpolicy bypass",
        "file.process.domain_name": "ADMIN-PC-001",
        "file.process.exit_code": -1,
        "file.process.id": "10228",
        "file.process.image_name": "powershell.exe",
        "file.process.user_name": "admin",
        "file.process.user_sid": "S-1-5-21-399445878-2258755057-882339928-1000",
        "file.thread_id": "0",
        "id": "2020-02-25T09:45:48Z-fa248a98-bc8a-4275-93c7-e63ff1ee8d34",
        "kill_chain_phase": "Data Theft",
        "mitre_ids": [
          "T1005"
        ],
        "record_type": "event",
        "severity": "high",
        "sub_type": "file",
        "threat_parse_ids": [
          "lm_file_active_monitoring"
        ],
        "timestamp": "2020-04-12T08:53:20Z",
        "type": "endpoint",
        "whitelisted": false
      }
    ]
  }
}
```

Human Readable Output

IllusionBLACK Events

| attacker.id | attacker.name | attacker.score | attacker.threat_parse_ids | decoy.appliance.id | decoy.appliance.name | decoy.client.id | decoy.client.name | decoy.group | decoy.id | decoy.name | decoy.type | file.name | file.operation | file.operation_string | file.process.command_line | file.process.domain_name | file.process.exit_code | file.process.id | file.process.image_name | file.process.user_name | file.process.user_sid | file.thread_id | id | kill_chain_phase | mitre_ids | record_type | severity | sub_type | threat_parse_ids | timestamp | type | whitelisted |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ADMIN-PC-001\admin | ADMIN-PC-001\admin | 175 | lm_file_open, lm_file_active_monitoring | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\passwords\Passwords.xlsx | 67 | Read | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass | ADMIN-PC-001 | -1 | 10228 | powershell.exe | admin | S-1-5-21-399445878-2258755057-882339928-1000 | 8588 | 2020-02-25T09:49:15Z-76c99a22-03b9-439e-8638-37306c2d8e7f | Data Theft | T1005 | event | high | file | lm_file_open | 2020-04-12T08:57:01Z | endpoint | false |
| NT AUTHORITY\SYSTEM | NT AUTHORITY\SYSTEM | 250 | filetheft_unattend, lm_file_active_monitoring, lm_file_open | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\passwords\Passwords.xlsx | 67 | Read |  | NT AUTHORITY | -1 | 2824 | MsMpEng.exe | SYSTEM | S-1-5-18 | 724 | 2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0 | Data Theft | T1005 | event | high | file | lm_file_open | 2020-04-12T08:57:01Z | endpoint | false |
| ADMIN-PC-001\admin | ADMIN-PC-001\admin | 175 | lm_file_open, lm_file_active_monitoring | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\docs\vulnerability assessment report\vulnerability assessment report.xlsx | 65 | Cleanup | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass | ADMIN-PC-001 | -1 | 10228 | powershell.exe | admin | S-1-5-21-399445878-2258755057-882339928-1000 | 0 | 2020-02-25T09:45:48Z-fa248a98-bc8a-4275-93c7-e63ff1ee8d34 | Data Theft | T1005 | event | high | file | lm_file_active_monitoring | 2020-04-12T08:53:20Z | endpoint | false |

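`illusionblack-get-events` returns one record per decoy interaction, so a busy decoy yields many rows for the same attacker. As an added example (not part of the integration), the Python below collapses events in the shape shown above into one row per `attacker.id`; the aggregation policy (drop `whitelisted` events, rank by `attacker.score`, take timing from `timestamp`) is this example's own choice, not platform behaviour.

```python
from collections import defaultdict
from datetime import datetime
from typing import Any, Dict, List

# Constructed sample: the three events from the Context Example above, trimmed
# to the fields this helper reads. Field names are the platform's own.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"attacker.id": "ADMIN-PC-001\\admin", "attacker.score": 175, "decoy.id": "endpoint:admin-pc-001",
     "file.process.image_name": "powershell.exe", "mitre_ids": ["T1005"], "severity": "high",
     "threat_parse_ids": ["lm_file_open"], "timestamp": "2020-04-12T08:57:01Z", "whitelisted": False},
    {"attacker.id": "NT AUTHORITY\\SYSTEM", "attacker.score": 250, "decoy.id": "endpoint:admin-pc-001",
     "file.process.image_name": "MsMpEng.exe", "mitre_ids": ["T1005"], "severity": "high",
     "threat_parse_ids": ["lm_file_open"], "timestamp": "2020-04-12T08:57:01Z", "whitelisted": False},
    {"attacker.id": "ADMIN-PC-001\\admin", "attacker.score": 175, "decoy.id": "endpoint:admin-pc-001",
     "file.process.image_name": "powershell.exe", "mitre_ids": ["T1005"], "severity": "high",
     "threat_parse_ids": ["lm_file_active_monitoring"], "timestamp": "2020-04-12T08:53:20Z", "whitelisted": False},
]


def _ts(value: str) -> datetime:
    """Parse the ISO 8601 'timestamp' field. In the sample above the date prefix
    of 'id' differs from 'timestamp', so ordering relies on this field only."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per attacker.id, highest attacker.score first; whitelisted
    events are dropped because the platform already marked them as expected."""
    by_attacker: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for ev in events:
        if not ev.get("whitelisted", False):
            by_attacker[ev["attacker.id"]].append(ev)
    rows = []
    for attacker, evs in by_attacker.items():
        times = sorted(_ts(e["timestamp"]) for e in evs)
        rows.append({
            "attacker": attacker,
            "events": len(evs),
            "max_score": max(e["attacker.score"] for e in evs),
            "mitre_ids": sorted({m for e in evs for m in e.get("mitre_ids", [])}),
            "threat_parses": sorted({t for e in evs for t in e.get("threat_parse_ids", [])}),
            "decoys": sorted({e["decoy.id"] for e in evs}),
            "processes": sorted({e["file.process.image_name"] for e in evs if e.get("file.process.image_name")}),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
        })
    rows.sort(key=lambda r: (-r["max_score"], r["attacker"]))
    return rows
```
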
illusionblack-get-event-by-id


Gets a single event by the event ID.

Base Command

illusionblack-get-event-by-id

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| id | IllusionBLACK Event ID. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IllusionBlack.Event | Unknown | IllusionBLACK Single Event. |
| IllusionBlack.Event.attacker.id | Unknown | IllusionBLACK Event Attacker ID. |
| IllusionBlack.Event.decoy.id | Unknown | IllusionBLACK Event Decoy ID. |
| IllusionBlack.Event.id | Unknown | IllusionBLACK Event ID. |
| IllusionBlack.Event.severity | Unknown | IllusionBLACK Event Severity. |
| IllusionBlack.Event.type | Unknown | IllusionBLACK Event Attack Type. |

Command Example

!illusionblack-get-event-by-id id="2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0"

Context Example
```json
{
  "IllusionBlack": {
    "Event": {
      "attacker.id": "NT AUTHORITY\\SYSTEM",
      "attacker.name": "NT AUTHORITY\\SYSTEM",
      "attacker.score": 250,
      "attacker.threat_parse_ids": [
        "filetheft_unattend",
        "lm_file_active_monitoring",
        "lm_file_open"
      ],
      "decoy.appliance.id": "cmc",
      "decoy.appliance.name": "CMC",
      "decoy.client.id": "experience",
      "decoy.client.name": "experience",
      "decoy.group": "Endpoint",
      "decoy.id": "endpoint:admin-pc-001",
      "decoy.name": "admin-pc-001",
      "decoy.type": "endpoint",
      "file.name": "C:\\Users\\admin\\Desktop\\passwords\\Passwords.xlsx",
      "file.operation": "67",
      "file.operation_string": "Read",
      "file.process.command_line": "",
      "file.process.domain_name": "NT AUTHORITY",
      "file.process.exit_code": -1,
      "file.process.id": "2824",
      "file.process.image_name": "MsMpEng.exe",
      "file.process.user_name": "SYSTEM",
      "file.process.user_sid": "S-1-5-18",
      "file.thread_id": "724",
      "id": "2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0",
      "kill_chain_phase": "Data Theft",
      "mitre_ids": [
        "T1005"
      ],
      "record_type": "event",
      "severity": "high",
      "sub_type": "file",
      "threat_parse_ids": [
        "lm_file_open"
      ],
      "timestamp": "2020-04-12T08:57:01Z",
      "type": "endpoint",
      "whitelisted": false
    }
  }
}
```

Human Readable Output

IllusionBLACK Single Event

| attacker.id | attacker.name | attacker.score | attacker.threat_parse_ids | decoy.appliance.id | decoy.appliance.name | decoy.client.id | decoy.client.name | decoy.group | decoy.id | decoy.name | decoy.type | file.name | file.operation | file.operation_string | file.process.command_line | file.process.domain_name | file.process.exit_code | file.process.id | file.process.image_name | file.process.user_name | file.process.user_sid | file.thread_id | id | kill_chain_phase | mitre_ids | record_type | severity | sub_type | threat_parse_ids | timestamp | type | whitelisted |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| NT AUTHORITY\SYSTEM | NT AUTHORITY\SYSTEM | 250 | filetheft_unattend, lm_file_active_monitoring, lm_file_open | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\passwords\Passwords.xlsx | 67 | Read |  | NT AUTHORITY | -1 | 2824 | MsMpEng.exe | SYSTEM | S-1-5-18 | 724 | 2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0 | Data Theft | T1005 | event | high | file | lm_file_open | 2020-04-12T08:57:01Z | endpoint | false |