Illusive - Data Enrichment

This playbook is used for automatic enrichment of incidents in the organization network, with Illusive's set of forensics and data

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Illusive-Collect-Forensics-On-Demand

Integrations

  • IllusiveNetworks

Scripts

This playbook does not use any scripts.

Commands

  • illusive-get-forensics-analyzers
  • illusive-get-incidents
  • illusive-get-forensics-artifacts
  • illusive-get-forensics-timeline
  • setIncident
  • illusive-get-incident-events
  • illusive-get-forensics-triggering-process-info

Playbook Inputs


NameDescriptionDefault ValueRequired
illusive_incident_idIllusive incident ID
${incident.illusivenetworksid}Optional
fqdn_or_ipThe endpoint's fqdn or IP address
${Endpoint.Hostname}Optional

Playbook Outputs


PathDescriptionType
Illusive.Incident.incidentIdThe Incident IDnumber
Illusive.Incident.sourceHostnameThe compromised host's namestring
Illusive.Incident.sourceIpThe compromised host's IP addressstring
Illusive.Incident.sourceOperatingSystemThe compromised host's operating systemstring
Illusive.Incident.lastSeenUserThe user who last reviewed the incidentstring
Illusive.Incident.deceptionFamiliesThe deception families of the deceptions used to trigger
the incidentstring
Illusive.Incident.riskInsights.stepsToCrownJewelThe compromised host's lateral distance from Crown Jewelsnumber
Illusive.Incident.riskInsights.stepsToDomainAdminThe compromised host's lateral distance from domain admin accountsnumber
Illusive.Incident.eventsNumberThe number of associated eventsnumber
Illusive.Event.eventIdThe corresponding event IDnumber
Illusive.Event.incidentIdThe corresponding incident IDnumber
Illusive.Event.ForensicsAnalyzersThe forensics analyzerstring
Illusive.Event.ForensicsTriggeringProcess.commandLineThe triggering process command linestring
Illusive.Event.ForensicsTriggeringProcess.connectionsNumThe triggering process active connectionsnumber
Illusive.Event.ForensicsTriggeringProcess.md5The triggering process md5string
Illusive.Event.ForensicsTriggeringProcess.sha256The triggering process sha256string
Illusive.Event.ForensicsTriggeringProcess.nameThe triggering process namestring
Illusive.Event.ForensicsTriggeringProcess.parentThe parent process of the triggering processstring
Illusive.Event.ForensicsTriggeringProcess.pathThe triggering process pathstring
Illusive.Event.ForensicsTriggeringProcess.startTimeThe triggering process start timedate
Illusive.Incident.incidentTimeUTCDate and time of the incidentdate
Illusive.Incident.closedWhether the incident has been closedboolean
Illusive.Incident.flaggedWhether the incident has been flaggedboolean
Illusive.Incident.hasForensicsWhether incident has forensicsboolean
Illusive.Incident.incidentTypesType of events detectedstring
Illusive.Incident.policyNameThe compromised host's policystring
Illusive.Incident.unreadWhether the incident has been readboolean
Illusive.Incident.userNotesThe analyst's commentsstring

Playbook Image


Illusive - Data Enrichment