Illusive - Incident Escalation

This playbook automatically analyzes the details of an Illusive Networks incident and produces a score together with a set of insights (proximity to crown jewels or domain admin credentials, malicious triggering process, ransomware deception, event count, active RDP connection) that enable automated decisions and actions.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • IllusiveNetworks

Scripts

  • Set

Commands

  • illusive-get-incidents
  • setIncident
  • illusive-get-forensics-analyzers
  • illusive-get-incident-events

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| proximity_threshold | The maximum number of steps from a crown jewel or from domain admin credentials for the proximity to be considered high-risk | 3 | Optional |
| events_threshold | The minimum number of associated events for this incident to be considered a multiple-events incident | 1 | Optional |
| proximity_weight | The unified score added when the proximity to a crown jewel and/or the proximity to domain admin credentials is under the specified threshold | 30 | Optional |
| triggering_weight | The unified score added when the triggering process has been found malicious and/or the triggering deception is ransomware | 60 | Optional |
| events_weight | The score added when the number of events in the inspected incident is above the specified threshold | 5 | Optional |
| rdp_weight | The score added when there is an active RDP connection to the source host | 5 | Optional |
| illusive_incident_id | The incident ID of the Illusive Networks incident | ${incident.illusivenetworksid} | Required |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| Illusive.IncidentEscalationPlaybook.incidentId | The corresponding incident ID | number |
| Illusive.IncidentEscalationPlaybook.isCloseToCrownJewel | Whether the proximity to a crown jewel is under a certain threshold | boolean |
| Illusive.IncidentEscalationPlaybook.isCloseToAdminCredentials | Whether the proximity to domain admin credentials is under a certain threshold | boolean |
| Illusive.IncidentEscalationPlaybook.isMultipleEvents | Whether the number of associated events is above a certain threshold | boolean |
| Illusive.IncidentEscalationPlaybook.isTriggeringProcessMalicious | Whether the triggering process has been found malicious by VirusTotal | boolean |
| Illusive.IncidentEscalationPlaybook.isActiveRdpConnection | Whether there is an active RDP connection to the source host | boolean |
| Illusive.IncidentEscalationPlaybook.isRansomware | Whether the triggering deception is ransomware | boolean |
| Illusive.IncidentEscalationPlaybook.incidentScore | The accumulated score of the incident | boolean |
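The scoring the inputs and outputs above describe, as an added Python example that is not part of the playbook or of the Illusive Networks integration. It assumes the incident facts have already been gathered (the `IncidentDetails` field names are hypothetical), that "under the threshold" means at most `proximity_threshold` steps, and that "above the threshold" means strictly more than `events_threshold` events.

```python
from dataclasses import dataclass
from typing import Optional

# Playbook input defaults, as listed in the README.
DEFAULTS = {
    "proximity_threshold": 3,
    "events_threshold": 1,
    "proximity_weight": 30,
    "triggering_weight": 60,
    "events_weight": 5,
    "rdp_weight": 5,
}


@dataclass
class IncidentDetails:
    """Constructed incident facts for this example (field names are
    assumptions, not the integration's context paths). None means the
    forensics analyzers reported no path to that asset."""
    incident_id: int
    steps_to_crown_jewel: Optional[int]
    steps_to_admin_credentials: Optional[int]
    event_count: int
    triggering_process_malicious: bool
    ransomware_deception: bool
    active_rdp_connection: bool


def escalate(details: IncidentDetails, params: Optional[dict] = None) -> dict:
    """Return the playbook outputs (insight flags plus accumulated score)."""
    p = {**DEFAULTS, **(params or {})}

    def within(steps: Optional[int], limit: int) -> bool:
        return steps is not None and steps <= limit

    close_cj = within(details.steps_to_crown_jewel, p["proximity_threshold"])
    close_admin = within(details.steps_to_admin_credentials, p["proximity_threshold"])
    multi = details.event_count > p["events_threshold"]

    score = 0
    # "Unified" weights count once even when both conditions of the pair hold,
    # so the four weights sum to 100 with the defaults.
    if close_cj or close_admin:
        score += p["proximity_weight"]
    if details.triggering_process_malicious or details.ransomware_deception:
        score += p["triggering_weight"]
    if multi:
        score += p["events_weight"]
    if details.active_rdp_connection:
        score += p["rdp_weight"]

    return {
        "incidentId": details.incident_id,
        "isCloseToCrownJewel": close_cj,
        "isCloseToAdminCredentials": close_admin,
        "isMultipleEvents": multi,
        "isTriggeringProcessMalicious": details.triggering_process_malicious,
        "isActiveRdpConnection": details.active_rdp_connection,
        "isRansomware": details.ransomware_deception,
        "incidentScore": score,
    }
```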

Playbook Image


Illusive - Incident Escalation