Cyware Orchestrate

Illusive

App Vendor: Illusive Networks

Connector Category: Network Security

Connector Version: 1.0.0

API Version: 1.0.0

About App

Illusive reduces cyber risk by shrinking the attack surface and stopping attacker movement. Illusive creates a hostile environment for attackers, depriving them of the means to progress towards critical assets after breaching the perimeter.

The Illusive app is configured with the Orchestrate application to perform the following actions:

| Action Name | Description |
| --- | --- |
| List Crown Jewel Connection Violations | This action lists all violations for crown jewels. |
| List Azure Privileged Identities Violations | This action lists all violations for Azure privileged identities. |
| List Domain User Credential Violations | This action retrieves a list of all the domain user credential violations for a specified hostname or violating user. |
| List Local User Admin Violations | This action lists all violations for local user admins. |
| List Shadow Admin Violations | This action lists all the shadow admin violations for a specified shadowing username or shadowed AD user group. |
| List Suspicious Files Violations | This action retrieves a list of all the suspicious file violations for a specified hostname, filename, or hash. |
| List Incidents | This action lists and filters incidents. |
| Get Events from Incident ID | This action retrieves a list of associated events using an incident ID. |
| Get Incident Details | This action describes an incident. |
| Get Incident Timeline | This action retrieves the forensics timeline for a specific incident or decoy. |
| Get Existing Forensics | This action retrieves the forensics timeline for a specific incident or decoy. |
| Get Forensic Analyser for Events | This action retrieves the forensics timeline for a specific incident or decoy. |
| Get Forensic Artifacts for Events | This action retrieves the forensics artifacts for an event. |

Configuration Parameters

The following configuration parameters are required for the Illusive app to communicate with the Illusive enterprise application. The parameters can be configured by creating instances in the app.

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| API token | Enter the API token to authenticate. | Password | Required | |
| Base URL | Enter the base URL. Example: "https://illusivemgmt.domain.tld/" | Text | Required | |

Action: List Crown Jewel Connection Violations

This action lists all violations for crown jewels.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Host Identifier | Enter the hostname or IP address. Example: "domain.com" | Text | Required | |
| Identifier Type | Enter the identifier type. Example: "hostname" | Text | Required | Allowed values: hostname, crown_jewel |
| Offset | Enter the ordinal number of the first result to return. Example: 100 | Integer | Optional | A value of 100 returns values starting from the 100th result. |
| Limit | Enter the maximum number of results to return in this request. Example: 100 | Integer | Optional | A value of 80 sends up to 80 results in this request. |

Example Request

[
    {
        "host_identifier": "domain.com",
        "identifier_type": "hostname"
    }
]

Action: List Azure Privileged Identities Violations

This action lists all violations for Azure privileged identities.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| AD User Status | Enter the AD user status. Example: "enabled" | Text | Optional | Allowed values: enabled, disabled, not_found, not_available |
| Identity | Enter the name of the user or application. | Text | Optional | |
| Identity Type | Enter the Azure identity type. Example: "user" | Text | Optional | Allowed values: user, application |
| Offset | Enter the ordinal number of the first result to return. Example: 100 | Integer | Optional | A value of 100 returns values starting from the 100th result. |
| Limit | Enter the maximum number of results to return in this request. Example: 100 | Integer | Optional | A value of 80 sends up to 80 results in this request. |

Example Request

[
    {
        "ad_user_status": "enabled"
    }
]

Action: List Domain User Credential Violations

This action retrieves a list of all the domain user credential violations for a specified hostname or violating user.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Identifier | Enter the hostname or IP address. Example: "domain.com" | Text | Required | |
| Identity Type | Enter the Azure identity type. Example: "username" | Text | Required | Allowed values: hostname, username |
| Offset | Enter the ordinal number of the first result to return. Example: 100 | Integer | Optional | A value of 100 returns values starting from the 100th result. |
| Limit | Enter the maximum number of results to return in this request. Example: 100 | Integer | Optional | A value of 80 sends up to 80 results in this request. |

Example Request

[
    {
        "identifier": "domain.com",
        "identity_type": "hostname"
    }
]

Action: List Local User Admin Violations

This action retrieves all violations for local user admins.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Host Identifier | Enter the identifier of the violating host. Example: "hostname" | Text | Required | |
| Offset | Enter the ordinal number of the first result to return. Example: 100 | Integer | Optional | A value of 100 returns values starting from the 100th result. |
| Limit | Enter the maximum number of results to return in this request. Example: 100 | Integer | Optional | A value of 80 sends up to 80 results in this request. |

Example Request

[
    {
        "host_identifier": "hostname"
    }
]

Action: List Shadow Admin Violations

This action retrieves a list of all the shadow admin violations for a specified shadowing username or shadowed AD user group.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Identifier | Enter the shadow admin username or name of the shadowed AD user group. Example: "admin-user" | Text | Required | |
| Identifier Type | Enter the identifier type. Example: "shadow_admin_name" | Text | Required | Allowed values: shadow_admin_name, shadowed_object_name |
| Offset | Enter the ordinal number of the first result to return. Example: 100 | Integer | Optional | A value of 100 returns values starting from the 100th result. |
| Limit | Enter the maximum number of results to return in this request. Example: 100 | Integer | Optional | A value of 80 sends up to 80 results in this request. |

Example Request

[
   {
      "identifier":"admin-user",
      "identifier_type":"shadow_admin_name"
   }
]

Action: List Suspicious Files Violations

This action retrieves a list of all the suspicious file violations for a specified hostname, filename, or hash.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| File Identifier | Enter the identifier name of the file or hash. Example: "filename.pdf" | Text | Optional | |
| File Identifier Type | Enter the file identifier type. Example: "file_name" | Text | Optional | Allowed values: file_name, hash |
| Host Identifier | Enter the host identifier. | Text | Optional | |
| Offset | Enter the ordinal number of the first result to return. Example: 100 | Integer | Optional | A value of 100 returns values starting from the 100th result. |
| Limit | Enter the maximum number of results to return in this request. Example: 100 | Integer | Optional | A value of 80 sends up to 80 results in this request. |
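All six violation-listing actions above share the same shape: a small set of required identifiers, a handful of parameters restricted to documented allowed values, and Offset/Limit pagination. The following Python is an added example, not Cyware's or Illusive's own code, showing how a playbook author can validate an action input against the documented allowed values before dispatch and walk every page of results. It assumes the action inputs use the snake_case keys seen in the Example Request blocks (`host_identifier`, `identifier_type`, `ad_user_status`, `identifier`, `identity_type`); the keys `offset`, `limit`, `file_identifier` and `file_identifier_type` are assumed from the parameter names, and `run_action` is a hypothetical transport callable standing in for the Orchestrate action invocation.

```python
"""Validate and paginate Illusive violation-listing action inputs.

Added example (not Cyware or Illusive code). Assumptions: snake_case input keys
as in the page's Example Requests; "offset"/"limit" and the suspicious-files keys
are assumed; `run_action(action_name, input_dict) -> list[dict]` is hypothetical.
"""
from typing import Callable, Iterator, Optional

# Allowed values exactly as documented on the page, keyed by action then parameter.
ALLOWED = {
    "List Crown Jewel Connection Violations": {
        "identifier_type": {"hostname", "crown_jewel"}},
    "List Azure Privileged Identities Violations": {
        "ad_user_status": {"enabled", "disabled", "not_found", "not_available"},
        "identity_type": {"user", "application"}},
    "List Domain User Credential Violations": {
        "identity_type": {"hostname", "username"}},
    "List Shadow Admin Violations": {
        "identifier_type": {"shadow_admin_name", "shadowed_object_name"}},
    "List Suspicious Files Violations": {
        "file_identifier_type": {"file_name", "hash"}},
}

# Required parameters per action, as documented (assumed key names).
REQUIRED = {
    "List Crown Jewel Connection Violations": {"host_identifier", "identifier_type"},
    "List Azure Privileged Identities Violations": set(),
    "List Domain User Credential Violations": {"identifier", "identity_type"},
    "List Local User Admin Violations": {"host_identifier"},
    "List Shadow Admin Violations": {"identifier", "identifier_type"},
    "List Suspicious Files Violations": set(),
}


def build_input(action: str, **params) -> dict:
    """Check required keys, allowed values and pagination types; return the input dict."""
    if action not in REQUIRED:
        raise ValueError(f"unknown action: {action}")
    missing = REQUIRED[action] - set(params)
    if missing:
        raise ValueError(f"{action}: missing required {sorted(missing)}")
    for key, allowed in ALLOWED.get(action, {}).items():
        if key in params and params[key] not in allowed:
            raise ValueError(f"{action}: {key}={params[key]!r} not in {sorted(allowed)}")
    for key in ("offset", "limit"):
        if key in params and (not isinstance(params[key], int) or params[key] < 0):
            raise ValueError(f"{action}: {key} must be a non-negative integer")
    return dict(params)


def validation_error(action: str, **params) -> Optional[str]:
    """Return the validation message for an input, or None when it is acceptable."""
    try:
        build_input(action, **params)
    except ValueError as exc:
        return str(exc)
    return None


def paginate(run_action: Callable[[str, dict], list], action: str,
             page_size: int = 100, **params) -> Iterator[dict]:
    """Yield every result, advancing Offset by Limit until a short page comes back."""
    offset = params.pop("offset", 0)
    params.pop("limit", None)  # page_size controls Limit
    while True:
        page = run_action(action, build_input(action, offset=offset, limit=page_size, **params))
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


def fake_run_action(action: str, inp: dict) -> list:
    """Constructed stand-in for the Orchestrate action call: 230 synthetic rows."""
    total = 230
    start, limit = inp["offset"], inp["limit"]
    return [{"violation_id": i, "action": action} for i in range(start, min(start + limit, total))]


def collect_crown_jewel_violations(run_action=fake_run_action) -> list:
    """Fetch all crown jewel connection violations for the page's example host."""
    return list(paginate(run_action, "List Crown Jewel Connection Violations",
                         host_identifier="domain.com", identifier_type="hostname"))


if __name__ == "__main__":
    print(len(collect_crown_jewel_violations()), "violations collected")
```

The loop stops on the first page shorter than `limit`, so a result set that is an exact multiple of the page size costs one extra empty request; that is cheaper than guessing a total the actions do not return. Rejecting an unknown `identifier_type` locally avoids a failed run mid-playbook.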

Action: List Incidents

This action lists and filters incidents.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Has Forensics | Enter the preference to retrieve only incidents with forensics. Example: yes | Text | Optional | Default value: no |
| Hostnames | Enter the incident source hostname. | Text | Optional | Default value: all hosts |
| Start Date | Enter the query start time/date. | Text | Optional | Default value: all dates |
| Limit | Enter the number of records to retrieve. Example: 20 | Integer | Optional | Default value: 10 |
| Offset | Enter the number of records to skip before returning records. | Integer | Optional | Default value: 0 |

Action: Get Events from Incident ID

This action specifies an incident ID and retrieves a list of associated events.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Incident ID | Get only incidents with forensics. Example: yes | Text | Optional | Default value: no |
| Limit | Enter the number of records to retrieve. Example: 20 | Integer | Optional | Default value: 10 |
| Offset | Enter the number of records to skip before returning records. Example: 2 | Integer | Optional | Default value: 0 |

Action: Get Incident Details

This action retrieves incident details.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Incident ID | Enter the incident ID to retrieve incident details. Example: 124231 | Integer | Required | |

Example Request

[
    {
        "incident_id": 124231
    }
]

Action: Get Incident Timeline

This action retrieves the forensics timeline for a specific incident or decoy.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Incident ID | Enter the incident ID to get a timeline for the incident. Example: 124231 | Integer | Required | |
| Decoy Host Name | Enter the host name to retrieve the full decoy timeline. | Text | Optional | |
| Start Date | Enter the beginning date and time of the forensics timeline. | Text | Optional | By default, it is fixed one year prior to the current system date and time unless a specific start date and time is provided. |
| End Date | Enter the end date and time of the forensics timeline. | Text | Optional | By default, it is fixed at the current system date and time, unless a specific end date and time is provided. |

Action: Get Existing Forensics

This action retrieves the forensics timeline for a specific incident or decoy.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Event ID | Enter the unique Illusive event ID number. Example: 4688 | Integer | Required | |
| Forensic Type | Enter the forensic type. Example: "host_info" | Text | Required | Allowed types: host_info, prefetch_info, shim_cache_info, user_assist_info, installed_programs_info, power_shell_history, startup_processes, running_processes, session_info |

Example Request

[
   {
      "event_id":4688,
      "forensic_type":"host_info"
   }
]

Action: Get Forensic Analyser for Events

This action retrieves the forensics timeline for a specific incident or decoy.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Event ID | Enter the unique Illusive event ID number. Example: 4688 | Integer | Required | |

Example Request

[
   {
      "event_id":4688
   }
]

Action: Get Forensic Artifacts for Events

This action retrieves the forensics artifacts for an event.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Event ID | Enter the unique Illusive event ID number. Example: 4688 | Integer | Required | |
| Artifact Type | Enter the artifacts to retrieve. Example: "desktop_screenshots" | Text | Required | Allowed type: desktop_screenshots |

Example Request

[
   {
      "event_id":4688,
      "artifact_type":"desktop_screenshots"
   }
]
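The incident and forensic actions (List Incidents, Get Events from Incident ID, Get Existing Forensics, Get Forensic Artifacts for Events) are normally chained: page through incidents that have forensics, expand each into its events, then pull the forensic types and screenshots an analyst wants in the case. The Python below is an added example of that chain, not Cyware's or Illusive's own code. It assumes the snake_case input keys from the Example Requests (`incident_id`, `event_id`, `forensic_type`, `artifact_type`) plus assumed `has_forensics`, `limit` and `offset` keys for List Incidents; the response field names `incident_id` and `event_id` are assumed, `run_action` is a hypothetical transport, and the sample data is constructed.

```python
"""Chain the Illusive incident actions into one triage pass.

Added example (not Cyware or Illusive code). Assumptions: snake_case input keys
as in the page's Example Requests; "has_forensics"/"limit"/"offset" keys and the
response field names "incident_id"/"event_id" are assumed; `run_action` is a
hypothetical transport taking (action_name, input_dict) and returning a list.
"""
from typing import Callable

# Allowed forensic types documented for Get Existing Forensics.
FORENSIC_TYPES = frozenset({
    "host_info", "prefetch_info", "shim_cache_info", "user_assist_info",
    "installed_programs_info", "power_shell_history", "startup_processes",
    "running_processes", "session_info",
})

# Types a first-pass triage usually pulls; any documented type may be requested.
DEFAULT_TRIAGE_TYPES = ("running_processes", "power_shell_history", "session_info")


def collect_incident_forensics(run_action: Callable[[str, dict], list],
                               page_size: int = 10,
                               forensic_types=DEFAULT_TRIAGE_TYPES) -> dict:
    """Map incident_id -> per-event forensic data and screenshot count for every
    incident that has forensics, paging List Incidents with limit/offset."""
    unknown = set(forensic_types) - FORENSIC_TYPES
    if unknown:
        raise ValueError(f"forensic types not documented: {sorted(unknown)}")
    report, offset = {}, 0
    while True:
        incidents = run_action("List Incidents",
                               {"has_forensics": "yes", "limit": page_size, "offset": offset})
        for incident in incidents:
            inc_id = incident["incident_id"]
            report[inc_id] = []
            for event in run_action("Get Events from Incident ID", {"incident_id": inc_id}):
                ev_id = event["event_id"]
                # One Get Existing Forensics call per requested type; keep only non-empty ones.
                forensics = {}
                for ftype in forensic_types:
                    data = run_action("Get Existing Forensics",
                                      {"event_id": ev_id, "forensic_type": ftype})
                    if data:
                        forensics[ftype] = data
                shots = run_action("Get Forensic Artifacts for Events",
                                   {"event_id": ev_id, "artifact_type": "desktop_screenshots"})
                report[inc_id].append({"event_id": ev_id, "forensics": forensics,
                                       "screenshots": len(shots)})
        if len(incidents) < page_size:
            return report
        offset += page_size


# Constructed sample data standing in for Illusive responses (IDs from the page's examples).
SAMPLE = {
    "incidents": [{"incident_id": 124231}, {"incident_id": 124232}],
    "events": {124231: [{"event_id": 4688}, {"event_id": 4689}],
               124232: [{"event_id": 4700}]},
    "forensics": {(4688, "running_processes"): [{"process": "powershell.exe"}],
                  (4688, "power_shell_history"): [{"command": "whoami"}]},
    "artifacts": {4688: ["shot-1.png", "shot-2.png"], 4700: ["shot-3.png"]},
}


def fake_run_action(action: str, inp: dict) -> list:
    """Hypothetical transport answering from SAMPLE; replace with the real action call."""
    if action == "List Incidents":
        start = inp["offset"]
        return SAMPLE["incidents"][start:start + inp["limit"]]
    if action == "Get Events from Incident ID":
        return SAMPLE["events"].get(inp["incident_id"], [])
    if action == "Get Existing Forensics":
        return SAMPLE["forensics"].get((inp["event_id"], inp["forensic_type"]), [])
    if action == "Get Forensic Artifacts for Events":
        return SAMPLE["artifacts"].get(inp["event_id"], [])
    raise ValueError(f"unsupported action: {action}")


if __name__ == "__main__":
    for inc_id, events in collect_incident_forensics(fake_run_action).items():
        print(inc_id, [(e["event_id"], sorted(e["forensics"]), e["screenshots"]) for e in events])
```

Requesting only the forensic types needed for the case keeps the per-event call count bounded (three calls here instead of nine), and an undocumented type is rejected before any request is made.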