Illusive - Data Enrichment
This playbook is used for automatic enrichment of incidents in the organization network, with Illusive's set of forensics and data
Illusive Networks · 19 tasks · 2 inputs · 28 outputs
Inputs
illusive_incident_id— Illusive incident IDfqdn_or_ip— The endpoint's fqdn or IP address
Outputs
Illusive.Incident.incidentId— The Incident IDIllusive.Incident.sourceHostname— The compromised host's nameIllusive.Incident.sourceIp— The compromised host's IP addressIllusive.Incident.sourceOperatingSystem— The compromised host's operating systemIllusive.Incident.lastSeenUser— The user who last reviewed the incidentIllusive.Incident.deceptionFamilies— The deception families of the deceptions used to trigger the incidentIllusive.Incident.riskInsights.stepsToCrownJewel— The compromised host's lateral distance from Crown JewelsIllusive.Incident.riskInsights.stepsToDomainAdmin— The compromised host's lateral distance from domain admin accountsIllusive.Incident.eventsNumber— The number of associated eventsIllusive.Event.eventId— The corresponding event IDIllusive.Event.incidentId— The corresponding incident IDIllusive.Event.ForensicsAnalyzers— The forensics analyzerIllusive.Event.ForensicsTriggeringProcess.commandLine— The triggering process command lineIllusive.Event.ForensicsTriggeringProcess.connectionsNum— The triggering process active connectionsIllusive.Event.ForensicsTriggeringProcess.md5— The triggering process md5Illusive.Event.ForensicsTriggeringProcess.sha256— The triggering process sha256Illusive.Event.ForensicsTriggeringProcess.name— The triggering process nameIllusive.Event.ForensicsTriggeringProcess.parent— The parent process of the triggering processIllusive.Event.ForensicsTriggeringProcess.path— The triggering process pathIllusive.Event.ForensicsTriggeringProcess.startTime— The triggering process start timeIllusive.Incident.incidentTimeUTC— Date and time of the incidentIllusive.Incident.closed— Whether the incident has been closedIllusive.Incident.flagged— Whether the incident has been flaggedIllusive.Incident.hasForensics— Whether incident has forensicsIllusive.Incident.incidentTypes— Type of events detectedIllusive.Incident.policyName— The compromised host's policyIllusive.Incident.unread— Whether the incident has been readIllusive.Incident.userNotes— The analyst's comments
Commands used
illusive-get-forensics-analyzers
illusive-get-forensics-artifacts
illusive-get-forensics-timeline
illusive-get-forensics-triggering-process-info
illusive-get-incident-events
illusive-get-incidents
setIncident