Attivo Botsink
This integration is part of the Attivo Botsink Pack. Use the Attivo BOTsink integration to pull Attivo events into Cortex XSOAR to initiate investigations, manage deception environments, and deploy decoy systems.
This integration was tested with Attivo BOTsink v4.1.1 and v4.1.3.
Use Cases
- Determine if an artifact is part of the deception environment
- Dynamically deploy decoy systems
- Search for events related to a specific attacker
Configure Attivo Botsink on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Attivo Botsink.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Botsink name or address
  - BOTsink API credentials
  - SSL Verification toggle
  - Minimum severity when fetching events (Very High, High, Medium)
  - Fetch incidents toggle
- Click Test to validate the URLs, token, and connection.
Fetched Incidents Data
The Attivo BOTsink plugin for Cortex XSOAR can optionally pull Attivo events into Cortex XSOAR to initiate investigations. The fetch_severity parameter specifies the lowest severity of event to pull (Very High, High, or Medium).
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Verify if a user is part of a deception environment: attivo-check-user
- Verify if a host is part of the deception environment: attivo-check-host
- Run a playbook configured on Attivo BOTsink: attivo-run-playbook
- Deploy a decoy system on a subnet: attivo-deploy-decoy
- Get events for an attacker IP address: attivo-get-events
- Get information for playbooks: attivo-list-playbooks
- Get information for network decoys: attivo-list-hosts
- Get a list of all deceptive users: attivo-list-users
1. Verify if a user is part of a deception environment
Checks whether a user is part of the deceptive environment.
Base Command
attivo-check-user
Input
Argument Name | Description | Required |
---|---|---|
user | User to validate | Required |
Context Output
Path | Type | Description |
---|---|---|
Attivo.User.IsDeceptive | boolean | Is the user part of the Deception environment |
Attivo.User.Groups | unknown | If the user is part of the Deception environment, the deceptive groups the user belongs to |
Command Example
!attivo-check-user user="a-user-l-ftp-0"
Context Example
```json
{
  "Attivo": {
    "User": {
      "IsDeceptive": true,
      "Groups": [
        "a-user-l-ftp"
      ],
      "Name": "a-user-l-ftp-0"
    }
  }
}
```
2. Verify if a host is part of a deception environment
Checks whether a host is part of the deception environment.
Base Command
attivo-check-host
Input
Argument Name | Description | Required |
---|---|---|
host | Host name or IP address to validate | Required |
Command Example
!attivo-check-host host="linuxserver"
Context Example
```json
{
  "Attivo": {
    "Host": {
      "IsDeceptive": true,
      "HostInfo": {
        "name": [
          "linuxserver"
        ],
        "ip": "162.236.53.68",
        "vlan": null,
        "user_defined": true,
        "mac": "52:54:00:9f:65:76",
        "dhcp": false
      }
    }
  }
}
```
3. Run a playbook configured on Attivo BOTsink
Run a pre-built Attivo playbook on the BOTsink appliance.
Base Command
attivo-run-playbook
Input
Argument Name | Description | Required |
---|---|---|
playbook_name | Name of the prebuilt playbook | Required |
attacker_ip | Malicious source IP | Required |
Context Output
Path | Type | Description |
---|---|---|
Attivo.Playbook.Status | boolean | Was the playbook successful |
Attivo.Playbook.Message | string | Complete status message |
Command Example
!attivo-run-playbook attacker_ip=172.16.2.20 playbook_name="Endpoint Forensics"
4. Deploy a decoy system on a subnet
Deploys a new network decoy on the subnet of the given IP address.
Base Command
attivo-deploy-decoy
Input
Argument Name | Description | Required |
---|---|---|
vulnerable_ip | Used to determine which subnet to deploy to | Required |
decoy_number | The number of decoys to deploy | Optional |
Context Output
Path | Type | Description |
---|---|---|
Attivo.DeployDecoy.Status | boolean | Was the network decoy successfully deployed |
Attivo.DeployDecoy.Message | string | Complete status message |
Command Example
!attivo-deploy-decoy vulnerable_ip=172.16.40.55
Human Readable Output
1 new Attivo decoy(s) deployed on the subnet with 172.16.40.55
5. Get events for an attacker IP address
Retrieves events for a specific source IP.
Base Command
attivo-get-events
Input
Argument Name | Description | Required |
---|---|---|
attacker_ip | Source IP address | Required |
severity | The minimum Attivo severity of the events to return: "VeryHigh", "High", "Medium", "Low", "VeryLow", or "SystemActivity". Default is "Medium". | Optional |
alerts_start_date | Date and time to start looking for events. For example: 2018-12-10 or 2018-12-10T13:59:05Z | Optional |
alerts_end_date | Date and time to stop looking for events. For example: 2018-12-10 or 2018-12-10T13:59:05Z | Optional |
Context Output
Path | Type | Description |
---|---|---|
Attivo.Events.Count | number | Total number of events retrieved |
Attivo.Events.List.AttackName | unknown | Short name of the attack |
Attivo.Events.List.AttackPhase | string | Kill chain phase of the attack |
Attivo.Events.List.Server | string | Internal name of the target decoy |
Attivo.Events.List.Target | string | Display name of the target decoy |
Attivo.Events.List.TargetOS | string | Operating system of the target decoy |
Attivo.Events.List.Attacker | string | Attacker IP address |
Attivo.Events.List.Service | string | The attacked service |
Attivo.Events.List.Timestamp | string | Time of the attack |
Attivo.Events.List.TargetIP | string | IP address of the target decoy |
Attivo.Events.List.Severity | string | Attivo severity of the attack |
Command Example
!attivo-get-events attacker_ip=CentOS70 alerts_start_date=2018-11-30T23:59:05Z alerts_end_date=2018-12-01T00:02:05Z
Context Example
```json
{
  "Attivo": {
    "Events": {
      "Count": 2,
      "List": [
        {
          "geoip_src_latitude": null,
          "Severity": "Medium",
          "Service": "DNS SERVER",
          "VLAN": null,
          "AttackName": "DNS Response",
          "TargetIP": "SinkHole",
          "AttackPhase": "C&C",
          "TargetOS": "CentOS 7.0",
          "Timestamp": "2018-12-01T00:01:43.500Z",
          "geoip_dest_city_name": null,
          "geoip_dest_country_code2": null,
          "geoip_dest_country_code3": null,
          "Attacker": "CentOS70",
          "Device": "0",
          "geoip_src_country_code3": null,
          "geoip_src_country_code2": null,
          "Target": "SinkHole",
          "Server": "ZZZ-BServer01",
          "geoip_dest_latitude": null,
          "geoip_src_country_name": null,
          "geoip_src_longitude": null,
          "geoip_dest_country_name": null,
          "geoip_dest_longitude": null
        },
        {
          "geoip_src_latitude": null,
          "Severity": "Medium",
          "Service": "DNS SERVER",
          "VLAN": null,
          "AttackName": "DNS Response",
          "TargetIP": "SinkHole",
          "AttackPhase": "C&C",
          "TargetOS": "CentOS 7.0",
          "Timestamp": "2018-12-01T00:01:38.500Z",
          "geoip_dest_city_name": null,
          "geoip_dest_country_code2": null,
          "geoip_dest_country_code3": null,
          "Attacker": "CentOS70",
          "Device": "0",
          "geoip_src_country_code3": null,
          "geoip_src_country_code2": null,
          "Target": "SinkHole",
          "Server": "ZZZ-BServer01",
          "geoip_dest_latitude": null,
          "geoip_src_country_name": null,
          "geoip_src_longitude": null,
          "geoip_dest_country_name": null,
          "geoip_dest_longitude": null
        }
      ]
    }
  }
}
```
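The severity floor used by both the fetch_severity instance parameter and the severity argument, and the two date formats accepted by alerts_start_date and alerts_end_date, can be exercised locally. The following is an added example, not code from the integration: it filters a constructed event list (the two events from the context example above plus two invented ones) the way the command's arguments describe and returns the result in the Attivo.Events context shape.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Attivo severity levels, lowest to highest, as listed for the severity argument.
SEVERITY_ORDER = ["SystemActivity", "VeryLow", "Low", "Medium", "High", "VeryHigh"]

# Constructed sample: the two context-example events above plus two invented ones
# (a Low event inside the example time window and a Very High event outside it).
SAMPLE_EVENTS: List[Dict] = [
    {"Severity": "Medium", "AttackName": "DNS Response", "Timestamp": "2018-12-01T00:01:43.500Z"},
    {"Severity": "Medium", "AttackName": "DNS Response", "Timestamp": "2018-12-01T00:01:38.500Z"},
    {"Severity": "Low", "AttackName": "Constructed low event", "Timestamp": "2018-12-01T00:01:00Z"},
    {"Severity": "Very High", "AttackName": "Constructed later event", "Timestamp": "2018-12-02T10:00:00Z"},
]

def parse_attivo_date(value: Optional[str]) -> Optional[datetime]:
    """Parse the documented forms (2018-12-10 or 2018-12-10T13:59:05Z) and the
    fractional-second form seen in event Timestamp fields; all treated as UTC."""
    if value is None:
        return None
    text = value[:-1] if value.endswith("Z") else value
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Attivo date: {value!r}")

def filter_events(events: List[Dict], min_severity: str = "Medium",
                  start: Optional[str] = None, end: Optional[str] = None) -> Dict:
    """Keep events at or above min_severity within [start, end], returned in the
    shape of the Attivo.Events context output: {"Count": n, "List": [...]}."""
    if min_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown Attivo severity: {min_severity!r}")
    floor = SEVERITY_ORDER.index(min_severity)
    start_dt, end_dt = parse_attivo_date(start), parse_attivo_date(end)
    kept = []
    for event in events:
        # The page writes the top level both "Very High" and "VeryHigh"; normalise.
        level = str(event.get("Severity", "")).replace(" ", "")
        if level not in SEVERITY_ORDER or SEVERITY_ORDER.index(level) < floor:
            continue
        ts = parse_attivo_date(event.get("Timestamp"))
        if ts is None or (start_dt and ts < start_dt) or (end_dt and ts > end_dt):
            continue
        kept.append(event)
    return {"Count": len(kept), "List": kept}
```

With the command example's window and the default "Medium" floor, only the two DNS Response events survive, matching the Count of 2 in the context example.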
6. Get information for playbooks
Lists information about the playbooks configured on the Attivo device.
Base Command
attivo-list-playbooks
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
7. Get information for network decoys
Lists information about network decoys.
Base Command
attivo-list-hosts
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
8. Get a list of all deceptive users
Lists all deceptive users.
Base Command
attivo-list-users
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Known Limitations
This integration works with the Attivo BOTsink. The attivo-deploy-decoy command can only be run against a physical BOTsink appliance.