# Smokescreen IllusionBLACK

This Integration is part of the Smokescreen IllusionBLACK Pack.

Smokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats, including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware, in real time. This integration was integrated and tested with version v3.10.7.4 of Smokescreen IllusionBLACK.

## Permissions
## Configure Smokescreen IllusionBLACK on Cortex XSOAR

- Navigate to Settings > Integrations > Servers & Services.
- Search for Smokescreen IllusionBLACK.
- Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
url | Server URL (e.g. https://example.net) | True |
client_id | IllusionBLACK API Client Id | True |
token | IllusionBLACK External API Token | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
first_fetch | First fetch time for fetching incidents (2 days, 3 weeks, etc) | False |

- Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### illusionblack-get-ad-decoys

Gets a list of Active Directory decoys.

#### Base Command

`illusionblack-get-ad-decoys`

#### Input

There are no input arguments for this command.

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.AdDecoy | Unknown | IllusionBLACK AD Decoy users. |

#### Command Example

`!illusionblack-get-ad-decoys`

#### Context Example

#### Human Readable Output

##### IllusionBLACK AD Decoys

First Name | Last Name | Ou | State | User Name |
---|---|---|---|---|
felix | hunt | mumbai | added | sqladmin |

### illusionblack-get-network-decoys

Gets a list of Network decoys.

#### Base Command

`illusionblack-get-network-decoys`

#### Input

There are no input arguments for this command.

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.NetworkDecoy | Unknown | IllusionBLACK Network decoys. |

#### Command Example

`!illusionblack-get-network-decoys`

#### Context Example

#### Human Readable Output

##### IllusionBLACK Network Decoys

Ip | Mac | Name | Services |
---|---|---|---|
10.20.23.61 | d0:43:1e:cd:cb:c2 | CTX-BACKUPS31 | web |
10.20.23.64 | a0:48:1c:ee:08:38 | GCP-CYBERARK | web |
10.20.23.63 | 00:fd:45:fa:6f:4d | NEW-XEN | web |
10.20.23.65 | 14:b3:1f:08:84:6d | PRIM-CYBERARK | web, shares |
10.20.23.62 | 20:a6:cd:00:6e:70 | SAP44 | web, shares |
10.20.23.60 | 90:b1:1c:73:64:fc | ARCOSNEW | web |

### illusionblack-get-ti-decoys

Gets a list of Threat Intel decoys.

#### Base Command

`illusionblack-get-ti-decoys`

#### Input

There are no input arguments for this command.

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.TIDecoy | Unknown | IllusionBLACK TI Decoys. |

#### Command Example

`!illusionblack-get-ti-decoys`

#### Context Example

#### Human Readable Output

##### IllusionBLACK TI Decoys

Dataset | Ip | Name | Server Type |
---|---|---|---|
Finacle | 10.20.23.67 | dev.smokescreen.io | nginx/1.14.0 (Ubuntu) |

### illusionblack-is-host-decoy

Checks if a host or IP address is a network decoy.

#### Base Command

`illusionblack-is-host-decoy`

#### Input

Argument Name | Description | Required |
---|---|---|
host | Hostname or IP address to check. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.IsHostDecoy.Host | String | The IP address or hostname submitted to IllusionBLACK to check. |
IllusionBlack.IsHostDecoy.Value | Boolean | The boolean value whether the host is a decoy or not. |

#### Command Example

`!illusionblack-is-host-decoy host="SAP44"`

#### Context Example

#### Human Readable Output

True

### illusionblack-is-user-decoy

Checks if an Active Directory user is a decoy.

#### Base Command

`illusionblack-is-user-decoy`

#### Input

Argument Name | Description | Required |
---|---|---|
user | Active Directory user name to check. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.IsUserDecoy.User | String | The AD username submitted to IllusionBLACK to check. |
IllusionBlack.IsUserDecoy.Value | Boolean | The boolean value whether the user is a decoy or not. |

#### Command Example

`!illusionblack-is-user-decoy user="sqladmin"`

#### Context Example

#### Human Readable Output

True

### illusionblack-is-subdomain-decoy

Checks if a subdomain is a Threat Intel decoy.

#### Base Command

`illusionblack-is-subdomain-decoy`

#### Input

Argument Name | Description | Required |
---|---|---|
subdomain | Subdomain to check. For example: dec.smokescreen.io. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.IsSubdomainDecoy.Subdomain | String | The subdomain submitted to IllusionBLACK to check. |
IllusionBlack.IsSubdomainDecoy.Value | Boolean | The boolean value whether the subdomain is a decoy or not. |

#### Command Example

`!illusionblack-is-subdomain-decoy subdomain="experience.illusionblack.com"`

#### Context Example

#### Human Readable Output

False

### illusionblack-get-events

Gets events from IllusionBLACK.

#### Base Command

`illusionblack-get-events`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | Number of events. It can be between 1 and 1000. | Optional |
query | IllusionBLACK query. For example: "attacker.ip is \"1.2.3.4\"" | Optional |
from | ISO 8601 formatted date string. | Optional |
to | ISO 8601 formatted date string. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.Event | Unknown | IllusionBLACK Events. |

#### Command Example

`!illusionblack-get-events limit=3`

#### Context Example

#### Human Readable Output

##### IllusionBLACK Events

attacker.id | attacker.name | attacker.score | attacker.threat_parse_ids | decoy.appliance.id | decoy.appliance.name | decoy.client.id | decoy.client.name | decoy.group | decoy.id | decoy.name | decoy.type | file.name | file.operation | file.operation_string | file.process.command_line | file.process.domain_name | file.process.exit_code | file.process.id | file.process.image_name | file.process.user_name | file.process.user_sid | file.thread_id | id | kill_chain_phase | mitre_ids | record_type | severity | sub_type | threat_parse_ids | timestamp | type | whitelisted |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ADMIN-PC-001\admin | ADMIN-PC-001\admin | 175 | lm_file_open, lm_file_active_monitoring | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\passwords\Passwords.xlsx | 67 | Read | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass | ADMIN-PC-001 | -1 | 10228 | powershell.exe | admin | S-1-5-21-399445878-2258755057-882339928-1000 | 8588 | 2020-02-25T09:49:15Z-76c99a22-03b9-439e-8638-37306c2d8e7f | Data Theft | T1005 | event | high | file | lm_file_open | 2020-04-12T08:57:01Z | endpoint | false |
NT AUTHORITY\SYSTEM | NT AUTHORITY\SYSTEM | 250 | filetheft_unattend, lm_file_active_monitoring, lm_file_open | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\passwords\Passwords.xlsx | 67 | Read | | NT AUTHORITY | -1 | 2824 | MsMpEng.exe | SYSTEM | S-1-5-18 | 724 | 2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0 | Data Theft | T1005 | event | high | file | lm_file_open | 2020-04-12T08:57:01Z | endpoint | false |
ADMIN-PC-001\admin | ADMIN-PC-001\admin | 175 | lm_file_open, lm_file_active_monitoring | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\docs\vulnerability assessment report\vulnerability assessment report.xlsx | 65 | Cleanup | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass | ADMIN-PC-001 | -1 | 10228 | powershell.exe | admin | S-1-5-21-399445878-2258755057-882339928-1000 | 0 | 2020-02-25T09:45:48Z-fa248a98-bc8a-4275-93c7-e63ff1ee8d34 | Data Theft | T1005 | event | high | file | lm_file_active_monitoring | 2020-04-12T08:53:20Z | endpoint | false |
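The events above carry ISO 8601 timestamps (the same format the `from`/`to` arguments take) and ids of the form `<timestamp>-<uuid>`, and two of the three sample rows share one `timestamp`. The following is an added example, not code from the integration itself, of a fetch loop that turns such events into incidents without re-ingesting events that sit exactly on the previous high-water mark; the sample events are constructed from the rows above and the severity mapping is an assumption.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

# Constructed from the sample rows above; only the fields used here are kept.
SAMPLE_EVENTS = [
    {"id": "2020-02-25T09:45:48Z-fa248a98-bc8a-4275-93c7-e63ff1ee8d34",
     "timestamp": "2020-04-12T08:53:20Z", "severity": "high", "type": "endpoint",
     "attacker": {"id": "ADMIN-PC-001\\admin"}, "decoy": {"id": "endpoint:admin-pc-001"}},
    {"id": "2020-02-25T09:49:15Z-76c99a22-03b9-439e-8638-37306c2d8e7f",
     "timestamp": "2020-04-12T08:57:01Z", "severity": "high", "type": "endpoint",
     "attacker": {"id": "ADMIN-PC-001\\admin"}, "decoy": {"id": "endpoint:admin-pc-001"}},
    {"id": "2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0",
     "timestamp": "2020-04-12T08:57:01Z", "severity": "high", "type": "endpoint",
     "attacker": {"id": "NT AUTHORITY\\SYSTEM"}, "decoy": {"id": "endpoint:admin-pc-001"}},
]

# Assumed mapping of IllusionBLACK severities onto XSOAR's 1-4 incident scale.
SEVERITY_TO_XSOAR = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_iso8601(value: str) -> datetime:
    """Parse the 'Z'-suffixed ISO 8601 strings the events carry."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def fetch_incidents(events: List[Dict[str, Any]],
                    last_run: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], Dict[str, Any]]:
    """Turn events into incidents and return the state for the next fetch.
    last_run holds the newest timestamp ingested plus the ids already seen at
    exactly that timestamp; a re-query with from=<that timestamp> returns those
    events again, so the id set is what prevents duplicates."""
    last_ts = parse_iso8601(last_run.get("time", "1970-01-01T00:00:00Z"))
    seen = set(last_run.get("ids", []))
    incidents = []
    for ev in sorted(events, key=lambda e: parse_iso8601(e["timestamp"])):
        ts = parse_iso8601(ev["timestamp"])
        if ts < last_ts or ev["id"] in seen:
            continue  # older than the window, or already ingested
        if ts > last_ts:
            last_ts, seen = ts, set()  # new high-water mark resets the id set
        seen.add(ev["id"])
        incidents.append({
            "name": f"IllusionBLACK {ev['type']} event: {ev['attacker']['id']} -> {ev['decoy']['id']}",
            "occurred": ev["timestamp"],
            "severity": SEVERITY_TO_XSOAR.get(ev["severity"], 0),
            "rawJSON": json.dumps(ev),
        })
    return incidents, {"time": last_ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "ids": sorted(seen)}
```

Running `fetch_incidents` twice with the same events yields three incidents the first time and none the second, because the two events at `2020-04-12T08:57:01Z` are recognised by id rather than dropped or duplicated by timestamp alone.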

### illusionblack-get-event-by-id

Gets a single event by the event ID.

#### Base Command

`illusionblack-get-event-by-id`

#### Input

Argument Name | Description | Required |
---|---|---|
id | IllusionBLACK Event ID. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
IllusionBlack.Event | Unknown | IllusionBLACK Single Event. |
IllusionBlack.Event.attacker.id | Unknown | IllusionBLACK Event Attacker ID. |
IllusionBlack.Event.decoy.id | Unknown | IllusionBLACK Event Decoy ID. |
IllusionBlack.Event.id | Unknown | IllusionBLACK Event ID. |
IllusionBlack.Event.severity | Unknown | IllusionBLACK Event Severity. |
IllusionBlack.Event.type | Unknown | IllusionBLACK Event Attack Type. |

#### Command Example

`!illusionblack-get-event-by-id id="2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0"`

#### Context Example

#### Human Readable Output

##### IllusionBLACK Single Event

attacker.id | attacker.name | attacker.score | attacker.threat_parse_ids | decoy.appliance.id | decoy.appliance.name | decoy.client.id | decoy.client.name | decoy.group | decoy.id | decoy.name | decoy.type | file.name | file.operation | file.operation_string | file.process.command_line | file.process.domain_name | file.process.exit_code | file.process.id | file.process.image_name | file.process.user_name | file.process.user_sid | file.thread_id | id | kill_chain_phase | mitre_ids | record_type | severity | sub_type | threat_parse_ids | timestamp | type | whitelisted |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
NT AUTHORITY\SYSTEM | NT AUTHORITY\SYSTEM | 250 | filetheft_unattend, lm_file_active_monitoring, lm_file_open | cmc | CMC | experience | experience | Endpoint | endpoint:admin-pc-001 | admin-pc-001 | endpoint | C:\Users\admin\Desktop\passwords\Passwords.xlsx | 67 | Read | | NT AUTHORITY | -1 | 2824 | MsMpEng.exe | SYSTEM | S-1-5-18 | 724 | 2020-02-25T09:49:15Z-0950f80f-7571-4382-b4b8-5e04c160c4c0 | Data Theft | T1005 | event | high | file | lm_file_open | 2020-04-12T08:57:01Z | endpoint | false |