Details
Content
Dependencies
Version History

Enrich SOC incident triage and investigation data with valuable Illusive information and forensics, and manage the way Illusive deploys deceptions across the network.

Illusive Networks

This pack includes XSIAM content.

Incident Response

Provide SOC teams with automated collection and analysis of Illusive incidents and the option to extend Illusive data and forensics analysis to other potentially malicious activities discovered on your network.

Automatically collect data and forensics from new incidents detected by Illusive
Enrich SOC data by retrieving a rich set of incident and forensics information, including: 1) host details and forensics from a potentially compromised host, 2) a forensics timeline, 3) forensics analysis, 4) additional data
Auto-analyze collected data and calculate incident severity to speed up SOC response times
Collect forensics from any compromised host and retrieve a forensics timeline

Deceptions and Attack Surface Manager

Manage the Illusive’s deceptive entities and deception policies to control the way Illusive deploys deceptions across the network, and gain insight into your network’s topography.

Retrieve detailed lists of approved and suggested deceptive servers and users
Approve, delete, and query deceptive entities
Manage deception policy assignments per host
Retrieve attack surface insights for Crown Jewels and specific hosts

Illusive Networks

This pack includes XSIAM content.

Incident Response

Automatically collect data and forensics from new incidents detected by Illusive
Enrich SOC data by retrieving a rich set of incident and forensics information, including: 1) host details and forensics from a potentially compromised host, 2) a forensics timeline, 3) forensics analysis, 4) additional data
Auto-analyze collected data and calculate incident severity to speed up SOC response times
Collect forensics from any compromised host and retrieve a forensics timeline

Deceptions and Attack Surface Manager

Manage the Illusive’s deceptive entities and deception policies to control the way Illusive deploys deceptions across the network, and gain insight into your network’s topography.

Retrieve detailed lists of approved and suggested deceptive servers and users
Approve, delete, and query deceptive entities
Manage deception policy assignments per host
Retrieve attack surface insights for Crown Jewels and specific hosts

Collect Events from Vendor

In order to use the collector, you can use the following option to collect events from the vendor:

Broker VM

You will need to configure the vendor and product for this specific collector.

Broker VM

You will need to use the information described here.\
You can configure the specific vendor and product for this instance.

Navigate to Settings -> Configuration -> Data Broker -> Broker VMs.
Right-click, and select Syslog Collector -> Configure.
When configuring the Syslog Collector, set:
- illusive as vendor
- illusive as product

Classifiers

Name	Description
Illusive Networks - Classifier	Classifies Illusive Networks incidents.
Illusive Networks - Incoming Mapper	Maps incoming Illusive Networks incident fields.

Incident Fields

Name	Description
Illusive Networks Has Forensics
Illusive Networks Last Seen User
Illusive Networks Host Name
Illusive Networks Steps To Crown Jewel
Illusive Networks Deception Families
Illusive Networks Id
Illusive Networks Source Operating System
Illusive Networks Steps To Domain Admin
Illusive Networks Events Number

Incident Types

Name	Description
Illusive Networks Incident

Integrations

Name	Description
IllusiveNetworks (Partner Contribution)	The Illusive Attack Management API allows customers to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more.

Layouts

Name	Description
Illusive Networks Incident	Illusive Networks Incident Layout

Playbooks

Name	Description
Illusive - Data Enrichment	This playbook is used for automatic enrichment of incidents in the organization network, with Illusive's set of forensics and data
Illusive - Incident Escalation	This playbook is used for creating an automatic analysis of the Illusive's incident details, in order to end up with a certain score or a set of insights that will enable automatic decisions and actions.
Illusive-Collect-Forensics-On-Demand	This playbook is used to collect forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection.
Illusive-Retrieve-Incident	This playbook is used for retrieving an extensive view over a detected incident by retrieving the incident details and a forensics timeline if and when forensics have been successfully collected.

Classifiers

Name	Description
Illusive Networks - Classifier	Classifies Illusive Networks incidents.
Illusive Networks - Incoming Mapper	Maps incoming Illusive Networks incident fields.

Incident Fields

Name	Description
Illusive Networks Has Forensics
Illusive Networks Events Number
Illusive Networks Steps To Crown Jewel
Illusive Networks Steps To Domain Admin
Illusive Networks Id
Illusive Networks Deception Families
Illusive Networks Source Operating System

Incident Types

Name	Description
Illusive Networks Incident

Integrations

Name	Description
IllusiveNetworks (Partner Contribution)	The Illusive Attack Management API allows customers to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more.

Modeling Rules

Name	Description
Illusive Networks

Playbooks

Name	Description
Illusive-Retrieve-Alert	This playbook is used for retrieving an extensive view over a detected alert by retrieving the alert details and a forensics timeline if and when forensics have been successfully collected.
Illusive - Alert Escalation	This playbook is used for creating an automatic analysis of the Illusive's alert details, in order to end up with a certain score or a set of insights that will enable automatic decisions and actions.
Illusive - Data Enrichment	This playbook is used for automatic enrichment of alerts in the organization network, with Illusive's set of forensics and data
Illusive-Collect-Forensics-On-Demand	This playbook is used to collect forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	March 19, 2020
Last Release	April 11, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Illusive Networks

Illusive Networks

Incident Response

Deceptions and Attack Surface Manager

Illusive Networks

Incident Response

Deceptions and Attack Surface Manager

Collect Events from Vendor

Broker VM

Integrations

IllusiveNetworks

Integrations

IllusiveNetworks

Integrations

IllusiveNetworks

Integrations

IllusiveNetworks

Integrations

IllusiveNetworks

Integrations

IllusiveNetworks

Integrations

IllusiveNetworks

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER