Illusive-SentinelIncident-Response


Attribute   Value
Type        Playbook
Solution    Illusive Active Defense
Source      View on GitHub

⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.

Additional Documentation

📄 Source: Illusive-SentinelIncident-Response/readme.md

Illusive Incident Response Playbook

The Incident Response playbook leverages Sentinel analytic rules and CrowdStrike or Microsoft Defender for Endpoint integration to automate incident response when specified Illusive incidents are discovered.

Use this playbook to quickly stop or slow down ransomware attacks and critical incidents detected by Illusive in your organization. Upon detection, Sentinel is instructed to use the triggering process information reported by Illusive to remove or kill the process. If the triggering process cannot be killed, Sentinel is instructed to isolate the host. These capabilities are available for organizations with CrowdStrike Falcon or Microsoft Defender for Endpoint.

  1. Playbook workflow
  2. Playbook execution
  3. Access Playbook
  4. Playbook retry mechanism

Playbook Workflow

  1. Perform the general solution setup. (see instructions here)
  2. Add API permissions to the Azure app
  3. Enable Microsoft Defender for Endpoint (Only when using MDE for incident response)
  4. Create the Illusive playbook
  5. Connect the playbook to Azure Sentinel

Add API permissions to the Azure app

  1. From the Azure console, find the Azure app you created to run the Illusive Sentinel Solution.
  2. Go to API Permissions.
  3. Click Add a permission.
  4. Under Request API permissions > APIs my organization uses, search for and select WindowsDefenderATP, select Delegated permissions and check the following permissions:
    • Machine.Isolate – to isolate device
    • Machine.Read – to find agent ID – to collect data from a single machine
    • File.Read.All – for process handling, find and erase/stop suspicious executables
    • Machine.StopAndQuarantine – for process handling, find and erase/stop suspicious executables
  5. Select Application permissions and check the following permissions:
    • Machine.Isolate – to isolate device
    • Machine.Read.All – to find agent ID – to query all machines and collect device information even if we don’t have a device ID.
    • File.Read.All – for process handling, find and erase/stop suspicious executables
    • Machine.StopAndQuarantine – for process handling, find and erase/stop suspicious executables
  6. Click Add permissions.
  7. Once all the API permissions are added, click Grant admin consent for Default Directory and click Yes.
  8. Verify admin consent has been granted. This step is important, even if the admin consent status is green. Only a Global Admin can approve admin consent requests.
  9. Go to Enterprise > Admin Consent requests.
  10. Go to My pending and verify that this permission is not pending.
    The result should look like this:
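
The consent check in steps 7 to 10 can also be verified programmatically. The following is an added example, not code from the Illusive readme or solution: it takes Microsoft Graph-shaped objects (the WindowsDefenderATP service principal's appRoles, the playbook app's appRoleAssignments and oauth2PermissionGrants) and reports which of the permissions listed above are missing, and which granted application roles go beyond that set. All IDs and sample objects are constructed, and the function name is an assumption.

```python
# Added verification example (not part of the Illusive readme). Input objects follow
# the Microsoft Graph shapes: servicePrincipal.appRoles, appRoleAssignment and
# oAuth2PermissionGrant. All IDs and sample objects below are constructed.

REQUIRED_APPLICATION = {"Machine.Isolate", "Machine.Read.All",
                        "File.Read.All", "Machine.StopAndQuarantine"}
REQUIRED_DELEGATED = {"Machine.Isolate", "Machine.Read",
                      "File.Read.All", "Machine.StopAndQuarantine"}

def check_mde_permissions(mde_sp, app_role_assignments, oauth2_grants, client_sp_id):
    """Return missing and extra MDE permissions for the playbook app (client_sp_id)."""
    # appRoleAssignments carry only the role GUID; resolve it via the resource's appRoles.
    role_value = {r["id"]: r["value"] for r in mde_sp["appRoles"]}
    granted_app = {role_value.get(a["appRoleId"], a["appRoleId"])
                   for a in app_role_assignments
                   if a["principalId"] == client_sp_id and a["resourceId"] == mde_sp["id"]}
    # Delegated scopes count only when consented tenant-wide (admin consent),
    # which Graph records as consentType "AllPrincipals".
    granted_delegated = set()
    for g in oauth2_grants:
        if (g["clientId"] == client_sp_id and g["resourceId"] == mde_sp["id"]
                and g["consentType"] == "AllPrincipals"):
            granted_delegated.update(g["scope"].split())
    return {
        "missing_application": sorted(REQUIRED_APPLICATION - granted_app),
        "missing_delegated": sorted(REQUIRED_DELEGATED - granted_delegated),
        "extra_application": sorted(granted_app - REQUIRED_APPLICATION),
    }

# Constructed sample: admin consent covers three of four application roles,
# one unrelated role was granted, and the delegated grant lacks Machine.Read.
MDE_SP = {"id": "sp-mde-0000", "appRoles": [
    {"id": "role-1", "value": "Machine.Isolate"},
    {"id": "role-2", "value": "Machine.Read.All"},
    {"id": "role-3", "value": "File.Read.All"},
    {"id": "role-4", "value": "Machine.StopAndQuarantine"},
    {"id": "role-5", "value": "Alert.ReadWrite.All"}]}
CLIENT_SP_ID = "sp-illusive-app-0000"
ASSIGNMENTS = [{"principalId": CLIENT_SP_ID, "resourceId": "sp-mde-0000", "appRoleId": r}
               for r in ("role-1", "role-2", "role-3", "role-5")]
GRANTS = [{"clientId": CLIENT_SP_ID, "resourceId": "sp-mde-0000",
           "consentType": "AllPrincipals",
           "scope": "Machine.Isolate File.Read.All Machine.StopAndQuarantine"}]

if __name__ == "__main__":
    print(check_mde_permissions(MDE_SP, ASSIGNMENTS, GRANTS, CLIENT_SP_ID))
```

With real tenant data, fetch the three objects from Graph and pass them in unchanged; an empty "missing" list on both keys confirms the consent shown in the portal.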

Enable Microsoft Defender for Endpoint

Allow the Illusive Incident Response playbook to stop an attack by triggering an incident response from MDE.

Attention: If you use CrowdStrike as your incident response tool, you can skip this procedure.

  1. From the Azure Search bar, search for the Subscription in which MDE is installed.
  2. Click on the existing Subscription.
  3. Click Security in the Subscription menu.
  4. Ensure Microsoft Defender for Endpoint is On.
  5. If MDE is off, click Security Center.
  6. Find the Azure Defender card and click Enable Azure Defender.

[Content truncated...]
