⚠️ Illusive Active Defense

⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Solutions Index

Attribute	Value
Publisher
Support Tier
Solution Folder	Illusive Active Defense

Data Connectors
Content Items
Additional Documentation

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Content Items

This solution includes 2 content item(s) (0 in solution, 2 discovered 🔍):

Content Type	Total	In Solution	Discovered
Playbooks	2	0	2

Playbooks

Name	Description	Tables Used
Illusive-SentinelIncident-Enrichment ⚠️		-
Illusive-SentinelIncident-Response ⚠️		-

⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.

Additional Documentation

📄 Source: Illusive Active Defense/README.md

image

Illusive Active Defense Sentinel Solution

Instructions for configuring, running, and using the Illusive Active Defense Sentinel solution.

Executive summary
Basic requirements
Workflow
Locate the Sentinel workspace
Azure application setup
Generate an Illusive API key
Configure Illusive to send logs to a Linux-based syslog server
Deploy solution package or deploy playbooks
Configure the Illusive analytic rule
Access and view the playbook

Executive summary

Configure Sentinel and load custom playbooks to have Illusive open Sentinel incidents, populate them with Illusive-based information, and automate incident response.

This solution contains the following components:

Incident Enrichment playbook – leverages Sentinel analytic rules to discover Illusive-based alerts and report the associated data and forensics as Sentinel incident sets.
Use this playbook to enrich Sentinel security incidents originating from Illusive with Illusive incident and forensics information. Illusive continues to enrich relevant Sentinel incidents as new events are detected. This is done using the Illusive API resource.
Incident Response playbook – leverages CrowdStrike or Microsoft Defender for Endpoint integration to automate incident response when specified Illusive incidents are discovered.
Use this playbook to quickly stop or slow down ransomware attacks and critical incidents detected by Illusive in your organization. Upon detection, Sentinel is instructed to use the triggering process information reported by Illusive remove or kill the process. If the triggering process cannot be killed, Sentinel is instructed to isolate the host. These capabilities are available for organizations with CrowdStrike Falcon or Microsoft Defender for Endpoint.
Analytic Rule - Trigger a Sentinel alert upon detecting an Illusive event and create a Sentinel incident. The Sentinel incident will correspond to the Illusive incident and will include all subsequent associated Illusive events. The Illusive solution playbooks require the analytic rule to operate.

Basic requirements (set up in advance)

To use the Illusive Active Defense solution, you must have the following:

[Content truncated...]