Illusive-SentinelIncident-Response

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Attribute	Value
Type	Playbook
Solution	Illusive Active Defense
Source	View on GitHub

⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	3
`http`	Built-in	0	33

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Update_Sentinel_Incident_for_MDE_Host_Isolation	put	`/Incidents`	—
Update_Sentinel_Incident_for_Process_Isolation	put	`/Incidents`	—
Update_Sentinel_Incident_for_Host_Isolation	put	`/Incidents`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Generate_the_token_for_Azure_Sentinel_Incident	POST	`https://login.microsoftonline.com/@{parameters('Azure Tenant Id')}/oauth2/token`	—
Get_Illusive_Incident_Details	GET	`@{parameters('Illusive Base URL')}/api/v2/incidents/incident?incident_id=@{variables('Illusive Incident Id')}`	—
Get_incident_with_the_name	GET	`https://management.azure.com/subscriptions/@{triggerBody()?['WorkspaceSubscriptionId']}/resourceGroups/@{triggerBody()?['WorkspaceResourceGroup']}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('Workspace_Name')}/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/title eq 'Illusive Incident: @{variables('Illusive Incident Id')}'`	—
Authorize_MDE_for_Process_Isolation	POST	`https://login.microsoftonline.com/@{parameters('MDE Tenant Id')}/oauth2/v2.0/token`	—
MDE_call_to_fetch_The_Machine_Id_with_IP_for_process_for_multiple_resource	GET	`https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='@{body('Parse_Illusive_Incident_Details')?['sourceIp']}',timestamp=@{body('Parse_Illusive_Incident_Details')?['incidentTimeUTC']})`	—
MDE_call_to_fetch_The_Machine_Id_with_hostname_for_process	GET	`https://api.securitycenter.microsoft.com/api/machines/?$filter=computerDnsName eq '@{body('Parse_Illusive_Incident_Details')?['sourceHostname']}'`	—
MDE_call_to_fetch_The_Machine_Id_with_IP_for_process	GET	`https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='@{body('Parse_Illusive_Incident_Details')?['sourceIp']}',timestamp=@{body('Parse_Illusive_Incident_Details')?['incidentTimeUTC']})`	—
MDE_call_to_fetch_The_Machine_Id_with_IP_for_process_with_no_SourceHostName	GET	`https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='@{body('Parse_Illusive_Incident_Details')?['sourceIp']}',timestamp=@{body('Parse_Illusive_Incident_Details')?['incidentTimeUTC']})`	—
Get_Files_in_MDE_using_SHA256_of_the_process	GET	`https://api.securitycenter.microsoft.com/api/files/@{items('For_each_of_the_Processes')?['sha256']}`	—
Isolate_the_host_with_MDE	POST	`https://api.securitycenter.microsoft.com/api/machines/@{items('For_each')?['id']}/isolate`	—
Isolate_process_with_MDE	POST	`https://api.securitycenter.microsoft.com/api/machines/@{items('For_each')?['id']}/StopAndQuarantineFile`	—
Authorize_Crowdstrike_for_process	POST	`@{parameters('Crowdstrike Base URL')}/oauth2/token`	—
Crowdstrike_call_to_fetch_all_Processes	POST	`@{parameters('Crowdstrike Base URL')}/real-time-response/combined/batch-command/v1`	—
Crowdstrike_call_to_fetch_the_batch_Session_id	POST	`@{parameters('Crowdstrike Base URL')}/real-time-response/combined/batch-init-session/v1`	—
Isolating_the_Process_of_Crowdstrike	POST	`@{parameters('Crowdstrike Base URL')}/real-time-response/combined/batch-active-responder-command/v1`	—
Get_machine_id_using_localip	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=local_ip:'@{body('Parse_Illusive_Incident_Details')?['sourceIp']}'`	—
Crowdstrike_call_to_fetch_the_Machine_Id_with_hostname_for_Process	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=machine_domain:'@{variables('Machine Domain')}'&host:'@{variables('Machine Host')}'`	—
Crowdstrike_call_to_fetch_the_Machine_Id_with_IP_for_Process	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=local_ip:'@{body('Parse_Illusive_Incident_Details')?['sourceIp']}'`	—
Crowdstrike_call_to_fetch_the_Machine_Id_with_IP_for_Process_with_no_sourceip	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=local_ip:'@{body('Parse_Illusive_Incident_Details')?['sourceIp']}'`	—
Authorize_Crowdstrike	POST	`@{parameters('Crowdstrike Base URL')}/oauth2/token`	—
Get_machine_id_using_localip_for_Host	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=local_ip:'@{body('Parse_Illusive_Incident_Details')?['sourceIp']}'`	—
Crowdstrike_call_to_fetch_the_Machine_Id_with_hostname	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=machine_domain:'@{variables('Machine Domain')}'&host:'@{variables('Machine Host')}'`	—
Crowdstrike_call_to_fetch_the_Machine_Id_with_IP	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=local_ip:'@{body('Parse_Illusive_Incident_Details')?['sourceIp']}'`	—
Crowdstrike_call_to_fetch_the_Machine_Id_with_IP_with_no_sourceip	GET	`@{parameters('Crowdstrike Base URL')}/devices/queries/devices/v1?filter=local_ip:'@{body('Parse_Illusive_Incident_Details')?['sourceIp']}'`	—
Isolate_the_host_using_Crowdstrike	POST	`@{parameters('Crowdstrike Base URL')}/devices/entities/devices-actions/v2?action_name=contain`	—
Authorize_MDE	POST	`https://login.microsoftonline.com/@{parameters('Azure Tenant Id')}/oauth2/v2.0/token`	—
MDE_call_to_fetch_The_Machine_Id_with_IP_for_more_resources_in_Host	GET	`https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='@{body('Parse_Illusive_Incident_Details')?['sourceIp']}',timestamp=@{body('Parse_Illusive_Incident_Details')?['incidentTimeUTC']})`	—
MDE_call_to_fetch_The_Machine_Id_with_host	GET	`https://api.securitycenter.microsoft.com/api/machines/?$filter=computerDnsName eq '@{body('Parse_Illusive_Incident_Details')?['sourceHostname']}'`	—
MDE_call_to_fetch_The_Machine_Id_with_IP	GET	`https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='@{body('Parse_Illusive_Incident_Details')?['sourceIp']}',timestamp=@{body('Parse_Illusive_Incident_Details')?['incidentTimeUTC']})`	—
MDE_call_to_fetch_The_Machine_Id_with_IP_with_sourceIP	GET	`https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='@{body('Parse_Illusive_Incident_Details')?['sourceIp']}',timestamp=@{body('Parse_Illusive_Incident_Details')?['incidentTimeUTC']})`	—
Isolate_Host_using_MDE	POST	`https://api.securitycenter.microsoft.com/api/machines/@{items('For_each_resources_for_MDE')?['id']}/isolate`	—
Get_Events_of_the_Incident	GET	`@{parameters('Illusive Base URL')}/api/v1/incidents/events?incident_id=@{variables('Illusive Incident Id')}`	—
Get_Triggering_Process_of_the_Events	GET	`@{parameters('Illusive Base URL')}/api/v1/forensics/triggering_process_info?event_id=@{max(variables('EventId'))}`	—

Additional Documentation

📄 Source: Illusive-SentinelIncident-Response/readme.md

Illusive Incident Response Playbook

The Incident Response playbook leverages Sentinel analytic rules and CrowdStrike or Microsoft Defender for Endpoint integration to automate incident response when specified Illusive incidents are discovered.

Use this playbook to quickly stop or slow down ransomware attacks and critical incidents detected by Illusive in your organization. Upon detection, Sentinel is instructed to use the triggering process information reported by Illusive remove or kill the process. If the triggering process cannot be killed, Sentinel is instructed to isolate the host. These capabilities are available for organizations with CrowdStrike Falcon or Microsoft Defender for Endpoint.

Playbook workflow
Playbook execution
Access Playbook
Playbook retry mechanism

Playbook Workflow

Perform the general solution setup. (see instructions here)
Add API permissions to the Azure app
Enable Microsoft Defender for Endpoint (Only when using MDE for incident response)
Create the Illusive playbook
Connect the playbook to Azure Sentinel

Add API permissions to the Azure app

From the Azure console, find the Azure app you created to run the Illusive Sentinel Solution.

Go to API Permissions.

Click Add a permission.

Under Request API permissions>API’s my organization uses, search for and select WindowsDefenderATP, select select Delegated permissions and check the following permissions:

Machine.Isolate – to isolate device
Machine.Read – to find agent ID - to collect data from a single machine.
File.Read.All – for process handling, find and erase/stop suspicious executables
Machine.StopAndQuarantine – for process handling, find and erase/stop suspicious executables

Select Application permissions and check the following permissions:

Machine.Isolate – to isolate device
Machine.Read.All – to find agent ID – to query all machines and collect device information even if we don’t have a device ID.
File.Read.All – for process handling, find and erase/stop suspicious executables
Machine.StopAndQuarantine – for process handling, find and erase/stop suspicious executables

Click Add permissions.

Once all the API permissions are added, click Grant admin consent for Default Directory and click Yes.

Verify admin consent has been granted. This step is important, even if the admin consent status is green. Only a Global Admin can approve admin consent requests.
1. Go to Enterprise>Admin Consent requests.
2. Go to My pending and verify that this permission is not pending.
  The result should look like this:

Enable Microsoft Defender for Endpoint

Allow the Illusive Incident Response playbook to stop an attack by triggering an incident response from MDE.

Attention: If you use CrowdStrike as your incident response tool, you can skip this procedure.

From the Azure Search bar, search for the Subscription in which MDE is installed.
Click on the existing Subscription.
Click Security in the Subscription menu.
Ensure Microsoft Defender for Endpoint is On.
If MDE is off, click Security Center.
Find the Azure Defender card and click Enable Azure Defender.

[Content truncated...]