Documentation - Defused Cloud

Welcome! We are in the process of updating the documentation - please contact us with any unanswered questions.

Defused - Expand your Detection Capabilities with Better Data.

Defused is a SaaS deception platform that helps you easily build advanced detection and response capabilities.

Base features in a nutshell:

High-Fidelity Detection: Real-time alerts on suspicious activities through sophisticated detection and decoy engagement, enabling early breach detection and immediate response to prevent real damage.
Broad Coverage: Deploy customizable decoys across your network to mimic critical systems and lure attackers away from valuable assets, effectively enhancing your threat detection capabilities.
Low Overhead: Controlled via a single cloud interface, Defused is designed for busy professionals, offering efficient decoy deployment and maintenance with minimal overhead.
Multiple Deploy Modes: Defused VM & Defused Cloud Decoy provide coverage for network-level capabilities, Defused Windows Agent for host-level capabilities.

Why Defused?

Defused provides a straightforward and fast way to build high-fidelity detection capabilities into almost any type of environment, whether you run IT, OT, cloud, or any other type of infrastructure. Defused offers a plug-and-play experience for augmenting your infrastructure with an active deception layer.

In contrast to the traditional detection approach, which typically involves crunching massive amounts of logs and applying rules to detect what is bad and what is not, using an active deception layer approach moves you beyond just passively detecting and provides numerous other benefits.

First, it amplifies your threat signal quality by alerting only from activity that tries to exploit the deceptive layer.
Second, using an active approach can slow down or completely deter an attacker trying to advance through your infrastructure, directly eliminating or greatly reducing downstream breach costs.
Third, the deception layer can act as a digital security twin of your environment, producing actionable risk insights about your overall security posture.

Defused offers various capabilities that can be deployed to detect and deter attacks across the lifecycle of an attack. A capability means a specific type of active deception element used for a specific attack or tactic. Currently, Defused offers over 150 capabilities.

Most capabilities are click-and-deploy, meaning they require little to no fine-tuning, considerations for false positives, parsing, or similar efforts. Examples of active components include decoys—false but attractive-looking targets for attackers to go after. See our capabilities section for more information on what Defused offers.

Whether you are a one-person IT team or part of a larger SOC team, Defused provides you the means to expand your detection capabilities with Better Data.

Decoy Architecture

Almost all of our decoys are emulations, excluding the Attacker Engagement Module which can be used to link full environments into emulated decoys.

There are great benefits to running with an emulation-based stack. It grants high versatility in deciding what kind of signals we send back to adversaries. Take, for example, the Responder decoy, which allows you to freely choose what username and password you want to relay back to the attacker. It's a simple example, but the power of modifying your decoy infrastructure, even in response to external events, can bring significant advantages whilst removing the risk of higher-interaction honeypots & decoys.

We also believe this delivers the best risk-reward balance for defenders. It enables us to easily deliver decoys that are able to collect very specific telemetry (for example, detections of specific vulnerabilities attempted to being exploited) without having to actually run vulnerable services on your network - which would introduce a large risk of breakout and potential of being used as a propagation point.

Defused doesn't carry this class of risk.

Plans

Defused offers three distinct plans, each with its own set of features and capabilities.

You can view the capabilities offered by each plan on our pricing page.

Get Started

Decoys are a viable option for almost any location - like a specific network (financial, HR, manufacturing), DMZ, a lab environment, or similar.

Defused VM is deployed via your virtualization software, e.g. VMWare Vsphere, ESXi or similar. The Virtual Machine Applications section lists available Defused VM flavours.

Defused Cloud Decoys are deployed on top of popular cloud services, e.g. Amazon EC2.

The Defused Windows Agent runs on Windows 10 and 11, and newer Windows Server versions.

Enterprise plans have the availability to run Defused Virtual Machines in standalone mode.

I want to deploy capabilities into a virtual machine environment, such as an on-premise-type environment.

Follow the Defused VM track to deploy your first decoy server.

I want to deploy capabilities onto a cloud resource, such as AWS EC2 or similar.

Follow the Defused Cloud Decoy track to deploy the Cloud Decoy.

I want to add capabilities to a Windows machine.

Follow the Defused Windows Agent track to deploy the Cloud Decoy.

Defused VM

Defused VM is currently offered in the following formats:

KVM: Most Linux distros already have KVM kernel modules and userspace tools available through their packaging systems. This is the easiest and recommended way of using KVM. More information: https://www.linux-kvm.org/page/Downloads

Post-install Actions (Defused VM)

Logging into the Defused VM

From your host computer or server, log into your decoy server's management interface - using the setup example IP address here as an example, your local decoy server would be accessed at https://192.168.100.12/. Remember your GUI IP address may be different! You should be presented with a login screen.

XXXXXXXXXX

Linking into the Cloud

You don't have an API key yet. Generate it in Settings under "API Access".

Connecting the decoy server to the cloud is a quick and easy process.

On the left hand navigation, under Server Configuration, click Cloud.

Here, give your local decoy server a location name you can use to identify the VM (like "DMZ") and set the Poll Frequency (how often the local server should check for configuration updates from the cloud).

Now, click "Save" and then click "Poll".

Your decoy server is now registered with the cloud management interface and transmits alert activity into the cloud. Well done! You should be able to see your newly registered decoy server in the cloud management interface under Decoy Management --> Decoy Servers:

Defused VM - Deploying your First Decoy

This section is undergoing an update. Please check back later, we appreciate your patience.

Let's spin up your first decoy!

For a trial decoy, we will use the local server deploy function. On the side navigation menu, click "Decoy" (the plus sign) and simply use one of the Quick Templates to set up a test decoy. Select one of the quick templates and give it a name - then click "Quick Deploy."

Your decoy is now configured but not live yet. To deploy it onto the network, go to Settings, then Decoy Configuration and click Apply Config:

Once the apply finishes, your local decoy server is now armed with it's first decoy - and ready to capture attacks!

Testing and Updating

Testing Instructions

You can now test your local decoys by, for example, scanning them and doing test attacks against them.

Example: scanning my decoys

To view how a decoy looks on your network, you can use Nmap tool to scan the decoy. See Nmap web pages (https://nmap.org/) on installing NMAP.

After installing Nmap, use the command

$ nmap -Sv IP_ADDR

where IP_ADDR is the IP address of the decoy, to determine service/version information. On console, you should see something like the following ouput after Nmap has been executed. Exact values depend on what services/emulations you have running on the decoy's IP address.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 12:04 EET Nmap scan report for IP_ADDR Host is up (0.00012s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 25/tcp open smtp Exim smtpd 4.69 Service Info: Host: smtp.WINNT.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

Example: doing a test attack

To test an exploit decoy, you can use Metasploit Framework. See the Metasploit web pages about installing instructions for Metasploit.

After installing Metasploit Framework, use following command sequence. This example is for vulnerability CVE-1999-0512 "A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers." Substitute IP_ADDR with your decoy's IP address.

$ msfconsole msf5 > use auxiliary/scanner/smtp/smtp_enum
msf5 auxiliary(scanner/smtp/smtp_enum) > set rhosts IP_ADDR
rhosts => IP_ADDR
msf5 auxiliary(scanner/smtp/smtp_enum) > run

On console, you should see something like this when Metasploit runs the exploit sequence:

[*] 172.17.0.2:25 - 172.17.0.2:25 Banner: 220-smtp.WINNT.com ESMTP Exim 4.69 #1 Thu, 26 Mar 2020 09:59:56 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
[+] 172.17.0.2:25 - 172.17.0.2:25 Users found: , 4Dgifts, Debian-exim, Debian-snmp, EZsetup, OutOfBox, _apt, abrt, adm, admin, administrator, anon, arpwatch...
[*] 172.17.0.2:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

An alert for exploit attempt should now pop up on your local and cloud server (if the cloud server is connected.)

Example: Testing a Windows Honey File

Open a honey file, such as C:\unattend.txt, to activate the event logger.

Defused continuously scans the event logger, forwarding pertinent events to the Defused cloud dashboard as alerts.

Note: Event detection latency for honey files may extend up to 1 minute. This is because the monitoring agent prioritizes lightweight operation and checks for new events at specific time intervals.

Updating a Connected Server

Updating a cloud-connected decoy server is incredibly easy.

If updating from the local server, simply go to settings and under 'Decoy Configuration', click the 'Update Decoys' or 'Update GUI' button.

Note: the update may take a couple of minutes to complete.

Once the package install completes, the new decoy definitions in the update are ready for use.

If updating from the cloud, go to Decoy Servers and flag the "Update Decoy Engine" action on the server(s) you wish to be updated. The update will commence on the next poll cycle.

Updating a Standalone Server

Updating a standalone server (for example, a server placed into a network without internet connectivity) is also relatively straightforward.

Per the delivery mechanism chosen, you will receive a new decoy package file from us.

First, use a method of choice to transfer the new decoy package file onto the decoy server host. For example, using scp as the transfer method:

scp /path/to/image/file.tgz user@address:/opt/aves/images

Now that the new decoy package file is on the local decoy server, on the side navigation, go to Decoy Packages and select the active "default" package.

Under the package information screen, click 'Refresh' and you should see the new decoy package file under the header 'List of installable image packages'.

Click on the link to the new decoy package file and you should be presented with a overview of the new decoy package contents.

Then, simply click on "Install Package to Server" which will install the new decoy package onto the server.

Note! This may take a minute to complete.

Once the package install completes, the new decoy definitions in the package file are ready for use.

Defused Cloud Decoy Installation

Installation will take you 5-10 minutes

No-infrastucture Install NEW!

You can now deploy into the Defused Managed Decoy Network, allowing you to run Defused without infrastructure by deploying decoys into a network we manage. This provides the convenience of running our tool without the necessity of provisioning any infrastructure.

Each VM/Cloud deployable capability has an option called "Deploy To Cloud", which deploys the selected capability into our managed network.

Prerequisites

Start with a fresh install of Ubuntu (22.04 & 20.04) or Amazon Linux 2 or 2023.

More distros coming soon.

Install required Ansible packages:

Elevate yourself to root.

sudo su

Update & install Ansible.

apt update && apt install -y ansible
Elevate yourself to root.

sudo su

Update & install Ansible.

amazon-linux-extras install ansible2 -y
Elevate yourself to root.

sudo su

Update & install Ansible.

dnf install -y ansible

Download and Run the Playbook

This Content Requires An Account

You have to login to view this resource. Create a Starter account to access this other platform features.

AWS Autodeploy

If you're deploying Defused into AWS, you can pass the below bash script directly into the user data field to perform the configuration automatically.

This Content Requires An Account

You have to login to view this resource. Register for a free Starter plan to access this and other platform features.

Post-install

The installer connects the decoy directly to the Defused Cloud. No further actions are needed - you're all set!

The newly deployed decoy will be visible in the decoy servers list. The installer also automatically installs the selected decoy type and sets up alerting.

Alert Testing

This section introduces the "Live Exploit Simulation" tool, allowing you to test our alerting system by launching a safe, controlled exploit against a deployed decoy. This hands-on approach helps you understand the alert generation process and the effectiveness of the detection mechanisms in a real-life scenario.

This Content Requires An Account

You have to login to view this resource. Register for a free Starter plan to access this and other platform features.

Firewall Rules

Many cloud providers automatically open some standard ports and block others. To see which ports your selected decoy type uses, check the capabilities page. Then, ensure these ports are open on your cloud computing instance.

When using the Managed Decoy Network as the deployment method, the relevant ports are whitelisted automatically.

Defused Windows Agent Installation Guide

Installation will take you 5-10 minutes

Prerequisites

Before starting the installation process, ensure that your Windows system runs either Windows 10 or 11. An active internet connection is required for downloading additional dependencies.

Downloading the Agent

The Defused Windows Agent can be downloaded from the downloads page. Navigate to the page and locate the agent's installer, then click on it to start the download.

Agent Capabilities

The Defused Windows Agent attempts to automatically apply all available Windows Host capabilities listed under "Host Agent" on the capabilities page.

Installation Steps

The platform only stores information about the deployment paths and properties of honeyfiles to help you inventory & monitor them on target systems. Additionally, the system hostname is used to identify agent locations. No other data is collected.

1. Start a command prompt window as an Administrator.
2. Navigate to the folder you downloaded the Defused MSI installer into.
3. Install the Defused Windows Agent by running:

msiexec /i Defused.msi APIKEY= CONNECT="None"

For Defused Subscribers, if you have an existing Defused VM running you can autoconnect your Windows Capabilities to existing Decoys by adding the "CONNECT" parameter:

msiexec /i Defused.msi APIKEY= CONNECT="decoy-server-name-here"

4. The installer will run and silently boot the Defused Windows Agent in the background.

Post Installation

Upon successful installation, a notification will appear in your Defused Cloud Management Dashboard. This notification confirms the registration of the newly installed agent.

Defused Windows Agent Components

agent.exe This executable is responsible for alert monitoring. Once deployed, it continually scans for alert events and forwards them to Defused Cloud Managament for processing and potential incident creation.

generator.exe This executable generates decoy configurations locally on your system. It is only run on setup and on any update events.

clean.exe This is an uninstaller executable. Running this file will remove all deployed decoys and agents from your system, reverting it to a pre-deployment state. See the next section on how to use the uninstaller.

Uninstalling the Agent

The Defused installation package contains an uninstaller (clean.exe) which is triggered via the command line using the --apikey="your-api-key-here" syntax. It will remove all honey files from your system and uninstall the program.

Troubleshooting

If you encounter any issues during the installation or usage of the "Defused Windows Agent", refer to our troubleshooting guide or contact our support team for assistance.

Decoys

Deploy Logic

Below you will learn how the deployment works for the various deploy types Defused offers.

1. Deploying to the Defused VM

You can deploy decoys to a Virtual Machine (VM) directly from the Defused cloud platform. This allows you to send decoys from the cloud into any currently deployed and active Defused virtual machines.

Once you have one or more Defused Virtual Machines running, navigate to the Capabilities page to select and deploy capabilities into your local networks.
2. Deploying to the Windows Agent

The Defused Agent attempts to autodeploy all available capabilities where possible, providing a hands-off approach to deploying credential and other on-host decoys across your Windows endpoints.

You may view available Windows Agent capabilities on the Capabilities page by selecting and deploy capabilities into your local networks.
3. Deploy via Cloud Agent

The decoy for the Cloud Agent is provided with the deploy code. The Defused documentation provides an interactive configuration generator that can be passed, for example, to the EC2 user data field when deploying decoys into AWS environments.

Visit the Cloud Decoys section to learn more about cloud deployment and view the deploy automation configuration.

Detection Logic

The detection logic of decoys matches incoming attack traffic with the appropriate label best suited to gauge its severity.

Detection events are mapped on the decoy side to match the best hit within the decoy detection parameters. Alerts like 'Vulnerability Exploited' and 'Service Scan' can be generally considered to be highly accurate.

If a decoy has a vulnerability emulator enabled, traffic that does not exploit the vulnerability fully but is still recognized by the decoy is generally labelled as 'Possible exploit attempt.' Note that this is not a direct guarantee that the traffic was aiming to exploit, as sometimes e.g. a network scanner may trigger this in a vulnerability emulation.

Read more about the detection login in the Incidents and Alerts > Alert Overview section.

Attacker Engagement Module

The Attacker Engagement Module creates a post-exploit sandbox environment where an attacker can be dropped into for further analysis of their actions.

The Attacker Engagement Module enable monitoring and recording post-breach attacker actions in real time, and also collect any files dropped by the attacker into the shell environment.

Not all decoy types currently contain Attacker Engagement Module - the Sandbox label denotes decoys with the Attacker Engagement Module embedded when deploying via Capabilities.

Functionalities

Cloud Integration

The cloud enables management of the local decoy servers without having to actively log into the local servers.

Currently, you can remotely manage the following actions from the cloud:

Alert Aggregration (collect all alerts from all servers into the cloud)
New decoy deployment
Decoy deletion from local environments
Updating decoy definitions
Updating the GUI (coming on the next update)

The local server uses your API key to communicate into the cloud. If you haven't already, generate yourself a key in Settings. Note that the key is only visible to you when generating it, so remember to store it somewhere, e.g. a password manager or a similar solution.

When the Cloud Integration is enabled, depending on the Poll Interval variable set on the local server, the local server checks the cloud for new actions to be done based on this interval. It is recommended to set the poll interval at a fairly low number, e.g. 120 seconds.

Capabilities

The Capabilities page in Defused Cloud contains ready-made templates for quickly deploying new decoy types into your local environments. A prerequisite for using Capabilities is enabling the Cloud Integration.

Capabilities contains both individual decoy templates that can be selected for deployment one-by-one and, as a developing functionality, Decoy Bundles which deploy multiple decoy types to cover a specific capability set on the network.

Teams

Adding team members to the Defused platform enhances collaboration by enabling users to share incidents, manage them, and communicate via the incident view.

Managing Teams

To begin the process, go to the Settings tab on your dashboard.

Inside Settings, click on the Team submenu.

Creating a Team

If you are not in a team yet and wish to create one, you can create a team by clicking the "Create Team" button. This will create a team for you and make you the administrator of the team.

Adding Members

Here you can add new team members by entering their email addresses. If the email is not found on the platform, an invitation is sent to them to sign up, and on signup the user is automatically added to your team.

Only team admins can add and delete new teammembers.

Team members can share incidents with one another. This is useful for coordinating responses to issues.

Once team members are added, they can manage incidents and communicate with each other directly in the incident view.

Automation

Automation helps you discover and automate how to structure your decoy operations, for example by highlighting and automatically deploying relevant new decoy types to your decoy servers.

Automation is a beta feature and available only for Defused Enterprise Accounts.

Incidents & Alerts

Alerts

Alerts are generated when a decoy comes in touch with any sort of activity, like network traffic or user interaction. Each alert is contextually labelled with details appropriate to the decoy type - such as CVE numbers if the attack is targetting a vulnerability, MITRE ATT&CK tactics & techniques, attacker source IP (if the activity is network-based) and further information where applicable, like a raw representation of the network data. The ultimate purpose is to provide the defender with easy decision making on managing the alert(s).

It is worth considering that all Defused alerts come with a preloaded context - namely, that they are arriving from a decoy that exists purely to seek out anomalous behaviour. Depending on the type of alert, even something fairly benign-looking may warrant further investigation.

One distinct advantage Defused-sourced alerts provide is that they are extremely human-readable. Since we retain full control of what types of action the attacker can take, we can also very easily label their activities quite distinctively.

Defused provides the following taxonomy for alerts, with examples of what constitutes each activity:

Minor - For example benign network traffic, such as regular GET requests
Medium - For example active reconaissance (NMAP scans and such)
Major - For example vulnerability exploits, reverse shell spawns

As mentioned earlier, it's important to consider even minor events in their proper context. If you are operating a Defused decoy in an internal low-traffic network and receive a web request to a decoy resource, this should raise some concerns that something unusual may be happening. Additionally, if a scan begins targeting the same network from a non-authorized source, it warrants further investigation and may be a strong signal of a legitimate compromise.

Managing Alerts and Incidents

Alert Views

Defused has two ways to show you these alerts: 'Verbose' and 'Condensed.'

In 'Verbose,' you see a detailed list of every single alert. In 'Condensed,' alerts from the same attacker and close in time are grouped together for quick review. Per default, alerts are grouped by the Condensed view.

Incident Views

You can group one or more alerts into a single Incident, which lets you see the selected alerts on a single timeline. You can also easily share this Incident with your team using a special link.

If sandbox events occur, 'Incident Mode' activates automatically. This groups related alerts for you, no extra steps needed.

Forensics files

Decoys with the shell emulator enabled can collect files transferred into them by the attacker. The files become available for download for the user in the incident view tab. Files also persist on the decoy server in case the attacker attempts to delete the artifacts on the machine.

Integrations

ServiceNow

The ServiceNow integration allows you to connect your ServiceNow account to the application, enabling you to create and manage tickets directly from alerts. This integration helps streamline your incident management and ticketing process by connecting directly with your ServiceNow instance.

Configuration Status

The configuration status of the ServiceNow integration is displayed within the application. If the status is Configured, your ServiceNow account is successfully connected. If the status is Not Connected, you need to configure the integration.

Configuration Steps

Follow these steps to configure your ServiceNow integration.

ServiceNow Instance Location:
Enter the URL of your ServiceNow instance in the format https://devXXXX.service-now.com/.
ServiceNow Credentials:
Provide the username and password for your ServiceNow account.
ServiceNow Priority:
Set the priority for tickets created from the integration. Enter a value between 1 and 5.
ServiceNow Table (Optional):
Specify the ServiceNow table for the tickets. By default, tickets are created in the "incident" table. You can specify other tables like "problem" or "change."
ServiceNow Caller ID:
Enter the caller ID for the tickets. Leave this field empty to use the default test account.

After filling in the required fields, click Link Accounts or Update Config to save your settings.

Usage

Once configured, the "Create Incident (ServiceNow)" button becomes available in each of the alert views.

Troubleshooting

If you encounter any issues with the integration, check the following:

Ensure that your ServiceNow instance URL is correct and accessible.
Verify that your ServiceNow credentials are valid and have the necessary permissions.
Check if the ServiceNow instance allows API access and if the user has appropriate roles.
Refer to the ServiceNow documentation for additional troubleshooting steps.

Slack

The Slack integration allows you to send events and alerts directly to a Slack channel of choice using an incoming webhook. This integration helps you keep your team updated in real-time by sending critical notifications to your preferred Slack channel.

Configuration Status

The status of the Slack integration is displayed within the application. If the status is Configured, your Slack webhook is successfully set up. If the status is Not Connected, you need to configure the webhook.

Configuration Steps

Follow these steps to configure the Slack integration using an incoming webhook.

Click the "Add to Slack" Button
Use the "Add to Slack" button in the Slack Integration page to initiate the Slack incoming webhook setup.
Authorize the App and Select a Channel
A new window will open, prompting you to select a Slack workspace and authorize the Defused Slackbot. You will need to have sufficient user privileges on the select workspace for installing the Defused Slackbot.
You will also choose a Slack channel where you want to send alerts.

Once authorized, a webhook URL will be automatically generated and configured in your Defused app. This URL will be used to send events to your Slack channel. A notification will confirm the Defused App has been added to your selected channel.

Selecting an Interval

Once you have enabled the incoming webhook, you may configure the frequency of the webhook triggering. The default is 60 minutes, meaning each alert severity will only trigger once during this interval.

Email

The Email integration allows you to receive alerts and notifications directly to your preferred email address. This ensures you are kept informed of critical events even when you are not actively monitoring the application.

Configuration Status

The status of the Email integration is displayed within the application. If the status is Configured, your email forwarding is successfully set up. If the status is Not Configured, you need to enable the email integration.

Configuration Steps

Follow these steps to configure the Email integration for forwarding alerts.

Navigate to the Email Integration Page
Go to the Email Integration page in your application.
Enable the Email Integration
Click the "Enable" slider to activate email forwarding. This will turn on the functionality to send alerts and notifications to your email address.
Configure Email Settings (Optional)
Optionally, you can configure the email interval and external address forwarding. These settings allow you to customize the frequency of email alerts and specify an alternative email address for notifications.
- Frequency (minutes): Set the interval at which you want to receive email notifications. Each alert severity will trigger an email once within this frequency. The default is 60 minutes.
- External Address Forwarding: Enter external email addresses if you prefer to forward alert email to different addresses from the email specified in your Defused account.

Webhooks

Webhooks allow you to define HTTP endpoints that are triggered automatically when specific Defused alert events occur.

Webhook Configuration Fields

Webhook Name (required)

This name is used internally to differentiate between different webhooks. Choose a descriptive name that reflects the purpose or the alert type the webhook is associated with.

Webhook URL (required)

Enter the full URL (including the protocol, e.g., https:// of the endpoint that will receive the webhook data. This URL must be accessible from the internet and capable of handling HTTP POST requests.

HTTP Auth

HTTP Authentication provides three options for authentication:

(None: No authentication required.)
Basic: Basic HTTP authentication using a username and password.
Bearer: Bearer token authentication for secure access.
API Key: Authentication using an API key included in the request headers.

Select the appropriate authentication method based on your webhook endpoint's security requirements.

Headers These headers can be used to provide additional context or authentication information required by the receiving endpoint. Headers may be added by clickling the "Add Header" button, after which two input fields for keys and values are added. You may add multiple custom headers.

Defused Alert Fields

Defused alert fields are automatically included in the webhook payload and provide detailed information about the alert event. These fields are enclosed within <<>> symbols in the JSON data and should not be modified.

Alert Type

Example:"alert": "Vulnerability Exploited"

Attacker IP

Example:"attackerip": "192.168.1.10"

Decoy IP

Example:"decoyip": "10.0.0.5"

Decoy Name

Example:"decoyname": "Decoy-Server-01"

Datetime

Example:"datetime": "2024-06-08T14:32:00Z"

Location

Example:"location": "Data Center 1"

Raw Data

Example:"rawdata": "{ 'event': 'suspicious_activity', 'details': '...' }"

JSON Data Field

Users can add their own JSON elements to the webhook payload. The defused alert fields enclosed within <<>> symbols must remain unchanged. You can add any custom fields or modify existing ones, as long as the defused alert fields are preserved.

{
  "alert": "<>",
  "attackerip": "<>",
  "decoyip": "<>",
  "decoyname": "<>",
  "datetime": "<>",
  "location": "<>",
  "rawdata": "<>",
  "customfield": "Your value here"
}

HTTP Representation & Copy as cURL

An HTTP Representation of your currently configured webhook is displayed at the end of the form:

curl -X POST "YOUR_WEBHOOK_URL" \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer YOUR_TOKEN" \
            -d '{ 
                "Alert Type": "<>", 
                "Attacker IP": "<>", 
                "Decoy IP": "<>", 
                "Decoy Name": "<>", 
                "Datetime": "<>", 
                "Location": "<>", 
                "Raw Data": "<>",
                "Custom Field": "Your value here" 
            }'

Clicking "Copy as cURL" copies your webhook as a cURL command, enabling easy testing of the endpoint you're adding the webhook to.

Save Webhook

After filling out all the required fields, click the "Save Webhook" button to save your configuration. This will ensure that your webhook is triggered when an alert event matching your criteria occurs.

Troubleshooting & FAQ

This Content Requires An Account

You have to login to view this resource. Register for a free Starter plan to access this and other platform features.

Upgrade Options

Defused Tactical

The Defused Tactical Layer offers an extensive set of capabilities designed to enhance your security posture. With a total of 140 capabilities, this layer provides a comprehensive solution for both external and internal threat detection and mitigation.

Monthly Price From: $999 (excl. VAT)
External and Internal: Coverage for both environments
Up to 10 Decoy Servers: Deploy up to 10 decoy servers to mislead and detect adversaries
All Decoy Server Capabilities: Includes the full range of decoy server functionalities
Premium Support: Access to dedicated support services
Tailoring as an Added Option: Customization options available to fit your specific needs
Integrations (excl. AD): Supports multiple integrations excluding Active Directory

You may upgrade to Defused Tactical using the in-app Upgrade button, located in the dropdown menu in the top right corner.

Defused Enterprise

The Defused Enterprise Layer is tailored for large-scale operations, offering a robust set of capabilities that ensure comprehensive protection across your entire infrastructure. This layer is ideal for organizations needing extensive coverage and advanced features.

External, Internal, and Identity: Comprehensive coverage for all environments and identity management
Unlimited Servers and Agents: Deploy an unlimited number of servers and agents for maximum flexibility
Enterprise Support: Access to high-level, priority support services
Limited Tailoring Included: Includes customization options to suit your organization’s needs
Integrations: Supports a wide range of integrations for seamless operation
Role-based Administration: Advanced administration with role-based access control

Please schedule an interactive session with us to discuss upgrading to Defused Enterprise.

Alerts 0

Decoys

Deployed

Capabilities

Integrations

Docs

Settings

Events 0

Defused - Expand your Detection Capabilities with Better Data.

Why Defused?

Decoy Architecture

Plans

Get Started

Defused VM

Virtual Machine Applications

This Content Requires An Account

Defused VM - VMWare (Starter)

Video Tutorial

This Content Requires An Account

Prerequisites

Download the Files

Unzip the File

Open in VMware Workstation

Power On the Virtual Machine

After Powering on the Defused VM

Defused VM - ESXi

Prerequisites

Login & Create

Select Files & Storage

Port Group & Network Settings

Power on your VM

Starting the Decoy Server (non-autoconfig)

Using the Defused VM - KVM

Prerequisites

This Content Requires An Account

Installing the Server

Starting the Decoy Server

Inside the Decoy Server

Networking Setup

Defused VM - Hyper-V

Prerequisites

Create the Decoy Server Virtual Machine

Specify Name and Location

Specify Generation

Assign Memory

Connect Virtual Hard Disk

Finish

Before Powering on Your Defused Server

Networking – Test Setup

Networking – Production Setup

Boot Order

Connecting your Defused Server to the network

Starting the Decoy Server

Post-install Actions (Defused VM)

Logging into the Defused VM

Linking into the Cloud

Defused VM - Deploying your First Decoy

Testing and Updating

Testing Instructions

Example: scanning my decoys

Example: doing a test attack

Example: Testing a Windows Honey File

Updating a Connected Server

Updating a Standalone Server

Defused Cloud Decoy Installation

No-infrastucture Install NEW!

Prerequisites

Download and Run the Playbook

This Content Requires An Account

AWS Autodeploy

This Content Requires An Account

Post-install

Alert Testing

This Content Requires An Account

Firewall Rules

Defused Windows Agent Installation Guide

Prerequisites

Downloading the Agent

Agent Capabilities

Installation Steps