    Welcome! We are in the process of updating the documentation - please contact us with any unanswered questions.

    Defused - Expand your Detection Capabilities with Better Data.

    Defused is a SaaS deception platform that helps you easily build advanced detection and response capabilities.

    Base features in a nutshell:

    • High-Fidelity Detection: Real-time alerts on suspicious activities through sophisticated detection and decoy engagement, enabling early breach detection and immediate response to prevent real damage.
    • Broad Coverage: Deploy customizable decoys across your network to mimic critical systems and lure attackers away from valuable assets, effectively enhancing your threat detection capabilities.
    • Low Overhead: Controlled via a single cloud interface, Defused is designed for busy professionals, offering efficient decoy deployment and maintenance with minimal overhead.
    • Multiple Deploy Modes: Defused VM and Defused Cloud Decoy provide network-level capabilities; the Defused Windows Agent provides host-level capabilities.

    Why Defused?

    Defused provides a straightforward and fast way to build high-fidelity detection capabilities into almost any type of environment, whether you run IT, OT, cloud, or any other type of infrastructure. Defused offers a plug-and-play experience for augmenting your infrastructure with an active deception layer.

    In contrast to the traditional detection approach, which typically involves crunching massive amounts of logs and applying rules to detect what is bad and what is not, using an active deception layer approach moves you beyond just passively detecting and provides numerous other benefits.

    First, it amplifies your threat signal quality by alerting only from activity that tries to exploit the deceptive layer. Second, using an active approach can slow down or completely deter an attacker trying to advance through your infrastructure, directly eliminating or greatly reducing downstream breach costs. Third, the deception layer can act as a digital security twin of your environment, producing actionable risk insights about your overall security posture.

    Defused offers various capabilities that can be deployed to detect and deter attacks across the lifecycle of an attack. A capability means a specific type of active deception element used for a specific attack or tactic. Currently, Defused offers over 150 capabilities.

    Most capabilities are click-and-deploy, meaning they require little to no fine-tuning, considerations for false positives, parsing, or similar efforts. Examples of active components include decoys—false but attractive-looking targets for attackers to go after. See our capabilities section for more information on what Defused offers.

    Whether you are a one-person IT team or part of a larger SOC team, Defused provides you the means to expand your detection capabilities with Better Data.

    Account Types

    Defused offers three distinct account types, each with its own set of features and capabilities.

    You can view the capabilities offered by each account level on our pricing page.

    Get Started

    Decoys can usually be deployed into any location - like a specific network (financial, HR, manufacturing), DMZ, a lab environment, or similar.

    The Defused Windows Agent runs on Windows 10 and 11.

    Defused VM is deployed via your virtualization software, e.g. VMware vSphere, ESXi or similar. The Virtual Machine Images section lists the available Defused VM flavours.

    The other main deployment line is using the Defused Cloud Decoy to deploy on top of popular cloud services, e.g. Amazon EC2.

    Tactical and Enterprise accounts can opt to run their Defused VMs in standalone mode (for example in a network without internet connectivity; see Updating a Standalone Server).

    I want to deploy capabilities into a virtual machine environment, such as an on-premise-type environment.

    Follow the Defused VM track to deploy your first decoy server.

    I want to deploy capabilities onto a cloud resource, such as AWS EC2 or similar.

    Follow the Defused Cloud Decoy track to deploy the Cloud Decoy.

    I want to add capabilities to a Windows machine.

    Follow the Defused Windows Agent track to deploy the Windows Agent.

    Defused Cloud Decoy Installation

    Installation will take you 5-10 minutes.

    No-infrastructure Install NEW!

    You can now deploy into the Defused Managed Decoy Network, which lets you test Defused by deploying decoys into a network we manage, without provisioning any infrastructure. After 1 hour, both the decoys and the network they reside on are torn down automatically.

    Each VM/Cloud deployable capability has an option called "Deploy To Cloud", which deploys the selected capability into our managed network.

    Prerequisites

    Start with a fresh install of Ubuntu (22.04 or 20.04), Amazon Linux 2 or Amazon Linux 2023.

    More distros coming soon.

    Install Ansible for your distribution:

    • Ubuntu 22.04 / 20.04: elevate yourself to root, then update the package index and install Ansible.

      sudo su

      apt update && apt install -y ansible

    • Amazon Linux 2: elevate yourself to root, then install Ansible from the extras repository.

      sudo su

      amazon-linux-extras install ansible2 -y

    • Amazon Linux 2023: elevate yourself to root, then install Ansible.

      sudo su

      dnf install -y ansible

    Download and Run the Playbook

    (Log in or create a free community account to view this resource.)

    AWS Autodeploy

    If you're deploying Defused into AWS, you can pass the below bash script directly into the user data field to perform the configuration automatically.

    (Log in or create a free community account to view this resource.)

    Post-install

    The installer connects the decoy directly to the Defused Cloud. No further actions are needed - you're all set!

    The newly deployed decoy will be visible in the decoy servers list. The installer also automatically installs the selected decoy type and sets up alerting.

    Alert Testing

    This section introduces the "Live Exploit Simulation" tool, allowing you to test our alerting system by launching a safe, controlled exploit against a deployed decoy. This hands-on approach helps you understand the alert generation process and the effectiveness of the detection mechanisms in a real-life scenario.

    (Log in or create a free community account to view this resource.)

    Firewall Rules

    Many cloud providers open some standard ports by default and block others. To see which ports your selected decoy type listens on, check the capabilities page, then make sure those ports are reachable on your cloud instance (security group or firewall rules). Open only the decoy's own ports; keep management access such as SSH restricted to your administrative addresses.

    When using the Managed Decoy Network as the deployment method, the relevant ports are whitelisted automatically.

    Defused Windows Agent Installation Guide

    Installation will take you 5-10 minutes.

    Prerequisites

    Before starting the installation process, ensure that your Windows system runs either Windows 10 or 11. An active internet connection is required for downloading additional dependencies.

    Downloading the Agent

    The Defused Windows Agent can be downloaded from the downloads page. Navigate to the page and locate the agent's installer, then click on it to start the download.

    Agent Capabilities

    The Defused Windows Agent attempts to automatically apply all available Windows Host capabilities listed under "Host Agent" on the capabilities page.

    Installation Steps

    The platform only stores information about the deployment paths and properties of honeyfiles to help you inventory & monitor them on target systems. Additionally, the system hostname is used to identify agent locations. No other data is collected.

    1. Start a command prompt window as an Administrator.
    2. Navigate to the folder you downloaded the Defused MSI installer into.
    3. Install the Defused Windows Agent by running the following (substitute your own API key):

    msiexec /i Defused.msi APIKEY="your-api-key-here" CONNECT="None"

    For Defused subscribers with an existing Defused VM running, you can connect your Windows capabilities to existing decoys by setting the CONNECT parameter to the decoy server's name:

    msiexec /i Defused.msi APIKEY="your-api-key-here" CONNECT="decoy-server-name-here"

    4. The installer runs silently and starts the Defused Windows Agent in the background.

    Post Installation

    Upon successful installation, a notification will appear in your Defused Cloud Management Dashboard. This notification confirms the registration of the newly installed agent.

    Defused Windows Agent Components

    agent.exe This executable is responsible for alert monitoring. Once deployed, it continually scans for alert events and forwards them to Defused Cloud Management for processing and potential incident creation.

    generator.exe This executable generates decoy configurations locally on your system. It is only run on setup and on any update events.

    clean.exe This is an uninstaller executable. Running this file will remove all deployed decoys and agents from your system, reverting it to a pre-deployment state. See the next section on how to use the uninstaller.

    Uninstalling the Agent

    The Defused installation package contains an uninstaller (clean.exe). Run it from the command line with your API key:

    clean.exe --apikey="your-api-key-here"

    It removes all honey files from your system and uninstalls the program.

    Troubleshooting

    If you encounter any issues during the installation or usage of the "Defused Windows Agent", refer to our troubleshooting guide or contact our support team for assistance.

    Defused VM

    Installation will take you 20-30 minutes.

    Defused VM is currently offered in the following formats:

    KVM
    Most Linux distros already have KVM kernel modules and userspace tools available through their packaging systems. This is the easiest and recommended way of using KVM. More information: https://www.linux-kvm.org/page/Downloads
    VMWare
    Images for platforms like ESXi, Workstation and VMware Player are available.
    Hyper-V
    An image for Hyper-V Manager is available.

    Virtual Machine Images

    (Log in or create a free community account to view this resource.)

    When you've downloaded your image, find the install instructions for your platform in the sections below (KVM, ESXi, Hyper-V).

    Using the Defused VM - KVM

    Prerequisites

    An additional installer script is provided to get up and running as fast as possible.

    The local install script (aves-freemium.sh) automates much of the decoy installation procedure. Download it and place it in the same folder as your decoy server image:

    (Log in or create a free community account to view this resource.)

    First, ensure you have the necessary KVM packages on the host machine.

    • In Fedora/CentOS:

      yum -y install virt-viewer virt-manager qemu-kvm bridge-utils net-tools virt-install libvirt

    • In Debian/Ubuntu:

      apt install -y virt-viewer virt-manager qemu-kvm bridge-utils net-tools virtinst libvirt-daemon-system

    • Installing the Server

      Once all necessary KVM packages are installed onto the host, copy/move the decoy server image (.qcow2) and your install script (.sh) into the following directory:

      cp aves-freemium.* /var/lib/libvirt/images/

      Now, jump into /var/lib/libvirt/images and edit the decoy server's ethernet interface according to your host machine interface:

      cd /var/lib/libvirt/images

      ip addr #your ethernet interface should start with "eth*", "eno*", "ens*", "enp*" or similar

      sudo nano aves-freemium.sh # edit ethernet interfaces here

      When editing aves-freemium.sh, change MANAGEMENT_INTERFACE and DECOY_INTERFACE according to your ethernet interface(s) (e.g. enp2s0).

      Starting the Decoy Server

      In /var/lib/libvirt/images on the host machine:

      chmod a+x aves-freemium.sh

      sudo ./aves-freemium.sh

      Your decoy server should now install and start.

      Inside the Decoy Server

      If you're using a graphical desktop, the decoy server (KVM) window should pop up automatically after executing aves-freemium.sh. If not:

      1) Use virt-manager to connect to the KVM graphical desktop, or
      2) use the virtual machine console for a text-based connection:

      virsh console aves-freemium

      There should be a login prompt when the server has successfully started. Log in with the user/password combination supplied with your image (sign up to view the freemium password). Remember to change this password after your first login.

      user: [decoy-server-user], password: [decoy-server-password]

      sudo su   # enter [decoy-server-password] when prompted

      Networking Setup

      Now, we'll set up networking inside the decoy server image.

      Run our networking script inside the decoy server image to auto-setup networking:

      sudo /opt/aves/avestool -d #this generates /opt/aves/aves.conf

      Check which IP address was set up for your decoy server:

      ip a   # note the IP address; the management GUI is served on it

      This is the address where you can access your decoy server's management interface. We will visit it shortly to connect your decoy server to your cloud management. Finally, reboot the decoy server to ensure it is configured correctly:

      sudo reboot #Restart KVM

      Your decoy server networking is now set up. It may take a couple of minutes to reboot. You can now jump to the Logging into the Defused VM section.

      Defused VM - ESXi

      Prerequisites

      This guide assumes you have the VMware ESXi installed.

      • Login & Create

        Login to the ESXi host and right click Virtual Machines - then click Create/Register VM.

      • Select Files & Storage

        Give the virtual machine a name then click Click to select files or drag/drop.

        Locate the *.ovf and *.vmdk files that make up your VM, select them.

        Select a datastore to store the virtual machine on, then click Next.

      • Port Group & Network Settings

        Note! These settings are required for the decoys to have proper networking.

        Right-click Networking in the VMware Host Client inventory and click Add port group from the pop-up menu.

        Enter a name for the new port group.

        Set the VLAN ID to configure VLAN handling in the port group.

        Select a virtual switch from the drop-down menu.

        Expand Security and set the following options to Accept:

        • Promiscuous mode
        • MAC address changes
        • Forged transmits

        These settings let the decoy VM present additional MAC and IP addresses on the network. Because they also let any VM attached to this port group see and spoof traffic on it, keep the decoy server on a dedicated port group rather than sharing one with production VMs.

        Click Add.

        Your port group is created.

      • Power on your VM

        You can now power on your VM.

      • Starting the Decoy Server

        Now that the server is running, we'll set up networking inside the decoy server image. Log in with the default freemium credentials (sign up to view the password):

        user: [decoy-server-user], password: [decoy-server-password]

        sudo su   # enter [decoy-server-password] when prompted

        Run our networking script inside the decoy server image to auto-setup networking:

        /opt/aves/avestool -d

        Check which IP address was set up for your decoy server:

        ip a

        This is the address where you can access your decoy server's management interface. Before logging into the GUI, reboot the decoy server to ensure it is configured correctly:

        reboot

        Your decoy server networking is now set up. It may take a minute to reboot.

        You can now jump over to the section Logging into the Local Server.

        Defused VM - Hyper-V

        Prerequisites

        This guide assumes you have the Hyper-V Manager installed.

        Create the Decoy Server Virtual Machine

        Open Hyper-V Manager and create a new virtual machine with the following settings:

        • Specify Name and Location

          Give your virtual machine a name of your choosing (e.g. DefusedVM1).

        • Specify Generation

          Select Generation 1.

        • Assign Memory

          We suggest a minimum of 2048MB for the VM. You can keep dynamic memory checked.

        • Connect Virtual Hard Disk

          Select “Use an existing virtual hard disk” and set it to the Defused virtual hard disk file provided to you.

        • Finish

          You can now click “Finish” and complete the install.

        Before Powering on Your Defused Server

        There are a few extra configurations needed before powering on the Defused Server.

        Networking – Test Setup

        For testing purposes, a simple flat network setup will be sufficient. In the Hyper-V Manager, go to "Virtual Switch Manager" and create a new External virtual switch, then connect it to your network adapter of choice.

        This setup will make both the management UI and the decoys available in the same network as your host machine (i.e. the machine running your Hyper-V Manager.)

        Networking – Production Setup

        For production deployments, we highly recommend putting the decoy interface and the management interface into separate networks. For Defused customers, we offer complimentary networking help over Zoom; please consult us for suggestions on how to set your decoys up in the safest manner.

        Boot Order

        Set “IDE” to be on the top of the boot order list.

        Connecting your Defused Server to the network

        If you did not already have a ready virtual network switch when creating the virtual machine, right click on your Defused VM on the main screen of Hyper-V Manager and click “Settings.”

        Under the list of hardware, find “Network Adapter” and change the virtual switch from “not connected” to the new virtual switch created in the above step.

        Before clicking “Apply”, make sure to also enable MAC address spoofing under the “Advanced Features” tab; as with the ESXi port group settings, the decoys need this for proper networking.

        Click apply and your networking setup will be done.

        You can now power on the VM.

        Starting the Decoy Server

        Now that the server is running, we'll set up networking inside the decoy server image. Log in with your supplied credentials:

        user: [decoy-server-user], password: [decoy-server-password]

        sudo su   # enter [decoy-server-password] when prompted

        Run our networking script inside the decoy server image to auto-setup networking:

        /opt/aves/avestool -d

        Check which IP address was set up for your decoy server:

        ip a

        This is the address where you can access your decoy server's management interface. Before logging into the GUI, reboot the decoy server to ensure it is configured correctly:

        reboot

        Your decoy server networking is now set up. It may take a minute to reboot.

        You can now jump over to the section Logging into the Local Server.

    Post-install Actions (Defused VM)

    Logging into the Defused VM

    From your host computer or server, log into your decoy server's management interface. Using the setup example IP address, the local decoy server would be accessed at https://192.168.100.12/; your GUI IP address may be different! You should be presented with a login screen.

    Log in with the default credentials (sign up to view them). Change them after your first login.

    Linking into the Cloud

    If you don't have an API key yet, generate one in Settings under "API Access".

    Connecting the decoy server to the cloud is a quick and easy process.

    On the left hand navigation, under Server Configuration, click Cloud.

    Here, give your local decoy server a location name (like "DMZ") and set the Poll Frequency (how often the local server should check for configuration updates from the cloud).


    Now, click "Save" and then click "Poll".

    Your decoy server is now registered with the cloud management interface and transmits alert activity into the cloud. Well done! You should be able to see your newly registered decoy server in the cloud management interface under Decoy Management --> Decoy Servers:


    Defused VM - Deploying your First Decoy

    This section is undergoing an update. Please check back later, we appreciate your patience.

    Let's spin up your first decoy!

    For a trial decoy, we will use the local server deploy function. On the side navigation menu, click "Decoy" (the plus sign) and simply use one of the Quick Templates to set up a test decoy. Select one of the quick templates and give it a name - then click "Quick Deploy."


    Your decoy is now configured but not live yet. To deploy it onto the network, go to Settings, then Decoy Configuration and click Apply Config:


    Once the apply finishes, your local decoy server is armed with its first decoy and ready to capture attacks!

    Testing and Updating

    Testing Instructions

    You can now test your local decoys by, for example, scanning them and doing test attacks against them.

    Example: scanning my decoys

    To view how a decoy looks on your network, you can scan it with the Nmap tool. See the Nmap web pages (https://nmap.org/) for installation instructions.

    After installing Nmap, use the command

    $ nmap -sV IP_ADDR

    where IP_ADDR is the IP address of the decoy, to determine service/version information (the option is -sV, lowercase s). On the console you should see output like the following after Nmap has run. Exact values depend on which services/emulations are running on the decoy's IP address.

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 12:04 EET
    Nmap scan report for IP_ADDR
    Host is up (0.00012s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    25/tcp open  smtp    Exim smtpd 4.69
    Service Info: Host: smtp.WINNT.com

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

    Example: doing a test attack

    To test an exploit decoy, you can use the Metasploit Framework. See the Metasploit web pages for installation instructions.

    After installing the Metasploit Framework, use the following command sequence. This example targets a decoy emulating CVE-1999-0512 ("A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers."); the smtp_enum module probes the decoy's SMTP service for valid user names, which is enough to trigger the decoy. Substitute IP_ADDR with your decoy's IP address.

    $ msfconsole
    msf5 > use auxiliary/scanner/smtp/smtp_enum
    msf5 auxiliary(scanner/smtp/smtp_enum) > set rhosts IP_ADDR
    rhosts => IP_ADDR
    msf5 auxiliary(scanner/smtp/smtp_enum) > run

    On the console you should see something like this when Metasploit runs the module:

    [*] 172.17.0.2:25 - 172.17.0.2:25 Banner: 220-smtp.WINNT.com ESMTP Exim 4.69 #1 Thu, 26 Mar 2020 09:59:56 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
    [+] 172.17.0.2:25 - 172.17.0.2:25 Users found: , 4Dgifts, Debian-exim, Debian-snmp, EZsetup, OutOfBox, _apt, abrt, adm, admin, administrator, anon, arpwatch...
    [*] 172.17.0.2:25 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    An alert for the exploit attempt should now pop up on your local server and, if it is connected, on the cloud server.
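    The same probe the smtp_enum module performs, written out as an added example (not part of the original documentation and not Defused's own code): it connects to an SMTP service, reads the banner and issues VRFY for each candidate user, reporting the ones the server acknowledges. To keep it runnable offline, it includes a constructed fake decoy on a loopback port whose banner and user list mimic the Metasploit output above; point smtp_enum() at your decoy's IP_ADDR and port 25 to run it for real, and expect the decoy to raise the same alert.

```python
"""Added example: probe an SMTP decoy the way auxiliary/scanner/smtp/smtp_enum does.

A fake decoy (constructed, mimicking the Exim banner in the Metasploit output above)
runs on a loopback port so the probe can be exercised offline.
"""
import socket
import socketserver
import threading

# Constructed decoy responses; not captured from a real Defused decoy.
DECOY_BANNER = [
    "220-smtp.WINNT.com ESMTP Exim 4.69 #1 Thu, 26 Mar 2020 09:59:56 +0000",
    "220-We do not authorize the use of this system to transport unsolicited,",
    "220 and/or bulk e-mail.",
]
DECOY_USERS = {"admin", "root", "Debian-exim"}  # accounts the fake decoy "knows"


class FakeSmtpDecoy(socketserver.StreamRequestHandler):
    """Just enough SMTP (HELO/EHLO, VRFY, QUIT) to answer an enumeration probe."""

    def _send(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        for line in DECOY_BANNER:
            self._send(line)
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self._send("250 smtp.WINNT.com Hello " + arg)
            elif verb == "VRFY":
                # A real decoy logs this command: VRFY is what smtp_enum relies on.
                if arg in DECOY_USERS:
                    self._send(f"250 <{arg}@smtp.WINNT.com>")
                else:
                    self._send("550 Unknown user")
            elif verb == "QUIT":
                self._send("221 smtp.WINNT.com closing connection")
                return
            else:
                self._send("502 Command not implemented")


def start_fake_decoy():
    """Serve the fake decoy on a loopback ephemeral port; returns (host, port, server)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpDecoy)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return host, port, server


def _read_reply(rfile):
    """Read one SMTP reply, multi-line included ("220-..." continues, "220 ..." ends)."""
    lines = []
    while True:
        line = rfile.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def smtp_enum(host, port, candidates, timeout=5.0):
    """VRFY each candidate; returns (banner_text, users_found), as smtp_enum reports them."""
    found = []
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rfile:
        _, banner = _read_reply(rfile)
        sock.sendall(b"HELO probe.local\r\n")
        _read_reply(rfile)
        for user in candidates:
            sock.sendall(f"VRFY {user}\r\n".encode())
            code, _ = _read_reply(rfile)
            if code in ("250", "251", "252"):  # 252: server will accept mail but cannot verify
                found.append(user)
        sock.sendall(b"QUIT\r\n")
        _read_reply(rfile)
    return "\n".join(banner), found


def demo(candidates=("admin", "nobody", "root", "Debian-exim")):
    """Start the fake decoy, enumerate against it, tear it down; returns (banner, users_found)."""
    host, port, server = start_fake_decoy()
    try:
        return smtp_enum(host, port, list(candidates))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    banner, users = demo()
    print(banner)
    print("Users found:", ", ".join(users))
```

    Every VRFY the probe sends is a command a legitimate mail client never issues against a decoy, which is why the decoy can alert on it with confidence; the 252 handling matters against real MTAs, which often refuse to confirm accounts yet still accept mail for them.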

    Example: Testing a Windows Honey File

    Open a honey file, such as C:\unattend.txt, to activate the event logger.

    Defused continuously scans the event logger, forwarding pertinent events to the Defused cloud dashboard as alerts.

    Note: Event detection latency for honey files may extend up to 1 minute. This is because the monitoring agent prioritizes lightweight operation and checks for new events at specific time intervals.

    Updating a Connected Server

    Updating a cloud-connected decoy server is straightforward.

    If updating from the local server, simply go to settings and under 'Decoy Configuration', click the 'Update Decoys' or 'Update GUI' button.

    Note: the update may take a couple of minutes to complete.

    Once the package install completes, the new decoy definitions in the update are ready for use.

    If updating from the cloud, go to Decoy Servers and flag the "Update Decoy Engine" action on the server(s) you wish to be updated. The update will commence on the next poll cycle.

    Updating a Standalone Server

    Updating a standalone server (for example, a server placed into a network without internet connectivity) is also relatively straightforward.

    Per the delivery mechanism chosen, you will receive a new decoy package file from us.

    First, use a method of choice to transfer the new decoy package file onto the decoy server host. For example, using scp as the transfer method:

    scp /path/to/image/file.tgz user@address:/opt/aves/images

    Now that the new decoy package file is on the local decoy server, on the side navigation, go to Decoy Packages and select the active "default" package.

    Under the package information screen, click 'Refresh' and you should see the new decoy package file under the header 'List of installable image packages'.

    Click on the link to the new decoy package file and you should be presented with an overview of the new decoy package contents.

    Then, simply click on "Install Package to Server" which will install the new decoy package onto the server.

    Note! This may take a minute to complete.

    Once the package install completes, the new decoy definitions in the package file are ready for use.

    Decoys

    Deploy How-To

    If you followed the documentation on your first deployment, you'll already be aware that you can deploy decoys both from the local Decoy Server as well as from the Capabilities page (if the local Decoy Server is connected to Defused Cloud.)

    Detection Logic

    The detection logic of decoys matches incoming attack traffic with the appropriate label best suited to gauge its severity.

    Detection events are mapped on the decoy side to match the best hit within the decoy detection parameters. Alerts like 'Vulnerability Exploited' and 'Service Scan' can be generally considered to be highly accurate.

    If a decoy has a vulnerability emulator enabled, traffic that does not exploit the vulnerability fully but is still recognized by the decoy is generally labelled as 'Possible exploit attempt.' Note that this is not a direct guarantee that the traffic was aiming to exploit, as sometimes e.g. a network scanner may trigger this in a vulnerability emulation.
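    To make the labelling rules above concrete, here is an added illustrative classifier (not Defused's detection parameters) for the SMTP decoy used in the testing examples: a pure connect/HELO/QUIT session is a Service Scan, VRFY/EXPN probing is a Possible exploit attempt, and relaying mail from an external sender to an external recipient counts as the emulated vulnerability (CVE-1999-0512) actually being exploited. The session transcripts are constructed. Note the Nmap case: its VRFY probes land in 'Possible exploit attempt', which is exactly the ambiguity the paragraph above warns about.

```python
"""Added example: label one decoy session the way the detection logic above describes.

Rules and transcripts are illustrative (constructed), not Defused's own detection
parameters; they target the SMTP decoy used in the testing examples earlier.
"""
import re

DECOY_DOMAIN = "smtp.winnt.com"   # the decoy's own mail domain, taken from its banner

# Severity ranking: when several rules match one session, the highest label wins.
LABELS = ["Service Scan", "Possible exploit attempt", "Vulnerability Exploited"]

_ADDR = re.compile(r"([^<>\s@]+)@([^<>\s]+)")


def _mail_domain(arg):
    """Domain of the address in a MAIL FROM: / RCPT TO: argument, lower-cased, or None."""
    m = _ADDR.search(arg)
    return m.group(2).lower() if m else None


def label_session(commands, local_domain=DECOY_DOMAIN):
    """Return (label, reasons) for the client-side commands of one decoy session."""
    rank = 0
    reasons = ["traffic reached a decoy that no legitimate client should contact"]
    sender_external = False
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("VRFY", "EXPN"):
            # Recognised by the emulator but not a full exploit. A scanner script
            # (e.g. Nmap's smtp-enum-users NSE script) sends the same thing, hence "possible".
            if rank < 1:
                rank = 1
                reasons.append("account enumeration via " + verb)
        elif verb == "MAIL":
            sender_external = _mail_domain(arg) not in (None, local_domain)
        elif verb == "RCPT":
            rcpt_domain = _mail_domain(arg)
            if sender_external and rcpt_domain not in (None, local_domain):
                # External sender to external recipient: the emulated open relay
                # (CVE-1999-0512) has actually been used.
                rank = 2
                reasons.append("mail relayed from external sender to " + rcpt_domain)
    return LABELS[rank], reasons


# Constructed session transcripts (client commands only), as a decoy would record them.
SESSIONS = {
    "banner grab": ["EHLO probe", "QUIT"],
    "nmap smtp-enum-users": ["HELO nmap", "VRFY root", "VRFY admin", "QUIT"],
    "spam relay": [
        "HELO x",
        "MAIL FROM:<spammer@evil.example>",
        "RCPT TO:<victim@other.example>",
        "DATA",
        "QUIT",
    ],
}


def label_all(sessions=SESSIONS):
    """Label every sample session; returns {session name: label}."""
    return {name: label_session(cmds)[0] for name, cmds in sessions.items()}


if __name__ == "__main__":
    for name, cmds in SESSIONS.items():
        label, reasons = label_session(cmds)
        print(f"{name:22} -> {label}: {'; '.join(reasons)}")
```

    The floor is Service Scan rather than "benign" because the decoy has no legitimate users: any connection is signal. Delivery of a message to a local mailbox is deliberately not promoted, since an open relay is only exploited when both sender and recipient are foreign to the decoy.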

    Dynamic Sandbox

    The Dynamic Sandbox creates a post-exploit sandbox environment into which an attacker can be dropped for further analysis of their actions.

    The sandbox environments monitor and record attacker actions in real time, and also collect any files dropped by the attacker into the shell environment.

    Not all decoy types currently contain sandbox environments - the Sandbox label denotes decoys with embedded sandbox environments when deploying via Capabilities.

    Functionalities

    Cloud Integration

    The cloud enables management of the local decoy servers without having to actively log into the local servers.

    Currently, you can remotely manage the following actions from the cloud:

    • Alert Aggregation (collect all alerts from all servers into the cloud)
    • New decoy deployment
    • Decoy deletion from local environments
    • Updating decoy definitions
    • Updating the GUI (coming on the next update)

    The local server uses your API key to communicate into the cloud. If you haven't already, generate yourself a key in Settings. Note that the key is only visible to you when generating it, so remember to store it somewhere, e.g. a password manager or a similar solution.

    When Cloud Integration is enabled, the local server checks the cloud for new actions at the Poll Interval set on the local server. We recommend a fairly short interval, e.g. 120 seconds.

    Capabilities

    The Capabilities page in Defused Cloud contains ready-made templates for quickly deploying new decoy types into your local environments. A prerequisite for using Capabilities is enabling the Cloud Integration.

    Capabilities contain both individual decoy templates that can be selected for deployment one by one and, as a developing functionality, Decoy Bundles which deploy multiple decoy types to cover a specific capability set on the network.

    Teams

    Adding team members to the Defused platform enhances collaboration by enabling users to share incidents, manage them, and communicate via the incident view.

    To begin the process, go to the Settings tab on your dashboard.

    Inside Settings, click on the Team submenu.

    Creating a Team

    If you are not in a team yet and wish to create one, you can create a team by clicking the "Create Team" button. This will create a team for you and make you the administrator of the team.

    Adding Members

    Here you can add new team members by entering their email addresses. If the email is not found on the platform, an invitation is sent to them to sign up, and on signup the user is automatically added to your team.

    Only team admins can add and remove team members.

    Sharing Incidents

    Team members can share incidents with one another. This is useful for coordinating responses to issues.

    Once team members are added, they can manage incidents and communicate with each other directly in the incident view.

    Automation

    Automation helps you discover and automate how to structure your decoy operations, for example by highlighting and automatically deploying relevant new decoy types to your decoy servers.

    Automation is a beta feature and available only for Defused Enterprise Accounts.

    Credits

    Upcoming feature - full documentation coming soon.

    Incidents & Alerts

    Alerts

    Alerts are generated when a decoy is attacked. Each alert is contextually labelled with useful details like CVE numbers denoting which attack vector was used, MITRE ATT&CK tactics, the attacker's source IP and, where applicable, further information such as a raw representation of the network data. Ultimately, this is designed to make it easier for the defender to make decisions on the alerts.

    Defused has two ways to show you these alerts: 'Verbose' and 'Condensed.' In 'Verbose,' you see a detailed list of every single alert. In 'Condensed,' alerts from the same attacker and close in time are grouped together for quick review.
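    An added example (not Defused's code) of the Condensed grouping rule as one would implement it: alerts from the same source IP whose timestamp falls within a window of the previous alert in the group are collapsed into one entry that keeps the count, first/last seen, the decoys touched and the most severe label. The 300-second window, the severity ordering and the sample alerts are constructed assumptions.

```python
"""Added example: the 'Condensed' alert view as a grouping rule over raw ('Verbose') alerts."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Severity ranking used to pick a group's headline label (assumed ordering).
SEVERITY = {"Service Scan": 0, "Possible exploit attempt": 1, "Vulnerability Exploited": 2}


@dataclass
class Alert:
    ts: datetime
    src_ip: str
    decoy: str
    label: str


@dataclass
class Condensed:
    """One row of the condensed view: all alerts from one attacker in one burst."""
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)

    @property
    def count(self):
        return len(self.alerts)

    @property
    def worst_label(self):
        return max((a.label for a in self.alerts), key=lambda l: SEVERITY.get(l, -1))

    @property
    def decoys(self):
        return sorted({a.decoy for a in self.alerts})


def condense(alerts, window_seconds=300):
    """Group alerts by source IP; a new group starts when the gap to the group's
    previous alert exceeds window_seconds. Input order does not matter."""
    window = timedelta(seconds=window_seconds)
    groups, open_by_ip = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        g = open_by_ip.get(a.src_ip)
        if g is None or a.ts - g.last_seen > window:
            g = Condensed(a.src_ip, a.ts, a.ts)
            groups.append(g)
            open_by_ip[a.src_ip] = g
        g.alerts.append(a)
        g.last_seen = a.ts
    return groups


# Constructed sample alerts (not real data); the first three mirror the SMTP decoy test above.
_T0 = datetime(2020, 3, 26, 9, 59, 56)
SAMPLE_ALERTS = [
    Alert(_T0, "172.17.0.1", "smtp-decoy", "Service Scan"),
    Alert(_T0 + timedelta(seconds=40), "172.17.0.1", "smtp-decoy", "Possible exploit attempt"),
    Alert(_T0 + timedelta(seconds=95), "172.17.0.1", "smtp-decoy", "Vulnerability Exploited"),
    Alert(_T0 + timedelta(seconds=120), "198.51.100.7", "ssh-decoy", "Service Scan"),
    Alert(_T0 + timedelta(hours=2), "172.17.0.1", "ssh-decoy", "Service Scan"),
]


if __name__ == "__main__":
    for g in condense(SAMPLE_ALERTS):
        print(f"{g.src_ip:14} {g.count} alert(s)  {g.first_seen:%H:%M:%S}-{g.last_seen:%H:%M:%S}  "
              f"{g.worst_label}  decoys={','.join(g.decoys)}")
```

    The window is measured from the previous alert in the group rather than from the first one, so a slow, continuous attacker stays in one group while the same IP returning hours later starts a new one; shrinking the window pushes the view back towards Verbose.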

    Incident View

    You can group many alerts into one Incident. This lets you see related alerts together. You can also easily share this Incident with teammates using a special link.

    If sandbox events occur, 'Incident Mode' activates automatically. This groups related alerts for you, no extra steps needed.

    Forensics files

    Decoys with the shell emulator enabled can collect files transferred into them by the attacker. The files become available for download for the user in the incident view tab. Files also persist on the decoy server in case the attacker attempts to delete the artifacts on the machine.

    Integrations

    ServiceNow

    The ServiceNow integration allows you to connect your ServiceNow account to the application, enabling you to create and manage tickets directly from alerts. This integration helps streamline your incident management and ticketing process by connecting directly with your ServiceNow instance.

    Configuration Status

    The configuration status of the ServiceNow integration is displayed within the application. If the status is Configured, your ServiceNow account is successfully connected. If the status is Not Connected, you need to configure the integration.

    Configuration Steps
    Follow these steps to configure your ServiceNow integration.
    1. ServiceNow Instance Location:

      Enter the URL of your ServiceNow instance in the format https://devXXXX.service-now.com/.
    2. ServiceNow Credentials:

      Provide the username and password for your ServiceNow account.
    3. ServiceNow Priority:

      Set the priority for tickets created from the integration. Enter a value between 1 and 5.
    4. ServiceNow Table (Optional):

      Specify the ServiceNow table for the tickets. By default, tickets are created in the "incident" table. You can specify other tables like "problem" or "change."
    5. ServiceNow Caller ID:

      Enter the caller ID for the tickets. Leave this field empty to use the default test account.

    After filling in the required fields, click Link Accounts or Update Config to save your settings.


    Usage

    Once configured, the "Create Incident (ServiceNow)" button becomes available in each of the alert views.


    Troubleshooting

    If you encounter any issues with the integration, check the following:

    • Ensure that your ServiceNow instance URL is correct and accessible.
    • Verify that your ServiceNow credentials are valid and have the necessary permissions.
    • Check if the ServiceNow instance allows API access and if the user has appropriate roles.
    • Refer to the ServiceNow documentation for additional troubleshooting steps.

    Slack

    The Slack integration allows you to send events and alerts directly to a Slack channel of choice using an incoming webhook. This integration helps you keep your team updated in real-time by sending critical notifications to your preferred Slack channel.

    Configuration Status

    The status of the Slack integration is displayed within the application. If the status is Configured, your Slack webhook is successfully set up. If the status is Not Connected, you need to configure the webhook.

    Configuration Steps

    Follow these steps to configure the Slack integration using an incoming webhook.

    1. Click the "Add to Slack" Button

      Use the "Add to Slack" button in the Slack Integration page to initiate the Slack incoming webhook setup.

    2. Authorize the App and Select a Channel

      A new window will open, prompting you to select a Slack workspace and authorize the Defused Slackbot. You will need sufficient user privileges on the selected workspace to install the Defused Slackbot.
      You will also choose a Slack channel where you want to send alerts.

      Once authorized, a webhook URL will be automatically generated and configured in your Defused app. This URL will be used to send events to your Slack channel. A notification will confirm the Defused App has been added to your selected channel.

    Selecting an Interval

    Once you have enabled the incoming webhook, you may configure the frequency of the webhook triggering. The default is 60 minutes, meaning each alert severity will only trigger once during this interval.

    Email

    The Email integration allows you to receive alerts and notifications directly to your preferred email address. This ensures you are kept informed of critical events even when you are not actively monitoring the application.

    Configuration Status

    The status of the Email integration is displayed within the application. If the status is Configured, your email forwarding is successfully set up. If the status is Not Configured, you need to enable the email integration.

    Configuration Steps

    Follow these steps to configure the Email integration for forwarding alerts.

    1. Navigate to the Email Integration Page

      Go to the Email Integration page in your application.

    2. Enable the Email Integration

      Click the "Enable" slider to activate email forwarding. This will turn on the functionality to send alerts and notifications to your email address.

    3. Configure Email Settings (Optional)

      Optionally, you can configure the email interval and external address forwarding. These settings allow you to customize the frequency of email alerts and specify an alternative email address for notifications.

      • Frequency (minutes): Set the interval at which you want to receive email notifications. Each alert severity will trigger an email once within this frequency. The default is 60 minutes.
      • External Address Forwarding: Enter external email addresses if you prefer to forward alert email to different addresses from the email specified in your Defused account.
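    The interval setting described for Slack ("Selecting an Interval") and for Email ("Frequency (minutes)") has the same semantics: each alert severity produces at most one notification per interval. As an added example (not Defused's implementation), the Python below applies that rule to a constructed alert stream so you can see which alerts would reach the channel or mailbox and which would be suppressed. The severity labels, alert ids and in-memory state are assumptions of this example; the 60-minute default mirrors the documented default.

```python
from datetime import datetime, timedelta

# Constructed alert stream (not real data): ids exist only for the checks below,
# severities are illustrative, timestamps are ISO-8601 UTC.
SAMPLE_ALERTS = [
    {"id": 1, "severity": "high",   "datetime": "2024-06-08T14:00:00Z"},
    {"id": 2, "severity": "high",   "datetime": "2024-06-08T14:05:00Z"},
    {"id": 3, "severity": "medium", "datetime": "2024-06-08T14:05:00Z"},
    {"id": 4, "severity": "high",   "datetime": "2024-06-08T14:59:00Z"},
    {"id": 5, "severity": "high",   "datetime": "2024-06-08T15:00:00Z"},
    {"id": 6, "severity": "medium", "datetime": "2024-06-08T15:30:00Z"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class SeverityThrottle:
    """Notify at most once per severity per interval.

    The 60-minute default mirrors the documented default for Slack and Email.
    Keeping the state in a plain dict is an assumption of this example.
    """

    def __init__(self, interval_minutes=60):
        self.interval = timedelta(minutes=interval_minutes)
        self._last_sent = {}  # severity -> time of the last notification sent

    def should_notify(self, severity: str, now: datetime) -> bool:
        last = self._last_sent.get(severity)
        if last is not None and now - last < self.interval:
            return False  # this severity already fired inside the current interval
        self._last_sent[severity] = now  # the interval restarts from this notification
        return True


def route_alerts(alerts, interval_minutes=60):
    """Return the alerts that would actually produce a Slack message or an email."""
    throttle = SeverityThrottle(interval_minutes)
    delivered = []
    for alert in sorted(alerts, key=lambda a: parse_ts(a["datetime"])):
        if throttle.should_notify(alert["severity"], parse_ts(alert["datetime"])):
            delivered.append(alert)
    return delivered


def suppressed_ids(alerts, interval_minutes=60):
    """Ids of alerts that were throttled. They still appear in the alert views;
    only the notification is withheld."""
    sent = {a["id"] for a in route_alerts(alerts, interval_minutes)}
    return [a["id"] for a in alerts if a["id"] not in sent]


if __name__ == "__main__":
    for a in route_alerts(SAMPLE_ALERTS):
        print(f"notify: alert {a['id']} ({a['severity']}) at {a['datetime']}")
    print("suppressed:", suppressed_ids(SAMPLE_ALERTS))
```

    The practical consequence for a defender: a second high-severity alert 59 minutes after the first produces no new message, while one arriving exactly 60 minutes later does. Shortening the interval trades fewer missed follow-ups for more notifications, which is why the throttled alerts still need to be reviewed in the alert views.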

    Webhooks

    Webhooks allow you to define HTTP endpoints that are triggered automatically when specific Defused alert events occur.

    Webhook Configuration Fields
    Webhook Name (required)

    This name is used internally to differentiate between different webhooks. Choose a descriptive name that reflects the purpose or the alert type the webhook is associated with.

    Webhook URL (required)

    Enter the full URL (including the protocol, e.g., https://) of the endpoint that will receive the webhook data. This URL must be accessible from the internet and capable of handling HTTP POST requests.

    HTTP Auth

    HTTP Authentication provides three authentication methods, or none:

    • None: No authentication required.
    • Basic: Basic HTTP authentication using a username and password.
    • Bearer: Bearer token authentication for secure access.
    • API Key: Authentication using an API key included in the request headers.

    Select the appropriate authentication method based on your webhook endpoint's security requirements.

    Headers

    These headers can be used to provide additional context or authentication information required by the receiving endpoint. Headers may be added by clicking the "Add Header" button, after which two input fields for keys and values are added. You may add multiple custom headers.

    Defused Alert Fields

    Defused alert fields are automatically included in the webhook payload and provide detailed information about the alert event. These fields are enclosed within <<>> symbols in the JSON data and should not be modified.

    Alert Type

    Example: "alert": "Vulnerability Exploited"

    Attacker IP

    Example: "attackerip": "192.168.1.10"

    Decoy IP

    Example: "decoyip": "10.0.0.5"

    Decoy Name

    Example: "decoyname": "Decoy-Server-01"

    Datetime

    Example: "datetime": "2024-06-08T14:32:00Z"

    Location

    Example: "location": "Data Center 1"

    Raw Data

    Example: "rawdata": "{ 'event': 'suspicious_activity', 'details': '...' }"

    JSON Data Field

    Users can add their own JSON elements to the webhook payload. The Defused alert fields enclosed within <<>> symbols must remain unchanged. You can add any custom fields or modify existing ones, as long as the Defused alert fields are preserved.

    {
      "alert": "<>",
      "attackerip": "<>",
      "decoyip": "<>",
      "decoyname": "<>",
      "datetime": "<>",
      "location": "<>",
      "rawdata": "<>",
      "customfield": "Your value here"
    }

    HTTP Representation & Copy as cURL

    An HTTP Representation of your currently configured webhook is displayed at the end of the form:

    curl -X POST "YOUR_WEBHOOK_URL" \
                -H "Content-Type: application/json" \
                -H "Authorization: Bearer YOUR_TOKEN" \
                -d '{ 
                    "Alert Type": "<>", 
                    "Attacker IP": "<>", 
                    "Decoy IP": "<>", 
                    "Decoy Name": "<>", 
                    "Datetime": "<>", 
                    "Location": "<>", 
                    "Raw Data": "<>",
                    "Custom Field": "Your value here" 
                }'

    Clicking "Copy as cURL" copies your webhook as a cURL command, enabling easy testing of the endpoint you're adding the webhook to.

    Save Webhook

    After filling out all the required fields, click the "Save Webhook" button to save your configuration. This will ensure that your webhook is triggered when an alert event matching your criteria occurs.
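    The webhook section above describes the sending side: a POST with the Defused alert fields, optionally authenticated with Basic, Bearer or an API key. As an added example (not part of Defused and not the platform's own code), the Python below is a minimal receiving endpoint, written from the defender's side, that checks the Bearer token the curl representation uses, validates that all seven Defused alert fields are present, and rejects payloads in which a placeholder was left unsubstituted. The WEBHOOK_TOKEN environment variable, the constructed default token, the 1 MB body limit and the listening port are assumptions of this example.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption of this example: the expected token comes from the WEBHOOK_TOKEN
# environment variable (not a Defused setting). The constructed default lets the
# example run offline; it is not a real credential.
EXPECTED_TOKEN = os.environ.get("WEBHOOK_TOKEN", "constructed-example-token")

# The seven Defused alert fields listed on this page, with the key names used in
# the "JSON Data Field" example.
REQUIRED_FIELDS = ("alert", "attackerip", "decoyip", "decoyname",
                   "datetime", "location", "rawdata")

MAX_BODY_BYTES = 1_000_000  # assumed upper bound on a legitimate alert payload


def authorized(headers, expected_token: str = EXPECTED_TOKEN) -> bool:
    """Accept only `Authorization: Bearer <token>` (the scheme in the page's curl
    example). The comparison is constant-time so response timing cannot be used
    to guess the token byte by byte."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def parse_alert(body: bytes):
    """Validate the payload. Returns (alert_dict, None) on success or (None, reason)."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return None, f"invalid JSON: {exc}"
    if not isinstance(data, dict):
        return None, "payload must be a JSON object"
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        return None, "missing fields: " + ", ".join(missing)
    # A value that still looks like a template marker (<...>) means the JSON Data
    # Field was edited so that Defused could not substitute the real value.
    unfilled = [f for f in REQUIRED_FIELDS
                if isinstance(data[f], str)
                and data[f].startswith("<") and data[f].endswith(">")]
    if unfilled:
        return None, "unsubstituted placeholders: " + ", ".join(unfilled)
    return data, None


def handle_alert(alert: dict) -> None:
    """Stand-in for forwarding to a SIEM or ticketing system: one structured log line."""
    print(json.dumps({"event": "defused_alert",
                      **{k: alert[k] for k in REQUIRED_FIELDS}}))


class AlertHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not authorized(self.headers):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0") or 0)
        if length > MAX_BODY_BYTES:
            self.send_response(413)
            self.end_headers()
            return
        alert, error = parse_alert(self.rfile.read(length))
        if error:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(error.encode())
            return
        handle_alert(alert)
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Assumed local address; put a TLS-terminating proxy in front for real use,
    # since the page requires the endpoint to be reachable from the internet.
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

    Run the script, then paste the "Copy as cURL" command with YOUR_WEBHOOK_URL replaced by the local address: a correct token and complete payload returns 204, a wrong token 401, and a payload whose placeholders were not substituted 400 with the offending field names in the body. Checking for leftover placeholders is the quickest way to catch a mis-edited JSON Data Field before alerts start flowing.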

    FAQ

    A Capabilities template is disabled and says "Available after decoy engine update."

    The Decoy Server VM you're trying to deploy into doesn't have a new enough decoy engine. You can update the engine in the local server by setting the "Update Decoy Engine" action to trigger on the next update cycle.


    The top navigation bar says I have "unapplied decoys."

    In Defused Cloud, if you use Capabilities to deploy a decoy type into a location (or a Decoy Bundle), you need to set the "Send new decoys" action onto the server you have deployed the decoys into.

    In Defused Standalone, if you use the "New Decoy" menu to deploy decoys, you need to run "Apply Config" under Settings whenever you have created new decoy configurations.

