Fidelis Deception® RESTful API Guide

Version 9.8
October 2024
Copyright © 2024 by Fidelis Security LLC
All rights reserved worldwide.

Fidelis Security LLC

871 Marlborough Ave
Suite 100
Riverside, CA, 92507

Fidelis Deception® RESTful API Guide

Revised October 2024
Document ID: DEC_rest-api_20241009

Source: Technical Support

Users are granted permission to copy and/or distribute this document in its original electronic form and
print copies for personal use. This document cannot be modified or converted to any other electronic or
machine-readable form in whole or in part without prior written approval of Fidelis Security LLC.

While we have done our best to ensure that the material found in this document is accurate, Fidelis
Security LLC makes no guarantee that the information contained herein is error free.

2 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Table of Contents
INTRODUCTION ................................................................................................................................................ 4
GENERAL PARAMETERS AND RETURN CODES .................................................................................................. 4
AUTHENTICATION FOR APIS ............................................................................................................................ 4
Identify the CAS-ID from the CommandPost Login Page ........................................................................ 5
Manually Obtain the CAS-ID ............................................................................................................... 5
Use Python to Obtain the CAS-ID ....................................................................................................... 5
Submit a Login Request to Receive the TGC Cookies ............................................................................ 5
Manually Obtain the TGC Cookies ...................................................................................................... 5
Use Python to Obtain the TGC Cookies ............................................................................................. 6
Use the TGC Cookies for APIs Commands ............................................................................................. 6
Manually Use the TGC Cookies in the API Commands...................................................................... 6
Use Python to Make an API Call with the TGC Cookies .................................................................... 6
TERRAIN API – ASSETS................................................................................................................................... 6
Get All Assets ........................................................................................................................................... 6
Get Single Asset Data ............................................................................................................................ 12
Delete Asset Data ................................................................................................................................... 13
Edit Multiple Assets ................................................................................................................................ 14
TERRAIN API – SUBNETS AND DOMAINS ........................................................................................................ 15
Get All Subnets Data .............................................................................................................................. 15
Get All Groups and Domains Data ......................................................................................................... 15
Define Subnet ......................................................................................................................................... 16
DECEPTION – GENERAL................................................................................................................................. 17
Get All Emulated Decoys ........................................................................................................................ 17
Get All Decoy Servers ............................................................................................................................ 17
Configure Global Deception Settings ..................................................................................................... 17
DECOYS ........................................................................................................................................................ 23
Create Decoy .......................................................................................................................................... 23
Delete Decoy .......................................................................................................................................... 31
Edit Decoy .............................................................................................................................................. 32

3 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Introduction
This API guide describes the Elevate APIs that handle Fidelis Deception and Terrain.

General Parameters and Return Codes

This section describes general parameters and return codes for all Deception APIs.

Parameters
commandPostName=name
Required. Specifies the CommandPost to which to communicate. All the Deception APIs have
commandPostName as in input parameter.

• For a Hierarchical Manager (HM) system, specify the CommandPost.

• For a single CommandPost, use Console.

Example
commandPostName=Console

Return Codes
Code Description
200 Success
401 Unauthorized. Use does not have permissions for the API.
403 Forbidden. Login is required.
404 Not found.

Authentication for APIs

The APIs described in the guide that are for Deception and Terrain require authentication based on Ticket
Granting Cookie (TGC). You need to determine the TGC cookies for the CommandPost and specify the
cookies in the API commands.

To determine the TGC cookies:

• Identify the CAS-ID from the CommandPost login page

• Submit a request to receive the TGC cookies

You can then use the cookies for Deception and Terrain APIs commands.

This section describes how you can manually identify the CAS-ID, request the TGC cookies, and use the
TGC cookies for an API command. It also includes instructions for how to use Python to automate each
step.

Note: APIs that require uploading files require a different authentication that is not currently described
in this section/guide. If you require authentication for APIs that require uploading files, contact Fidelis
Support.

4 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Identify the CAS-ID from the CommandPost Login Page

Manually Obtain the CAS-ID

1. In a web browser, display the CommandPost login page at, https://host/cas/login, where host is
the host name or IP address of the CommandPost.

2. Using the web browser features, view the page source for the CommandPost login page.

3. In the page source, find the hidden parameter named execution.

4. Retrieve the entire value of the execution hidden parameter.

Use Python to Obtain the CAS-ID

Use the following Python code to automate the retrieval of the CAS-ID, where host is the host name or IP
address of the CommandPost.

def get_cas_id(host):
request = requests.get('https://'+host+'/cas/login', verify=False)
for line in str(request.content).split('\\n'):
if re.search("input type=\"hidden\"", line):
return line.split("value=\"")[1].split("\"")[0]
return ""

Submit a Login Request to Receive the TGC Cookies

Manually Obtain the TGC Cookies
Submit a POST request to the CommandPost login URL, https://host/cas/login, where host is the host
name or IP address of the CommandPost.

In the POST request, include the following parameters:

• username – user name to log in to the CommandPost

• password – the password for the user
• execution – the CAS-ID you obtained in the previous step
• _eventId – use: submit

Retrieve the TGC cookie from the response.

5 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Use Python to Obtain the TGC Cookies
Use the following Python code to automate obtaining the TGC cookie, where:

• host is the host name or IP address of the CommandPost

• CASID is the the CAS-ID you obtained in the previous step

login_response = requests.post('https://'+host+'/cas/login',
verify=False,
data={"username":USERNAME,"password":PASSWORD,"execution":CASID,"_event
Id":"submit"})

Use the TGC Cookies for APIs Commands

Manually Use the TGC Cookies in the API Commands
Specify the TCC cookie retrieved from the login command for HTTP API by adding the “Cookie” header to
the request. It is a standard HTTP header.

Use Python to Make an API Call with the TGC Cookies

Add the following Python code to each API command automate obtaining the TGC cookie, where:

• host is the host name or IP address of the CommandPost

• url is API URL
• cookies is the TGC cookies you retrieved from the previous step

Add the following command to each command. Example below for running a GET API to this URL: API-
URL

requests.get('https://'+host+url, verify=False, cookies=cookies)

Terrain API – Assets

Get All Assets
Path /mgm/rest/assets/getAll?commandPostName=name

Method POST

Request Body Schema application/json

Query Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Example
/mgm/rest/assets/getAll?commandPostName=Console

6 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Parameters
pagination={"page":number,"size":number}
Specify pagination for partial retrieval of information.

Example
{"pagination":{"page":1,"size":15}}

order:[list of {"column":"AssetField","direction":"direction"}]
Specify the sort order of the returned results.
"column":AssetField
Use one of the following values for AssetField:
ACTIVE_DIRECTORY_CONTAINER ANOMALIES_MAX_SCORE ANY_PORT
ACTIVE_DIRECTORY_GROUP ANY_COUNTRY_CODE ANY_STRING
ACTIVE_DIRECTORY_STRUCTURE ANY_COUNTRY_NAME ASSET_ID
AD_LOCATION ANY_DOMAIN ASSET_IDS
AGENT_ID ANY_ENDPOINT ASSET_IP
AGENT_TYPE ANY_ENDPOINT_IDS ASSET_NAME
ALERTS_COUNT ANY_IP ASSETS_COUNT
ALLOW_SET_AS_DECOY

BC_AUTO_UPDATING BREADCRUMBS_COUNT

CANARY_FILE_ID CLOUD_RESOURCE_NAME CONTAINER_IMAGE_NAME

CANARY_FILE_NAME CLOUD_RESOURCE_TYPE CONTAINER_IMAGE_REGISTARY
CLIENT_CLASSIFICATION CLOUD_STATE CONTAINER_IMAGE_VERSION
CLIENT_ID COMPONENT_ID CONTAINER_STATUS
CLIENT_PORT COMPONENT_NAME COUNT
CLOUD_COMPATIBILITY_STATUS COMPOSITE COUNT_DECOY_PODS
CLOUD_PROVIDER COMPUTER_ROLE COUNT_PODS
CLOUD_REGION CONTAINER_IMAGE_ID COVERAGE
CLOUD_RESOURCE_ID

DATA_SOURCE DECOY_TYPE DEPLOYMENT_STATUS

DECOY_ALIASES DECOY_USER_AD_STATUS DEST_IP
DECOY_IDS DECOY_USER_TYPE DEVICE_NAME
DECOY_IP DECRYPTION_ENABLED DEVICE_TYPE
DECOY_PORT DEPLOYMENT_IS_BLOCKED DIVERSITY_SCORE
DECOYS_COUNT DEPLOYMENT_IS_FORCED DOWNLOAD_KB
DECOY_STATUS DEPLOYMENT_PRIORITY

ENDPOINTS_COUNT EXPECTED_PROTOCOL EXTERNAL_ALERTS_COUNT

EXECUTION_TYPE

FILE_SYSTEM_ID FIRST_SEEN

GROUP_ID GROUP_NAME GROUP_TYPE

HAS_INCOMING HAS_SSL_SERVICES HAS_USER

HAS_OUTGOING

7 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

 IMPORTANCE IS_CLOUDPASSAGE_AGENT IS_IN_CLOUD
INSERT_TIME IS_COMMENTED IS_MCAFEE
IS_ACTIVE_CANARY IS_CRACKED IS_MINITRAPPED
IS_ACTIVE_DIRECTORY IS_DECOY IS_S1
IS_ADAPTIVE IS_DEFAULT_TAG IS_SERVER
IS_CARBON_BLACK IS_ENDPOINT IS_USING_DNS
IS_CLOUDPASSAGE IS_EXTERNAL

K8_NAMESPACE

LAST_ACCESS LAST_SEEN_DAY LAST_SEEN_HOUR

LAST_SEEN

MAC_ADDRESS MASTER_DECOY_ID

NAMESPACE_ID NIC NODE_TYPE

ORGANIZATION OS_TYPE OVA_ID

ORGANIZATION_UNIT OTHER_ASSET_ID OVA_NAME
OS_FAMILY OTHER_NODE_TYPE

PATH POD_SERVICE_TYPE PRIVATE_IP

POD_ID POD_START_TIME PROGRAM
POD_IP POD_STATUS PROTOCOL
POD_NAME POD_STATUS_TEXT PUBLIC_IP

REMOTE_CREDENTIALS_STATUS REMOTE_TASK_ACTION RISK

REMOTE_MODULE REMOTE_TASK_STATUS ROLE

SERVER_CLASSIFICATION SSL_DATA_NAME SUBNET_ID

SERVER_ID SSL_IS_SIGNED SUBNET_IMPORTANCE
SERVICE SSL_TYPE SUBNET_NAME
SEVERITY SUB_DECOYS_IDS_DIRECT SUBNET_RISK
SRC_IP SUBNET_CONFIG_STATUS SUBNET_SEVERITY
SSL_DATA_ID SUBNET_COVERAGE

TAG_COLOR TAG_SHAPE TOOL_IS_BLACKLISTED

TAG_DEFINITIONS THREAT_TACTIC TOOL_RISK
TAG_ID THREAT_TACTIC_ID TOOL_TYPE
TAG_NAME TOOL TRAFFIC_TYPE

UPLOAD_KB USER_ACCOUNT_SOURCE USER_FULL_NAME

USER USER_DEPARTMENT USER_ID
USER_ACCOUNT_DOMAIN USER_EMAIL USERS_COUNT
USER_ACCOUNT_NAME USER_FIRST_ACTIVITY USER_SOURCE

VALIDATION_ERROR VULNERABILITY_AUTH VULNERABILITY_SEVERITY

VENDOR VULNERABILITY_CATEGORY VULNERABILITY_SOURCE
VLAN VULNERABILITY_COUNT VULNERABILITY_STATUS
VULNERABILITY_ACCESS_COMPLEXITY VULNERABILITY_ID VULNERABILITY_TYPE
VULNERABILITY_ATTACK_VECTOR VULNERABILITY_SCORE

WEB_SERVER_ID WEB_SERVER_NAME

8 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

 "direction":"direction"
Specify DESC for descending or ASC for ascending.
Example
To sort assets by when they are seen for the first time in ascending order. If several assets are
first seen at the same time, perform a second sort by their IP address in ascending order.

{"order":[
{"column":"FIRST_SEEN","direction":"ASC"},
{"column":"ASSET_IP", "direction":"ASC"}]}

groupBy:{"columns":list of AssetField, "countOnly":true|false, "ignoreZeroValues":true|false}

Group assets by their AssetField values, as described in the order parameter above.

"countOnly":true|false
Whether to return counts of the columns or the values for the columns.

• true – return the count of the different groups specified by the columns parameter
• false – return the groups with their columns parameter values and their size

"ignoreZeroValues":true|false
When countOnly is true, whether to ignore zero values.

Example 1
The following shows the settings to return a count of assets grouped by their subnet and risk.
Note that assets with subnet_id value of 0 are assets without a subnet.

{"groupBy":{
"columns":["RISK","SUBNET_NAME"], "countOnly": false, "ignoreZeroValues":
false}}

The following shows sample results with subnet “10.6.64.0/22” that has:
• 5 assets with risk value of 1
• 25 assets with risk value of 2

{
"nodes": [
{
"SUBNET_NAME": "10.6.64.0/22",
"RISK": 1,
"COUNT": 5
},
{
"SUBNET_NAME": "10.6.64.0/22",
"RISK": 2,
"COUNT": 25
},

9 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

 Example 2
The following shows the settings to return a count of assets grouped by their roles.

{"groupBy":{
"columns":["ROLE"], "countOnly": false, "ignoreZeroValues": false}}

Sample results are:

{
"nodes": [
{
"ROLE": "ROUTER",
"COUNT": 5
},
{
"ROLE": "IT_SERVER",
"COUNT": 4
},
{
"ROLE": "PRINTER",
"COUNT": 18
},
{
"ROLE": "DOMAIN_NAME_SERVER",
"COUNT": 9
},
{
"ROLE": null,
"COUNT": 4499
},
{
"ROLE": "WORKSTATION",
"COUNT": 6025
},
{
"ROLE": "GENERAL_SERVER",
"COUNT": 2
}

10 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

 Example 3
The following shows the settings to count the non-empty subnets.

{"groupBy":{
"columns":["SUBNET_ID"], "countOnly": true, "ignoreZeroValues": true}}

Sample results are:

{
"nodes": [
{
"SUBNET_ID": 14
}
],
"conf": {
"numDecoys": 5,
"numAssets": 10557,
"numNoAuthAssets": 10557,
"numDecoysFiltered": 5,
"numNoAuthDecoys": 5,
"numAssetsFiltered": 10557
},
"subnets": null,
"groups": null,
"total": 1,
"sslDatas": null,
"containerImages": null
}

filter:{"composite":{"logic"=and|or , "filters":["simple": {"column": AssetField,

"operator":=|!=|>|>=|<|<=|IN|!IN|=~|, "value":string}, "simple":{}…]}}
Returns only assets that satisfy the specified filter.

Example
The following filter returns all assets that are either a workstation or a web server.
{
"filter": {
"composite": {
"logic": "or",
"filters": [
{
"simple": {
"column": "ROLE",
"operator": "=",
"value": "WORKSTATION"
}
},
{
"simple": {
"column": "ROLE",
"operator": "=",
"value": "WEB_SERVER"
}
}
]
}
}
}

11 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Example Using Multiple Parameters
This example shows parameters to return all the assets with Assets IDs that are different than 8960 and
are from subnet with Subnet ID 2. The results should have 15 results in one page and ordered by risk in
descending order.

URL /mgm/rest/assets/getAll?commandPostName=name
Request {"filter":{"composite":{"logic":"and","filters":[{"simple":{"column":"A
body SSET_ID","operator":"!=","value":"8960"}},{"simple":{"column":"SUBNET_I
D","operator":"=","value":"2"}}]}},"pagination":{"page":1,"size":15},"o
rder":[{"column":"RISK","direction":"DESC"}]}

Get Single Asset Data

Path /mgm/rest/assets/asset-ID?commandPostName=name

Path Parameters
asset-ID
Specifies the ID of the asset for which you want information.

Example
1725

Query Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Example
commandPostName=Console

Example
/mgm/rest/assets/1725&commandPostName=Console

12 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Delete Asset Data

Path /mgm/rest/assets/delete?nodeIds=asset-IDs&purgeAsset=true|false&forcePrompted
=true &forceDelete=true|false&&commandPostName=name

Method PUT

Query Parameters
nodeIds=asset-IDs
Specifies the IDs of the assets to delete. To specify multiple IDs, specify the parameter multiple times.

Example for a single ID

nodeIds=1725

Example for a mulitple IDs

nodeIds=1725&nodeIds=1025&nodeIds=1229

purgeAsset=true|false
Whether you want to also purge the alerts associated with the assets.

forcePrompted=true
Indicates you want to skip being prompted to confirm deleting assets with breadcrumbs. (Note that
prompt is insignificant when using the API.)

forceDelete=true|false
Whether to delete assets with breadcrumbs. Set to true to delete assets with breadcrumbs. Set to faluse
to skip deletion of assets with breadcrumbs. The default is false.

commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Examples
/mgm/rest/assets/delete?nodeIds=24&purgeAsset=true&commandPostName=Console

/mgm/rest/assets/delete?nodeIds=24&nodeIds=25&forcePrompted=true&forceDelete=true&
purgeAsset=true&commandPostName=Console

13 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Edit Multiple Assets

Path /mgm/rest/assets/editAssets?nodeIds=asset-IDs&role=asset-role&
osType=asset_OS &commandPostName=name

Method PUT

Parameters
nodeIds=asset-IDs
Specifies the IDs of the assets to delete. To specify multiple IDs, specify the parameter multiple times.

Example for a single ID

nodeIds=1725

Example for a mulitple IDs

nodeIds=1725&nodeIds=1025&nodeIds=1229

role=asset-role
Specifies the role of the decoy. Use one of the following:

CAMERA MED VOIP

DOMAIN_NAME_SERVER NONE WEB_SERVER
GENERAL_IOT PRINTER WORKSTATION
GENERAL_SERVER ROUTER
ICS SCANNER
IT_SERVER STORAGE
MAIL_SERVER SWITCH

Example
Role=ROUTER

osType=asset_OS
Specifies the operating system to use for the decoy. Use one of the following:

ANDROID UBUNTU_12_04 WINDOWS_2016

CENTOS_5_10 UBUNTU_14_04 WINDOWS_2019
CENTOS_6_5 UBUNTU_16_04 WINDOWS_7
CENTOS_7_2 WINDOWS_2003 WINDOWS_8
IOS WINDOWS_2008 WINDOWS_8_1
IOT WINDOWS_2008_R2 WINDOWS_10
OS_X_10_9 WINDOWS_2012 WINDOWS_VISTA
OS_X_10_13 WINDOWS_2012_R2 WINDOWS_XP
SUN_OS

Example
osType=WINDOWS_XP

14 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Example
/mgm/rest/assets/editAssets?nodeIds=20&
nodeIds=21&role=ROUTER&osType=CENTOS_7_2&commandPostName=Console

Terrain API – Subnets and Domains

Get All Subnets Data

Path /mgm/rest/subnets/getAll?commandPostName=name

Method POST

Request Body Schema application/json

Query Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Parameters
filter:{"composite":{"logic"=and|or , "filters":["simple": {"column": AssetField,
"operator":=|!=|>|>=|<|<=|IN|!IN|=~|, "value":string}, "simple":{}…]}}
Use the filter parameter from Terrain API – Assets to return only subnets with the filtered assets. The
system returns all subnets if you do not specify a parameter.

Example
URL /mgm/rest/subnets/getAll?commandPostName=name
Request {"filter": {"composite": {"logic": "or", "filters": [{"simple":
body {"column": "ROLE","operator": "=","value": "WORKSTATION"}}]}}}

Get All Groups and Domains Data

Path /mgm/rest/computerGroup?commandPostName=name

Method POST

Query Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

15 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Parameters
order:[list of {"column":"AssetField","direction":"direction"}]
Use the order parameter from Terrain API – Assets to order the results.

filter:{"composite":{"logic"=and|or , "filters":["simple": {"column": AssetField,

"operator":=|!=|>|>=|<|<=|IN|!IN|=~|, "value":string}, "simple":{}…]}}
Use the filter parameter from Terrain API – Assets to return only groups with the filtered assets.

Example
/mgm/rest/computerGroup/getAll?commandPostName=Console

Define Subnet

Path /mgm/rest/subnets?commandPostName=name

Method POST

Parameters
ipVersion=number
Specifies the IP version. For number, you must specify either 4 or 6.

subnetIp=ip
Specifies the internal IP address.

cidr=number
Specifies the CIDR.

commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Note:
You can only use this API when decoys are not configured on the specified subnet. For subnets that
contain decoy, you must manually edit the subnet on the Deception / Decoys / Decoys page.

Example
URL /mgm/rest/subnets?commandPostName=Console
Request {"ipVersion":4,"subnetIp":10.6.19.0,"cidr:"24,"approve":true}
body

16 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Deception – General
Get All Emulated Decoys

Path /mgm/rest/assets/getAllDecoys?commandPostName=name

Method GET

Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Form Parameters
See Get All Assets for parameters and examples.

Get All Decoy Servers

Path /mgm/rest/machine?commandPostName=name

Method GET

Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Example
/mgm/rest/machine?commandPostName=Console

Configure Global Deception Settings

Use this API to configure the global network and data deception features.

Path /mgm/rest/intguard/conf?commandPostName=name

Method PUT

Form Parameters
isIcmpEchoEnabled: true|false
Whether you want Decoys to respond with ICMP echo replies to ICMP echo requests.

Example
isIcmpEchoEnabled: true

17 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

isNBDSEnabled: true|false
Whether to send NetBios Domain Service (NBDS) broadcast packets with the Decoy details in the LAN.

Example
isNBDSEnabled: true

isStealthModeEnabled: true|false
Whether to use stealth mode. In stealth mode decoys do not respond to whitelisted IP addresses, for
example, scanners.

Example
isStealthModeEnabled: true

isWPADEnabled: true|false
Whether to enable Proxy Auto Discovery

Example
isWPADEnabled: true

isLLMNREnabled: true|false
Whether you want decoys to search for non-existing resources via Link-Local Multicast Name Resolution
(LLMNR).

Example
isLLMNREnabled: true

isARPSpoofingEabled: true|false
Whether you want decoys to attempt to open connections to other assets in the subnet and inject decoy
information to the Asset ARP table.

Example
isARPSpoofingEabled: true

ARPSpoofingFrequency: frequency
How often you want decoys to send ARP packets. Use one of the following:

• HIGH – Decoys send ARP packets every 2 minutes.

• MEDIUM – Decoys send ARP packets every 10 minutes.
• LOW – Decoys send ARP packets every 2 hours.

Example
ARPSpoofingFrequency: LOW
isArpMITMEnabled
isNbnsBroadcastReplyingEnabled
isDhcpDynamicDnsEnabled
isDecoyInteractionTimeoutEnabled
decoyInteractionTimeoutSec
vmAnalysisTimeoutSec

18 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

ARPSpoofingAssetsToInject: amount
The amount (percentage) of assets to which decoys are to send ARP packets. Use one of the following:

• FEW – Decoys send ARP packets to 5-10% of assets.

• SOME – Decoys send ARP packets to 20-30% of assets.
• MANY – Decoys send ARP packets to 40-50% of assets.

Example
ARPSpoofingAssetsToInject: FEW

isDNSEnabled: true|false
Whether you decoys periodically to validate their name and IP address settings on the DNS server.

Example
isDNSEnabled: true

fileSizeSpoofingMode: size
The size of the decoy file during download. Use one of the following:
• NO_SPOOFING – Use the original file size.
• LINEAR – Increase the file size linearly.
• INFINITE

Example
fileSizeSpoofingMode: LINEAR

isMacSpoofingEnabled: true|false
Whether you want each decoy to create a unique MAC address. Changing this configuration will only
affect new decoys that are created.

Example
isMacSpoofingEnabled: true

isInfiniteFoldersEnabled: true|false
Whether you want decoys to have random directories providing infinite traversal paths.
Example
isInfiniteFoldersEnabled=true

isRealFilesEnabled: true|false
Whether to enable the use of real files on decoys.
Example
isRealFilesEnabled: true

isWanAccessEnabled: true|false
Whether to allow real OS decoys access from the decoy to the public network.
Example
isWanAccessEnabled: true

19 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

isLanAccessEnabled: true|false
Whether to allow real OS decoys access from the decoy to the Internal network.
Example
isLanAccessEnabled: true

DNSFrequency: frequency
How often you want decoys to query the DNS server. Use one of the following:
• HIGH – Decoys query the DNS server every 2 hours.
• MEDIUM – Decoys query the DNS server every 10 hours.
• LOW – Decoys query the DNS server every 24 hours.

Example
DNSFrequency: HIGH

enableUpnp: true|false
Whether decoys will respond when directly accessed over UPnP.
Example
enableUpnp: true

enableUpnpNotify: true|false
Whether decoys will periodically send relevant NOTIFY multicast messages.

Example
enableUpnpNotify: true

isDhcpDiscoverEnabled: true|false
Whether a DHCP discover packet is sent on each subnet identified on the decoy NICs. The system uses
the responses for analysis and validation of the network configurations.

Example
isDhcpDiscoverEnabled: true

isGatewayValidationEnabled: true|false
Whether to enable subnet gateway validation by sending ARP packets from interface’s MAC address.

Example
isGatewayValidationEnabled: true

isMacSpoofingValidationEnabled: true|false
Whether to enable subnet gateway validation by sending ARP packets from a decoy’s MAC address. If
there are no decoys, the system sends the packet with a generated fake MAC address.

Example
isMacSpoofingValidationEnabled: true

20 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

isPeriodicDecoyValidationEnabled: true|false
Whether decoy IP addresses and MAC addresses are periodically validated for conflicts. Validation
occurs every 8 hours.

Example
isPeriodicDecoyValidationEnabled: true

isPreConfDecoyValidationEnabled: true|false
Whether you want the decoys IP addresses and MAC address validated before creation.

Example
isPreConfDecoyValidationEnabled: true

isWakeOnLanEthEnabled: true|false
Whether you want to monitor and trigger alerts on "Wake-on-LAN" packets sent to the decoys on layer 2.

Example
isWakeOnLanEthEnabled: true

isWakeOnLanUDPEnabled: true|false
Whether you want to monitor and trigger alerts on "Wake-on-LAN" packets sent to the decoys on layer 4.

Example
isWakeOnLanUDPEnabled: true

isArpMITMEnabled: true|false
Whether you want MITM attacks identified. Note that MAC spoofing must be enabled.

Example
isArpMITMEnabled: true

isNbnsBroadcastReplyingEnabled: true|false
Whether you want to enable decoy to respond to NBNS broadcasts.

Example
isNbnsBroadcastReplyingEnabled: true

isDhcpDynamicDnsEnabled: true|false
Whether you want the decoys to update the DHCP server with dynamic DNS data as part of the DHCP IP
allocation flow. The DHCP and DNS servers must be configured to enable dynamic DNS updates.

Example
isDhcpDynamicDnsEnabled: true

isDecoyInteractionTimeoutEnabled: true|false
Whether you want to enable the interaction timeout for emulated decoys.

Example
isDecoyInteractionTimeoutEnabled: true

21 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

decoyInteractionTimeoutSec: seconds
Set interaction timeout for emulated decoys. Specify timeout in seconds. Emulated decoys will disconnect
sessions after reaching this timeout.

Example
decoyInteractionTimeoutSec: 600

vmAnalysisTimeoutSec: seconds
Set the interaction timeout for real OS decoys. Specify timeout in seconds. Real OS decoys will
disconnect sessions after reaching this timeout and revert to their original state.

Example
vmAnalysisTimeoutSec: 600

Query Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Example
/mgm/rest/intguard/conf?commandPostName=Console
isIcmpEchoEnabled: true
isNBDSEnabled: true
isStealthModeEnabled: false
isWPADEnabled: false
isLLMNREnabled: false
isARPSpoofingEabled: true
ARPSpoofingFrequency: HIGH
ARPSpoofingAssetsToInject: SOME
isDNSEnabled: true
fileSizeSpoofingMode: NO_SPOOFING
isMacSpoofingEnabled: true
DNSFrequency: MEDIUM
isInfiniteFoldersEnabled: true
isRealFilesEnabled: true
isWanAccessEnabled: true
isLanAccessEnabled: false
enableUpnp: true
enableUpnpNotify: false
enableUpnpMsearchAnswer: false
isDhcpDiscoverEnabled: true
isGatewayValidationEnabled
isMacSpoofingValidationEnabled: true
isPeriodicDecoyValidationEnabled: true
isPreConfDecoyValidationEnabled: true
isWakeOnLanEthEnabled: true
isWakeOnLanUDPEnabled: true

22 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

isArpMITMEnabled: true
isNbnsBroadcastReplyingEnabled: true
isDhcpDynamicDnsEnabled: true
isDecoyInteractionTimeoutEnabled: true
decoyInteractionTimeoutSec: 600
vmAnalysisTimeoutSec: 600

Decoys
Create Decoy

Path /mgm/rest/deception/createDecoys?commandPostName=name

Method POST

JSON Body Parameters

decoyCount: number
Specifies the number of Decoys to create.

Example
decoyCount: 1

ipRanges: list
Specifies a list of Decoy IP Ranges if nodeIp is empty.

Example
ipRanges: [{ lowest:192.168.10.12, highest: 192.168.10.50, lowestInt:
3232238092, highestInt: 3232238130}]

approve: true|false
Specifies whether to force decoy creation even if the chosen IP addresses are used by assets.

Example
approve: true

ignoreSubnetValidation: true|false
Specifies whether to ignore the subnet’s gateway validation.
• When set to true, the subnet’s gateway validation is ignored.
• When set to false, the system does not allow decoy creation in non-validated subnets.

Example
ignoreSubnetValidation: true

23 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Decoy Properties (decoyProps)
subnetId: id
Specifies the ID of the subnet on which to create the decoy. To retrieve the subnets, use the Get All
Subnets Data API.

Example
subnetId: 5

hpRateLimit: type
Specifies the speed at which the decoy responds to packets. Use one of the following:

• VERY_LOW
• LOW
• NORMAL

Example
hpRateLimit: NORMAL

decoyCount: number
Specifies the number of Decoys to create.

Example
decoyCount: 1

createType: type
Specifies the decoy creation type. Use one of the following:

• SUGGESTION – Smart auto-generate of decoy content

• MAX_RISK – Auto-generate to maximize vulnerabilities on decoy
• RANDOM – Randomly generate decoy content
• CUSTOM – Custom decoy content
• VM – Real OS decoy

Example
createType: CUSTOM

decoyType: type
Specifies the type of decoy. Use one of the following:

• EMULATED
• VM
• ADDITIONAL_IP

Example
decoyType: EMULATED

24 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

hpMode: type
Specifies the way a decoy responds to packets sent on unopened ports. Use one of the following:

• ACCEPT
• REJECT
• DROP

Example
hpMode: DROP

deviceType: type
Specifies the type of device. Use one of the following:

• IOT
• COMPUTER

Example
deviceType: COMPUTER

osType: os
Specifies the operating system to use for the decoy. Use one of the following:

ANDROID UBUNTU_12_04 WINDOWS_2016

CENTOS_5_10 UBUNTU_14_04 WINDOWS_2019
CENTOS_6_5 UBUNTU_16_04 WINDOWS_7
CENTOS_7_2 WINDOWS_2003 WINDOWS_8
IOS WINDOWS_2008 WINDOWS_8_1
IOT WINDOWS_2008_R2 WINDOWS_10
OS_X_10_9 WINDOWS_2012 WINDOWS_VISTA
OS_X_10_13 WINDOWS_2012_R2 WINDOWS_XP
SUN_OS

Example
osType: WINDOWS_XP

computerRole: role
Specifies the role of the decoy. Use one of the following:

ALL MED SSH_SERVER

ANTIVIRUS_SERVER MEDIA_SERVER STORAGE
BITTORENT_SERVER NONE SWITCH
CAMERA OTHER_IOT VIRTUAL_MACHINE_SERVER
DATABASE_SERVER P2P_SERVER VOIP
DHCP_SERVER PRINTER VPN_SERVER
DOMAIN_NAME_SERVER PROXY_SERVER WEB_SERVER
FILE_SERVER REMOTE_ACCESS_SERVER WINS_SERVER
ICS ROUTER WORKSTATION_BASE
KMS_SERVER SCANNER WORKSTAION_DEV
MAIL_SERVER

Example
computerRole: DATABASE_SERVER

25 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

mgmtGroup: group
Specifies the alert management group for the decoy. The default is 1.

Example
mgmtGroup: 1

groupId: id
Specifies the ID of the group/domain of the decoy. To retrieve the group ID, use the Get All Groups and
Domains Data.

Example
groupId: 1

sslDataType: type
Specifies whether to use domain SSL configuration, global configuration, or create a new configuration by
template. Use one of the following:

• GLOBAL
• DOMAIN
• TEMPLATE

Example
sslDataType: GLOBAL

fileSystemId: id
Specifies the ID of the file system. This is relevant for user-defined file systems. The default is -1.

Example
fileSystemId: -1

nodeName: name
Specifies the name of decoy. For auto-name generation, omit this parameter or leave the value blank.

Example specifying a name

nodeName: decoy1

Example to allow auto-name generation

nodeName:

nodeIp: ip
Specifies the IP address or range of IP addresses available for the decoy. Specify a valid IP address or
range. You must specify an IP address if DHCP is not enabled.

Examples
nodeIp: 192.168.10.12

nodeIp: 192.168.10.12-192.168.10.50

26 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Subnet Properties (subnetProps)
subnetId: id
Specifies the ID of the subnet on which to create the decoy. To retrieve the subnets, use the Get All
Subnets Data API.

Example
subnetId: 5

"gateway": "string"
Specifies the subnet’s gateway.

Example
"gateway": "192.168.0.1"

"interfaceName": "string"
Specifies the subnet’s interface name.

Example
"interfaceName": "eth2"

vlan: tag
Specifies the VLAN to use for the Decoy. Use one of the following:

• 0 – for no VLAN.
• tag – valid VLAN tag

Example
vlan: 0

useIpsFromAdaptiveRanges: true|false
Specifies whether to use ipRanges if both nodeIp and ipRanges exist.

Example
useIpsFromAdaptiveRanges: false

vendor: vendor
Specifies the IOT device vendor.

Example
vendor: Cisco

deviceName: name
Specifies the IOT device vendor.

Example
deviceName: Cisco Switch

27 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

interfaceName: interface
Specifies the decoy interface. Specify a valid NIC on the Decoy server.

Example
interfaceName: eth1

componentId: id
Specifies the valid component ID of a Decoy server. Sensor ID is fetched by this parameter.

Example
componentId: 132

isDhcp: true|false
Whether to use DHCP for the decoy IP address.

Example
isDhcp:true

ovaId: id
Specifies the ova record ID in case of VM decoy creation.

Example
ovaId: 10

webServer: id
Specifies the ID of the web server to present on decoys with HTTP services.

Example
webserver: 30

sensorOffline: true|false
Specifies whether to force decoy creation even if the decoy sensor is offline.

Example
sensorOffline: true

masterDecoyId: id
Specifies the ID of the main decoy when decoyType is ADDITIONAL_IP.

Example
masterDecoyId: 5

wan: true|false
Specifies whether to allow Real OS decoys access from the decoy to the public network.

Example
wan: true

28 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

lan: true|false
Specifies whether to allow real OS decoys access from the decoy to the internal network.

Example
lan: true

isCloud: true|false
Specifies whether the decoy is a cloud decoy. This forces DHCP and sets vlan to 0.

Example
isCloud: true

advancedMap: json
Specifies advanced SSH settings for the decoy.

Example
advancedMap: {SSH: {SERVER: "{{CRLF}}Last login: {{LASTLOGIN}} on
tty1{{CRLF}}{{CRLF}}",HOME_DIRECTORY: "/Users/%username%"}}

macAddress: mac
Specifies the mac address for the decoy.

Example
mac: 12:34:56:78:90:ab

Query Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Example Create Five Emulated Decoys Using IP

{
"decoyProps": {
"subnetId": 10,
"hpRateLimit": "NORMAL",
"decoyCount": 5,
"createType": "CUSTOM",
"decoyType": "EMULATED",
"hpMode": "DROP",
"deviceType": "COMPUTER",
"osType": "WINDOWS_10",
"computerRole": "WORKSTATION_BASE",
"mgmtGroup": 1,
"sslDataType": "TEMPLATE",
"nodeIp": "10.6.64.200-10.6.64.204"
},
"subnetProps": {
"subnetId": 10,
"gateway": "10.6.64.1",
"interfaceName": "eth2",
"vlan": 1064,

29 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

 "isMacSpoofingAvailable": false,
"forceMacSpoofing": true,
"decoysRelativeNumber": true,
"decoysNumber": 8,
"sensorId": 10,
"isAdaptiveDhcp": false,
"maxAdaptiveDecoysToCreate": 50,
"isAutoConfigured": true,
"isGatewayAccessible": false,
"ipRanges": [],
"exsitingDecoysNum": 0,
"manualDecoysCount": 0,
"autoGeneratedDecoysCount": 0,
"miniTrappedDecoysCount": 0,
"recommendedDecoyNum": 0,
"decoyDeploymentPercentage": 0,
"decoyDeploymentCoverage": "NONE",
"maxDecoyNum": 1000,
"isCompleted": true,
"isEditable": true,
"subnetAddress": "10.6.64.0",
"mask": "255.255.252.0",
"isUserDefined": true,
"isOnRemovedSensor": false,
"machineId": 10,
"componentId": 4,
"componentName": "DS11",
"vmDecoysCount": 0,
"vmEnabled": false,
"assetsCount": 0,
"ipRangesSuggestion": [],
"isDhcpAvailable": false,
"isSuggested": false,
"configStatus": "DHCP_CONFIGURED",
"validationStatus": "GATEWAY_UNREACHABLE",
"isDeployable": true,
"dhcpDecoys": 0,
"customMacs": 0,
"hasMissingConfig": false,
"breadcrumbsAddSuggestionNum": 1,
"breadcrumbsDeploymentPercentage": 0,
"breadcrumbsDeploymentCoverage": "NONE",
"breadcrumbsDeploymentType": "MANUAL",
"breadcrumbAssetCount": 0,
"nodeIp": "10.6.64.200-10.6.64.204",
"enableVlanTag": true,
"subnetIp": "10.6.64.200"
},
"decoyCount": 5,
"ipOrRange": "10.6.64.200-10.6.64.204",
"ignoreSubnetValidation": true
}

30 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Delete Decoy

Path /mgm/rest/intguard/delete?commandPostName=name

Method PUT

Form Parameters
nodeIDs: ids
Specifies the IDs of the Decoys to delete.

Example
nodeIDs: 1725

approve: true|false
Specifies whether to force decoy deletion even if it was generated by adaptive deception.

Example
approve: true

sensorOffline: true|false
Specifies whether to force decoy deletion even if the decoy sensor is offline.

Example
sensorOffline: true

forceDeleteAdditionalIpDecoys: true|false
Specifies whether to force additional IP decoys deletion.

Example
forceDeleteAdditionalIpDecoys: true

Query Parameters
commandPostName=name
Specifies the CommandPost to which to communicate. For a single CommandPost, use Console. For a
Hierarchical Manager (HM) system, specify the CommandPost.

Example
/mgm/rest/intguard/delete?commandPostName=Console
nodeIds: 24

31 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.

Edit Decoy

Path /mgm/rest/intguard/decoyId?commandPostName=name

Method PUT

Parameters
Edit Decoy uses the same parameters as Create Decoy. For all parameters, descriptions, and usages,
see Create Decoy.

32 Copyright © 2024, Fidelis Security, LLC. All Rights Reserved.