ExtraHop Reveal(x)

Details
Content
Dependencies
Version History

Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

What does this integration do?

This integration enables the following investigative tasks and workflows in Cortex XSOAR as an automated response to ExtraHop Reveal(x) detections:

Create a Cortex XSOAR incident in real-time when a Reveal(x) detection identifies malicious or non-compliant behavior on your network.
Leverage Reveal(x) playbooks to respond with thousands of security actions that accelerate automated investigation and remediation.
Send real-time queries to Reveal(x) through the ExtraHop REST API that enable you to search for specific devices, network peers, active protocols, records, and packets that are part of your investigation.
Track tickets in Reveal(x) that link detections to your Cortex XSOAR investigation.

The following figures show an example of an ExtraHop Reveal(x) detection and the resulting playbook workflows in Cortex XSOAR.

ExtraHop detection card

Figure 1. Reveal(x) detection card for CVE-2019-0708 RDP Exploit Attempt

Cortex XSOAR playbook: ExtraHop Default

Figure 2. Reveal(x) Default playbook to set up ticket tracking and run the BlueKeep playbook

Cortex XSOAR playbook: ExtraHop CVE-2019-0708 BlueKeep

Figure 3. Reveal(x) CVE-2019-0708 BlueKeep playbook to automate detailed network investigation

ExtraHop Reveal(x) for Cortex XSIAM is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

What does this integration do?

This integration enables the following investigative tasks and workflows in Cortex XSIAM as an automated response to ExtraHop Reveal(x) detections:

Create a Cortex XSIAM incident in real-time when a Reveal(x) detection identifies malicious or non-compliant behavior on your network.
Leverage Reveal(x) playbooks to respond with thousands of security actions that accelerate automated investigation and remediation.
Send real-time queries to Reveal(x) through the ExtraHop REST API that enable you to search for specific devices, network peers, active protocols, records, and packets that are part of your investigation.
Track tickets in Reveal(x) that link detections to your Cortex XSIAM investigation.

The following figures show an example of an ExtraHop Reveal(x) detection and the resulting playbook workflows in Cortex XSIAM.

ExtraHop detection card

Figure 1. Reveal(x) detection card for CVE-2019-0708 RDP Exploit Attempt

Cortex XSIAM playbook: ExtraHop Default

Figure 2. Reveal(x) Default playbook to set up ticket tracking and run the BlueKeep playbook

Cortex XSIAM playbook: ExtraHop CVE-2019-0708 BlueKeep

Figure 3. Reveal(x) CVE-2019-0708 BlueKeep playbook to automate detailed network investigation

Automations

Name	Description
ExtraHopTrackIncidents	Links an incident investigation back to the ExtraHop Detection that created it.

Classifiers

Name	Description
ExtraHop Detections - Incoming Mapper	Mapper for ExtraHop detection.

Incident Fields

Name	Description
ExtraHop Reveal(x) Mitre Tactics	The mitre tactics identified in detection.
ExtraHop Reveal(x) Risk Score	The risk of the offense in integer.
ExtraHop Reveal(x) Mod Time	The timestamp when detection was last modified.
Detection Ticketed	Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)
Participants	List of participant objects associated with the ExtraHop Reveal(x) detection
ExtraHop Reveal(x) Detection Type	The type of ExtraHop detection.
ExtraHop Reveal(x) Resolution	The resolution status of the detection.
ExtraHop Reveal(x) Detection Devices
ExtraHop Reveal(x) Detection Participants	The participants of a detection.
ExtraHop Reveal(x) End Time	The time when offense ended.
ExtraHop Reveal(x) Start Time	The start time of detection.
ExtraHop Appliance ID	Appliance ID of the ExtraHop Reveal(x) that created the detection
ExtraHop Reveal(x) Detection Status	The status of the detection
ExtraHop Hostname	Hostname of the ExtraHop Reveal(x) that created the detection
ExtraHop Reveal(x) Detection ID	The unique ID of the detection
ExtraHop Reveal(x) Properties
ExtraHop Reveal(x) Update Time	The timestamp when detection was last updated.
Raw Participants	Raw list of participant objects associated with the ExtraHop Reveal(x) detection
ExtraHop Reveal(x) Mitre Techniques	The mitre techniques identified in detection.
ExtraHop Reveal(x) User Created	Is user created?

Incident Types

Name	Description
ExtraHop Detection

Integrations

Name	Description
ExtraHop Reveal(x) (Partner Contribution)	ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

Layouts

Name	Description
ExtraHop Detection

Playbooks

Name	Description
ExtraHop - Ticket Tracking v2	Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.
ExtraHop - CVE-2019-0708 (BlueKeep)	This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS Disable Remote Desktop Services if they are not required Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 Configure firewalls to block traffic on TCP port 3389
ExtraHop - Default	Default playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.
ExtraHop - Get Peers by Host	Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.

Automations

Name	Description
ExtraHopTrackIncidents	Links an incident investigation back to the ExtraHop Detection that created it.
ExtraHopTrackAlerts	Links an alert investigation back to the ExtraHop Detection that created it.

Classifiers

Name	Description
ExtraHop Detections - Incoming Mapper	Mapper for ExtraHop detection.

Incident Fields

Name	Description
ExtraHop Reveal(x) Update Time	The timestamp when detection was last updated.
ExtraHop Reveal(x) End Time	The time when offense ended.
ExtraHop Reveal(x) Detection ID	The unique ID of the detection
ExtraHop Reveal(x) Mitre Techniques	The mitre techniques identified in detection.
Raw Participants	Raw list of participant objects associated with the ExtraHop Reveal(x) detection
ExtraHop Reveal(x) Mod Time	The timestamp when detection was last modified.
Detection Ticketed	Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)
ExtraHop Reveal(x) Detection Participants	The participants of a detection.
ExtraHop Reveal(x) Resolution	The resolution status of the detection.
ExtraHop Reveal(x) Risk Score	The risk of the offense in integer.
ExtraHop Reveal(x) Start Time	The start time of detection.
ExtraHop Reveal(x) Detection Type	The type of ExtraHop detection.
ExtraHop Reveal(x) Mitre Tactics	The mitre tactics identified in detection.
ExtraHop Reveal(x) User Created	Is user created?
ExtraHop Reveal(x) Properties
Participants	List of participant objects associated with the ExtraHop Reveal(x) detection
ExtraHop Reveal(x) Detection Devices
ExtraHop Reveal(x) Detection Status	The status of the detection

Incident Types

Name	Description
ExtraHop Detection

Integrations

Name	Description
ExtraHop Reveal(x) (Partner Contribution)	ExtraHop Reveal(x) for Cortex XSIAM is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

Playbooks

Name	Description
ExtraHop - Default	Default playbook to run for all ExtraHop Detection alerts. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.
ExtraHop - Ticket Tracking v2	Links the Demisto alert back to the ExtraHop detection that created it for ticket tracking purposes.
ExtraHop - CVE-2019-0708 (BlueKeep)	This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS Disable Remote Desktop Services if they are not required Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 Configure firewalls to block traffic on TCP port 3389
ExtraHop - Get Peers by Host	Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (7)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Types	By: Cortex XSOAR

2.2.8 - 1320807 (August 28, 2024)

Integrations

Fixed an issue with the proxy setting.
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 36051
- 36062

Download

2.2.7 - 1142826 (July 2, 2024)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 35045

Download

2.2.6 - 1061293 (June 2, 2024)

Scripts

ExtraHopTrackIncidents

Updated the Docker image to: demisto/python3:3.10.14.95956.

Related pull requests:
- 34631
- 34076
- 34074
- 34075
- 34071
- 34072
- 34073

Download

2.2.5 - 1000160 (May 7, 2024)

Integrations

ExtraHop Reveal(x)

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 33388

Download

2.2.4 - R828628 (February 14, 2024)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32583
- 32584

Download

2.2.3 - 767481 (January 17, 2024)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32259

Download

2.2.2 - 743135 (January 4, 2024)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31967

Download

2.2.1 - R6592021 (October 13, 2023)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28758

Download

2.2.0 - R5866730 (July 25, 2023)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.12.63474.
Updated fetch_incidents to incorporate severity from detection risk score.

Related pull requests:
- 27587
- 27760

Download

2.1.1 - 5501210 (June 11, 2023)

Playbooks

ExtraHop - CVE-2019-0708 (BlueKeep)

Updated the playbook to use the generic cve command instead of CVE Search V2 which will be deprecated.

Related pull requests:
- 27341

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	September 23, 2020
Last Release	August 28, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.