ExtraHop Reveal(x)

Details
Content
Dependencies
Version History

Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

What does this integration do?

This integration enables the following investigative tasks and workflows in Cortex XSOAR as an automated response to ExtraHop Reveal(x) detections:

Create a Cortex XSOAR incident in real-time when a Reveal(x) detection identifies malicious or non-compliant behavior on your network.
Leverage Reveal(x) playbooks to respond with thousands of security actions that accelerate automated investigation and remediation.
Send real-time queries to Reveal(x) through the ExtraHop REST API that enable you to search for specific devices, network peers, active protocols, records, and packets that are part of your investigation.
Track tickets in Reveal(x) that link detections to your Cortex XSOAR investigation.

The following figures show an example of an ExtraHop Reveal(x) detection and the resulting playbook workflows in Cortex XSOAR.

ExtraHop detection card

Figure 1. Reveal(x) detection card for CVE-2019-0708 RDP Exploit Attempt

Cortex XSOAR playbook: ExtraHop Default

Figure 2. Reveal(x) Default playbook to set up ticket tracking and run the BlueKeep playbook

Cortex XSOAR playbook: ExtraHop CVE-2019-0708 BlueKeep

Figure 3. Reveal(x) CVE-2019-0708 BlueKeep playbook to automate detailed network investigation

# Extrahop RevealX
## Overview
ExtraHop RevealX 360 is a cloud-based security platform that provides comprehensive visibility and advanced threat detection across your network. It helps organizations quickly identify and respond to security threats in hybrid and multi-cloud environments. By leveraging machine learning and behavioral analytics, RevealX 360 monitors network traffic to spot suspicious activities and potential risks in real time.

This pack includes:

Rest API log collection for detection logs
Modeling Rules for detection logs

Configure an instance for ExtraHop Reveal(x)

How to create REST API Credentials:

You must have system and access administration privileges.

Log in to RevealX 360.
Click the System Settings icon - at the top right of the page and then click All Administration.
Click API Access.
Click Create Credentials.
In the Name field, type a name for the credentials.
In the Privileges field, specify a privilege level for the credentials. The privilege level determines which actions can be performed with the credential. Do not grant more privileges to REST API credentials than needed because it can create a security risk. For example, applications that only retrieve metrics should not be granted credentials that grant administrative privileges. For more information about each privilege level, see User privileges.

Note: System and Access Administration privileges are similar to Full write privileges and allow the credentials to connect sensors and Trace appliances to RevealX 360.*

In the Packet Access field, specify whether you can retrieve packets and session keys with the credentials.
Click Save. The Copy REST API Credentials pane appears.
Under ID, click Copy to Clipboard and save the ID to your local machine.
Under Secret, click Copy to Clipboard and save the secret to your local machine.
Click Done.

For more information, see the following guide here

Configure ExtraHop Reveal(x) in Cortex XSIAM

Parameter	Description	Required
Your server URL		True
Client Id	The client ID generated on your ExtraHop system that is required for authentication if connecting to ExtraHop Reveal(x) 360.	True
Client Secret	The client secret generated on your ExtraHop system that is required for authentication if connecting to ExtraHop Reveal(x) 360.	True
Trust any certificate (not secure)		False
Use system proxy settings		False
Fetch events		False
Maximum number of events per fetch	Defines the maximum number of audits events per fetch cycle. Default value: 25000.	True

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

revealx-get-events

Retrieves a list of audit log events from the Extrahop RevealX instance.

Base Command

revealx-get-events

Input

Argument Name	Description	Required
should_push_events	Set this argument to true in order to create events, otherwise it will only display them. Possible values are: true, false. Default is false.	Required
max_events	Returns no more than the specified number of detections.	Optional

Context Output

There is no context output for this command.

ExtraHop Reveal(x) for Cortex is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

What does this integration do?

This integration enables the following investigative tasks and workflows in Cortex as an automated response to ExtraHop Reveal(x) detections:

Create a Cortex incident in real-time when a Reveal(x) detection identifies malicious or non-compliant behavior on your network.
Leverage Reveal(x) playbooks to respond with thousands of security actions that accelerate automated investigation and remediation.
Send real-time queries to Reveal(x) through the ExtraHop REST API that enable you to search for specific devices, network peers, active protocols, records, and packets that are part of your investigation.
Track tickets in Reveal(x) that link detections to your Cortex investigation.

The following figures show an example of an ExtraHop Reveal(x) detection and the resulting playbook workflows in Cortex.

ExtraHop detection card

Figure 1. Reveal(x) detection card for CVE-2019-0708 RDP Exploit Attempt

Cortex playbook: ExtraHop Default

Figure 2. Reveal(x) Default playbook to set up ticket tracking and run the BlueKeep playbook

Cortex playbook: ExtraHop CVE-2019-0708 BlueKeep

Figure 3. Reveal(x) CVE-2019-0708 BlueKeep playbook to automate detailed network investigation

Automations

Name	Description
ExtraHopTrackIncidents	Links an incident investigation back to the ExtraHop Detection that created it.

Classifiers

Name	Description
ExtraHop Detections - Incoming Mapper	Mapper for ExtraHop detection.

Incident Fields

Name	Description
ExtraHop Reveal(x) Start Time	The start time of detection.
ExtraHop Reveal(x) Mod Time	The timestamp when detection was last modified.
Raw Participants	Raw list of participant objects associated with the ExtraHop Reveal(x) detection
ExtraHop Reveal(x) End Time	The time when offense ended.
Participants	List of participant objects associated with the ExtraHop Reveal(x) detection
ExtraHop Reveal(x) Detection Devices
ExtraHop Reveal(x) Mitre Tactics	The mitre tactics identified in detection.
ExtraHop Reveal(x) Update Time	The timestamp when detection was last updated.
ExtraHop Reveal(x) Mitre Techniques	The mitre techniques identified in detection.
ExtraHop Reveal(x) Properties
ExtraHop Reveal(x) Risk Score	The risk of the offense in integer.
ExtraHop Reveal(x) Detection ID	The unique ID of the detection
ExtraHop Reveal(x) Detection Status	The status of the detection
Detection Ticketed	Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)
ExtraHop Reveal(x) Detection Participants	The participants of a detection.
ExtraHop Reveal(x) Resolution	The resolution status of the detection.
ExtraHop Reveal(x) Detection Type	The type of ExtraHop detection.
ExtraHop Reveal(x) User Created	Is user created?
ExtraHop Appliance ID	Appliance ID of the ExtraHop Reveal(x) that created the detection
ExtraHop Hostname	Hostname of the ExtraHop Reveal(x) that created the detection

Incident Types

Name	Description
ExtraHop Detection

Integrations

Name	Description
ExtraHop Reveal(x) (Partner Contribution)	ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

Layouts

Name	Description
ExtraHop Detection

Playbooks

Name	Description
ExtraHop - Default	Default playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.
ExtraHop - Get Peers by Host	Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.
ExtraHop - CVE-2019-0708 (BlueKeep)	This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS Disable Remote Desktop Services if they are not required Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 Configure firewalls to block traffic on TCP port 3389
ExtraHop - Ticket Tracking v2	Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.

Automations

Name	Description
ExtraHopTrackIncidents	Links an incident investigation back to the ExtraHop Detection that created it.
ExtraHopTrackAlerts	Links an alert investigation back to the ExtraHop Detection that created it.

Classifiers

Name	Description
ExtraHop Detections - Incoming Mapper	Mapper for ExtraHop detection.

Incident Fields

Name	Description
ExtraHop Reveal(x) Detection Status	The status of the detection
ExtraHop Reveal(x) Start Time	The start time of detection.
ExtraHop Reveal(x) Detection Type	The type of ExtraHop detection.
ExtraHop Reveal(x) Properties
Participants	List of participant objects associated with the ExtraHop Reveal(x) detection
Detection Ticketed	Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)
ExtraHop Reveal(x) Mitre Techniques	The mitre techniques identified in detection.
Raw Participants	Raw list of participant objects associated with the ExtraHop Reveal(x) detection
ExtraHop Reveal(x) Mitre Tactics	The mitre tactics identified in detection.
ExtraHop Reveal(x) Mod Time	The timestamp when detection was last modified.
ExtraHop Reveal(x) End Time	The time when offense ended.
ExtraHop Reveal(x) Detection ID	The unique ID of the detection
ExtraHop Reveal(x) Detection Participants	The participants of a detection.
ExtraHop Reveal(x) Resolution	The resolution status of the detection.
ExtraHop Reveal(x) User Created	Is user created?
ExtraHop Reveal(x) Detection Devices
ExtraHop Reveal(x) Update Time	The timestamp when detection was last updated.
ExtraHop Reveal(x) Risk Score	The risk of the offense in integer.

Incident Types

Name	Description
ExtraHop Detection

Integrations

Name	Description
ExtraHop Reveal(x) (Partner Contribution)	ExtraHop Reveal(x) for Cortex is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
ExtraHop Reveal(x) Event Collector	ExtraHop Reveal(x) is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

Modeling Rules

Name	Description
ExtraHop RevealX Modeling Rule

Playbooks

Name	Description
ExtraHop - CVE-2019-0708 (BlueKeep)	This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS Disable Remote Desktop Services if they are not required Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 Configure firewalls to block traffic on TCP port 3389
ExtraHop - Default	Default playbook to run for all ExtraHop Detection alerts. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.
ExtraHop - Get Peers by Host	Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.
ExtraHop - Ticket Tracking v2	Links the Demisto alert back to the ExtraHop detection that created it for ticket tracking purposes.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (7)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

2.3.2 - R3481649 (May 21, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 39731

Download

2.3.1 - 3247809 (April 27, 2025)

Integrations

Updated the logic to validate the minimum required firmware version for ExtraHop.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39730
- 39715

Download

2.3.0 - 3175665 (April 20, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 39545

Download

2.2.11 - 3042633 (April 2, 2025)

Integrations

ExtraHop Reveal(x)

Metadata and documentation improvements.

Scripts

ExtraHopTrackIncidents

Metadata and documentation improvements.

Related pull requests:
- 39088

Download

2.2.10 - R2988527 (March 26, 2025)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37567
- 37564
- 37565

Download

2.2.9 - 1748140 (December 4, 2024)

Scripts

ExtraHopTrackIncidents

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

2.2.8 - R1738579 (December 2, 2024)

Integrations

ExtraHop Reveal(x)

Fixed an issue with the proxy setting.
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 36051
- 36062

Download

2.2.7 - 1142826 (July 2, 2024)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 35045

Download

2.2.6 - 1061293 (June 2, 2024)

Scripts

ExtraHopTrackIncidents

Updated the Docker image to: demisto/python3:3.10.14.95956.

Related pull requests:
- 34631
- 34076
- 34074
- 34075
- 34071
- 34072
- 34073

Download

2.3.2 - R3481649 (May 21, 2025)

Modeling Rules

New: ExtraHop RevealX Modeling Rule

New: Added a new modeling rule for detection logs

Related pull requests:
- 39731

Download

2.3.1 - 3247809 (April 27, 2025)

Integrations

ExtraHop Reveal(x)

Updated the logic to validate the minimum required firmware version for ExtraHop.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39730
- 39715

Download

2.3.0 - 3175665 (April 20, 2025)

Integrations

New: ExtraHop Reveal(x) Event Collector

New: ExtraHop Reveal(x) event collector integration for Cortex XSIAM - fetch detections from ExtraHop Reveal(x) (Available from Cortex XSIAM 2.5).

Related pull requests:
- 39545

Download

2.2.11 - 3042633 (April 2, 2025)

Integrations

ExtraHop Reveal(x)

Metadata and documentation improvements.

Scripts

ExtraHopTrackIncidents

Metadata and documentation improvements.

Related pull requests:
- 39088

Download

2.2.10 - R2988527 (March 26, 2025)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37567
- 37564
- 37565

Download

2.2.9 - 1748140 (December 4, 2024)

Scripts

ExtraHopTrackIncidents

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

2.2.8 - R1738579 (December 2, 2024)

Integrations

ExtraHop Reveal(x)

Fixed an issue with the proxy setting.
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 36051
- 36062

Download

2.2.7 - 1142826 (July 2, 2024)

Integrations

ExtraHop Reveal(x)

Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 35045

Download

2.2.6 - 1063016 (June 2, 2024)

Scripts

ExtraHopTrackIncidents

Updated the Docker image to: demisto/python3:3.10.14.95956.

Related pull requests:
- 34631
- 34076
- 34074
- 34075
- 34071
- 34072
- 34073

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	September 23, 2020
Last Release	May 21, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.