ExtraHop Reveal(x)

Appliance ID of the ExtraHop Reveal(x) that created the detection

The unique ID of the detection

The time when offense ended.

The timestamp when detection was last updated.

The type of ExtraHop detection.

The mitre techniques identified in detection.

List of participant objects associated with the ExtraHop Reveal(x) detection

Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)

Hostname of the ExtraHop Reveal(x) that created the detection

Is user created?

The risk of the offense in integer.

The timestamp when detection was last modified.

The participants of a detection.

The status of the detection

The start time of detection.

The resolution status of the detection.

The mitre tactics identified in detection.

Raw list of participant objects associated with the ExtraHop Reveal(x) detection

Links an incident investigation back to the ExtraHop Detection that created it.

Mapper for ExtraHop detection.

This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.

MITIGATION OPTIONS

• Disable Remote Desktop Services if they are not required
• Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
• Configure firewalls to block traffic on TCP port 3389

Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.

Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.

Default playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.

ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

The unique ID of the detection

The time when offense ended.

The timestamp when detection was last updated.

The type of ExtraHop detection.

The mitre techniques identified in detection.

List of participant objects associated with the ExtraHop Reveal(x) detection

Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)

Is user created?

The risk of the offense in integer.

The timestamp when detection was last modified.

The participants of a detection.

The status of the detection

The start time of detection.

The resolution status of the detection.

The mitre tactics identified in detection.

Raw list of participant objects associated with the ExtraHop Reveal(x) detection

Links an incident investigation back to the ExtraHop Detection that created it.

Links an alert investigation back to the ExtraHop Detection that created it.

Mapper for ExtraHop detection.

This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.

MITIGATION OPTIONS

• Disable Remote Desktop Services if they are not required
• Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
• Configure firewalls to block traffic on TCP port 3389

Links the Demisto alert back to the ExtraHop detection that created it for ticket tracking purposes.

Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.

Default playbook to run for all ExtraHop Detection alerts. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.

ExtraHop Reveal(x) for Cortex XSIAM is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.