ExtraHop Reveal(x)

Mapper for ExtraHop detection.

The type of ExtraHop detection.

The resolution status of the detection.

The start time of detection.

Hostname of the ExtraHop Reveal(x) that created the detection

Appliance ID of the ExtraHop Reveal(x) that created the detection

The status of the detection

Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)

The timestamp when detection was last modified.

Raw list of participant objects associated with the ExtraHop Reveal(x) detection

The timestamp when detection was last updated.

The unique ID of the detection

The mitre tactics identified in detection.

The participants of a detection.

The mitre techniques identified in detection.

List of participant objects associated with the ExtraHop Reveal(x) detection

The time when offense ended.

Is user created?

The risk of the offense in integer.

Links an incident investigation back to the ExtraHop Detection that created it.

Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.

Default playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.

Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.

This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.

MITIGATION OPTIONS

• Disable Remote Desktop Services if they are not required
• Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
• Configure firewalls to block traffic on TCP port 3389

ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

Mapper for ExtraHop detection.

The type of ExtraHop detection.

The resolution status of the detection.

The start time of detection.

The status of the detection

Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x)

The timestamp when detection was last modified.

Raw list of participant objects associated with the ExtraHop Reveal(x) detection

The timestamp when detection was last updated.

The unique ID of the detection

The mitre tactics identified in detection.

The participants of a detection.

The mitre techniques identified in detection.

List of participant objects associated with the ExtraHop Reveal(x) detection

The time when offense ended.

Is user created?

The risk of the offense in integer.

Links an incident investigation back to the ExtraHop Detection that created it.

Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.

Default playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.

Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.

This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.

MITIGATION OPTIONS

• Disable Remote Desktop Services if they are not required
• Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
• Configure firewalls to block traffic on TCP port 3389

ExtraHop Reveal(x) for Cortex XSIAM is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.