ExtraHop Reveal(x) v2
Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
ExtraHop Reveal(x) Playbooks
- ExtraHop - Default
- ExtraHop - CVE-2019-0708 (BlueKeep)
- ExtraHop - Ticket Tracking
- ExtraHop - Get Peers by Host
Use Cases
- Create incidents for every detection that ExtraHop Reveal(x) surfaces in real-time.
- Enable guided investigation and response through playbooks and automation scripts.
- Interrogate the ExtraHop Reveal(x) REST API using the simple and powerful Demisto CLI.
Detailed Description
Visit the ExtraHop + Demisto Setup Guide for detailed integration instructions.
Fetch Incidents
Incidents are pushed in via the Demisto REST API by a trigger running on the ExtraHop Reveal(x) appliance.
Configure ExtraHop Reveal(x) on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for ExtraHop Reveal(x).
-
Click
Add instance
to create and configure a new integration instance.
- Name : a name to identify the ExtraHop appliance.
- API Key : the value of the ExtraHop API key that was generated while configuring the ExtraHop appliance.
- URL : the URL of the ExtraHop appliance including the protocol (e.g. https://).
- Trust any certificate : whether to verify the SSL certificate on REST API requests.
- Use System Proxy : whether to use the system configured proxy for requests.
- Click Test to validate the new instance by querying the ExtraHop version from the REST API. If the test fails, check the instance configuration including the Trust any certificate (Not Secure) setting for correctness.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get all alert rules: extrahop-get-alert-rules
- Query records: extrahop-query-records
- Search for devices: extrahop-device-search
- Add or remove devices from the watchlist: extrahop-edit-watchlist
- Get all devices on the watchlist: extrahop-get-watchlist
- Create a new alert rule: extrahop-create-alert-rule
- Modify an alert rule: extrahop-edit-alert-rule
- Link an ExtraHop Detection to a Demisto Investigation: extrahop-track-ticket
- Get all peers for a device: extrahop-get-peers
- Get all active network protocols for a device: extrahop-get-protocols
- Add or remove a tag from devices: extrahop-tag-devices
- Get a link to a Live Activity Map: extrahop-get-activity-map
- Search for specific packets: extrahop-search-packets
1. Get all alert rules
Get all alert rules from ExtraHop.
Base Command
extrahop-get-alert-rules
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|
Context Output
| Path | Type | Description |
|---|---|---|
| Extrahop.Alert.Operator | String | b'The logical operator applied when comparing the value of the operand field to alert conditions.' |
| Extrahop.Alert.FieldName | String | b'The name of the monitored metric.' |
| Extrahop.Alert.NotifySnmp | Boolean | b'Indicates whether to send an SNMP trap when an alert is generated. ' |
| Extrahop.Alert.Operand | String | b'The value to compare against alert conditions.' |
| Extrahop.Alert.IntervalLength | Number | b'The length of the alert interval, expressed in seconds.' |
| Extrahop.Alert.Author | String | b'The name of the user that created the alert. ' |
| Extrahop.Alert.Name | String | b'The unique, friendly name for the alert.' |
| Extrahop.Alert.FieldName2 | String | b'The second monitored metric when applying a ratio.' |
| Extrahop.Alert.RefireInterval | Number | b'The time interval in which alert conditions are monitored, expressed in seconds.' |
| Extrahop.Alert.ModTime | Number | b'The time of the most recent update, expressed in milliseconds since the epoch. ' |
| Extrahop.Alert.Units | String | b'The interval in which to evaluate the alert condition.' |
| Extrahop.Alert.ApplyAll | Boolean | b'Indicates whether the alert is assigned to all available data sources.' |
| Extrahop.Alert.Type | String | b'The type of alert.' |
| Extrahop.Alert.FieldOp | String | b'The type of comparison between the "field_name" and "field_name2" fields when applying a ratio.' |
| Extrahop.Alert.Id | Number | b'The unique identifier for the alert.' |
| Extrahop.Alert.Disabled | Boolean | b'Indicates whether the alert is disabled.' |
| Extrahop.Alert.Description | String | b'An optional description for the alert.' |
| Extrahop.Alert.Severity | Number | b'The severity level of the alert.' |
| Extrahop.Alert.StatName | String | b'The statistic name for the alert.' |
Command Example
!extrahop-get-alert-rules
Context Example
{
"ExtraHop": {
"Alert": [
{
"ApplyAll": false,
"Author": "ExtraHop",
"Description": "Alert triggered when ratio of web errors is greater than 5%.",
"Disabled": true,
"FieldName": "rsp_error",
"FieldName2": "rsp",
"FieldOp": "/",
"Id": 11,
"IntervalLength": 30,
"ModTime": 1522964293585,
"Name": "Web Error Ratio - Red",
"NotifySnmp": false,
"Operand": ".05",
"Operator": ">",
"RefireInterval": 300,
"Severity": 1,
"StatName": "extrahop.application.http",
"Type": "threshold",
"Units": "none"
},
{
"ApplyAll": false,
"Author": "ExtraHop",
"Description": "Alert triggered when ratio of web errors is greater than 1%.",
"Disabled": true,
"FieldName": "rsp_error",
"FieldName2": "rsp",
"FieldOp": "/",
"Id": 12,
"IntervalLength": 30,
"ModTime": 1522964293596,
"Name": "Web Error Ratio - Orange",
"NotifySnmp": false,
"Operand": ".01",
"Operator": ">",
"RefireInterval": 300,
"Severity": 3,
"StatName": "extrahop.application.http",
"Type": "threshold",
"Units": "none"
}
]
}
}
Human Readable Output
Found 2 Alert(s)
| Apply All | Author | Description | Disabled | Field Name | Field Name2 | Field Op | Id | Interval Length | Mod Time | Name | Notify Snmp | Operand | Operator | Refire Interval | Severity | Stat Name | Type | Units |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| false | ExtraHop | Alert triggered when ratio of web errors is greater than 5%. | true | rsp_error | rsp | / | 11 | 30 | 1522964293585 | Web Error Ratio - Red | false | .05 | > | 300 | 1 | extrahop.application.http | threshold | none |
| false | ExtraHop | Alert triggered when ratio of web errors is greater than 1%. | true | rsp_error | rsp | / | 12 | 30 | 1522964293596 | Web Error Ratio - Orange | false | .01 | > | 300 | 3 | extrahop.application.http | threshold | none |
2. Query records
Query records from ExtraHop.
Base Command
extrahop-query-records
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| query_from | The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -10m to begin the search with records created 10 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Required |
| query_until | The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. A 0 value specifies that the search will end with records created at the time of the request. A negative value specifies that the search will end with records created at a time in the past relative to the current time. For example, specify -5m to end the search with records created 5 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| limit | The maximum number of entries to return. | Optional |
| offset | The number of records to skip in the query results. | Optional |
| field1 | The name of the field in the record to be filtered. The query compares field1 to value1 and applies the compare method specified by the operator1 parameter. If the specified field name is ".any", the union of all field values will be searched. If the specified field name is ".ipaddr" or ".port", the client, server, sender, and receiver roles are included in the search. | Optional |
| operator1 | The compare method applied when matching value1 against the field1 contents. | Optional |
| value1 | The value that the query attempts to match. The query compares this value to the contents of the field1 parameter and applies the compare method specified by the operator1 parameter. | Optional |
| field2 | The name of the field in the record to be filtered. The query compares field2 to value2 and applies the compare method specified by the operator2 parameter. If the specified field name is ".any", the union of all field values will be searched. If the specified field name is ".ipaddr" or ".port", the client, server, sender, and receiver roles are included in the search. | Optional |
| operator2 | The compare method applied when matching value2 against the field2 contents. | Optional |
| value2 | The value that the query attempts to match. The query compares this value to the contents of the field2 parameter and applies the compare method specified by the operator2 parameter. | Optional |
| match_type | The match operator to use when chaining the search fields of 1 and 2 together. For example, to find HTTP records with status code 500 or a processing time greater than 100ms (set match_type=or, field1=statusCode, operator1==, value1=500, field2=processingTime, operator2=> value2=100, types=http). | Optional |
| types | A list of one or more record formats for the query to filter on, comma separated. The query returns only records that match the specified formats. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ExtraHop.Record.Type | string | b'The record format.' |
| ExtraHop.Record.Source.timestamp | Number | b'The timestamp of the item.' |
| ExtraHop.Record.Source.detection | string | b'The detection type that committed the record.' |
| ExtraHop.Record.Source.ex.isSuspicious | Boolean | b'Marked as suspicious by Threat Intelligence.' |
| ExtraHop.Record.Source.accessTime | Number | b'Access Time' |
| ExtraHop.Record.Source.ackCode | String | b'Ack Code' |
| ExtraHop.Record.Source.ackId | String | b'Ack ID' |
| ExtraHop.Record.Source.adminQueue | String | b'Admin Queue' |
| ExtraHop.Record.Source.age | Number | b'Age' |
| ExtraHop.Record.Source.alertCode | Number | b'Alert Code' |
| ExtraHop.Record.Source.alertLevel | String | b'Alert Level' |
| ExtraHop.Record.Source.answer | Unknown | b'Answer' |
| ExtraHop.Record.Source.answers | Unknown | b'Answers' |
| ExtraHop.Record.Source.appName | String | b'Application Name' |
| ExtraHop.Record.Source.application | Unknown | b'Application' |
| ExtraHop.Record.Source.args | String | b'Arguments' |
| ExtraHop.Record.Source.authDomain | String | b'Authentication Domain' |
| ExtraHop.Record.Source.authMethod | String | b'Authentication Method' |
| ExtraHop.Record.Source.authResult | Number | b'Auth Result' |
| ExtraHop.Record.Source.authType | Number | b'Auth Type' |
| ExtraHop.Record.Source.authenticator | String | b'Authenticator' |
| ExtraHop.Record.Source.bindDN | String | b'Bind Distinguished Name' |
| ExtraHop.Record.Source.bytes | Number | b'Bytes' |
| ExtraHop.Record.Source.cName | String | b'Canonical Endpoint' |
| ExtraHop.Record.Source.cNameType | String | b'Client Name Type' |
| ExtraHop.Record.Source.cNames | String | b'Client Name Components' |
| ExtraHop.Record.Source.cRealm | String | b'Client Realm' |
| ExtraHop.Record.Source.callId | String | b'Call ID' |
| ExtraHop.Record.Source.certificateFingerprint | String | b'Certificate Fingerprint' |
| ExtraHop.Record.Source.certificateIsSelfSigned | Boolean | b'Certificate Self Signed' |
| ExtraHop.Record.Source.certificateIssuer | String | b'Certificate Issuer' |
| ExtraHop.Record.Source.certificateKeySize | Number | b'Certificate Key Size' |
| ExtraHop.Record.Source.certificateNotAfter | Number | b'Certificate Not After' |
| ExtraHop.Record.Source.certificateNotBefore | Number | b'Certificate Not Before' |
| ExtraHop.Record.Source.certificateSignatureAlgorithm | String | b'Certificate Signature Algorithm' |
| ExtraHop.Record.Source.certificateSubject | String | b'Certificate Subject' |
| ExtraHop.Record.Source.certificateSubjectAlternativeNames | String | b'Certificate Subject Alternative Names' |
| ExtraHop.Record.Source.channel | String | b'Channel' |
| ExtraHop.Record.Source.cipherSuite | String | b'Cipher Suite' |
| ExtraHop.Record.Source.client.type | String | b'Client Type' |
| ExtraHop.Record.Source.client.value | String | b'Client Discovery ID' |
| ExtraHop.Record.Source.clientAddr.type | String | b'Client IP Address Type' |
| ExtraHop.Record.Source.clientAddr.value | String | b'Client IP Address Value' |
| ExtraHop.Record.Source.clientBuild | String | b'Client Build' |
| ExtraHop.Record.Source.clientBytes | Number | b'Client Bytes' |
| ExtraHop.Record.Source.clientCGPMsgCount | Number | b'Client CGP Messages' |
| ExtraHop.Record.Source.clientCertificateRequested | Boolean | b'Client Certificate Requested' |
| ExtraHop.Record.Source.clientCipherAlgorithm | String | b'Client Cipher Algorithm' |
| ExtraHop.Record.Source.clientCompressionAlgorithm | String | b'Client Compression Algorithm' |
| ExtraHop.Record.Source.clientImplementation | String | b'Client Implementation' |
| ExtraHop.Record.Source.clientL2Bytes | Number | b'Client L2 Bytes' |
| ExtraHop.Record.Source.clientLatency | Number | b'Client Latency' |
| ExtraHop.Record.Source.clientMacAlgorithm | String | b'Client MAC Algorithm' |
| ExtraHop.Record.Source.clientMachine | String | b'Client Machine' |
| ExtraHop.Record.Source.clientMsgCount | Number | b'Client Messages' |
| ExtraHop.Record.Source.clientName | String | b'Client Name' |
| ExtraHop.Record.Source.clientPkts | Number | b'Client Packets' |
| ExtraHop.Record.Source.clientPort | Number | b'Client Port' |
| ExtraHop.Record.Source.clientPrincipalName | String | b'Client Principal Name' |
| ExtraHop.Record.Source.clientRTO | Number | b'Client RTO' |
| ExtraHop.Record.Source.clientReqDelay | Number | b'Client Request Delay' |
| ExtraHop.Record.Source.clientType | String | b'ICA Client Type' |
| ExtraHop.Record.Source.clientVersion | String | b'Client Version' |
| ExtraHop.Record.Source.clientZeroWnd | Number | b'Client Zero Windows' |
| ExtraHop.Record.Source.collection | String | b'Collection' |
| ExtraHop.Record.Source.command | String | b'Command' |
| ExtraHop.Record.Source.contentType | String | b'Content Type' |
| ExtraHop.Record.Source.conversationId | Number | b'Conversation ID' |
| ExtraHop.Record.Source.cookie | String | b'Cookie' |
| ExtraHop.Record.Source.correlationId | String | b'Correlation ID' |
| ExtraHop.Record.Source.cwd | String | b'Current Working Directory' |
| ExtraHop.Record.Source.dataSize | Number | b'Data Size' |
| ExtraHop.Record.Source.database | String | b'Database' |
| ExtraHop.Record.Source.deltaBytes | Number | b'Delta Bytes' |
| ExtraHop.Record.Source.deltaPkts | Number | b'Delta Packets' |
| ExtraHop.Record.Source.desktopHeight | Number | b'Desktop Height' |
| ExtraHop.Record.Source.desktopWidth | Number | b'Desktop Width' |
| ExtraHop.Record.Source.destination | String | b'Destination' |
| ExtraHop.Record.Source.dn | String | b'Distinguished Name' |
| ExtraHop.Record.Source.domain | String | b'Domain' |
| ExtraHop.Record.Source.drops | Number | b'Drops' |
| ExtraHop.Record.Source.dscpName | String | b'DSCP' |
| ExtraHop.Record.Source.dstQueueMgr | String | b'Destination Queue Manager' |
| ExtraHop.Record.Source.dups | Number | b'Dups' |
| ExtraHop.Record.Source.duration | Number | b'Duration' |
| ExtraHop.Record.Source.egressInterface | Unknown | b'Egress Interface' |
| ExtraHop.Record.Source.error | String | b'Error' |
| ExtraHop.Record.Source.errorDetail | String | b'Error Detail' |
| ExtraHop.Record.Source.expiration | Number | b'Expiration' |
| ExtraHop.Record.Source.first | Number | b'First' |
| ExtraHop.Record.Source.flowId | String | b'Flow' |
| ExtraHop.Record.Source.format | String | b'Format' |
| ExtraHop.Record.Source.frameCutDuration | Number | b'Frame Cut Duration' |
| ExtraHop.Record.Source.frameSendDuration | Number | b'Frame Send Duration' |
| ExtraHop.Record.Source.from | String | b'From' |
| ExtraHop.Record.Source.functionId | Number | b'Function ID' |
| ExtraHop.Record.Source.functionName | String | b'Function Name' |
| ExtraHop.Record.Source.fwdReqClientAddr.type | String | b'Forwarded Request Client IP Address Type' |
| ExtraHop.Record.Source.fwdReqClientAddr.value | String | b'Forwarded Request Client IP Address Value' |
| ExtraHop.Record.Source.fwdReqHost | String | b'Forwarded Request Host' |
| ExtraHop.Record.Source.fwdReqIsEncrypted | Boolean | b'Forwarded Request Is Encrypted' |
| ExtraHop.Record.Source.fwdReqServerName | String | b'Forwarded Request Server Name' |
| ExtraHop.Record.Source.fwdReqServerPort | Number | b'Forwarded Request Server Port' |
| ExtraHop.Record.Source.gwAddr.type | String | b'Gateway IP Address Type' |
| ExtraHop.Record.Source.gwAddr.value | String | b'Gateway IP Address Value' |
| ExtraHop.Record.Source.handshakeTime | Number | b'Handshake Time' |
| ExtraHop.Record.Source.hasSDP | Boolean | b'Has SDP' |
| ExtraHop.Record.Source.hassh | String | b'HASSH' |
| ExtraHop.Record.Source.hasshServer | String | b'HASSH Server' |
| ExtraHop.Record.Source.heartbeatPayloadLength | Number | b'Heartbeat Payload Length' |
| ExtraHop.Record.Source.heartbeatType | Number | b'Heartbeat Type' |
| ExtraHop.Record.Source.hitCount | Number | b'Hit Count' |
| ExtraHop.Record.Source.hopLimit | Number | b'Hop Limit' |
| ExtraHop.Record.Source.host | String | b'Host' |
| ExtraHop.Record.Source.htype | Number | b'Hardware Address Type' |
| ExtraHop.Record.Source.ingressInterface | Unknown | b'Ingress Interface' |
| ExtraHop.Record.Source.interface | String | b'Interface' |
| ExtraHop.Record.Source.isAborted | Boolean | b'Aborted' |
| ExtraHop.Record.Source.isAuthoritative | Boolean | b'Authoritative' |
| ExtraHop.Record.Source.isBinaryProtocol | Boolean | b'Binary Protocol' |
| ExtraHop.Record.Source.isCheckingDisabled | Boolean | b'Checking Disabled' |
| ExtraHop.Record.Source.isCleanShutdown | Boolean | b'Clean Shutdown' |
| ExtraHop.Record.Source.isClientDiskRead | Boolean | b'Client Disk Read' |
| ExtraHop.Record.Source.isClientDiskWrite | Boolean | b'Client Disk Write' |
| ExtraHop.Record.Source.isCommandCreate | Boolean | b'Create Command' |
| ExtraHop.Record.Source.isCommandDelete | Boolean | b'Delete Command' |
| ExtraHop.Record.Source.isCommandFileInfo | Boolean | b'FileInfo Command' |
| ExtraHop.Record.Source.isCommandLock | Boolean | b'Lock Command' |
| ExtraHop.Record.Source.isCommandRead | Boolean | b'Read Command' |
| ExtraHop.Record.Source.isCommandRename | Boolean | b'Rename Command' |
| ExtraHop.Record.Source.isCommandWrite | Boolean | b'Write Command' |
| ExtraHop.Record.Source.isCompressed | Boolean | b'Compressed' |
| ExtraHop.Record.Source.isEncrypted | Boolean | b'Encrypted' |
| ExtraHop.Record.Source.isNoReply | Boolean | b'No Reply' |
| ExtraHop.Record.Source.isPipelined | Boolean | b'Pipelined' |
| ExtraHop.Record.Source.isRecursionAvailable | Boolean | b'Recursion Available' |
| ExtraHop.Record.Source.isRecursionDesired | Boolean | b'Recursion Desired' |
| ExtraHop.Record.Source.isRenegotiate | Boolean | b'Renegotiate' |
| ExtraHop.Record.Source.isReqAborted | Boolean | b'Request Aborted' |
| ExtraHop.Record.Source.isReqTimeout | Boolean | b'Request Timed Out' |
| ExtraHop.Record.Source.isReqTruncated | Boolean | b'Request Truncated' |
| ExtraHop.Record.Source.isRspAborted | Boolean | b'Response Aborted' |
| ExtraHop.Record.Source.isRspChunked | Boolean | b'Chunked' |
| ExtraHop.Record.Source.isRspCompressed | Boolean | b'Rsp Compressed' |
| ExtraHop.Record.Source.isRspImplicit | Boolean | b'Response Implicit' |
| ExtraHop.Record.Source.isRspTruncated | Boolean | b'Response Truncated' |
| ExtraHop.Record.Source.isSQLi | Boolean | b'Contains SQLi' |
| ExtraHop.Record.Source.isSharedSession | Boolean | b'Shared Session' |
| ExtraHop.Record.Source.isSubOperation | Boolean | b'Is a suboperation' |
| ExtraHop.Record.Source.isWeakCipherSuite | Boolean | b'Weak Cipher Suite' |
| ExtraHop.Record.Source.isXSS | Boolean | b'Contains XSS' |
| ExtraHop.Record.Source.ja3Hash | String | b'JA3 Hash' |
| ExtraHop.Record.Source.ja3sHash | String | b'JA3S Hash' |
| ExtraHop.Record.Source.jitter | Number | b'Jitter' |
| ExtraHop.Record.Source.kexAlgorithm | String | b'KEX Algorithm' |
| ExtraHop.Record.Source.keyboardLayout | String | b'Keyboard Layout' |
| ExtraHop.Record.Source.l2Bytes | Number | b'L2 Bytes' |
| ExtraHop.Record.Source.l7proto | String | b'L7 Protocol' |
| ExtraHop.Record.Source.label | String | b'Label' |
| ExtraHop.Record.Source.last | Number | b'Last' |
| ExtraHop.Record.Source.launchParams | String | b'Parameters' |
| ExtraHop.Record.Source.loadTime | Number | b'Load Time' |
| ExtraHop.Record.Source.loginTime | Number | b'Login Time' |
| ExtraHop.Record.Source.method | String | b'Method' |
| ExtraHop.Record.Source.missCount | Number | b'Miss Count' |
| ExtraHop.Record.Source.mos | Number | b'MOS' |
| ExtraHop.Record.Source.msgClass | String | b'Message Class' |
| ExtraHop.Record.Source.msgCode | Number | b'Message Code' |
| ExtraHop.Record.Source.msgFormat | String | b'Message Format' |
| ExtraHop.Record.Source.msgId | Number | b'Message ID' |
| ExtraHop.Record.Source.msgLength | Number | b'Message Length' |
| ExtraHop.Record.Source.msgSize | Number | b'Message Size' |
| ExtraHop.Record.Source.msgText | String | b'Message Text' |
| ExtraHop.Record.Source.msgType | String | b'Message Type' |
| ExtraHop.Record.Source.network | Unknown | b'Flow Network' |
| ExtraHop.Record.Source.networkAddr.type | String | b'Flow Network IP Address Type' |
| ExtraHop.Record.Source.networkAddr.value | String | b'Flow Network IP Address Value' |
| ExtraHop.Record.Source.networkLatency | Number | b'Network Latency' |
| ExtraHop.Record.Source.nextHop.type | String | b'Next Hop IP Address Type' |
| ExtraHop.Record.Source.nextHop.value | String | b'Next Hop IP Address Value' |
| ExtraHop.Record.Source.nextHopMTU | Number | b'Next Hop MTU' |
| ExtraHop.Record.Source.notAfter | Number | b'Certificate Not After' |
| ExtraHop.Record.Source.offeredAddr.type | String | b'Offered IP Address Type' |
| ExtraHop.Record.Source.offeredAddr.value | String | b'Offered IP Address Value' |
| ExtraHop.Record.Source.offset | Number | b'Offset' |
| ExtraHop.Record.Source.opcode | String | b'Opcode' |
| ExtraHop.Record.Source.operation | String | b'Operation' |
| ExtraHop.Record.Source.option | String | b'Options' |
| ExtraHop.Record.Source.origin | String | b'Origin' |
| ExtraHop.Record.Source.outOfOrder | Number | b'Out Of Order' |
| ExtraHop.Record.Source.path | String | b'Path' |
| ExtraHop.Record.Source.payloadType | String | b'Payload Type' |
| ExtraHop.Record.Source.payloadTypeId | Number | b'Payload Type ID' |
| ExtraHop.Record.Source.persistent | Boolean | b'Persistent' |
| ExtraHop.Record.Source.pkts | Number | b'Packets' |
| ExtraHop.Record.Source.pointer | Number | b'Pointer' |
| ExtraHop.Record.Source.printerName | String | b'Printer Name' |
| ExtraHop.Record.Source.priority | Number | b'Priority' |
| ExtraHop.Record.Source.procedure | String | b'Procedure' |
| ExtraHop.Record.Source.processingTime | Number | b'Processing Time' |
| ExtraHop.Record.Source.program | String | b'Program' |
| ExtraHop.Record.Source.proto | String | b'IP Protocol' |
| ExtraHop.Record.Source.protocol | String | b'Protocol' |
| ExtraHop.Record.Source.putAppName | String | b'Put Application Name' |
| ExtraHop.Record.Source.qname | String | b'Query Name' |
| ExtraHop.Record.Source.qtype | String | b'Query Type' |
| ExtraHop.Record.Source.query | String | b'Query' |
| ExtraHop.Record.Source.queue | String | b'Queue' |
| ExtraHop.Record.Source.queueMgr | String | b'Queue Manager' |
| ExtraHop.Record.Source.rFactor | Number | b'R Factor' |
| ExtraHop.Record.Source.realm | String | b'Server Realm' |
| ExtraHop.Record.Source.receiver.type | String | b'Receiver Type' |
| ExtraHop.Record.Source.receiver.value | String | b'Receiver Discovery ID' |
| ExtraHop.Record.Source.receiverAddr.type | String | b'Receiver IP Address Type' |
| ExtraHop.Record.Source.receiverAddr.value | String | b'Receiver IP Address Value' |
| ExtraHop.Record.Source.receiverAsn | Number | b'Receiver ASN' |
| ExtraHop.Record.Source.receiverBytes | Number | b'Receiver Bytes' |
| ExtraHop.Record.Source.receiverIsBroker | Boolean | b'To Broker' |
| ExtraHop.Record.Source.receiverL2Bytes | Number | b'Receiver L2 Bytes' |
| ExtraHop.Record.Source.receiverPkts | Number | b'Receiver Packets' |
| ExtraHop.Record.Source.receiverPort | Number | b'Receiver Port' |
| ExtraHop.Record.Source.receiverPrefixLength | Number | b'Receiver Prefix Length' |
| ExtraHop.Record.Source.receiverRTO | Number | b'Receiver RTO' |
| ExtraHop.Record.Source.receiverZeroWnd | Number | b'Receiver Zero Windows' |
| ExtraHop.Record.Source.recipient | String | b'Recipient' |
| ExtraHop.Record.Source.recipientList | String | b'Recipient List' |
| ExtraHop.Record.Source.redeliveryCount | Number | b'Redelivery Count' |
| ExtraHop.Record.Source.referer | String | b'Referer' |
| ExtraHop.Record.Source.renameDirChanged | Boolean | b'Rename Directory Changed' |
| ExtraHop.Record.Source.replyTo | String | b'Reply To' |
| ExtraHop.Record.Source.reqBytes | Number | b'Request Bytes' |
| ExtraHop.Record.Source.reqKey | String | b'Request Key' |
| ExtraHop.Record.Source.reqL2Bytes | Number | b'Request L2 Bytes' |
| ExtraHop.Record.Source.reqPdu | String | b'Request PDU Type' |
| ExtraHop.Record.Source.reqPkts | Number | b'Request Packets' |
| ExtraHop.Record.Source.reqRTO | Number | b'Request RTO' |
| ExtraHop.Record.Source.reqSize | Number | b'Request Size' |
| ExtraHop.Record.Source.reqTimeToLastByte | Number | b'Req Time To Last Byte' |
| ExtraHop.Record.Source.reqTransferTime | Number | b'Request Transfer Time' |
| ExtraHop.Record.Source.requestedColorDepth | String | b'Requested Color Depth' |
| ExtraHop.Record.Source.requestedProtocols | String | b'Requested Protocols' |
| ExtraHop.Record.Source.resolvedQueue | String | b'Resolved Queue' |
| ExtraHop.Record.Source.resolvedQueueMgr | String | b'Resolved Queue Manager' |
| ExtraHop.Record.Source.resource | String | b'Resource' |
| ExtraHop.Record.Source.responseQueue | String | b'Response Queue' |
| ExtraHop.Record.Source.roundTripTime | Number | b'Round Trip Time' |
| ExtraHop.Record.Source.rspBytes | Number | b'Response Bytes' |
| ExtraHop.Record.Source.rspL2Bytes | Number | b'Response L2 Bytes' |
| ExtraHop.Record.Source.rspPdu | String | b'Response PDU Type' |
| ExtraHop.Record.Source.rspPkts | Number | b'Response Packets' |
| ExtraHop.Record.Source.rspRTO | Number | b'Response RTO' |
| ExtraHop.Record.Source.rspSize | Number | b'Response Size' |
| ExtraHop.Record.Source.rspTimeToFirstByte | Number | b'Rsp Time To First Byte' |
| ExtraHop.Record.Source.rspTimeToFirstHeader | Number | b'Rsp Time To First Header' |
| ExtraHop.Record.Source.rspTimeToFirstPayload | Number | b'Rsp Time To First Payload' |
| ExtraHop.Record.Source.rspTimeToLastByte | Number | b'Rsp Time To Last Byte' |
| ExtraHop.Record.Source.rspTransferTime | Number | b'Response Transfer Time' |
| ExtraHop.Record.Source.rspVersion | String | b'Response Version' |
| ExtraHop.Record.Source.rto | Number | b'RTO' |
| ExtraHop.Record.Source.sNameType | String | b'Server Name Type' |
| ExtraHop.Record.Source.sNames | String | b'Server Name Components' |
| ExtraHop.Record.Source.saslMechanism | String | b'SASL Mechanism' |
| ExtraHop.Record.Source.searchFilter | String | b'Search Filter' |
| ExtraHop.Record.Source.searchScope | String | b'Search Scope' |
| ExtraHop.Record.Source.selectedProtocol | String | b'Selected Protocol' |
| ExtraHop.Record.Source.sender.type | String | b'Sender Type' |
| ExtraHop.Record.Source.sender.value | String | b'Sender Discovery ID' |
| ExtraHop.Record.Source.senderAddr.type | String | b'Sender IP Address Type' |
| ExtraHop.Record.Source.senderAddr.value | String | b'Sender IP Address Value' |
| ExtraHop.Record.Source.senderAsn | Number | b'Sender ASN' |
| ExtraHop.Record.Source.senderBytes | Number | b'Sender Bytes' |
| ExtraHop.Record.Source.senderIsBroker | Boolean | b'From Broker' |
| ExtraHop.Record.Source.senderL2Bytes | Number | b'Sender L2 Bytes' |
| ExtraHop.Record.Source.senderPkts | Number | b'Sender Packets' |
| ExtraHop.Record.Source.senderPort | Number | b'Sender Port' |
| ExtraHop.Record.Source.senderPrefixLength | Number | b'Sender Prefix Length' |
| ExtraHop.Record.Source.senderRTO | Number | b'Sender RTO' |
| ExtraHop.Record.Source.senderZeroWnd | Number | b'Sender Zero Windows' |
| ExtraHop.Record.Source.seqNum | Number | b'Sequence Number' |
| ExtraHop.Record.Source.server.type | String | b'Server Type' |
| ExtraHop.Record.Source.server.value | String | b'Server Discovery ID' |
| ExtraHop.Record.Source.serverAddr.type | String | b'Server IPv4 Address Type' |
| ExtraHop.Record.Source.serverAddr.value | String | b'Server IPv4 Address Value' |
| ExtraHop.Record.Source.serverBytes | Number | b'Server Bytes' |
| ExtraHop.Record.Source.serverCGPMsgCount | Number | b'Server CGP Messages' |
| ExtraHop.Record.Source.serverCipherAlgorithm | String | b'Server Cipher Algorithm' |
| ExtraHop.Record.Source.serverCompressionAlgorithm | String | b'Server Compression Algorithm' |
| ExtraHop.Record.Source.serverImplementation | String | b'Server Implementation' |
| ExtraHop.Record.Source.serverL2Bytes | Number | b'Server L2 Bytes' |
| ExtraHop.Record.Source.serverMacAlgorithm | String | b'Server MAC Algorithm' |
| ExtraHop.Record.Source.serverMsgCount | Number | b'Server Messages' |
| ExtraHop.Record.Source.serverPkts | Number | b'Server Packets' |
| ExtraHop.Record.Source.serverPort | Number | b'Server Port' |
| ExtraHop.Record.Source.serverPrincipalName | String | b'Server Principal Name' |
| ExtraHop.Record.Source.serverRTO | Number | b'Server RTO' |
| ExtraHop.Record.Source.serverVersion | String | b'Server Version' |
| ExtraHop.Record.Source.serverZeroWnd | Number | b'Server Zero Windows' |
| ExtraHop.Record.Source.share | String | b'Share' |
| ExtraHop.Record.Source.source | String | b'Source' |
| ExtraHop.Record.Source.sqli | String | b'Potential SQLi' |
| ExtraHop.Record.Source.srcQueueMgr | String | b'Source Queue Manager' |
| ExtraHop.Record.Source.ssrc | Number | b'Sender SSRC' |
| ExtraHop.Record.Source.statement | String | b'Statement' |
| ExtraHop.Record.Source.status | String | b'Status' |
| ExtraHop.Record.Source.statusCode | Number | b'Status Code' |
| ExtraHop.Record.Source.statusText | String | b'Status Text' |
| ExtraHop.Record.Source.table | String | b'Table' |
| ExtraHop.Record.Source.target | String | b'Target' |
| ExtraHop.Record.Source.tcpFlags | Number | b'TCP Flags' |
| ExtraHop.Record.Source.thinkTime | Number | b'Think Time' |
| ExtraHop.Record.Source.tickChannel | String | b'Tick Channel' |
| ExtraHop.Record.Source.ticketHash | String | b'Encrypted Ticket Hash' |
| ExtraHop.Record.Source.till | String | b'Till' |
| ExtraHop.Record.Source.title | String | b'Title' |
| ExtraHop.Record.Source.to | String | b'To' |
| ExtraHop.Record.Source.totalMsgLength | Number | b'Total Msg Length' |
| ExtraHop.Record.Source.transferBytes | Number | b'Bytes Transferred' |
| ExtraHop.Record.Source.txId | Number | b'Transaction ID' |
| ExtraHop.Record.Source.unitId | Number | b'Unit ID' |
| ExtraHop.Record.Source.uri | String | b'URI' |
| ExtraHop.Record.Source.user | String | b'User' |
| ExtraHop.Record.Source.userAgent | String | b'User Agent' |
| ExtraHop.Record.Source.vbucket | Number | b'vBucket' |
| ExtraHop.Record.Source.version | String | b'Version' |
| ExtraHop.Record.Source.vlan | Number | b'VLAN' |
| ExtraHop.Record.Source.vxlanVNI | Number | b'VxLAN VNI' |
| ExtraHop.Record.Source.warning | String | b'Warning' |
| ExtraHop.Record.Source.xss | String | b'Potential XSS' |
Command Example
!extrahop-query-records query_from=-6h limit=2
Context Example
{
"ExtraHop": {
"Record": [
{
"Id": "AW1goQmvylOgLDUmuFLT",
"Index": "extrahop-11-2019-9-24-0",
"Sort": [
1569284181528.201
],
"Source": {
"client": {
"type": "device",
"value": [
"fff41107140a0000"
]
},
"clientAddr": {
"type": "ipaddr4",
"value": "172.16.34.152"
},
"clientPort": 34140,
"clientZeroWnd": 0,
"ex": {
"isSuspicious": false
},
"flowId": "0cac4df05d896054",
"host": "prod1.example.com",
"isPipelined": false,
"isReqAborted": false,
"isRspAborted": false,
"isRspChunked": false,
"isRspCompressed": false,
"isSQLi": false,
"isXSS": false,
"method": "POST",
"processingTime": 233.318,
"referer": "http://prod1.example.com/login?from=%2F",
"reqBytes": 1160,
"reqL2Bytes": 1518,
"reqPkts": 5,
"reqRTO": 0,
"reqSize": 64,
"reqTimeToLastByte": 0,
"roundTripTime": 0.245,
"rspBytes": 346,
"rspL2Bytes": 1284,
"rspPkts": 8,
"rspRTO": 0,
"rspSize": 0,
"rspTimeToFirstHeader": 233.318,
"rspTimeToLastByte": 234.528,
"rspVersion": "1.1",
"server": {
"type": "device",
"value": [
"fff4c3090a0a0000"
]
},
"serverAddr": {
"type": "ipaddr4",
"value": "172.16.34.161"
},
"serverPort": 80,
"serverZeroWnd": 0,
"statusCode": 302,
"timestamp": 1569284181528.201,
"uri": "prod1.example.com/j_acegi_security_check",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
},
"Type": "~http"
},
{
"Id": "AW1gQF7uylOgLDUmoClO",
"Index": "extrahop-11-2019-9-23-0",
"Sort": [
1569277857270.787
],
"Source": {
"args": "",
"client": {
"type": "device",
"value": [
"fff48dff0a0a0000"
]
},
"clientAddr": {
"type": "ipaddr4",
"value": "172.16.34.11"
},
"clientPort": 1920,
"clientZeroWnd": 0,
"cwd": "/",
"detection": [
"anonymous_ftp"
],
"ex": {
"isSuspicious": false
},
"flowId": "037efd385d8947a0",
"isReqAborted": false,
"isRspAborted": false,
"method": "PASS",
"processingTime": 0.25,
"reqBytes": 22,
"reqL2Bytes": 490,
"reqPkts": 6,
"reqRTO": 0,
"rspBytes": 21,
"rspL2Bytes": 239,
"rspPkts": 2,
"rspRTO": 0,
"server": {
"type": "device",
"value": [
"fff45a060a0a0000"
]
},
"serverAddr": {
"type": "ipaddr4",
"value": "172.16.34.231"
},
"serverPort": 21,
"serverZeroWnd": 0,
"statusCode": 230,
"timestamp": 1569277857270.787,
"user": "anonymous"
},
"Type": "~ftp"
}
]
}
}
Human Readable Output
Showing 2 out of 15 Record(s) Found.
| client | clientAddr | clientPort | clientZeroWnd | ex | flowId | host | isPipelined | isReqAborted | isRspAborted | isRspChunked | isRspCompressed | isSQLi | isXSS | method | processingTime | referer | reqBytes | reqL2Bytes | reqPkts | reqRTO | reqSize | reqTimeToLastByte | roundTripTime | rspBytes | rspL2Bytes | rspPkts | rspRTO | rspSize | rspTimeToFirstHeader | rspTimeToLastByte | rspVersion | server | serverAddr | serverPort | serverZeroWnd | statusCode | timestamp | uri | userAgent |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
type: device
value: fff41107140a0000 |
type: ipaddr4
value: 172.16.34.152 |
34140 | 0 | isSuspicious: false | 0cac4df05d896054 | prod1.example.com | false | false | false | false | false | false | false | POST | 233.318 | http://prod1.example.com/login?from=%2F | 1160 | 1518 | 5 | 0 | 64 | 0 | 0.245 | 346 | 1284 | 8 | 0 | 0 | 233.318 | 234.528 | 1.1 |
type: device
value: fff4c3090a0a0000 |
type: ipaddr4
value: 172.16.34.161 |
80 | 0 | 302 | 1569284181528.201 | prod1.example.com/j_acegi_security_check | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 |
|
type: device
value: fff48dff0a0a0000 |
type: ipaddr4
value: 172.16.34.11 |
1920 | 0 | isSuspicious: false | 037efd385d8947a0 | false | false | PASS | 0.25 | 22 | 490 | 6 | 0 | 21 | 239 | 2 | 0 |
type: device
value: fff45a060a0a0000 |
type: ipaddr4
value: 172.16.34.231 |
21 | 0 | 230 | 1569277857270.787 |
3. Search for devices
Search for devices in ExtraHop.
Base Command
extrahop-device-search
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The name of the device. This searches for matches on all ExtraHop name fields (DHCP, DNS, NetBIOS, Cisco Discovery Protocol, etc). | Optional |
| ip | The IP address of the device. | Optional |
| mac | The MAC address of the device. | Optional |
| role | The role of the device. | Optional |
| software | The OS of the device. | Optional |
| tag | A tag present on the device. | Optional |
| vendor | The vendor of the device, based on MAC address via OUI lookup. | Optional |
| discover_time | The time that device was first seen by ExtraHop, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with the following unit suffixes: ms, s, m, h, d, w, M, y. For example, to look one day back enter -1d or -24h. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| vlan | The VLAN ID of the Virtual LAN that the device is on. | Optional |
| activity | The activity of the device. | Optional |
| operator | The compare method applied when matching the fields against their values. For example, to find devices with names that begin with 'SEA1' (set name=SEA1, operator=startswith) | Optional |
| match_type | The match operator to use when chaining the search fields together. For example, to find all HTTP servers running Windows on the network (set match_type=and, role=http_server, software=windows). | Optional |
| active_from | The beginning timestamp for the request. Return only devices active after this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| active_until | The ending timestamp for the request. Return only devices active before this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| limit | The maximum number of devices to return. | Optional |
| l3_only | Only returns layer 3 devices by filtering out any layer 2 parent devices. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ExtraHop.Device.Macaddr | String | b'The MAC Address of the device.' |
| ExtraHop.Device.DeviceClass | String | b'The class of the device.' |
| ExtraHop.Device.UserModTime | Number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| ExtraHop.Device.AutoRole | String | b'The role automatically detected by the ExtraHop.' |
| ExtraHop.Device.ParentId | Number | b'The ID of the parent device.' |
| ExtraHop.Device.Vendor | String | b'The device vendor.' |
| ExtraHop.Device.Analysis | string | b'The level of analysis preformed on the device.' |
| ExtraHop.Device.DiscoveryId | String | b'The UUID given by the Discover appliance.' |
| ExtraHop.Device.DefaultName | String | b'The default name of the device.' |
| ExtraHop.Device.DisplayName | String | b'The display name of device.' |
| ExtraHop.Device.OnWatchlist | Boolean | b'Whether the device is on the advanced analysis whitelist.' |
| ExtraHop.Device.ModTime | Number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| ExtraHop.Device.IsL3 | Boolean | b'Indicates whether the device is a Layer 3 device.' |
| ExtraHop.Device.Role | String | b'The role of the device.' |
| ExtraHop.Device.DiscoverTime | Number | b'The time that the device was discovered.' |
| ExtraHop.Device.Id | Number | b'The ID of the device.' |
| ExtraHop.Device.Ipaddr4 | String | b'The IPv4 address of the device.' |
| ExtraHop.Device.Vlanid | Number | b'The ID of VLan.' |
| ExtraHop.Device.Ipaddr6 | string | b'The IPv6 address of the device.' |
| ExtraHop.Device.NodeId | number | b'The Node ID of the Discover appliance.' |
| ExtraHop.Device.Description | string | b'A user customizable description of the device.' |
| ExtraHop.Device.DnsName | string | b'The DNS name associated with the device.' |
| ExtraHop.Device.DhcpName | string | b'The DHCP name associated with the device.' |
| ExtraHop.Device.CdpName | string | b'The Cisco Discovery Protocol name associated with the device.' |
| ExtraHop.Device.NetbiosName | string | b'The NetBIOS name associated with the device.' |
| ExtraHop.Device.Url | string | b'Link to the device details page in ExtraHop.' |
Command Example
!extrahop-device-search limit=2
Context Example
{
"ExtraHop": {
"Device": [
{
"Analysis": "l2_exempt",
"AnalysisLevel": 4,
"AutoRole": "other",
"DefaultName": "Dell A9B1F6",
"DeviceClass": "node",
"DhcpName": "Win3-Web",
"DiscoverTime": 1569277980000,
"DiscoveryId": "509a4ca9b1f60000",
"DisplayName": "Win3-Web",
"ExtrahopId": "509a4ca9b1f60000",
"Id": 18628,
"IsL3": false,
"Macaddr": "70:F6:4C:A3:C2:F0",
"ModTime": 1569278201104,
"OnWatchlist": false,
"Role": "other",
"Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.509a4ca9b1f60000/overview/",
"UserModTime": 1569277990763,
"Vendor": "Dell",
"Vlanid": 0
},
{
"Analysis": "l2_exempt",
"AnalysisLevel": 4,
"AutoRole": "other",
"DefaultName": "Device a0510b0e4e210000",
"DeviceClass": "node",
"DhcpName": "PG1NP0ZR",
"DiscoverTime": 1569276630000,
"DiscoveryId": "a0510b0e4e210000",
"DisplayName": "PF1NP0ZR",
"ExtrahopId": "a0510b0e4e210000",
"Id": 18627,
"IsL3": false,
"Macaddr": "B1:62:1C:1F:5F:32",
"ModTime": 1569276641503,
"OnWatchlist": false,
"Role": "other",
"Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.a0510b0e4e210000/overview/",
"UserModTime": 1569276640285,
"Vlanid": 0
}
]
}
}
Human Readable Output
2 Device(s) Found
| Display Name | IP Address | MAC Address | Role | Vendor | URL |
|---|---|---|---|---|---|
| Win3-Web | 70:F6:4C:A3:C2:F0 | other | Dell | [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.509a4ca9b1f60000/overview/) | |
| PG1NP0ZR | B1:62:1C:1F:5F:32 | other | [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.a0510b0e4e210000/overview/) |
4. Add or remove devices from the watchlist
Add or remove devices from the watchlist in ExtraHop.
Base Command
extrahop-edit-watchlist
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| add | The list of IP Addresses or ExtraHop API IDs of the devices to add, comma separated. | Optional |
| remove | The list of IP Addresses or ExtraHop API IDs of the devices to remove, comma separated. | Optional |
Context Output
There are no context output for this command.
Command Example
!extrahop-edit-watchlist add=172.16.34.152
Human Readable Output
Successful Modification
5. Get all devices on the watchlist
Get all devices on the watchlist in ExtraHop.
Base Command
extrahop-get-watchlist
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|
Context Output
| Path | Type | Description |
|---|---|---|
| Extrahop.Device.Macaddr | String | b'The MAC Address of the device.' |
| Extrahop.Device.DeviceClass | String | b'The class of this device. ' |
| Extrahop.Device.UserModTime | Number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| Extrahop.Device.AutoRole | String | b'The role automatically detected by the ExtraHop. ' |
| Extrahop.Device.ParentId | Number | b'The ID of the parent device.' |
| Extrahop.Device.Vendor | String | b'The device vendor.' |
| Extrahop.Device.Analysis | string | b'The level of analysis preformed on the device.' |
| Extrahop.Device.DiscoveryId | String | b'The UUID given by the Discover appliance.' |
| Extrahop.Device.DefaultName | String | b'The default name for this device.' |
| Extrahop.Device.DisplayName | String | b'The display name of device.' |
| Extrahop.Device.OnWatchlist | Boolean | b'Whether the device is on the advanced analysis whitelist.' |
| Extrahop.Device.ModTime | Number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| Extrahop.Device.IsL3 | Boolean | b'Indicates whether the device is a Layer 3 device.' |
| Extrahop.Device.Role | String | b'The role of the device. ' |
| Extrahop.Device.DiscoverTime | Number | b'The time that the device was discovered.' |
| Extrahop.Device.Id | Number | b'The ID of the device.' |
| Extrahop.Device.Ipaddr4 | String | b'The IPv4 address for this device.' |
| Extrahop.Device.Vlanid | Number | b'The unique identifier for the VLAN this device is associated with.' |
| ExtraHop.Device.Ipaddr6 | string | b'The IPv6 address of the device.' |
| ExtraHop.Device.NodeId | number | b'The Node ID of the Discover appliance.' |
| ExtraHop.Device.Description | string | b'A user customizable description of the device.' |
| ExtraHop.Device.DnsName | string | b'The DNS name associated with the device.' |
| ExtraHop.Device.DhcpName | string | b'The DHCP name associated with the device.' |
| ExtraHop.Device.CdpName | string | b'The Cisco Discovery Protocol name associated with the device.' |
| ExtraHop.Device.NetbiosName | string | b'The NetBIOS name associated with the device.' |
| ExtraHop.Device.Url | string | b'Link to the device details page in ExtraHop.' |
Command Example
!extrahop-get-watchlist
Context Example
{
"ExtraHop": {
"Device": [
{
"Analysis": "advanced",
"AnalysisLevel": 2,
"AutoRole": "other",
"DefaultName": "Device 172.16.34.152",
"DeviceClass": "node",
"DhcpName": "dem-is-to",
"DiscoverTime": 1522964970000,
"DiscoveryId": "fff49b080a0a0000",
"DisplayName": "dem-is-to",
"DnsName": "dem-is-to.example.com",
"ExtrahopId": "fff49b080a0a0000",
"Id": 1554,
"Ipaddr4": "172.16.34.152",
"IsL3": true,
"Macaddr": "63:65:11:A1:3B:2B",
"ModTime": 1569283538898,
"NetbiosName": "DEMISTO",
"OnWatchlist": true,
"ParentId": 1445,
"Role": "other",
"Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff49b080a0a0000/overview/",
"UserModTime": 1522964985837,
"Vlanid": 0
}
]
}
}
Human Readable Output
1 Device(s) Found
| Display Name | IP Address | MAC Address | Role | Vendor | URL |
|---|---|---|---|---|---|
| dem-is-to | 172.16.34.152 | 63:65:11:A1:3B:2B | other | [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff49b080a0a0000/overview/) |
6. Create a new alert rule
Create a new alert rule in ExtraHop.
Base Command
extrahop-create-alert-rule
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| apply_all | Indicates whether the alert is assigned to all available data sources. | Required |
| disabled | Indicates whether the alert is disabled. | Required |
| name | The unique, friendly name for the alert. | Required |
| notify_snmp | Indicates whether to send an SNMP trap when an alert is generated. | Required |
| refire_interval | The time interval in which alert conditions are monitored, expressed in seconds. | Required |
| severity | The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. Supported values: 0, 1, 2, 3, 4, 5, 6, 7 | Required |
| type | The type of alert. | Required |
| object_type | The type of metric source monitored by the alert configuration. Only applicable to detection alerts. | Optional |
| protocols | The list of monitored protocols. Only applicable to detection alerts. | Optional |
| field_name | The name of the monitored metric. Only applicable to threshold alerts. | Optional |
| field_name2 | The second monitored metric when applying a ratio. Only applicable to threshold alerts. | Optional |
| stat_name | The statistic name for the alert. Only applicable to threshold alerts. | Optional |
| units | The interval in which to evaluate the alert condition. Only applicable to threshold alerts. Supported values: "none", "period", "1 sec", "1 min", "1 hr" | Optional |
| interval_length | The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. Supported values: 30, 60, 120, 300, 600, 900, 1200, 1800 | Optional |
| operand | The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. | Optional |
| operator | The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. | Optional |
| field_op | The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. | Optional |
| param | The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
| param2 | The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
Context Output
There are no context output for this command.
Command Example
!extrahop-create-alert-rule apply_all=false disabled=true name="Demisto Test Alert" notify_snmp=false refire_interval=3600 severity=3 type=threshold object_type=device operator=> operand=0.1 field_name=rsp_error field_name2=rsp field_op=/ units=none stat_name="extrahop.application.http"
Human Readable Output
Successfully Created
7. Modify an alert rule
Modify an alert rule in ExtraHop.
Base Command
extrahop-edit-alert-rule
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| alert_id | The unique identifier for the alert. | Required |
| apply_all | Indicates whether the alert is assigned to all available data sources. | Required |
| disabled | Indicates whether the alert is disabled. | Required |
| name | The unique, friendly name for the alert. | Required |
| notify_snmp | Indicates whether to send an SNMP trap when an alert is generated. | Required |
| field_name | The name of the monitored metric. Only applicable to threshold alerts. | Optional |
| stat_name | The statistic name for the alert. Only applicable to threshold alerts. | Optional |
| units | The interval in which to evaluate the alert condition. Only applicable to threshold alerts. | Optional |
| interval_length | The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. | Optional |
| operand | The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. | Optional |
| refire_interval | The time interval in which alert conditions are monitored, expressed in seconds. | Required |
| severity | The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. | Required |
| type | The type of alert. | Required |
| object_type | The type of metric source monitored by the alert configuration. Only applicable to detection alerts. | Optional |
| protocols | The list of monitored protocols. Only applicable to detection alerts. | Optional |
| operator | The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. | Optional |
| field_name2 | The second monitored metric when applying a ratio. Only applicable to threshold alerts. | Optional |
| field_op | The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. | Optional |
| param | The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
| param2 | The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
Context Output
There are no context output for this command.
Command Example
!extrahop-edit-alert-rule alert_id=32 apply_all=false disabled=true name="Demisto Test" notify_snmp=false refire_interval=3600 severity=3 type=threshold object_type=device operator=> operand=0.1 field_name=rsp_error field_name2=rsp field_op=/ units=none stat_name="extrahop.application.http" interval_length=30
Human Readable Output
Successful Modification
8. Link an ExtraHop Detection to a Demisto Investigation
Link an ExtraHop Detection to a Demisto Investigation.
Base Command
extrahop-track-ticket
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The ID of the Demisto Incident to ticket track. | Required |
| detection_id | The ID of the ExtraHop Detection to ticket track. | Required |
| incident_owner | Owner of the incident. | Optional |
| incident_status | Status of the incident. 0=New, 1=In-progress, 2=Closed. | Optional |
| incident_close_reason | Reason the incident was closed | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ExtraHop.TicketId | string | b'Demisto Incident ID successfully tracked to ExtraHop Detection' |
Command Example
!extrahop-track-ticket detection_id=25910 incident_id=40360 incident_owner='colinw' incident_status=1
Context Example
{
"ExtraHop": {
"TicketId": "40360"
}
}
Human Readable Output
Successful Modification
9. Get all peers for a device
Get all peers for a device from ExtraHop.
Base Command
extrahop-get-peers
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| ip_or_id | The IP Address or ExtraHop API ID of the source device to get peer devices. | Required |
| query_from | The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| query_until | The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| peer_role | The role of the peer device in relation to the origin device. | Optional |
| protocol | A filter to only return peers that the source device has communicated with over this protocol. If no value is set, the object includes any protocol. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ExtraHop.Device.Macaddr | string | b'The MAC Address of the device.' |
| ExtraHop.Device.DeviceClass | string | b'The class of the device.' |
| ExtraHop.Device.UserModTime | number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| ExtraHop.Device.AutoRole | string | b'The role automatically detected by the ExtraHop.' |
| ExtraHop.Device.ParentId | number | b'The ID of the parent device.' |
| ExtraHop.Device.Vendor | string | b'The device vendor.' |
| ExtraHop.Device.Analysis | string | b'The level of analysis preformed on the device.' |
| ExtraHop.Device.DiscoveryId | string | b'The UUID given by the Discover appliance.' |
| ExtraHop.Device.DefaultName | string | b'The default name of the device.' |
| ExtraHop.Device.DisplayName | string | b'The display name of device.' |
| ExtraHop.Device.OnWatchlist | boolean | b'Whether the device is on the advanced analysis whitelist.' |
| ExtraHop.Device.ModTime | number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| ExtraHop.Device.IsL3 | boolean | b'Indicates whether the device is a Layer 3 device.' |
| ExtraHop.Device.Role | string | b'The role of the device.' |
| ExtraHop.Device.DiscoverTime | number | b'The time that the device was discovered.' |
| ExtraHop.Device.Id | number | b'The ID of the device.' |
| ExtraHop.Device.Ipaddr4 | string | b'The IPv4 address of the device.' |
| ExtraHop.Device.Vlanid | number | b'The ID of VLan.' |
| ExtraHop.Device.Ipaddr6 | string | b'The IPv6 address of the device.' |
| ExtraHop.Device.NodeId | number | b'The Node ID of the Discover appliance.' |
| ExtraHop.Device.Description | string | b'A user customizable description of the device.' |
| ExtraHop.Device.DnsName | string | b'The DNS name associated with the device.' |
| ExtraHop.Device.DhcpName | string | b'The DHCP name associated with the device.' |
| ExtraHop.Device.CdpName | string | b'The Cisco Discovery Protocol name associated with the device.' |
| ExtraHop.Device.NetbiosName | string | b'The NetBIOS name associated with the device.' |
| ExtraHop.Device.Url | string | b'Link to the device details page in ExtraHop.' |
| ExtraHop.Device.ClientProtocols | string | b'The list of protocols the peer device is communicating as a client.' |
| ExtraHop.Device.ServerProtocols | string | b'The list of protocols the peer device is communicating as a server.' |
Command Example
!extrahop-get-peers ip_or_id=172.16.34.23
Context Example
{
"ExtraHop": {
"Device": [
{
"Analysis": "advanced",
"AnalysisLevel": 1,
"AutoRole": "other",
"DefaultName": "VMware 172.16.34.161",
"DeviceClass": "node",
"DhcpName": "joker.example.com",
"DiscoverTime": 1522964910000,
"DiscoveryId": "fff4bb070a0a0000",
"DisplayName": "joker.example.com",
"DnsName": "joker.example.com",
"ExtrahopId": "fff4bb070a0a0000",
"Id": 374,
"Ipaddr4": "172.16.34.161",
"IsL3": true,
"Macaddr": "11:1D:3A:3C:3E:BE",
"ModTime": 1569284586752,
"OnWatchlist": false,
"ParentId": 18018,
"Role": "other",
"ServerProtocols": [
"TCP:SSL:LDAP",
"TCP:SSL"
],
"Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff4bb070a0a0000/overview/",
"UserModTime": 1564016944279,
"Vendor": "VMware",
"Vlanid": 0
},
{
"Analysis": "discovery",
"AnalysisLevel": 3,
"AutoRole": "other",
"ClientProtocols": [
"TCP:HTTP"
],
"DefaultName": "Qumranet 172.16.34.11",
"DeviceClass": "node",
"DhcpName": "soundboard2",
"DiscoverTime": 1533851220000,
"DiscoveryId": "fff44001150a0000",
"DisplayName": "soundboard2",
"DnsName": "soundboard2.example.com",
"ExtrahopId": "fff44001150a0000",
"Id": 10751,
"Ipaddr4": "172.16.34.11",
"IsL3": true,
"Macaddr": "11:2B:5B:27:12:9D",
"ModTime": 1569279163337,
"OnWatchlist": false,
"ParentId": 10746,
"Role": "other",
"ServerProtocols": [
"TCP:OTHER"
],
"Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff44001150a0000/overview/",
"UserModTime": 1533851289829,
"Vendor": "Qumranet",
"Vlanid": 0
}
]
}
}
Human Readable Output
2 Peer Device(s) Found
| Display Name | IP Address | MAC Address | Role | Protocols | URL | Vendor |
|---|---|---|---|---|---|---|
| joker.example.com | 172.16.34.161 | 11:1D:3A:3C:3E:BE | other |
Client:
Server: TCP:SSL:LDAP, TCP:SSL |
[View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff4bb070a0a0000/overview/) | VMware |
| soundboard2 | 172.16.34.11 | 11:2B:5B:27:12:9D | other |
Client: TCP:HTTP
Server: TCP:OTHER |
[View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff44001150a0000/overview/) | Qumranet |
10. Get all active network protocols for a device
Get all active network protocols for a device from ExtraHop.
Base Command
extrahop-get-protocols
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| ip_or_id | The IP Address or ExtraHop API ID of the device to get all active network protocols. | Required |
| query_from | The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| query_until | The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ExtraHop.Device.Macaddr | string | b'The MAC Address of the device.' |
| ExtraHop.Device.DeviceClass | string | b'The class of the device.' |
| ExtraHop.Device.UserModTime | number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| ExtraHop.Device.AutoRole | string | b'The role automatically detected by the ExtraHop.' |
| ExtraHop.Device.ParentId | number | b'The ID of the parent device.' |
| ExtraHop.Device.Vendor | string | b'The device vendor.' |
| ExtraHop.Device.Analysis | string | b'The level of analysis preformed on the device.' |
| ExtraHop.Device.DiscoveryId | string | b'The UUID given by the Discover appliance.' |
| ExtraHop.Device.DefaultName | string | b'The default name of the device.' |
| ExtraHop.Device.DisplayName | string | b'The display name of device.' |
| ExtraHop.Device.OnWatchlist | boolean | b'Whether the device is on the advanced analysis whitelist.' |
| ExtraHop.Device.ModTime | number | b'The time of the most recent update, expressed in milliseconds since the epoch.' |
| ExtraHop.Device.IsL3 | boolean | b'Indicates whether the device is a Layer 3 device.' |
| ExtraHop.Device.Role | string | b'The role of the device.' |
| ExtraHop.Device.DiscoverTime | number | b'The time that the device was discovered.' |
| ExtraHop.Device.Id | number | b'The ID of the device.' |
| ExtraHop.Device.Ipaddr4 | string | b'The IPv4 address of the device.' |
| ExtraHop.Device.Vlanid | number | b'The ID of VLan.' |
| ExtraHop.Device.Ipaddr6 | string | b'The IPv6 address of the device.' |
| ExtraHop.Device.NodeId | number | b'The Node ID of the Discover appliance.' |
| ExtraHop.Device.Description | string | b'A user customizable description of the device.' |
| ExtraHop.Device.DnsName | string | b'The DNS name associated with the device.' |
| ExtraHop.Device.DhcpName | string | b'The DHCP name associated with the device.' |
| ExtraHop.Device.CdpName | string | b'The Cisco Discovery Protocol name associated with the device.' |
| ExtraHop.Device.NetbiosName | string | b'The NetBIOS name associated with the device.' |
| ExtraHop.Device.Url | string | b'Link to the device details page in ExtraHop.' |
| ExtraHop.Device.ClientProtocols | string | b'The list of protocols the peer device is communicating as a client.' |
| ExtraHop.Device.ServerProtocols | string | b'The list of protocols the peer device is communicating as a server.' |
Command Example
!extrahop-get-protocols ip_or_id=172.16.34.11
Context Example
{
"ExtraHop": {
"Device": [
{
"Analysis": "advanced",
"AnalysisLevel": 2,
"AutoRole": "http_server",
"ClientProtocols": [
"TCP:SSL:LDAP",
"TCP:SSL",
"TCP:OTHER",
"UDP:NTP",
"UDP:DNS"
],
"DefaultName": "Qumranet 172.16.34.11",
"DeviceClass": "node",
"DhcpName": "soundboard2",
"DiscoverTime": 1533851430000,
"DiscoveryId": "fff40601150a0000",
"DisplayName": "tme-lab-ubuntu",
"ExtrahopId": "fff40601150a0000",
"Id": 10754,
"Ipaddr4": "172.16.34.11",
"IsL3": true,
"Macaddr": "11:2B:5B:27:12:9D",
"ModTime": 1569276433204,
"OnWatchlist": true,
"ParentId": 10748,
"Role": "http_server",
"ServerProtocols": [
"TCP:HTTP"
],
"Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff40601150a0000/overview/",
"UserModTime": 1569284010207,
"Vendor": "Qumranet",
"Vlanid": 0
}
]
}
}
Human Readable Output
Device Activity Found
| Display Name | IP Address | MAC Address | Protocols (Client) | Protocols (Server) | Role | Vendor | URL |
|---|---|---|---|---|---|---|---|
| soundboard2 | 172.16.34.11 | 11:2B:5B:27:12:9D | TCP:SSL:LDAP, TCP:SSL, TCP:OTHER, UDP:NTP, UDP:DNS | TCP:HTTP | http_server | Qumranet | [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff40601150a0000/overview/) |
11. Add or remove a tag from devices
Add or remove a tag from devices in ExtraHop.
Base Command
extrahop-tag-devices
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| tag | The case-sensitive value of the tag. | Optional |
| add | The list of IP Addresses or ExtraHop API IDs of the devices to tag, comma separated. | Optional |
| remove | The list of IP Addresses or ExtraHop API IDs of the devices to remove the tag from, comma separated. | Optional |
Context Output
There are no context output for this command.
Command Example
!extrahop-tag-devices tag='demisto' add=172.16.34.11
Human Readable Output
Successful Modification
12. Get a link to a Live Activity Map
Get a link to a visual activity map in ExtraHop.
Base Command
extrahop-get-activity-map
Required Permissions
- Full write privileges
Input
| Argument Name | Description | Required |
|---|---|---|
| ip_or_id | The IP Address or ExtraHop API ID of the source device to get an activity map. | Required |
| time_interval | The time interval of the live activity map, expressed as the "Last" 30 minutes. For example, specify a value of 30 minutes to get an activity map showing the time range of the last 30 minutes. This field is ignored if from_time and until_time are provided. | Optional |
| from_time | The beginning timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | Optional |
| until_time | The ending timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | Optional |
| peer_role | The role of the peer devices in relation to the source device. For example, specifying a peer_role of client will show All Clients communicating with the source device. Additionally specifying a protocol of HTTP will result in further filtering and only showing HTTP Clients communicating with the source device. | Optional |
| protocol | The protocol over which the source device is communicating. For example, specifying a protocol of HTTP show only HTTP Clients and HTTP Servers communicating with the source device. Additionally specifying a peer_role of client will result in further filtering and only showing HTTP Clients communicating with the source device. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ExtraHop.ActivityMap | string | b'The link to a visual activity map in ExtraHop.' |
Command Example
!extrahop-get-activity-map ip_or_id=172.16.34.11 time_interval="6 hours"
Context Example
{
"ExtraHop": {
"ActivityMap": "https://test1.extrahop.com/extrahop/#/activitymaps?appliance_id=a74b9b6aa9e44de9baedcf8112c27ec4&discovery_id=fff40601150a0000&from=6&interval_type=HR&object_type=device&protocol=any&role=any&until=0"
}
}
Human Readable Output
[View Live Activity Map in ExtraHop](https://test1.extrahop.com/extrahop/#/activitymaps?appliance_id=a74b9b6aa9e44de9baedcf8112c27ec4&discovery_id=fff40601150a0000&from=6&interval_type=HR&object_type=device&protocol=any&role=any&until=0)
13. Search for specific packets
Search for specific packets in ExtraHop.
Base Command
extrahop-search-packets
Required Permissions
- Full write privileges
- Packet and Session Key Access
Input
| Argument Name | Description | Required |
|---|---|---|
| output | The output format. A pcap file, A keylog.txt file that can be loaded in wireshark to decode ssl packets, or a zip file containing both a packets.pcap and keylog.txt. | Optional |
| limit_bytes | The maximum number of bytes to return. | Optional |
| limit_search_duration | The maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. | Optional |
| query_from | The beginning timestamp of the time range the search will include, expressed in milliseconds since the epoch. A negative value specifies that the search will begin with packets captured at a time in the past relative to the current time. For example, specify -10m to begin the search with packets captured 10 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Required |
| query_until | The ending timestamp of the time range the search will include, expressed in milliseconds since the epoch. A 0 value specifies that the search will end with packets captured at the time of the search. A negative value specifies that the search will end with packets captured at a time in the past relative to the current time. For example, specify -5m to end the search with packets captured 5 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| bpf | The Berkeley Packet Filter (BPF) syntax for the packet search. | Optional |
| ip1 | Returns packets sent to or received by the specified IP address. | Optional |
| port1 | Returns packets sent from or received on the specified port. | Optional |
| ip2 | Returns packets sent to or received by the specified IP address. | Optional |
| port2 | Returns packets sent from or received on the specified port. | Optional |
Context Output
There are no context output for this command.
Command Example
!extrahop-search-packets ip1=172.16.34.23 port1=10057 ip2=172.16.34.11 port2=44576
Human Readable Output
Uploaded file: extrahop 2019-09-23 16.59.01 to 17.29.01 PST.pcap
Additional Information
Known Limitations
Troubleshooting
This integration was integrated and tested with version 7.8 of ExtraHop Reveal(x) and version 4.5 of Demisto.