
ExtraHop Reveal(x)

This integration is part of the ExtraHop Reveal(x) Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

Configure ExtraHop Reveal(x) on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ExtraHop Reveal(x).
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| Name | The name of the instance. | True |
| Fetches incidents | Select to enable this instance to fetch detection events. Otherwise, select Do not fetch. Each API call fetches a maximum of 200 detection events. | True |
| Classifier | Specifies the type of incident to be created for detection events ingested by this instance. | False |
| Incident type | Specifies the type of incident to be created for detection events ingested by this instance if a Classifier is not specified. | False |
| Mapper | Specifies how detection events ingested by this instance are mapped to Cortex XSOAR incident fields. | False |
| On Cloud | The type of ExtraHop system the integration will connect to. Select if connecting to ExtraHop Reveal(x) 360. Leave unselected if connecting to Reveal(x) Enterprise. | False |
| URL | The URL of the ExtraHop system this integration will connect to. | True |
| API Key | The API key required for authentication if connecting to ExtraHop Reveal(x) Enterprise. The API key is generated on your ExtraHop system. | False |
| Client ID and Client Secret | The credential pair required for authentication if connecting to ExtraHop Reveal(x) 360. The client ID and secret are generated on your ExtraHop system. | False |
| Trust any certificate (not secure) | Specifies whether to allow connections without verifying the validity of the SSL certificate. | False |
| Use system proxy settings | Specifies whether to use XSOAR system proxy settings to connect to the API. | False |
| First fetch time | Specifies the beginning timestamp from which to start fetching detection events. | False |
| Incidents Fetch Interval | Specifies how often the instance fetches detection events. Because each API call fetches a maximum of 200 detection events, we recommend one-minute intervals so that all detection events are fetched. | False |
| Advanced Filter | Applies a filter to the list of detections based on a JSON-specific query (see the example below the table). If neither categories nor category is specified, categories is set to ["sec.attack"]. The category field is deprecated by the API, so use the categories field instead. For a complete reference to the ExtraHop detections filter fields, refer to the ExtraHop REST API documentation at https://docs.extrahop.com/current/rest-api-guide/ | False |
| Do not use by default | Select to disable running commands through the Cortex XSOAR CLI on this instance of the integration. | False |
| Log Level | Specifies the level of logging to enable for this instance of the integration. | False |
| Run on | Specifies whether to run the instance of the integration on a single engine. | False |

Example Advanced Filter for detections:

{
  "categories": ["sec.attack"],
  "risk_score_min": 51
}

  4. Click Test to validate the URL, credentials, and connection.
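The following Python is an added example, not code from the integration or from ExtraHop. It implements the two input-handling rules the configuration table states: the Advanced Filter JSON gets categories set to ["sec.attack"] when neither categories nor category is present (with the deprecated category field flagged), and timestamp arguments of the query_from/query_until kind are checked against the documented forms (milliseconds since the epoch, 0 for the request time, or a negative value with one of the suffixes ms, s, m, h, d, w, M, y) before they are sent. The function names and the warning wording are assumptions.

```python
import json
import re
from typing import Any, Dict, List, Optional, Tuple, Union

# Documented default: with neither "categories" nor "category" in the filter,
# the integration filters on ["sec.attack"].
DEFAULT_CATEGORIES = ["sec.attack"]

# Documented unit suffixes for negative (relative) time values.
TIME_SUFFIXES = ("ms", "s", "m", "h", "d", "w", "M", "y")
_REL_TIME = re.compile(r"^-(\d+)(ms|s|m|h|d|w|M|y)?$")


def build_detections_filter(advanced_filter: Optional[str]) -> Tuple[Dict[str, Any], List[str]]:
    """Parse the Advanced Filter parameter and apply the documented defaults.

    Returns the filter body to send plus operator-facing warnings
    (hypothetical helper; the warning text is an assumption).
    """
    warnings: List[str] = []
    body: Dict[str, Any] = {}
    if advanced_filter and advanced_filter.strip():
        try:
            body = json.loads(advanced_filter)
        except json.JSONDecodeError as exc:
            raise ValueError(f"Advanced Filter is not valid JSON: {exc}") from exc
        if not isinstance(body, dict):
            raise ValueError("Advanced Filter must be a JSON object")
    if "category" in body:
        # Passed through unchanged, but the API deprecates this field.
        warnings.append("'category' is deprecated by the ExtraHop API; use 'categories'")
    if "categories" not in body and "category" not in body:
        body["categories"] = list(DEFAULT_CATEGORIES)
    return body, warnings


def normalize_time_arg(value: Union[str, int, None], default: Optional[str] = None) -> Optional[str]:
    """Validate a timestamp argument and return it as the string to send.

    Accepts ms since the epoch, 0 (time of the request), or a negative value
    with an optional documented suffix (e.g. -30m, -1d, -500). Empty input
    falls back to `default`; anything else raises ValueError.
    """
    if value is None or (isinstance(value, str) and not value.strip()):
        return default
    text = str(value).strip()
    if text.isdigit():          # absolute ms since epoch, or "0"
        return text
    if _REL_TIME.match(text):   # relative to now, default unit ms
        return text
    raise ValueError(
        f"invalid time argument {text!r}: use ms since epoch, 0, or a negative "
        f"value with one of the suffixes {', '.join(TIME_SUFFIXES)}"
    )


if __name__ == "__main__":
    print(build_detections_filter('{"risk_score_min": 51}'))
    print(normalize_time_arg("-30m"), normalize_time_arg(None, "-30m"))
```

Rejecting a malformed time argument locally, before the request is made, gives the analyst a clear error in the War Room instead of an API-side rejection or, worse, a silently wrong time window.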

Commands

You can run the following commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully run a command, a DBot message appears in the War Room with the command details.

  • Get detections from ExtraHop Reveal(x): extrahop-detections-list
  • Link an ExtraHop Reveal(x) detection to a Cortex XSOAR incident: extrahop-ticket-track
  • Search for devices in ExtraHop Reveal(x): extrahop-devices-search
  • Get all active network protocols for a device from ExtraHop Reveal(x): extrahop-protocols-get
  • Get all peers for a device from ExtraHop Reveal(x): extrahop-peers-get
  • Get a link to a live activity map in ExtraHop Reveal(x): extrahop-activity-map-get
  • Get all devices on the Advanced Analysis watchlist in ExtraHop Reveal(x): extrahop-watchlist-get
  • Add or remove devices from the Advanced Analysis watchlist in ExtraHop Reveal(x): extrahop-watchlist-edit
  • Add or remove a tag from devices in ExtraHop Reveal(x): extrahop-devices-tag
  • Get all alert rules from ExtraHop Reveal(x): extrahop-alert-rules-get
  • Create a new alert rule in ExtraHop Reveal(x): extrahop-alert-rule-create
  • Modify an alert rule in ExtraHop Reveal(x): extrahop-alert-rule-edit
  • Get metrics for specified objects from ExtraHop Reveal(x): extrahop-metrics-list
  • Search for specific packets in ExtraHop Reveal(x): extrahop-packets-search

extrahop-watchlist-get

Get all devices on the advanced analysis watchlist in ExtraHop Reveal(x).

Base Command

extrahop-watchlist-get

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.Device.Macaddr | String | The MAC address of the device. |
| ExtraHop.Device.DeviceClass | String | The class of this device. |
| ExtraHop.Device.UserModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.AutoRole | String | The role automatically detected by the ExtraHop system. |
| ExtraHop.Device.ParentId | Number | The ID of the parent device. |
| ExtraHop.Device.Vendor | String | The device vendor. |
| ExtraHop.Device.Analysis | String | The level of analysis received by the device. |
| ExtraHop.Device.DiscoveryId | String | The UUID for this device. |
| ExtraHop.Device.DefaultName | String | The default name for this device. |
| ExtraHop.Device.DisplayName | String | The display name of the device. |
| ExtraHop.Device.OnWatchlist | Boolean | Whether the device is on the advanced analysis watch list. |
| ExtraHop.Device.ModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.IsL3 | Boolean | Indicates whether the device is a layer 3 device. |
| ExtraHop.Device.Role | String | The role of the device. |
| ExtraHop.Device.DiscoverTime | Number | The time that the device was discovered. |
| ExtraHop.Device.Id | Number | The ID of the device. |
| ExtraHop.Device.Ipaddr4 | String | The IPv4 address for this device. |
| ExtraHop.Device.Vlanid | Number | The unique identifier for the VLAN associated with the device. |
| ExtraHop.Device.Ipaddr6 | String | The IPv6 address of the device. |
| ExtraHop.Device.NodeId | Number | The node ID of the sensor associated with this device. |
| ExtraHop.Device.Description | String | A user customizable description of the device. |
| ExtraHop.Device.DnsName | String | The DNS name associated with the device. |
| ExtraHop.Device.DhcpName | String | The DHCP name associated with the device. |
| ExtraHop.Device.CdpName | String | The Cisco Discovery Protocol name associated with the device. |
| ExtraHop.Device.NetbiosName | String | The NetBIOS name associated with the device. |
| ExtraHop.Device.Url | String | Link to the device details page in ExtraHop Reveal(x). |

Command example

!extrahop-watchlist-get

Context Example

{
"ExtraHop": {
"Device": [
{
"analysis": "advanced",
"analysis_level": 2,
"auto_role": "other",
"critical": false,
"default_name": "VM9",
"device_class": "node",
"dhcp_name": "test",
"discover_time": 1635499650000,
"discovery_id": "0000000000000000",
"display_name": "test",
"extrahop_id": "0000000000000000",
"id": 25769803982,
"ipaddr4": "0.0.0.0",
"is_l3": false,
"macaddr": "00:00:00:00:00:00",
"mod_time": 1676638611398,
"model": "vmware_vm",
"node_id": 6,
"on_watchlist": true,
"role": "other",
"url": "https://dummy_url/extrahop/#/metrics/devices/overview/",
"user_mod_time": 1676290306316,
"vendor": "VMware",
"vlanid": 0
},
{
"analysis": "advanced",
"analysis_level": 2,
"auto_role": "other",
"critical": false,
"default_name": "VM8",
"device_class": "node",
"discover_time": 1675318050000,
"discovery_id": "0000000000000000",
"display_name": "VM8",
"extrahop_id": "0000000000000000",
"id": 25769808133,
"ipaddr4": "0.0.0.0",
"is_l3": false,
"last_seen_time": 1675319010000,
"macaddr": "00:00:00:00:00:00",
"mod_time": 1675425919964,
"model": "vmware_vm",
"node_id": 6,
"on_watchlist": true,
"role": "other",
"url": "https://dummy_url/extrahop/#/metrics/devices/00000000000000000000000000000000.0000000000000000/overview/",
"user_mod_time": 0,
"vendor": "VMware",
"vlanid": 0
}
]
}
}

Human Readable Output

Device Details:

| Display Name | IP Address | MAC Address | Role | Vendor | URL |
| --- | --- | --- | --- | --- | --- |
| test | 0.0.0.0 | 00:00:00:00:00:00 | other | VMware | View Device in ExtraHop |
| VM 8 | 0.0.0.0 | 00:00:00:00:00:00 | other | VMware | View Device in ExtraHop |

extrahop-peers-get

Get all peers for a device from ExtraHop Reveal(x).

Base Command

extrahop-peers-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_or_id | The IP address or ExtraHop API ID of the source device to get peer devices. | Required |
| query_from | The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Default is -30m. | Optional |
| query_until | The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| peer_role | The role of the peer device in relation to the origin device. Possible values are: any, client, server. Default is any. | Optional |
| protocol | A filter to only return peers that the source device has communicated with over this protocol. If no value is set, the object includes any protocol. Possible values are: any, AAA, ActiveMQ, AJP, amf, CIFS, DB, DHCP, DICOM, DNS, FIX, FTP, HL7, HTTP, IBMMQ, ICA, IKE/ISAKMP, IMAP, IPFIX, IPsec NAT-T, IRC, iSCSI, Kerberos, L2TP, LDAP, lync-compress, memcache, Modbus, MongoDB, MSMQ, MSN, MSRPC, NetFlow, NFS, NTP, OpenVPN, PCoIP, Perforce, POP3, RDP, Redis, RFB, RTCP, RTP, sFlow, SIP, SMPP, SMTP, SNMP, SSH, SSL, Syslog, TCP, telnet, UDP, WebSocket. Default is any. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.Device.Macaddr | String | The MAC address of the device. |
| ExtraHop.Device.DeviceClass | String | The class of the device. |
| ExtraHop.Device.UserModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.AutoRole | String | The role automatically detected by the ExtraHop system. |
| ExtraHop.Device.ParentId | Number | The ID of the parent device. |
| ExtraHop.Device.Vendor | String | The device vendor. |
| ExtraHop.Device.Analysis | String | The level of analysis received by the device. |
| ExtraHop.Device.DiscoveryId | String | The UUID of the device. |
| ExtraHop.Device.DefaultName | String | The default name for this device. |
| ExtraHop.Device.DisplayName | String | The display name of the device. |
| ExtraHop.Device.OnWatchlist | Boolean | Whether the device is on the advanced analysis watch list. |
| ExtraHop.Device.ModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.IsL3 | Boolean | Indicates whether the device is a layer 3 device. |
| ExtraHop.Device.Role | String | The role of the device. |
| ExtraHop.Device.DiscoverTime | Number | The time that the device was discovered. |
| ExtraHop.Device.Id | Number | The ID of the device. |
| ExtraHop.Device.Ipaddr4 | String | The IPv4 address for this device. |
| ExtraHop.Device.Vlanid | Number | The unique identifier for the VLAN associated with the device. |
| ExtraHop.Device.Ipaddr6 | String | The IPv6 address of the device. |
| ExtraHop.Device.NodeId | Number | The node ID of the sensor associated with the device. |
| ExtraHop.Device.Description | String | A user customizable description of the device. |
| ExtraHop.Device.DnsName | String | The DNS name associated with the device. |
| ExtraHop.Device.DhcpName | String | The DHCP name associated with the device. |
| ExtraHop.Device.CdpName | String | The Cisco Discovery Protocol name associated with the device. |
| ExtraHop.Device.NetbiosName | String | The NetBIOS name associated with the device. |
| ExtraHop.Device.Url | String | Link to the device details page in ExtraHop Reveal(x). |

Command example

!extrahop-peers-get ip_or_id=0.0.0.0 peer_role=server protocol=any query_from=-60m query_until=0

Context Example

{
"ExtraHop": {
"Device": {
"analysis": "advanced",
"analysis_level": 1,
"auto_role": "gateway",
"critical": true,
"default_name": "Cisco Meraki 23D27A",
"device_class": "gateway",
"discover_time": 1655102100000,
"discovery_id": "0000000000000000",
"display_name": "Cisco Meraki 23D27A",
"extrahop_id": "0000000000000000",
"id": 25769805776,
"ipaddr4": "0.0.0.0",
"is_l3": false,
"macaddr": "00:00:00:00:00:00",
"mod_time": 1676638911830,
"node_id": 6,
"on_watchlist": false,
"role": "gateway",
"server_protocols": [
"UDP:NTP"
],
"url": "https://dummy_url/extrahop/#/metrics/devices/overview/",
"user_mod_time": 0,
"vendor": "Cisco Meraki",
"vlanid": 0
}
}
}

Human Readable Output

Device Details:

| Display Name | IP Address | MAC Address | Role | Protocols | URL | Vendor |
| --- | --- | --- | --- | --- | --- | --- |
| Cisco Meraki 23D27A | 0.0.0.0 | 00:00:00:00:00:00 | gateway | Server: UDP:NTP | View Device in ExtraHop | Cisco Meraki |

extrahop-devices-search

Search for devices in ExtraHop Reveal(x).

Base Command

extrahop-devices-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the device. This searches for matches on all ExtraHop Reveal(x) name fields (DHCP, DNS, NetBIOS, Cisco Discovery Protocol, etc). | Optional |
| ip | The IP address of the device. | Optional |
| mac | The MAC address of the device. | Optional |
| role | The role of the device. Possible values are: db_server, dhcp_server, dns_server, file_server, firewall, gateway, http_server, domain_controller, web_proxy, load_balancer, pc, medical_device, mobile_device, printer, scanner, custom, voip_phone, other. | Optional |
| software | The OS of the device. Possible values are: android, apple_ios, arista_eos, cisco_ios, cisco_nx-os, chrome_os, linux, mac_os, windows, windows_server, windows_server_2008, windows_server_2008_r2, windows_server_2012, windows_server_2012_r2, windows_server_2016, windows_vista, windows_7, windows_8, windows_8.1, windows_10. | Optional |
| tag | A tag present on the device. | Optional |
| vendor | The vendor of the device, based on MAC address via OUI lookup. Possible values are: alcatel-lucent, apple, arista, asus, brother, canon, cisco, cisco-linksys, citrix, dell, dellemc, d-link, emc, f5, google, hp, htc, huawei, ibm, juniper, kyocera, microsoft, netapp, netgear, nokia, nortel, oracle, paloalto, samsung, 3com, toshiba, virtualbox, vmware, zte. | Optional |
| discover_time | The time that the device was first seen by the ExtraHop system, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with the following unit suffixes: ms, s, m, h, d, w, M, y. For example, to look one day back enter -1d or -24h. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| vlan | The VLAN ID of the Virtual LAN that the device is on. | Optional |
| activity | The activity of the device. Possible values are: aaa_client, aaa_server, ajp_client, ajp_server, amf_client, amf_server, cifs_client, cifs_server, db_client, db_server, dhcp_client, dhcp_server, dicom_client, dicom_server, dns_client, dns_server, fix_client, fix_server, ftp_client, ftp_server, hl7_client, hl7_server, http_client, http_server, ibmmq_client, ibmmq_server, ica_client, ica_server, icmp, iscsi_client, iscsi_server, kerberos_client, kerberos_server, ldap_client, ldap_server, llmnr_client, llmnr_server, memcache_client, memcache_server, modbus_client, modbus_server, mongo_client, mongo_server, msmq, nbns_client, nbns_server, nfs_client, nfs_server, pcoip_client, pcoip_server, pop3_client, pop3_server, rdp_client, rdp_server, redis_client, redis_server, rfb_client, rfb_server, rpc_client, rpc_server, rtcp, rtp, scanner, sip_client, sip_server, smpp_client, smpp_server, smtp_client, smtp_server, ssh_client, ssh_server, ssl_client, ssl_server, tcp, telnet_client, telnet_server, udp, websocket_client, websocket_server, wsman_client, wsman_server. | Optional |
| operator | The compare method applied when matching the fields against their values. For example, to find devices with names that begin with 'SEA1', set name=SEA1 and operator=startswith. Possible values are: >, <, <=, >=, =, !=, startswith, exists, not_exists, ~, !~. Default is =. | Optional |
| match_type | The match operator to use when chaining the search fields together. For example, to find all HTTP servers running Windows on the network, set match_type=and, role=http_server and software=windows. Possible values are: and, or, not. Default is and. | Optional |
| active_from | The beginning timestamp for the request. Return only devices active after this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| active_until | The ending timestamp for the request. Return only devices active before this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| limit | The maximum number of devices to return. Default is 10. | Optional |
| l3_only | Only returns layer 3 devices by filtering out any layer 2 parent devices. Possible values are: true, false. Default is true. | Optional |
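As an added example (not the integration's own code), the Python below shows how the single operator argument and the match_type argument from the table compose into one search filter, using the two searches the table describes: names beginning with SEA1, and Windows hosts acting as HTTP servers. The request-body shape (a filter object with an operator and a list of rules, each rule carrying field, operand and operator) is an assumption about the ExtraHop device search API derived from these argument descriptions; the function name and the argument dictionary are hypothetical.

```python
from typing import Any, Dict

# Arguments from the extrahop-devices-search table that become filter rules.
SEARCH_FIELDS = ("name", "ip", "mac", "role", "software", "tag", "vendor",
                 "discover_time", "vlan", "activity")
OPERATORS = (">", "<", "<=", ">=", "=", "!=", "startswith", "exists", "not_exists", "~", "!~")
MATCH_TYPES = ("and", "or", "not")
DEFAULT_LIMIT = 10


def build_device_search(args: Dict[str, Any]) -> Dict[str, Any]:
    """Turn command arguments into a device search body (assumed shape, see lead-in).

    Every search field that is present becomes one rule using the single
    `operator` argument; `match_type` joins the rules. Time arguments are
    passed through as the page documents them (ms since epoch or -Nunit).
    """
    operator = args.get("operator") or "="
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator {operator!r}")
    match_type = args.get("match_type") or "and"
    if match_type not in MATCH_TYPES:
        raise ValueError(f"unsupported match_type {match_type!r}")

    rules = [
        {"field": field, "operand": args[field], "operator": operator}
        for field in SEARCH_FIELDS
        if args.get(field) not in (None, "")
    ]
    if not rules:
        raise ValueError("at least one search field (name, ip, mac, ...) is required")

    body: Dict[str, Any] = {
        "filter": {"operator": match_type, "rules": rules},
        "limit": int(args.get("limit") or DEFAULT_LIMIT),
    }
    for key in ("active_from", "active_until"):
        if args.get(key) not in (None, ""):
            body[key] = args[key]
    return body


if __name__ == "__main__":
    # The two searches the argument table uses as illustrations.
    print(build_device_search({"name": "SEA1", "operator": "startswith"}))
    print(build_device_search({"match_type": "and", "role": "http_server", "software": "windows"}))
```

Note that one operator applies to every rule in the request, which is why the page's examples pair startswith with a single name field and keep the default = when chaining role and software.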

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.Device.Macaddr | String | The MAC address of the device. |
| ExtraHop.Device.DeviceClass | String | The class of the device. |
| ExtraHop.Device.UserModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.AutoRole | String | The role automatically detected by the ExtraHop system. |
| ExtraHop.Device.ParentId | Number | The ID of the parent device. |
| ExtraHop.Device.Vendor | String | The device vendor. |
| ExtraHop.Device.Analysis | String | The level of analysis received by the device. |
| ExtraHop.Device.DiscoveryId | String | The UUID of the device. |
| ExtraHop.Device.DefaultName | String | The default name of the device. |
| ExtraHop.Device.DisplayName | String | The display name of the device. |
| ExtraHop.Device.OnWatchlist | Boolean | Whether the device is on the advanced analysis watch list. |
| ExtraHop.Device.ModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.IsL3 | Boolean | Indicates whether the device is a layer 3 device. |
| ExtraHop.Device.Role | String | The role of the device. |
| ExtraHop.Device.DiscoverTime | Number | The time that the device was discovered. |
| ExtraHop.Device.Id | Number | The ID of the device. |
| ExtraHop.Device.Ipaddr4 | String | The IPv4 address of the device. |
| ExtraHop.Device.Vlanid | Number | The ID of the VLAN associated with the device. |
| ExtraHop.Device.Ipaddr6 | String | The IPv6 address of the device. |
| ExtraHop.Device.NodeId | Number | The node ID of the sensor associated with the device. |
| ExtraHop.Device.Description | String | A user customizable description of the device. |
| ExtraHop.Device.DnsName | String | The DNS name associated with the device. |
| ExtraHop.Device.DhcpName | String | The DHCP name associated with the device. |
| ExtraHop.Device.CdpName | String | The Cisco Discovery Protocol name associated with the device. |
| ExtraHop.Device.NetbiosName | String | The NetBIOS name associated with the device. |
| ExtraHop.Device.Url | String | Link to the device details page in ExtraHop Reveal(x). |

Command example

!extrahop-devices-search activity=aaa_client discover_time=-10m ip=0.0.0.0 l3_only=true limit=2 mac=00:00:00:00:00:00 match_type=or name=DNS operator=!= role=file_server software=linux tag=tag1 vendor=cisco

Context Example

{
"ExtraHop": {
"Device": [
{
"analysis": "advanced",
"analysis_level": 1,
"auto_role": "other",
"critical": false,
"default_name": "VMware 8",
"device_class": "node",
"discover_time": 1676633640000,
"discovery_id": "0000000000000000",
"display_name": "VMware 8",
"extrahop_id": "0000000000000000",
"id": 25769808421,
"ipaddr4": "0.0.0.0",
"is_l3": false,
"last_seen_time": 1676634840000,
"macaddr": "00:00:00:00:00:00",
"mod_time": 1676634890174,
"model": "vmware_vm",
"node_id": 6,
"on_watchlist": false,
"role": "other",
"url": "https://dummy_url/extrahop/#/metrics/devices/overview/",
"user_mod_time": 0,
"vendor": "VMware",
"vlanid": 0
},
{
"analysis": "advanced",
"analysis_level": 1,
"auto_role": "other",
"critical": false,
"default_name": "VMware 3",
"device_class": "node",
"discover_time": 1676614620000,
"discovery_id": "0000000000000000",
"display_name": "VMware 3",
"extrahop_id": "0000000000000000",
"id": 25769808417,
"ipaddr4": "0.0.0.0",
"is_l3": false,
"last_seen_time": 1676616960000,
"macaddr": "00:00:00:00:00:00",
"mod_time": 1676616977189,
"model": "vmware_vm",
"node_id": 6,
"on_watchlist": false,
"role": "other",
"url": "https://dummy_url/extrahop/#/metrics/devices/overview/",
"user_mod_time": 0,
"vendor": "VMware",
"vlanid": 0
}
]
}
}

Human Readable Output

Device Details:

| Display Name | IP Address | MAC Address | Role | Vendor | URL |
| --- | --- | --- | --- | --- | --- |
| VMware 8 | 0.0.0.0 | 00:00:00:00:00:00 | other | VMware | View Device in ExtraHop |
| VMware 3 | 0.0.0.0 | 00:00:00:00:00:00 | other | VMware | View Device in ExtraHop |

extrahop-protocols-get

Get all active network protocols for a device from ExtraHop Reveal(x).

Base Command

extrahop-protocols-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_or_id | The IP address or ExtraHop API ID of the device to get all active network protocols. | Required |
| query_from | The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Default is -30m. | Optional |
| query_until | The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.Device.Macaddr | String | The MAC address of the device. |
| ExtraHop.Device.DeviceClass | String | The class of the device. |
| ExtraHop.Device.UserModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.AutoRole | String | The role automatically detected by the ExtraHop system. |
| ExtraHop.Device.ParentId | Number | The ID of the parent device. |
| ExtraHop.Device.Vendor | String | The device vendor. |
| ExtraHop.Device.Analysis | String | The level of analysis received by the device. |
| ExtraHop.Device.DiscoveryId | String | The UUID of the device. |
| ExtraHop.Device.DefaultName | String | The default name of the device. |
| ExtraHop.Device.DisplayName | String | The display name of the device. |
| ExtraHop.Device.OnWatchlist | Boolean | Whether the device is on the advanced analysis watch list. |
| ExtraHop.Device.ModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Device.IsL3 | Boolean | Indicates whether the device is a layer 3 device. |
| ExtraHop.Device.Role | String | The role of the device. |
| ExtraHop.Device.DiscoverTime | Number | The time that the device was discovered. |
| ExtraHop.Device.Id | Number | The ID of the device. |
| ExtraHop.Device.Ipaddr4 | String | The IPv4 address of the device. |
| ExtraHop.Device.Vlanid | Number | The ID of the VLAN associated with the device. |
| ExtraHop.Device.Ipaddr6 | String | The IPv6 address of the device. |
| ExtraHop.Device.NodeId | Number | The node ID of the sensor associated with the device. |
| ExtraHop.Device.Description | String | A user customizable description of the device. |
| ExtraHop.Device.DnsName | String | The DNS name associated with the device. |
| ExtraHop.Device.DhcpName | String | The DHCP name associated with the device. |
| ExtraHop.Device.CdpName | String | The Cisco Discovery Protocol name associated with the device. |
| ExtraHop.Device.NetbiosName | String | The NetBIOS name associated with the device. |
| ExtraHop.Device.Url | String | Link to the device details page in ExtraHop Reveal(x). |
| ExtraHop.Device.ClientProtocols | String | The list of protocols the peer device is communicating on as a client. |
| ExtraHop.Device.ServerProtocols | String | The list of protocols the peer device is communicating on as a server. |

Command example

!extrahop-protocols-get ip_or_id=0.0.0.0 query_from=-20m query_until=0

Context Example

{
"ExtraHop": {
"Device": {
"analysis": "advanced",
"analysis_level": 2,
"auto_role": "other",
"client_protocols": [
"UDP:NTP"
],
"critical": false,
"default_name": "VMware 9",
"device_class": "node",
"dhcp_name": "test",
"discover_time": 1635499650000,
"discovery_id": "0000000000000000",
"display_name": "test",
"extrahop_id": "0000000000000000",
"id": 10000000000,
"ipaddr4": "0.0.0.0",
"is_l3": false,
"macaddr": "00:00:00:00:00:000",
"mod_time": 1676638611398,
"model": "vmware_vm",
"node_id": 6,
"on_watchlist": true,
"role": "other",
"url": "https://dummy_url/extrahop/#/metrics/devices/overview/",
"user_mod_time": 1676290306316,
"vendor": "VMware",
"vlanid": 0
}
}
}

Human Readable Output

Device Activity Found:

| Display Name | IP Address | MAC Address | Protocols (Client) | Role | Vendor | URL |
| --- | --- | --- | --- | --- | --- | --- |
| test | 0.0.0.0 | 00:00:00:00:00:000 | UDP:NTP | other | VMware | View Device in ExtraHop |

extrahop-activity-map-get

Get a link to a live activity map in ExtraHop Reveal(x).

Base Command

extrahop-activity-map-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_or_id | The IP address or ExtraHop API ID of the source device to get an activity map. | Required |
| time_interval | The time interval of the live activity map, expressed as the "Last" 30 minutes. For example, specify a value of 30 minutes to get an activity map showing the time range of the last 30 minutes. This field is ignored if from_time and until_time are provided. Possible values are: 30 minutes, 6 hours, 1 day, 1 week. Default is 30 minutes. | Optional |
| from_time | The beginning timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | Optional |
| until_time | The ending timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | Optional |
| peer_role | The role of the peer devices in relation to the source device. For example, specifying a peer_role of client will show All Clients communicating with the source device. Additionally specifying a protocol of HTTP will result in further filtering and only showing HTTP Clients communicating with the source device. Possible values are: any, client, server. Default is any. | Optional |
| protocol | The protocol over which the source device is communicating. For example, specifying a protocol of HTTP shows only HTTP Clients and HTTP Servers communicating with the source device. Additionally specifying a peer_role of client will result in further filtering and only showing HTTP Clients communicating with the source device. Possible values are: any, AAA, ActiveMQ, AJP, amf, CIFS, DB, DHCP, DICOM, DNS, FIX, FTP, HL7, HTTP, IBMMQ, ICA, IKE/ISAKMP, IMAP, IPFIX, IPsec NAT-T, IRC, iSCSI, Kerberos, L2TP, LDAP, lync-compress, memcache, Modbus, MongoDB, MSMQ, MSN, MSRPC, NetFlow, NFS, NTP, OpenVPN, PCoIP, Perforce, POP3, RDP, Redis, RFB, RTCP, RTP, sFlow, SIP, SMPP, SMTP, SNMP, SSH, SSL, Syslog, TCP, telnet, UDP, WebSocket. Default is any. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.ActivityMap.url | String | The link to a visual activity map in ExtraHop Reveal(x). |

Command example

!extrahop-activity-map-get ip_or_id=0.0.0.0 peer_role=server protocol=any time_interval="30 minutes"

Context Example

{
"ExtraHop": {
"ActivityMap": {
"url": "https://dummy_url/extrahop/#/activitymaps?appliance_id=00000000000000000000000000000000&discovery_id=0000000000000000&from=30&interval_type=MIN&object_type=device&protocol=any&role=server&until=0"
}
}
}

Human Readable Output

View Live Activity Map in ExtraHop

extrahop-alert-rules-get

Get all alert rules from ExtraHop Reveal(x).

Base Command

extrahop-alert-rules-get

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.Alert.Operator | String | The logical operator applied when comparing the value of the operand field to alert conditions. |
| ExtraHop.Alert.FieldName | String | The name of the monitored metric. |
| ExtraHop.Alert.NotifySnmp | Boolean | Indicates whether to send an SNMP trap when an alert is generated. |
| ExtraHop.Alert.Operand | String | The value to compare against alert conditions. |
| ExtraHop.Alert.IntervalLength | Number | The length of the alert interval, expressed in seconds. |
| ExtraHop.Alert.Author | String | The name of the user that created the alert. |
| ExtraHop.Alert.Name | String | The unique, friendly name for the alert. |
| ExtraHop.Alert.FieldName2 | String | The second monitored metric when applying a ratio. |
| ExtraHop.Alert.RefireInterval | Number | The time interval in which alert conditions are monitored, expressed in seconds. |
| ExtraHop.Alert.ModTime | Number | The time of the most recent update, expressed in milliseconds since the epoch. |
| ExtraHop.Alert.Units | String | The interval in which to evaluate the alert condition. |
| ExtraHop.Alert.ApplyAll | Boolean | Indicates whether the alert is assigned to all available data sources. |
| ExtraHop.Alert.Type | String | The type of alert. |
| ExtraHop.Alert.FieldOp | String | The type of comparison between the "field_name" and "field_name2" fields when applying a ratio. |
| ExtraHop.Alert.Id | Number | The unique identifier for the alert. |
| ExtraHop.Alert.Disabled | Boolean | Indicates whether the alert is disabled. |
| ExtraHop.Alert.Description | String | An optional description for the alert. |
| ExtraHop.Alert.Severity | Number | The severity level of the alert. |
| ExtraHop.Alert.StatName | String | The statistic name for the alert. |

Command example

!extrahop-alert-rules-get

Context Example

{
"ExtraHop": {
"Alert": [
{
"apply_all": false,
"author": "ExtraHop",
"description": "Alert triggered when ratio of DB errors is greater than 1%.",
"disabled": false,
"field_name": "rsp_error",
"field_name2": "rsp",
"field_op": "/",
"id": 15,
"interval_length": 30,
"mod_time": 1617887147538,
"name": "DB Error Ratio - Orange",
"notify_snmp": false,
"operand": "0.01",
"operator": ">",
"refire_interval": 300,
"severity": 3,
"stat_name": "extrahop.application.db",
"type": "threshold",
"units": "none"
},
{
"apply_all": false,
"author": "ExtraHop",
"description": "Alert triggered when ratio of DB errors is greater than 5%.",
"disabled": false,
"field_name": "rsp_error",
"field_name2": "rsp",
"field_op": "/",
"id": 14,
"interval_length": 30,
"mod_time": 1617887147615,
"name": "DB Error Ratio - Red",
"notify_snmp": false,
"operand": "0.05",
"operator": ">",
"refire_interval": 300,
"severity": 1,
"stat_name": "extrahop.application.db",
"type": "threshold",
"units": "none"
},
{
"apply_all": false,
"author": "ExtraHop",
"description": "Alert triggered when ratio of DNS errors is greater than 0.1%.",
"disabled": false,
"field_name": "rsp_error",
"field_name2": "rsp",
"field_op": "/",
"id": 19,
"interval_length": 30,
"mod_time": 1617887147785,
"name": "DNS Error Ratio - Yellow",
"notify_snmp": false,
"operand": "0.001",
"operator": ">",
"refire_interval": 300,
"severity": 5,
"stat_name": "extrahop.application.dns",
"type": "threshold",
"units": "none"
}
]
}
}

Human Readable Output#

Found 3 Alert(s)#

| Apply All | Author | Description | Disabled | Field Name | Field Name2 | Field Op | Id | Interval Length | Mod Time | Name | Notify Snmp | Operand | Operator | Refire Interval | Severity | Stat Name | Type | Units |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | ExtraHop | Alert triggered when ratio of DB errors is greater than 1%. | false | rsp_error | rsp | / | 15 | 30 | 1617887147538 | DB Error Ratio - Orange | false | 0.01 | > | 300 | 3 | extrahop.application.db | threshold | none |
| false | ExtraHop | Alert triggered when ratio of DB errors is greater than 5%. | false | rsp_error | rsp | / | 14 | 30 | 1617887147615 | DB Error Ratio - Red | false | 0.05 | > | 300 | 1 | extrahop.application.db | threshold | none |
| false | ExtraHop | Alert triggered when ratio of DNS errors is greater than 0.1%. | false | rsp_error | rsp | / | 19 | 30 | 1617887147785 | DNS Error Ratio - Yellow | false | 0.001 | > | 300 | 5 | extrahop.application.dns | threshold | none |

extrahop-packets-search#


Search for specific packets in ExtraHop Reveal(x).

Base Command#

extrahop-packets-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| output | The output format: a pcap file, a keylog.txt file that can be loaded in Wireshark to decrypt the SSL/TLS packets, or a zip file containing both packets.pcap and keylog.txt. Possible values are: pcap, keylog_txt, zip. Default is pcap. A keylog.txt file holds TLS session keys; treat it as sensitive, because together with the pcap it lets anyone who obtains it decrypt the captured sessions. | Optional |
| limit_bytes | The maximum number of bytes to return. Default is 10MB. | Optional |
| limit_search_duration | The maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. Default is 5m. | Optional |
| query_from | The beginning timestamp of the time range the search will include, expressed in milliseconds since the epoch. A negative value specifies that the search will begin with packets captured at a time in the past relative to the current time. For example, specify -10m to begin the search with packets captured 10 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Default is -10m. | Optional |
| query_until | The ending timestamp of the time range the search will include, expressed in milliseconds since the epoch. A 0 value specifies that the search will end with packets captured at the time of the search. A negative value specifies that the search will end with packets captured at a time in the past relative to the current time. For example, specify -5m to end the search with packets captured 5 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| bpf | A Berkeley Packet Filter (BPF) expression that narrows the packet search. | Optional |
| ip1 | Returns packets sent to or received by the specified IP address. | Optional |
| port1 | Returns packets sent from or received on the specified port. | Optional |
| ip2 | Returns packets sent to or received by the specified IP address. | Optional |
| port2 | Returns packets sent from or received on the specified port. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | File information. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The file extension. |

Command example#

!extrahop-packets-search ip1=0.0.0.0 ip2=0.0.0.0 limit_bytes=10MB limit_search_duration=10m output=pcap port1=8000 port2=8000 query_from=-15m query_until=0

Human Readable Output#

Uploaded file: extrahop 2022-12-15 21.12.29 to 21.27.29 IST.pcap

| Property | Value |
| --- | --- |
| Type | pcap |
| Size | 1,122,020 bytes |
| Info | data |
| MD5 | 710737f2d9874690f130da14da38e7cb |
| SHA1 | a89d4696c11ee0a8890d8f4effba8fad891cf05d |
| SHA256 | 433f238d350d8eb19979f0f513974d97b9e9f3445f99deb75c0a1f46e54de111 |
| SHA512 | fbb914a425d324e4d50bdcf15fc31499720e48d9242005c796d91c345dcb44e1f2fb1435d6bf44c89e0f8256dbae43638f5d8175872bcd29e5bf4fbcba4124cb |
| SSDeep | 12288:WzC9IOFcF8jgBXx00uMOsOFtKu1R4mF48f6G2GeXCuX:Wgo8cNx3QsODKugmnfjcPX |

extrahop-devices-tag#


Add or remove a tag from devices in ExtraHop Reveal(x).

Base Command#

extrahop-devices-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag | The case-sensitive value of the tag. | Required |
| add | The list of IP addresses or ExtraHop API IDs of the devices to tag, comma separated. | Optional |
| remove | The list of IP addresses or ExtraHop API IDs of the devices to remove the tag from, comma separated. | Optional |

Context Output#

There is no context output for this command.

Command example#

!extrahop-devices-tag tag=MyTag add=0.0.0.0 remove=0.0.0.0

Human Readable Output#

Successfully tagged untagged the device/s.

extrahop-alert-rule-create#


Create a new alert rule in ExtraHop Reveal(x).

Base Command#

extrahop-alert-rule-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| apply_all | Indicates whether the alert is assigned to all available data sources. Possible values are: true, false. | Required |
| disabled | Indicates whether the alert is disabled. Possible values are: true, false. | Required |
| field_name | The name of the monitored metric. Only applicable to threshold alerts. | Optional |
| field_name2 | The second monitored metric when applying a ratio. Only applicable to threshold alerts. | Optional |
| field_op | The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. Possible values are: /, null. | Optional |
| interval_length | The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. Possible values are: 30, 60, 120, 300, 600, 900, 1200, 1800. Default is 30. | Optional |
| name | The unique, friendly name for the alert. | Required |
| notify_snmp | Indicates whether to send an SNMP trap when an alert is generated. Possible values are: true, false. | Required |
| object_type | The type of metric source monitored by the alert configuration. Only applicable to detection alerts. Possible values are: application, device. | Optional |
| operand | The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. | Optional |
| operator | The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. Possible values are: ==, >, <, >=, <=. | Optional |
| param | The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
| param2 | The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
| protocols | The list of monitored protocols. Only applicable to detection alerts. | Optional |
| refire_interval | The time interval in which alert conditions are monitored, expressed in seconds. Possible values are: 300, 600, 900, 1800, 3600, 7200, 14400. | Required |
| severity | The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. Possible values are: 0, 1, 2, 3, 4, 5, 6, 7. | Required |
| stat_name | The statistic name for the alert. Only applicable to threshold alerts. | Optional |
| type | The type of alert. Possible values are: detection, threshold. | Required |
| units | The interval in which to evaluate the alert condition. Only applicable to threshold alerts. Possible values are: none, period, 1 sec, 1 min, 1 hr. | Optional |

Context Output#

There is no context output for this command.

Command example#

!extrahop-alert-rule-create apply_all=true interval_length=30 disabled=false name="test10" notify_snmp=false refire_interval=300 severity=4 type=detection object_type=device protocols="udp"


Human Readable Output#

Successfully created alert rule.

extrahop-ticket-track#


Link an ExtraHop Reveal(x) detection to a Cortex XSOAR incident.

Base Command#

extrahop-ticket-track

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The ID of the Cortex XSOAR incident to track. | Required |
| detection_id | The ID of the ExtraHop Reveal(x) detection to track. | Required |
| incident_owner | Owner of the incident. | Optional |
| incident_status | Status of the incident. Possible values are: 0, 1, 2, 3. | Optional |
| incident_close_reason | Reason the incident was closed. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.TicketId | String | Cortex XSOAR incident ID successfully tracked to the ExtraHop Reveal(x) detection. |

Command example#

!extrahop-ticket-track detection_id=1234 incident_id=1 incident_owner=John incident_status=1

Context Example#

{
"ExtraHop": {
"ExtraHop": {
"TicketId": "1"
}
}
}

Human Readable Output#

Successfully linked detection(1234) with incident(1)

extrahop-alert-rule-edit#


Modify an alert rule in ExtraHop Reveal(x).

Base Command#

extrahop-alert-rule-edit

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The unique identifier for the alert. | Required |
| apply_all | Indicates whether the alert is assigned to all available data sources. Possible values are: true, false. | Required |
| disabled | Indicates whether the alert is disabled. Possible values are: true, false. | Required |
| field_name | The name of the monitored metric. Only applicable to threshold alerts. | Optional |
| field_name2 | The second monitored metric when applying a ratio. Only applicable to threshold alerts. | Optional |
| field_op | The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. Possible values are: /, null. | Optional |
| interval_length | The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. Possible values are: 30, 60, 120, 300, 600, 900, 1200, 1800. Default is 30. | Optional |
| name | The unique, friendly name for the alert. | Required |
| notify_snmp | Indicates whether to send an SNMP trap when an alert is generated. Possible values are: true, false. | Required |
| object_type | The type of metric source monitored by the alert configuration. Only applicable to detection alerts. Possible values are: application, device. | Optional |
| operand | The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. | Optional |
| operator | The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. Possible values are: ==, >, <, >=, <=. | Optional |
| param | The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
| param2 | The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | Optional |
| protocols | The list of monitored protocols. Only applicable to detection alerts. | Optional |
| refire_interval | The time interval in which alert conditions are monitored, expressed in seconds. Possible values are: 300, 600, 900, 1800, 3600, 7200, 14400. | Required |
| severity | The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. Possible values are: 0, 1, 2, 3, 4, 5, 6, 7. | Required |
| stat_name | The statistic name for the alert. Only applicable to threshold alerts. | Optional |
| type | The type of alert. Possible values are: detection, threshold. | Required |
| units | The interval in which to evaluate the alert condition. Only applicable to threshold alerts. Possible values are: none, period, 1 sec, 1 min, 1 hr. | Optional |

Context Output#

There is no context output for this command.

Command example#

!extrahop-alert-rule-edit interval_length=30 alert_id=36 apply_all=true disabled=false name="t127" notify_snmp=false refire_interval=300 severity=4 type=detection protocols="udp" object_type=device

Human Readable Output#

Successfully updated alert rule.

extrahop-watchlist-edit#


Add or remove devices from the advanced analysis watchlist in ExtraHop Reveal(x).

Base Command#

extrahop-watchlist-edit

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| add | The list of IP addresses or ExtraHop API IDs of the devices to add, comma separated. | Optional |
| remove | The list of IP addresses or ExtraHop API IDs of the devices to remove, comma separated. | Optional |

Context Output#

There is no context output for this command.

Command example#

!extrahop-watchlist-edit add=0.0.0.0 remove=0.0.0.0

Human Readable Output#

Successfully added new devices(0.0.0.0) in the watchlist
Successfully removed devices(0.0.0.0) from the watchlist

extrahop-metrics-list#


Get metrics for specified objects from ExtraHop Reveal(x).

Base Command#

extrahop-metrics-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cycle | The aggregation period for metrics. Possible values are: auto, 1sec, 30sec, 5min, 1hr, 24hr. | Required |
| from_time | The beginning timestamp for the request. Return only metrics collected after this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with a unit suffix. For example, to request metrics collected in the last 30 minutes, specify "-30m". | Required |
| metric_category | The group of metrics that are searchable in the metric catalog. | Required |
| object_ids | The list of numeric values that represent unique identifiers. Unique identifiers can be retrieved through the /networks, /devices, /applications, /vlans, /devicegroups, /activitygroups, and /appliances resources. For system health metrics, specify the ID of the sensor or console and set the object_type parameter to "system". | Required |
| object_type | The object type of the unique identifiers specified in the object_ids property. Possible values are: network, device, application, vlan, device_group, system. | Required |
| until_time | The ending timestamp for the request. Return only metrics collected before this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with a unit suffix. For example, "-30m" ends the range 30 minutes before the time of the request. | Required |
| metric_specs | An array of metric specification objects, passed as a JSON string (see the command example below). Refer to the ExtraHop REST API Guide at https://docs.extrahop.com/current/rest-api-guide/. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.Metrics.cycle | String | The aggregation period for metrics. |
| ExtraHop.Metrics.node_id | Number | Node ID of the sensor associated with the object. |
| ExtraHop.Metrics.clock | Number | The current time. |
| ExtraHop.Metrics.from | Number | The beginning time from which metrics were collected. |
| ExtraHop.Metrics.until | Number | The ending time that metrics were collected. |
| ExtraHop.Metrics.stats.oid | Number | The ID of the object. |
| ExtraHop.Metrics.stats.time | Number | The time for which metrics were collected. |
| ExtraHop.Metrics.stats.duration | Number | The duration that metrics were collected. |
| ExtraHop.Metrics.stats.values | Unknown | The count value of the metrics that were collected. |

Command example#

!extrahop-metrics-list cycle=auto from_time=0 metric_category=http object_ids=0 object_type=application until_time=0 metric_specs="[{\"name\": \"req\", \"key\": \"/GET/\"}]"

Context Example#

{
"ExtraHop": {
"Metrics": {
"clock": 1676883600000,
"cycle": "1hr",
"from": 0,
"node_id": 0,
"stats": [
{
"duration": 3600000,
"oid": 0,
"time": 1637740800000,
"values": [
345
]
},
{
"duration": 3600000,
"oid": 0,
"time": 1637744400000,
"values": [
178
]
},
{
"duration": 3600000,
"oid": 0,
"time": 1637751600000,
"values": [
744
]
}
],
"until": 1676883600000
}
}
}

Human Readable Output#

Metrics Found:

| Property | Value |
| --- | --- |
| Cycle | 30 sec |
| Node Id | 0 |
| Clock | 1676873250000 |
| From Time | 1676871390000 |
| Until Time | 1676871990000 |
| Stats | {'oid': 0, 'time': 1637740800000, 'duration': 30000, 'values': [4]}, {'oid': 0, 'time': 1676871420000, 'duration': 30000, 'values': [9]}, {'oid': 0, 'time': 1676871450000, 'duration': 30000, 'values': [4]} |
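The threshold-rule arguments from the extrahop-alert-rule-create table (operator, operand, field_op, interval_length, refire_interval) and the stats shape returned by extrahop-metrics-list, brought together in one place: validate a rule's argument values, then replay the rule over two metric series to see in which buckets it would fire. This is an added example, not code from the integration or from ExtraHop. The firing semantics are an assumption drawn from the field descriptions: when field_op is "/", field_name divided by field_name2 is compared with operator to operand once per bucket, a firing suppresses further firings for refire_interval seconds, and a bucket with a zero denominator is skipped. The rule dict is the DB Error Ratio - Orange rule from the extrahop-alert-rules-get context example; the metric buckets are constructed, not real ExtraHop data.

```python
"""Validate a threshold alert rule and replay it over metrics-list style stats.

Added example, not code from the ExtraHop integration. Firing semantics are
assumed from the field descriptions on this page (see the lead-in above).
"""
import operator as op
from typing import Dict, List, Optional

# Allowed values copied from the extrahop-alert-rule-create argument table.
INTERVAL_LENGTHS = {30, 60, 120, 300, 600, 900, 1200, 1800}
REFIRE_INTERVALS = {300, 600, 900, 1800, 3600, 7200, 14400}
OPERATORS = {"==": op.eq, ">": op.gt, "<": op.lt, ">=": op.ge, "<=": op.le}


def _as_int(value) -> Optional[int]:
    """XSOAR passes arguments as strings; coerce, returning None when impossible."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def validate_rule(rule: dict) -> List[str]:
    """Return the value-domain problems in a rule (an empty list means it passes)."""
    problems = []
    kind = rule.get("type")
    if kind not in ("detection", "threshold"):
        problems.append("type must be detection or threshold")
    if _as_int(rule.get("refire_interval")) not in REFIRE_INTERVALS:
        problems.append("refire_interval not in allowed set")
    severity = _as_int(rule.get("severity"))
    if severity is None or not 0 <= severity <= 7:
        problems.append("severity must be 0..7")
    if kind == "threshold":
        if _as_int(rule.get("interval_length", 30)) not in INTERVAL_LENGTHS:
            problems.append("interval_length not in allowed set")
        if rule.get("operator") not in OPERATORS:
            problems.append("operator must be one of ==, >, <, >=, <=")
        if rule.get("field_op") not in ("/", None):
            problems.append("field_op must be / or null")
        if rule.get("field_op") == "/" and not rule.get("field_name2"):
            problems.append("field_op / needs field_name2")
        try:
            float(rule.get("operand"))
        except (TypeError, ValueError):
            problems.append("operand must be numeric")
    elif kind == "detection" and rule.get("object_type") not in ("application", "device"):
        problems.append("object_type must be application or device")
    return problems


def _by_time(stats: List[dict]) -> Dict[int, float]:
    """Index a metrics-list `stats` array by bucket start time (first value only)."""
    return {s["time"]: float(s["values"][0]) for s in stats}


def evaluate_threshold(rule: dict, series: Dict[str, List[dict]]) -> List[int]:
    """Return the bucket times at which `rule` fires over `series`.

    `series` maps a field name ("rsp_error", "rsp") to a stats array in the
    shape extrahop-metrics-list returns. A bucket missing from the denominator
    series, or with a zero denominator, is skipped: no responses, no ratio.
    """
    if rule.get("type") != "threshold" or validate_rule(rule):
        raise ValueError("not a valid threshold rule")
    compare, operand = OPERATORS[rule["operator"]], float(rule["operand"])
    refire_ms = int(rule["refire_interval"]) * 1000
    numer = _by_time(series[rule["field_name"]])
    denom = _by_time(series[rule["field_name2"]]) if rule.get("field_op") == "/" else None
    fired: List[int] = []
    last_fire: Optional[int] = None
    for t in sorted(numer):
        value = numer[t]
        if denom is not None:
            if denom.get(t, 0.0) == 0.0:
                continue
            value /= denom[t]
        if not compare(value, operand):
            continue
        if last_fire is not None and t - last_fire < refire_ms:
            continue  # inside the refire window: suppressed
        fired.append(t)
        last_fire = t
    return fired


# Rule copied from the extrahop-alert-rules-get context example on this page.
DB_ERROR_ORANGE = {
    "type": "threshold", "field_name": "rsp_error", "field_name2": "rsp",
    "field_op": "/", "operator": ">", "operand": "0.01", "interval_length": 30,
    "refire_interval": 300, "severity": 3, "stat_name": "extrahop.application.db",
}


def _bucket(t: int, value: float) -> dict:
    return {"oid": 0, "time": t, "duration": 30000, "values": [value]}


# Constructed 30-second buckets (not real ExtraHop data), starting at T0.
T0 = 1676871390000
SAMPLE_SERIES = {
    "rsp_error": [_bucket(T0, 0), _bucket(T0 + 30000, 5), _bucket(T0 + 60000, 6),
                  _bucket(T0 + 90000, 0), _bucket(T0 + 330000, 3), _bucket(T0 + 360000, 0)],
    "rsp": [_bucket(T0, 0), _bucket(T0 + 30000, 200), _bucket(T0 + 60000, 200),
            _bucket(T0 + 90000, 200), _bucket(T0 + 330000, 100), _bucket(T0 + 360000, 0)],
}

if __name__ == "__main__":
    print(validate_rule(DB_ERROR_ORANGE), evaluate_threshold(DB_ERROR_ORANGE, SAMPLE_SERIES))
```

On the sample data the rule fires at T0+30s (5/200 = 2.5%), stays silent at T0+60s even though 3% is over the line because the 300-second refire window is still open, and fires again at T0+330s once the window has elapsed. A bucket with rsp = 0 never fires: dividing by zero would otherwise raise, and a quiet period is not an error condition.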

extrahop-detections-list#


Get detections from ExtraHop Reveal(x).

Base Command#

extrahop-detections-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Detection-specific filters, as a JSON object. For example: {"categories": ["sec.attack"], "risk_score_min": 51}. If neither categories nor category is specified, categories is set to ["sec.attack"]. The category field is deprecated by the API, so use the categories field instead. Refer to the ExtraHop REST API guide at https://docs.extrahop.com/current/rest-api-guide/. | Optional |
| from | Returns detections that occurred after the specified date, expressed in milliseconds since the epoch. Detections that started before the specified date are returned if the detection was ongoing at that time. For example: from=1673508360001. | Optional |
| limit | Returns no more than the specified number of detections. For example: limit=10. Default is 200. | Optional |
| offset | The number of detections to skip for pagination. For example: offset=100. | Optional |
| sort | Sorts returned detections by the specified fields, given as a comma-separated list of "field direction" pairs. By default, detections are sorted by most recent update time and then by id in ascending order. For example: sort="end_time asc,id desc". | Optional |
| until | Returns detections that ended before the specified date, expressed in milliseconds since the epoch. For example: until=1673509360001. | Optional |
| mod_time | Returns detections that were modified on or after the specified date, expressed in milliseconds since the epoch. For example: mod_time=1675416916102. | Optional |
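The filter default, the sort syntax and limit/offset pagination described in the table above, worked through in Python as an added example that is not part of the integration. The fetch function is a constructed stand-in for the extrahop-detections-list call so the helpers run offline; the sample detections are made up, with ids and timestamps modelled on the context example below. Passing the highest mod_time seen in one run as the mod_time of the next is how a poller avoids re-reading detections it has already turned into incidents.

```python
"""Paging and filtering helpers for extrahop-detections-list.

Added example; not part of the ExtraHop integration. `make_fake_fetch` is a
constructed stand-in for the command so that everything here runs offline.
"""
from typing import Callable, Iterator, List, Optional, Tuple

DEFAULT_CATEGORIES = ["sec.attack"]


def build_filter(user_filter: Optional[dict] = None) -> dict:
    """Apply the documented default: no categories/category -> ["sec.attack"]."""
    flt = dict(user_filter or {})
    if "categories" not in flt and "category" not in flt:
        flt["categories"] = list(DEFAULT_CATEGORIES)
    return flt


def parse_sort(sort: str) -> List[Tuple[str, str]]:
    """Validate 'field direction,field direction' and return it as pairs."""
    pairs = []
    for clause in sort.split(","):
        tokens = clause.split()
        if len(tokens) != 2 or tokens[1] not in ("asc", "desc"):
            raise ValueError(f"bad sort clause: {clause.strip()!r}")
        pairs.append((tokens[0], tokens[1]))
    return pairs


def page_detections(fetch: Callable[[dict], List[dict]], flt: dict,
                    limit: int = 200, mod_time: Optional[int] = None) -> Iterator[dict]:
    """Yield every matching detection, walking pages with offset/limit.

    A page shorter than `limit` is the last one. `mod_time` (ms since the
    epoch) restricts the walk to detections modified at or after that time.
    """
    offset = 0
    while True:
        args = {"filter": flt, "limit": limit, "offset": offset}
        if mod_time is not None:
            args["mod_time"] = mod_time
        page = fetch(args)
        yield from page
        if len(page) < limit:
            return
        offset += limit


def latest_mod_time(detections: List[dict]) -> Optional[int]:
    """Checkpoint for the next incremental poll (None when nothing was seen)."""
    return max((d["mod_time"] for d in detections), default=None)


def make_fake_fetch(detections: List[dict]) -> Callable[[dict], List[dict]]:
    """Constructed stand-in for the command: applies filter, mod_time, offset, limit."""
    def fetch(args: dict) -> List[dict]:
        flt = args["filter"]
        wanted = set(flt.get("categories", []))
        rows = [d for d in detections if not wanted or wanted & set(d["categories"])]
        if "risk_score_min" in flt:
            rows = [d for d in rows if d["risk_score"] >= flt["risk_score_min"]]
        if "mod_time" in args:
            rows = [d for d in rows if d["mod_time"] >= args["mod_time"]]
        rows.sort(key=lambda d: (d["mod_time"], d["id"]))  # update time, then id
        return rows[args["offset"]:args["offset"] + args["limit"]]
    return fetch


# Constructed sample detections (not real data); shape follows the context example.
SAMPLE_DETECTIONS = [
    {"id": 1110159, "categories": ["sec", "sec.exploit"], "risk_score": 50, "mod_time": 1676895301451},
    {"id": 1110160, "categories": ["sec", "sec.exploit"], "risk_score": 50, "mod_time": 1676895331451},
    {"id": 1110161, "categories": ["sec", "sec.exploit"], "risk_score": 50, "mod_time": 1676895361452},
    {"id": 1110162, "categories": ["sec", "sec.attack"], "risk_score": 80, "mod_time": 1676895400000},
    {"id": 1110163, "categories": ["sec", "sec.attack"], "risk_score": 30, "mod_time": 1676895500000},
]


def collect_ids(flt: dict, limit: int = 200, mod_time: Optional[int] = None) -> List[int]:
    """Run the pager over the sample data and return the detection ids in order."""
    fetch = make_fake_fetch(SAMPLE_DETECTIONS)
    return [d["id"] for d in page_detections(fetch, flt, limit=limit, mod_time=mod_time)]


if __name__ == "__main__":
    print(collect_ids(build_filter(), limit=1))
```

Note that `build_filter` leaves a caller-supplied deprecated `category` alone rather than silently rewriting it: the page says the API still accepts it, and a helper that changes the filter under the user is harder to debug than one that passes it through.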

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.Detections.id | Number | The unique detection ID of the detection. |
| ExtraHop.Detections.start_time | Number | The timestamp when the detection was identified. |
| ExtraHop.Detections.mod_time | Number | The timestamp when the detection was last modified. |
| ExtraHop.Detections.end_time | Number | The timestamp when the detection was completed. |
| ExtraHop.Detections.title | String | The title of the detection. |
| ExtraHop.Detections.description | String | The description of the event for which the detection was created. |
| ExtraHop.Detections.categories | Unknown | The categories associated with the detection. |
| ExtraHop.Detections.risk_score | Number | The risk level of the event. |
| ExtraHop.Detections.type | String | The detection type. |
| ExtraHop.Detections.properties | Unknown | The detection properties. |
| ExtraHop.Detections.participants | Unknown | The participants involved in the event. |
| ExtraHop.Detections.ticket_id | String | The unique ticket ID for the detection that is being tracked. |
| ExtraHop.Detections.assignee | String | The user assigned to the detection. |
| ExtraHop.Detections.status | String | The status of the detection. |
| ExtraHop.Detections.resolution | String | The resolution status of the detection. |
| ExtraHop.Detections.mitre_tactics | Unknown | The MITRE tactics associated with the attack. |
| ExtraHop.Detections.mitre_techniques | Unknown | The MITRE techniques associated with the attack. |
| ExtraHop.Detections.appliance_id | Number | The unique identifier of the sensor on which the attack was detected. |
| ExtraHop.Detections.is_user_created | Boolean | Indicates whether the detection is user-created. |

Command example#

!extrahop-detections-list limit=3

Context Example#

{
"ExtraHop": {
"Detections": [
{
"appliance_id": 0,
"categories": [
"sec",
"sec.exploit"
],
"description": "The offender was recently observed carrying out a TCP SYN Scan and has now made a successful TCP 3-way handshake to the victim device. Investigate to determine if this is the result of the SYN Scan.",
"end_time": 1676895361452,
"id": 1110161,
"is_user_created": true,
"participants": [
{
"external": false,
"id": 2187135,
"object_type": "ipaddr",
"object_value": "0.0.0.0",
"role": "offender"
},
{
"external": true,
"id": 2187136,
"object_type": "ipaddr",
"object_value": "0.0.0.2",
"role": "victim"
}
],
"risk_score": 50,
"start_time": 1676895361452,
"title": "Test_Detection_1_1676895361452",
"type": "Test_Detection_1_1676895361452",
"mod_time": 1676895361452
},
{
"appliance_id": 0,
"categories": [
"sec",
"sec.exploit"
],
"description": "The offender was recently observed carrying out a TCP SYN Scan and has now made a successful TCP 3-way handshake to the victim device. Investigate to determine if this is the result of the SYN Scan.",
"end_time": 1676895331451,
"id": 1110160,
"is_user_created": true,
"participants": [
{
"external": false,
"id": 2187133,
"object_type": "ipaddr",
"object_value": "0.0.0.0",
"role": "offender"
},
{
"external": true,
"id": 2187134,
"object_type": "ipaddr",
"object_value": "0.0.0.2",
"role": "victim"
}
],
"risk_score": 50,
"start_time": 1676895331451,
"title": "Test_Detection_1_1676895331451",
"type": "Test_Detection_1_1676895331451",
"mod_time": 1676895331451
},
{
"appliance_id": 0,
"categories": [
"sec",
"sec.exploit"
],
"description": "The offender was recently observed carrying out a TCP SYN Scan and has now made a successful TCP 3-way handshake to the victim device. Investigate to determine if this is the result of the SYN Scan.",
"end_time": 1676895301451,
"id": 1110159,
"is_user_created": true,
"participants": [
{
"external": false,
"id": 2187131,
"object_type": "ipaddr",
"object_value": "0.0.0.0",
"role": "offender"
},
{
"external": true,
"id": 2187132,
"object_type": "ipaddr",
"object_value": "0.0.0.2",
"role": "victim"
}
],
"risk_score": 50,
"start_time": 1676895301451,
"title": "Test_Detection_1_1676895301451",
"type": "Test_Detection_1_1676895301451",
"mod_time": 1676895301451
}
]
}
}

Human Readable Output#

Found 3 Detection(s)#

| Detection ID | Risk Score | Description | Categories | Start Time |
| --- | --- | --- | --- | --- |
| 1110161 | 50 | The offender was recently observed carrying out a TCP SYN Scan and has now made a successful TCP 3-way handshake to the victim device. Investigate to determine if this is the result of the SYN Scan. | sec, sec.exploit | 1676895361452 |
| 1110160 | 50 | The offender was recently observed carrying out a TCP SYN Scan and has now made a successful TCP 3-way handshake to the victim device. Investigate to determine if this is the result of the SYN Scan. | sec, sec.exploit | 1676895331451 |
| 1110159 | 50 | The offender was recently observed carrying out a TCP SYN Scan and has now made a successful TCP 3-way handshake to the victim device. Investigate to determine if this is the result of the SYN Scan. | sec, sec.exploit | 1676895301451 |
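Taking a detection from extrahop-detections-list and turning it into the arguments for extrahop-packets-search, so a playbook can pull the packets behind a detection. This is an added example, not the integration's code, and it serves both the packets-search argument table and the detections context example: the offender and victim participants become ip1 and ip2, and the detection's start_time and end_time, padded by a margin, become query_from and query_until. The time-suffix parser follows the suffix list in the packets-search table; the millisecond lengths used for M (30 days) and y (365 days) are assumptions, as is the 60-second margin. The sample detection is the first entry of the context example above.

```python
"""Build extrahop-packets-search arguments from a detection.

Added example (not the integration's code). Participant roles "offender" and
"victim" and ms-epoch timestamps follow the detections context example on
this page; the M and y suffix lengths below are assumptions.
"""
import re
from typing import Dict, Optional

# Suffix -> milliseconds. ms, s, m, h, d, w are exact; M and y are assumed to
# be 30 and 365 days here, which may differ from ExtraHop's own definition.
UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000,
           "w": 604_800_000, "M": 30 * 86_400_000, "y": 365 * 86_400_000}
_TIME_VALUE = re.compile(r"^(-?\d+)(ms|s|m|h|d|w|M|y)?$")


def to_epoch_ms(value: str, now_ms: int) -> int:
    """Resolve a query_from/query_until value to absolute ms since the epoch.

    "0" means now; a negative value is relative to now (default unit ms);
    a positive value is already an absolute timestamp and takes no suffix.
    """
    match = _TIME_VALUE.match(value.strip())
    if not match:
        raise ValueError(f"unrecognised time value: {value!r}")
    number, unit = int(match.group(1)), match.group(2)
    if number > 0:
        if unit:
            raise ValueError("absolute timestamps take no unit suffix")
        return number
    return now_ms + number * UNIT_MS[unit or "ms"]


def participant_ips(detection: dict) -> Dict[str, Optional[str]]:
    """Map offender/victim -> IP for ipaddr participants (first of each role wins)."""
    ips: Dict[str, Optional[str]] = {"offender": None, "victim": None}
    for p in detection.get("participants", []):
        role = p.get("role")
        if p.get("object_type") == "ipaddr" and role in ips and ips[role] is None:
            ips[role] = p["object_value"]
    return ips


def packet_search_args(detection: dict, margin_ms: int = 60_000,
                       limit_bytes: str = "10MB") -> dict:
    """Arguments for !extrahop-packets-search covering the detection window."""
    ips = participant_ips(detection)
    if not ips["offender"] or not ips["victim"]:
        raise ValueError("detection has no ipaddr offender/victim pair")
    start = int(detection["start_time"]) - margin_ms
    end = int(detection.get("end_time") or detection["start_time"]) + margin_ms
    return {"ip1": ips["offender"], "ip2": ips["victim"],
            "query_from": str(start), "query_until": str(end),
            "limit_bytes": limit_bytes, "output": "pcap"}


def to_cli(command: str, args: dict) -> str:
    """Render arguments as an XSOAR CLI line, quoting values that contain spaces."""
    parts = [f'{k}="{v}"' if " " in str(v) else f"{k}={v}" for k, v in args.items()]
    return f"!{command} " + " ".join(parts)


# First detection of the extrahop-detections-list context example on this page.
SAMPLE_DETECTION = {
    "id": 1110161, "start_time": 1676895361452, "end_time": 1676895361452,
    "participants": [
        {"external": False, "id": 2187135, "object_type": "ipaddr",
         "object_value": "0.0.0.0", "role": "offender"},
        {"external": True, "id": 2187136, "object_type": "ipaddr",
         "object_value": "0.0.0.2", "role": "victim"},
    ],
}

if __name__ == "__main__":
    print(to_cli("extrahop-packets-search", packet_search_args(SAMPLE_DETECTION)))
```

The output is pinned to pcap on purpose: keylog_txt and zip also return the TLS session keys, and a playbook that writes those into the War Room by default hands decryption material to everyone who can read the incident.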

Additional Information#

ExtraHop Reveal(x) Playbooks

  • ExtraHop - Default
  • ExtraHop - CVE-2019-0708 (BlueKeep)
  • ExtraHop - Ticket Tracking
  • ExtraHop - Get Peers by Host

Use Cases

  • Create incidents for every detection that ExtraHop Reveal(x) surfaces in real-time.
  • Enable guided investigation and response through playbooks and automation scripts.
  • Query the ExtraHop Reveal(x) REST API using the simple and powerful Cortex XSOAR CLI.