+ Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response. +
+Visit the ExtraHop + Demisto Setup Guide for detailed integration instructions.
+Incidents are pushed in via the Demisto REST API by a trigger running on the ExtraHop Reveal(x) appliance.
++ You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. + After you successfully execute a command, a DBot message appears in the War Room with the command details. +
+Get all alert rules from ExtraHop.
+
+ extrahop-get-alerts
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| Extrahop.Alert.Operator | +String | +b'The logical operator applied when comparing the value of the operand field to alert conditions.' | +
| Extrahop.Alert.FieldName | +String | +b'The name of the monitored metric.' | +
| Extrahop.Alert.NotifySnmp | +Boolean | +b'Indicates whether to send an SNMP trap when an alert is generated. ' | +
| Extrahop.Alert.Operand | +String | +b'The value to compare against alert conditions.' | +
| Extrahop.Alert.IntervalLength | +Number | +b'The length of the alert interval, expressed in seconds.' | +
| Extrahop.Alert.Author | +String | +b'The name of the user that created the alert. ' | +
| Extrahop.Alert.Name | +String | +b'The unique, friendly name for the alert.' | +
| Extrahop.Alert.FieldName2 | +String | +b'The second monitored metric when applying a ratio.' | +
| Extrahop.Alert.RefireInterval | +Number | +b'The time interval in which alert conditions are monitored, expressed in seconds.' | +
| Extrahop.Alert.ModTime | +Number | +b'The time of the most recent update, expressed in milliseconds since the epoch. ' | +
| Extrahop.Alert.Units | +String | +b'The interval in which to evaluate the alert condition.' | +
| Extrahop.Alert.ApplyAll | +Boolean | +b'Indicates whether the alert is assigned to all available data sources.' | +
| Extrahop.Alert.Type | +String | +b'The type of alert.' | +
| Extrahop.Alert.FieldOp | +String | +b'The type of comparison between the "field_name" and "field_name2" fields when applying a ratio.' | +
| Extrahop.Alert.Id | +Number | +b'The unique identifier for the alert.' | +
| Extrahop.Alert.Disabled | +Boolean | +b'Indicates whether the alert is disabled.' | +
| Extrahop.Alert.Description | +String | +b'An optional description for the alert.' | +
| Extrahop.Alert.Severity | +Number | +b'The severity level of the alert.' | +
| Extrahop.Alert.StatName | +String | +b'The statistic name for the alert.' | +
+
+ !extrahop-get-alerts
+
+{
+ "ExtraHop": {
+ "Alert": [
+ {
+ "ApplyAll": false,
+ "Author": "ExtraHop",
+ "Description": "Alert triggered when ratio of web errors is greater than 5%.",
+ "Disabled": true,
+ "FieldName": "rsp_error",
+ "FieldName2": "rsp",
+ "FieldOp": "/",
+ "Id": 11,
+ "IntervalLength": 30,
+ "ModTime": 1522964293585,
+ "Name": "Web Error Ratio - Red",
+ "NotifySnmp": false,
+ "Operand": ".05",
+ "Operator": ">",
+ "RefireInterval": 300,
+ "Severity": 1,
+ "StatName": "extrahop.application.http",
+ "Type": "threshold",
+ "Units": "none"
+ },
+ {
+ "ApplyAll": false,
+ "Author": "ExtraHop",
+ "Description": "Alert triggered when ratio of web errors is greater than 1%.",
+ "Disabled": true,
+ "FieldName": "rsp_error",
+ "FieldName2": "rsp",
+ "FieldOp": "/",
+ "Id": 12,
+ "IntervalLength": 30,
+ "ModTime": 1522964293596,
+ "Name": "Web Error Ratio - Orange",
+ "NotifySnmp": false,
+ "Operand": ".01",
+ "Operator": ">",
+ "RefireInterval": 300,
+ "Severity": 3,
+ "StatName": "extrahop.application.http",
+ "Type": "threshold",
+ "Units": "none"
+ }
+ ]
+ }
+}
+
++
| Apply All | +Author | +Description | +Disabled | +Field Name | +Field Name2 | +Field Op | +Id | +Interval Length | +Mod Time | +Name | +Notify Snmp | +Operand | +Operator | +Refire Interval | +Severity | +Stat Name | +Type | +Units | +
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| false | +ExtraHop | +Alert triggered when ratio of web errors is greater than 5%. | +true | +rsp_error | +rsp | +/ | +11 | +30 | +1522964293585 | +Web Error Ratio - Red | +false | +.05 | +> | +300 | +1 | +extrahop.application.http | +threshold | +none | +
| false | +ExtraHop | +Alert triggered when ratio of web errors is greater than 1%. | +true | +rsp_error | +rsp | +/ | +12 | +30 | +1522964293596 | +Web Error Ratio - Orange | +false | +.01 | +> | +300 | +3 | +extrahop.application.http | +threshold | +none | +
Query records from ExtraHop.
+
+ extrahop-query-records
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| query_from | +The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -10m to begin the search with records created 10 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Required | +
| query_until | +The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. A 0 value specifies that the search will end with records created at the time of the request. A negative value specifies that the search will end with records created at a time in the past relative to the current time. For example, specify -5m to end the search with records created 5 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| limit | +The maximum number of entries to return. | +Optional | +
| offset | +The number of records to skip in the query results. | +Optional | +
| field1 | +The name of the field in the record to be filtered. The query compares field1 to value1 and applies the compare method specified by the operator1 parameter. If the specified field name is ".any", the union of all field values will be searched. If the specified field name is ".ipaddr" or ".port", the client, server, sender, and receiver roles are included in the search. | +Optional | +
| operator1 | +The compare method applied when matching value1 against the field1 contents. | +Optional | +
| value1 | +The value that the query attempts to match. The query compares this value to the contents of the field1 parameter and applies the compare method specified by the operator1 parameter. | +Optional | +
| field2 | +The name of the field in the record to be filtered. The query compares field2 to value2 and applies the compare method specified by the operator2 parameter. If the specified field name is ".any", the union of all field values will be searched. If the specified field name is ".ipaddr" or ".port", the client, server, sender, and receiver roles are included in the search. | +Optional | +
| operator2 | +The compare method applied when matching value2 against the field2 contents. | +Optional | +
| value2 | +The value that the query attempts to match. The query compares this value to the contents of the field2 parameter and applies the compare method specified by the operator2 parameter. | +Optional | +
| match_type | +The match operator to use when chaining the search fields of 1 and 2 together. For example, to find HTTP records with status code 500 or a processing time greater than 100ms (set match_type=or, field1=statusCode, operator1==, value1=500, field2=processingTime, operator2=> value2=100, types=http). | +Optional | +
| types | +A list of one or more record formats for the query to filter on, comma separated. The query returns only records that match the specified formats. | +Optional | +
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| ExtraHop.Record.Type | +string | +b'The record format.' | +
| ExtraHop.Record.Source.timestamp | +Number | +b'The timestamp of the item.' | +
| ExtraHop.Record.Source.detection | +string | +b'The detection type that committed the record.' | +
| ExtraHop.Record.Source.ex.isSuspicious | +Boolean | +b'Marked as suspicious by Threat Intelligence.' | +
| ExtraHop.Record.Source.accessTime | +Number | +b'Access Time' | +
| ExtraHop.Record.Source.ackCode | +String | +b'Ack Code' | +
| ExtraHop.Record.Source.ackId | +String | +b'Ack ID' | +
| ExtraHop.Record.Source.adminQueue | +String | +b'Admin Queue' | +
| ExtraHop.Record.Source.age | +Number | +b'Age' | +
| ExtraHop.Record.Source.alertCode | +Number | +b'Alert Code' | +
| ExtraHop.Record.Source.alertLevel | +String | +b'Alert Level' | +
| ExtraHop.Record.Source.answer | +Unknown | +b'Answer' | +
| ExtraHop.Record.Source.answers | +Unknown | +b'Answers' | +
| ExtraHop.Record.Source.appName | +String | +b'Application Name' | +
| ExtraHop.Record.Source.application | +Unknown | +b'Application' | +
| ExtraHop.Record.Source.args | +String | +b'Arguments' | +
| ExtraHop.Record.Source.authDomain | +String | +b'Authentication Domain' | +
| ExtraHop.Record.Source.authMethod | +String | +b'Authentication Method' | +
| ExtraHop.Record.Source.authResult | +Number | +b'Auth Result' | +
| ExtraHop.Record.Source.authType | +Number | +b'Auth Type' | +
| ExtraHop.Record.Source.authenticator | +String | +b'Authenticator' | +
| ExtraHop.Record.Source.bindDN | +String | +b'Bind Distinguished Name' | +
| ExtraHop.Record.Source.bytes | +Number | +b'Bytes' | +
| ExtraHop.Record.Source.cName | +String | +b'Canonical Endpoint' | +
| ExtraHop.Record.Source.cNameType | +String | +b'Client Name Type' | +
| ExtraHop.Record.Source.cNames | +String | +b'Client Name Components' | +
| ExtraHop.Record.Source.cRealm | +String | +b'Client Realm' | +
| ExtraHop.Record.Source.callId | +String | +b'Call ID' | +
| ExtraHop.Record.Source.certificateFingerprint | +String | +b'Certificate Fingerprint' | +
| ExtraHop.Record.Source.certificateIsSelfSigned | +Boolean | +b'Certificate Self Signed' | +
| ExtraHop.Record.Source.certificateIssuer | +String | +b'Certificate Issuer' | +
| ExtraHop.Record.Source.certificateKeySize | +Number | +b'Certificate Key Size' | +
| ExtraHop.Record.Source.certificateNotAfter | +Number | +b'Certificate Not After' | +
| ExtraHop.Record.Source.certificateNotBefore | +Number | +b'Certificate Not Before' | +
| ExtraHop.Record.Source.certificateSignatureAlgorithm | +String | +b'Certificate Signature Algorithm' | +
| ExtraHop.Record.Source.certificateSubject | +String | +b'Certificate Subject' | +
| ExtraHop.Record.Source.certificateSubjectAlternativeNames | +String | +b'Certificate Subject Alternative Names' | +
| ExtraHop.Record.Source.channel | +String | +b'Channel' | +
| ExtraHop.Record.Source.cipherSuite | +String | +b'Cipher Suite' | +
| ExtraHop.Record.Source.client.type | +String | +b'Client Type' | +
| ExtraHop.Record.Source.client.value | +String | +b'Client Discovery ID' | +
| ExtraHop.Record.Source.clientAddr.type | +String | +b'Client IP Address Type' | +
| ExtraHop.Record.Source.clientAddr.value | +String | +b'Client IP Address Value' | +
| ExtraHop.Record.Source.clientBuild | +String | +b'Client Build' | +
| ExtraHop.Record.Source.clientBytes | +Number | +b'Client Bytes' | +
| ExtraHop.Record.Source.clientCGPMsgCount | +Number | +b'Client CGP Messages' | +
| ExtraHop.Record.Source.clientCertificateRequested | +Boolean | +b'Client Certificate Requested' | +
| ExtraHop.Record.Source.clientCipherAlgorithm | +String | +b'Client Cipher Algorithm' | +
| ExtraHop.Record.Source.clientCompressionAlgorithm | +String | +b'Client Compression Algorithm' | +
| ExtraHop.Record.Source.clientImplementation | +String | +b'Client Implementation' | +
| ExtraHop.Record.Source.clientL2Bytes | +Number | +b'Client L2 Bytes' | +
| ExtraHop.Record.Source.clientLatency | +Number | +b'Client Latency' | +
| ExtraHop.Record.Source.clientMacAlgorithm | +String | +b'Client MAC Algorithm' | +
| ExtraHop.Record.Source.clientMachine | +String | +b'Client Machine' | +
| ExtraHop.Record.Source.clientMsgCount | +Number | +b'Client Messages' | +
| ExtraHop.Record.Source.clientName | +String | +b'Client Name' | +
| ExtraHop.Record.Source.clientPkts | +Number | +b'Client Packets' | +
| ExtraHop.Record.Source.clientPort | +Number | +b'Client Port' | +
| ExtraHop.Record.Source.clientPrincipalName | +String | +b'Client Principal Name' | +
| ExtraHop.Record.Source.clientRTO | +Number | +b'Client RTO' | +
| ExtraHop.Record.Source.clientReqDelay | +Number | +b'Client Request Delay' | +
| ExtraHop.Record.Source.clientType | +String | +b'ICA Client Type' | +
| ExtraHop.Record.Source.clientVersion | +String | +b'Client Version' | +
| ExtraHop.Record.Source.clientZeroWnd | +Number | +b'Client Zero Windows' | +
| ExtraHop.Record.Source.collection | +String | +b'Collection' | +
| ExtraHop.Record.Source.command | +String | +b'Command' | +
| ExtraHop.Record.Source.contentType | +String | +b'Content Type' | +
| ExtraHop.Record.Source.conversationId | +Number | +b'Conversation ID' | +
| ExtraHop.Record.Source.cookie | +String | +b'Cookie' | +
| ExtraHop.Record.Source.correlationId | +String | +b'Correlation ID' | +
| ExtraHop.Record.Source.cwd | +String | +b'Current Working Directory' | +
| ExtraHop.Record.Source.dataSize | +Number | +b'Data Size' | +
| ExtraHop.Record.Source.database | +String | +b'Database' | +
| ExtraHop.Record.Source.deltaBytes | +Number | +b'Delta Bytes' | +
| ExtraHop.Record.Source.deltaPkts | +Number | +b'Delta Packets' | +
| ExtraHop.Record.Source.desktopHeight | +Number | +b'Desktop Height' | +
| ExtraHop.Record.Source.desktopWidth | +Number | +b'Desktop Width' | +
| ExtraHop.Record.Source.destination | +String | +b'Destination' | +
| ExtraHop.Record.Source.dn | +String | +b'Distinguished Name' | +
| ExtraHop.Record.Source.domain | +String | +b'Domain' | +
| ExtraHop.Record.Source.drops | +Number | +b'Drops' | +
| ExtraHop.Record.Source.dscpName | +String | +b'DSCP' | +
| ExtraHop.Record.Source.dstQueueMgr | +String | +b'Destination Queue Manager' | +
| ExtraHop.Record.Source.dups | +Number | +b'Dups' | +
| ExtraHop.Record.Source.duration | +Number | +b'Duration' | +
| ExtraHop.Record.Source.egressInterface | +Unknown | +b'Egress Interface' | +
| ExtraHop.Record.Source.error | +String | +b'Error' | +
| ExtraHop.Record.Source.errorDetail | +String | +b'Error Detail' | +
| ExtraHop.Record.Source.expiration | +Number | +b'Expiration' | +
| ExtraHop.Record.Source.first | +Number | +b'First' | +
| ExtraHop.Record.Source.flowId | +String | +b'Flow' | +
| ExtraHop.Record.Source.format | +String | +b'Format' | +
| ExtraHop.Record.Source.frameCutDuration | +Number | +b'Frame Cut Duration' | +
| ExtraHop.Record.Source.frameSendDuration | +Number | +b'Frame Send Duration' | +
| ExtraHop.Record.Source.from | +String | +b'From' | +
| ExtraHop.Record.Source.functionId | +Number | +b'Function ID' | +
| ExtraHop.Record.Source.functionName | +String | +b'Function Name' | +
| ExtraHop.Record.Source.fwdReqClientAddr.type | +String | +b'Forwarded Request Client IP Address Type' | +
| ExtraHop.Record.Source.fwdReqClientAddr.value | +String | +b'Forwarded Request Client IP Address Value' | +
| ExtraHop.Record.Source.fwdReqHost | +String | +b'Forwarded Request Host' | +
| ExtraHop.Record.Source.fwdReqIsEncrypted | +Boolean | +b'Forwarded Request Is Encrypted' | +
| ExtraHop.Record.Source.fwdReqServerName | +String | +b'Forwarded Request Server Name' | +
| ExtraHop.Record.Source.fwdReqServerPort | +Number | +b'Forwarded Request Server Port' | +
| ExtraHop.Record.Source.gwAddr.type | +String | +b'Gateway IP Address Type' | +
| ExtraHop.Record.Source.gwAddr.value | +String | +b'Gateway IP Address Value' | +
| ExtraHop.Record.Source.handshakeTime | +Number | +b'Handshake Time' | +
| ExtraHop.Record.Source.hasSDP | +Boolean | +b'Has SDP' | +
| ExtraHop.Record.Source.hassh | +String | +b'HASSH' | +
| ExtraHop.Record.Source.hasshServer | +String | +b'HASSH Server' | +
| ExtraHop.Record.Source.heartbeatPayloadLength | +Number | +b'Heartbeat Payload Length' | +
| ExtraHop.Record.Source.heartbeatType | +Number | +b'Heartbeat Type' | +
| ExtraHop.Record.Source.hitCount | +Number | +b'Hit Count' | +
| ExtraHop.Record.Source.hopLimit | +Number | +b'Hop Limit' | +
| ExtraHop.Record.Source.host | +String | +b'Host' | +
| ExtraHop.Record.Source.htype | +Number | +b'Hardware Address Type' | +
| ExtraHop.Record.Source.ingressInterface | +Unknown | +b'Ingress Interface' | +
| ExtraHop.Record.Source.interface | +String | +b'Interface' | +
| ExtraHop.Record.Source.isAborted | +Boolean | +b'Aborted' | +
| ExtraHop.Record.Source.isAuthoritative | +Boolean | +b'Authoritative' | +
| ExtraHop.Record.Source.isBinaryProtocol | +Boolean | +b'Binary Protocol' | +
| ExtraHop.Record.Source.isCheckingDisabled | +Boolean | +b'Checking Disabled' | +
| ExtraHop.Record.Source.isCleanShutdown | +Boolean | +b'Clean Shutdown' | +
| ExtraHop.Record.Source.isClientDiskRead | +Boolean | +b'Client Disk Read' | +
| ExtraHop.Record.Source.isClientDiskWrite | +Boolean | +b'Client Disk Write' | +
| ExtraHop.Record.Source.isCommandCreate | +Boolean | +b'Create Command' | +
| ExtraHop.Record.Source.isCommandDelete | +Boolean | +b'Delete Command' | +
| ExtraHop.Record.Source.isCommandFileInfo | +Boolean | +b'FileInfo Command' | +
| ExtraHop.Record.Source.isCommandLock | +Boolean | +b'Lock Command' | +
| ExtraHop.Record.Source.isCommandRead | +Boolean | +b'Read Command' | +
| ExtraHop.Record.Source.isCommandRename | +Boolean | +b'Rename Command' | +
| ExtraHop.Record.Source.isCommandWrite | +Boolean | +b'Write Command' | +
| ExtraHop.Record.Source.isCompressed | +Boolean | +b'Compressed' | +
| ExtraHop.Record.Source.isEncrypted | +Boolean | +b'Encrypted' | +
| ExtraHop.Record.Source.isNoReply | +Boolean | +b'No Reply' | +
| ExtraHop.Record.Source.isPipelined | +Boolean | +b'Pipelined' | +
| ExtraHop.Record.Source.isRecursionAvailable | +Boolean | +b'Recursion Available' | +
| ExtraHop.Record.Source.isRecursionDesired | +Boolean | +b'Recursion Desired' | +
| ExtraHop.Record.Source.isRenegotiate | +Boolean | +b'Renegotiate' | +
| ExtraHop.Record.Source.isReqAborted | +Boolean | +b'Request Aborted' | +
| ExtraHop.Record.Source.isReqTimeout | +Boolean | +b'Request Timed Out' | +
| ExtraHop.Record.Source.isReqTruncated | +Boolean | +b'Request Truncated' | +
| ExtraHop.Record.Source.isRspAborted | +Boolean | +b'Response Aborted' | +
| ExtraHop.Record.Source.isRspChunked | +Boolean | +b'Chunked' | +
| ExtraHop.Record.Source.isRspCompressed | +Boolean | +b'Rsp Compressed' | +
| ExtraHop.Record.Source.isRspImplicit | +Boolean | +b'Response Implicit' | +
| ExtraHop.Record.Source.isRspTruncated | +Boolean | +b'Response Truncated' | +
| ExtraHop.Record.Source.isSQLi | +Boolean | +b'Contains SQLi' | +
| ExtraHop.Record.Source.isSharedSession | +Boolean | +b'Shared Session' | +
| ExtraHop.Record.Source.isSubOperation | +Boolean | +b'Is a suboperation' | +
| ExtraHop.Record.Source.isWeakCipherSuite | +Boolean | +b'Weak Cipher Suite' | +
| ExtraHop.Record.Source.isXSS | +Boolean | +b'Contains XSS' | +
| ExtraHop.Record.Source.ja3Hash | +String | +b'JA3 Hash' | +
| ExtraHop.Record.Source.ja3sHash | +String | +b'JA3S Hash' | +
| ExtraHop.Record.Source.jitter | +Number | +b'Jitter' | +
| ExtraHop.Record.Source.kexAlgorithm | +String | +b'KEX Algorithm' | +
| ExtraHop.Record.Source.keyboardLayout | +String | +b'Keyboard Layout' | +
| ExtraHop.Record.Source.l2Bytes | +Number | +b'L2 Bytes' | +
| ExtraHop.Record.Source.l7proto | +String | +b'L7 Protocol' | +
| ExtraHop.Record.Source.label | +String | +b'Label' | +
| ExtraHop.Record.Source.last | +Number | +b'Last' | +
| ExtraHop.Record.Source.launchParams | +String | +b'Parameters' | +
| ExtraHop.Record.Source.loadTime | +Number | +b'Load Time' | +
| ExtraHop.Record.Source.loginTime | +Number | +b'Login Time' | +
| ExtraHop.Record.Source.method | +String | +b'Method' | +
| ExtraHop.Record.Source.missCount | +Number | +b'Miss Count' | +
| ExtraHop.Record.Source.mos | +Number | +b'MOS' | +
| ExtraHop.Record.Source.msgClass | +String | +b'Message Class' | +
| ExtraHop.Record.Source.msgCode | +Number | +b'Message Code' | +
| ExtraHop.Record.Source.msgFormat | +String | +b'Message Format' | +
| ExtraHop.Record.Source.msgId | +Number | +b'Message ID' | +
| ExtraHop.Record.Source.msgLength | +Number | +b'Message Length' | +
| ExtraHop.Record.Source.msgSize | +Number | +b'Message Size' | +
| ExtraHop.Record.Source.msgText | +String | +b'Message Text' | +
| ExtraHop.Record.Source.msgType | +String | +b'Message Type' | +
| ExtraHop.Record.Source.network | +Unknown | +b'Flow Network' | +
| ExtraHop.Record.Source.networkAddr.type | +String | +b'Flow Network IP Address Type' | +
| ExtraHop.Record.Source.networkAddr.value | +String | +b'Flow Network IP Address Value' | +
| ExtraHop.Record.Source.networkLatency | +Number | +b'Network Latency' | +
| ExtraHop.Record.Source.nextHop.type | +String | +b'Next Hop IP Address Type' | +
| ExtraHop.Record.Source.nextHop.value | +String | +b'Next Hop IP Address Value' | +
| ExtraHop.Record.Source.nextHopMTU | +Number | +b'Next Hop MTU' | +
| ExtraHop.Record.Source.notAfter | +Number | +b'Certificate Not After' | +
| ExtraHop.Record.Source.offeredAddr.type | +String | +b'Offered IP Address Type' | +
| ExtraHop.Record.Source.offeredAddr.value | +String | +b'Offered IP Address Value' | +
| ExtraHop.Record.Source.offset | +Number | +b'Offset' | +
| ExtraHop.Record.Source.opcode | +String | +b'Opcode' | +
| ExtraHop.Record.Source.operation | +String | +b'Operation' | +
| ExtraHop.Record.Source.option | +String | +b'Options' | +
| ExtraHop.Record.Source.origin | +String | +b'Origin' | +
| ExtraHop.Record.Source.outOfOrder | +Number | +b'Out Of Order' | +
| ExtraHop.Record.Source.path | +String | +b'Path' | +
| ExtraHop.Record.Source.payloadType | +String | +b'Payload Type' | +
| ExtraHop.Record.Source.payloadTypeId | +Number | +b'Payload Type ID' | +
| ExtraHop.Record.Source.persistent | +Boolean | +b'Persistent' | +
| ExtraHop.Record.Source.pkts | +Number | +b'Packets' | +
| ExtraHop.Record.Source.pointer | +Number | +b'Pointer' | +
| ExtraHop.Record.Source.printerName | +String | +b'Printer Name' | +
| ExtraHop.Record.Source.priority | +Number | +b'Priority' | +
| ExtraHop.Record.Source.procedure | +String | +b'Procedure' | +
| ExtraHop.Record.Source.processingTime | +Number | +b'Processing Time' | +
| ExtraHop.Record.Source.program | +String | +b'Program' | +
| ExtraHop.Record.Source.proto | +String | +b'IP Protocol' | +
| ExtraHop.Record.Source.protocol | +String | +b'Protocol' | +
| ExtraHop.Record.Source.putAppName | +String | +b'Put Application Name' | +
| ExtraHop.Record.Source.qname | +String | +b'Query Name' | +
| ExtraHop.Record.Source.qtype | +String | +b'Query Type' | +
| ExtraHop.Record.Source.query | +String | +b'Query' | +
| ExtraHop.Record.Source.queue | +String | +b'Queue' | +
| ExtraHop.Record.Source.queueMgr | +String | +b'Queue Manager' | +
| ExtraHop.Record.Source.rFactor | +Number | +b'R Factor' | +
| ExtraHop.Record.Source.realm | +String | +b'Server Realm' | +
| ExtraHop.Record.Source.receiver.type | +String | +b'Receiver Type' | +
| ExtraHop.Record.Source.receiver.value | +String | +b'Receiver Discovery ID' | +
| ExtraHop.Record.Source.receiverAddr.type | +String | +b'Receiver IP Address Type' | +
| ExtraHop.Record.Source.receiverAddr.value | +String | +b'Receiver IP Address Value' | +
| ExtraHop.Record.Source.receiverAsn | +Number | +b'Receiver ASN' | +
| ExtraHop.Record.Source.receiverBytes | +Number | +b'Receiver Bytes' | +
| ExtraHop.Record.Source.receiverIsBroker | +Boolean | +b'To Broker' | +
| ExtraHop.Record.Source.receiverL2Bytes | +Number | +b'Receiver L2 Bytes' | +
| ExtraHop.Record.Source.receiverPkts | +Number | +b'Receiver Packets' | +
| ExtraHop.Record.Source.receiverPort | +Number | +b'Receiver Port' | +
| ExtraHop.Record.Source.receiverPrefixLength | +Number | +b'Receiver Prefix Length' | +
| ExtraHop.Record.Source.receiverRTO | +Number | +b'Receiver RTO' | +
| ExtraHop.Record.Source.receiverZeroWnd | +Number | +b'Receiver Zero Windows' | +
| ExtraHop.Record.Source.recipient | +String | +b'Recipient' | +
| ExtraHop.Record.Source.recipientList | +String | +b'Recipient List' | +
| ExtraHop.Record.Source.redeliveryCount | +Number | +b'Redelivery Count' | +
| ExtraHop.Record.Source.referer | +String | +b'Referer' | +
| ExtraHop.Record.Source.renameDirChanged | +Boolean | +b'Rename Directory Changed' | +
| ExtraHop.Record.Source.replyTo | +String | +b'Reply To' | +
| ExtraHop.Record.Source.reqBytes | +Number | +b'Request Bytes' | +
| ExtraHop.Record.Source.reqKey | +String | +b'Request Key' | +
| ExtraHop.Record.Source.reqL2Bytes | +Number | +b'Request L2 Bytes' | +
| ExtraHop.Record.Source.reqPdu | +String | +b'Request PDU Type' | +
| ExtraHop.Record.Source.reqPkts | +Number | +b'Request Packets' | +
| ExtraHop.Record.Source.reqRTO | +Number | +b'Request RTO' | +
| ExtraHop.Record.Source.reqSize | +Number | +b'Request Size' | +
| ExtraHop.Record.Source.reqTimeToLastByte | +Number | +b'Req Time To Last Byte' | +
| ExtraHop.Record.Source.reqTransferTime | +Number | +b'Request Transfer Time' | +
| ExtraHop.Record.Source.requestedColorDepth | +String | +b'Requested Color Depth' | +
| ExtraHop.Record.Source.requestedProtocols | +String | +b'Requested Protocols' | +
| ExtraHop.Record.Source.resolvedQueue | +String | +b'Resolved Queue' | +
| ExtraHop.Record.Source.resolvedQueueMgr | +String | +b'Resolved Queue Manager' | +
| ExtraHop.Record.Source.resource | +String | +b'Resource' | +
| ExtraHop.Record.Source.responseQueue | +String | +b'Response Queue' | +
| ExtraHop.Record.Source.roundTripTime | +Number | +b'Round Trip Time' | +
| ExtraHop.Record.Source.rspBytes | +Number | +b'Response Bytes' | +
| ExtraHop.Record.Source.rspL2Bytes | +Number | +b'Response L2 Bytes' | +
| ExtraHop.Record.Source.rspPdu | +String | +b'Response PDU Type' | +
| ExtraHop.Record.Source.rspPkts | +Number | +b'Response Packets' | +
| ExtraHop.Record.Source.rspRTO | +Number | +b'Response RTO' | +
| ExtraHop.Record.Source.rspSize | +Number | +b'Response Size' | +
| ExtraHop.Record.Source.rspTimeToFirstByte | +Number | +b'Rsp Time To First Byte' | +
| ExtraHop.Record.Source.rspTimeToFirstHeader | +Number | +b'Rsp Time To First Header' | +
| ExtraHop.Record.Source.rspTimeToFirstPayload | +Number | +b'Rsp Time To First Payload' | +
| ExtraHop.Record.Source.rspTimeToLastByte | +Number | +b'Rsp Time To Last Byte' | +
| ExtraHop.Record.Source.rspTransferTime | +Number | +b'Response Transfer Time' | +
| ExtraHop.Record.Source.rspVersion | +String | +b'Response Version' | +
| ExtraHop.Record.Source.rto | +Number | +b'RTO' | +
| ExtraHop.Record.Source.sNameType | +String | +b'Server Name Type' | +
| ExtraHop.Record.Source.sNames | +String | +b'Server Name Components' | +
| ExtraHop.Record.Source.saslMechanism | +String | +b'SASL Mechanism' | +
| ExtraHop.Record.Source.searchFilter | +String | +b'Search Filter' | +
| ExtraHop.Record.Source.searchScope | +String | +b'Search Scope' | +
| ExtraHop.Record.Source.selectedProtocol | +String | +b'Selected Protocol' | +
| ExtraHop.Record.Source.sender.type | +String | +b'Sender Type' | +
| ExtraHop.Record.Source.sender.value | +String | +b'Sender Discovery ID' | +
| ExtraHop.Record.Source.senderAddr.type | +String | +b'Sender IP Address Type' | +
| ExtraHop.Record.Source.senderAddr.value | +String | +b'Sender IP Address Value' | +
| ExtraHop.Record.Source.senderAsn | +Number | +b'Sender ASN' | +
| ExtraHop.Record.Source.senderBytes | +Number | +b'Sender Bytes' | +
| ExtraHop.Record.Source.senderIsBroker | +Boolean | +b'From Broker' | +
| ExtraHop.Record.Source.senderL2Bytes | +Number | +b'Sender L2 Bytes' | +
| ExtraHop.Record.Source.senderPkts | +Number | +b'Sender Packets' | +
| ExtraHop.Record.Source.senderPort | +Number | +b'Sender Port' | +
| ExtraHop.Record.Source.senderPrefixLength | +Number | +b'Sender Prefix Length' | +
| ExtraHop.Record.Source.senderRTO | +Number | +b'Sender RTO' | +
| ExtraHop.Record.Source.senderZeroWnd | +Number | +b'Sender Zero Windows' | +
| ExtraHop.Record.Source.seqNum | +Number | +b'Sequence Number' | +
| ExtraHop.Record.Source.server.type | +String | +b'Server Type' | +
| ExtraHop.Record.Source.server.value | +String | +b'Server Discovery ID' | +
| ExtraHop.Record.Source.serverAddr.type | +String | +b'Server IPv4 Address Type' | +
| ExtraHop.Record.Source.serverAddr.value | +String | +b'Server IPv4 Address Value' | +
| ExtraHop.Record.Source.serverBytes | +Number | +b'Server Bytes' | +
| ExtraHop.Record.Source.serverCGPMsgCount | +Number | +b'Server CGP Messages' | +
| ExtraHop.Record.Source.serverCipherAlgorithm | +String | +b'Server Cipher Algorithm' | +
| ExtraHop.Record.Source.serverCompressionAlgorithm | +String | +b'Server Compression Algorithm' | +
| ExtraHop.Record.Source.serverImplementation | +String | +b'Server Implementation' | +
| ExtraHop.Record.Source.serverL2Bytes | +Number | +b'Server L2 Bytes' | +
| ExtraHop.Record.Source.serverMacAlgorithm | +String | +b'Server MAC Algorithm' | +
| ExtraHop.Record.Source.serverMsgCount | +Number | +b'Server Messages' | +
| ExtraHop.Record.Source.serverPkts | +Number | +b'Server Packets' | +
| ExtraHop.Record.Source.serverPort | +Number | +b'Server Port' | +
| ExtraHop.Record.Source.serverPrincipalName | +String | +b'Server Principal Name' | +
| ExtraHop.Record.Source.serverRTO | +Number | +b'Server RTO' | +
| ExtraHop.Record.Source.serverVersion | +String | +b'Server Version' | +
| ExtraHop.Record.Source.serverZeroWnd | +Number | +b'Server Zero Windows' | +
| ExtraHop.Record.Source.share | +String | +b'Share' | +
| ExtraHop.Record.Source.source | +String | +b'Source' | +
| ExtraHop.Record.Source.sqli | +String | +b'Potential SQLi' | +
| ExtraHop.Record.Source.srcQueueMgr | +String | +b'Source Queue Manager' | +
| ExtraHop.Record.Source.ssrc | +Number | +b'Sender SSRC' | +
| ExtraHop.Record.Source.statement | +String | +b'Statement' | +
| ExtraHop.Record.Source.status | +String | +b'Status' | +
| ExtraHop.Record.Source.statusCode | +Number | +b'Status Code' | +
| ExtraHop.Record.Source.statusText | +String | +b'Status Text' | +
| ExtraHop.Record.Source.table | +String | +b'Table' | +
| ExtraHop.Record.Source.target | +String | +b'Target' | +
| ExtraHop.Record.Source.tcpFlags | +Number | +b'TCP Flags' | +
| ExtraHop.Record.Source.thinkTime | +Number | +b'Think Time' | +
| ExtraHop.Record.Source.tickChannel | +String | +b'Tick Channel' | +
| ExtraHop.Record.Source.ticketHash | +String | +b'Encrypted Ticket Hash' | +
| ExtraHop.Record.Source.till | +String | +b'Till' | +
| ExtraHop.Record.Source.title | +String | +b'Title' | +
| ExtraHop.Record.Source.to | +String | +b'To' | +
| ExtraHop.Record.Source.totalMsgLength | +Number | +b'Total Msg Length' | +
| ExtraHop.Record.Source.transferBytes | +Number | +b'Bytes Transferred' | +
| ExtraHop.Record.Source.txId | +Number | +b'Transaction ID' | +
| ExtraHop.Record.Source.unitId | +Number | +b'Unit ID' | +
| ExtraHop.Record.Source.uri | +String | +b'URI' | +
| ExtraHop.Record.Source.user | +String | +b'User' | +
| ExtraHop.Record.Source.userAgent | +String | +b'User Agent' | +
| ExtraHop.Record.Source.vbucket | +Number | +b'vBucket' | +
| ExtraHop.Record.Source.version | +String | +b'Version' | +
| ExtraHop.Record.Source.vlan | +Number | +b'VLAN' | +
| ExtraHop.Record.Source.vxlanVNI | +Number | +b'VxLAN VNI' | +
| ExtraHop.Record.Source.warning | +String | +b'Warning' | +
| ExtraHop.Record.Source.xss | +String | +b'Potential XSS' | +
+
+ !extrahop-query-records query_from=-6h limit=2
+
+{
+ "ExtraHop": {
+ "Record": [
+ {
+ "Id": "AW1goQmvylOgLDUmuFLT",
+ "Index": "extrahop-11-2019-9-24-0",
+ "Sort": [
+ 1569284181528.201
+ ],
+ "Source": {
+ "client": {
+ "type": "device",
+ "value": [
+ "fff41107140a0000"
+ ]
+ },
+ "clientAddr": {
+ "type": "ipaddr4",
+ "value": "172.16.34.152"
+ },
+ "clientPort": 34140,
+ "clientZeroWnd": 0,
+ "ex": {
+ "isSuspicious": false
+ },
+ "flowId": "0cac4df05d896054",
+ "host": "prod1.example.com",
+ "isPipelined": false,
+ "isReqAborted": false,
+ "isRspAborted": false,
+ "isRspChunked": false,
+ "isRspCompressed": false,
+ "isSQLi": false,
+ "isXSS": false,
+ "method": "POST",
+ "processingTime": 233.318,
+ "referer": "http://prod1.example.com/login?from=%2F",
+ "reqBytes": 1160,
+ "reqL2Bytes": 1518,
+ "reqPkts": 5,
+ "reqRTO": 0,
+ "reqSize": 64,
+ "reqTimeToLastByte": 0,
+ "roundTripTime": 0.245,
+ "rspBytes": 346,
+ "rspL2Bytes": 1284,
+ "rspPkts": 8,
+ "rspRTO": 0,
+ "rspSize": 0,
+ "rspTimeToFirstHeader": 233.318,
+ "rspTimeToLastByte": 234.528,
+ "rspVersion": "1.1",
+ "server": {
+ "type": "device",
+ "value": [
+ "fff4c3090a0a0000"
+ ]
+ },
+ "serverAddr": {
+ "type": "ipaddr4",
+ "value": "172.16.34.161"
+ },
+ "serverPort": 80,
+ "serverZeroWnd": 0,
+ "statusCode": 302,
+ "timestamp": 1569284181528.201,
+ "uri": "prod1.example.com/j_acegi_security_check",
+ "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
+ },
+ "Type": "~http"
+ },
+ {
+ "Id": "AW1gQF7uylOgLDUmoClO",
+ "Index": "extrahop-11-2019-9-23-0",
+ "Sort": [
+ 1569277857270.787
+ ],
+ "Source": {
+ "args": "",
+ "client": {
+ "type": "device",
+ "value": [
+ "fff48dff0a0a0000"
+ ]
+ },
+ "clientAddr": {
+ "type": "ipaddr4",
+ "value": "172.16.34.11"
+ },
+ "clientPort": 1920,
+ "clientZeroWnd": 0,
+ "cwd": "/",
+ "detection": [
+ "anonymous_ftp"
+ ],
+ "ex": {
+ "isSuspicious": false
+ },
+ "flowId": "037efd385d8947a0",
+ "isReqAborted": false,
+ "isRspAborted": false,
+ "method": "PASS",
+ "processingTime": 0.25,
+ "reqBytes": 22,
+ "reqL2Bytes": 490,
+ "reqPkts": 6,
+ "reqRTO": 0,
+ "rspBytes": 21,
+ "rspL2Bytes": 239,
+ "rspPkts": 2,
+ "rspRTO": 0,
+ "server": {
+ "type": "device",
+ "value": [
+ "fff45a060a0a0000"
+ ]
+ },
+ "serverAddr": {
+ "type": "ipaddr4",
+ "value": "172.16.34.231"
+ },
+ "serverPort": 21,
+ "serverZeroWnd": 0,
+ "statusCode": 230,
+ "timestamp": 1569277857270.787,
+ "user": "anonymous"
+ },
+ "Type": "~ftp"
+ }
+ ]
+ }
+}
+
++
| client | +clientAddr | +clientPort | +clientZeroWnd | +ex | +flowId | +host | +isPipelined | +isReqAborted | +isRspAborted | +isRspChunked | +isRspCompressed | +isSQLi | +isXSS | +method | +processingTime | +referer | +reqBytes | +reqL2Bytes | +reqPkts | +reqRTO | +reqSize | +reqTimeToLastByte | +roundTripTime | +rspBytes | +rspL2Bytes | +rspPkts | +rspRTO | +rspSize | +rspTimeToFirstHeader | +rspTimeToLastByte | +rspVersion | +server | +serverAddr | +serverPort | +serverZeroWnd | +statusCode | +timestamp | +uri | +userAgent | +
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| type: device value: fff41107140a0000 |
+ type: ipaddr4 value: 172.16.34.152 |
+ 34140 | +0 | +isSuspicious: false | +0cac4df05d896054 | +prod1.example.com | +false | +false | +false | +false | +false | +false | +false | +POST | +233.318 | +http://prod1.example.com/login?from=%2F | +1160 | +1518 | +5 | +0 | +64 | +0 | +0.245 | +346 | +1284 | +8 | +0 | +0 | +233.318 | +234.528 | +1.1 | +type: device value: fff4c3090a0a0000 |
+ type: ipaddr4 value: 172.16.34.161 |
+ 80 | +0 | +302 | +1569284181528.201 | +prod1.example.com/j_acegi_security_check | +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 | +
| type: device value: fff48dff0a0a0000 |
+ type: ipaddr4 value: 172.16.34.11 |
+ 1920 | +0 | +isSuspicious: false | +037efd385d8947a0 | ++ | + | false | +false | ++ | + | + | + | PASS | +0.25 | ++ | 22 | +490 | +6 | +0 | ++ | + | + | 21 | +239 | +2 | +0 | ++ | + | + | + | type: device value: fff45a060a0a0000 |
+ type: ipaddr4 value: 172.16.34.231 |
+ 21 | +0 | +230 | +1569277857270.787 | ++ | + |
Search for devices in ExtraHop.
+
+ extrahop-device-search
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| name | +The name of the device. This searches for matches on all ExtraHop name fields (DHCP, DNS, NetBIOS, Cisco Discovery Protocol, etc). | +Optional | +
| ip | +The IP address of the device. | +Optional | +
| mac | +The MAC address of the device. | +Optional | +
| role | +The role of the device. | +Optional | +
| software | +The OS of the device. | +Optional | +
| tag | +A tag present on the device. | +Optional | +
| vendor | +The vendor of the device, based on MAC address via OUI lookup. | +Optional | +
| discover_time | +The time that device was first seen by ExtraHop, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with the following unit suffixes: ms, s, m, h, d, w, M, y. For example, to look one day back enter -1d or -24h. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| vlan | +The VLAN ID of the Virtual LAN that the device is on. | +Optional | +
| activity | +The activity of the device. | +Optional | +
| operator | +The compare method applied when matching the fields against their values. For example, to find devices with names that begin with 'SEA1' (set name=SEA1, operator=startswith) | +Optional | +
| match_type | +The match operator to use when chaining the search fields together. For example, to find all HTTP servers running Windows on the network (set match_type=and, role=http_server, software=windows). | +Optional | +
| active_from | +The beginning timestamp for the request. Return only devices active after this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| active_until | +The ending timestamp for the request. Return only devices active before this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| limit | +The maximum number of devices to return. | +Optional | +
| l3_only | +Only returns layer 3 devices by filtering out any layer 2 parent devices. | +Optional | +
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| ExtraHop.Device.Macaddr | +String | +b'The MAC Address of the device.' | +
| ExtraHop.Device.DeviceClass | +String | +b'The class of the device.' | +
| ExtraHop.Device.UserModTime | +Number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| ExtraHop.Device.AutoRole | +String | +b'The role automatically detected by the ExtraHop.' | +
| ExtraHop.Device.ParentId | +Number | +b'The ID of the parent device.' | +
| ExtraHop.Device.Vendor | +String | +b'The device vendor.' | +
| ExtraHop.Device.Analysis | +string | +b'The level of analysis preformed on the device.' | +
| ExtraHop.Device.DiscoveryId | +String | +b'The UUID given by the Discover appliance.' | +
| ExtraHop.Device.DefaultName | +String | +b'The default name of the device.' | +
| ExtraHop.Device.DisplayName | +String | +b'The display name of device.' | +
| ExtraHop.Device.OnWatchlist | +Boolean | +b'Whether the device is on the advanced analysis whitelist.' | +
| ExtraHop.Device.ModTime | +Number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| ExtraHop.Device.IsL3 | +Boolean | +b'Indicates whether the device is a Layer 3 device.' | +
| ExtraHop.Device.Role | +String | +b'The role of the device.' | +
| ExtraHop.Device.DiscoverTime | +Number | +b'The time that the device was discovered.' | +
| ExtraHop.Device.Id | +Number | +b'The ID of the device.' | +
| ExtraHop.Device.Ipaddr4 | +String | +b'The IPv4 address of the device.' | +
| ExtraHop.Device.Vlanid | +Number | +b'The ID of VLan.' | +
| ExtraHop.Device.Ipaddr6 | +string | +b'The IPv6 address of the device.' | +
| ExtraHop.Device.NodeId | +number | +b'The Node ID of the Discover appliance.' | +
| ExtraHop.Device.Description | +string | +b'A user customizable description of the device.' | +
| ExtraHop.Device.DnsName | +string | +b'The DNS name associated with the device.' | +
| ExtraHop.Device.DhcpName | +string | +b'The DHCP name associated with the device.' | +
| ExtraHop.Device.CdpName | +string | +b'The Cisco Discovery Protocol name associated with the device.' | +
| ExtraHop.Device.NetbiosName | +string | +b'The NetBIOS name associated with the device.' | +
| ExtraHop.Device.Url | +string | +b'Link to the device details page in ExtraHop.' | +
+
+ !extrahop-device-search limit=2
+
+{
+ "ExtraHop": {
+ "Device": [
+ {
+ "Analysis": "l2_exempt",
+ "AnalysisLevel": 4,
+ "AutoRole": "other",
+ "DefaultName": "Dell A9B1F6",
+ "DeviceClass": "node",
+ "DhcpName": "Win3-Web",
+ "DiscoverTime": 1569277980000,
+ "DiscoveryId": "509a4ca9b1f60000",
+ "DisplayName": "Win3-Web",
+ "ExtrahopId": "509a4ca9b1f60000",
+ "Id": 18628,
+ "IsL3": false,
+ "Macaddr": "70:F6:4C:A3:C2:F0",
+ "ModTime": 1569278201104,
+ "OnWatchlist": false,
+ "Role": "other",
+ "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.509a4ca9b1f60000/overview/",
+ "UserModTime": 1569277990763,
+ "Vendor": "Dell",
+ "Vlanid": 0
+ },
+ {
+ "Analysis": "l2_exempt",
+ "AnalysisLevel": 4,
+ "AutoRole": "other",
+ "DefaultName": "Device a0510b0e4e210000",
+ "DeviceClass": "node",
+ "DhcpName": "PG1NP0ZR",
+ "DiscoverTime": 1569276630000,
+ "DiscoveryId": "a0510b0e4e210000",
+ "DisplayName": "PF1NP0ZR",
+ "ExtrahopId": "a0510b0e4e210000",
+ "Id": 18627,
+ "IsL3": false,
+ "Macaddr": "B1:62:1C:1F:5F:32",
+ "ModTime": 1569276641503,
+ "OnWatchlist": false,
+ "Role": "other",
+ "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.a0510b0e4e210000/overview/",
+ "UserModTime": 1569276640285,
+ "Vlanid": 0
+ }
+ ]
+ }
+}
+
++
| Display Name | +IP Address | +MAC Address | +Role | +Vendor | +URL | +
|---|---|---|---|---|---|
| Win3-Web | ++ | 70:F6:4C:A3:C2:F0 | +other | +Dell | +[View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.509a4ca9b1f60000/overview/) | +
| PG1NP0ZR | ++ | B1:62:1C:1F:5F:32 | +other | ++ | [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.a0510b0e4e210000/overview/) | +
Add or remove devices from the watchlist in ExtraHop.
+
+ extrahop-edit-watchlist
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| add | +The list of IP Addresses or ExtraHop API IDs of the devices to add, comma separated. | +Optional | +
| remove | +The list of IP Addresses or ExtraHop API IDs of the devices to remove, comma separated. | +Optional | +
+
+
+ !extrahop-edit-watchlist add=172.16.34.152
+
+
+Successful Modification +
+ + +Get all devices on the watchlist in ExtraHop.
+
+ extrahop-get-watchlist
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| Extrahop.Device.Macaddr | +String | +b'The MAC Address of the device.' | +
| Extrahop.Device.DeviceClass | +String | +b'The class of this device. ' | +
| Extrahop.Device.UserModTime | +Number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| Extrahop.Device.AutoRole | +String | +b'The role automatically detected by the ExtraHop. ' | +
| Extrahop.Device.ParentId | +Number | +b'The ID of the parent device.' | +
| Extrahop.Device.Vendor | +String | +b'The device vendor.' | +
| Extrahop.Device.Analysis | +string | +b'The level of analysis preformed on the device.' | +
| Extrahop.Device.DiscoveryId | +String | +b'The UUID given by the Discover appliance.' | +
| Extrahop.Device.DefaultName | +String | +b'The default name for this device.' | +
| Extrahop.Device.DisplayName | +String | +b'The display name of device.' | +
| Extrahop.Device.OnWatchlist | +Boolean | +b'Whether the device is on the advanced analysis whitelist.' | +
| Extrahop.Device.ModTime | +Number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| Extrahop.Device.IsL3 | +Boolean | +b'Indicates whether the device is a Layer 3 device.' | +
| Extrahop.Device.Role | +String | +b'The role of the device. ' | +
| Extrahop.Device.DiscoverTime | +Number | +b'The time that the device was discovered.' | +
| Extrahop.Device.Id | +Number | +b'The ID of the device.' | +
| Extrahop.Device.Ipaddr4 | +String | +b'The IPv4 address for this device.' | +
| Extrahop.Device.Vlanid | +Number | +b'The unique identifier for the VLAN this device is associated with.' | +
| ExtraHop.Device.Ipaddr6 | +string | +b'The IPv6 address of the device.' | +
| ExtraHop.Device.NodeId | +number | +b'The Node ID of the Discover appliance.' | +
| ExtraHop.Device.Description | +string | +b'A user customizable description of the device.' | +
| ExtraHop.Device.DnsName | +string | +b'The DNS name associated with the device.' | +
| ExtraHop.Device.DhcpName | +string | +b'The DHCP name associated with the device.' | +
| ExtraHop.Device.CdpName | +string | +b'The Cisco Discovery Protocol name associated with the device.' | +
| ExtraHop.Device.NetbiosName | +string | +b'The NetBIOS name associated with the device.' | +
| ExtraHop.Device.Url | +string | +b'Link to the device details page in ExtraHop.' | +
+
+ !extrahop-get-watchlist
+
+{
+ "ExtraHop": {
+ "Device": [
+ {
+ "Analysis": "advanced",
+ "AnalysisLevel": 2,
+ "AutoRole": "other",
+ "DefaultName": "Device 172.16.34.152",
+ "DeviceClass": "node",
+ "DhcpName": "dem-is-to",
+ "DiscoverTime": 1522964970000,
+ "DiscoveryId": "fff49b080a0a0000",
+ "DisplayName": "dem-is-to",
+ "DnsName": "dem-is-to.example.com",
+ "ExtrahopId": "fff49b080a0a0000",
+ "Id": 1554,
+ "Ipaddr4": "172.16.34.152",
+ "IsL3": true,
+ "Macaddr": "63:65:11:A1:3B:2B",
+ "ModTime": 1569283538898,
+ "NetbiosName": "DEMISTO",
+ "OnWatchlist": true,
+ "ParentId": 1445,
+ "Role": "other",
+ "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff49b080a0a0000/overview/",
+ "UserModTime": 1522964985837,
+ "Vlanid": 0
+ }
+ ]
+ }
+}
+
++
| Display Name | +IP Address | +MAC Address | +Role | +Vendor | +URL | +
|---|---|---|---|---|---|
| dem-is-to | +172.16.34.152 | +63:65:11:A1:3B:2B | +other | ++ | [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff49b080a0a0000/overview/) | +
Create a new alert rule in ExtraHop.
+
+ extrahop-create-alert
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| apply_all | +Indicates whether the alert is assigned to all available data sources. | +Required | +
| disabled | +Indicates whether the alert is disabled. | +Required | +
| name | +The unique, friendly name for the alert. | +Required | +
| notify_snmp | +Indicates whether to send an SNMP trap when an alert is generated. | +Required | +
| refire_interval | +The time interval in which alert conditions are monitored, expressed in seconds. | +Required | +
| severity | +The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. Supported values: 0, 1, 2, 3, 4, 5, 6, 7 | +Required | +
| type | +The type of alert. | +Required | +
| object_type | +The type of metric source monitored by the alert configuration. Only applicable to detection alerts. | +Optional | +
| protocols | +The list of monitored protocols. Only applicable to detection alerts. | +Optional | +
| field_name | +The name of the monitored metric. Only applicable to threshold alerts. | +Optional | +
| field_name2 | +The second monitored metric when applying a ratio. Only applicable to threshold alerts. | +Optional | +
| stat_name | +The statistic name for the alert. Only applicable to threshold alerts. | +Optional | +
| units | +The interval in which to evaluate the alert condition. Only applicable to threshold alerts. +Supported values: "none", "period", "1 sec", "1 min", "1 hr" | +Optional | +
| interval_length | +The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. +Supported values: 30, 60, 120, 300, 600, 900, 1200, 1800 | +Optional | +
| operand | +The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. | +Optional | +
| operator | +The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. | +Optional | +
| field_op | +The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. | +Optional | +
| param | +The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | +Optional | +
| param2 | +The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | +Optional | +
+
+
+ !extrahop-create-alert apply_all=false disabled=true name="Demisto Test Alert" notify_snmp=false refire_interval=3600 severity=3 type=threshold object_type=device operator=> operand=0.1 field_name=rsp_error field_name2=rsp field_op=/ units=none stat_name="extrahop.application.http"
+
+
+Successfully Created +
+ + +Modify an alert rule in ExtraHop.
+
+ extrahop-edit-alert
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| alert_id | +The unique identifier for the alert. | +Required | +
| apply_all | +Indicates whether the alert is assigned to all available data sources. | +Required | +
| disabled | +Indicates whether the alert is disabled. | +Required | +
| name | +The unique, friendly name for the alert. | +Required | +
| notify_snmp | +Indicates whether to send an SNMP trap when an alert is generated. | +Required | +
| field_name | +The name of the monitored metric. Only applicable to threshold alerts. | +Optional | +
| stat_name | +The statistic name for the alert. Only applicable to threshold alerts. | +Optional | +
| units | +The interval in which to evaluate the alert condition. Only applicable to threshold alerts. | +Optional | +
| interval_length | +The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. | +Optional | +
| operand | +The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. | +Optional | +
| refire_interval | +The time interval in which alert conditions are monitored, expressed in seconds. | +Required | +
| severity | +The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. | +Required | +
| type | +The type of alert. | +Required | +
| object_type | +The type of metric source monitored by the alert configuration. Only applicable to detection alerts. | +Optional | +
| protocols | +The list of monitored protocols. Only applicable to detection alerts. | +Optional | +
| operator | +The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. | +Optional | +
| field_name2 | +The second monitored metric when applying a ratio. Only applicable to threshold alerts. | +Optional | +
| field_op | +The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. | +Optional | +
| param | +The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | +Optional | +
| param2 | +The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. | +Optional | +
+
+
+ !extrahop-edit-alert alert_id=32 apply_all=false disabled=true name="Demisto Test" notify_snmp=false refire_interval=3600 severity=3 type=threshold object_type=device operator=> operand=0.1 field_name=rsp_error field_name2=rsp field_op=/ units=none stat_name="extrahop.application.http" interval_length=30
+
+
+Successful Modification +
+ + +Link an ExtraHop Detection to a Demisto Investigation.
+
+ extrahop-track-ticket
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| incident_id | +The ID of the Demisto Incident to ticket track. | +Required | +
| detection_id | +The ID of the ExtraHop Detection to ticket track. | +Required | +
| incident_owner | +Owner of the incident. | +Optional | +
| incident_status | +Status of the incident | +Optional | +
| incident_close_reason | +Reason the incident was closed | +Optional | +
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| ExtraHop.TicketId | +string | +b'Demisto Incident ID successfully tracked to ExtraHop Detection' | +
+
+ !extrahop-track-ticket detection_id=25910 incident_id=40360 incident_owner='colinw' incident_status=1
+
+{
+ "ExtraHop": {
+ "TicketId": "40360"
+ }
+}
+
++
+Successful Modification +
+ + +Get all peers for a device from ExtraHop.
+
+ extrahop-get-peers
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| ip_or_id | +The IP Address or ExtraHop API ID of the source device to get peer devices. | +Required | +
| query_from | +The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| query_until | +The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| peer_role | +The role of the peer device in relation to the origin device. | +Optional | +
| protocol | +A filter to only return peers that the source device has communicated with over this protocol. If no value is set, the object includes any protocol. | +Optional | +
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| ExtraHop.Device.Macaddr | +string | +b'The MAC Address of the device.' | +
| ExtraHop.Device.DeviceClass | +string | +b'The class of the device.' | +
| ExtraHop.Device.UserModTime | +number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| ExtraHop.Device.AutoRole | +string | +b'The role automatically detected by the ExtraHop.' | +
| ExtraHop.Device.ParentId | +number | +b'The ID of the parent device.' | +
| ExtraHop.Device.Vendor | +string | +b'The device vendor.' | +
| ExtraHop.Device.Analysis | +string | +b'The level of analysis preformed on the device.' | +
| ExtraHop.Device.DiscoveryId | +string | +b'The UUID given by the Discover appliance.' | +
| ExtraHop.Device.DefaultName | +string | +b'The default name of the device.' | +
| ExtraHop.Device.DisplayName | +string | +b'The display name of device.' | +
| ExtraHop.Device.OnWatchlist | +boolean | +b'Whether the device is on the advanced analysis whitelist.' | +
| ExtraHop.Device.ModTime | +number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| ExtraHop.Device.IsL3 | +boolean | +b'Indicates whether the device is a Layer 3 device.' | +
| ExtraHop.Device.Role | +string | +b'The role of the device.' | +
| ExtraHop.Device.DiscoverTime | +number | +b'The time that the device was discovered.' | +
| ExtraHop.Device.Id | +number | +b'The ID of the device.' | +
| ExtraHop.Device.Ipaddr4 | +string | +b'The IPv4 address of the device.' | +
| ExtraHop.Device.Vlanid | +number | +b'The ID of VLan.' | +
| ExtraHop.Device.Ipaddr6 | +string | +b'The IPv6 address of the device.' | +
| ExtraHop.Device.NodeId | +number | +b'The Node ID of the Discover appliance.' | +
| ExtraHop.Device.Description | +string | +b'A user customizable description of the device.' | +
| ExtraHop.Device.DnsName | +string | +b'The DNS name associated with the device.' | +
| ExtraHop.Device.DhcpName | +string | +b'The DHCP name associated with the device.' | +
| ExtraHop.Device.CdpName | +string | +b'The Cisco Discovery Protocol name associated with the device.' | +
| ExtraHop.Device.NetbiosName | +string | +b'The NetBIOS name associated with the device.' | +
| ExtraHop.Device.Url | +string | +b'Link to the device details page in ExtraHop.' | +
| ExtraHop.Device.ClientProtocols | +string | +b'The list of protocols the peer device is communicating as a client.' | +
| ExtraHop.Device.ServerProtocols | +string | +b'The list of protocols the peer device is communicating as a server.' | +
+
+ !extrahop-get-peers ip_or_id=172.16.34.23
+
+{
+ "ExtraHop": {
+ "Device": [
+ {
+ "Analysis": "advanced",
+ "AnalysisLevel": 1,
+ "AutoRole": "other",
+ "DefaultName": "VMware 172.16.34.161",
+ "DeviceClass": "node",
+ "DhcpName": "joker.example.com",
+ "DiscoverTime": 1522964910000,
+ "DiscoveryId": "fff4bb070a0a0000",
+ "DisplayName": "joker.example.com",
+ "DnsName": "joker.example.com",
+ "ExtrahopId": "fff4bb070a0a0000",
+ "Id": 374,
+ "Ipaddr4": "172.16.34.161",
+ "IsL3": true,
+ "Macaddr": "11:1D:3A:3C:3E:BE",
+ "ModTime": 1569284586752,
+ "OnWatchlist": false,
+ "ParentId": 18018,
+ "Role": "other",
+ "ServerProtocols": [
+ "TCP:SSL:LDAP",
+ "TCP:SSL"
+ ],
+ "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff4bb070a0a0000/overview/",
+ "UserModTime": 1564016944279,
+ "Vendor": "VMware",
+ "Vlanid": 0
+ },
+ {
+ "Analysis": "discovery",
+ "AnalysisLevel": 3,
+ "AutoRole": "other",
+ "ClientProtocols": [
+ "TCP:HTTP"
+ ],
+ "DefaultName": "Qumranet 172.16.34.11",
+ "DeviceClass": "node",
+ "DhcpName": "soundboard2",
+ "DiscoverTime": 1533851220000,
+ "DiscoveryId": "fff44001150a0000",
+ "DisplayName": "soundboard2",
+ "DnsName": "soundboard2.example.com",
+ "ExtrahopId": "fff44001150a0000",
+ "Id": 10751,
+ "Ipaddr4": "172.16.34.11",
+ "IsL3": true,
+ "Macaddr": "11:2B:5B:27:12:9D",
+ "ModTime": 1569279163337,
+ "OnWatchlist": false,
+ "ParentId": 10746,
+ "Role": "other",
+ "ServerProtocols": [
+ "TCP:OTHER"
+ ],
+ "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff44001150a0000/overview/",
+ "UserModTime": 1533851289829,
+ "Vendor": "Qumranet",
+ "Vlanid": 0
+ }
+ ]
+ }
+}
+
+2 Peer Device(s) Found +
| Display Name | +IP Address | +MAC Address | +Role | +Protocols | +URL | +Vendor | +
|---|---|---|---|---|---|---|
| joker.example.com | +172.16.34.161 | +11:1D:3A:3C:3E:BE | +other | +Client: Server: TCP:SSL:LDAP, TCP:SSL |
+ [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff4bb070a0a0000/overview/) | +VMware | +
| soundboard2 | +172.16.34.11 | +11:2B:5B:27:12:9D | +other | +Client: TCP:HTTP Server: TCP:OTHER |
+ [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff44001150a0000/overview/) | +Qumranet | +
Get all active network protocols for a device from ExtraHop.
+
+ extrahop-get-protocols
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| ip_or_id | +The IP Address or ExtraHop API ID of the device to get all active network protocols. | +Required | +
| query_from | +The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| query_until | +The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| ExtraHop.Device.Macaddr | +string | +b'The MAC Address of the device.' | +
| ExtraHop.Device.DeviceClass | +string | +b'The class of the device.' | +
| ExtraHop.Device.UserModTime | +number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| ExtraHop.Device.AutoRole | +string | +b'The role automatically detected by the ExtraHop.' | +
| ExtraHop.Device.ParentId | +number | +b'The ID of the parent device.' | +
| ExtraHop.Device.Vendor | +string | +b'The device vendor.' | +
| ExtraHop.Device.Analysis | +string | +b'The level of analysis preformed on the device.' | +
| ExtraHop.Device.DiscoveryId | +string | +b'The UUID given by the Discover appliance.' | +
| ExtraHop.Device.DefaultName | +string | +b'The default name of the device.' | +
| ExtraHop.Device.DisplayName | +string | +b'The display name of device.' | +
| ExtraHop.Device.OnWatchlist | +boolean | +b'Whether the device is on the advanced analysis whitelist.' | +
| ExtraHop.Device.ModTime | +number | +b'The time of the most recent update, expressed in milliseconds since the epoch.' | +
| ExtraHop.Device.IsL3 | +boolean | +b'Indicates whether the device is a Layer 3 device.' | +
| ExtraHop.Device.Role | +string | +b'The role of the device.' | +
| ExtraHop.Device.DiscoverTime | +number | +b'The time that the device was discovered.' | +
| ExtraHop.Device.Id | +number | +b'The ID of the device.' | +
| ExtraHop.Device.Ipaddr4 | +string | +b'The IPv4 address of the device.' | +
| ExtraHop.Device.Vlanid | +number | +b'The ID of VLan.' | +
| ExtraHop.Device.Ipaddr6 | +string | +b'The IPv6 address of the device.' | +
| ExtraHop.Device.NodeId | +number | +b'The Node ID of the Discover appliance.' | +
| ExtraHop.Device.Description | +string | +b'A user customizable description of the device.' | +
| ExtraHop.Device.DnsName | +string | +b'The DNS name associated with the device.' | +
| ExtraHop.Device.DhcpName | +string | +b'The DHCP name associated with the device.' | +
| ExtraHop.Device.CdpName | +string | +b'The Cisco Discovery Protocol name associated with the device.' | +
| ExtraHop.Device.NetbiosName | +string | +b'The NetBIOS name associated with the device.' | +
| ExtraHop.Device.Url | +string | +b'Link to the device details page in ExtraHop.' | +
| ExtraHop.Device.ClientProtocols | +string | +b'The list of protocols the peer device is communicating as a client.' | +
| ExtraHop.Device.ServerProtocols | +string | +b'The list of protocols the peer device is communicating as a server.' | +
+
+ !extrahop-get-protocols ip_or_id=172.16.34.11
+
+{
+ "ExtraHop": {
+ "Device": [
+ {
+ "Analysis": "advanced",
+ "AnalysisLevel": 2,
+ "AutoRole": "http_server",
+ "ClientProtocols": [
+ "TCP:SSL:LDAP",
+ "TCP:SSL",
+ "TCP:OTHER",
+ "UDP:NTP",
+ "UDP:DNS"
+ ],
+ "DefaultName": "Qumranet 172.16.34.11",
+ "DeviceClass": "node",
+ "DhcpName": "soundboard2",
+ "DiscoverTime": 1533851430000,
+ "DiscoveryId": "fff40601150a0000",
+ "DisplayName": "tme-lab-ubuntu",
+ "ExtrahopId": "fff40601150a0000",
+ "Id": 10754,
+ "Ipaddr4": "172.16.34.11",
+ "IsL3": true,
+ "Macaddr": "11:2B:5B:27:12:9D",
+ "ModTime": 1569276433204,
+ "OnWatchlist": true,
+ "ParentId": 10748,
+ "Role": "http_server",
+ "ServerProtocols": [
+ "TCP:HTTP"
+ ],
+ "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff40601150a0000/overview/",
+ "UserModTime": 1569284010207,
+ "Vendor": "Qumranet",
+ "Vlanid": 0
+ }
+ ]
+ }
+}
+
++
| Display Name | +IP Address | +MAC Address | +Protocols (Client) | +Protocols (Server) | +Role | +Vendor | +URL | +
|---|---|---|---|---|---|---|---|
| soundboard2 | +172.16.34.11 | +11:2B:5B:27:12:9D | +TCP:SSL:LDAP, TCP:SSL, TCP:OTHER, UDP:NTP, UDP:DNS | +TCP:HTTP | +http_server | +Qumranet | +[View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff40601150a0000/overview/) | +
Add or remove a tag from devices in ExtraHop.
+
+ extrahop-tag-devices
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| tag | +The case-sensitive value of the tag. | +Optional | +
| add | +The list of IP Addresses or ExtraHop API IDs of the devices to tag, comma separated. | +Optional | +
| remove | +The list of IP Addresses or ExtraHop API IDs of the devices to remove the tag from, comma separated. | +Optional | +
+
+
+ !extrahop-tag-devices tag='demisto' add=172.16.34.11
+
+
+Successful Modification +
+ + +Get a link to a visual activity map in ExtraHop.
+
+ extrahop-get-activity-map
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| ip_or_id | +The IP Address or ExtraHop API ID of the source device to get an activity map. | +Required | +
| time_interval | +The time interval of the live activity map, expressed as the "Last" 30 minutes. For example, specify a value of 30 minutes to get an activity map showing the time range of the last 30 minutes. This field is ignored if from_time and until_time are provided. | +Optional | +
| from_time | +The beginning timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | +Optional | +
| until_time | +The ending timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | +Optional | +
| peer_role | +The role of the peer devices in relation to the source device. For example, specifying a peer_role of client will show All Clients communicating with the source device. Additionally specifying a protocol of HTTP will result in further filtering and only showing HTTP Clients communicating with the source device. | +Optional | +
| protocol | +The protocol over which the source device is communicating. For example, specifying a protocol of HTTP show only HTTP Clients and HTTP Servers communicating with the source device. Additionally specifying a peer_role of client will result in further filtering and only showing HTTP Clients communicating with the source device. | +Optional | +
+
| + Path + | ++ Type + | ++ Description + | +
|---|---|---|
| ExtraHop.ActivityMap | +string | +b'The link to a visual activity map in ExtraHop.' | +
+
+ !extrahop-get-activity-map ip_or_id=172.16.34.11 time_interval="6 hours"
+
+{
+ "ExtraHop": {
+ "ActivityMap": "https://test1.extrahop.com/extrahop/#/activitymaps?appliance_id=a74b9b6aa9e44de9baedcf8112c27ec4&discovery_id=fff40601150a0000&from=6&interval_type=HR&object_type=device&protocol=any&role=any&until=0"
+ }
+}
+
++
+[View Live Activity Map in ExtraHop](https://test1.extrahop.com/extrahop/#/activitymaps?appliance_id=a74b9b6aa9e44de9baedcf8112c27ec4&discovery_id=fff40601150a0000&from=6&interval_type=HR&object_type=device&protocol=any&role=any&until=0) +
+ + +Search for specific packets in ExtraHop.
+
+ extrahop-search-packets
+
| + Argument Name + | ++ Description + | ++ Required + | +
|---|---|---|
| output | +The output format. A pcap file, A keylog.txt file that can be loaded in wireshark to decode ssl packets, or a zip file containing both a packets.pcap and keylog.txt. | +Optional | +
| limit_bytes | +The maximum number of bytes to return. | +Optional | +
| limit_search_duration | +The maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. | +Optional | +
| query_from | +The beginning timestamp of the time range the search will include, expressed in milliseconds since the epoch. A negative value specifies that the search will begin with packets captured at a time in the past relative to the current time. For example, specify -10m to begin the search with packets captured 10 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Required | +
| query_until | +The ending timestamp of the time range the search will include, expressed in milliseconds since the epoch. A 0 value specifies that the search will end with packets captured at the time of the search. A negative value specifies that the search will end with packets captured at a time in the past relative to the current time. For example, specify -5m to end the search with packets captured 5 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | +Optional | +
| bpf | +The Berkeley Packet Filter (BPF) syntax for the packet search. | +Optional | +
| ip1 | +Returns packets sent to or received by the specified IP address. | +Optional | +
| port1 | +Returns packets sent from or received on the specified port. | +Optional | +
| ip2 | +Returns packets sent to or received by the specified IP address. | +Optional | +
| port2 | +Returns packets sent from or received on the specified port. | +Optional | +
+
+
+ !extrahop-search-packets ip1=172.16.34.23 port1=10057 ip2=172.16.34.11 port2=44576
+
+
+Uploaded file: extrahop 2019-09-23 16.59.01 to 17.29.01 PST.pcap +
+ +This integration was integrated and tested with version 7.8 of ExtraHop Reveal(x) and version 4.5 of Demisto. \ No newline at end of file diff --git a/Layouts/layout-close-ExtraHop_Detection.json b/Layouts/layout-close-ExtraHop_Detection.json new file mode 100644 index 000000000000..46137f77a664 --- /dev/null +++ b/Layouts/layout-close-ExtraHop_Detection.json @@ -0,0 +1,43 @@ +{ + "typeId": "ExtraHop Detection", + "kind": "close", + "layout": { + "id": "ExtraHop Detection", + "version": -1, + "modified": "2019-06-20T16:01:05.659574019-07:00", + "name": "", + "kind": "close", + "typeId": "ExtraHop Detection", + "system": false, + "sections": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_closereason", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_closenotes", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + } + ] + } +} diff --git a/Layouts/layout-close-ExtraHop_Detection_CHANGELOG.md b/Layouts/layout-close-ExtraHop_Detection_CHANGELOG.md new file mode 100644 index 000000000000..65db9ed960cc --- /dev/null +++ b/Layouts/layout-close-ExtraHop_Detection_CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +Added a layout for the **ExtraHop Detection** incident type. \ No newline at end of file diff --git a/Layouts/layout-details-ExtraHop_Detection.json b/Layouts/layout-details-ExtraHop_Detection.json new file mode 100644 index 000000000000..66cc96cdf0a0 --- /dev/null +++ b/Layouts/layout-details-ExtraHop_Detection.json @@ -0,0 +1,328 @@ +{ + "kind": "details", + "layout": { + "id": "ExtraHop Detection", + "kind": "details", + "modified": "2019-11-04T11:27:56.296067875-08:00", + "name": "", + "sections": [ + { + "description": "", + "fields": [ + { + "fieldId": "incident_type", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_severity", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_owner", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotstatus", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_sourcebrand", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_sourceinstance", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_playbookid", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_phase", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_roles", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_category", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_extrahophostname", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionurl", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionticketed", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_occurred", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionendtime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionupdatetime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_riskscore", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionid", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Detection Details", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_details", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Details", + "query": null, + "queryType": "", + "readOnly": true, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_participants", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Detection Participants", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Work Plan", + "query": null, + "queryType": "", + "readOnly": true, + "type": "workplan", + "version": 0 + }, + { + "description": "", + "fields": [], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Incident Files", + "query": { + "categories": [ + "attachments" + ], + "lastId": "", + "pageSize": 100, + "tags": [], + "users": [] + }, + "queryType": "warRoomFilter", + "readOnly": true, + "type": "invTimeline", + "version": 0 + }, + { + "description": "", + "fields": [], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Linked Incidents", + "query": null, + "queryType": "", + "readOnly": true, + "type": "linkedIncidents", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_dbotcreated", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_occurred", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotduedate", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotmodified", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbottotaltime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Timeline Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Incident Timeline", + "query": { + "categories": [ + "incidentInfo" + ], + "lastId": "", + "pageSize": 100, + "tags": [], + "users": [] + }, + "queryType": "warRoomFilter", + "readOnly": true, + "type": "invTimeline", + "version": 0 + } + ], + "system": false, + "typeId": "ExtraHop Detection", + "version": -1 + }, + "typeId": "ExtraHop Detection" +} diff --git a/Layouts/layout-details-ExtraHop_Detection_CHANGELOG.md b/Layouts/layout-details-ExtraHop_Detection_CHANGELOG.md new file mode 100644 index 000000000000..65db9ed960cc --- /dev/null +++ b/Layouts/layout-details-ExtraHop_Detection_CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +Added a layout for the **ExtraHop Detection** incident type. \ No newline at end of file diff --git a/Layouts/layout-edit-ExtraHop_Detection.json b/Layouts/layout-edit-ExtraHop_Detection.json new file mode 100644 index 000000000000..9aa8a58d6b1e --- /dev/null +++ b/Layouts/layout-edit-ExtraHop_Detection.json @@ -0,0 +1,176 @@ +{ + "typeId": "ExtraHop Detection", + "kind": "edit", + "layout": { + "id": "ExtraHop Detection", + "version": -1, + "modified": "2019-06-21T10:21:39.764830083-07:00", + "name": "", + "kind": "edit", + "typeId": "ExtraHop Detection", + "system": false, + "sections": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_name", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_occurred", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_reminder", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_owner", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_roles", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_type", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_severity", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_playbookid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_labels", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_phase", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_attachment", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_details", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Detection Details", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_extrahophostname", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_detectionurl", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_detectionid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_riskscore", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_participants", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_detectionupdatetime", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_detectionendtime", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + } + ] + } +} diff --git a/Layouts/layout-edit-ExtraHop_Detection_CHANGELOG.md b/Layouts/layout-edit-ExtraHop_Detection_CHANGELOG.md new file mode 100644 index 000000000000..65db9ed960cc --- /dev/null +++ b/Layouts/layout-edit-ExtraHop_Detection_CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +Added a layout for the **ExtraHop Detection** incident type. \ No newline at end of file diff --git a/Layouts/layout-mobile-ExtraHop_Detection.json b/Layouts/layout-mobile-ExtraHop_Detection.json new file mode 100644 index 000000000000..5bc4b73f923e --- /dev/null +++ b/Layouts/layout-mobile-ExtraHop_Detection.json @@ -0,0 +1,260 @@ +{ + "kind": "mobile", + "layout": { + "id": "ExtraHop Detection", + "kind": "mobile", + "modified": "2019-08-29T16:20:17.8102986-07:00", + "name": "", + "sections": [ + { + "description": "", + "fields": [ + { + "fieldId": "incident_type", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_severity", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_owner", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotstatus", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_sourcebrand", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_sourceinstance", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_playbookid", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_phase", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_roles", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_category", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_extrahophostname", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionurl", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionticketed", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_occurred", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionupdatetime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionendtime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_riskscore", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionid", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Detection Details", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_details", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Details", + "query": null, + "queryType": "", + "readOnly": true, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_dbotcreated", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_occurred", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotduedate", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotmodified", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbottotaltime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Timeline Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_labels", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Labels", + "query": null, + "queryType": "", + "readOnly": true, + "type": "labels", + "version": 0 + } + ], + "system": false, + "typeId": "ExtraHop Detection", + "version": -1 + }, + "typeId": "ExtraHop Detection" +} diff --git a/Layouts/layout-mobile-ExtraHop_Detection_CHANGELOG.md b/Layouts/layout-mobile-ExtraHop_Detection_CHANGELOG.md new file mode 100644 index 000000000000..65db9ed960cc --- /dev/null +++ b/Layouts/layout-mobile-ExtraHop_Detection_CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +Added a layout for the **ExtraHop Detection** incident type. \ No newline at end of file diff --git a/Layouts/layout-quickView-ExtraHop_Detection.json b/Layouts/layout-quickView-ExtraHop_Detection.json new file mode 100644 index 000000000000..993a850f95cf --- /dev/null +++ b/Layouts/layout-quickView-ExtraHop_Detection.json @@ -0,0 +1,281 @@ +{ + "kind": "quickView", + "layout": { + "id": "ExtraHop Detection", + "kind": "quickView", + "modified": "2019-08-29T16:19:59.288492914-07:00", + "name": "", + "sections": [ + { + "description": "", + "fields": [ + { + "fieldId": "incident_type", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_severity", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_owner", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotstatus", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_sourcebrand", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_sourceinstance", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_playbookid", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_phase", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_roles", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_category", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_extrahophostname", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionurl", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionticketed", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_occurred", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionupdatetime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionendtime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_riskscore", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_detectionid", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Detection Details", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_details", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Details", + "query": null, + "queryType": "", + "readOnly": true, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_participants", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Detection Participants", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_dbotcreated", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_occurred", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotduedate", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbotmodified", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + }, + { + "fieldId": "incident_dbottotaltime", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Timeline Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "", + "version": 0 + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_labels", + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "version": 0 + } + ], + "id": "", + "isVisible": true, + "modified": "0001-01-01T00:00:00Z", + "name": "Labels", + "query": null, + "queryType": "", + "readOnly": true, + "type": "labels", + "version": 0 + } + ], + "system": false, + "typeId": "ExtraHop Detection", + "version": -1 + }, + "typeId": "ExtraHop Detection" +} diff --git a/Layouts/layout-quickView-ExtraHop_Detection_CHANGELOG.md b/Layouts/layout-quickView-ExtraHop_Detection_CHANGELOG.md new file mode 100644 index 000000000000..65db9ed960cc --- /dev/null +++ b/Layouts/layout-quickView-ExtraHop_Detection_CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +Added a layout for the **ExtraHop Detection** incident type. \ No newline at end of file diff --git a/Playbooks/playbook-Endpoint_Enrichment_-_Generic_v2.1.yml b/Playbooks/playbook-Endpoint_Enrichment_-_Generic_v2.1.yml index 5705414f79ec..fd0920ce718b 100644 --- a/Playbooks/playbook-Endpoint_Enrichment_-_Generic_v2.1.yml +++ b/Playbooks/playbook-Endpoint_Enrichment_-_Generic_v2.1.yml @@ -10,6 +10,7 @@ description: |- - Carbon Black Enterprise Response v2 - Cylance Protect v2 - CrowdStrike Falcon Host + - ExtraHop Reveal(x) starttaskid: "0" tasks: "0": @@ -55,11 +56,12 @@ tasks: - "18" - "19" - "20" + - "30" separatecontext: false view: |- { "position": { - "x": 1060, + "x": 1280, "y": 440 } } @@ -75,7 +77,6 @@ tasks: version: -1 name: Is McAfee ePolicy Orchestrator enabled? description: Checks if there is an active instance of the McAfee ePolicy Orchestrator integration enabled. - integration enabled. scriptName: Exists type: condition iscommand: false @@ -349,8 +350,8 @@ tasks: view: |- { "position": { - "x": 1740, - "y": 750 + "x": 2150, + "y": 770 } } note: false @@ -453,7 +454,7 @@ tasks: view: |- { "position": { - "x": 1740, + "x": 2150, "y": 605 } } @@ -656,8 +657,8 @@ tasks: view: |- { "position": { - "x": 1740, - "y": 1086 + "x": 2250, + "y": 1070 } } note: false @@ -694,8 +695,8 @@ tasks: view: |- { "position": { - "x": 1930, - "y": 1260 + "x": 2250, + "y": 1220 } } note: false @@ -703,10 +704,10 @@ tasks: ignoreworker: false "29": id: "29" - taskid: 477738d4-3629-410f-86bb-84181caeacd2 + taskid: 9681a79e-1d5e-462c-8e65-ec0bfe1bb7d8 type: regular task: - id: 477738d4-3629-410f-86bb-84181caeacd2 + id: 9681a79e-1d5e-462c-8e65-ec0bfe1bb7d8 version: -1 name: Get host information from Crowdstrike Falcon Host description: Gets details for one or more devices, according to device ID. @@ -728,8 +729,131 @@ tasks: view: |- { "position": { - "x": 2080, - "y": 1460 + "x": 2460, + "y": 1440 + } + } + note: false + timertriggers: [] + ignoreworker: false + "30": + id: "30" + taskid: ec344482-77f7-42b5-8ee4-34317afd1179 + type: title + task: + id: ec344482-77f7-42b5-8ee4-34317afd1179 + version: -1 + name: ExtraHop Reveal(x) + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "31" + separatecontext: false + view: |- + { + "position": { + "x": 1710, + "y": 605 + } + } + note: false + timertriggers: [] + ignoreworker: false + "31": + id: "31" + taskid: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + type: condition + task: + id: 58c8b4be-657c-45f6-8eca-5a01da85f1f3 + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "4" + "yes": + - "32" + scriptarguments: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: ExtraHop v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 1710, + "y": 770 + } + } + note: false + timertriggers: [] + ignoreworker: false + "32": + id: "32" + taskid: 344e1330-e5f8-4292-83df-7a4fba147ebf + type: regular + task: + id: 344e1330-e5f8-4292-83df-7a4fba147ebf + version: -1 + name: Get host information from ExtraHop Reveal(x) + description: Get host information from ExtraHop Reveal(x). + script: '|||extrahop-device-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + active_from: {} + active_until: {} + activity: {} + discover_time: {} + ip: {} + l3_only: {} + limit: {} + mac: {} + match_type: {} + name: + simple: ${inputs.Hostname} + operator: {} + role: {} + software: {} + tag: {} + vendor: {} + vlan: {} + separatecontext: false + view: |- + { + "position": { + "x": 1730, + "y": 1086 } } note: false @@ -742,10 +866,12 @@ view: |- "10_4_#default#": 0.1, "22_23_yes": 0.54, "22_4_#default#": 0.15, - "28_29_yes": 0.5, + "28_29_yes": 0.4, "28_4_#default#": 0.1, "2_4_#default#": 0.21, "2_5_yes": 0.64, + "31_32_yes": 0.64, + "31_4_#default#": 0.1, "3_1_yes": 0.3, "3_24_yes": 0.41, "3_4_#default#": 0.12, @@ -755,7 +881,7 @@ view: |- "paper": { "dimensions": { "height": 1645, - "width": 3076, + "width": 3456, "x": -616, "y": 50 } @@ -792,5 +918,85 @@ outputs: description: The device information about the hostname that was enriched using Cylance Protect v2. type: unknown +- contextPath: ExtraHop.Device.Macaddr + description: The MAC Address of the device. + type: String +- contextPath: ExtraHop.Device.DeviceClass + description: The class of the device. + type: String +- contextPath: ExtraHop.Device.UserModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.AutoRole + description: The role automatically detected by the ExtraHop. + type: String +- contextPath: ExtraHop.Device.ParentId + description: The ID of the parent device. + type: Number +- contextPath: ExtraHop.Device.Vendor + description: The device vendor. + type: String +- contextPath: ExtraHop.Device.Analysis + description: The level of analysis preformed on the device. + type: string +- contextPath: ExtraHop.Device.DiscoveryId + description: The UUID given by the Discover appliance. + type: String +- contextPath: ExtraHop.Device.DefaultName + description: The default name of the device. + type: String +- contextPath: ExtraHop.Device.DisplayName + description: The display name of device. + type: String +- contextPath: ExtraHop.Device.OnWatchlist + description: Whether the device is on the advanced analysis whitelist. + type: Boolean +- contextPath: ExtraHop.Device.ModTime + description: The time of the most recent update, expressed in milliseconds since + the epoch. + type: Number +- contextPath: ExtraHop.Device.IsL3 + description: Indicates whether the device is a Layer 3 device. + type: Boolean +- contextPath: ExtraHop.Device.Role + description: The role of the device. + type: String +- contextPath: ExtraHop.Device.DiscoverTime + description: The time that the device was discovered. + type: Number +- contextPath: ExtraHop.Device.Id + description: The ID of the device. + type: Number +- contextPath: ExtraHop.Device.Ipaddr4 + description: The IPv4 address of the device. + type: String +- contextPath: ExtraHop.Device.Vlanid + description: The ID of VLan. + type: Number +- contextPath: ExtraHop.Device.Ipaddr6 + description: The IPv6 address of the device. + type: string +- contextPath: ExtraHop.Device.NodeId + description: The Node ID of the Discover appliance. + type: number +- contextPath: ExtraHop.Device.Description + description: A user customizable description of the device. + type: string +- contextPath: ExtraHop.Device.DnsName + description: The DNS name associated with the device. + type: string +- contextPath: ExtraHop.Device.DhcpName + description: The DHCP name associated with the device. + type: string +- contextPath: ExtraHop.Device.CdpName + description: The Cisco Discovery Protocol name associated with the device. + type: string +- contextPath: ExtraHop.Device.NetbiosName + description: The NetBIOS name associated with the device. + type: string +- contextPath: ExtraHop.Device.Url + description: Link to the device details page in ExtraHop. + type: string tests: - Endpoint Enrichment - Generic v2.1 - Test diff --git a/Playbooks/playbook-Endpoint_Enrichment_-_Generic_v2.1_CHANGELOG.md b/Playbooks/playbook-Endpoint_Enrichment_-_Generic_v2.1_CHANGELOG.md new file mode 100644 index 000000000000..d692a8812fa9 --- /dev/null +++ b/Playbooks/playbook-Endpoint_Enrichment_-_Generic_v2.1_CHANGELOG.md @@ -0,0 +1,2 @@ +## [Unreleased] +Added ExtraHop Reveal(x) as a supported integration to enrich an endpoint by hostname. \ No newline at end of file diff --git a/Playbooks/playbook-ExtraHop_-_CVE-2019-0708_(BlueKeep).yml b/Playbooks/playbook-ExtraHop_-_CVE-2019-0708_(BlueKeep).yml new file mode 100644 index 000000000000..c67fd8c6d917 --- /dev/null +++ b/Playbooks/playbook-ExtraHop_-_CVE-2019-0708_(BlueKeep).yml @@ -0,0 +1,676 @@ +id: ExtraHop - CVE-2019-0708 (BlueKeep) +version: -1 +fromversion: 4.5.0 +name: ExtraHop - CVE-2019-0708 (BlueKeep) +description: |- + This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. + + MITIGATION OPTIONS + - Disable Remote Desktop Services if they are not required + - Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 + - Configure firewalls to block traffic on TCP port 3389 +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 44709a0e-a454-49dc-86dc-07bc12acf25d + type: start + task: + id: 44709a0e-a454-49dc-86dc-07bc12acf25d + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": -460 + } + } + note: false + timertriggers: [] + ignoreworker: false + "2": + id: "2" + taskid: afa75cf0-4935-4b71-8816-585d782d18a8 + type: title + task: + id: afa75cf0-4935-4b71-8816-585d782d18a8 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": 790 + } + } + note: false + timertriggers: [] + ignoreworker: false + "15": + id: "15" + taskid: 2700d930-33f2-439b-8782-cdeb704eceed + type: condition + task: + id: 2700d930-33f2-439b-8782-cdeb704eceed + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "16" + scriptarguments: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: ExtraHop v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": -320 + } + } + note: false + timertriggers: [] + ignoreworker: false + "16": + id: "16" + taskid: 1b3cd97e-fed5-406e-8574-61224e3df17b + type: regular + task: + id: 1b3cd97e-fed5-406e-8574-61224e3df17b + version: -1 + name: Run CVE search for BlueKeep vulnerability + description: Search CVE by ID. + script: CVE Search|||cve-search + type: regular + iscommand: true + brand: CVE Search + nexttasks: + '#none#': + - "17" + - "24" + scriptarguments: + cveId: + simple: CVE-2019-0708 + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 210, + "y": -120 + } + } + note: false + timertriggers: [] + ignoreworker: false + "17": + id: "17" + taskid: 237c1ad2-3e95-4c44-8442-6c5d70ba2e7c + type: playbook + task: + id: 237c1ad2-3e95-4c44-8442-6c5d70ba2e7c + version: -1 + name: ExtraHop - Get Peers by Host + description: Given a host, the playbook will retrieve the peer network devices + that communicated with that host in a given time range. In addition to a + list of peers and protocols (sorted by bytes) the playbook returns a link + to the ExtraHop Live Activity Map to visualize the peer relationships. + playbookName: ExtraHop - Get Peers by Host + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "21" + scriptarguments: + from_time: + complex: + root: incident + accessor: occurred + transformers: + - operator: toUnix + - operator: subtraction + args: + by: + value: + simple: "1800" + ip: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: victim + field: + value: + simple: role + getField: + value: + simple: ipaddress + mac: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: victim + field: + value: + simple: role + getField: + value: + simple: macaddress + name: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: victim + field: + value: + simple: role + getField: + value: + simple: dnsname + until_time: + complex: + root: incident + accessor: occurred + transformers: + - operator: toUnix + - operator: addition + args: + by: + value: + simple: "1800" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 210, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + "19": + id: "19" + taskid: 0fa6c81c-87a3-476f-80d7-dc4171df2ac3 + type: condition + task: + id: 0fa6c81c-87a3-476f-80d7-dc4171df2ac3 + version: -1 + name: Email team to block offender IP address + description: Ask ExtraHop analysts whether or not to automatically block the + offender IP address. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "20" + "Yes": + - "23" + separatecontext: false + view: |- + { + "position": { + "x": 620, + "y": 410 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: ExtraHop + subject: + simple: CVE-2019-0708 RDP Exploit Attempt - Block Offender IP? + body: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: offender + field: + value: + simple: role + getField: + value: + simple: ipaddress + methods: + - email + format: "" + bcc: null + cc: null + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + replyOptions: + - "Yes" + - "No" + "20": + id: "20" + taskid: 0539b3a2-867d-4d0f-8074-028dfb73c781 + type: regular + task: + id: 0539b3a2-867d-4d0f-8074-028dfb73c781 + version: -1 + name: Guided investigation steps and mitigation options + description: |- + Investigate to determine if the victim server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. + + Mitigation Options + - Disable Remote Desktop Services if they are not required + - Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 + - Configure firewalls to block traffic on TCP port 3389 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + separatecontext: false + view: |- + { + "position": { + "x": 210, + "y": 590 + } + } + note: false + timertriggers: [] + ignoreworker: false + "21": + id: "21" + taskid: f123a474-b51e-4bc5-830f-b6308fc70937 + type: regular + task: + id: f123a474-b51e-4bc5-830f-b6308fc70937 + version: -1 + name: Get associated transaction records from ExtraHop Reveal(x) + description: Query records associated with this detection from ExtraHop. + script: '|||extrahop-query-records' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "22" + scriptarguments: + field1: + simple: clientAddr + field2: + simple: serverAddr + limit: {} + match_type: {} + offset: {} + operator1: + simple: '=' + operator2: + simple: '=' + query_from: + complex: + root: incident + accessor: occurred + transformers: + - operator: toUnix + - operator: multiply + args: + by: + value: + simple: "1000" + query_until: + complex: + root: incident + accessor: occurred + transformers: + - operator: toUnix + - operator: addition + args: + by: + value: + simple: "2" + - operator: multiply + args: + by: + value: + simple: "1000" + types: + simple: rdp_close,rdp_tick + value1: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: offender + field: + value: + simple: role + getField: + value: + simple: ipaddress + value2: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: victim + field: + value: + simple: role + getField: + value: + simple: ipaddress + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 210, + "y": 230 + } + } + note: false + timertriggers: [] + ignoreworker: false + "22": + id: "22" + taskid: 6b73a498-5e96-4479-86ec-7a09799e5892 + type: regular + task: + id: 6b73a498-5e96-4479-86ec-7a09799e5892 + version: -1 + name: Get associated PCAP file from ExtraHop Reveal(x) + description: Search for the specific packets associated with this detection + in ExtraHop and return the pcap file. + script: '|||extrahop-search-packets' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "20" + scriptarguments: + bpf: {} + ip1: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: offender + field: + value: + simple: role + getField: + value: + simple: ipaddress + ip2: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: victim + field: + value: + simple: role + getField: + value: + simple: ipaddress + limit_bytes: {} + limit_search_duration: {} + output: {} + port1: {} + port2: + simple: "3389" + query_from: + complex: + root: incident + accessor: occurred + transformers: + - operator: toUnix + - operator: multiply + args: + by: + value: + simple: "1000" + query_until: + complex: + root: incident + accessor: occurred + transformers: + - operator: toUnix + - operator: addition + args: + by: + value: + simple: "2" + - operator: multiply + args: + by: + value: + simple: "1000" + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 210, + "y": 410 + } + } + note: false + timertriggers: [] + ignoreworker: false + "23": + id: "23" + taskid: 5892b97f-fcb0-48ef-843a-dfbbf0a5beb8 + type: playbook + task: + id: 5892b97f-fcb0-48ef-843a-dfbbf0a5beb8 + version: -1 + name: Block IP - Generic v2 + description: |- + This playbook blocks malicious IPs using all integrations that you have enabled. + + Supported integrations for this playbook: + * Check Point Firewall + * Palo Alto Networks Minemeld + * Palo Alto Networks PAN-OS + * Zscaler + playbookName: Block IP - Generic v2 + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + IP: + complex: + root: incident + accessor: participants + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: offender + field: + value: + simple: role + getField: + value: + simple: ipaddress + IPBlacklistMiner: {} + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 840, + "y": 590 + } + } + note: false + timertriggers: [] + ignoreworker: false + "24": + id: "24" + taskid: b400891d-eb98-40b6-898d-89e7d4a32e38 + type: condition + task: + id: b400891d-eb98-40b6-898d-89e7d4a32e38 + version: -1 + name: Automatically block the offender IP address? + description: Check the playbook inputs to see if automatically blocking the + offender IP address is desired. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "19" + "yes": + - "23" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.AutoBlockIp + iscontext: true + right: + value: + simple: "True" + view: |- + { + "position": { + "x": 620, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false +view: |- + { + "linkLabelsPosition": { + "15_2_#default#": 0.12, + "19_20_#default#": 0.33, + "19_23_Yes": 0.57, + "24_19_#default#": 0.55 + }, + "paper": { + "dimensions": { + "height": 1315, + "width": 1230, + "x": -10, + "y": -460 + } + } + } +inputs: +- key: AutoBlockIp + value: + simple: "False" + required: false + description: |- + Enable the "Block IP" capability automatically (can be either "True" or "False"). + The "Block IP" sub-playbook will block the offender IP address in the relevant integrations. +outputs: +- contextPath: CVE + description: Details on the CVE. + type: unknown +- contextPath: ExtraHop.Device + description: 'Details on the host and any peer devices found. ' + type: unknown +- contextPath: ExtraHop.ActivityMap + description: The link to a visual activity map in ExtraHop. + type: string +- contextPath: ExtraHop.Record.Source + description: Associated transaction records from ExtraHop. + type: unknown +tests: +- ExtraHop_v2-Test \ No newline at end of file diff --git a/Playbooks/playbook-ExtraHop_-_Default.yml b/Playbooks/playbook-ExtraHop_-_Default.yml new file mode 100644 index 000000000000..c956dae88a01 --- /dev/null +++ b/Playbooks/playbook-ExtraHop_-_Default.yml @@ -0,0 +1,333 @@ +id: ExtraHop - Default +version: -1 +fromversion: 4.5.0 +name: ExtraHop - Default +description: Default playbook to run for all ExtraHop Detection incidents. This playbook + handles ticket tracking as well as triggering specific playbooks based on the name + of the ExtraHop Detection. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: e05c49e8-d5fc-49cc-8e4f-febae049f470 + type: start + task: + id: e05c49e8-d5fc-49cc-8e4f-febae049f470 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + "2": + id: "2" + taskid: aacb39b5-ff6b-405e-8891-e03e73e4b101 + type: title + task: + id: aacb39b5-ff6b-405e-8891-e03e73e4b101 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 920 + } + } + note: false + timertriggers: [] + ignoreworker: false + "15": + id: "15" + taskid: c46704ba-c334-4b3b-887f-fa1dd8339fd0 + type: condition + task: + id: c46704ba-c334-4b3b-887f-fa1dd8339fd0 + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "18" + - "19" + scriptarguments: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: ExtraHop v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + "16": + id: "16" + taskid: b24f8753-bb48-4a77-8b97-a33ed472cd05 + type: playbook + task: + id: b24f8753-bb48-4a77-8b97-a33ed472cd05 + version: -1 + name: ExtraHop - Ticket Tracking + description: Links the Demisto incident back to the ExtraHop detection that + created it for ticket tracking purposes. + playbookName: ExtraHop - Ticket Tracking + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "17" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 280, + "y": 500 + } + } + note: false + timertriggers: [] + ignoreworker: false + "17": + id: "17" + taskid: a67d8b24-4516-46c0-85a0-3fd3cf7c2279 + type: regular + task: + id: a67d8b24-4516-46c0-85a0-3fd3cf7c2279 + version: -1 + name: Add initial investigation notes + description: This task is for the ExtraHop analyst to enter notes on the ExtraHop + Detection that created this Incident. Used as a method of initial investigation + and tracking notes within the Work Plan. + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + separatecontext: false + view: |- + { + "position": { + "x": 280, + "y": 685 + } + } + note: false + timertriggers: [] + ignoreworker: false + "18": + id: "18" + taskid: 03bac09d-d03d-45d5-86f1-4209973b4a4d + type: title + task: + id: 03bac09d-d03d-45d5-86f1-4209973b4a4d + version: -1 + name: Detection Playbooks + description: Check whether the values provided in arguments are equal. If either + of the arguments are missing, no is returned. + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "20" + separatecontext: false + view: |- + { + "position": { + "x": -180, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + "19": + id: "19" + taskid: f4749919-007f-47da-85ce-4428c0000d64 + type: title + task: + id: f4749919-007f-47da-85ce-4428c0000d64 + version: -1 + name: Ticket Tracking + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "16" + separatecontext: false + view: |- + { + "position": { + "x": 280, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + "20": + id: "20" + taskid: 7a4202c3-81a2-4275-8ceb-474fa9f90a39 + type: condition + task: + id: 7a4202c3-81a2-4275-8ceb-474fa9f90a39 + version: -1 + name: Does the detection have a playbook? + description: Check if the incoming detection has a specific playbook to run. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + BlueKeep: + - "21" + separatecontext: false + conditions: + - label: BlueKeep + condition: + - - operator: containsString + left: + value: + simple: incident.name + iscontext: true + right: + value: + simple: CVE-2019-0708 + view: |- + { + "position": { + "x": -180, + "y": 500 + } + } + note: false + timertriggers: [] + ignoreworker: false + "21": + id: "21" + taskid: ecbb3f9e-7e2b-4497-800d-b13e7dfcb858 + type: playbook + task: + id: ecbb3f9e-7e2b-4497-800d-b13e7dfcb858 + version: -1 + name: ExtraHop - CVE-2019-0708 (BlueKeep) + description: |- + This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. + + MITIGATION OPTIONS + - Disable Remote Desktop Services if they are not required + - Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 + - Configure firewalls to block traffic on TCP port 3389 + playbookName: ExtraHop - CVE-2019-0708 (BlueKeep) + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + AutoBlockIp: + simple: "False" + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": -290, + "y": 730 + } + } + note: false + timertriggers: [] + ignoreworker: false +view: |- + { + "linkLabelsPosition": { + "15_2_#default#": 0.18, + "20_21_BlueKeep": 0.44, + "20_2_#default#": 0.19 + }, + "paper": { + "dimensions": { + "height": 935, + "width": 950, + "x": -290, + "y": 50 + } + } + } +inputs: [] +outputs: +- contextPath: CVE + description: Details on the CVE. + type: unknown +- contextPath: ExtraHop.Device + description: 'Details on the host and any peer devices found. ' + type: unknown +- contextPath: ExtraHop.ActivityMap + description: The link to a visual activity map in ExtraHop. + type: string +- contextPath: ExtraHop.Record.Source + description: Associated transaction records from ExtraHop. + type: unknown +tests: +- ExtraHop_v2-Test \ No newline at end of file diff --git a/Playbooks/playbook-ExtraHop_-_Get_Peers_by_Host.yml b/Playbooks/playbook-ExtraHop_-_Get_Peers_by_Host.yml new file mode 100644 index 000000000000..9a76fdf05c6b --- /dev/null +++ b/Playbooks/playbook-ExtraHop_-_Get_Peers_by_Host.yml @@ -0,0 +1,414 @@ +id: ExtraHop - Get Peers by Host +version: -1 +fromversion: 4.5.0 +name: ExtraHop - Get Peers by Host +description: Given a host, the playbook will retrieve the peer network devices that + communicated with that host in a given time range. In addition to a list of peers + and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live + Activity Map to visualize the peer relationships. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: bf60ce0f-ce07-4119-8d54-0ce64f1a0e00 + type: start + task: + id: bf60ce0f-ce07-4119-8d54-0ce64f1a0e00 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + "2": + id: "2" + taskid: 2fbd50da-8e6e-4b1a-8b1f-5cf90cebc303 + type: title + task: + id: 2fbd50da-8e6e-4b1a-8b1f-5cf90cebc303 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 70, + "y": 1220 + } + } + note: false + timertriggers: [] + ignoreworker: false + "3": + id: "3" + taskid: cf740c00-0812-4696-8dc1-33877ccf12d5 + type: regular + task: + id: cf740c00-0812-4696-8dc1-33877ccf12d5 + version: -1 + name: Search for peer devices in ExtraHop Reveal(x) + description: Get the list of all of the peers that communicated with the given + host in the specified time range. + script: '|||extrahop-get-peers' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + ip_or_id: + simple: ${ExtraHop.Device.Id} + peer_role: {} + protocol: {} + query_from: + complex: + root: inputs.from_time + filters: + - - operator: isNotEmpty + left: + value: + simple: inputs.from_time + iscontext: true + transformers: + - operator: multiply + args: + by: + value: + simple: "1000" + query_until: + complex: + root: inputs.until_time + filters: + - - operator: isNotEmpty + left: + value: + simple: inputs.until_time + iscontext: true + transformers: + - operator: multiply + args: + by: + value: + simple: "1000" + separatecontext: false + view: |- + { + "position": { + "x": 360, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + "7": + id: "7" + taskid: 1b5c7cbd-6f0c-4a82-8314-335cd0e92066 + type: regular + task: + id: 1b5c7cbd-6f0c-4a82-8314-335cd0e92066 + version: -1 + name: Search for device in ExtraHop Reveal(x) + description: Search for the device within ExtraHop using the provided name, + IP address, and MAC address. + script: '|||extrahop-device-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + active_from: {} + active_until: {} + activity: {} + discover_time: {} + ip: + simple: ${inputs.ip} + l3_only: {} + limit: + simple: "1" + mac: + simple: ${inputs.mac} + match_type: {} + name: + simple: ${inputs.name} + operator: {} + role: {} + software: {} + tag: {} + vendor: {} + vlan: {} + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 360, + "y": 540 + } + } + note: false + timertriggers: [] + ignoreworker: false + "9": + id: "9" + taskid: bcd55624-cc38-49fe-8f93-f45bc97a5d4b + type: condition + task: + id: bcd55624-cc38-49fe-8f93-f45bc97a5d4b + version: -1 + name: Is there a host? + description: Check if the host information required to search for peers was + provided. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "7" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: inputs.name + iscontext: true + - operator: isNotEmpty + left: + value: + simple: inputs.ip + iscontext: true + - operator: isNotEmpty + left: + value: + simple: inputs.mac + iscontext: true + view: |- + { + "position": { + "x": 160, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + "11": + id: "11" + taskid: 4703272c-c182-4ecf-8e41-4705ed8d0c54 + type: condition + task: + id: 4703272c-c182-4ecf-8e41-4705ed8d0c54 + version: -1 + name: Was a device found? + description: Check if a device was found. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "3" + - "16" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: hasLength + left: + value: + simple: ExtraHop.Device + iscontext: true + right: + value: + simple: "1" + view: |- + { + "position": { + "x": 360, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + "15": + id: "15" + taskid: f93ea96a-09bf-4503-8fe6-fc791422d554 + type: condition + task: + id: f93ea96a-09bf-4503-8fe6-fc791422d554 + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "9" + scriptarguments: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: ExtraHop v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + timertriggers: [] + ignoreworker: false + "16": + id: "16" + taskid: ed8c477b-6860-429c-8c8b-888a1ac3e1d7 + type: regular + task: + id: ed8c477b-6860-429c-8c8b-888a1ac3e1d7 + version: -1 + name: Get a link to a live activity map in ExtraHop Reveal(x) + description: Get a link to a live activity map for the given device in the specified + time range. + script: '|||extrahop-get-activity-map' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + from_time: + complex: + root: inputs.from_time + filters: + - - operator: isNotEmpty + left: + value: + simple: inputs.from_time + iscontext: true + ip_or_id: + simple: ${ExtraHop.Device.Id} + peer_role: {} + protocol: {} + time_interval: {} + until_time: + complex: + root: inputs.until_time + filters: + - - operator: isNotEmpty + left: + value: + simple: inputs.until_time + iscontext: true + separatecontext: false + view: |- + { + "position": { + "x": 760, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false +view: |- + { + "linkLabelsPosition": { + "11_16_yes": 0.29, + "11_2_#default#": 0.28, + "11_3_yes": 0.58, + "15_2_#default#": 0.29, + "15_9_yes": 0.53, + "9_2_#default#": 0.24, + "9_7_yes": 0.44 + }, + "paper": { + "dimensions": { + "height": 1235, + "width": 1090, + "x": 50, + "y": 50 + } + } + } +inputs: +- key: name + value: {} + required: false + description: The name of the device. This searches for matches on all ExtraHop name + fields (DHCP, DNS, NetBIOS, Cisco Discovery Protocol, etc). +- key: ip + value: {} + required: false + description: The IP address of the device. +- key: mac + value: {} + required: false + description: The MAC address of the device. +- key: from_time + value: {} + required: false + description: The beginning timestamp of the time range the playbook will use to + search, expressed in seconds since the epoch. +- key: until_time + value: {} + required: false + description: The ending timestamp of the time range the playbook will use to search, + expressed in seconds since the epoch. +outputs: +- contextPath: ExtraHop.Device + description: 'Details on the host and any peer devices found. ' + type: unknown +- contextPath: ExtraHop.ActivityMap + description: The link to a visual activity map in ExtraHop. + type: string +tests: +- ExtraHop_v2-Test \ No newline at end of file diff --git a/Playbooks/playbook-ExtraHop_-_Ticket_Tracking.yml b/Playbooks/playbook-ExtraHop_-_Ticket_Tracking.yml new file mode 100644 index 000000000000..e664da4c4999 --- /dev/null +++ b/Playbooks/playbook-ExtraHop_-_Ticket_Tracking.yml @@ -0,0 +1,736 @@ +id: ExtraHop - Ticket Tracking +version: -1 +fromversion: 4.5.0 +name: ExtraHop - Ticket Tracking +description: Links the Demisto incident back to the ExtraHop detection that created + it for ticket tracking purposes. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 71394f2c-bc76-4885-8bab-b55ce0094789 + type: start + task: + id: 71394f2c-bc76-4885-8bab-b55ce0094789 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": -460 + } + } + note: false + timertriggers: [] + ignoreworker: false + "1": + id: "1" + taskid: be00a185-8d20-4e46-8012-4ae44b3687fc + type: regular + task: + id: be00a185-8d20-4e46-8012-4ae44b3687fc + version: -1 + name: Track the incident status in ExtraHop Reveal(x) + description: Link the ExtraHop Detection to the corresponding Demisto Investigation. This + uses the ExtraHop ticket tracking functionality to properly display ticket + status within ExtraHop. + script: '|||extrahop-track-ticket' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "12" + scriptarguments: + detection_id: + complex: + root: foundIncidents + accessor: CustomFields.detectionid + incident_close_reason: + complex: + root: foundIncidents + accessor: closeReason + incident_id: + complex: + root: foundIncidents + accessor: id + incident_owner: + complex: + root: foundIncidents + accessor: owner + incident_status: + complex: + root: foundIncidents + accessor: status + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 170, + "y": 1110 + } + } + note: false + timertriggers: [] + ignoreworker: false + "2": + id: "2" + taskid: f4953d89-2219-4d74-8acf-d819728d0ac9 + type: title + task: + id: f4953d89-2219-4d74-8acf-d819728d0ac9 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": -100, + "y": 1640 + } + } + note: false + timertriggers: [] + ignoreworker: false + "3": + id: "3" + taskid: 6f9852cc-7a6e-4d2f-8bef-86fb205e5408 + type: regular + task: + id: 6f9852cc-7a6e-4d2f-8bef-86fb205e5408 + version: -1 + name: Mark the incident as tracked + description: Update the incident to reflect the Detection Ticketed status. + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "4" + scriptarguments: + addLabels: {} + affecteddata: {} + affecteddatatype: {} + affectedindividualscontactinformation: {} + app: {} + approximatenumberofaffecteddatasubjects: {} + assetid: {} + attachmentcount: {} + attachmentextension: {} + attachmenthash: {} + attachmentid: {} + attachmentname: {} + attachmentsize: {} + attachmenttype: {} + bugtraq: {} + city: {} + closeNotes: {} + closeReason: {} + companyaddress: {} + companycity: {} + companycountry: {} + companyhasinsuranceforthebreach: {} + companyname: {} + companypostalcode: {} + contactaddress: {} + contactname: {} + country: {} + countrywherebusinesshasitsmainestablishment: {} + countrywherethebreachtookplace: {} + customFields: {} + cve: {} + cvss: {} + dataencryptionstatus: {} + datetimeofthebreach: {} + deleteEmptyField: {} + dest: {} + destntdomain: {} + details: {} + detectionendtime: {} + detectionid: {} + detectionticketed: + simple: "true" + detectionupdatetime: {} + detectionurl: {} + dpoemailaddress: {} + duration: {} + emailaddress: {} + emailbcc: {} + emailbody: {} + emailbodyformat: {} + emailbodyhtml: {} + emailcc: {} + emailclientname: {} + emailfrom: {} + emailhtml: {} + emailinreplyto: {} + emailkeywords: {} + emailmessageid: {} + emailreceived: {} + emailreplyto: {} + emailreturnpath: {} + emailsenderip: {} + emailsize: {} + emailsource: {} + emailsubject: {} + emailto: {} + emailtocount: {} + emailurlclicked: {} + extrahopapplianceid: {} + extrahophostname: {} + filehash: {} + filename: {} + filepath: {} + id: + simple: ${ExtraHop.TicketId} + isthedatasubjecttodpia: {} + labels: {} + likelyimpact: {} + maliciouscauseifthecauseisamaliciousattack: {} + malwarefamily: {} + measurestomitigate: {} + name: {} + occurred: {} + owner: {} + participants: {} + phase: {} + possiblecauseofthebreach: {} + postalcode: {} + rawparticipants: {} + replacePlaybook: {} + riskscore: {} + roles: {} + sectorofaffectedparty: {} + severity: {} + signature: {} + sizenumberofemployees: {} + sizeturnover: {} + sla: {} + slaField: {} + src: {} + srcntdomain: {} + srcuser: {} + systems: {} + telephoneno: {} + type: {} + user: {} + vendorid: {} + vendorproduct: {} + vulnerabilitycategory: {} + whereisdatahosted: {} + separatecontext: false + view: |- + { + "position": { + "x": 490, + "y": 600 + } + } + note: false + timertriggers: [] + ignoreworker: false + "4": + id: "4" + taskid: 8185a734-72c0-4461-83d4-774c4cc8652a + type: regular + task: + id: 8185a734-72c0-4461-83d4-774c4cc8652a + version: -1 + name: Search for any untracked ExtraHop Detections + description: Searches Demisto incidents for any ExtraHop Detections that are + untracked. + scriptName: SearchIncidents + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "10" + scriptarguments: + details: {} + fromclosedate: {} + fromdate: {} + fromduedate: {} + id: {} + level: {} + name: {} + notstatus: {} + owner: {} + page: {} + query: + simple: type:"ExtraHop Detection" and incident.detectionticketed:F and incident.created:>="1 + day ago" + reason: {} + size: {} + sort: {} + status: {} + toclosedate: {} + todate: {} + toduedate: {} + type: {} + separatecontext: false + view: |- + { + "position": { + "x": 170, + "y": 770 + } + } + note: false + timertriggers: [] + ignoreworker: false + "6": + id: "6" + taskid: 75eb04ec-c770-4120-8d70-56513ce2201b + type: regular + task: + id: 75eb04ec-c770-4120-8d70-56513ce2201b + version: -1 + name: Mark the incident as tracked + description: Update the incident to reflect the Detection Ticketed status. + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "2" + scriptarguments: + addLabels: {} + affecteddata: {} + affecteddatatype: {} + affectedindividualscontactinformation: {} + app: {} + approximatenumberofaffecteddatasubjects: {} + assetid: {} + attachmentcount: {} + attachmentextension: {} + attachmenthash: {} + attachmentid: {} + attachmentname: {} + attachmentsize: {} + attachmenttype: {} + bugtraq: {} + city: {} + closeNotes: {} + closeReason: {} + companyaddress: {} + companycity: {} + companycountry: {} + companyhasinsuranceforthebreach: {} + companyname: {} + companypostalcode: {} + contactaddress: {} + contactname: {} + country: {} + countrywherebusinesshasitsmainestablishment: {} + countrywherethebreachtookplace: {} + customFields: {} + cve: {} + cvss: {} + dataencryptionstatus: {} + datetimeofthebreach: {} + deleteEmptyField: {} + dest: {} + destntdomain: {} + details: {} + detectionendtime: {} + detectionid: {} + detectionticketed: + simple: "true" + detectionupdatetime: {} + detectionurl: {} + dpoemailaddress: {} + duration: {} + emailaddress: {} + emailbcc: {} + emailbody: {} + emailbodyformat: {} + emailbodyhtml: {} + emailcc: {} + emailclientname: {} + emailfrom: {} + emailhtml: {} + emailinreplyto: {} + emailkeywords: {} + emailmessageid: {} + emailreceived: {} + emailreplyto: {} + emailreturnpath: {} + emailsenderip: {} + emailsize: {} + emailsource: {} + emailsubject: {} + emailto: {} + emailtocount: {} + emailurlclicked: {} + extrahopapplianceid: {} + extrahophostname: {} + filehash: {} + filename: {} + filepath: {} + id: + simple: ${ExtraHop.TicketId} + isthedatasubjecttodpia: {} + labels: {} + likelyimpact: {} + maliciouscauseifthecauseisamaliciousattack: {} + malwarefamily: {} + measurestomitigate: {} + name: {} + occurred: {} + owner: {} + participants: {} + phase: {} + possiblecauseofthebreach: {} + postalcode: {} + rawparticipants: {} + replacePlaybook: {} + riskscore: {} + roles: {} + sectorofaffectedparty: {} + severity: {} + signature: {} + sizenumberofemployees: {} + sizeturnover: {} + sla: {} + slaField: {} + src: {} + srcntdomain: {} + srcuser: {} + systems: {} + telephoneno: {} + type: {} + user: {} + vendorid: {} + vendorproduct: {} + vulnerabilitycategory: {} + whereisdatahosted: {} + separatecontext: false + view: |- + { + "position": { + "x": 170, + "y": 1465 + } + } + note: false + timertriggers: [] + ignoreworker: false + "7": + id: "7" + taskid: 50b89e52-0733-477b-8929-8b595f704ca4 + type: regular + task: + id: 50b89e52-0733-477b-8929-8b595f704ca4 + version: -1 + name: Track the incident status in ExtraHop Reveal(x) + description: Link the ExtraHop Detection to the corresponding Demisto Investigation. This + uses the ExtraHop ticket tracking functionality to properly display ticket + status within ExtraHop. + script: '|||extrahop-track-ticket' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + detection_id: + simple: ${incident.detectionid} + incident_close_reason: + simple: ${incident.closeReason} + incident_id: + simple: ${incident.id} + incident_owner: + simple: ${incident.owner} + incident_status: + simple: ${incident.status} + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 490, + "y": 230 + } + } + note: false + timertriggers: [] + ignoreworker: false + "9": + id: "9" + taskid: 40271f8c-840d-4e71-86c5-57a28bc24aea + type: condition + task: + id: 40271f8c-840d-4e71-86c5-57a28bc24aea + version: -1 + name: Are the required fields present? + description: Checks if the required detection and incident IDs are present. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "4" + "yes": + - "7" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: incident.id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: incident.detectionid + iscontext: true + view: |- + { + "position": { + "x": 170, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + "10": + id: "10" + taskid: 76071ff8-9c4d-494d-8b73-aa4368199fb5 + type: condition + task: + id: 76071ff8-9c4d-494d-8b73-aa4368199fb5 + version: -1 + name: Were there any incidents found? + description: Checks if there were any untracked ExtraHop Detections found. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "1" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: foundIncidents.id + iscontext: true + view: |- + { + "position": { + "x": 170, + "y": 930 + } + } + note: false + timertriggers: [] + ignoreworker: false + "11": + id: "11" + taskid: e553a569-662c-460e-87f0-f69efaf2901a + type: condition + task: + id: e553a569-662c-460e-87f0-f69efaf2901a + version: -1 + name: Was the incident successfully tracked? + description: Check if the ticket tracking was successful. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "4" + "yes": + - "3" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: ExtraHop.TicketId + iscontext: true + view: |- + { + "position": { + "x": 490, + "y": 390 + } + } + note: false + timertriggers: [] + ignoreworker: false + "12": + id: "12" + taskid: 624c3b07-31d8-45ca-8f6f-332974515fef + type: condition + task: + id: 624c3b07-31d8-45ca-8f6f-332974515fef + version: -1 + name: Was the incident successfully tracked? + description: Check if the ticket tracking was successful. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "6" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: ExtraHop.TicketId + iscontext: true + view: |- + { + "position": { + "x": 170, + "y": 1275 + } + } + note: false + timertriggers: [] + ignoreworker: false + "13": + id: "13" + taskid: 1619242b-d813-4dfb-8801-cd45a61906f3 + type: regular + task: + id: 1619242b-d813-4dfb-8801-cd45a61906f3 + version: -1 + name: Assign an ExtraHop analyst to the incident + description: Assign an analyst randomly from the pool of users with the ExtraHop + role. + scriptName: AssignAnalystToIncident + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + assignBy: {} + email: {} + roles: + simple: ExtraHop + username: {} + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 170, + "y": -110 + } + } + note: false + timertriggers: [] + ignoreworker: false + "15": + id: "15" + taskid: dffb9228-cc49-4adf-88f5-13001f85ba70 + type: condition + task: + id: dffb9228-cc49-4adf-88f5-13001f85ba70 + version: -1 + name: Is ExtraHop Reveal(x) enabled? + description: Checks if there is an active instance of the ExtraHop Reveal(x) + integration enabled. + scriptName: Exists + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "13" + scriptarguments: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: brand + iscontext: true + right: + value: + simple: ExtraHop v2 + - - operator: isEqualString + left: + value: + simple: state + iscontext: true + right: + value: + simple: active + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": -320 + } + } + note: false + timertriggers: [] + ignoreworker: false +view: |- + { + "linkLabelsPosition": { + "10_1_yes": 0.42, + "10_2_#default#": 0.2, + "11_3_yes": 0.49, + "11_4_#default#": 0.45, + "12_2_#default#": 0.31, + "12_6_yes": 0.47, + "15_13_yes": 0.55, + "15_2_#default#": 0.1, + "9_4_#default#": 0.31, + "9_7_yes": 0.44 + }, + "paper": { + "dimensions": { + "height": 2165, + "width": 970, + "x": -100, + "y": -460 + } + } + } +inputs: [] +outputs: [] +tests: +- ExtraHop_v2-Test \ No newline at end of file diff --git a/Scripts/ExtraHopTrackIncidents/ExtraHopTrackIncidents.py b/Scripts/ExtraHopTrackIncidents/ExtraHopTrackIncidents.py new file mode 100644 index 000000000000..3450b453ffb7 --- /dev/null +++ b/Scripts/ExtraHopTrackIncidents/ExtraHopTrackIncidents.py @@ -0,0 +1,42 @@ +import demistomock as demisto +from CommonServerPython import * +dArgs = demisto.args() +incidents = demisto.incidents() +if incidents: + incident = incidents[0] + + # Only track the incident if it's an ExtraHop Detection + if incident.get('type') == 'ExtraHop Detection': + + if incident.get('id') or incident.get('investigationId'): + + args = { + 'incident_id': incident.get('id') or incident.get('investigationId'), + 'detection_id': incident.get('CustomFields', {}).get('detectionid', None), + 'incident_owner': incident.get('owner', None), + 'incident_status': incident.get('status', None), + 'incident_close_reason': incident.get('closeReason', None) + } + + # Field Trigger value change + if 'name' in dArgs: + if dArgs['name'] == 'owner': + args['incident_owner'] = dArgs['new'] + elif dArgs['name'] == 'status': + args['incident_status'] = dArgs['new'] + + track_ticket = demisto.executeCommand("extrahop-track-ticket", args)[0] + + if isError(track_ticket): + demisto.results(track_ticket) + else: + demisto.results({ + "Type": entryTypes["note"], + "ContentsFormat": formats["text"], + "Contents": track_ticket['Contents'] + }) + + else: + return_warning("Could not identify the Incident ID or Investigation ID.") +else: + return_warning("No Incidents to process.") diff --git a/Scripts/ExtraHopTrackIncidents/ExtraHopTrackIncidents.yml b/Scripts/ExtraHopTrackIncidents/ExtraHopTrackIncidents.yml new file mode 100644 index 000000000000..bcdcb425faad --- /dev/null +++ b/Scripts/ExtraHopTrackIncidents/ExtraHopTrackIncidents.yml @@ -0,0 +1,23 @@ +commonfields: + id: ExtraHopTrackIncidents + version: -1 +name: ExtraHopTrackIncidents +type: python +tags: +- incidents +- ExtraHop +- field-change-triggered +comment: Links an incident investigation back to the ExtraHop Detection that created + it. +script: '-' +system: false +enabled: true +scripttarget: 0 +dependson: + must: + - 'ExtraHop v2|||extrahop-track-ticket' +runonce: false +dockerimage: demisto/python3:3.7.2.200 +runas: DBotWeakRole +tests: +- ExtraHop_v2-Test \ No newline at end of file diff --git a/TestPlaybooks/playbook-ExtraHop_v2-Test.yml b/TestPlaybooks/playbook-ExtraHop_v2-Test.yml new file mode 100644 index 000000000000..61b35d542ec8 --- /dev/null +++ b/TestPlaybooks/playbook-ExtraHop_v2-Test.yml @@ -0,0 +1,549 @@ +id: ExtraHop_v2-Test +version: -1 +name: ExtraHop_v2-Test +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 7f000fa5-26f6-4fc5-8a2e-1a42ae7464ca + type: start + task: + id: 7f000fa5-26f6-4fc5-8a2e-1a42ae7464ca + version: -1 + name: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 30 + } + } + note: false + timertriggers: [] + ignoreworker: false + "5": + id: "5" + taskid: c5914d68-d75f-4cf1-8447-d06cfc3f1d6c + type: condition + task: + id: c5914d68-d75f-4cf1-8447-d06cfc3f1d6c + version: -1 + name: Found alert rules? + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "12" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: greaterThan + left: + value: + complex: + root: ExtraHop + accessor: Alert + transformers: + - operator: count + iscontext: true + right: + value: + simple: "0" + - - operator: isExists + left: + value: + simple: ExtraHop.Alert.[0].Id + iscontext: true + view: |- + { + "position": { + "x": 450, + "y": 360 + } + } + note: false + timertriggers: [] + ignoreworker: false + "6": + id: "6" + taskid: 64e466a2-2800-4a1f-8e46-292ad44dd60b + type: condition + task: + id: 64e466a2-2800-4a1f-8e46-292ad44dd60b + version: -1 + name: Found advanced analysis device? + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "19" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: ExtraHop + accessor: '[1].Device' + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: advanced + field: + value: + simple: Analysis + getField: {} + iscontext: true + view: |- + { + "position": { + "x": 450, + "y": 740 + } + } + note: false + timertriggers: [] + ignoreworker: false + "8": + id: "8" + taskid: af552a3a-b4c3-4130-81a3-c31c46ff4dfc + type: condition + task: + id: af552a3a-b4c3-4130-81a3-c31c46ff4dfc + version: -1 + name: Verify the device is on the watchlist + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isTrue + left: + value: + simple: ExtraHop.[2].Device.[0].OnWatchlist + iscontext: true + view: |- + { + "position": { + "x": 450, + "y": 1230 + } + } + note: false + timertriggers: [] + ignoreworker: false + "9": + id: "9" + taskid: 30ffa3d3-e040-4317-8a21-494b81d8131e + type: regular + task: + id: 30ffa3d3-e040-4317-8a21-494b81d8131e + version: -1 + name: Add a device to the watchlist + description: Add a device to the watchlist in ExtraHop. + script: ExtraHop v2|||extrahop-edit-watchlist + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "10" + scriptarguments: + add: + simple: ${ExtraHop.[1].Device.[0].Id} + remove: {} + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 1420 + } + } + note: false + timertriggers: [] + ignoreworker: false + "10": + id: "10" + taskid: 0ed6f37c-f1e3-4b95-8742-49f0b95af49e + type: regular + task: + id: 0ed6f37c-f1e3-4b95-8742-49f0b95af49e + version: -1 + name: Remove a device from the watchlist + description: Remove a device from the watchlist in ExtraHop. + script: ExtraHop v2|||extrahop-edit-watchlist + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "14" + scriptarguments: + add: {} + remove: + simple: ${ExtraHop.[1].Device.[0].Id} + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 1600 + } + } + note: false + timertriggers: [] + ignoreworker: false + "11": + id: "11" + taskid: 4ab78872-d011-4e67-8fe0-ac7054ae0c36 + type: regular + task: + id: 4ab78872-d011-4e67-8fe0-ac7054ae0c36 + version: -1 + name: Get ExtraHop alert rules + description: Get all alert rules from ExtraHop. + script: ExtraHop v2|||extrahop-get-alerts + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "5" + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 180 + } + } + note: false + timertriggers: [] + ignoreworker: false + "12": + id: "12" + taskid: f2af6df9-e437-4663-897e-2d6a90172172 + type: regular + task: + id: f2af6df9-e437-4663-897e-2d6a90172172 + version: -1 + name: Search ExtraHop for devices + description: Search for devices in ExtraHop. + script: ExtraHop v2|||extrahop-device-search + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "6" + scriptarguments: + active_from: {} + active_until: {} + activity: {} + discover_time: {} + ip: {} + l3_only: + simple: "true" + limit: + simple: "500" + mac: {} + match_type: {} + name: {} + operator: {} + role: {} + software: {} + tag: {} + vendor: {} + vlan: {} + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 560 + } + } + note: false + timertriggers: [] + ignoreworker: false + "13": + id: "13" + taskid: 3fdedbab-98ff-4782-8fb1-63eaa0fb2a41 + type: regular + task: + id: 3fdedbab-98ff-4782-8fb1-63eaa0fb2a41 + version: -1 + name: Get all devices on the ExtraHop watchlist + description: Get all devices on the watchlist in ExtraHop. + script: ExtraHop v2|||extrahop-get-watchlist + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "8" + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 1060 + } + } + note: false + timertriggers: [] + ignoreworker: false + "14": + id: "14" + taskid: c89e7963-96bc-4970-8299-81aaf8f66e3f + type: regular + task: + id: c89e7963-96bc-4970-8299-81aaf8f66e3f + version: -1 + name: Get the peer devices of the test device + description: Get all peers for a device from ExtraHop. + script: ExtraHop v2|||extrahop-get-peers + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "15" + scriptarguments: + ip_or_id: + simple: ${EHTestDeviceId} + peer_role: {} + protocol: {} + query_from: {} + query_until: {} + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 1780 + } + } + note: false + timertriggers: [] + ignoreworker: false + "15": + id: "15" + taskid: 6880ce11-be62-4af3-8f1b-9f89ebea9bc8 + type: regular + task: + id: 6880ce11-be62-4af3-8f1b-9f89ebea9bc8 + version: -1 + name: Get the network protocols of the test device + script: ExtraHop v2|||extrahop-get-protocols + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "16" + scriptarguments: + ip_or_id: + simple: ${EHTestDeviceId} + query_from: {} + query_until: {} + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 1970 + } + } + note: false + timertriggers: [] + ignoreworker: false + "16": + id: "16" + taskid: 3c114d9f-7a77-4510-885c-cc9e992e421b + type: regular + task: + id: 3c114d9f-7a77-4510-885c-cc9e992e421b + version: -1 + name: Get a link to an activity map of the test device + description: Get a link to a Live Activity Map in ExtraHop. + script: ExtraHop v2|||extrahop-get-activity-map + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "17" + scriptarguments: + from_time: {} + ip_or_id: + simple: ${EHTestDeviceId} + peer_role: {} + protocol: {} + time_interval: {} + until_time: {} + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 2160 + } + } + note: false + timertriggers: [] + ignoreworker: false + "17": + id: "17" + taskid: ef005a03-a034-43d3-8151-9428203d99ee + type: regular + task: + id: ef005a03-a034-43d3-8151-9428203d99ee + version: -1 + name: Add a tag on the test device + description: Add a tag from a device in ExtraHop. + script: ExtraHop v2|||extrahop-tag-devices + type: regular + iscommand: true + brand: ExtraHop v2 + nexttasks: + '#none#': + - "18" + scriptarguments: + add: + simple: ${EHTestDeviceId} + remove: {} + tag: + simple: test-playbook + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 2360 + } + } + note: false + timertriggers: [] + ignoreworker: false + "18": + id: "18" + taskid: 7f70cf49-7724-47c4-8efe-4cbe2976d298 + type: regular + task: + id: 7f70cf49-7724-47c4-8efe-4cbe2976d298 + version: -1 + name: Remove a tag from the test device + description: Remove a tag from a device in ExtraHop. + script: ExtraHop v2|||extrahop-tag-devices + type: regular + iscommand: true + brand: ExtraHop v2 + scriptarguments: + add: {} + remove: + simple: ${EHTestDeviceId} + tag: + simple: test-playbook + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 2560 + } + } + note: false + timertriggers: [] + ignoreworker: false + "19": + id: "19" + taskid: 610c4350-db3d-4543-8f47-eed73657b134 + type: regular + task: + id: 610c4350-db3d-4543-8f47-eed73657b134 + version: -1 + name: Set test device ID to context + description: Sets a value into the context with the given context key + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "13" + scriptarguments: + append: {} + key: + simple: EHTestDeviceId + value: + complex: + root: ExtraHop + accessor: '[1].Device' + transformers: + - operator: WhereFieldEquals + args: + equalTo: + value: + simple: advanced + field: + value: + simple: Analysis + getField: + value: + simple: Id + - operator: slice + args: + from: + value: + simple: "0" + to: + value: + simple: "1" + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 900 + } + } + note: false + timertriggers: [] + ignoreworker: false +view: |- + { + "linkLabelsPosition": { + "5_12_yes": 0.5, + "8_9_yes": 0.36 + }, + "paper": { + "dimensions": { + "height": 2625, + "width": 380, + "x": 450, + "y": 30 + } + } + } +inputs: [] +outputs: [] diff --git a/Tests/conf.json b/Tests/conf.json index 48a59d8f33da..4f8be91c1814 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -208,6 +208,10 @@ "integrations": "ExtraHop", "playbookID": "ExtraHop-Test" }, + { + "integrations": "ExtraHop v2", + "playbookID": "ExtraHop_v2-Test" + }, { "playbookID": "Test CommonServer" }, diff --git a/Tests/secrets_white_list.json b/Tests/secrets_white_list.json index a2e84a50fa10..2f89ca6f3b2a 100644 --- a/Tests/secrets_white_list.json +++ b/Tests/secrets_white_list.json @@ -208,7 +208,12 @@ "123.176.102.168", "1.1.1.69", "5.6.4.1", - "18.219.190.57" + "18.219.190.57", + "172.16.34.231", + "172.16.34.161", + "172.16.34.152", + "172.16.34.11", + "172.16.34.23" ], "ipv6": [ "2603:10b6:208:160::47", @@ -1100,7 +1105,10 @@ "http://www.msn.com", "http://schemas.openxmlformats.org", "http://upper-int.ru", - "walla.com" + "walla.com", + "docs.extrahop.com", + "extrahop.com", + "test1.extrahop.com" ], "md5": [ "c8092abd8d581750c0530fa1fc8d8318", diff --git a/release_notes.py b/release_notes.py index f4de151c85a2..c0797f1fc26b 100644 --- a/release_notes.py +++ b/release_notes.py @@ -33,6 +33,7 @@ "close": "Close", "quickView": "Quick View", "indicatorsDetails": "Indicator Details", + "mobile": "Mobile", } RELEASE_NOTES_ORDER = [INTEGRATIONS_DIR, SCRIPTS_DIR, PLAYBOOKS_DIR, REPORTS_DIR,