ExtraHop Reveal(x) 360
Overview
ExtraHop Reveal(x) 360 is a cloud-based network detection and response platform offering protection and detections for on-premises and cloud environments. In this documentation we will explain how to collect and send Reveal(x) 360 events to Sekoia.io.
- Vendor: ExtraHop
- Supported environment: Cloud
- Detection based on: Telemetry, Alert
Configure
Prerequisites
- System and access administration privileges for ExtraHop Reveal(x) 360
- Access to Sekoia.io Intakes and Playbook pages with write permissions
How to create REST API credentials
- Log in to Reveal(x) 360.
- Click the System Settings icon at the top right of the page and then click All Administration.
- Click API Access.
- Click Create Credentials.
- In the Name field, type a name for the credentials.
- In the Privileges field, specify a privilege level for the credentials.
Note
The privilege level determines which actions can be performed with the credential. Do not grant more privileges to REST API credentials than needed because it can create a security risk. For example, applications that only retrieve metrics should not be granted credentials that grant administrative privileges. For more information about each privilege level, see User privileges.
Note
System and Access Administration privileges are similar to Full write privileges and allow the credentials to connect self-managed sensors and Trace appliances to Reveal(x) 360.
- In the Packet Access field, specify whether you can retrieve packets and session keys with the credentials.
- Click Save. The Copy REST API Credentials pane appears.
- Under ID, click Copy to Clipboard and save the ID to your local machine.
- Under Secret, click Copy to Clipboard and save the secret to your local machine.
Important
The secret cannot be viewed or retrieved later.
- Click Done.
Create your intake
- Go to the intake page and create a new intake from the
ExtraHop Reveal(x) 360. - Copy the associated Intake key
Pull the logs to collect them on Sekoia.io
Go to the Sekoia.io playbook page, and follow these steps:
- Click on + PLAYBOOK button to create a new one
- Select Create a playbook from scratch
- Give it a name in the field Name
- Open the left panel, click ExtraHop then select the trigger
Fetch new alerts from ExtraHop Reveal(x) 360 -
Click on Create
-
Create a Module configuration using your REST API credentials created on the How to create REST API credentials step. Name the module configuration as you wish
- Create a Trigger configuration and Type the
Intake keycreated on the previous step - Click on the Save button
- Activate the playbook with the toggle button on the top right corner of the page
Enjoy your events on the Events page
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"id": 22222222222,
"start_time": 1701379823296,
"update_time": 1706720536009,
"mod_time": 1706720577690,
"title": "Deprecated SSL/TLS Versions",
"description": "db1\\.example\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.",
"risk_score": 30,
"type": "deprecated_ssl_tls_individual",
"recommended_factors": [],
"recommended": false,
"categories": [
"sec",
"sec.hardening"
],
"properties": {
"version": "TLSv1.0"
},
"participants": [
{
"role": "offender",
"object_id": 33333333333,
"object_type": "device",
"object_value": "1.2.3.5",
"hostname": "db1.example.org",
"id": 2222,
"external": false,
"scanner_service": null
}
],
"ticket_id": null,
"assignee": null,
"status": null,
"resolution": null,
"mitre_tactics": [],
"mitre_techniques": [],
"appliance_id": 3,
"is_user_created": false
}
{
"id": 11111111111,
"start_time": 1701270240000,
"update_time": 1706720850000,
"mod_time": 1706720877879,
"title": "LLMNR Activity",
"description": "[db3\\.example\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.",
"risk_score": 30,
"type": "llmnr_activity_individual",
"recommended_factors": [],
"recommended": false,
"categories": [
"sec",
"sec.hardening"
],
"properties": {},
"participants": [
{
"role": "offender",
"object_id": 44444444444,
"object_type": "device",
"id": 3333,
"external": false,
"scanner_service": null
}
],
"ticket_id": null,
"assignee": null,
"status": null,
"resolution": null,
"mitre_tactics": [],
"mitre_techniques": [],
"appliance_id": 3,
"is_user_created": false
}
{
"id": 33333333333,
"start_time": 1701379823296,
"update_time": 1706720535987,
"mod_time": 1706720577690,
"title": "Weak Cipher Suite",
"description": "[db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.",
"risk_score": 30,
"type": "weak_cipher_individual",
"recommended_factors": [],
"recommended": false,
"categories": [
"sec",
"sec.hardening"
],
"properties": {
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
},
"participants": [
{
"role": "offender",
"object_id": 44444444444,
"object_type": "device",
"object_value": "1.2.3.4",
"hostname": "db1.example.org",
"id": 2657,
"external": false,
"scanner_service": null
}
],
"ticket_id": null,
"assignee": null,
"status": null,
"resolution": null,
"mitre_tactics": [],
"mitre_techniques": [],
"appliance_id": 3,
"is_user_created": false
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake ExtraHop Reveal(x) 360. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x ExtraHop Reveal(x) 360 on ATT&CK Navigator
Account Added To A Security Enabled Group
Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)
- Effort: master
Computer Account Deleted
Detects computer account deletion.
- Effort: master
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.
- Effort: advanced
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity
ExtraHop Reveal(x) 360 raised an intrusion detection alert with critical severity.
- Effort: master
ExtraHop Reveal(x) 360 Intrusion Detection High Severity
ExtraHop Reveal(x) 360 raised an intrusion detection alert with high severity.
- Effort: master
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
Possible Replay Attack
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
- Effort: intermediate
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
User Account Created
Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Network protocol analysis |
None |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | intrusion_detection |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"id\": 22222222222, \"start_time\": 1701379823296, \"update_time\": 1706720536009, \"mod_time\": 1706720577690, \"title\": \"Deprecated SSL/TLS Versions\", \"description\": \"db1\\\\.example\\\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.\", \"risk_score\": 30, \"type\": \"deprecated_ssl_tls_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {\"version\": \"TLSv1.0\"}, \"participants\": [{\"role\": \"offender\", \"object_id\": 33333333333, \"object_type\": \"device\", \"object_value\": \"1.2.3.5\", \"hostname\": \"db1.example.org\", \"id\": 2222, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
"event": {
"category": [
"intrusion_detection"
],
"code": "deprecated_ssl_tls_individual",
"kind": "alert",
"reason": "db1\\.example\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.",
"risk_score": 30,
"start": "2023-11-30T21:30:23.296000Z",
"type": [
"info"
]
},
"@timestamp": "2024-01-31T17:02:57.690000Z",
"extrahop": {
"revealx360": {
"categories": [
"sec",
"sec.hardening"
],
"id": "22222222222",
"title": "Deprecated SSL/TLS Versions"
}
},
"host": {
"id": "33333333333",
"ip": [
"1.2.3.5"
],
"name": "db1.example.org"
},
"observer": {
"product": "Reveal(x) 360",
"vendor": "Extrahop"
},
"related": {
"ip": [
"1.2.3.5"
]
},
"tls": {
"version": "1.0"
}
}
{
"message": "{\"id\": 11111111111, \"start_time\": 1701270240000, \"update_time\": 1706720850000, \"mod_time\": 1706720877879, \"title\": \"LLMNR Activity\", \"description\": \"[db3\\\\.example\\\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.\", \"risk_score\": 30, \"type\": \"llmnr_activity_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {}, \"participants\": [{\"role\": \"offender\", \"object_id\": 44444444444, \"object_type\": \"device\", \"id\": 3333, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
"event": {
"category": [
"intrusion_detection"
],
"code": "llmnr_activity_individual",
"kind": "alert",
"reason": "[db3\\.example\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.",
"risk_score": 30,
"start": "2023-11-29T15:04:00Z",
"type": [
"info"
]
},
"@timestamp": "2024-01-31T17:07:57.879000Z",
"extrahop": {
"revealx360": {
"categories": [
"sec",
"sec.hardening"
],
"id": "11111111111",
"title": "LLMNR Activity"
}
},
"host": {
"id": "44444444444"
},
"observer": {
"product": "Reveal(x) 360",
"vendor": "Extrahop"
}
}
{
"message": "{\"id\": 33333333333, \"start_time\": 1701379823296, \"update_time\": 1706720535987, \"mod_time\": 1706720577690, \"title\": \"Weak Cipher Suite\", \"description\": \"[db1\\\\.example\\\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\\\.example\\\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.\", \"risk_score\": 30, \"type\": \"weak_cipher_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {\"cipher_suite\": \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\"}, \"participants\": [{\"role\": \"offender\", \"object_id\": 44444444444, \"object_type\": \"device\", \"object_value\": \"1.2.3.4\", \"hostname\": \"db1.example.org\", \"id\": 2657, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
"event": {
"category": [
"intrusion_detection"
],
"code": "weak_cipher_individual",
"kind": "alert",
"reason": "[db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.",
"risk_score": 30,
"start": "2023-11-30T21:30:23.296000Z",
"type": [
"info"
]
},
"@timestamp": "2024-01-31T17:02:57.690000Z",
"extrahop": {
"revealx360": {
"categories": [
"sec",
"sec.hardening"
],
"id": "33333333333",
"title": "Weak Cipher Suite"
}
},
"host": {
"id": "44444444444",
"ip": [
"1.2.3.4"
],
"name": "db1.example.org"
},
"observer": {
"product": "Reveal(x) 360",
"vendor": "Extrahop"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"tls": {
"cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.code |
keyword |
Identification code for this event. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.risk_score |
float |
Risk score or priority of the event (e.g. security solutions). Use your system's original value here. |
event.risk_score_norm |
float |
Normalized risk score or priority of the event (0-100). |
event.start |
date |
event.start contains the date when the event started or when the activity was first observed. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
extrahop.revealx360.categories |
keyword |
|
extrahop.revealx360.id |
keyword |
|
extrahop.revealx360.title |
keyword |
|
host.id |
keyword |
Unique host id. |
host.ip |
ip |
Host ip addresses. |
host.name |
keyword |
Name of the host. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
tls.cipher |
keyword |
String indicating the cipher used during the current connection. |
tls.version |
keyword |
Numeric part of the version parsed from the original string. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.