Skip to content

ExtraHop Reveal(x) 360

Overview

ExtraHop Reveal(x) 360 is a cloud-based network detection and response platform offering protection and detections for on-premises and cloud environments.

In this documenation we will explain how to collect and send Reveal(x) 360 events to Sekoia.io.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

The following Sekoia.io built-in rules match the intake ExtraHop Reveal(x) 360 [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x ExtraHop Reveal(x) 360 [BETA] on ATT&CK Navigator

Account Added To A Security Enabled Group

Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)

  • Effort: master
Account Removed From A Security Enabled Group

Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)

  • Effort: master
Computer Account Deleted

Detects computer account deletion.

  • Effort: master
Domain Trust Created Or Removed

A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.

  • Effort: advanced
Password Change On Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

  • Effort: intermediate
Possible Replay Attack

This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.

  • Effort: intermediate
User Account Created

Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.

  • Effort: master
User Account Deleted

Detects local user deletion

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Network protocol analysis None

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert
Category intrusion_detection
Type info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "{\"id\": 22222222222, \"start_time\": 1701379823296, \"update_time\": 1706720536009, \"mod_time\": 1706720577690, \"title\": \"Deprecated SSL/TLS Versions\", \"description\": \"db1\\\\.example\\\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.\", \"risk_score\": 30, \"type\": \"deprecated_ssl_tls_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {\"version\": \"TLSv1.0\"}, \"participants\": [{\"role\": \"offender\", \"object_id\": 33333333333, \"object_type\": \"device\", \"object_value\": \"1.2.3.5\", \"hostname\": \"db1.example.org\", \"id\": 2222, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "code": "deprecated_ssl_tls_individual",
        "kind": "alert",
        "reason": "db1\\.example\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.",
        "risk_score": 30,
        "start": "2023-11-30T21:30:23.296000Z",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-31T17:02:57.690000Z",
    "extrahop": {
        "revealx360": {
            "categories": [
                "sec",
                "sec.hardening"
            ],
            "id": "22222222222",
            "title": "Deprecated SSL/TLS Versions"
        }
    },
    "host": {
        "id": "33333333333",
        "ip": [
            "1.2.3.5"
        ],
        "name": "db1.example.org"
    },
    "observer": {
        "product": "Reveal(x) 360",
        "vendor": "Extrahop"
    },
    "related": {
        "ip": [
            "1.2.3.5"
        ]
    },
    "tls": {
        "version": "1.0"
    }
}
{
    "message": "{\"id\": 11111111111, \"start_time\": 1701270240000, \"update_time\": 1706720850000, \"mod_time\": 1706720877879, \"title\": \"LLMNR Activity\", \"description\": \"[db3\\\\.example\\\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.\", \"risk_score\": 30, \"type\": \"llmnr_activity_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {}, \"participants\": [{\"role\": \"offender\", \"object_id\": 44444444444, \"object_type\": \"device\", \"id\": 3333, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "code": "llmnr_activity_individual",
        "kind": "alert",
        "reason": "[db3\\.example\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.",
        "risk_score": 30,
        "start": "2023-11-29T15:04:00Z",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-31T17:07:57.879000Z",
    "extrahop": {
        "revealx360": {
            "categories": [
                "sec",
                "sec.hardening"
            ],
            "id": "11111111111",
            "title": "LLMNR Activity"
        }
    },
    "host": {
        "id": "44444444444"
    },
    "observer": {
        "product": "Reveal(x) 360",
        "vendor": "Extrahop"
    }
}
{
    "message": "{\"id\": 33333333333, \"start_time\": 1701379823296, \"update_time\": 1706720535987, \"mod_time\": 1706720577690, \"title\": \"Weak Cipher Suite\", \"description\": \"[db1\\\\.example\\\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\\\.example\\\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.\", \"risk_score\": 30, \"type\": \"weak_cipher_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {\"cipher_suite\": \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\"}, \"participants\": [{\"role\": \"offender\", \"object_id\": 44444444444, \"object_type\": \"device\", \"object_value\": \"1.2.3.4\", \"hostname\": \"db1.example.org\", \"id\": 2657, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "code": "weak_cipher_individual",
        "kind": "alert",
        "reason": "[db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.",
        "risk_score": 30,
        "start": "2023-11-30T21:30:23.296000Z",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-31T17:02:57.690000Z",
    "extrahop": {
        "revealx360": {
            "categories": [
                "sec",
                "sec.hardening"
            ],
            "id": "33333333333",
            "title": "Weak Cipher Suite"
        }
    },
    "host": {
        "id": "44444444444",
        "ip": [
            "1.2.3.4"
        ],
        "name": "db1.example.org"
    },
    "observer": {
        "product": "Reveal(x) 360",
        "vendor": "Extrahop"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "tls": {
        "cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.risk_score float Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
event.risk_score_norm float Normalized risk score or priority of the event (0-100).
event.start date event.start contains the date when the event started or when the activity was first observed.
event.type keyword Event type. The third categorization field in the hierarchy.
extrahop.revealx360.categories keyword
extrahop.revealx360.id keyword
extrahop.revealx360.title keyword
host.id keyword Unique host id.
host.ip ip Host ip addresses.
host.name keyword Name of the host.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
tls.cipher keyword String indicating the cipher used during the current connection.
tls.version keyword Numeric part of the version parsed from the original string.

Configure

Prerequisites

  • System and access administration privileges for ExtraHop Reveal(x) 360
  • Access to Sekoia.io Intakes and Playbook pages with write permissions

How to create REST API credentials

  1. Log in to Reveal(x) 360.
  2. Click the System Settings icon at the top right of the page and then click All Administration.
  3. Click API Access.
  4. Click Create Credentials.
  5. In the Name field, type a name for the credentials.
  6. In the Privileges field, specify a privilege level for the credentials.

Note

The privilege level determines which actions can be performed with the credential. Do not grant more privileges to REST API credentials than needed because it can create a security risk. For example, applications that only retrieve metrics should not be granted credentials that grant administrative privileges. For more information about each privilege level, see User privileges.

Note

System and Access Administration privileges are similar to Full write privileges and allow the credentials to connect self-managed sensors and Trace appliances to Reveal(x) 360.

  1. In the Packet Access field, specify whether you can retrieve packets and session keys with the credentials.
  2. Click Save. The Copy REST API Credentials pane appears.
  3. Under ID, click Copy to Clipboard and save the ID to your local machine.
  4. Under Secret, click Copy to Clipboard and save the secret to your local machine.

Important

The secret cannot be viewed or retrieved later.

  1. Click Done.

Create your intake

  1. Go to the intake page and create a new intake from the ExtraHop Reveal(x) 360.
  2. Copy the associated Intake key

Pull the logs to collect them on Sekoia.io

Go to the Sekoia.io playbook page, and follow these steps:

  • Click on + PLAYBOOK button to create a new one
  • Select Create a playbook from scratch
  • Give it a name in the field Name
  • Open the left panel, click ExtraHop then select the trigger Fetch new alerts from ExtraHop Reveal(x) 360
  • Click on Create

  • Create a Module configuration using your REST API credentials created on the How to create REST API credentials step. Name the module configuration as you wish

  • Create a Trigger configuration and Type the Intake key created on the previous step
  • Click on the Save button
  • Activate the playbook with the toggle button on the top right corner of the page

Enjoy your events on the Events page