ExtraHop Reveal(x) 360
Overview
ExtraHop Reveal(x) 360 is a cloud-based network detection and response platform offering protection and detections for on-premises and cloud environments.
In this documenation we will explain how to collect and send Reveal(x) 360 events to Sekoia.io.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake ExtraHop Reveal(x) 360. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x ExtraHop Reveal(x) 360 on ATT&CK Navigator
Account Added To A Security Enabled Group
Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)
- Effort: master
Computer Account Deleted
Detects computer account deletion.
- Effort: master
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.
- Effort: advanced
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
Possible Replay Attack
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
- Effort: intermediate
User Account Created
Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Network protocol analysis |
None |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | intrusion_detection |
| Type | info |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"id\": 22222222222, \"start_time\": 1701379823296, \"update_time\": 1706720536009, \"mod_time\": 1706720577690, \"title\": \"Deprecated SSL/TLS Versions\", \"description\": \"db1\\\\.example\\\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.\", \"risk_score\": 30, \"type\": \"deprecated_ssl_tls_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {\"version\": \"TLSv1.0\"}, \"participants\": [{\"role\": \"offender\", \"object_id\": 33333333333, \"object_type\": \"device\", \"object_value\": \"1.2.3.5\", \"hostname\": \"db1.example.org\", \"id\": 2222, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
"event": {
"category": [
"intrusion_detection"
],
"code": "deprecated_ssl_tls_individual",
"kind": "alert",
"reason": "db1\\.example\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.",
"risk_score": 30,
"start": "2023-11-30T21:30:23.296000Z",
"type": [
"info"
]
},
"@timestamp": "2024-01-31T17:02:57.690000Z",
"extrahop": {
"revealx360": {
"categories": [
"sec",
"sec.hardening"
],
"id": "22222222222",
"title": "Deprecated SSL/TLS Versions"
}
},
"host": {
"id": "33333333333",
"ip": [
"1.2.3.5"
],
"name": "db1.example.org"
},
"observer": {
"product": "Reveal(x) 360",
"vendor": "Extrahop"
},
"related": {
"ip": [
"1.2.3.5"
]
},
"tls": {
"version": "1.0"
}
}
{
"message": "{\"id\": 11111111111, \"start_time\": 1701270240000, \"update_time\": 1706720850000, \"mod_time\": 1706720877879, \"title\": \"LLMNR Activity\", \"description\": \"[db3\\\\.example\\\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.\", \"risk_score\": 30, \"type\": \"llmnr_activity_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {}, \"participants\": [{\"role\": \"offender\", \"object_id\": 44444444444, \"object_type\": \"device\", \"id\": 3333, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
"event": {
"category": [
"intrusion_detection"
],
"code": "llmnr_activity_individual",
"kind": "alert",
"reason": "[db3\\.example\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.",
"risk_score": 30,
"start": "2023-11-29T15:04:00Z",
"type": [
"info"
]
},
"@timestamp": "2024-01-31T17:07:57.879000Z",
"extrahop": {
"revealx360": {
"categories": [
"sec",
"sec.hardening"
],
"id": "11111111111",
"title": "LLMNR Activity"
}
},
"host": {
"id": "44444444444"
},
"observer": {
"product": "Reveal(x) 360",
"vendor": "Extrahop"
}
}
{
"message": "{\"id\": 33333333333, \"start_time\": 1701379823296, \"update_time\": 1706720535987, \"mod_time\": 1706720577690, \"title\": \"Weak Cipher Suite\", \"description\": \"[db1\\\\.example\\\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\\\.example\\\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.\", \"risk_score\": 30, \"type\": \"weak_cipher_individual\", \"recommended_factors\": [], \"recommended\": false, \"categories\": [\"sec\", \"sec.hardening\"], \"properties\": {\"cipher_suite\": \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\"}, \"participants\": [{\"role\": \"offender\", \"object_id\": 44444444444, \"object_type\": \"device\", \"object_value\": \"1.2.3.4\", \"hostname\": \"db1.example.org\", \"id\": 2657, \"external\": false, \"scanner_service\": null}], \"ticket_id\": null, \"assignee\": null, \"status\": null, \"resolution\": null, \"mitre_tactics\": [], \"mitre_techniques\": [], \"appliance_id\": 3, \"is_user_created\": false}",
"event": {
"category": [
"intrusion_detection"
],
"code": "weak_cipher_individual",
"kind": "alert",
"reason": "[db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.",
"risk_score": 30,
"start": "2023-11-30T21:30:23.296000Z",
"type": [
"info"
]
},
"@timestamp": "2024-01-31T17:02:57.690000Z",
"extrahop": {
"revealx360": {
"categories": [
"sec",
"sec.hardening"
],
"id": "33333333333",
"title": "Weak Cipher Suite"
}
},
"host": {
"id": "44444444444",
"ip": [
"1.2.3.4"
],
"name": "db1.example.org"
},
"observer": {
"product": "Reveal(x) 360",
"vendor": "Extrahop"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"tls": {
"cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.code |
keyword |
Identification code for this event. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.risk_score |
float |
Risk score or priority of the event (e.g. security solutions). Use your system's original value here. |
event.risk_score_norm |
float |
Normalized risk score or priority of the event (0-100). |
event.start |
date |
event.start contains the date when the event started or when the activity was first observed. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
extrahop.revealx360.categories |
keyword |
|
extrahop.revealx360.id |
keyword |
|
extrahop.revealx360.title |
keyword |
|
host.id |
keyword |
Unique host id. |
host.ip |
ip |
Host ip addresses. |
host.name |
keyword |
Name of the host. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
tls.cipher |
keyword |
String indicating the cipher used during the current connection. |
tls.version |
keyword |
Numeric part of the version parsed from the original string. |
Configure
Prerequisites
- System and access administration privileges for ExtraHop Reveal(x) 360
- Access to Sekoia.io Intakes and Playbook pages with write permissions
How to create REST API credentials
- Log in to Reveal(x) 360.
- Click the System Settings icon at the top right of the page and then click All Administration.
- Click API Access.
- Click Create Credentials.
- In the Name field, type a name for the credentials.
- In the Privileges field, specify a privilege level for the credentials.
Note
The privilege level determines which actions can be performed with the credential. Do not grant more privileges to REST API credentials than needed because it can create a security risk. For example, applications that only retrieve metrics should not be granted credentials that grant administrative privileges. For more information about each privilege level, see User privileges.
Note
System and Access Administration privileges are similar to Full write privileges and allow the credentials to connect self-managed sensors and Trace appliances to Reveal(x) 360.
- In the Packet Access field, specify whether you can retrieve packets and session keys with the credentials.
- Click Save. The Copy REST API Credentials pane appears.
- Under ID, click Copy to Clipboard and save the ID to your local machine.
- Under Secret, click Copy to Clipboard and save the secret to your local machine.
Important
The secret cannot be viewed or retrieved later.
- Click Done.
Create your intake
- Go to the intake page and create a new intake from the
ExtraHop Reveal(x) 360. - Copy the associated Intake key
Pull the logs to collect them on Sekoia.io
Go to the Sekoia.io playbook page, and follow these steps:
- Click on + PLAYBOOK button to create a new one
- Select Create a playbook from scratch
- Give it a name in the field Name
- Open the left panel, click ExtraHop then select the trigger
Fetch new alerts from ExtraHop Reveal(x) 360 -
Click on Create
-
Create a Module configuration using your REST API credentials created on the How to create REST API credentials step. Name the module configuration as you wish
- Create a Trigger configuration and Type the
Intake keycreated on the previous step - Click on the Save button
- Activate the playbook with the toggle button on the top right corner of the page