ExtraHop Reveal(x) v2

Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.

ExtraHop Reveal(x) Playbooks

  • ExtraHop - Default
  • ExtraHop - CVE-2019-0708 (BlueKeep)
  • ExtraHop - Ticket Tracking
  • ExtraHop - Get Peers by Host

Use Cases

  • Create incidents for every detection that ExtraHop Reveal(x) surfaces in real-time.
  • Enable guided investigation and response through playbooks and automation scripts.
  • Interrogate the ExtraHop Reveal(x) REST API using the simple and powerful Demisto CLI.

Detailed Description

Visit the ExtraHop + Demisto Setup Guide for detailed integration instructions.

Fetch Incidents

Incidents are pushed in via the Demisto REST API by a trigger running on the ExtraHop Reveal(x) appliance.

Configure ExtraHop Reveal(x) on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ExtraHop Reveal(x).
  3. Click Add instance to create and configure a new integration instance.
    • Name: a name to identify the ExtraHop appliance.
    • API Key: the ExtraHop API key generated while configuring the ExtraHop appliance. Treat it as a credential; the commands below require a key with full write privileges.
    • URL: the URL of the ExtraHop appliance including the protocol (e.g. https://).
    • Trust any certificate (Not Secure): when enabled, the integration does not verify the appliance's TLS certificate on REST API requests. Leave it disabled unless the appliance uses a certificate the Demisto server cannot validate; skipping verification exposes the API key to anyone able to intercept the connection.
    • Use System Proxy: whether to route requests through the system-configured proxy.
  4. Click Test to validate the new instance by querying the ExtraHop version from the REST API. If the test fails, check the instance configuration, including the Trust any certificate (Not Secure) setting, for correctness.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get all alert rules: extrahop-get-alert-rules
  2. Query records: extrahop-query-records
  3. Search for devices: extrahop-device-search
  4. Add or remove devices from the watchlist: extrahop-edit-watchlist
  5. Get all devices on the watchlist: extrahop-get-watchlist
  6. Create a new alert rule: extrahop-create-alert-rule
  7. Modify an alert rule: extrahop-edit-alert-rule
  8. Link an ExtraHop Detection to a Demisto Investigation: extrahop-track-ticket
  9. Get all peers for a device: extrahop-get-peers
  10. Get all active network protocols for a device: extrahop-get-protocols
  11. Add or remove a tag from devices: extrahop-tag-devices
  12. Get a link to a Live Activity Map: extrahop-get-activity-map
  13. Search for specific packets: extrahop-search-packets

1. Get all alert rules

Get all alert rules from ExtraHop.

Base Command

extrahop-get-alert-rules

Required Permissions
  • Full write privileges
Input
Argument Name Description Required

Context Output
Path Type Description
ExtraHop.Alert.Operator String The logical operator applied when comparing the value of the operand field to alert conditions.
ExtraHop.Alert.FieldName String The name of the monitored metric.
ExtraHop.Alert.NotifySnmp Boolean Indicates whether to send an SNMP trap when an alert is generated.
ExtraHop.Alert.Operand String The value to compare against alert conditions.
ExtraHop.Alert.IntervalLength Number The length of the alert interval, expressed in seconds.
ExtraHop.Alert.Author String The name of the user that created the alert.
ExtraHop.Alert.Name String The unique, friendly name for the alert.
ExtraHop.Alert.FieldName2 String The second monitored metric when applying a ratio.
ExtraHop.Alert.RefireInterval Number The time interval in which alert conditions are monitored, expressed in seconds.
ExtraHop.Alert.ModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Alert.Units String The interval in which to evaluate the alert condition.
ExtraHop.Alert.ApplyAll Boolean Indicates whether the alert is assigned to all available data sources.
ExtraHop.Alert.Type String The type of alert.
ExtraHop.Alert.FieldOp String The type of comparison between the "field_name" and "field_name2" fields when applying a ratio.
ExtraHop.Alert.Id Number The unique identifier for the alert.
ExtraHop.Alert.Disabled Boolean Indicates whether the alert is disabled.
ExtraHop.Alert.Description String An optional description for the alert.
ExtraHop.Alert.Severity Number The severity level of the alert.
ExtraHop.Alert.StatName String The statistic name for the alert.

Command Example

!extrahop-get-alert-rules

Context Example
{
    "ExtraHop": {
        "Alert": [
            {
                "ApplyAll": false,
                "Author": "ExtraHop",
                "Description": "Alert triggered when ratio of web errors is greater than 5%.",
                "Disabled": true,
                "FieldName": "rsp_error",
                "FieldName2": "rsp",
                "FieldOp": "/",
                "Id": 11,
                "IntervalLength": 30,
                "ModTime": 1522964293585,
                "Name": "Web Error Ratio - Red",
                "NotifySnmp": false,
                "Operand": ".05",
                "Operator": ">",
                "RefireInterval": 300,
                "Severity": 1,
                "StatName": "extrahop.application.http",
                "Type": "threshold",
                "Units": "none"
            },
            {
                "ApplyAll": false,
                "Author": "ExtraHop",
                "Description": "Alert triggered when ratio of web errors is greater than 1%.",
                "Disabled": true,
                "FieldName": "rsp_error",
                "FieldName2": "rsp",
                "FieldOp": "/",
                "Id": 12,
                "IntervalLength": 30,
                "ModTime": 1522964293596,
                "Name": "Web Error Ratio - Orange",
                "NotifySnmp": false,
                "Operand": ".01",
                "Operator": ">",
                "RefireInterval": 300,
                "Severity": 3,
                "StatName": "extrahop.application.http",
                "Type": "threshold",
                "Units": "none"
            }
        ]
    }
}
Human Readable Output

Found 2 Alert(s)

Apply All Author Description Disabled Field Name Field Name2 Field Op Id Interval Length Mod Time Name Notify Snmp Operand Operator Refire Interval Severity Stat Name Type Units
false ExtraHop Alert triggered when ratio of web errors is greater than 5%. true rsp_error rsp / 11 30 1522964293585 Web Error Ratio - Red false .05 > 300 1 extrahop.application.http threshold none
false ExtraHop Alert triggered when ratio of web errors is greater than 1%. true rsp_error rsp / 12 30 1522964293596 Web Error Ratio - Orange false .01 > 300 3 extrahop.application.http threshold none
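
The two rules above are ratio alerts: the value of FieldName is divided (FieldOp) by FieldName2 and the result is compared (Operator) against Operand. The following added example, which is not part of the integration or of ExtraHop's own alerting engine, re-implements that evaluation client-side over constructed metric samples so the field combination can be checked by hand. Only the "/" FieldOp that the example rules use is implemented, a zero denominator is treated as "nothing to compare", and the example assumes that a lower Severity number is more severe (Red is 1, Orange is 3 above).

```python
"""Added example: evaluate ExtraHop threshold/ratio alert rules (in the
ExtraHop.Alert context shape) against metric samples. Not ExtraHop code."""
import operator
from typing import Dict, List, Optional

# The two rules from the extrahop-get-alert-rules context example, trimmed
# to the fields the evaluation needs.
RULES = [
    {"Name": "Web Error Ratio - Red", "Disabled": True, "FieldName": "rsp_error",
     "FieldName2": "rsp", "FieldOp": "/", "Operator": ">", "Operand": ".05",
     "Severity": 1, "Type": "threshold"},
    {"Name": "Web Error Ratio - Orange", "Disabled": True, "FieldName": "rsp_error",
     "FieldName2": "rsp", "FieldOp": "/", "Operator": ">", "Operand": ".01",
     "Severity": 3, "Type": "threshold"},
]

_COMPARE = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
            "<=": operator.le, "=": operator.eq, "==": operator.eq,
            "!=": operator.ne}


def rule_value(rule: Dict, metrics: Dict[str, float]) -> Optional[float]:
    """Value the rule compares: FieldName alone, or FieldName / FieldName2."""
    numerator = metrics[rule["FieldName"]]
    if not rule.get("FieldName2"):
        return float(numerator)
    if rule.get("FieldOp") != "/":
        # Only the ratio operator shown on this page is implemented.
        raise ValueError(f"unsupported FieldOp {rule.get('FieldOp')!r}")
    denominator = metrics[rule["FieldName2"]]
    if not denominator:
        return None  # no responses in the interval: the ratio is undefined
    return numerator / denominator


def evaluate(rule: Dict, metrics: Dict[str, float],
             ignore_disabled: bool = False) -> bool:
    """True when the rule would fire for this interval's metrics."""
    if rule.get("Disabled") and not ignore_disabled:
        return False
    value = rule_value(rule, metrics)
    if value is None:
        return False
    return _COMPARE[rule["Operator"]](value, float(rule["Operand"]))


def fired_rules(rules: List[Dict], metrics: Dict[str, float],
                ignore_disabled: bool = False) -> List[str]:
    """Names of firing rules, most severe first (assumed: lower number = worse)."""
    fired = [r for r in rules if evaluate(r, metrics, ignore_disabled)]
    return [r["Name"] for r in sorted(fired, key=lambda r: r["Severity"])]


# Constructed 30-second interval: 12 HTTP errors out of 400 responses (3%).
SAMPLE_METRICS = {"rsp": 400, "rsp_error": 12}
```

Both rules in the example are Disabled, so with the defaults nothing fires; pass ignore_disabled=True to see which thresholds the sample interval would cross.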

2. Query records

Query records from ExtraHop.

Base Command

extrahop-query-records

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
query_from The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -10m to begin the search with records created 10 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Required
query_until The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. A 0 value specifies that the search will end with records created at the time of the request. A negative value specifies that the search will end with records created at a time in the past relative to the current time. For example, specify -5m to end the search with records created 5 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional
limit The maximum number of entries to return. Optional
offset The number of records to skip in the query results. Optional
field1 The name of the field in the record to be filtered. The query compares field1 to value1 and applies the compare method specified by the operator1 parameter. If the specified field name is ".any", the union of all field values will be searched. If the specified field name is ".ipaddr" or ".port", the client, server, sender, and receiver roles are included in the search. Optional
operator1 The compare method applied when matching value1 against the field1 contents. Optional
value1 The value that the query attempts to match. The query compares this value to the contents of the field1 parameter and applies the compare method specified by the operator1 parameter. Optional
field2 The name of the field in the record to be filtered. The query compares field2 to value2 and applies the compare method specified by the operator2 parameter. If the specified field name is ".any", the union of all field values will be searched. If the specified field name is ".ipaddr" or ".port", the client, server, sender, and receiver roles are included in the search. Optional
operator2 The compare method applied when matching value2 against the field2 contents. Optional
value2 The value that the query attempts to match. The query compares this value to the contents of the field2 parameter and applies the compare method specified by the operator2 parameter. Optional
match_type The logical operator (and/or) used to combine the field1/operator1/value1 filter with the field2/operator2/value2 filter. For example, to find HTTP records with status code 500 or a processing time greater than 100ms, set match_type=or, field1=statusCode, operator1==, value1=500, field2=processingTime, operator2=>, value2=100, types=http. Optional
types A list of one or more record formats for the query to filter on, comma separated. The query returns only records that match the specified formats. Optional
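
The arguments above map onto a single records-search request against the appliance's REST API, and the instance parameters from the configuration section (URL, API key, certificate trust, proxy) decide how that request is sent. The following added example, which is not the integration's own code, builds the request body from the flat command arguments, validates the query_from/query_until time syntax described above, and flattens the reply into the ExtraHop.Record shape shown under Context Example below. Assumptions not stated on this page: the endpoint POST /api/v1/records/search, the "Authorization: ExtraHop apikey=..." header, GET /api/v1/extrahop for the version check, numeric operands sent as numbers, and Elasticsearch-style hits carrying _id, _index, _type, _source and sort. SAMPLE_RESPONSE is constructed.

```python
"""Added example (not the integration's code): build an ExtraHop records
search from extrahop-query-records arguments and flatten the reply."""
import json
import re
import ssl
import urllib.request
from typing import Any, Dict, List

# Either epoch milliseconds, or a negative offset with one of the documented
# unit suffixes. The appliance interprets the suffix, so valid relative
# values are passed through unchanged instead of being converted here.
_TIME = re.compile(r"^(-\d+(ms|s|m|h|d|w|M|y)?|\d+)$")


def normalize_time(value: str):
    text = str(value).strip()
    if not _TIME.match(text):
        raise ValueError(f"invalid time value: {value!r}")
    return int(text) if text.lstrip("-").isdigit() else text


def _operand(value: str):
    # Assumption: digit-only values are sent as numbers so statusCode=500
    # compares numerically rather than as a string.
    return int(value) if value.lstrip("-").isdigit() else value


def build_records_query(args: Dict[str, str]) -> Dict[str, Any]:
    """Map the command's flat arguments onto the search request body."""
    body: Dict[str, Any] = {"from": normalize_time(args["query_from"])}
    if "query_until" in args:
        body["until"] = normalize_time(args["query_until"])
    for key in ("limit", "offset"):
        if key in args:
            body[key] = int(args[key])
    if "types" in args:
        body["types"] = [t.strip() for t in args["types"].split(",") if t.strip()]
    rules = []
    for n in ("1", "2"):
        field = args.get(f"field{n}")
        if field is None:
            continue
        if f"operator{n}" not in args or f"value{n}" not in args:
            raise ValueError(f"field{n} needs operator{n} and value{n}")
        rules.append({"field": field, "operator": args[f"operator{n}"],
                      "operand": _operand(args[f"value{n}"])})
    if len(rules) == 1:
        body["filter"] = rules[0]
    elif rules:
        match_type = args.get("match_type", "and").lower()
        if match_type not in ("and", "or"):
            raise ValueError("match_type must be 'and' or 'or'")
        body["filter"] = {"operator": match_type, "rules": rules}
    return body


def records_to_context(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten search hits into ExtraHop.Record entries (Id/Index/Sort/Source/Type)."""
    return [{"Id": hit.get("_id"), "Index": hit.get("_index"), "Sort": hit.get("sort"),
             "Source": hit.get("_source", {}), "Type": hit.get("_type")}
            for hit in response.get("records", [])]


class ExtraHopClient:
    """Mirrors the instance parameters: URL, API key, certificate trust, proxy."""

    def __init__(self, url: str, api_key: str, trust_any_certificate: bool = False,
                 use_system_proxy: bool = False):
        self.base = url.rstrip("/")
        self.headers = {"Authorization": f"ExtraHop apikey={api_key}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        ctx = ssl.create_default_context()
        if trust_any_certificate:
            # 'Trust any certificate (Not Secure)': an interposed host could
            # collect the API key. Prefer importing the appliance CA instead.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        # ProxyHandler(None) honours HTTPS_PROXY etc.; {} sends requests direct.
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx),
            urllib.request.ProxyHandler(None if use_system_proxy else {}))

    def _call(self, method: str, path: str, body=None) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers=self.headers)
        with self.opener.open(req, timeout=60) as resp:
            return json.loads(resp.read())

    def version(self) -> str:
        """The check behind the instance 'Test' button."""
        return self._call("GET", "/api/v1/extrahop")["version"]

    def query_records(self, args: Dict[str, str]) -> List[Dict[str, Any]]:
        return records_to_context(
            self._call("POST", "/api/v1/records/search", build_records_query(args)))


# Constructed reply, trimmed to the fields used above.
SAMPLE_RESPONSE = {"total": 1, "records": [{
    "_id": "AW1goQmvylOgLDUmuFLT", "_index": "extrahop-11-2019-9-24-0",
    "_type": "~http", "sort": [1569284181528.201],
    "_source": {"method": "POST", "statusCode": 302,
                "clientAddr": {"type": "ipaddr4", "value": "172.16.34.152"}}}]}
```

build_records_query({"query_from": "-6h", "limit": "2"}) is the body behind the command example in this section; a malformed time such as "yesterday" or a positive value with a suffix is rejected before any request is made.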

Context Output
Path Type Description
ExtraHop.Record.Type string The record format.
ExtraHop.Record.Source.timestamp Number The timestamp of the item.
ExtraHop.Record.Source.detection string The detection type that committed the record.
ExtraHop.Record.Source.ex.isSuspicious Boolean Marked as suspicious by Threat Intelligence.
ExtraHop.Record.Source.accessTime Number Access Time
ExtraHop.Record.Source.ackCode String Ack Code
ExtraHop.Record.Source.ackId String Ack ID
ExtraHop.Record.Source.adminQueue String Admin Queue
ExtraHop.Record.Source.age Number Age
ExtraHop.Record.Source.alertCode Number Alert Code
ExtraHop.Record.Source.alertLevel String Alert Level
ExtraHop.Record.Source.answer Unknown Answer
ExtraHop.Record.Source.answers Unknown Answers
ExtraHop.Record.Source.appName String Application Name
ExtraHop.Record.Source.application Unknown Application
ExtraHop.Record.Source.args String Arguments
ExtraHop.Record.Source.authDomain String Authentication Domain
ExtraHop.Record.Source.authMethod String Authentication Method
ExtraHop.Record.Source.authResult Number Auth Result
ExtraHop.Record.Source.authType Number Auth Type
ExtraHop.Record.Source.authenticator String Authenticator
ExtraHop.Record.Source.bindDN String Bind Distinguished Name
ExtraHop.Record.Source.bytes Number Bytes
ExtraHop.Record.Source.cName String Canonical Endpoint
ExtraHop.Record.Source.cNameType String Client Name Type
ExtraHop.Record.Source.cNames String Client Name Components
ExtraHop.Record.Source.cRealm String Client Realm
ExtraHop.Record.Source.callId String Call ID
ExtraHop.Record.Source.certificateFingerprint String Certificate Fingerprint
ExtraHop.Record.Source.certificateIsSelfSigned Boolean Certificate Self Signed
ExtraHop.Record.Source.certificateIssuer String Certificate Issuer
ExtraHop.Record.Source.certificateKeySize Number Certificate Key Size
ExtraHop.Record.Source.certificateNotAfter Number Certificate Not After
ExtraHop.Record.Source.certificateNotBefore Number Certificate Not Before
ExtraHop.Record.Source.certificateSignatureAlgorithm String Certificate Signature Algorithm
ExtraHop.Record.Source.certificateSubject String Certificate Subject
ExtraHop.Record.Source.certificateSubjectAlternativeNames String Certificate Subject Alternative Names
ExtraHop.Record.Source.channel String Channel
ExtraHop.Record.Source.cipherSuite String Cipher Suite
ExtraHop.Record.Source.client.type String Client Type
ExtraHop.Record.Source.client.value String Client Discovery ID
ExtraHop.Record.Source.clientAddr.type String Client IP Address Type
ExtraHop.Record.Source.clientAddr.value String Client IP Address Value
ExtraHop.Record.Source.clientBuild String Client Build
ExtraHop.Record.Source.clientBytes Number Client Bytes
ExtraHop.Record.Source.clientCGPMsgCount Number Client CGP Messages
ExtraHop.Record.Source.clientCertificateRequested Boolean Client Certificate Requested
ExtraHop.Record.Source.clientCipherAlgorithm String Client Cipher Algorithm
ExtraHop.Record.Source.clientCompressionAlgorithm String Client Compression Algorithm
ExtraHop.Record.Source.clientImplementation String Client Implementation
ExtraHop.Record.Source.clientL2Bytes Number Client L2 Bytes
ExtraHop.Record.Source.clientLatency Number Client Latency
ExtraHop.Record.Source.clientMacAlgorithm String Client MAC Algorithm
ExtraHop.Record.Source.clientMachine String Client Machine
ExtraHop.Record.Source.clientMsgCount Number Client Messages
ExtraHop.Record.Source.clientName String Client Name
ExtraHop.Record.Source.clientPkts Number Client Packets
ExtraHop.Record.Source.clientPort Number Client Port
ExtraHop.Record.Source.clientPrincipalName String Client Principal Name
ExtraHop.Record.Source.clientRTO Number Client RTO
ExtraHop.Record.Source.clientReqDelay Number Client Request Delay
ExtraHop.Record.Source.clientType String ICA Client Type
ExtraHop.Record.Source.clientVersion String Client Version
ExtraHop.Record.Source.clientZeroWnd Number Client Zero Windows
ExtraHop.Record.Source.collection String Collection
ExtraHop.Record.Source.command String Command
ExtraHop.Record.Source.contentType String Content Type
ExtraHop.Record.Source.conversationId Number Conversation ID
ExtraHop.Record.Source.cookie String Cookie
ExtraHop.Record.Source.correlationId String Correlation ID
ExtraHop.Record.Source.cwd String Current Working Directory
ExtraHop.Record.Source.dataSize Number Data Size
ExtraHop.Record.Source.database String Database
ExtraHop.Record.Source.deltaBytes Number Delta Bytes
ExtraHop.Record.Source.deltaPkts Number Delta Packets
ExtraHop.Record.Source.desktopHeight Number Desktop Height
ExtraHop.Record.Source.desktopWidth Number Desktop Width
ExtraHop.Record.Source.destination String Destination
ExtraHop.Record.Source.dn String Distinguished Name
ExtraHop.Record.Source.domain String Domain
ExtraHop.Record.Source.drops Number Drops
ExtraHop.Record.Source.dscpName String DSCP
ExtraHop.Record.Source.dstQueueMgr String Destination Queue Manager
ExtraHop.Record.Source.dups Number Dups
ExtraHop.Record.Source.duration Number Duration
ExtraHop.Record.Source.egressInterface Unknown Egress Interface
ExtraHop.Record.Source.error String Error
ExtraHop.Record.Source.errorDetail String Error Detail
ExtraHop.Record.Source.expiration Number Expiration
ExtraHop.Record.Source.first Number First
ExtraHop.Record.Source.flowId String Flow
ExtraHop.Record.Source.format String Format
ExtraHop.Record.Source.frameCutDuration Number Frame Cut Duration
ExtraHop.Record.Source.frameSendDuration Number Frame Send Duration
ExtraHop.Record.Source.from String From
ExtraHop.Record.Source.functionId Number Function ID
ExtraHop.Record.Source.functionName String Function Name
ExtraHop.Record.Source.fwdReqClientAddr.type String Forwarded Request Client IP Address Type
ExtraHop.Record.Source.fwdReqClientAddr.value String Forwarded Request Client IP Address Value
ExtraHop.Record.Source.fwdReqHost String Forwarded Request Host
ExtraHop.Record.Source.fwdReqIsEncrypted Boolean Forwarded Request Is Encrypted
ExtraHop.Record.Source.fwdReqServerName String Forwarded Request Server Name
ExtraHop.Record.Source.fwdReqServerPort Number Forwarded Request Server Port
ExtraHop.Record.Source.gwAddr.type String Gateway IP Address Type
ExtraHop.Record.Source.gwAddr.value String Gateway IP Address Value
ExtraHop.Record.Source.handshakeTime Number Handshake Time
ExtraHop.Record.Source.hasSDP Boolean Has SDP
ExtraHop.Record.Source.hassh String HASSH
ExtraHop.Record.Source.hasshServer String HASSH Server
ExtraHop.Record.Source.heartbeatPayloadLength Number Heartbeat Payload Length
ExtraHop.Record.Source.heartbeatType Number Heartbeat Type
ExtraHop.Record.Source.hitCount Number Hit Count
ExtraHop.Record.Source.hopLimit Number Hop Limit
ExtraHop.Record.Source.host String Host
ExtraHop.Record.Source.htype Number Hardware Address Type
ExtraHop.Record.Source.ingressInterface Unknown Ingress Interface
ExtraHop.Record.Source.interface String Interface
ExtraHop.Record.Source.isAborted Boolean Aborted
ExtraHop.Record.Source.isAuthoritative Boolean Authoritative
ExtraHop.Record.Source.isBinaryProtocol Boolean Binary Protocol
ExtraHop.Record.Source.isCheckingDisabled Boolean Checking Disabled
ExtraHop.Record.Source.isCleanShutdown Boolean Clean Shutdown
ExtraHop.Record.Source.isClientDiskRead Boolean Client Disk Read
ExtraHop.Record.Source.isClientDiskWrite Boolean Client Disk Write
ExtraHop.Record.Source.isCommandCreate Boolean Create Command
ExtraHop.Record.Source.isCommandDelete Boolean Delete Command
ExtraHop.Record.Source.isCommandFileInfo Boolean FileInfo Command
ExtraHop.Record.Source.isCommandLock Boolean Lock Command
ExtraHop.Record.Source.isCommandRead Boolean Read Command
ExtraHop.Record.Source.isCommandRename Boolean Rename Command
ExtraHop.Record.Source.isCommandWrite Boolean Write Command
ExtraHop.Record.Source.isCompressed Boolean Compressed
ExtraHop.Record.Source.isEncrypted Boolean Encrypted
ExtraHop.Record.Source.isNoReply Boolean No Reply
ExtraHop.Record.Source.isPipelined Boolean Pipelined
ExtraHop.Record.Source.isRecursionAvailable Boolean Recursion Available
ExtraHop.Record.Source.isRecursionDesired Boolean Recursion Desired
ExtraHop.Record.Source.isRenegotiate Boolean Renegotiate
ExtraHop.Record.Source.isReqAborted Boolean Request Aborted
ExtraHop.Record.Source.isReqTimeout Boolean Request Timed Out
ExtraHop.Record.Source.isReqTruncated Boolean Request Truncated
ExtraHop.Record.Source.isRspAborted Boolean Response Aborted
ExtraHop.Record.Source.isRspChunked Boolean Chunked
ExtraHop.Record.Source.isRspCompressed Boolean Rsp Compressed
ExtraHop.Record.Source.isRspImplicit Boolean Response Implicit
ExtraHop.Record.Source.isRspTruncated Boolean Response Truncated
ExtraHop.Record.Source.isSQLi Boolean Contains SQLi
ExtraHop.Record.Source.isSharedSession Boolean Shared Session
ExtraHop.Record.Source.isSubOperation Boolean Is a suboperation
ExtraHop.Record.Source.isWeakCipherSuite Boolean Weak Cipher Suite
ExtraHop.Record.Source.isXSS Boolean Contains XSS
ExtraHop.Record.Source.ja3Hash String JA3 Hash
ExtraHop.Record.Source.ja3sHash String JA3S Hash
ExtraHop.Record.Source.jitter Number Jitter
ExtraHop.Record.Source.kexAlgorithm String KEX Algorithm
ExtraHop.Record.Source.keyboardLayout String Keyboard Layout
ExtraHop.Record.Source.l2Bytes Number L2 Bytes
ExtraHop.Record.Source.l7proto String L7 Protocol
ExtraHop.Record.Source.label String Label
ExtraHop.Record.Source.last Number Last
ExtraHop.Record.Source.launchParams String Parameters
ExtraHop.Record.Source.loadTime Number Load Time
ExtraHop.Record.Source.loginTime Number Login Time
ExtraHop.Record.Source.method String Method
ExtraHop.Record.Source.missCount Number Miss Count
ExtraHop.Record.Source.mos Number MOS
ExtraHop.Record.Source.msgClass String Message Class
ExtraHop.Record.Source.msgCode Number Message Code
ExtraHop.Record.Source.msgFormat String Message Format
ExtraHop.Record.Source.msgId Number Message ID
ExtraHop.Record.Source.msgLength Number Message Length
ExtraHop.Record.Source.msgSize Number Message Size
ExtraHop.Record.Source.msgText String Message Text
ExtraHop.Record.Source.msgType String Message Type
ExtraHop.Record.Source.network Unknown Flow Network
ExtraHop.Record.Source.networkAddr.type String Flow Network IP Address Type
ExtraHop.Record.Source.networkAddr.value String Flow Network IP Address Value
ExtraHop.Record.Source.networkLatency Number Network Latency
ExtraHop.Record.Source.nextHop.type String Next Hop IP Address Type
ExtraHop.Record.Source.nextHop.value String Next Hop IP Address Value
ExtraHop.Record.Source.nextHopMTU Number Next Hop MTU
ExtraHop.Record.Source.notAfter Number Certificate Not After
ExtraHop.Record.Source.offeredAddr.type String Offered IP Address Type
ExtraHop.Record.Source.offeredAddr.value String Offered IP Address Value
ExtraHop.Record.Source.offset Number Offset
ExtraHop.Record.Source.opcode String Opcode
ExtraHop.Record.Source.operation String Operation
ExtraHop.Record.Source.option String Options
ExtraHop.Record.Source.origin String Origin
ExtraHop.Record.Source.outOfOrder Number Out Of Order
ExtraHop.Record.Source.path String Path
ExtraHop.Record.Source.payloadType String Payload Type
ExtraHop.Record.Source.payloadTypeId Number Payload Type ID
ExtraHop.Record.Source.persistent Boolean Persistent
ExtraHop.Record.Source.pkts Number Packets
ExtraHop.Record.Source.pointer Number Pointer
ExtraHop.Record.Source.printerName String Printer Name
ExtraHop.Record.Source.priority Number Priority
ExtraHop.Record.Source.procedure String Procedure
ExtraHop.Record.Source.processingTime Number Processing Time
ExtraHop.Record.Source.program String Program
ExtraHop.Record.Source.proto String IP Protocol
ExtraHop.Record.Source.protocol String Protocol
ExtraHop.Record.Source.putAppName String Put Application Name
ExtraHop.Record.Source.qname String Query Name
ExtraHop.Record.Source.qtype String Query Type
ExtraHop.Record.Source.query String Query
ExtraHop.Record.Source.queue String Queue
ExtraHop.Record.Source.queueMgr String Queue Manager
ExtraHop.Record.Source.rFactor Number R Factor
ExtraHop.Record.Source.realm String Server Realm
ExtraHop.Record.Source.receiver.type String Receiver Type
ExtraHop.Record.Source.receiver.value String Receiver Discovery ID
ExtraHop.Record.Source.receiverAddr.type String Receiver IP Address Type
ExtraHop.Record.Source.receiverAddr.value String Receiver IP Address Value
ExtraHop.Record.Source.receiverAsn Number Receiver ASN
ExtraHop.Record.Source.receiverBytes Number Receiver Bytes
ExtraHop.Record.Source.receiverIsBroker Boolean To Broker
ExtraHop.Record.Source.receiverL2Bytes Number Receiver L2 Bytes
ExtraHop.Record.Source.receiverPkts Number Receiver Packets
ExtraHop.Record.Source.receiverPort Number Receiver Port
ExtraHop.Record.Source.receiverPrefixLength Number Receiver Prefix Length
ExtraHop.Record.Source.receiverRTO Number Receiver RTO
ExtraHop.Record.Source.receiverZeroWnd Number Receiver Zero Windows
ExtraHop.Record.Source.recipient String Recipient
ExtraHop.Record.Source.recipientList String Recipient List
ExtraHop.Record.Source.redeliveryCount Number Redelivery Count
ExtraHop.Record.Source.referer String Referer
ExtraHop.Record.Source.renameDirChanged Boolean Rename Directory Changed
ExtraHop.Record.Source.replyTo String Reply To
ExtraHop.Record.Source.reqBytes Number Request Bytes
ExtraHop.Record.Source.reqKey String Request Key
ExtraHop.Record.Source.reqL2Bytes Number Request L2 Bytes
ExtraHop.Record.Source.reqPdu String Request PDU Type
ExtraHop.Record.Source.reqPkts Number Request Packets
ExtraHop.Record.Source.reqRTO Number Request RTO
ExtraHop.Record.Source.reqSize Number Request Size
ExtraHop.Record.Source.reqTimeToLastByte Number Req Time To Last Byte
ExtraHop.Record.Source.reqTransferTime Number Request Transfer Time
ExtraHop.Record.Source.requestedColorDepth String Requested Color Depth
ExtraHop.Record.Source.requestedProtocols String Requested Protocols
ExtraHop.Record.Source.resolvedQueue String Resolved Queue
ExtraHop.Record.Source.resolvedQueueMgr String Resolved Queue Manager
ExtraHop.Record.Source.resource String Resource
ExtraHop.Record.Source.responseQueue String Response Queue
ExtraHop.Record.Source.roundTripTime Number Round Trip Time
ExtraHop.Record.Source.rspBytes Number Response Bytes
ExtraHop.Record.Source.rspL2Bytes Number Response L2 Bytes
ExtraHop.Record.Source.rspPdu String Response PDU Type
ExtraHop.Record.Source.rspPkts Number Response Packets
ExtraHop.Record.Source.rspRTO Number Response RTO
ExtraHop.Record.Source.rspSize Number Response Size
ExtraHop.Record.Source.rspTimeToFirstByte Number Rsp Time To First Byte
ExtraHop.Record.Source.rspTimeToFirstHeader Number Rsp Time To First Header
ExtraHop.Record.Source.rspTimeToFirstPayload Number Rsp Time To First Payload
ExtraHop.Record.Source.rspTimeToLastByte Number Rsp Time To Last Byte
ExtraHop.Record.Source.rspTransferTime Number Response Transfer Time
ExtraHop.Record.Source.rspVersion String Response Version
ExtraHop.Record.Source.rto Number RTO
ExtraHop.Record.Source.sNameType String Server Name Type
ExtraHop.Record.Source.sNames String Server Name Components
ExtraHop.Record.Source.saslMechanism String SASL Mechanism
ExtraHop.Record.Source.searchFilter String Search Filter
ExtraHop.Record.Source.searchScope String Search Scope
ExtraHop.Record.Source.selectedProtocol String Selected Protocol
ExtraHop.Record.Source.sender.type String Sender Type
ExtraHop.Record.Source.sender.value String Sender Discovery ID
ExtraHop.Record.Source.senderAddr.type String Sender IP Address Type
ExtraHop.Record.Source.senderAddr.value String Sender IP Address Value
ExtraHop.Record.Source.senderAsn Number Sender ASN
ExtraHop.Record.Source.senderBytes Number Sender Bytes
ExtraHop.Record.Source.senderIsBroker Boolean From Broker
ExtraHop.Record.Source.senderL2Bytes Number Sender L2 Bytes
ExtraHop.Record.Source.senderPkts Number Sender Packets
ExtraHop.Record.Source.senderPort Number Sender Port
ExtraHop.Record.Source.senderPrefixLength Number Sender Prefix Length
ExtraHop.Record.Source.senderRTO Number Sender RTO
ExtraHop.Record.Source.senderZeroWnd Number Sender Zero Windows
ExtraHop.Record.Source.seqNum Number Sequence Number
ExtraHop.Record.Source.server.type String Server Type
ExtraHop.Record.Source.server.value String Server Discovery ID
ExtraHop.Record.Source.serverAddr.type String Server IPv4 Address Type
ExtraHop.Record.Source.serverAddr.value String Server IPv4 Address Value
ExtraHop.Record.Source.serverBytes Number Server Bytes
ExtraHop.Record.Source.serverCGPMsgCount Number Server CGP Messages
ExtraHop.Record.Source.serverCipherAlgorithm String Server Cipher Algorithm
ExtraHop.Record.Source.serverCompressionAlgorithm String Server Compression Algorithm
ExtraHop.Record.Source.serverImplementation String Server Implementation
ExtraHop.Record.Source.serverL2Bytes Number Server L2 Bytes
ExtraHop.Record.Source.serverMacAlgorithm String Server MAC Algorithm
ExtraHop.Record.Source.serverMsgCount Number Server Messages
ExtraHop.Record.Source.serverPkts Number Server Packets
ExtraHop.Record.Source.serverPort Number Server Port
ExtraHop.Record.Source.serverPrincipalName String Server Principal Name
ExtraHop.Record.Source.serverRTO Number Server RTO
ExtraHop.Record.Source.serverVersion String Server Version
ExtraHop.Record.Source.serverZeroWnd Number Server Zero Windows
ExtraHop.Record.Source.share String Share
ExtraHop.Record.Source.source String Source
ExtraHop.Record.Source.sqli String Potential SQLi
ExtraHop.Record.Source.srcQueueMgr String Source Queue Manager
ExtraHop.Record.Source.ssrc Number Sender SSRC
ExtraHop.Record.Source.statement String Statement
ExtraHop.Record.Source.status String Status
ExtraHop.Record.Source.statusCode Number Status Code
ExtraHop.Record.Source.statusText String Status Text
ExtraHop.Record.Source.table String Table
ExtraHop.Record.Source.target String Target
ExtraHop.Record.Source.tcpFlags Number TCP Flags
ExtraHop.Record.Source.thinkTime Number Think Time
ExtraHop.Record.Source.tickChannel String Tick Channel
ExtraHop.Record.Source.ticketHash String Encrypted Ticket Hash
ExtraHop.Record.Source.till String Till
ExtraHop.Record.Source.title String Title
ExtraHop.Record.Source.to String To
ExtraHop.Record.Source.totalMsgLength Number Total Msg Length
ExtraHop.Record.Source.transferBytes Number Bytes Transferred
ExtraHop.Record.Source.txId Number Transaction ID
ExtraHop.Record.Source.unitId Number Unit ID
ExtraHop.Record.Source.uri String URI
ExtraHop.Record.Source.user String User
ExtraHop.Record.Source.userAgent String User Agent
ExtraHop.Record.Source.vbucket Number vBucket
ExtraHop.Record.Source.version String Version
ExtraHop.Record.Source.vlan Number VLAN
ExtraHop.Record.Source.vxlanVNI Number VxLAN VNI
ExtraHop.Record.Source.warning String Warning
ExtraHop.Record.Source.xss String Potential XSS

Command Example

!extrahop-query-records query_from=-6h limit=2

Context Example
{
    "ExtraHop": {
        "Record": [
            {
                "Id": "AW1goQmvylOgLDUmuFLT",
                "Index": "extrahop-11-2019-9-24-0",
                "Sort": [
                    1569284181528.201
                ],
                "Source": {
                    "client": {
                        "type": "device",
                        "value": [
                            "fff41107140a0000"
                        ]
                    },
                    "clientAddr": {
                        "type": "ipaddr4",
                        "value": "172.16.34.152"
                    },
                    "clientPort": 34140,
                    "clientZeroWnd": 0,
                    "ex": {
                        "isSuspicious": false
                    },
                    "flowId": "0cac4df05d896054",
                    "host": "prod1.example.com",
                    "isPipelined": false,
                    "isReqAborted": false,
                    "isRspAborted": false,
                    "isRspChunked": false,
                    "isRspCompressed": false,
                    "isSQLi": false,
                    "isXSS": false,
                    "method": "POST",
                    "processingTime": 233.318,
                    "referer": "http://prod1.example.com/login?from=%2F",
                    "reqBytes": 1160,
                    "reqL2Bytes": 1518,
                    "reqPkts": 5,
                    "reqRTO": 0,
                    "reqSize": 64,
                    "reqTimeToLastByte": 0,
                    "roundTripTime": 0.245,
                    "rspBytes": 346,
                    "rspL2Bytes": 1284,
                    "rspPkts": 8,
                    "rspRTO": 0,
                    "rspSize": 0,
                    "rspTimeToFirstHeader": 233.318,
                    "rspTimeToLastByte": 234.528,
                    "rspVersion": "1.1",
                    "server": {
                        "type": "device",
                        "value": [
                            "fff4c3090a0a0000"
                        ]
                    },
                    "serverAddr": {
                        "type": "ipaddr4",
                        "value": "172.16.34.161"
                    },
                    "serverPort": 80,
                    "serverZeroWnd": 0,
                    "statusCode": 302,
                    "timestamp": 1569284181528.201,
                    "uri": "prod1.example.com/j_acegi_security_check",
                    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
                },
                "Type": "~http"
            },
            {
                "Id": "AW1gQF7uylOgLDUmoClO",
                "Index": "extrahop-11-2019-9-23-0",
                "Sort": [
                    1569277857270.787
                ],
                "Source": {
                    "args": "",
                    "client": {
                        "type": "device",
                        "value": [
                            "fff48dff0a0a0000"
                        ]
                    },
                    "clientAddr": {
                        "type": "ipaddr4",
                        "value": "172.16.34.11"
                    },
                    "clientPort": 1920,
                    "clientZeroWnd": 0,
                    "cwd": "/",
                    "detection": [
                        "anonymous_ftp"
                    ],
                    "ex": {
                        "isSuspicious": false
                    },
                    "flowId": "037efd385d8947a0",
                    "isReqAborted": false,
                    "isRspAborted": false,
                    "method": "PASS",
                    "processingTime": 0.25,
                    "reqBytes": 22,
                    "reqL2Bytes": 490,
                    "reqPkts": 6,
                    "reqRTO": 0,
                    "rspBytes": 21,
                    "rspL2Bytes": 239,
                    "rspPkts": 2,
                    "rspRTO": 0,
                    "server": {
                        "type": "device",
                        "value": [
                            "fff45a060a0a0000"
                        ]
                    },
                    "serverAddr": {
                        "type": "ipaddr4",
                        "value": "172.16.34.231"
                    },
                    "serverPort": 21,
                    "serverZeroWnd": 0,
                    "statusCode": 230,
                    "timestamp": 1569277857270.787,
                    "user": "anonymous"
                },
                "Type": "~ftp"
            }
        ]
    }
}
Human Readable Output

Showing 2 out of 15 Record(s) Found.

Record 1
client: type: device, value: fff41107140a0000
clientAddr: type: ipaddr4, value: 172.16.34.152
clientPort: 34140
clientZeroWnd: 0
ex: isSuspicious: false
flowId: 0cac4df05d896054
host: prod1.example.com
isPipelined: false
isReqAborted: false
isRspAborted: false
isRspChunked: false
isRspCompressed: false
isSQLi: false
isXSS: false
method: POST
processingTime: 233.318
referer: http://prod1.example.com/login?from=%2F
reqBytes: 1160
reqL2Bytes: 1518
reqPkts: 5
reqRTO: 0
reqSize: 64
reqTimeToLastByte: 0
roundTripTime: 0.245
rspBytes: 346
rspL2Bytes: 1284
rspPkts: 8
rspRTO: 0
rspSize: 0
rspTimeToFirstHeader: 233.318
rspTimeToLastByte: 234.528
rspVersion: 1.1
server: type: device, value: fff4c3090a0a0000
serverAddr: type: ipaddr4, value: 172.16.34.161
serverPort: 80
serverZeroWnd: 0
statusCode: 302
timestamp: 1569284181528.201
uri: prod1.example.com/j_acegi_security_check
userAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36

Record 2
client: type: device, value: fff48dff0a0a0000
clientAddr: type: ipaddr4, value: 172.16.34.11
clientPort: 1920
clientZeroWnd: 0
ex: isSuspicious: false
flowId: 037efd385d8947a0
isReqAborted: false
isRspAborted: false
method: PASS
processingTime: 0.25
reqBytes: 22
reqL2Bytes: 490
reqPkts: 6
reqRTO: 0
rspBytes: 21
rspL2Bytes: 239
rspPkts: 2
rspRTO: 0
server: type: device, value: fff45a060a0a0000
serverAddr: type: ipaddr4, value: 172.16.34.231
serverPort: 21
serverZeroWnd: 0
statusCode: 230
timestamp: 1569277857270.787
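The records above are what a playbook automation receives in the ExtraHop.Record context. As an added example (not part of the integration or of ExtraHop's own code), the following Python triages such records the way a SOC automation would: it reads the flags ExtraHop already sets (isSQLi, isXSS, ex.isSuspicious, detection) and adds two heuristics of its own, a successful anonymous FTP login (PASS with status 230) and an HTTP POST over plain port 80. The two sample records are constructed from the Context Example above and trimmed to the fields the logic reads; the heuristics are assumptions, not ExtraHop detection logic.

```python
"""Triage ExtraHop.Record context entries returned by extrahop-query-records.

Added example, not the integration's own code. Sample records are constructed
from the Context Example on this page; the two extra heuristics are assumptions.
"""
from typing import Dict, List

# Constructed sample: two records trimmed to the fields the triage logic reads.
SAMPLE_RECORDS: List[Dict] = [
    {
        "Id": "AW1goQmvylOgLDUmuFLT",
        "Type": "~http",
        "Source": {
            "clientAddr": {"type": "ipaddr4", "value": "172.16.34.152"},
            "serverAddr": {"type": "ipaddr4", "value": "172.16.34.161"},
            "serverPort": 80,
            "method": "POST",
            "uri": "prod1.example.com/j_acegi_security_check",
            "statusCode": 302,
            "isSQLi": False,
            "isXSS": False,
            "ex": {"isSuspicious": False},
        },
    },
    {
        "Id": "AW1gQF7uylOgLDUmoClO",
        "Type": "~ftp",
        "Source": {
            "clientAddr": {"type": "ipaddr4", "value": "172.16.34.11"},
            "serverAddr": {"type": "ipaddr4", "value": "172.16.34.231"},
            "serverPort": 21,
            "method": "PASS",
            "user": "anonymous",
            "statusCode": 230,
            "detection": ["anonymous_ftp"],
            "ex": {"isSuspicious": False},
        },
    },
]


def triage_reasons(record: Dict) -> List[str]:
    """Return the reasons a record deserves analyst attention (empty if none)."""
    src = record.get("Source", {})
    reasons: List[str] = []
    # Flags ExtraHop sets on the record itself.
    if src.get("isSQLi"):
        reasons.append("sqli")
    if src.get("isXSS"):
        reasons.append("xss")
    if src.get("ex", {}).get("isSuspicious"):
        reasons.append("suspicious")
    for det in src.get("detection", []):
        reasons.append("detection:" + det)
    # Heuristics added here (assumptions): FTP 230 means "user logged in", so an
    # anonymous PASS answered with 230 is a successful anonymous login; a POST to
    # port 80 sends form data, possibly credentials, in the clear.
    if (record.get("Type") == "~ftp" and src.get("user") == "anonymous"
            and src.get("statusCode") == 230):
        reasons.append("anonymous_ftp_login")
    if (record.get("Type") == "~http" and src.get("serverPort") == 80
            and src.get("method") == "POST"):
        reasons.append("cleartext_http_post")
    return reasons


def triage(records: List[Dict]) -> List[Dict]:
    """Return a compact summary for every flagged record, in input order."""
    flagged = []
    for rec in records:
        reasons = triage_reasons(rec)
        if not reasons:
            continue
        src = rec["Source"]
        flagged.append({
            "id": rec["Id"],
            "type": rec["Type"],
            "client": src["clientAddr"]["value"],
            "server": f'{src["serverAddr"]["value"]}:{src["serverPort"]}',
            "reasons": reasons,
        })
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit)
```

In a playbook the summary list would feed incident fields or a War Room table; the reasons are kept as short tokens so they can be matched by later conditional tasks.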

3. Search for devices

Search for devices in ExtraHop.

Base Command

extrahop-device-search

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
name The name of the device. This searches for matches on all ExtraHop name fields (DHCP, DNS, NetBIOS, Cisco Discovery Protocol, etc.). Optional
ip The IP address of the device. Optional
mac The MAC address of the device. Optional
role The role of the device. Optional
software The OS of the device. Optional
tag A tag present on the device. Optional
vendor The vendor of the device, based on MAC address via OUI lookup. Optional
discover_time The time that device was first seen by ExtraHop, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with the following unit suffixes: ms, s, m, h, d, w, M, y. For example, to look one day back enter -1d or -24h. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional
vlan The VLAN ID of the Virtual LAN that the device is on. Optional
activity The activity of the device. Optional
operator The compare method applied when matching the fields against their values. For example, to find devices with names that begin with 'SEA1', set name=SEA1 and operator=startswith. Optional
match_type The match operator to use when chaining the search fields together. For example, to find all HTTP servers running Windows on the network (set match_type=and, role=http_server, software=windows). Optional
active_from The beginning timestamp for the request. Return only devices active after this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional
active_until The ending timestamp for the request. Return only devices active before this time. Time is expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional
limit The maximum number of devices to return. Optional
l3_only Only returns layer 3 devices by filtering out any layer 2 parent devices. Optional

Context Output
Path Type Description
ExtraHop.Device.Macaddr String The MAC address of the device.
ExtraHop.Device.DeviceClass String The class of the device.
ExtraHop.Device.UserModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.AutoRole String The role automatically detected by ExtraHop.
ExtraHop.Device.ParentId Number The ID of the parent device.
ExtraHop.Device.Vendor String The device vendor.
ExtraHop.Device.Analysis String The level of analysis performed on the device.
ExtraHop.Device.DiscoveryId String The UUID given by the Discover appliance.
ExtraHop.Device.DefaultName String The default name of the device.
ExtraHop.Device.DisplayName String The display name of the device.
ExtraHop.Device.OnWatchlist Boolean Whether the device is on the advanced analysis whitelist.
ExtraHop.Device.ModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.IsL3 Boolean Indicates whether the device is a Layer 3 device.
ExtraHop.Device.Role String The role of the device.
ExtraHop.Device.DiscoverTime Number The time that the device was discovered.
ExtraHop.Device.Id Number The ID of the device.
ExtraHop.Device.Ipaddr4 String The IPv4 address of the device.
ExtraHop.Device.Vlanid Number The ID of the VLAN the device is on.
ExtraHop.Device.Ipaddr6 String The IPv6 address of the device.
ExtraHop.Device.NodeId Number The Node ID of the Discover appliance.
ExtraHop.Device.Description String A user customizable description of the device.
ExtraHop.Device.DnsName String The DNS name associated with the device.
ExtraHop.Device.DhcpName String The DHCP name associated with the device.
ExtraHop.Device.CdpName String The Cisco Discovery Protocol name associated with the device.
ExtraHop.Device.NetbiosName String The NetBIOS name associated with the device.
ExtraHop.Device.Url String Link to the device details page in ExtraHop.

Command Example

!extrahop-device-search limit=2

Context Example
{
    "ExtraHop": {
        "Device": [
            {
                "Analysis": "l2_exempt",
                "AnalysisLevel": 4,
                "AutoRole": "other",
                "DefaultName": "Dell A9B1F6",
                "DeviceClass": "node",
                "DhcpName": "Win3-Web",
                "DiscoverTime": 1569277980000,
                "DiscoveryId": "509a4ca9b1f60000",
                "DisplayName": "Win3-Web",
                "ExtrahopId": "509a4ca9b1f60000",
                "Id": 18628,
                "IsL3": false,
                "Macaddr": "70:F6:4C:A3:C2:F0",
                "ModTime": 1569278201104,
                "OnWatchlist": false,
                "Role": "other",
                "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.509a4ca9b1f60000/overview/",
                "UserModTime": 1569277990763,
                "Vendor": "Dell",
                "Vlanid": 0
            },
            {
                "Analysis": "l2_exempt",
                "AnalysisLevel": 4,
                "AutoRole": "other",
                "DefaultName": "Device a0510b0e4e210000",
                "DeviceClass": "node",
                "DhcpName": "PG1NP0ZR",
                "DiscoverTime": 1569276630000,
                "DiscoveryId": "a0510b0e4e210000",
                "DisplayName": "PF1NP0ZR",
                "ExtrahopId": "a0510b0e4e210000",
                "Id": 18627,
                "IsL3": false,
                "Macaddr": "B1:62:1C:1F:5F:32",
                "ModTime": 1569276641503,
                "OnWatchlist": false,
                "Role": "other",
                "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.a0510b0e4e210000/overview/",
                "UserModTime": 1569276640285,
                "Vlanid": 0
            }
        ]
    }
}
Human Readable Output

2 Device(s) Found

Display Name IP Address MAC Address Role Vendor URL
Win3-Web 70:F6:4C:A3:C2:F0 other Dell [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.509a4ca9b1f60000/overview/)
PG1NP0ZR B1:62:1C:1F:5F:32 other [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.a0510b0e4e210000/overview/)
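The argument table in this section describes relative time values ("-1d", "-24h", a bare negative number of milliseconds) for discover_time, active_from and active_until, plus operator, match_type and l3_only. The same time grammar is used by query_from and query_until in the peer and protocol commands later on this page. The Python below is an added example, not the integration's or the appliance's own code: it resolves those time values to milliseconds since the epoch, assembles a search request from the command arguments, and applies the l3_only filter to a result set. The request-body layout (a "filter" holding "field"/"operand"/"operator" rules) is an assumption about the appliance's device search endpoint made for illustration, and the month and year suffixes are taken as 30 and 365 days.

```python
"""Helpers for building an ExtraHop device search from the command arguments.

Added example, not the integration's own code. Request-body layout and the
30-day month / 365-day year are assumptions made for illustration.
"""
import time
from typing import Dict, List, Optional

# Multipliers for the unit suffixes listed in the argument table.
_UNIT_MS = {
    "ms": 1,
    "s": 1000,
    "m": 60 * 1000,
    "h": 60 * 60 * 1000,
    "d": 24 * 60 * 60 * 1000,
    "w": 7 * 24 * 60 * 60 * 1000,
    "M": 30 * 24 * 60 * 60 * 1000,   # assumption: calendar months are not modelled
    "y": 365 * 24 * 60 * 60 * 1000,  # assumption: leap years are not modelled
}


def relative_time_to_ms(value, now_ms: Optional[int] = None) -> int:
    """Resolve a time argument to absolute milliseconds since the epoch.

    Non-negative values are already absolute; 0 means the time of the request,
    as the active_from/active_until descriptions state. Negative values are
    offsets from now, in milliseconds unless one of the suffixes above is given.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    text = str(value).strip()
    if not text.startswith("-"):
        absolute = int(text)
        return now_ms if absolute == 0 else absolute
    body = text[1:]
    # Check the two-character suffix first so "5ms" is not read as 5 m + "s".
    for unit in sorted(_UNIT_MS, key=len, reverse=True):
        if body.endswith(unit):
            number = body[: -len(unit)]
            break
    else:
        unit, number = "ms", body
    if not number.isdigit():
        raise ValueError(f"bad relative time: {value!r}")
    return now_ms - int(number) * _UNIT_MS[unit]


_FILTER_FIELDS = ("name", "ip", "mac", "role", "software", "tag", "vendor",
                  "discover_time", "vlan", "activity")


def build_search_body(args: Dict[str, str], now_ms: Optional[int] = None) -> Dict:
    """Map command arguments to a search request body (layout is an assumption).

    Each filter field present in args becomes one rule using the shared
    operator (default "=", exact match); rules are joined by match_type
    (default "and"). Time arguments are resolved with relative_time_to_ms.
    """
    operator = args.get("operator", "=")
    rules: List[Dict] = []
    for field in _FILTER_FIELDS:
        if field in args:
            operand = args[field]
            if field == "discover_time":
                operand = relative_time_to_ms(operand, now_ms)
            rules.append({"field": field, "operand": operand, "operator": operator})
    body: Dict = {"limit": int(args.get("limit", 100))}
    if rules:
        body["filter"] = {"operator": args.get("match_type", "and"), "rules": rules}
    for key in ("active_from", "active_until"):
        if key in args:
            body[key] = relative_time_to_ms(args[key], now_ms)
    return body


def apply_l3_only(devices: List[Dict], l3_only: bool) -> List[Dict]:
    """Drop layer 2 parent devices when l3_only is set, keeping only IsL3 entries."""
    if not l3_only:
        return list(devices)
    return [d for d in devices if d.get("IsL3")]


if __name__ == "__main__":
    print(build_search_body({"role": "http_server", "software": "windows",
                             "match_type": "and", "active_from": "-6h"}))
```

Passing now_ms explicitly, as the functions allow, keeps the time arithmetic deterministic in unit tests and in playbook replays.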

4. Add or remove devices from the watchlist

Add or remove devices from the watchlist in ExtraHop.

Base Command

extrahop-edit-watchlist

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
add The list of IP Addresses or ExtraHop API IDs of the devices to add, comma separated. Optional
remove The list of IP Addresses or ExtraHop API IDs of the devices to remove, comma separated. Optional

Context Output
There is no context output for this command.

Command Example

!extrahop-edit-watchlist add=172.16.34.152

Human Readable Output

Successful Modification

5. Get all devices on the watchlist

Get all devices on the watchlist in ExtraHop.

Base Command

extrahop-get-watchlist

Required Permissions
  • Full write privileges
Input

There are no input arguments for this command.

Context Output
Path Type Description
ExtraHop.Device.Macaddr String The MAC address of the device.
ExtraHop.Device.DeviceClass String The class of this device.
ExtraHop.Device.UserModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.AutoRole String The role automatically detected by ExtraHop.
ExtraHop.Device.ParentId Number The ID of the parent device.
ExtraHop.Device.Vendor String The device vendor.
ExtraHop.Device.Analysis String The level of analysis performed on the device.
ExtraHop.Device.DiscoveryId String The UUID given by the Discover appliance.
ExtraHop.Device.DefaultName String The default name for this device.
ExtraHop.Device.DisplayName String The display name of the device.
ExtraHop.Device.OnWatchlist Boolean Whether the device is on the advanced analysis whitelist.
ExtraHop.Device.ModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.IsL3 Boolean Indicates whether the device is a Layer 3 device.
ExtraHop.Device.Role String The role of the device.
ExtraHop.Device.DiscoverTime Number The time that the device was discovered.
ExtraHop.Device.Id Number The ID of the device.
ExtraHop.Device.Ipaddr4 String The IPv4 address for this device.
ExtraHop.Device.Vlanid Number The unique identifier for the VLAN this device is associated with.
ExtraHop.Device.Ipaddr6 String The IPv6 address of the device.
ExtraHop.Device.NodeId Number The Node ID of the Discover appliance.
ExtraHop.Device.Description String A user customizable description of the device.
ExtraHop.Device.DnsName String The DNS name associated with the device.
ExtraHop.Device.DhcpName String The DHCP name associated with the device.
ExtraHop.Device.CdpName String The Cisco Discovery Protocol name associated with the device.
ExtraHop.Device.NetbiosName String The NetBIOS name associated with the device.
ExtraHop.Device.Url String Link to the device details page in ExtraHop.

Command Example

!extrahop-get-watchlist

Context Example
{
    "ExtraHop": {
        "Device": [
            {
                "Analysis": "advanced",
                "AnalysisLevel": 2,
                "AutoRole": "other",
                "DefaultName": "Device 172.16.34.152",
                "DeviceClass": "node",
                "DhcpName": "dem-is-to",
                "DiscoverTime": 1522964970000,
                "DiscoveryId": "fff49b080a0a0000",
                "DisplayName": "dem-is-to",
                "DnsName": "dem-is-to.example.com",
                "ExtrahopId": "fff49b080a0a0000",
                "Id": 1554,
                "Ipaddr4": "172.16.34.152",
                "IsL3": true,
                "Macaddr": "63:65:11:A1:3B:2B",
                "ModTime": 1569283538898,
                "NetbiosName": "DEMISTO",
                "OnWatchlist": true,
                "ParentId": 1445,
                "Role": "other",
                "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff49b080a0a0000/overview/",
                "UserModTime": 1522964985837,
                "Vlanid": 0
            }
        ]
    }
}
Human Readable Output

1 Device(s) Found

Display Name IP Address MAC Address Role Vendor URL
dem-is-to 172.16.34.152 63:65:11:A1:3B:2B other [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff49b080a0a0000/overview/)

6. Create a new alert rule

Create a new alert rule in ExtraHop.

Base Command

extrahop-create-alert-rule

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
apply_all Indicates whether the alert is assigned to all available data sources. Required
disabled Indicates whether the alert is disabled. Required
name The unique, friendly name for the alert. Required
notify_snmp Indicates whether to send an SNMP trap when an alert is generated. Required
refire_interval The time interval in which alert conditions are monitored, expressed in seconds. Required
severity The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. Supported values: 0, 1, 2, 3, 4, 5, 6, 7 Required
type The type of alert. Required
object_type The type of metric source monitored by the alert configuration. Only applicable to detection alerts. Optional
protocols The list of monitored protocols. Only applicable to detection alerts. Optional
field_name The name of the monitored metric. Only applicable to threshold alerts. Optional
field_name2 The second monitored metric when applying a ratio. Only applicable to threshold alerts. Optional
stat_name The statistic name for the alert. Only applicable to threshold alerts. Optional
units The interval in which to evaluate the alert condition. Only applicable to threshold alerts. Supported values: "none", "period", "1 sec", "1 min", "1 hr" Optional
interval_length The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. Supported values: 30, 60, 120, 300, 600, 900, 1200, 1800 Optional
operand The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. Optional
operator The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. Optional
field_op The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. Optional
param The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. Optional
param2 The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. Optional

Context Output
There is no context output for this command.

Command Example

!extrahop-create-alert-rule apply_all=false disabled=true name="Demisto Test Alert" notify_snmp=false refire_interval=3600 severity=3 type=threshold object_type=device operator=> operand=0.1 field_name=rsp_error field_name2=rsp field_op=/ units=none stat_name="extrahop.application.http"

Human Readable Output

Successfully Created
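The Command Example in this section defines a threshold alert that fires when the ratio rsp_error / rsp exceeds 0.1 and re-fires at most once per 3600 seconds. To make the meaning of field_name, field_name2, field_op, operator, operand, interval_length, refire_interval and severity concrete, the Python below is an added example (not the integration's or the appliance's own code) that validates such a rule against the supported values in the argument table and evaluates it over constructed 30-second metric samples. How the appliance itself schedules evaluation and suppresses repeats is not reproduced; the scheduling modelled here is an assumption.

```python
"""Evaluate an ExtraHop-style threshold alert rule against metric samples.

Added example, not the integration's or appliance's own code. The evaluation
schedule and refire suppression are assumptions made for illustration.
"""
import operator as op
from typing import Dict, List, Optional, Tuple

ALLOWED_SEVERITIES = range(0, 8)                      # 0..7, per the argument table
ALLOWED_INTERVALS = {30, 60, 120, 300, 600, 900, 1200, 1800}
_OPERATORS = {">": op.gt, ">=": op.ge, "<": op.lt, "<=": op.le, "==": op.eq, "!=": op.ne}
_FIELD_OPS = {"/": op.truediv, "-": op.sub, "+": op.add, "*": op.mul}


def validate_rule(rule: Dict) -> None:
    """Raise ValueError for values the argument table says are unsupported."""
    if rule.get("type") != "threshold":
        raise ValueError("this evaluator handles threshold alerts only")
    if int(rule["severity"]) not in ALLOWED_SEVERITIES:
        raise ValueError("severity must be 0..7")
    if "interval_length" in rule and int(rule["interval_length"]) not in ALLOWED_INTERVALS:
        raise ValueError("unsupported interval_length")
    if rule["operator"] not in _OPERATORS:
        raise ValueError("unsupported operator")
    if rule.get("field_name2") and rule.get("field_op") not in _FIELD_OPS:
        raise ValueError("field_op is required when field_name2 is set")


def rule_value(rule: Dict, sample: Dict[str, float]) -> Optional[float]:
    """Compute the monitored value for one interval's metric sample.

    With field_name2 set, the two metrics are combined with field_op (a ratio
    in the Command Example). A ratio over zero responses has no meaning, so
    None is returned and the interval is skipped rather than treated as 0.
    """
    primary = float(sample[rule["field_name"]])
    if rule.get("field_name2"):
        secondary = float(sample[rule["field_name2"]])
        if rule["field_op"] == "/" and secondary == 0:
            return None
        return _FIELD_OPS[rule["field_op"]](primary, secondary)
    return primary


def evaluate(rule: Dict, samples: List[Tuple[int, Dict[str, float]]]) -> List[int]:
    """Return the sample timestamps (seconds) at which the alert fires.

    samples are (timestamp_seconds, {metric: value}) pairs in time order. A
    condition that keeps holding re-fires only once refire_interval seconds
    have passed since the last firing (assumption based on the description).
    """
    validate_rule(rule)
    if rule.get("disabled") in (True, "true"):
        return []
    compare = _OPERATORS[rule["operator"]]
    threshold = float(rule["operand"])
    refire = int(rule["refire_interval"])
    fired: List[int] = []
    last: Optional[int] = None
    for ts, sample in samples:
        value = rule_value(rule, sample)
        if value is None or not compare(value, threshold):
            continue
        if last is None or ts - last >= refire:
            fired.append(ts)
            last = ts
    return fired


# Constructed rule mirroring the Command Example in this section, but enabled.
EXAMPLE_RULE = {
    "name": "Demisto Test Alert", "type": "threshold", "severity": 3,
    "field_name": "rsp_error", "field_name2": "rsp", "field_op": "/",
    "operator": ">", "operand": 0.1, "units": "none",
    "interval_length": 30, "refire_interval": 3600, "disabled": False,
}

# Constructed 30-second samples: HTTP responses and HTTP error responses.
EXAMPLE_SAMPLES = [
    (0,    {"rsp": 1000, "rsp_error": 20}),   # 2%: below threshold
    (30,   {"rsp": 1000, "rsp_error": 150}),  # 15%: fires
    (60,   {"rsp": 1000, "rsp_error": 300}),  # 30%: suppressed, inside refire_interval
    (90,   {"rsp": 0,    "rsp_error": 0}),    # no traffic: skipped
    (3630, {"rsp": 500,  "rsp_error": 100}),  # 20%: fires again, 3600 s later
]

if __name__ == "__main__":
    print(evaluate(EXAMPLE_RULE, EXAMPLE_SAMPLES))
```

The zero-denominator branch is the case worth noticing: an interval with no responses should neither fire nor silently reset the ratio to 0, otherwise a quiet period masks an error burst that starts at its end.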

7. Modify an alert rule

Modify an alert rule in ExtraHop.

Base Command

extrahop-edit-alert-rule

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
alert_id The unique identifier for the alert. Required
apply_all Indicates whether the alert is assigned to all available data sources. Required
disabled Indicates whether the alert is disabled. Required
name The unique, friendly name for the alert. Required
notify_snmp Indicates whether to send an SNMP trap when an alert is generated. Required
field_name The name of the monitored metric. Only applicable to threshold alerts. Optional
stat_name The statistic name for the alert. Only applicable to threshold alerts. Optional
units The interval in which to evaluate the alert condition. Only applicable to threshold alerts. Optional
interval_length The length of the alert interval, expressed in seconds. Only applicable to threshold alerts. Optional
operand The value to compare against alert conditions. The compare method is specified by the value of the operator field. Only applicable to threshold alerts. Optional
refire_interval The time interval in which alert conditions are monitored, expressed in seconds. Required
severity The severity level of the alert, which is displayed in the Alert History, email notifications, and SNMP traps. Required
type The type of alert. Required
object_type The type of metric source monitored by the alert configuration. Only applicable to detection alerts. Optional
protocols The list of monitored protocols. Only applicable to detection alerts. Optional
operator The logical operator applied when comparing the value of the operand field to alert conditions. Only applicable to threshold alerts. Optional
field_name2 The second monitored metric when applying a ratio. Only applicable to threshold alerts. Optional
field_op The type of comparison between the field_name and field_name2 fields when applying a ratio. Only applicable to threshold alerts. Optional
param The first alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. Optional
param2 The second alert parameter, which is either a key pattern or a data point. Only applicable to threshold alerts. Optional

Context Output
There is no context output for this command.

Command Example

!extrahop-edit-alert-rule alert_id=32 apply_all=false disabled=true name="Demisto Test" notify_snmp=false refire_interval=3600 severity=3 type=threshold object_type=device operator=> operand=0.1 field_name=rsp_error field_name2=rsp field_op=/ units=none stat_name="extrahop.application.http" interval_length=30

Human Readable Output

Successful Modification

8. Link an ExtraHop Detection to a Demisto Investigation

Link an ExtraHop Detection to a Demisto Investigation.

Base Command

extrahop-track-ticket

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
incident_id The ID of the Demisto Incident to ticket track. Required
detection_id The ID of the ExtraHop Detection to ticket track. Required
incident_owner Owner of the incident. Optional
incident_status Status of the incident. Optional
incident_close_reason Reason the incident was closed. Optional

Context Output
Path Type Description
ExtraHop.TicketId String Demisto Incident ID successfully tracked to the ExtraHop Detection.

Command Example

!extrahop-track-ticket detection_id=25910 incident_id=40360 incident_owner='colinw' incident_status=1

Context Example
{
    "ExtraHop": {
        "TicketId": "40360"
    }
}
Human Readable Output

Successful Modification

9. Get all peers for a device

Get all peers for a device from ExtraHop.

Base Command

extrahop-get-peers

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
ip_or_id The IP address or ExtraHop API ID of the source device whose peer devices are returned. Required
query_from The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional
query_until The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional
peer_role The role of the peer device in relation to the origin device. Optional
protocol A filter to only return peers that the source device has communicated with over this protocol. If no value is set, the object includes any protocol. Optional

Context Output
Path Type Description
ExtraHop.Device.Macaddr String The MAC address of the device.
ExtraHop.Device.DeviceClass String The class of the device.
ExtraHop.Device.UserModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.AutoRole String The role automatically detected by ExtraHop.
ExtraHop.Device.ParentId Number The ID of the parent device.
ExtraHop.Device.Vendor String The device vendor.
ExtraHop.Device.Analysis String The level of analysis performed on the device.
ExtraHop.Device.DiscoveryId String The UUID given by the Discover appliance.
ExtraHop.Device.DefaultName String The default name of the device.
ExtraHop.Device.DisplayName String The display name of the device.
ExtraHop.Device.OnWatchlist Boolean Whether the device is on the advanced analysis whitelist.
ExtraHop.Device.ModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.IsL3 Boolean Indicates whether the device is a Layer 3 device.
ExtraHop.Device.Role String The role of the device.
ExtraHop.Device.DiscoverTime Number The time that the device was discovered.
ExtraHop.Device.Id Number The ID of the device.
ExtraHop.Device.Ipaddr4 String The IPv4 address of the device.
ExtraHop.Device.Vlanid Number The ID of the VLAN the device is on.
ExtraHop.Device.Ipaddr6 String The IPv6 address of the device.
ExtraHop.Device.NodeId Number The Node ID of the Discover appliance.
ExtraHop.Device.Description String A user customizable description of the device.
ExtraHop.Device.DnsName String The DNS name associated with the device.
ExtraHop.Device.DhcpName String The DHCP name associated with the device.
ExtraHop.Device.CdpName String The Cisco Discovery Protocol name associated with the device.
ExtraHop.Device.NetbiosName String The NetBIOS name associated with the device.
ExtraHop.Device.Url String Link to the device details page in ExtraHop.
ExtraHop.Device.ClientProtocols String The list of protocols the peer device is communicating as a client.
ExtraHop.Device.ServerProtocols String The list of protocols the peer device is communicating as a server.

Command Example

!extrahop-get-peers ip_or_id=172.16.34.23

Context Example
{
    "ExtraHop": {
        "Device": [
            {
                "Analysis": "advanced",
                "AnalysisLevel": 1,
                "AutoRole": "other",
                "DefaultName": "VMware 172.16.34.161",
                "DeviceClass": "node",
                "DhcpName": "joker.example.com",
                "DiscoverTime": 1522964910000,
                "DiscoveryId": "fff4bb070a0a0000",
                "DisplayName": "joker.example.com",
                "DnsName": "joker.example.com",
                "ExtrahopId": "fff4bb070a0a0000",
                "Id": 374,
                "Ipaddr4": "172.16.34.161",
                "IsL3": true,
                "Macaddr": "11:1D:3A:3C:3E:BE",
                "ModTime": 1569284586752,
                "OnWatchlist": false,
                "ParentId": 18018,
                "Role": "other",
                "ServerProtocols": [
                    "TCP:SSL:LDAP",
                    "TCP:SSL"
                ],
                "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff4bb070a0a0000/overview/",
                "UserModTime": 1564016944279,
                "Vendor": "VMware",
                "Vlanid": 0
            },
            {
                "Analysis": "discovery",
                "AnalysisLevel": 3,
                "AutoRole": "other",
                "ClientProtocols": [
                    "TCP:HTTP"
                ],
                "DefaultName": "Qumranet 172.16.34.11",
                "DeviceClass": "node",
                "DhcpName": "soundboard2",
                "DiscoverTime": 1533851220000,
                "DiscoveryId": "fff44001150a0000",
                "DisplayName": "soundboard2",
                "DnsName": "soundboard2.example.com",
                "ExtrahopId": "fff44001150a0000",
                "Id": 10751,
                "Ipaddr4": "172.16.34.11",
                "IsL3": true,
                "Macaddr": "11:2B:5B:27:12:9D",
                "ModTime": 1569279163337,
                "OnWatchlist": false,
                "ParentId": 10746,
                "Role": "other",
                "ServerProtocols": [
                    "TCP:OTHER"
                ],
                "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff44001150a0000/overview/",
                "UserModTime": 1533851289829,
                "Vendor": "Qumranet",
                "Vlanid": 0
            }
        ]
    }
}
Human Readable Output

2 Peer Device(s) Found

Display Name IP Address MAC Address Role Protocols URL Vendor
joker.example.com 172.16.34.161 11:1D:3A:3C:3E:BE other Client:
Server: TCP:SSL:LDAP, TCP:SSL
[View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff4bb070a0a0000/overview/) VMware
soundboard2 172.16.34.11 11:2B:5B:27:12:9D other Client: TCP:HTTP
Server: TCP:OTHER
[View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff44001150a0000/overview/) Qumranet
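The ClientProtocols and ServerProtocols values above (and the same fields returned by extrahop-get-protocols in the next section) encode a transport followed by the layered protocols ExtraHop identified, for example "TCP:SSL:LDAP". The Python below is an added example, not the integration's own code: it parses those stacks, treats a stack as encrypted when SSL appears in it, and lists peers that talk a credential-bearing application protocol without it. The two sample peers are constructed from the Context Example above and trimmed; the set of protocols considered sensitive in the clear is an assumption to adapt to local policy.

```python
"""Summarise peer-protocol context from extrahop-get-peers / extrahop-get-protocols.

Added example, not the integration's own code. Sample peers are constructed
from this page's Context Example; CLEARTEXT_SENSITIVE is an assumption.
"""
from typing import Dict, List, Optional, Set

# Constructed from the peers Context Example above (trimmed to what is read here).
SAMPLE_PEERS: List[Dict] = [
    {"DisplayName": "joker.example.com", "Ipaddr4": "172.16.34.161",
     "ServerProtocols": ["TCP:SSL:LDAP", "TCP:SSL"]},
    {"DisplayName": "soundboard2", "Ipaddr4": "172.16.34.11",
     "ClientProtocols": ["TCP:HTTP"], "ServerProtocols": ["TCP:OTHER"]},
]

# Application protocols that carry credentials or queries in the clear unless
# wrapped in SSL/TLS (assumption; extend to match local policy).
CLEARTEXT_SENSITIVE: Set[str] = {"HTTP", "LDAP", "FTP", "TELNET", "SMTP", "POP3", "IMAP"}


def parse_stack(stack: str) -> Dict[str, Optional[object]]:
    """Split "TCP:SSL:LDAP" into transport, top application layer and encryption flag."""
    parts = stack.split(":")
    transport, layers = parts[0], parts[1:]
    return {
        "transport": transport,
        "application": layers[-1] if layers else None,
        "encrypted": "SSL" in layers,
    }


def summarize_peer(peer: Dict) -> Dict:
    """Per-peer summary: encrypted and cleartext stacks plus findings on the latter."""
    findings: List[str] = []
    cleartext: Set[str] = set()
    encrypted: Set[str] = set()
    for role in ("ClientProtocols", "ServerProtocols"):
        for stack in peer.get(role, []):
            info = parse_stack(stack)
            if info["encrypted"]:
                encrypted.add(stack)
                continue
            cleartext.add(stack)
            if info["application"] in CLEARTEXT_SENSITIVE:
                side = "serves" if role == "ServerProtocols" else "uses"
                findings.append(f'{side} {info["application"]} without SSL')
    return {
        "name": peer.get("DisplayName"),
        "ip": peer.get("Ipaddr4"),
        "encrypted": sorted(encrypted),
        "cleartext": sorted(cleartext),
        "findings": findings,
    }


def summarize_peers(peers: List[Dict]) -> List[Dict]:
    """Summaries for every peer, in the order ExtraHop returned them."""
    return [summarize_peer(p) for p in peers]


if __name__ == "__main__":
    for summary in summarize_peers(SAMPLE_PEERS):
        print(summary)
```

Run against the output of extrahop-get-peers for a watchlisted host, the findings list gives a quick answer to "which of this device's neighbours exchange credentials with it in the clear", which is usually the first question when scoping lateral movement from that host.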

10. Get all active network protocols for a device

Get all active network protocols for a device from ExtraHop.

Base Command

extrahop-get-protocols

Required Permissions
  • Full write privileges
Input
Argument Name Description Required
ip_or_id The IP address or ExtraHop API ID of the device whose active network protocols are returned. Required
query_from The beginning timestamp of the time range the query will search, expressed in milliseconds since the epoch. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional
query_until The ending timestamp of the time range the query will search, expressed in milliseconds since the epoch. 0 indicates the time of the request. A negative value is evaluated relative to the current time. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. Optional

Context Output
Path Type Description
ExtraHop.Device.Macaddr String The MAC address of the device.
ExtraHop.Device.DeviceClass String The class of the device.
ExtraHop.Device.UserModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.AutoRole String The role automatically detected by ExtraHop.
ExtraHop.Device.ParentId Number The ID of the parent device.
ExtraHop.Device.Vendor String The device vendor.
ExtraHop.Device.Analysis String The level of analysis performed on the device.
ExtraHop.Device.DiscoveryId String The UUID given by the Discover appliance.
ExtraHop.Device.DefaultName String The default name of the device.
ExtraHop.Device.DisplayName String The display name of the device.
ExtraHop.Device.OnWatchlist Boolean Whether the device is on the advanced analysis whitelist.
ExtraHop.Device.ModTime Number The time of the most recent update, expressed in milliseconds since the epoch.
ExtraHop.Device.IsL3 Boolean Indicates whether the device is a Layer 3 device.
ExtraHop.Device.Role String The role of the device.
ExtraHop.Device.DiscoverTime Number The time that the device was discovered.
ExtraHop.Device.Id Number The ID of the device.
ExtraHop.Device.Ipaddr4 String The IPv4 address of the device.
ExtraHop.Device.Vlanid Number The ID of the VLAN the device is on.
ExtraHop.Device.Ipaddr6 String The IPv6 address of the device.
ExtraHop.Device.NodeId Number The Node ID of the Discover appliance.
ExtraHop.Device.Description String A user customizable description of the device.
ExtraHop.Device.DnsName String The DNS name associated with the device.
ExtraHop.Device.DhcpName String The DHCP name associated with the device.
ExtraHop.Device.CdpName String The Cisco Discovery Protocol name associated with the device.
ExtraHop.Device.NetbiosName String The NetBIOS name associated with the device.
ExtraHop.Device.Url String Link to the device details page in ExtraHop.
ExtraHop.Device.ClientProtocols String The list of protocols the device is communicating as a client.
ExtraHop.Device.ServerProtocols String The list of protocols the device is communicating as a server.

Command Example

!extrahop-get-protocols ip_or_id=172.16.34.11

Context Example
{
    "ExtraHop": {
        "Device": [
            {
                "Analysis": "advanced",
                "AnalysisLevel": 2,
                "AutoRole": "http_server",
                "ClientProtocols": [
                    "TCP:SSL:LDAP",
                    "TCP:SSL",
                    "TCP:OTHER",
                    "UDP:NTP",
                    "UDP:DNS"
                ],
                "DefaultName": "Qumranet 172.16.34.11",
                "DeviceClass": "node",
                "DhcpName": "soundboard2",
                "DiscoverTime": 1533851430000,
                "DiscoveryId": "fff40601150a0000",
                "DisplayName": "tme-lab-ubuntu",
                "ExtrahopId": "fff40601150a0000",
                "Id": 10754,
                "Ipaddr4": "172.16.34.11",
                "IsL3": true,
                "Macaddr": "11:2B:5B:27:12:9D",
                "ModTime": 1569276433204,
                "OnWatchlist": true,
                "ParentId": 10748,
                "Role": "http_server",
                "ServerProtocols": [
                    "TCP:HTTP"
                ],
                "Url": "https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff40601150a0000/overview/",
                "UserModTime": 1569284010207,
                "Vendor": "Qumranet",
                "Vlanid": 0
            }
        ]
    }
}
Human Readable Output

Device Activity Found

| Display Name | IP Address | MAC Address | Protocols (Client) | Protocols (Server) | Role | Vendor | URL |
| --- | --- | --- | --- | --- | --- | --- | --- |
| soundboard2 | 172.16.34.11 | 11:2B:5B:27:12:9D | TCP:SSL:LDAP, TCP:SSL, TCP:OTHER, UDP:NTP, UDP:DNS | TCP:HTTP | http_server | Qumranet | [View Device in ExtraHop](https://test1.extrahop.com/extrahop/#/metrics/devices/a74b9b6aa9e44de9baedcf8112c27ec4.fff40601150a0000/overview/) |

11. Add or remove a tag from devices

Add or remove a tag from devices in ExtraHop.

Base Command

extrahop-tag-devices

Required Permissions
  • Full write privileges
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| tag | The case-sensitive value of the tag. | Optional |
| add | The comma-separated list of IP addresses or ExtraHop API IDs of the devices to tag. | Optional |
| remove | The comma-separated list of IP addresses or ExtraHop API IDs of the devices to remove the tag from. | Optional |

Context Output
There is no context output for this command.

Command Example

!extrahop-tag-devices tag='demisto' add=172.16.34.11

Human Readable Output

Successful Modification

12. Get a link to a Live Activity Map

Get a link to a visual activity map in ExtraHop.

Base Command

extrahop-get-activity-map

Required Permissions
  • Full write privileges
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip_or_id | The IP address or ExtraHop API ID of the source device for which to get an activity map. | Required |
| time_interval | The time interval of the live activity map, expressed as a "Last" duration. For example, specify a value of 30 minutes to get an activity map covering the last 30 minutes. This field is ignored if from_time and until_time are provided. | Optional |
| from_time | The beginning timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | Optional |
| until_time | The ending timestamp of a fixed time range the activity map will display, expressed in seconds since the epoch. | Optional |
| peer_role | The role of the peer devices in relation to the source device. For example, specifying a peer_role of client shows all clients communicating with the source device. Additionally specifying a protocol of HTTP filters further and shows only HTTP clients communicating with the source device. | Optional |
| protocol | The protocol over which the source device is communicating. For example, specifying a protocol of HTTP shows only HTTP clients and HTTP servers communicating with the source device. Additionally specifying a peer_role of client filters further and shows only HTTP clients communicating with the source device. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| ExtraHop.ActivityMap | string | The link to a visual activity map in ExtraHop. |

Command Example

!extrahop-get-activity-map ip_or_id=172.16.34.11 time_interval="6 hours"

Context Example
{
    "ExtraHop": {
        "ActivityMap": "https://test1.extrahop.com/extrahop/#/activitymaps?appliance_id=a74b9b6aa9e44de9baedcf8112c27ec4&discovery_id=fff40601150a0000&from=6&interval_type=HR&object_type=device&protocol=any&role=any&until=0"
    }
}
Human Readable Output

[View Live Activity Map in ExtraHop](https://test1.extrahop.com/extrahop/#/activitymaps?appliance_id=a74b9b6aa9e44de9baedcf8112c27ec4&discovery_id=fff40601150a0000&from=6&interval_type=HR&object_type=device&protocol=any&role=any&until=0)

13. Search for specific packets

Search for specific packets in ExtraHop.

Base Command

extrahop-search-packets

Required Permissions
  • Full write privileges
  • Packet and Session Key Access
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| output | The output format: a .pcap file, a keylog.txt file that can be loaded in Wireshark to decrypt SSL packets, or a zip file containing both packets.pcap and keylog.txt. | Optional |
| limit_bytes | The maximum number of bytes to return. | Optional |
| limit_search_duration | The maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. | Optional |
| query_from | The beginning timestamp of the time range the search will include, expressed in milliseconds since the epoch. A negative value specifies that the search will begin with packets captured at a time in the past relative to the current time. For example, specify -10m to begin the search with packets captured 10 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Required |
| query_until | The ending timestamp of the time range the search will include, expressed in milliseconds since the epoch. A 0 value specifies that the search will end with packets captured at the time of the search. A negative value specifies that the search will end with packets captured at a time in the past relative to the current time. For example, specify -5m to end the search with packets captured 5 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. See https://docs.extrahop.com/current/rest-api-guide/#supported-time-units- for more details on supported time units and suffixes. | Optional |
| bpf | The Berkeley Packet Filter (BPF) expression for the packet search. | Optional |
| ip1 | Returns packets sent to or received by the specified IP address. | Optional |
| port1 | Returns packets sent from or received on the specified port. | Optional |
| ip2 | Returns packets sent to or received by the specified IP address. | Optional |
| port2 | Returns packets sent from or received on the specified port. | Optional |
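The query_from and query_until values above (and the same arguments of extrahop-get-protocols) follow one rule: a positive number is an absolute epoch-millisecond timestamp, 0 is the time of the request, and a negative number is relative to now, in milliseconds unless one of the listed suffixes is given. The Python below is an added example, not the integration's own code: it resolves such values to an absolute window and rejects an inverted one before a search is submitted. Its 30-day month, 365-day year, and rejection of a suffix on a positive value are this example's assumptions.

```python
import re

# Constructed reference time for the examples (epoch milliseconds), not a real request time.
NOW_MS = 1_569_276_433_204

# Suffixes listed in the argument descriptions. M = 30 days and y = 365 days are
# this example's assumptions; the ExtraHop REST API guide defines the exact values.
_UNIT_MS = {
    "ms": 1,
    "s": 1_000,
    "m": 60_000,
    "h": 3_600_000,
    "d": 86_400_000,
    "w": 7 * 86_400_000,
    "M": 30 * 86_400_000,
    "y": 365 * 86_400_000,
}
_EXPR = re.compile(r"^(-?\d+)(ms|s|m|h|d|w|M|y)?$")


def resolve_time(value, now_ms=NOW_MS):
    """Resolve a query_from / query_until value to absolute epoch milliseconds.

    Positive values are absolute epoch ms, 0 is the time of the request, and a
    negative value is relative to now_ms (milliseconds unless a suffix is given).
    """
    match = _EXPR.match(str(value).strip())
    if not match:
        raise ValueError(f"unsupported time expression: {value!r}")
    number, unit = int(match.group(1)), match.group(2)
    if number > 0:
        if unit:  # assumption: a suffix only makes sense on a relative value
            raise ValueError("unit suffixes apply to negative (relative) values only")
        return number
    if number == 0:
        return now_ms
    return now_ms + number * _UNIT_MS[unit or "ms"]


def resolve_window(query_from, query_until="0", now_ms=NOW_MS):
    """Resolve a search window; reject one that is empty or ends before it starts."""
    start = resolve_time(query_from, now_ms)
    end = resolve_time(query_until, now_ms)
    if start >= end:
        raise ValueError(f"query_from ({start}) must be earlier than query_until ({end})")
    return start, end
```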

Context Output
There is no context output for this command.

Command Example

!extrahop-search-packets ip1=172.16.34.23 port1=10057 ip2=172.16.34.11 port2=44576

Human Readable Output

Uploaded file: extrahop 2019-09-23 16.59.01 to 17.29.01 PST.pcap

Additional Information

Known Limitations

Troubleshooting

This integration was integrated and tested with version 7.8 of ExtraHop Reveal(x) and version 4.5 of Demisto.