ExtraHop
Integration version: 4.0Configure ExtraHop integration in Google SecOps
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | Yes | API root of the ExtraHop instance. | |
| Client ID | String | N/A | Yes | Client ID of the ExtraHop instance. |
| Client Secret | Password | N/A | Yes | Client Secret of the ExtraHop instance. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the ExtraHop server is valid. |
Product Use Cases
Ingestion of alerts
Actions
Ping
Description
Test connectivity to ExtraHop with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_succeed | True/False | is_succeed:False |
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful: "Successfully connected to the ExtraHop server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the ExtraHop server! Error is {0}".format(exception.stacktrace) |
General |
Update Detection
Update a detection in ExtraHop.
Run On
This action doesn't run on entities.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Detection ID | String | N/A | Yes | Specify the ID of the detection that needs to be updated. |
| Status | DDL | Possible Values:
|
No | Specify the status for the detection. |
| Resolution | DDL | Possible Values:
|
No | Specify the resolution for the detection. If Status parameter is set to "Closed", Resolution parameter is needed. |
| Assign To | String | N/A | No | Specify the name of the analyst to whom the alert needs to be assigned. If "Unassign" is provided, the action will remove assignment from the alert. |
Action Outputs
| Type | Available |
|---|---|
| Script Result | True |
| JSON Result | True |
| Enrichment Table | False |
| Case Wall Table | False |
| Case Wall Link | False |
| Case Wall Attachment | False |
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
0: {
"id": 4294967299,
"start_time": 1693795020000,
"update_time": 1693805700000,
"end_time": 1694198520000,
"title": "LLMNR Activity",
"description": "[EVAL\\-W2019\\-PRD](https://wwt-mand.cloud.extrahop.com#/
// metrics/devices/d0ded7fd86f0459890394969c49d2bf6.005056bd27330000/
// overview?from=1693795020&interval_type=DT&until=1694198520) sent
// Link-Local Multicast Name Resolution (LLMNR) requests that are part of an
// internal broadcast query to resolve a hostname. The LLMNR protocol is
// known to be vulnerable to attacks.",
"risk_score": 30,
"type": "llmnr_activity_individual",
"recommended_factors": [],
"recommended": false,
"categories": [
"sec",
"sec.hardening"
],
"properties": {},
"participants": [
{
"role": "offender",
"scanner_service": null,
"endpoint": null,
"external": false,
"object_id": 4294967305,
"object_type": "device",
"username": null,
"id": 2
}
],
"ticket_id": null,
"assignee": "ankita.shakya@wwtatc.com",
"status": "in_progress",
"resolution": null,
"mitre_tactics": [],
"mitre_techniques": [],
"appliance_id": 1,
"is_user_created": false,
"mod_time": 1694790591224,
"create_time": 1693795051521,
"url": "https://wwt-mand.cloud.extrahop.com/extrahop/#/detections/detail/4294
// 967299/?from=1693794120&until=1694199420&interval_type=DT"
}
Case Wall
| Result type | Value/Description | Type (Entity \ General) |
|---|---|---|
| Output message* |
The action should not fail or stop a playbook execution: if returned info (is_success = true): print "Successfully updated detection with ID {detection id} in Extrahop." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Update Detection". Reason: {0}''.format(error.Stacktrace) If detection not found (404 status code): Error executing action "Update Detection". Reason: detection with ID {alert id} wasn't found in Extrahop. Please check the spelling." If "type": "request_error": Error executing action "Update Detection". Reason: {detail}" If "Status" is "Select One", and nothing is provided in "Assign To": Error executing action "Update Detection". Reason: at least one of the "Status" or "Assign To" parameters should have a value." |
General |
Connectors
ExtraHop - Detections Connector
Description
Pull information about detections from ExtraHop. Note: The whitelist filter works with the "type" parameter.
Configure ExtraHop - Detections Connector in Google SecOps
For detailed instructions on how to configure a connector in Google SecOps, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | . | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is . to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://{instance}.api.cloud.extrahop.com | Yes | API root of the ExtraHop instance. |
| Client ID | String | N/A | Yes | Client ID of the ExtraHop instance. |
| Client Secret | Password | N/A | Yes | Client Secret of the ExtraHop instance. |
| Lowest Risk Score To Fetch | Integer | N/A | No | Lowest risk score that needs to be used to fetch detections. Maximum: 100. If nothing is provided, the connector will ingest detections with all risk scores. |
| Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch detections. |
| Max Detections To Fetch | Integer | 100 | No | How many detections to process per one connector iteration. Default: 100. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the ExtraHop server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports proxy.
Need more help? Get answers from Community members and Google SecOps professionals.