ExtraHop Reveal(x) network detection and response automatically discovers and classifies every transaction, session, device, and asset in your enterprise. ExtraHop helps organizations understand and secure their environments by analyzing all network interactions in real time and leveraging machine learning to identify threats, deliver critical applications, and secure investments in the hybrid cloud.
This document provides information about the ExtraHop Connector, which facilitates automated interactions with an ExtraHop server using FortiSOAR™ playbooks. Add the ExtraHop Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts from ExtraHop, querying log records in ExtraHop, updating watchlists in ExtraHop, etc.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
```shell
yum install cyops-connector-extrahop
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the ExtraHop connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Server URL of the ExtraHop Reveal(x) server to which you will connect and perform the automated operations. |
| API Key | API Key configured for your account for using the ExtraHop Reveal(x) APIs. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Alerts | Retrieves all alerts from ExtraHop. | get_alerts Investigation |
| Get Alert Details | Retrieve details of a specific alert from ExtraHop based on the alert ID you have specified. | get_alert_details Investigation |
| Create Alert | Creates a new alert in ExtraHop based on the name, severity, author, and other input parameters you have specified. | create_alert Investigation |
| Update Alert | Updates an existing alert in ExtraHop based on the alert ID, name, severity, and other input parameters you have specified. | update_alert Investigation |
| Query Records | Queries log records in ExtraHop based on the time frame and other input parameters you have specified. | query_records Investigation |
| Search Devices | Retrieves all devices from ExtraHop that match the search criteria you have specified. | search_devices Investigation |
| Get Watchlist | Retrieve all devices that are in the watchlist from ExtraHop. | get_watchlist Investigation |
| Update Watchlist | Adds or removes devices from the watchlist in ExtraHop based on the IP addresses or device IDs you have specified. | update_watchlist Miscellaneous |
| Update Detection | Updates a detection in ExtraHop based on the detection ID, ticket ID, assignee, and other input parameters you have specified. | update_detection Miscellaneous |
| Get Peers Devices | Retrieves all peers for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_peers_devices Investigation |
| Get Protocols | Retrieves all active network protocols for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_protocols Investigation |
| Tag Devices | Adds or removes a tag from devices in ExtraHop based on the IP addresses or device IDs you have specified. | tag_devices Investigation |
| Create Tag | Creates a new tag in ExtraHop based on the tag name you have specified. | tag_tag Investigation |
| Search Packet | Searches for packets by specifying parameters in a URL. | search_packet Investigation |
Input parameters for the Get Alerts operation: None.
The output of the Get Alerts operation contains the following populated JSON schema:
```json
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
```
Input parameters for the Get Alert Details operation:
| Parameter | Description |
|---|---|
| Alert ID | The unique identifier for the alert whose details you want to retrieve from ExtraHop. |
The output of the Get Alert Details operation contains the following populated JSON schema:
```json
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
```
Input parameters for the Create Alert operation:
| Parameter | Description |
|---|---|
| Name | Specify the unique, friendly name for the alert that you want to create in ExtraHop. |
| Disabled | Select this checkbox to create the alert in the 'Disabled' state in ExtraHop. |
| Severity | Select the severity level of the alert that you want to create in ExtraHop. This severity level gets displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: Emergency, Alert, Critical, Error, Warning, Info, or Debug. |
| Author | Specify the name of the user who created the alert that you want to add in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to create in ExtraHop. You can choose between Threshold or Detection. If you choose Threshold, then you can specify the following parameters: |
| CC | Specify the list of email addresses, not already included in an email group, that should receive notifications for the created alert. |
| Description | Specify the description for the alert that you want to create in ExtraHop. |
| Refire Interval | Specify the time interval in which alert conditions are monitored. |
The output of the Create Alert operation contains the following populated JSON schema:
```json
{
"success": "",
"result": ""
}
```
Input parameters for the Update Alert operation:
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique identifier for the alert that you want to update in ExtraHop. |
| Name | Specify the unique, friendly name for the alert that you want to update in ExtraHop. |
| Severity | Select the severity level of the alert that you want to update in ExtraHop. This severity level gets displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: Emergency, Alert, Critical, Error, Warning, Info, or Debug. |
| Author | Specify the name of the user who created the alert that you want to update in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to update in ExtraHop. You can choose between Threshold or Detection. If you choose Threshold, then you can specify the following parameters: |
| CC | Specify the list of email addresses, not already included in an email group, that should receive notifications for the updated alert. |
| Description | Specify the description for the alert that you want to update in ExtraHop. |
| Refire Interval | The time interval in which alert conditions are monitored. |
The output of the Update Alert operation contains the following populated JSON schema:
```json
{
"success": "",
"result": ""
}
```
Input parameters for the Query Records operation:
| Parameter | Description |
|---|---|
| From | The starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Type | Specify a CSV list of one or more record formats on which to restrict the log record search in ExtraHop. The query returns only those records that match the specified formats. If no value is specified, then the query returns records of any type. Valid values for this field are displayed in the Record Type field on the 'Record Formats' page. For example: "cifs" |
| Field | Specify the name of the field in the record based on which you want to filter the search log records in ExtraHop. The query compares the contents of the field parameter to the value of the operand parameter. |
| Operator | The logical operator to be applied when comparing the contents of the field parameter to the value of the operand parameter. |
| Operand | The value to be compared by the query. The query compares the contents of the field parameter to the value of the operand parameter. |
| Use Conditional Filters | Select this checkbox to use conditional filters, i.e., a list of one or more filter objects within a single filter object. Filter objects can be embedded recursively. Only "and", "or", or "not" operators are allowed for this parameter. If you select this checkbox, then you must specify the following parameters: |
| Limit | The maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th log record. By default, this is set as 0. |
| Sort | Select this checkbox if you want to sort records retrieved from ExtraHop. By default, records are sorted in descending order on the timestamp field. If you select this checkbox, then you must specify the following parameters: |
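The following is an added example (not part of the connector's own code) that assembles a Query Records request body from the parameters in the table above, validating the relative time suffixes, the and/or/not restriction on conditional filters, and the Limit and Offset bounds before anything is sent. The request body shape, the `/api/v1/records/search` path and the `ExtraHop apikey=` authorization header are assumed from ExtraHop's REST API and are not stated on this page; the record field names and IP address in the sample are constructed.

```python
import re

# Suffixes the From / Until parameters accept on a negative (relative) value,
# exactly as listed in the table above; a bare negative number means milliseconds.
RELATIVE_TIME_RE = re.compile(r"^-\d+(ms|s|m|h|d|w|M|y)?$")

# The only operators a conditional filter object may carry (Use Conditional Filters).
CONDITIONAL_OPERATORS = {"and", "or", "not"}

DEFAULT_LIMIT = 100   # Limit default from the table above
MAX_LIMIT = 10000     # Limit maximum from the table above


def validate_time(value):
    """Return a From/Until value in a form the API accepts, or raise ValueError.

    Ints pass through as milliseconds since the epoch (negative = relative ms);
    strings must be a negative offset with an optional unit suffix, e.g. "-30m".
    Rejecting bad input here avoids a round trip that ends in an HTTP 400.
    """
    if isinstance(value, bool):
        raise ValueError("time value must be an int or a string")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and RELATIVE_TIME_RE.match(value):
        return value
    raise ValueError(f"unsupported time value: {value!r}")


def leaf_filter(field, operator, operand):
    """One comparison rule: the Field / Operator / Operand trio from the table."""
    return {"field": field, "operator": operator, "operand": operand}


def conditional_filter(operator, rules):
    """Nest rules under and/or/not; a rule may itself be a conditional filter."""
    if operator not in CONDITIONAL_OPERATORS:
        raise ValueError("conditional operator must be one of: and, or, not")
    if not rules:
        raise ValueError("a conditional filter needs at least one rule")
    return {"operator": operator, "rules": list(rules)}


def build_records_query(from_time, until_time, types=None, filter_obj=None,
                        limit=DEFAULT_LIMIT, offset=0,
                        sort_field="timestamp", descending=True):
    """Assemble the request body for a record search (body shape assumed, see lead-in)."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if offset < 0:
        raise ValueError("offset must be zero or positive")
    query = {
        "from": validate_time(from_time),
        "until": validate_time(until_time),
        "limit": limit,
        "offset": offset,
        # Default sort per the table: descending on the timestamp field.
        "sort": [{"field": sort_field, "direction": "desc" if descending else "asc"}],
    }
    if types:
        # The Type parameter is a CSV list of record formats, e.g. "cifs, http".
        query["types"] = [t.strip() for t in types.split(",") if t.strip()]
    if filter_obj is not None:
        query["filter"] = filter_obj
    return query


def api_headers(api_key):
    """Authorization header format of the ExtraHop REST API (assumed, not stated on this page)."""
    return {"Authorization": f"ExtraHop apikey={api_key}",
            "Accept": "application/json",
            "Content-Type": "application/json"}


def search_records(server_url, api_key, query, verify_ssl=True):
    """POST the query; the /api/v1/records/search path is assumed from ExtraHop's API docs.

    verify_ssl mirrors the connector's Verify SSL setting: leaving it True keeps the
    API key from being sent to a server whose certificate cannot be validated.
    """
    import requests  # imported here so the builders above work without it installed
    resp = requests.post(server_url.rstrip("/") + "/api/v1/records/search",
                         headers=api_headers(api_key), json=query,
                         verify=verify_ssl, timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Constructed sample: CIFS records from the last 30 minutes for one client,
    # excluding READ operations, nested as the Use Conditional Filters row describes.
    rules = conditional_filter("and", [
        leaf_filter("client", "=", "10.0.0.5"),        # constructed IP and field names
        conditional_filter("not", [leaf_filter("method", "=", "READ")]),
    ])
    body = build_records_query("-30m", 0, types="cifs", filter_obj=rules, limit=500)
    print(body)
```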
The output of the Query Records operation contains the following populated JSON schema:
```json
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
```
Input parameters for the Search Devices operation:
| Parameter | Description |
|---|---|
| Active From | The starting timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Active Until | The ending timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Field | Specify the name of the field based on which you want to filter results returned by this operation. The search compares the contents of the field parameter to the value of the operand parameter. |
| Operator | The logical operator to be applied when comparing the contents of the field parameter to the value of the operand parameter. |
| Operand | The value that this search operation attempts to match. The query compares the value of the operand to the contents of the field parameter and applies the compare method specified by the operator parameter. |
| Use Conditional Filters | Select this checkbox to use conditional filters, i.e., a list of one or more filter objects within a single filter object. Filter objects can be embedded recursively. Only "and", "or", or "not" operators are allowed for this parameter. If you select this checkbox, then you must specify the following parameters: |
| Limit | The maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say incidents starting from the 10th log record. By default, this is set as 0. |
The output of the Search Devices operation contains the following populated JSON schema:
```json
{
"activity": [],
"analysis": "",
"analysis_level": "",
"auto_role": "",
"cdp_name": "",
"cloud_account": "",
"cloud_instance_id": "",
"cloud_instance_name": "",
"cloud_instance_type": "",
"critical": "",
"custom_criticality": "",
"custom_name": "",
"custom_type": "",
"default_name": "",
"description": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"ipaddr6": "",
"is_l3": "",
"last_seen_time": "",
"macaddr": "",
"mod_time": "",
"model": "",
"netbios_name": "",
"node_id": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"subnet_id": "",
"user_mod_time": "",
"vendor": "",
"vlanid": "",
"vpc_id": ""
}
```
Input parameters for the Get Watchlist operation: None.
The output of the Get Watchlist operation contains the following populated JSON schema:
```json
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"netbios_name": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"url": "",
"user_mod_time": "",
"vlanid": ""
}
```
Input parameters for the Update Watchlist operation:
| Parameter | Description |
|---|---|
| Action | Select the action that you want to perform on the watchlist in ExtraHop. Choose 'Add' to add devices to the watchlist or choose 'Remove' to remove the devices from the watchlist. |
| Based On | Select the input based on which you want to add or remove devices from the watchlist. You can choose between IP addresses or Device IDs. |
The output of the Update Watchlist operation contains the following populated JSON schema:
```json
{
"status": "",
"result": ""
}
```
Input parameters for the Update Detection operation:
| Parameter | Description |
|---|---|
| Detection ID | The unique identifier for the detection that you want to update in ExtraHop. |
| Ticket ID | The ID of the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Assignee | The assignee of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Status | The status of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose from the following options: New, In Progress, Acknowledged, or Closed. |
| Resolution | The resolution of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose between Action Taken or No Action Taken. |
The output of the Update Detection operation contains the following populated JSON schema:
```json
{
"status": "",
"result": ""
}
```
Input parameters for the Get Peers Devices operation:
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve peers for the specified device from ExtraHop. You can choose between IP address or Device IDs. |
| From | (Optional) The starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Role | (Optional) The role of the peer device in relation to the origin device. You can choose from the following options: Any, Client, or Server. |
| Protocol | (Optional) The protocol over which the origin device is communicating, such as "HTTP". If no value is set, the object includes any protocol. |
The output of the Get Peers Devices operation contains the following populated JSON schema:
```json
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"client_protocols": [],
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"server_protocols": [],
"url": "",
"user_mod_time": "",
"vendor": "",
"vlanid": ""
}
```
Input parameters for the Get Protocols operation:
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve active network protocols for the specified device from ExtraHop. You can choose between IP address or Device IDs. |
| From | (Optional) The starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
The output of the Get Protocols operation contains the following populated JSON schema:
```json
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"client_protocols": [],
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"server_protocols": [],
"url": "",
"user_mod_time": "",
"vendor": "",
"vlanid": ""
}
```
Input parameters for the Tag Devices operation:
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to add or remove from the specified device. |
| Action | Select the action that you want to perform on the tags in ExtraHop. Choose 'Add' to add tags to the device or choose 'Remove' to remove the tags from the device. |
| Based On | Select the input based on which you want to add or remove tags from the device. You can choose between IP address or Device IDs. |
The output of the Tag Devices operation contains the following populated JSON schema:
```json
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
```
Input parameters for the Create Tag operation:
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to create in ExtraHop. |
The output of the Create Tag operation contains the following populated JSON schema:
```json
{
"status": "",
"result": ""
}
```
Input parameters for the Search Packet operation:
| Parameter | Description |
|---|---|
| File Format | Select the file format for the searched packet, which can be downloaded into the FortiSOAR 'Attachment' module. You can choose between pcap, keylog_txt, or zip. |
| Limit Bytes | The maximum number of bytes to return. |
| Search Duration | The maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. |
| BPF | The Berkeley Packet Filter (BPF) syntax for packet search. |
| IP1 | Returns packets sent to or received by the specified IP address. |
| Port1 | Returns packets sent from or received on the specified port. |
| IP2 | Returns packets sent to or received by the specified IP address. |
| Port2 | Returns packets sent from or received on the specified port. |
The output of the Search Packet operation contains a non-dictionary value.
The Sample - ExtraHop - 1.0.0 playbook collection comes bundled with the ExtraHop connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ExtraHop connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
ExtraHop Reveal(x) network detection and response automatically discovers and classifies every transaction, session, device, and asset in your enterprise. ExtraHop helps organizations understand and secure their environments by analyzing all network interactions in real-time and leveraging machine learning to identify threats, deliver critical applications, and secure investments in the hybrid cloud.
This document provides information about the ExtraHop Connector, which facilitates automated interactions, with an ExtraHop server using FortiSOAR™ playbooks. Add the ExtraHop Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts from ExtraHop, querying log records in ExtraHop, updating watchlists in ExtraHop, etc.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-extrahop
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the ExtraHop connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Server URL of the ExtraHop Reveal(x) server to which you will connect and perform the automated operations. |
| API Key | API Key configured for your account for using the ExtraHop Reveal(x) APIs. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Alerts | Retrieves all alerts from ExtraHop. | get_alerts Investigation |
| Get Alert Details | Retrieve details of a specific alert from ExtraHop based on the alert ID you have specified. | get_alert_details Investigation |
| Create Alert | Creates a new alert in ExtraHop based on the name, severity, author, and other input parameters you have specified. | create_alert Investigation |
| Update Alert | Updates an existing alert in ExtraHop based on the alert ID, name, severity, and other input parameters you have specified. | update_alert Investigation |
| Query Records | Queries log records in ExtraHop based on the time frame and other input parameters you have specified. | query_records Investigation |
| Search Devices | Retrieves all devices from ExtraHop that match the search criteria you have specified. | search_devices Investigation |
| Get Watchlist | Retrieve all devices that are in the watchlist from ExtraHop. | get_watchlist Investigation |
| Update Watchlist | Adds or removes devices from the watchlist in ExtraHop based on the IP addresses or device IDs you have specified. | update_watchlist Miscellaneous |
| Update Detection | Updates a detection in ExtraHop based on the detection ID, ticket ID, assignee, and other input parameters you have specified. | update_detection Miscellaneous |
| Get Peers Devices | Retrieves all peers for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_peers_devices Investigation |
| Get Protocols | Retrieves all active network protocols for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_protocols Investigation |
| Tag Devices | Adds or removes a tag from devices in ExtraHop based on the IP addresses or device IDs you have specified. | tag_devices Investigation |
| Create Tag | Creates a new tag in ExtraHop based on the tag name you have specified. | tag_tag Investigation |
| Search Packet | Searches for packets by specifying parameters in a URL. | search_packet Investigation |
None.
The output contains the following populated JSON schema:
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
| Parameter | Description |
|---|---|
| Alert ID | The unique identifier for the alert whose details you want to retrieve from ExtraHop. |
The output contains the following populated JSON schema:
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
| Parameter | Description |
|---|---|
| Name | Specify the unique, friendly name for the alert that you want to create in ExtraHop. |
| Disabled | Select this checkbox to create the alert in the 'Disabled' state in ExtraHop. |
| Severity | Select the severity level of the alert that you want to create in ExtraHop. This severity level gets displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: Emergency, Alert, Critical, Error, Warning, Info, or Debug. |
| Author | Specify the name of the user who created the alert that you want to add in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to create in ExtraHop. You can choose between Threshold or Detection. If you choose Threshold, then you can specify the following parameters:
|
| CC | The list of email addresses, which have not been included in an email group, who should receive notifications for created alerts. |
| Description | Specify the description for the alert that you want to create in ExtraHop. |
| Refire Interval | Specify the time interval in which alert conditions are monitored. |
The output contains the following populated JSON schema:
{
"success": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique identifier for the alert that you want to update in ExtraHop. |
| Name | Specify the unique, friendly name for the alert that you want to update in ExtraHop. |
| Severity | Select the severity level of the alert that you want to update in ExtraHop. This severity level gets displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: Emergency, Alert, Critical, Error, Warning, Info, or Debug. |
| Author | Specify the name of the user who created the alert that you want to update in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to update in ExtraHop. You can choose between Threshold or Detection. If you choose Threshold, then you can specify the following parameters:
|
| CC | The list of email addresses, which have not been included in an email group, who should receive notifications for updated alerts. |
| Description | Specify the description for the alert that you want to update in ExtraHop. |
| Refire Interval | The time interval in which alert conditions are monitored. |
The output contains the following populated JSON schema:
{
"success": "",
"result": ""
}
| Parameter | Description |
|---|---|
| From | The starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value is interpreted relative to the current time; for example, specify -30m for 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Type | Specify a CSV list of one or more record formats based on which you want to query for search log records in ExtraHop. The query returns only those records that match the specified formats. If no value is specified, then the query returns records of any type. Valid values for this field are displayed in the Record Type field on the 'Record Formats' page. For example: "cifs" |
| Field | Specify the name of the field in the record based on which you want to filter the search log records in ExtraHop. The query compares the contents of the field parameter to the value of the operand parameter. |
| Operator | The logical operator to be applied when comparing the contents of the field parameter to the value of the operand parameter. |
| Operand | The value to be compared by the query. The query compares the contents of the field parameter to the value of the operand parameter. |
| Use Conditional Filters | Select this checkbox to use conditional filters, i.e., a list of one or more filter objects within a single filter object. Filter objects can be embedded recursively. Only "and", "or", or "not" operators are allowed for this parameter. If you select this checkbox, then you must specify the following parameters: |
| Limit | The maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say records starting from the 10th log record. By default, this is set as 0. |
| Sort | Select this checkbox if you want to sort records retrieved from ExtraHop. By default, records are sorted in descending order on the timestamp field. If you select this checkbox, then you must specify the following parameters: |
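As an added example (not code from the connector or from this document), the following Python assembles and validates a log-record search body using the relative-time syntax, the recursive and/or/not filter objects, and the limit/offset paging described above. The body key names ("types", "filter", "rules") and the overall layout are assumptions about the request shape, not taken from the page.

```python
import re

# Relative timestamp: leading minus, digits, optional suffix; default unit is ms.
_REL_RE = re.compile(r"^-\d+(ms|s|m|h|d|w|M|y)?$")
_COMPOUND_OPS = {"and", "or", "not"}   # only combinators allowed in nested filters
MAX_LIMIT = 10000                      # documented maximum page size


def validate_time(value):
    """Accept an absolute epoch-millisecond int, or a negative relative value
    such as -30m / -2h / -1800000, and return it unchanged for the request body."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if not _REL_RE.match(text):
        raise ValueError(f"bad time value {value!r}; expected e.g. -30m or epoch ms")
    return text


def validate_filter(f):
    """Recursively check a filter object. A leaf carries field/operator/operand;
    a compound node uses and/or/not and nests child filters under 'rules'
    (that key name is an assumption here, not taken from the connector page)."""
    op = f.get("operator")
    if op in _COMPOUND_OPS:
        rules = f.get("rules")
        if not isinstance(rules, list) or not rules:
            raise ValueError(f"compound filter {op!r} needs a non-empty 'rules' list")
        for child in rules:
            validate_filter(child)
        return f
    missing = [k for k in ("field", "operator", "operand") if k not in f]
    if missing:
        raise ValueError(f"leaf filter is missing {missing}")
    return f


def build_record_search(from_, until=0, types="", filter_=None, limit=100, offset=0):
    """Assemble a log-record search body from the parameters the page documents."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if offset < 0:
        raise ValueError("offset must be >= 0")
    body = {"from": validate_time(from_), "until": validate_time(until),
            "limit": limit, "offset": offset}
    type_list = [t.strip() for t in types.split(",") if t.strip()]  # CSV -> list
    if type_list:
        body["types"] = type_list
    if filter_ is not None:
        body["filter"] = validate_filter(filter_)
    return body


def paginate(body, search_fn):
    """Yield every record, advancing offset by limit until a short page arrives.
    search_fn stands in for the connector call and returns one page as a list."""
    offset = body["offset"]
    while True:
        page = search_fn(dict(body, offset=offset))
        yield from page
        if len(page) < body["limit"]:
            return
        offset += body["limit"]
```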
The output contains the following populated JSON schema:
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
| Parameter | Description |
|---|---|
| Active From | The starting timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Active Until | The ending timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value is interpreted relative to the current time; for example, specify -30m for 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Field | Specify the name of the field based on which you want to filter results returned by this operation. The search compares the contents of the field parameter to the value of the operand parameter. |
| Operator | The logical operator to be applied when comparing the contents of the field parameter to the value of the operand parameter. |
| Operand | The value that this search operation attempts to match. The query compares the value of the operand to the contents of the field parameter and applies the compare method specified by the operator parameter. |
| Use Conditional Filters | Select this checkbox to use conditional filters, i.e., a list of one or more filter objects within a single filter object. Filter objects can be embedded recursively. Only "and", "or", or "not" operators are allowed for this parameter. If you select this checkbox, then you must specify the following parameters: |
| Limit | The maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | Index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of results, say devices starting from the 10th device. By default, this is set as 0. |
The output contains the following populated JSON schema:
{
"activity": [],
"analysis": "",
"analysis_level": "",
"auto_role": "",
"cdp_name": "",
"cloud_account": "",
"cloud_instance_id": "",
"cloud_instance_name": "",
"cloud_instance_type": "",
"critical": "",
"custom_criticality": "",
"custom_name": "",
"custom_type": "",
"default_name": "",
"description": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"ipaddr6": "",
"is_l3": "",
"last_seen_time": "",
"macaddr": "",
"mod_time": "",
"model": "",
"netbios_name": "",
"node_id": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"subnet_id": "",
"user_mod_time": "",
"vendor": "",
"vlanid": "",
"vpc_id": ""
}
None.
The output contains the following populated JSON schema:
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"netbios_name": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"url": "",
"user_mod_time": "",
"vlanid": ""
}
| Parameter | Description |
|---|---|
| Action | Select the action that you want to perform on the watchlist in ExtraHop. Choose 'Add' to add devices to the watchlist or choose 'Remove' to remove the devices from the watchlist. |
| Based On | Select the input based on which you want to add or remove devices from the watchlist. You can choose between IP addresses or Device IDs. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Detection ID | The unique identifier for the detection that you want to update in ExtraHop. |
| Ticket ID | The ID of the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Assignee | The assignee of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Status | The status of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose from the following options: New, In Progress, Acknowledged, or Closed. |
| Resolution | The resolution of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose between Action Taken or No Action Taken. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve peers for the specified device from ExtraHop. You can choose between IP address or Device IDs. |
| From | (Optional) The starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value is interpreted relative to the current time; for example, specify -30m for 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Role | (Optional) The role of the peer device in relation to the origin device. You can choose from the following options: Any, Client, or Server. |
| Protocol | (Optional) The protocol over which the origin device is communicating, such as "HTTP". If no value is set, the object includes any protocol. |
The output contains the following populated JSON schema:
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"client_protocols": [],
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"server_protocols": [],
"url": "",
"user_mod_time": "",
"vendor": "",
"vlanid": ""
}
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve active network protocols for the specified device from ExtraHop. You can choose between IP address or Device IDs. |
| From | (Optional) The starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value is interpreted relative to the current time; for example, specify -30m for 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
The output contains the following populated JSON schema:
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"client_protocols": [],
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"server_protocols": [],
"url": "",
"user_mod_time": "",
"vendor": "",
"vlanid": ""
}
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to add or remove from the specified device. |
| Action | Select the action that you want to perform on the tags in ExtraHop. Choose 'Add' to add tags to the device or choose 'Remove' to remove the tags from the device. |
| Based On | Select the input based on which you want to add or remove tags from the device. You can choose between IP address or Device IDs. |
The output contains the following populated JSON schema:
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to create in ExtraHop. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| File Format | Select the file format for the searched packet, which can be downloaded into the FortiSOAR 'Attachment' module. You can choose between pcap, keylog_txt, or zip. |
| Limit Bytes | The maximum number of bytes to return. |
| Search Duration | The maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. |
| BPF | The Berkeley Packet Filter (BPF) syntax for packet search. |
| IP1 | Returns packets sent to or received by the specified IP address. |
| Port1 | Returns packets sent from or received on the specified port. |
| IP2 | Returns packets sent to or received by the specified IP address. |
| Port2 | Returns packets sent from or received on the specified port. |
The output contains a non-dictionary value.
The Sample - ExtraHop - 1.0.0 playbook collection comes bundled with the ExtraHop connector. These playbooks contain steps that you can use to perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ExtraHop connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.