ExtraHop Reveal(x) network detection and response automatically discovers and classifies every transaction, session, device, and asset in your enterprise. ExtraHop helps organizations understand and secure their environments by analyzing all network interactions in real-time and leveraging machine learning to identify threats, deliver critical applications, and secure investments in the hybrid cloud.
This document provides information about the ExtraHop Connector, which facilitates automated interactions with an ExtraHop server using FortiSOAR™ playbooks. Add the ExtraHop Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts from ExtraHop, querying log records in ExtraHop, updating watchlists in ExtraHop, etc.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 7.4.2-3279
ExtraHop Version Tested on: 9.4.2.1625
Authored By: Fortinet
Contributor: Parag Khatavkar
Certified: Yes
The following enhancements have been made to the ExtraHop Connector in version 2.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
```shell
yum install cyops-connector-extrahop
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the ExtraHop connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Server URL of the ExtraHop Reveal(x) server to which you will connect and perform the automated operations. |
| API Key | API Key configured for your account for using the ExtraHop Reveal(x) APIs. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks; you can also use the annotations to access the operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Alerts | Retrieves all alerts from ExtraHop. | get_alerts Investigation |
| Get Alert Details | Retrieves details of a specific alert from ExtraHop based on the alert ID you have specified. | get_alert_details Investigation |
| Create Alert | Creates a new alert in ExtraHop based on the name, severity, author, and other input parameters you have specified. | create_alert Investigation |
| Update Alert | Updates an existing alert in ExtraHop based on the alert ID, name, severity, and other input parameters you have specified. | update_alert Investigation |
| Query Records | Queries log records in ExtraHop based on the time frame and other input parameters you have specified. | query_records Investigation |
| Search Devices | Retrieves all devices from ExtraHop that match the search criteria you have specified. | search_devices Investigation |
| Get Watchlist | Retrieves all devices that are on the watchlist from ExtraHop. | get_watchlist Investigation |
| Update Watchlist | Adds or removes devices from the watchlist in ExtraHop based on the IP addresses or device IDs you have specified. | update_watchlist Miscellaneous |
| Update Detection | Updates a detection in ExtraHop based on the detection ID, ticket ID, assignee, and other input parameters you have specified. | update_detection Miscellaneous |
| Get Peers Devices | Retrieves all peers for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_peers_devices Investigation |
| Get Protocols | Retrieves all active network protocols for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_protocols Investigation |
| Tag Devices | Adds or removes a tag from devices in ExtraHop based on the IP addresses or device IDs you have specified. | tag_devices Investigation |
| Create Tag | Creates a new tag in ExtraHop based on the tag name you have specified. | create_tag Investigation |
| Search Packet | Searches for packets by specifying parameters in a URL. Input parameters include the starting timestamp, file format, etc., based on which packets are searched in ExtraHop. NOTE: On successful execution of this action, an attachment of the specified file format is created in FortiSOAR. | search_packet Investigation |
| Get Detections | Retrieves all detections from ExtraHop. | get_detections Investigation |
| Get Detection By ID | Retrieves a specific detection from ExtraHop based on the detection ID specified. | get_detection_by_id Investigation |
| Get Detection Formats | Retrieves all detection types from ExtraHop. | get_detection_format Investigation |
| Create New Detection Format | Creates a new detection format in ExtraHop based on the Type, Display Name, and other parameters specified. | create_new_detection_format Investigation |
| Delete Detection Format | Deletes a specific detection format from ExtraHop based on the detection ID specified. | delete_detection_format Investigation |
| Get Detection Hiding Rules | Retrieves all tuning rules from ExtraHop. | get_detection_rules_hiding Investigation |
| Update Detection Format | Updates a specific detection format in ExtraHop based on the detection format ID and other parameters specified. | update_detection_format Miscellaneous |
| Update Associated Ticket | Updates a ticket associated with detection in ExtraHop based on the ticket ID, assignee, status, and resolution specified. | update_associated_ticket Investigation |
| Search Detections | Retrieves detections that match the specified search criteria in ExtraHop. | search_detections Investigation |
Input parameters: None.
The output contains the following populated JSON schema:
```json
[
  {
    "apply_all": "",
    "author": "",
    "categories": [],
    "cc": [],
    "description": "",
    "disabled": "",
    "field_name": "",
    "field_name2": "",
    "field_op": "",
    "id": "",
    "interval_length": "",
    "mod_time": "",
    "name": "",
    "notify_snmp": "",
    "object_type": "",
    "operand": "",
    "operator": "",
    "param": {},
    "param2": {},
    "protocols": [],
    "refire_interval": "",
    "severity": "",
    "stat_name": "",
    "type": "",
    "units": ""
  }
]
```
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique identifier for the alert whose details you want to retrieve from ExtraHop. |
The output contains the following populated JSON schema:
```json
{
  "apply_all": "",
  "author": "",
  "categories": [],
  "cc": [],
  "description": "",
  "disabled": "",
  "field_name": "",
  "field_name2": "",
  "field_op": "",
  "id": "",
  "interval_length": "",
  "mod_time": "",
  "name": "",
  "notify_snmp": "",
  "object_type": "",
  "operand": "",
  "operator": "",
  "param": {},
  "param2": {},
  "protocols": [],
  "refire_interval": "",
  "severity": "",
  "stat_name": "",
  "type": "",
  "units": ""
}
```
| Parameter | Description |
|---|---|
| Name | Specify the unique, friendly name for the alert that you want to create in ExtraHop. |
| Disabled | Select this checkbox to create the alert in the Disabled state in ExtraHop. |
| Severity | Select the severity level of the alert that you want to create in ExtraHop. This severity level is displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: |
| Author | Specify the name of the user who created the alert that you want to add in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to create in ExtraHop. You can choose from the following options: |
| CC | Specify the list of email addresses that have not been included in an email group, and to which notifications of created alerts must be sent. |
| Description | (Optional) Specify the description for the alert that you want to create in ExtraHop. |
| Refire Interval | (Optional) Specify the time interval in which alert conditions are monitored. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "result": ""
}
```
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique identifier for the alert that you want to update in ExtraHop. |
| Name | Specify the unique, friendly name for the alert that you want to update in ExtraHop. |
| Severity | Select the severity level of the alert that you want to update in ExtraHop. This severity level is displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: |
| Author | Specify the name of the user who created the alert that you want to update in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to update in ExtraHop. You can choose from the following options: |
| CC | Specify the list of email addresses that have not been included in an email group, and to which notifications of updated alerts must be sent. |
| Description | Specify the description for the alert that you want to update in ExtraHop. |
| Refire Interval | Specify the time interval in which alert conditions are monitored. |
The output contains the following populated JSON schema:
```json
{
  "success": "",
  "result": ""
}
```
| Parameter | Description |
|---|---|
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Type | Specify a CSV list of one or more record formats to restrict the log record query in ExtraHop. The query returns only those records that match the specified formats. If no value is specified, the query returns records of any type. Valid values for this field are displayed in the Record Type field on the Record Formats page. For example: "cifs" |
| Filter | Select the type of filter based on which the query will search log records in ExtraHop. You can choose between Filter or Conditional Filter. |
| Limit | (Optional) Specify the maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say records starting from the 10th log record. By default, this is set to 0. |
| Sort | Select this checkbox if you want to sort records retrieved from ExtraHop. By default, records are sorted in descending order on the timestamp field. If you select this checkbox, then you must specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "apply_all": "",
  "author": "",
  "categories": [],
  "cc": [],
  "description": "",
  "disabled": "",
  "field_name": "",
  "field_name2": "",
  "field_op": "",
  "id": "",
  "interval_length": "",
  "mod_time": "",
  "name": "",
  "notify_snmp": "",
  "object_type": "",
  "operand": "",
  "operator": "",
  "param": {},
  "param2": {},
  "protocols": [],
  "refire_interval": "",
  "severity": "",
  "stat_name": "",
  "type": "",
  "units": ""
}
```
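The From/Until, Type, Limit and Offset inputs of Query Records map onto one records search request. The Python helper below is an added example, not the connector's own code: it parses the negative relative time syntax with its case-sensitive unit suffixes (m is minutes, M is months), applies the documented default and ceiling for Limit, and walks result pages by advancing Offset. The request-body field names (from, until, types, limit, offset, sort), the 30-day month and 365-day year used for the M and y suffixes, and the fetch_page callable are assumptions.

```python
import re
import time
from typing import Callable, Dict, Iterator, List, Optional, Union

# Unit suffixes from the From/Until parameter description. Matching is
# case-sensitive: "m" is minutes, "M" is months. Month and year lengths
# (30 and 365 days) are assumptions made here so an offset can be computed locally.
_UNIT_MS: Dict[str, int] = {
    "ms": 1,
    "s": 1_000,
    "m": 60_000,
    "h": 3_600_000,
    "d": 86_400_000,
    "w": 7 * 86_400_000,
    "M": 30 * 86_400_000,
    "y": 365 * 86_400_000,
}
_RELATIVE_RE = re.compile(r"^-(\d+)(ms|s|m|h|d|w|M|y)?$")

DEFAULT_LIMIT = 100   # documented default page size
MAX_LIMIT = 10_000    # documented maximum page size


def parse_time(value: Union[str, int], now_ms: int) -> int:
    """Return an absolute timestamp in milliseconds since the epoch.

    A non-negative integer is taken as-is. A negative value is relative to
    now_ms: the default unit is milliseconds and a suffix selects another
    unit, so "-30m" means 30 minutes before the request.
    """
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    match = _RELATIVE_RE.match(text)
    if match is None:
        raise ValueError(f"invalid ExtraHop time value: {value!r}")
    amount, unit = match.groups()
    return now_ms - int(amount) * _UNIT_MS[unit or "ms"]


def clamp_limit(limit: Optional[int]) -> int:
    """Apply the documented default (100) and ceiling (10000) for Limit."""
    if limit is None:
        return DEFAULT_LIMIT
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    return min(limit, MAX_LIMIT)


def build_records_query(from_: Union[str, int], until: Union[str, int, None] = None,
                        types: str = "", limit: Optional[int] = None, offset: int = 0,
                        now_ms: Optional[int] = None, sort_field: Optional[str] = None,
                        sort_direction: str = "desc") -> dict:
    """Build a records search body from the connector's Query Records inputs.

    The field names in the returned dict are an assumption about the API body.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    start = parse_time(from_, now_ms)
    query = {"from": start, "limit": clamp_limit(limit), "offset": max(int(offset or 0), 0)}
    if until is not None:
        end = parse_time(until, now_ms)
        if end < start:
            raise ValueError("until must not be earlier than from")
        query["until"] = end
    # Type is a CSV list of record formats, e.g. "cifs, http"; empty means any type.
    record_types = [t.strip() for t in types.split(",") if t.strip()]
    if record_types:
        query["types"] = record_types
    if sort_field:
        query["sort"] = [{"field": sort_field, "direction": sort_direction}]
    return query


def paginate(fetch_page: Callable[[dict], List[dict]], query: dict) -> Iterator[dict]:
    """Yield every record by re-issuing the query with Offset advanced by Limit.

    fetch_page is the caller's transport (hypothetical): it receives the body
    for one page and returns that page's list of records. A page shorter than
    Limit marks the end of the result set.
    """
    page_query = dict(query)
    while True:
        page = fetch_page(page_query)
        yield from page
        if len(page) < page_query["limit"]:
            return
        page_query["offset"] += page_query["limit"]


if __name__ == "__main__":
    # Constructed demo: a 30-minute window of cifs records walked with a fake transport.
    demo_records = [{"id": n, "type": "cifs"} for n in range(250)]

    def fake_fetch(body: dict) -> List[dict]:
        return demo_records[body["offset"]:body["offset"] + body["limit"]]

    q = build_records_query("-30m", types="cifs")
    print(q)
    print(sum(1 for _ in paginate(fake_fetch, q)))
```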
| Parameter | Description |
|---|---|
| Active From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Active Until | Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Filter | Select the type of filter based on which active devices will be retrieved from ExtraHop. You can choose between Filter or Conditional Filter. |
| Limit | (Optional) Specify the maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say records starting from the 10th record. By default, this is set to 0. |
The output contains the following populated JSON schema:
```json
{
  "activity": [],
  "analysis": "",
  "analysis_level": "",
  "auto_role": "",
  "cdp_name": "",
  "cloud_account": "",
  "cloud_instance_id": "",
  "cloud_instance_name": "",
  "cloud_instance_type": "",
  "critical": "",
  "custom_criticality": "",
  "custom_name": "",
  "custom_type": "",
  "default_name": "",
  "description": "",
  "device_class": "",
  "dhcp_name": "",
  "discover_time": "",
  "discovery_id": "",
  "display_name": "",
  "dns_name": "",
  "extrahop_id": "",
  "id": "",
  "ipaddr4": "",
  "ipaddr6": "",
  "is_l3": "",
  "last_seen_time": "",
  "macaddr": "",
  "mod_time": "",
  "model": "",
  "netbios_name": "",
  "node_id": "",
  "on_watchlist": "",
  "parent_id": "",
  "role": "",
  "subnet_id": "",
  "user_mod_time": "",
  "vendor": "",
  "vlanid": "",
  "vpc_id": ""
}
```
Input parameters: None.
The output contains the following populated JSON schema:
```json
[
  {
    "activity": [],
    "analysis": "",
    "analysis_level": "",
    "auto_role": "",
    "cdp_name": "",
    "cloud_account": "",
    "cloud_instance_description": "",
    "cloud_instance_id": "",
    "cloud_instance_name": "",
    "cloud_instance_type": "",
    "critical": "",
    "custom_criticality": "",
    "custom_make": "",
    "custom_model": "",
    "custom_name": "",
    "custom_type": "",
    "default_name": "",
    "description": "",
    "device_class": "",
    "dhcp_name": "",
    "discover_time": "",
    "discovery_id": "",
    "display_name": "",
    "dns_name": "",
    "extrahop_id": "",
    "id": "",
    "ipaddr4": "",
    "ipaddr6": "",
    "is_l3": "",
    "last_seen_time": "",
    "macaddr": "",
    "mod_time": "",
    "model": "",
    "model_override": "",
    "netbios_name": "",
    "node_id": "",
    "on_watchlist": "",
    "parent_id": "",
    "role": "",
    "subnet_id": "",
    "user_mod_time": "",
    "vendor": "",
    "vlanid": "",
    "vpc_id": ""
  }
]
```
| Parameter | Description |
|---|---|
| Action | Select the action that you want to perform on the watchlist in ExtraHop. Choose 'Add' to add devices to the watchlist or choose 'Remove' to remove the devices from the watchlist. |
| Based On | Select the input based on which you want to add or remove devices from the watchlist. You can choose between IP Addresses or Device IDs. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique identifier for the detection that you want to update in ExtraHop. |
| Ticket ID | Specify the ID of the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Assignee | Specify the assignee of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Status | Select the status of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose from the following options: New, In Progress, Acknowledged, or Closed. |
| Resolution | Select the resolution of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose between Action Taken or No Action Taken. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve peers for the specified device from ExtraHop. You can choose between IP Address or Device IDs. |
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Role | (Optional) Select the role of the peer device in relation to the origin device. You can choose from the following options: Any, Client, or Server. |
| Protocol | (Optional) Specify the protocol over which the origin device is communicating, such as "HTTP". If no value is set, the object includes any protocol. |
The output contains the following populated JSON schema:
```json
[
  {
    "analysis": "",
    "analysis_level": "",
    "auto_role": "",
    "client_protocols": [],
    "default_name": "",
    "device_class": "",
    "dhcp_name": "",
    "discover_time": "",
    "discovery_id": "",
    "display_name": "",
    "dns_name": "",
    "extrahop_id": "",
    "id": "",
    "ppaddr4": "",
    "is_l3": "",
    "macaddr": "",
    "mod_time": "",
    "on_watchlist": "",
    "parent_id": "",
    "role": "",
    "server_protocols": [],
    "url": "",
    "user_mod_time": "",
    "vendor": "",
    "vlanid": ""
  }
]
```
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve active network protocols for the specified device from ExtraHop. You can choose between IP Address or Device IDs. |
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
The output contains the following populated JSON schema:
```json
[
  {
    "analysis": "",
    "analysis_level": "",
    "auto_role": "",
    "client_protocols": [],
    "default_name": "",
    "device_class": "",
    "dhcp_name": "",
    "discover_time": "",
    "discovery_id": "",
    "display_name": "",
    "dns_name": "",
    "extrahop_id": "",
    "id": "",
    "ppaddr4": "",
    "is_l3": "",
    "macaddr": "",
    "mod_time": "",
    "on_watchlist": "",
    "parent_id": "",
    "role": "",
    "server_protocols": [],
    "url": "",
    "user_mod_time": "",
    "vendor": "",
    "vlanid": ""
  }
]
```
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to add or remove from the specified device. |
| Action | Select the action that you want to perform on the tags in ExtraHop. Choose 'Add' to add tags to the device or choose 'Remove' to remove the tags from the device. |
| Based On | Select the input based on which you want to add or remove tags from the device. You can choose between IP Address or Device IDs. |
The output contains the following populated JSON schema:
```json
{
  "apply_all": "",
  "author": "",
  "categories": [],
  "cc": [],
  "description": "",
  "disabled": "",
  "field_name": "",
  "field_name2": "",
  "field_op": "",
  "id": "",
  "interval_length": "",
  "mod_time": "",
  "name": "",
  "notify_snmp": "",
  "object_type": "",
  "operand": "",
  "operator": "",
  "param": {},
  "param2": {},
  "protocols": [],
  "refire_interval": "",
  "severity": "",
  "stat_name": "",
  "type": "",
  "units": ""
}
```
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to create in ExtraHop. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
| Parameter | Description |
|---|---|
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the packets are searched in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the packets are searched in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| File Format | (Optional) Select the file format for the searched packet, which can be downloaded into the FortiSOAR 'Attachment' module. You can choose between pcap, pcapng, keylog_txt, or zip. |
| Limit Bytes | (Optional) Specify the maximum number of bytes to return. |
| Search Duration | (Optional) Specify the maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. |
| BPF | (Optional) Specify the Berkeley Packet Filter (BPF) syntax for packet search. |
| IP1 | (Optional) Specify the IP address whose sent or received packets will be returned by this operation. |
| Port1 | (Optional) Specify the Port whose sent or received packets will be returned by this operation. |
| IP2 | (Optional) Specify the IP address whose sent or received packets will be returned by this operation. |
| Port2 | (Optional) Specify the Port whose sent or received packets will be returned by this operation. |
The output contains a non-dictionary value.
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "appliance_id": "",
  "assignee": "",
  "categories": [
    ""
  ],
  "description": "",
  "end_time": "",
  "id": "",
  "is_user_created": "",
  "mitre_tactics": [],
  "mitre_techniques": [],
  "mod_time": "",
  "participants": [],
  "properties": "",
  "resolution": "",
  "risk_score": "",
  "start_time": "",
  "status": "",
  "ticket_id": "",
  "ticket_url": "",
  "title": "",
  "type": "",
  "update_time": ""
}
```
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique identifier for the detection you want to retrieve from ExtraHop. |
The output contains the following populated JSON schema:
```json
{
  "appliance_id": "",
  "assignee": "",
  "categories": [],
  "description": "",
  "end_time": "",
  "id": "",
  "is_user_created": "",
  "mitre_tactics": [],
  "mitre_techniques": [],
  "mod_time": "",
  "participants": [],
  "properties": "",
  "resolution": "",
  "risk_score": "",
  "start_time": "",
  "status": "",
  "ticket_id": "",
  "ticket_url": "",
  "title": "",
  "type": "",
  "update_time": ""
}
```
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "author": "",
  "categories": [],
  "display_name": "",
  "is_user_created": "",
  "mitre_categories": [],
  "properties": "",
  "type": ""
}
```
| Parameter | Description |
|---|---|
| Type | Specify the string identifier for the detection type you want to create in ExtraHop. The string can only contain letters, numbers, and underscores. Detection types are unique across built-in formats and unique across custom formats, but a built-in format and a custom format can share the same detection type. |
| Display Name | Specify the display name of the detection type that appears on the 'Detections' page in the ExtraHop system. |
| Author | (Optional) Specify the author of the detection format you want to create in ExtraHop. |
| Categories | (Optional) Specify the list of categories to which the detection you want to create in ExtraHop belongs. Keep the following in mind: |
| Mitre Categories | (Optional) Specify the IDs of the MITRE techniques associated with the detection you want to create in ExtraHop. |
The output contains the following populated JSON schema:
```json
{
  "author": "",
  "categories": [],
  "display_name": "",
  "is_user_created": "",
  "mitre_categories": [],
  "properties": "",
  "type": ""
}
```
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique string identifier for the detection you want to delete from ExtraHop. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
Input parameters: None.
The output contains the following populated JSON schema:
```json
{
  "author": "",
  "create_time": "",
  "description": "",
  "detection_type": "",
  "detections_hidden": "",
  "enabled": "",
  "expiration": "",
  "hide_past_detections": "",
  "id": "",
  "offender": "",
  "participants_hidden": "",
  "properties": [],
  "victim": ""
}
```
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique string identifier for the detection format you want to update in ExtraHop. |
| Display Name | Specify the display name of the detection type that appears on the 'Detections' page in the ExtraHop system. |
| Author | (Optional) Specify the author of the detection format you want to update in ExtraHop. |
| Categories | (Optional) Specify the list of categories to which the detection you want to update in ExtraHop belongs. Keep the following in mind: |
| Mitre Categories | (Optional) Specify the IDs of the MITRE techniques associated with the detection you want to update in ExtraHop. |
| Type | (Optional) Specify the string identifier for the detection type you want to update in ExtraHop. The string can only contain letters, numbers, and underscores. Detection types are unique across built-in formats and unique across custom formats, but a built-in format and a custom format can share the same detection type. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
| Parameter | Description |
|---|---|
| Ticket ID | Specify the ID of the ticket associated with the detection you want to update in ExtraHop. |
| Assignee | Specify the assignee of the ticket associated with the detection you want to update in ExtraHop. |
| Status | Select the status of the ticket associated with the detection you want to update in ExtraHop. You can choose from the following options: New, In Progress, Acknowledged, or Closed. |
| Resolution | Select the resolution of the ticket associated with the detection you want to update in ExtraHop. You can choose between Action Taken or No Action Taken. |
The output contains the following populated JSON schema:
```json
{
  "author": "",
  "categories": [],
  "display_name": "",
  "is_user_created": "",
  "mitre_categories": [],
  "properties": "",
  "type": ""
}
```
| Parameter | Description |
|---|---|
| Categories | Specify a list of one or more detection categories that you want to retrieve from ExtraHop. |
| Assignee | Specify a list of one or more assignee of the detection to retrieve from ExtraHop. Specify .none to search for unassigned detections or specify .me to search for detections assigned to the authenticated user. |
| Ticket ID | Specify a list of one or more ID of the ticket that is associated with the detection to retrieve from ExtraHop. |
| Status | Select one or more detection status to retrieve from ExtraHop. You can select from the following options:
|
| Resolution | Select one or more detection resolution to retrieve from ExtraHop. You can select from the following options:
|
| Types | Specify the list of one or more type of the detection to retrieve from ExtraHop. |
| Min Risk Score | Specify the risk score of detection to retrieve detections with risk scores greater than or equal to the specified value. |
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search detections in ExtraHop. Detections that started before the specified date are returned if the detection was ongoing at that time. |
| Limit | Specify the maximum number of results, per page, that this operation should return. |
| Offset | Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say detections starting from the 10th record. By default, this is set to 0. |
| Sort | Select this checkbox if you want to sort records retrieved from ExtraHop. By default, records are sorted in descending order on the timestamp field. If you select this checkbox, then you must specify the following parameters: |
| Until | Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search detections in ExtraHop. |
| Update Time | Returns detections related to events that occurred after the specified date, expressed in milliseconds since the epoch. Note that ExtraHop Machine Learning Services analyze historical data to generate detections, and so there is a time delay between when the events that cause those detections occur and when the detections are generated. If you search for detections in the same update_time window multiple times, the later search might return detections that were not returned by the earlier search. |
| Mod Time | Returns detections that were updated after the specified date, expressed in milliseconds since the epoch. |
| ID Only | (Optional) Select this checkbox if you want to retrieve only the IDs of the detections. By default, this is set to false. |
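The following is an added example, not code from the connector or from ExtraHop, of how a playbook-side script could combine the Search Detections parameters above: it builds the search request, pages with Limit and Offset, and polls with an Update Time watermark plus an overlap and de-duplication by detection ID to cope with the delayed generation of detections that the Update Time description warns about. The request-body field names are an assumption drawn from the ExtraHop REST API's detection search endpoint, not a documented connector mapping; the in-memory search backend and its detections are constructed for the example.

```python
"""Poll ExtraHop detections with an update_time watermark and offset paging.

Added example, not connector or ExtraHop code. It assumes the request-body
shape of the ExtraHop REST API's POST /detections/search (filter, from, until,
update_time, mod_time, limit, offset, sort); the connector's own parameter
mapping is not shown on this page. `make_search` is an in-memory stand-in for
the HTTP call over constructed sample data.
"""
from typing import Callable, Dict, Iterator, List, Optional

Detection = Dict[str, object]
BASE = 1_700_000_000_000  # constructed epoch-ms anchor for the sample data

SAMPLE_DETECTIONS: List[Detection] = [  # constructed, not real ExtraHop output
    {"id": 101, "update_time": BASE + 1000, "risk_score": 70, "assignee": None},
    {"id": 102, "update_time": BASE + 2000, "risk_score": 30, "assignee": "alice"},
    {"id": 103, "update_time": BASE + 3000, "risk_score": 90, "assignee": None},
    {"id": 104, "update_time": BASE + 4000, "risk_score": 55, "assignee": "bob"},
    {"id": 105, "update_time": BASE + 5000, "risk_score": 80, "assignee": None},
]


def build_search_body(categories=None, assignee=None, ticket_id=None, status=None,
                      resolution=None, types=None, min_risk_score=None, from_ms=None,
                      until_ms=None, update_time=None, mod_time=None,
                      limit=100, offset=0, sort=None) -> dict:
    """Assemble the search body; only supplied filters are sent.

    The special assignee values `.none` (unassigned) and `.me` (the
    authenticated user) are passed through as the page documents them.
    """
    filt = {}
    for key, val in (("categories", categories), ("assignee", assignee),
                     ("ticket_id", ticket_id), ("status", status),
                     ("resolution", resolution), ("types", types)):
        if val:
            filt[key] = list(val)
    if min_risk_score is not None:
        filt["risk_score_min"] = min_risk_score
    body = {"filter": filt, "limit": limit, "offset": offset}
    for key, val in (("from", from_ms), ("until", until_ms), ("sort", sort),
                     ("update_time", update_time), ("mod_time", mod_time)):
        if val is not None:
            body[key] = val
    return body


def page_through(search: Callable[[dict], List[Detection]], body: dict) -> Iterator[Detection]:
    """Yield every match, advancing offset by limit until a short page comes back."""
    limit, offset = body["limit"], body.get("offset", 0)
    while True:
        page = search({**body, "offset": offset})
        yield from page
        if len(page) < limit:
            return
        offset += limit


class DetectionPoller:
    """Incremental polling that tolerates late-generated detections.

    The page notes that detections are generated some time after the events
    they describe, so a later search over the same update_time window can
    return detections an earlier one missed. The poller therefore re-queries
    from (last poll time - overlap) and de-duplicates by detection id.
    """

    def __init__(self, search, overlap_ms: int = 5 * 60 * 1000, limit: int = 100):
        self.search, self.overlap_ms, self.limit = search, overlap_ms, limit
        self.last_poll_ms: Optional[int] = None
        self.seen: set = set()

    def poll(self, now_ms: int, **filters) -> List[Detection]:
        since = None if self.last_poll_ms is None else self.last_poll_ms - self.overlap_ms
        body = build_search_body(update_time=since, limit=self.limit, **filters)
        fresh = []
        for det in page_through(self.search, body):
            if det["id"] not in self.seen:
                self.seen.add(det["id"])
                fresh.append(det)
        self.last_poll_ms = now_ms
        return fresh


def make_search(rows: List[Detection]) -> Callable[[dict], List[Detection]]:
    """In-memory stand-in for POST /detections/search (honours update_time,
    risk_score_min, assignee including `.none`, limit and offset)."""
    def search(body: dict) -> List[Detection]:
        filt, out = body.get("filter", {}), rows
        if "update_time" in body:
            out = [d for d in out if d["update_time"] > body["update_time"]]
        if "risk_score_min" in filt:
            out = [d for d in out if d["risk_score"] >= filt["risk_score_min"]]
        if "assignee" in filt:
            want = filt["assignee"]
            out = [d for d in out if d["assignee"] in want or (d["assignee"] is None and ".none" in want)]
        start = body.get("offset", 0)
        return out[start:start + body["limit"]]
    return search


def demo() -> tuple:
    """Two polls over the sample data; returns the ids each poll reported as new."""
    rows = list(SAMPLE_DETECTIONS)
    poller = DetectionPoller(make_search(rows), limit=2)
    first = [d["id"] for d in poller.poll(BASE + 10_000, min_risk_score=50)]
    # A detection generated late: it appears after the first poll, stamped
    # with an update_time that is still earlier than that poll's timestamp.
    rows.append({"id": 106, "update_time": BASE + 8000, "risk_score": 60, "assignee": None})
    second = [d["id"] for d in poller.poll(BASE + 20_000, min_risk_score=50)]
    return first, second
```

Running `demo()` shows the point of the overlap: the second poll re-queries a window that the first poll already covered, and the late detection 106 is the only one reported as new because the earlier IDs are filtered by the `seen` set. In a real playbook the `seen` set and `last_poll_ms` would be persisted between runs.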
The output contains the following populated JSON schema:
{
"appliance_id": "",
"assignee": "",
"categories": [],
"description": "",
"id": "",
"is_user_created": "",
"mitre_tactics": [],
"mitre_techniques": [],
"mod_time": "",
"participants": [],
"properties": "",
"resolution": "",
"risk_score": "",
"start_time": "",
"status": "",
"ticket_id": "",
"title": "",
"type": "",
"update_time": ""
}
The Sample - ExtraHop - 2.1.0 playbook collection comes bundled with the ExtraHop connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ExtraHop connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets overwritten during the connector upgrade and gets deleted during connector uninstall.
| Function | Description | Annotation and Category |
|---|---|---|
| Get Alerts | Retrieves all alerts from ExtraHop. | get_alerts Investigation |
| Get Alert Details | Retrieves details of a specific alert from ExtraHop based on the alert ID you have specified. | get_alert_details Investigation |
| Create Alert | Creates a new alert in ExtraHop based on the name, severity, author, and other input parameters you have specified. | create_alert Investigation |
| Update Alert | Updates an existing alert in ExtraHop based on the alert ID, name, severity, and other input parameters you have specified. | update_alert Investigation |
| Query Records | Queries log records in ExtraHop based on the time frame and other input parameters you have specified. | query_records Investigation |
| Search Devices | Retrieves all devices from ExtraHop that match the search criteria you have specified. | search_devices Investigation |
| Get Watchlist | Retrieves all devices that are on the watchlist from ExtraHop. | get_watchlist Investigation |
| Update Watchlist | Adds or removes devices from the watchlist in ExtraHop based on the IP addresses or device IDs you have specified. | update_watchlist Miscellaneous |
| Update Detection | Updates a detection in ExtraHop based on the detection ID, ticket ID, assignee, and other input parameters you have specified. | update_detection Miscellaneous |
| Get Peers Devices | Retrieves all peers for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_peers_devices Investigation |
| Get Protocols | Retrieves all active network protocols for a device from ExtraHop based on the device ID or IP address and other input parameters you have specified. | get_protocols Investigation |
| Tag Devices | Adds or removes a tag from devices in ExtraHop based on the IP addresses or device IDs you have specified. | tag_devices Investigation |
| Create Tag | Creates a new tag in ExtraHop based on the tag name you have specified. | create_tag Investigation |
| Search Packet | Searches for packets by specifying parameters in a URL. Input parameters include the starting timestamp, file format, etc., based on which packets are searched in ExtraHop. NOTE: On successful execution of this action, an attachment of the specified file format is created in FortiSOAR. | search_packet Investigation |
| Get Detections | Retrieves all detections from ExtraHop. | get_detections Investigation |
| Get Detection By ID | Retrieves a specific detection from ExtraHop based on the detection ID specified. | get_detection_by_id Investigation |
| Get Detection Formats | Retrieves all detection types from ExtraHop. | get_detection_format Investigation |
| Create New Detection Format | Creates a new detection format in ExtraHop based on the Type, Display Name, and other parameters specified. | create_new_detection_format Investigation |
| Delete Detection Format | Deletes a specific detection format from ExtraHop based on the detection ID specified. | delete_detection_format Investigation |
| Get Detection Hiding Rules | Retrieves all tuning rules from ExtraHop. | get_detection_rules_hiding Investigation |
| Update Detection Format | Updates a specific detection format in ExtraHop based on the detection format ID and other parameters specified. | update_detection_format Miscellaneous |
| Update Associated Ticket | Updates a ticket associated with detection in ExtraHop based on the ticket ID, assignee, status, and resolution specified. | update_associated_ticket Investigation |
| Search Detections | Retrieves detections that match the specified search criteria in ExtraHop. | search_detections Investigation |
None.
The output contains the following populated JSON schema:
[
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
]
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique identifier for the alert whose details you want to retrieve from ExtraHop. |
The output contains the following populated JSON schema:
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
| Parameter | Description |
|---|---|
| Name | Specify the unique, friendly name for the alert that you want to create in ExtraHop. |
| Disabled | Select this checkbox to create the alert in the Disabled state in ExtraHop. |
| Severity | Select the severity level of the alert that you want to create in ExtraHop. This severity level gets displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: |
| Author | Specify the name of the user who created the alert that you want to add in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to create in ExtraHop. You can choose from the following options: |
| CC | Specify the list of email addresses that have not been included in an email group, and to which notifications of created alerts must be sent. |
| Description | (Optional) Specify the description for the alert that you want to create in ExtraHop. |
| Refire Interval | (Optional) Specify the time interval in which alert conditions are monitored. |
The output contains the following populated JSON schema:
{
"success": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the unique identifier for the alert that you want to update in ExtraHop. |
| Name | Specify the unique, friendly name for the alert that you want to update in ExtraHop. |
| Severity | Select the severity level of the alert that you want to update in ExtraHop. This severity level is displayed in the alert history, email notifications, and SNMP traps. You can choose from the following options: |
| Author | Specify the name of the user who created the alert that you want to update in ExtraHop. |
| Apply All | Select this checkbox to assign the created alert to all available data sources. |
| Notify SNMP | Select this checkbox to send an SNMP trap when this alert is generated. |
| Type | Select the type of alert you want to update in ExtraHop. You can choose from the following options: |
| CC | Specify the list of email addresses that have not been included in an email group, and to which notifications of updated alerts must be sent. |
| Description | Specify the description for the alert that you want to update in ExtraHop. |
| Refire Interval | Specify the time interval in which alert conditions are monitored. |
The output contains the following populated JSON schema:
{
"success": "",
"result": ""
}
| Parameter | Description |
|---|---|
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search log records in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Type | Specify a CSV list of one or more record formats based on which you want to query for search log records in ExtraHop. The query returns only those records that match the specified formats. If no value is specified, then the query returns records of any type. Valid values for this field are displayed in the Record Type field on the Record Formats page. For example: "cifs" |
| Filter | Select the type of filter based on which the query will search log records in ExtraHop. You can choose between Filter or Conditional Filter. |
| Limit | (Optional) Specify the maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say records starting from the 10th log record. By default, this is set to 0. |
| Sort | Select this checkbox if you want to sort records retrieved from ExtraHop. By default, records are sorted in descending order on the timestamp field. If you select this checkbox, then you must specify the following parameters: |
The output contains the following populated JSON schema:
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
| Parameter | Description |
|---|---|
| Active From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Active Until | Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which active devices will be retrieved from ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Filter | Select the type of filter based on which active devices will be retrieved from ExtraHop. You can choose between Filter or Conditional Filter. |
| Limit | (Optional) Specify the maximum number of results, per page, that this operation should return. By default, this is set to 100 and the maximum value that can be set is 10000. |
| Offset | (Optional) Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of devices, say devices starting from the 10th device. By default, this is set to 0. |
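The table above only says that Search Devices takes a Filter or a Conditional Filter. The following added example, which is not connector or ExtraHop code, evaluates such filters locally over constructed device records so a playbook author can check what a filter selects before sending it. It assumes the filter shapes used by the ExtraHop REST API's device search endpoint (a simple rule with field, operator and operand, and a conditional with an and/or operator over a list of rules), supports only the operators =, !=, ~, !~, startswith, exists and not_exists, and reads the Active From/Active Until window as "seen at or after Active From and discovered at or before Active Until"; all of these are the example's own assumptions.

```python
"""Apply a Search Devices filter to device records locally.

Added example, not connector or ExtraHop code. It assumes the filter shapes
of the ExtraHop REST API's POST /devices/search: a simple rule
{"field", "operator", "operand"} and a conditional
{"operator": "and"|"or", "rules": [...]}. The device records are constructed
and carry only the fields from the output schema that the filters touch.
"""
from typing import Any, Dict, List, Optional

Device = Dict[str, Any]
BASE = 1_700_000_000_000  # constructed epoch-ms anchor

# How a filter field maps onto device-record keys (this example's own mapping).
FIELD_KEYS = {
    "ipaddr": ["ipaddr4", "ipaddr6"],
    "name": ["display_name", "custom_name", "dns_name", "default_name"],
}

SAMPLE_DEVICES: List[Device] = [  # constructed, not a real inventory
    {"id": 1, "display_name": "web-01", "dns_name": "web-01.corp.example", "ipaddr4": "10.0.0.5",
     "ipaddr6": None, "vendor": "Dell", "role": "http_server", "on_watchlist": False,
     "discover_time": BASE, "last_seen_time": BASE + 9_000},
    {"id": 2, "display_name": "db-01", "dns_name": None, "ipaddr4": "10.0.0.20",
     "ipaddr6": None, "vendor": "HP", "role": "db_server", "on_watchlist": True,
     "discover_time": BASE, "last_seen_time": BASE + 9_000},
    {"id": 3, "display_name": "laptop-7", "dns_name": None, "ipaddr4": "10.1.2.3",
     "ipaddr6": None, "vendor": "Apple", "role": "other", "on_watchlist": False,
     "discover_time": BASE - 500_000, "last_seen_time": BASE - 100_000},
]


def _values(device: Device, field: str) -> List[Any]:
    """Collect the non-empty record values a filter field refers to."""
    return [device.get(k) for k in FIELD_KEYS.get(field, [field]) if device.get(k) is not None]


def _rule_matches(device: Device, rule: Dict[str, Any]) -> bool:
    op, operand = rule["operator"], rule.get("operand")
    vals = _values(device, rule["field"])
    if op == "exists":
        return bool(vals)
    if op == "not_exists":
        return not vals
    if op == "=":
        return operand in vals
    if op == "!=":
        return operand not in vals
    text = [str(v) for v in vals]
    if op == "~":
        return any(str(operand) in v for v in text)
    if op == "!~":
        return not any(str(operand) in v for v in text)
    if op == "startswith":
        return any(v.startswith(str(operand)) for v in text)
    raise ValueError(f"unsupported operator: {op!r}")


def matches(device: Device, filt: Dict[str, Any]) -> bool:
    """Evaluate a simple rule or a (possibly nested) and/or conditional filter."""
    if "rules" in filt:  # conditional filter
        results = (matches(device, r) for r in filt["rules"])
        return all(results) if filt["operator"] == "and" else any(results)
    return _rule_matches(device, filt)  # simple filter


def search_devices(devices: List[Device], filt: Optional[Dict[str, Any]] = None,
                   active_from: Optional[int] = None, active_until: Optional[int] = None) -> List[int]:
    """Return the ids of devices that match the filter and the activity window.

    A device counts as active if it was seen at or after active_from and was
    discovered at or before active_until (this example's reading of the window).
    """
    out = []
    for d in devices:
        if active_from is not None and d["last_seen_time"] < active_from:
            continue
        if active_until is not None and d["discover_time"] > active_until:
            continue
        if filt is None or matches(d, filt):
            out.append(d["id"])
    return out
```

The conditional form composes arbitrarily: a rule list can itself contain another conditional, so "on the watchlist and (vendor = Apple or role = db_server)" is expressed by nesting one conditional inside another. Unsupported operators raise rather than silently matching nothing, which is the failure mode to avoid when a filter is meant to gate an enrichment or containment step.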
The output contains the following populated JSON schema:
{
"activity": [],
"analysis": "",
"analysis_level": "",
"auto_role": "",
"cdp_name": "",
"cloud_account": "",
"cloud_instance_id": "",
"cloud_instance_name": "",
"cloud_instance_type": "",
"critical": "",
"custom_criticality": "",
"custom_name": "",
"custom_type": "",
"default_name": "",
"description": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"ipaddr6": "",
"is_l3": "",
"last_seen_time": "",
"macaddr": "",
"mod_time": "",
"model": "",
"netbios_name": "",
"node_id": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"subnet_id": "",
"user_mod_time": "",
"vendor": "",
"vlanid": "",
"vpc_id": ""
}
None.
The output contains the following populated JSON schema:
[
{
"activity": [],
"analysis": "",
"analysis_level": "",
"auto_role": "",
"cdp_name": "",
"cloud_account": "",
"cloud_instance_description": "",
"cloud_instance_id": "",
"cloud_instance_name": "",
"cloud_instance_type": "",
"critical": "",
"custom_criticality": "",
"custom_make": "",
"custom_model": "",
"custom_name": "",
"custom_type": "",
"default_name": "",
"description": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"ipaddr6": "",
"is_l3": "",
"last_seen_time": "",
"macaddr": "",
"mod_time": "",
"model": "",
"model_override": "",
"netbios_name": "",
"node_id": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"subnet_id": "",
"user_mod_time": "",
"vendor": "",
"vlanid": "",
"vpc_id": ""
}
]
| Parameter | Description |
|---|---|
| Action | Select the action that you want to perform on the watchlist in ExtraHop. Choose 'Add' to add devices to the watchlist or choose 'Remove' to remove the devices from the watchlist. |
| Based On | Select the input based on which you want to add or remove devices from the watchlist. You can choose between IP addresses or Device IDs. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique identifier for the detection that you want to update in ExtraHop. |
| Ticket ID | Specify the ID of the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Assignee | Specify the assignee of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. |
| Status | Select the status of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose from the following options: New, In Progress, Acknowledged, or Closed. |
| Resolution | Select the resolution of the detection or the ticket that is associated with the detection, which you want to update in ExtraHop. You can choose between Action Taken or No Action Taken. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve peers for the specified device from ExtraHop. You can choose between IP addresses or Device IDs. |
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search peer devices in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Role | (Optional) Select the role of the peer device in relation to the origin device. You can choose from the following options: Any, Client, or Server. |
| Protocol | (Optional) Specify the protocol over which the origin device is communicating, such as "HTTP". If no value is set, the object includes any protocol. |
The output contains the following populated JSON schema:
[
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"client_protocols": [],
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"server_protocols": [],
"url": "",
"user_mod_time": "",
"vendor": "",
"vlanid": ""
}
]
| Parameter | Description |
|---|---|
| Based On | Select the input based on which you want to retrieve active network protocols for the specified device from ExtraHop. You can choose between IP addresses or Device IDs. |
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search active protocols in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
The output contains the following populated JSON schema:
[
{
"analysis": "",
"analysis_level": "",
"auto_role": "",
"client_protocols": [],
"default_name": "",
"device_class": "",
"dhcp_name": "",
"discover_time": "",
"discovery_id": "",
"display_name": "",
"dns_name": "",
"extrahop_id": "",
"id": "",
"ipaddr4": "",
"is_l3": "",
"macaddr": "",
"mod_time": "",
"on_watchlist": "",
"parent_id": "",
"role": "",
"server_protocols": [],
"url": "",
"user_mod_time": "",
"vendor": "",
"vlanid": ""
}
]
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to add or remove from the specified device. |
| Action | Select the action that you want to perform on the tags in ExtraHop. Choose 'Add' to add tags to the device or choose 'Remove' to remove the tags from the device. |
| Based On | Select the input based on which you want to add or remove tags from the device. You can choose between IP addresses or Device IDs. |
The output contains the following populated JSON schema:
{
"apply_all": "",
"author": "",
"categories": [],
"cc": [],
"description": "",
"disabled": "",
"field_name": "",
"field_name2": "",
"field_op": "",
"id": "",
"interval_length": "",
"mod_time": "",
"name": "",
"notify_snmp": "",
"object_type": "",
"operand": "",
"operator": "",
"param": {},
"param2": {},
"protocols": [],
"refire_interval": "",
"severity": "",
"stat_name": "",
"type": "",
"units": ""
}
| Parameter | Description |
|---|---|
| Tag Name | Specify the name of the tag that you want to create in ExtraHop. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the packets are searched in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| Until | (Optional) The ending timestamp of the time range expressed in milliseconds since the epoch, based on which the packets are searched in ExtraHop. A negative value specifies that the search will begin with records created at a time in the past relative to the current time. For example, specify -30m to begin the search with records created 30 minutes before the time of the request. The default unit for a negative value is milliseconds, but other units can be specified with one of the following unit suffixes: ms, s, m, h, d, w, M, y. For details on supported time units and suffixes, see https://docs.extrahop.com/current/rest-api-guide/#supported-time-units-. |
| File Format | (Optional) Select the file format for the searched packet, which can be downloaded into the FortiSOAR 'Attachment' module. You can choose between pcap, pcapng, keylog_txt, or zip. |
| Limit Bytes | (Optional) Specify the maximum number of bytes to return. |
| Search Duration | (Optional) Specify the maximum amount of time to run the packet search. The default unit is milliseconds, but other units can be specified with a unit suffix. |
| BPF | (Optional) Specify the Berkeley Packet Filter (BPF) syntax for packet search. |
| IP1 | (Optional) Specify the IP address whose sent or received packets will be returned by this operation. |
| Port1 | (Optional) Specify the Port whose sent or received packets will be returned by this operation. |
| IP2 | (Optional) Specify the IP address whose sent or received packets will be returned by this operation. |
| Port2 | (Optional) Specify the Port whose sent or received packets will be returned by this operation. |
The output contains a non-dictionary value.
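The From/Until parameters of Query Records, Get Peers Devices, Get Protocols and Search Packet, and the Active From/Active Until parameters of Search Devices, all accept either an absolute timestamp in milliseconds since the epoch or a negative value relative to the request time with an optional unit suffix (ms, s, m, h, d, w, M, y). The following added example, which is not connector or ExtraHop code, resolves both forms to absolute milliseconds and validates the pair as a window, which is useful when a playbook computes the bounds itself or needs to log the exact range it queried. The 30-day month and 365-day year are the example's own assumption; the REST API guide linked in the tables is the reference for the exact unit definitions.

```python
"""Resolve the connector's time-range inputs to milliseconds since the epoch.

Added example, not connector or ExtraHop code. The page states that these
parameters take either an absolute value in milliseconds since the epoch or a
negative value relative to the time of the request, with an optional unit
suffix from ms, s, m, h, d, w, M, y (default ms). The month and year lengths
used here (30 and 365 days) are this example's own assumption.
"""
import re
import time
from typing import Optional, Tuple, Union

UNIT_MS = {
    "ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000,
    "w": 7 * 86_400_000, "M": 30 * 86_400_000, "y": 365 * 86_400_000,
}
_TIME_RE = re.compile(r"^(-?\d+)(ms|s|m|h|d|w|M|y)?$")  # case matters: m = minute, M = month


def to_epoch_ms(value: Union[int, str], now_ms: Optional[int] = None) -> int:
    """Return an absolute epoch-ms timestamp for an absolute or relative value.

    Non-negative values are absolute milliseconds; negative ones are offsets
    from `now_ms` (defaults to the current clock). A unit suffix is accepted
    only on relative values, matching the page's description.
    """
    now = int(time.time() * 1000) if now_ms is None else now_ms
    if isinstance(value, int):
        return value if value >= 0 else now + value
    match = _TIME_RE.match(value.strip())
    if not match:
        raise ValueError(f"unrecognised time value: {value!r}")
    amount, unit = int(match.group(1)), match.group(2)
    if amount >= 0:
        if unit is not None:
            raise ValueError("unit suffixes apply only to negative (relative) values")
        return amount
    return now + amount * UNIT_MS[unit or "ms"]


def time_window(from_value: Union[int, str], until_value: Union[int, str, None] = None,
                now_ms: Optional[int] = None) -> Tuple[int, int]:
    """Resolve From/Until together and reject an inverted window.

    Until defaults to the request time when omitted. Both values are resolved
    against the same `now` so that a pair like From=-1h, Until=-30m stays
    consistent, and a swapped pair (From=-30m, Until=-1h) is rejected instead
    of silently matching nothing.
    """
    now = int(time.time() * 1000) if now_ms is None else now_ms
    start = to_epoch_ms(from_value, now)
    end = now if until_value is None else to_epoch_ms(until_value, now)
    if end < start:
        raise ValueError(f"Until ({end}) is earlier than From ({start})")
    return start, end


def window_is_valid(from_value, until_value=None, now_ms=None) -> bool:
    """True when time_window accepts the pair, False when it rejects it."""
    try:
        time_window(from_value, until_value, now_ms)
        return True
    except ValueError:
        return False
```

Note that the suffixes are case-sensitive: `-2m` is two minutes back while `-2M` is two months back, which is an easy slip when a window is typed into a playbook variable.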
None.
The output contains the following populated JSON schema:
{
"appliance_id": "",
"assignee": "",
"categories": [
""
],
"description": "",
"end_time": "",
"id": "",
"is_user_created": "",
"mitre_tactics": [],
"mitre_techniques": [],
"mod_time": "",
"participants": [],
"properties": "",
"resolution": "",
"risk_score": "",
"start_time": "",
"status": "",
"ticket_id": "",
"ticket_url": "",
"title": "",
"type": "",
"update_time": ""
}
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique identifier for the detection you want to retrieve from ExtraHop. |
The output contains the following populated JSON schema:
{
"appliance_id": "",
"assignee": "",
"categories": [],
"description": "",
"end_time": "",
"id": "",
"is_user_created": "",
"mitre_tactics": [],
"mitre_techniques": [],
"mod_time": "",
"participants": [],
"properties": "",
"resolution": "",
"risk_score": "",
"start_time": "",
"status": "",
"ticket_id": "",
"ticket_url": "",
"title": "",
"type": "",
"update_time": ""
}
None.
The output contains the following populated JSON schema:
{
"author": "",
"categories": [],
"display_name": "",
"is_user_created": "",
"mitre_categories": [],
"properties": "",
"type": ""
}
| Parameter | Description |
|---|---|
| Type | Specify the string identifier for the detection type you want to create in ExtraHop. The string can contain only letters, numbers, and underscores. Detection types are unique among built-in formats and unique among custom formats, but a built-in format and a custom format can share the same detection type. |
| Display Name | Specify the display name of the detection type that appears on the 'Detections' page in the ExtraHop system. |
| Author | (Optional) Specify the author of the detection format you want to create in ExtraHop. |
| Categories | (Optional) Specify the list of categories to which the detection you want to create in ExtraHop belongs. Keep the following in mind: |
| Mitre Categories | (Optional) Specify the IDs of the MITRE techniques associated with the detection you want to create in ExtraHop. |
The output contains the following populated JSON schema:
{
"author": "",
"categories": [],
"display_name": "",
"is_user_created": "",
"mitre_categories": [],
"properties": "",
"type": ""
}
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique string identifier for the detection you want to delete from ExtraHop. |
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
None.
The output contains the following populated JSON schema:
{
"author": "",
"create_time": "",
"description": "",
"detection_type": "",
"detections_hidden": "",
"enabled": "",
"expiration": "",
"hide_past_detections": "",
"id": "",
"offender": "",
"participants_hidden": "",
"properties": [],
"victim": ""
}
| Parameter | Description |
|---|---|
| Detection ID | Specify the unique string identifier for the detection format you want to update in ExtraHop. |
| Display Name | Specify the display name of the detection type that appears on the 'Detections' page in the ExtraHop system. |
| Author | (Optional) Specify the author of the detection format you want to update in ExtraHop. |
| Categories | (Optional) Specify the list of categories to which the detection you want to update in ExtraHop belongs. Keep the following in mind: |
| Mitre Categories | (Optional) Specify the IDs of the MITRE techniques associated with the detection you want to update in ExtraHop. |
| Type | (Optional) Specify the string identifier for the detection type you want to update in ExtraHop. The string can contain only letters, numbers, and underscores. Detection types are unique among built-in formats and unique among custom formats, but a built-in format and a custom format can share the same detection type. |
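The Type and Mitre Categories rules stated for Create New Detection Format and Update Detection Format above are easy to get wrong from a playbook, and a rejected request only surfaces as a failed step. The following added example, which is not connector or ExtraHop code, checks a format against those rules before the create or update call: the type may contain only letters, numbers and underscores, and uniqueness is enforced only among custom formats, so a custom type may coincide with a built-in one. The existing-format list is shaped like the Get Detection Formats output and is constructed for the example; the MITRE technique ID pattern (T1234 or T1234.001) is general ATT&CK knowledge, not something the page states.

```python
"""Validate a custom detection format before Create/Update Detection Format.

Added example, not connector or ExtraHop code. `existing` is a list shaped
like the Get Detection Formats output (author, categories, display_name,
is_user_created, mitre_categories, properties, type); the sample list below
is constructed. The MITRE id pattern is general ATT&CK knowledge.
"""
import re
from typing import Dict, List

TYPE_RE = re.compile(r"^[A-Za-z0-9_]+$")        # letters, numbers, underscores only
MITRE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")     # technique or sub-technique id

EXISTING_FORMATS: List[Dict] = [  # constructed sample of Get Detection Formats output
    {"type": "cifs_brute_force", "display_name": "CIFS Brute Force", "is_user_created": False},
    {"type": "soar_custom_beacon", "display_name": "SOAR Beacon", "is_user_created": True},
]


def validate_format(fmt: Dict, existing: List[Dict], updating: bool = False) -> List[str]:
    """Return the problems found; an empty list means the request is well formed.

    For an update, a clash with the custom format being updated (same type)
    is expected and is therefore ignored.
    """
    problems = []
    fmt_type = fmt.get("type", "")
    if not TYPE_RE.match(fmt_type):
        problems.append("type may contain only letters, numbers and underscores")
    if not fmt.get("display_name"):
        problems.append("display_name is required")
    # Uniqueness is per group: only other custom formats can clash with a new custom type.
    clashes = [e for e in existing if e.get("is_user_created") and e.get("type") == fmt_type]
    if clashes and not updating:
        problems.append(f"a custom format with type {fmt_type!r} already exists")
    for tech in fmt.get("mitre_categories", []):
        if not MITRE_RE.match(str(tech)):
            problems.append(f"MITRE technique id {tech!r} is not of the form T1234 or T1234.001")
    return problems
```

Running the check first keeps the playbook's failure message specific (which rule was broken) rather than a generic HTTP error from the create step.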
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
| Parameter | Description |
|---|---|
| Ticket ID | Specify the ID of the ticket associated with the detection you want to update in ExtraHop. |
| Assignee | Specify the assignee of the ticket associated with the detection you want to update in ExtraHop. |
| Status | Select the status of the ticket associated with the detection you want to update in ExtraHop. You can choose from the following options: New, In Progress, Acknowledged, or Closed. |
| Resolution | Select the resolution of the ticket associated with the detection you want to update in ExtraHop. You can choose between Action Taken or No Action Taken. |
The output contains the following populated JSON schema:
{
"author": "",
"categories": [],
"display_name": "",
"is_user_created": "",
"mitre_categories": [],
"properties": "",
"type": ""
}
| Parameter | Description |
|---|---|
| Categories | Specify a list of one or more detection categories that you want to retrieve from ExtraHop. |
| Assignee | Specify a list of one or more assignees of the detections to retrieve from ExtraHop. Specify .none to search for unassigned detections or specify .me to search for detections assigned to the authenticated user. |
| Ticket ID | Specify a list of one or more IDs of tickets associated with the detections to retrieve from ExtraHop. |
| Status | Select one or more detection statuses to retrieve from ExtraHop. You can select from the following options: |
| Resolution | Select one or more detection resolutions to retrieve from ExtraHop. You can select from the following options: |
| Types | Specify a list of one or more detection types to retrieve from ExtraHop. |
| Min Risk Score | Specify a minimum risk score; only detections with a risk score greater than or equal to the specified value are retrieved. |
| From | Specify the starting timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search detections in ExtraHop. Detections that started before the specified date are returned if the detection was ongoing at that time. |
| Limit | Specify the maximum number of results, per page, that this operation should return. |
| Offset | Specify the index of the first item to be returned by this operation. This parameter is useful if you want to get a subset of records, say detections starting from the 10th record. By default, this is set to 0. |
| Sort | Select this checkbox if you want to sort records retrieved from ExtraHop. By default, records are sorted in descending order on the timestamp field. If you select this checkbox, then you must specify the following parameters: |
| Until | Specify the ending timestamp of the time range expressed in milliseconds since the epoch, based on which the query will search detections in ExtraHop. |
| Update Time | Returns detections related to events that occurred after the specified date, expressed in milliseconds since the epoch. Note that ExtraHop Machine Learning Services analyze historical data to generate detections, and so there is a time delay between when the events that cause those detections occur and when the detections are generated. If you search for detections in the same update_time window multiple times, the later search might return detections that were not returned by the earlier search. |
| Mod Time | Returns detections that were updated after the specified date, expressed in milliseconds since the epoch. |
| ID Only | (Optional) Select this checkbox if you want to retrieve only the IDs of the detections. By default, this is set to false. |
The output contains the following populated JSON schema:
{
"appliance_id": "",
"assignee": "",
"categories": [],
"description": "",
"id": "",
"is_user_created": "",
"mitre_tactics": [],
"mitre_techniques": [],
"mod_time": "",
"participants": [],
"properties": "",
"resolution": "",
"risk_score": "",
"start_time": "",
"status": "",
"ticket_id": "",
"title": "",
"type": "",
"update_time": ""
}
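The Get Detections parameters above, as an added example that is not the connector's or ExtraHop's code: a helper that assembles the search request body from those parameters, and a Limit/Offset paginator that keeps the set of already-seen detection IDs across polls, so the update_time behaviour described above (a later search over the same window returning detections the earlier one missed) adds only the new ones. The request layout (a filter object beside from/until/limit/offset/sort/update_time/mod_time), the lowercase filter values and the sample detections are assumptions, not taken from this document.

```python
# Added example, not connector or ExtraHop code. The body layout ("filter" beside
# from/until/limit/offset/sort/update_time/mod_time) is assumed from the ExtraHop API.
from typing import Callable, Optional

def build_search_body(categories=None, assignee=None, ticket_id=None, status=None,
                      resolution=None, types=None, min_risk_score=None,
                      from_ms=None, until_ms=None, limit=100, offset=0,
                      sort_field="start_time", sort_dir="desc",
                      update_time=None, mod_time=None) -> dict:
    """Map Get Detections parameters to one search body; unset filters are omitted."""
    flt = {}
    for key, value in (("categories", categories), ("assignee", assignee),
                       ("ticket_id", ticket_id), ("status", status),
                       ("resolution", resolution), ("types", types)):
        if value:
            flt[key] = list(value)
    if min_risk_score is not None:
        flt["risk_score_min"] = int(min_risk_score)
    body = {"filter": flt, "limit": int(limit), "offset": int(offset),
            "sort": [{"field": sort_field, "direction": sort_dir}]}
    for key, value in (("from", from_ms), ("until", until_ms),
                       ("update_time", update_time), ("mod_time", mod_time)):
        if value is not None:
            body[key] = int(value)
    return body

def collect_detections(post: Callable[[dict], list], body: dict,
                       seen: Optional[set] = None) -> list:
    """Page with Limit/Offset until a short page arrives. `seen` persists ids across
    polls, so re-querying an update_time window yields only detections not seen before."""
    seen = set() if seen is None else seen
    out, page_size, offset = [], body["limit"], body["offset"]
    while True:
        page = post(dict(body, offset=offset))
        for det in page:
            if det["id"] not in seen:
                seen.add(det["id"])
                out.append(det)
        if len(page) < page_size:
            return out
        offset += page_size

# Constructed stand-in for the appliance: in-memory detections and a fake poster
# that honours risk_score_min, limit and offset the way the search API would.
SAMPLE_DETECTIONS = [{"id": i, "risk_score": s, "status": "new"}
                     for i, s in enumerate([95, 40, 88, 72, 10, 91], start=1)]
def fake_post(body: dict) -> list:
    floor = body["filter"].get("risk_score_min", 0)
    hits = [d for d in SAMPLE_DETECTIONS if d["risk_score"] >= floor]
    return hits[body["offset"]:body["offset"] + body["limit"]]
```

In a playbook the `post` callable is replaced by the connector's Get Detections step; the `seen` set is what you would persist between scheduled runs.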
The Sample - ExtraHop - 2.1.0 playbook collection comes bundled with the ExtraHop connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ExtraHop connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets overwritten during the connector upgrade and gets deleted during connector uninstall.