Publisher: Splunk
Connector Version: 2.0.0
Product Vendor: ExtraHop Networks
Product Name: ExtraHop
Product Version Supported (regex): ".*"
Minimum Product Version: 5.3.0
This app integrates with the ExtraHop platform to perform investigative actions based on real-time network data.
For ExtraHop installation and configuration instructions visit bundles.extrahop.com.
The Splunk SOAR integration for ExtraHop enables you to automate and orchestrate rapid security investigation, response, and remediation workflows. ExtraHop Reveal(x) provides a uniquely rich, real-time data source by turning unstructured packets into structured wire data and analyzing it in real time. Based on this data, you can confidently configure Splunk SOAR to automate security workflows and investigations and orchestrate precise, rapid responses to security threats more effectively than ever before.
ExtraHop and Splunk SOAR connect through simple, powerful REST APIs, making it easy to build and iterate new use cases to get the most value for the least effort, a vital capability for thinly stretched enterprise security teams.
The configuration variables below are required for this Connector to operate. These variables are specified when configuring an ExtraHop asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
base_url | required | string | IP Address or Hostname |
verify_server_cert | optional | boolean | Verify server certificate |
api_key | required | password | REST API Key |
- test connectivity - Validate the asset configuration for connectivity using supplied configuration
- get device info - Get device details from ExtraHop
- get peers - Get a list of peers that a device communicated with within the last N minutes
- get protocols - Get a list of protocols that a device communicated in the last N minutes
- get devices - Get a list of newly discovered devices
- create device - Create a new custom device on the ExtraHop
- tag device - Tag an existing device on the ExtraHop
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Get device details from ExtraHop
Type: investigate
Read only: True
This action gets more details about a device given its IP address. Details include the MAC address, DHCP name, first discovered time, device type, and more.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | Comma-separated IP addresses | string | ip |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.ip | string | ip |
action_result.data.*.analysis | string | |
action_result.data.*.analysis_level | numeric | |
action_result.data.*.auto_role | string | |
action_result.data.*.cdp_name | string | |
action_result.data.*.cloud_account | string | |
action_result.data.*.cloud_instance_description | string | |
action_result.data.*.cloud_instance_id | string | |
action_result.data.*.cloud_instance_name | string | |
action_result.data.*.cloud_instance_type | string | |
action_result.data.*.critical | boolean | |
action_result.data.*.custom_criticality | string | |
action_result.data.*.custom_make | string | |
action_result.data.*.custom_model | string | |
action_result.data.*.custom_name | string | |
action_result.data.*.custom_type | string | |
action_result.data.*.default_name | string | |
action_result.data.*.description | string | |
action_result.data.*.device_class | string | |
action_result.data.*.dhcp_name | string | host name |
action_result.data.*.discover_time | numeric | |
action_result.data.*.discovery_id | string | |
action_result.data.*.display_name | string | |
action_result.data.*.dns_name | string | host name |
action_result.data.*.extrahop_id | string | |
action_result.data.*.id | numeric | extrahop api id |
action_result.data.*.ipaddr4 | string | ip |
action_result.data.*.ipaddr6 | string | ip |
action_result.data.*.is_l3 | boolean | |
action_result.data.*.last_seen_time | numeric | |
action_result.data.*.macaddr | string | mac address |
action_result.data.*.mod_time | numeric | |
action_result.data.*.model | string | |
action_result.data.*.model_override | string | |
action_result.data.*.netbios_name | string | |
action_result.data.*.node_id | string | |
action_result.data.*.on_watchlist | boolean | |
action_result.data.*.parent_id | numeric | |
action_result.data.*.role | string | |
action_result.data.*.subnet_id | string | |
action_result.data.*.user_mod_time | numeric | |
action_result.data.*.vendor | string | |
action_result.data.*.vlanid | numeric | |
action_result.data.*.vpc_id | string | |
action_result.summary.device_count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
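The 'ip' parameter above is a comma-separated list, and the outputs are addressed by SOAR-style data paths in which `*` fans out over every entry of `action_result.data`. The following is an added example, not part of the ExtraHop connector or of Splunk SOAR: it validates such an IP list with the standard `ipaddress` module, resolves data paths against one action result, and pulls out the devices ExtraHop already has on its watchlist. `SAMPLE_RESULT` is a constructed result trimmed to a few of the documented fields; its values are made up.

```python
"""Added example (not the connector's own code): validating the 'ip'
parameter of 'get device info' and reading its results via data paths
such as action_result.data.*.macaddr."""
import ipaddress
from typing import Any, Dict, List


def parse_ip_list(value: str) -> List[str]:
    """Split the comma-separated 'ip' parameter, validate each entry and
    drop duplicates while preserving order. Raises ValueError on bad input,
    so a playbook fails loudly instead of running a silent partial lookup."""
    seen: List[str] = []
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        canonical = str(ipaddress.ip_address(token))  # ValueError if not an IP
        if canonical not in seen:
            seen.append(canonical)
    if not seen:
        raise ValueError("'ip' must contain at least one IP address")
    return seen


def resolve_data_path(action_result: Dict[str, Any], path: str) -> List[Any]:
    """Resolve a data path like 'action_result.data.*.macaddr' against one
    action result dict. '*' fans out over a list; missing keys yield nothing.
    Results keep the order of action_result.data."""
    parts = path.split(".")
    if parts[0] != "action_result":
        raise ValueError("path must start with 'action_result'")
    current: List[Any] = [action_result]
    for part in parts[1:]:
        next_level: List[Any] = []
        for node in current:
            if part == "*":
                if isinstance(node, list):
                    next_level.extend(node)
            elif isinstance(node, dict) and part in node:
                next_level.append(node[part])
        current = next_level
    return current


# Constructed sample: the shape of one successful 'get device info' result,
# trimmed to a few of the documented fields. All values are made up.
SAMPLE_RESULT: Dict[str, Any] = {
    "status": "success",
    "parameter": {"ip": "10.0.0.5, 10.0.0.5,10.0.0.9"},
    "data": [
        {"id": 1101, "ipaddr4": "10.0.0.5", "macaddr": "00:11:22:33:44:55",
         "dhcp_name": "ws-0005", "on_watchlist": False, "critical": False},
        {"id": 1102, "ipaddr4": "10.0.0.9", "macaddr": "00:11:22:33:44:66",
         "dhcp_name": "db-0009", "on_watchlist": True, "critical": True},
    ],
    "summary": {"device_count": 2},
    "message": "Device count: 2",
}


def watchlisted_hosts(action_result: Dict[str, Any]) -> List[str]:
    """Return the IPv4 addresses of returned devices that ExtraHop already has
    on its watchlist; iterating the device dicts keeps ip and flag aligned
    even when a device lacks one of the fields."""
    devices = resolve_data_path(action_result, "action_result.data.*")
    return [d["ipaddr4"] for d in devices if d.get("on_watchlist") and "ipaddr4" in d]


if __name__ == "__main__":
    print(parse_ip_list(SAMPLE_RESULT["parameter"]["ip"]))
    print(resolve_data_path(SAMPLE_RESULT, "action_result.data.*.macaddr"))
    print(watchlisted_hosts(SAMPLE_RESULT))
```

Canonicalising through `ipaddress` also collapses differently written duplicates (for instance mixed-case IPv6 forms) before the request is built, so the device_count in the summary reflects distinct devices rather than repeated input.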
Get a list of peers that a device communicated with within the last N minutes
Type: investigate
Read only: True
This action retrieves a list of all of the peers that a device communicated with within the last N minutes, optionally filtered by role and/or protocol. Either the 'ip' or the 'eh_api_id' parameter is required. If both are provided, 'eh_api_id' takes precedence.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | optional | IP address of device | string | ip |
minutes | optional | Minutes to look back (default 30) | numeric | |
peer_role | optional | Filter by peer role | string | |
protocol | optional | Filter by protocol | string | |
eh_api_id | optional | ExtraHop API id | numeric | extrahop api id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.eh_api_id | numeric | extrahop api id |
action_result.parameter.ip | string | ip |
action_result.parameter.minutes | numeric | |
action_result.parameter.peer_role | string | |
action_result.parameter.protocol | string | |
action_result.data.*.analysis | string | |
action_result.data.*.analysis_level | numeric | |
action_result.data.*.cdp_name | string | |
action_result.data.*.custom_name | string | |
action_result.data.*.custom_type | string | |
action_result.data.*.default_name | string | |
action_result.data.*.description | string | |
action_result.data.*.device_class | string | |
action_result.data.*.dhcp_name | string | host name |
action_result.data.*.discover_time | numeric | |
action_result.data.*.discovery_id | string | |
action_result.data.*.display_name | string | |
action_result.data.*.dns_name | string | host name |
action_result.data.*.extrahop_id | string | |
action_result.data.*.id | numeric | extrahop api id |
action_result.data.*.ipaddr4 | string | ip |
action_result.data.*.ipaddr6 | string | ip |
action_result.data.*.is_l3 | boolean | |
action_result.data.*.macaddr | string | mac address |
action_result.data.*.mod_time | numeric | |
action_result.data.*.netbios_name | string | |
action_result.data.*.node_id | string | |
action_result.data.*.on_watchlist | boolean | |
action_result.data.*.parent_id | numeric | |
action_result.data.*.user_mod_time | numeric | |
action_result.data.*.vendor | string | |
action_result.data.*.vlanid | numeric | |
action_result.summary.peer_count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get a list of protocols that a device communicated in the last N minutes
Type: investigate
Read only: True
This action retrieves a list of all of the protocols that a device communicated over during the last N minutes, optionally filtered by role. Either the 'ip' or the 'eh_api_id' parameter is required. If both are provided, 'eh_api_id' takes precedence.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | optional | IP address of device | string | ip |
minutes | optional | Minutes to look back (default 30) | numeric | |
eh_api_id | optional | ExtraHop API id | numeric | extrahop api id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.eh_api_id | numeric | extrahop api id |
action_result.parameter.ip | string | ip |
action_result.parameter.minutes | numeric | |
action_result.data.*.client_protocols | string | |
action_result.data.*.server_protocols | string | |
action_result.summary.client_protocol_count | numeric | |
action_result.summary.server_protocol_count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Get a list of newly discovered devices
Type: investigate
Read only: True
This action retrieves a list of newly discovered devices classified in a particular activity group that first communicated on your network in the last N minutes.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
activity_type | required | Activity type | string | |
minutes | optional | Minutes to look back (default 30) | numeric | |
offset | optional | Starting index of overall result set (default 0) | numeric | |
limit | optional | Number of records to fetch (default 1000) | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.activity_type | string | |
action_result.parameter.limit | numeric | |
action_result.parameter.minutes | numeric | |
action_result.parameter.offset | numeric | |
action_result.data.*.analysis | string | |
action_result.data.*.analysis_level | numeric | |
action_result.data.*.auto_role | string | |
action_result.data.*.cdp_name | string | |
action_result.data.*.cloud_account | string | |
action_result.data.*.cloud_instance_description | string | |
action_result.data.*.cloud_instance_id | string | |
action_result.data.*.cloud_instance_name | string | |
action_result.data.*.cloud_instance_type | string | |
action_result.data.*.critical | boolean | |
action_result.data.*.custom_criticality | string | |
action_result.data.*.custom_make | string | |
action_result.data.*.custom_model | string | |
action_result.data.*.custom_name | string | |
action_result.data.*.custom_type | string | |
action_result.data.*.default_name | string | |
action_result.data.*.description | string | |
action_result.data.*.device_class | string | |
action_result.data.*.dhcp_name | string | host name |
action_result.data.*.discover_time | numeric | |
action_result.data.*.discovery_id | string | |
action_result.data.*.display_name | string | |
action_result.data.*.dns_name | string | host name |
action_result.data.*.extrahop_id | string | |
action_result.data.*.id | numeric | extrahop api id |
action_result.data.*.ipaddr4 | string | ip |
action_result.data.*.ipaddr6 | string | ip |
action_result.data.*.is_l3 | boolean | |
action_result.data.*.last_seen_time | numeric | |
action_result.data.*.macaddr | string | mac address |
action_result.data.*.mod_time | numeric | |
action_result.data.*.model | string | |
action_result.data.*.model_override | string | |
action_result.data.*.netbios_name | string | |
action_result.data.*.node_id | string | |
action_result.data.*.on_watchlist | boolean | |
action_result.data.*.parent_id | numeric | |
action_result.data.*.role | string | |
action_result.data.*.subnet_id | string | |
action_result.data.*.user_mod_time | numeric | |
action_result.data.*.vendor | string | |
action_result.data.*.vlanid | numeric | |
action_result.data.*.vpc_id | string | |
action_result.summary.new_devices_count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
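Because 'get devices' pages its result set with `offset` and `limit` (default 1000), a playbook that wants every newly discovered device in the window has to keep calling the action until a page comes back short. The following is an added example, not the connector's own code: a pagination loop over a stand-in fetch function. `FAKE_NEW_DEVICES`, `fake_fetch` and the activity type string are constructed for the demonstration; the real call would be the connector's REST request.

```python
"""Added example (not the connector's code): paging through 'get devices'
results with the documented offset/limit parameters."""
from typing import Any, Callable, Dict, Iterator, List, Tuple

DEFAULT_LIMIT = 1000    # documented default for 'limit'
DEFAULT_MINUTES = 30    # documented default for 'minutes'

# Constructed inventory standing in for ExtraHop's answer: 2,300 devices
# first seen in the window, so one default-sized page cannot hold them all.
FAKE_NEW_DEVICES: List[Dict[str, Any]] = [
    {"id": 5000 + n, "ipaddr4": f"10.20.{n // 256}.{n % 256}", "device_class": "node"}
    for n in range(2300)
]

# Every (offset, limit) pair the stand-in was asked for, so the paging
# behaviour can be inspected.
FETCH_LOG: List[Tuple[int, int]] = []

FetchFn = Callable[[str, int, int, int], List[Dict[str, Any]]]


def fake_fetch(activity_type: str, minutes: int, offset: int, limit: int) -> List[Dict[str, Any]]:
    """Stand-in for the connector's 'get devices' call: slices the
    constructed inventory exactly as offset/limit paging would."""
    FETCH_LOG.append((offset, limit))
    return FAKE_NEW_DEVICES[offset:offset + limit]


def iter_new_devices(fetch: FetchFn, activity_type: str,
                     minutes: int = DEFAULT_MINUTES,
                     limit: int = DEFAULT_LIMIT) -> Iterator[Dict[str, Any]]:
    """Yield every device, requesting successive pages until a page comes
    back shorter than 'limit'. A non-positive limit would loop forever on
    the same offset, so it is rejected up front."""
    if limit <= 0:
        raise ValueError("limit must be positive")
    offset = 0
    while True:
        page = fetch(activity_type, minutes, offset, limit)
        yield from page
        if len(page) < limit:
            return
        offset += limit


def count_new_devices(fetch: FetchFn, activity_type: str,
                      minutes: int = DEFAULT_MINUTES,
                      limit: int = DEFAULT_LIMIT) -> int:
    """Total number of devices across all pages."""
    return sum(1 for _ in iter_new_devices(fetch, activity_type, minutes, limit))


if __name__ == "__main__":
    # "constructed_activity_type" is a placeholder, not a real ExtraHop activity group.
    print(count_new_devices(fake_fetch, "constructed_activity_type"))
    print(FETCH_LOG)
```

With the default limit the loop makes three requests (offsets 0, 1000 and 2000) and stops because the last page holds only 300 records; a smaller limit simply means more, shorter pages with the same total.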
Create a new custom device on the ExtraHop
Type: generic
Read only: False
This action will create a new custom device on the ExtraHop appliance with a single IP address. This action is expected to be used with endpoints, which are not typically tracked individually with full analysis.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP address | string | ip |
name | optional | The friendly name for the custom device | string | |
author | optional | The name of the custom device creator | string | |
description | optional | An optional description of the custom device | string | |
cidr | optional | CIDR block | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.author | string | |
action_result.parameter.cidr | string | |
action_result.parameter.description | string | |
action_result.parameter.ip | string | ip |
action_result.parameter.name | string | |
action_result.data.*.cidr | string | |
action_result.data.*.name | string | |
action_result.summary.name | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Tag an existing device on the ExtraHop
Type: generic
Read only: False
This action tags a device on the ExtraHop appliance. Tags are normally used to control device membership in dynamic groups. Either the 'ip' or the 'eh_api_id' parameter is required. If both are provided, 'eh_api_id' takes precedence.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | optional | IP address | string | ip |
tag | required | Tag name | string | |
eh_api_id | optional | ExtraHop device API ID | numeric | extrahop api id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.eh_api_id | numeric | extrahop api id |
action_result.parameter.ip | string | ip |
action_result.parameter.tag | string | |
action_result.data.*.tag_id | numeric | |
action_result.summary.extrahop_device_id | numeric | |
action_result.summary.tag | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
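'get peers', 'get protocols' and 'tag device' all share the same selection rule: one of 'ip' or 'eh_api_id' must be supplied, 'eh_api_id' wins when both are present, and where the action takes 'minutes' it defaults to 30. The block below is an added example of that rule, not code from the connector: it normalises the raw parameter dicts a playbook would pass for 'get peers' and 'tag device' into the values the request would act on. The function and key names are the example's own.

```python
"""Added example (not the connector's own code): the parameter precedence
shared by 'get peers', 'get protocols' and 'tag device'."""
import ipaddress
from typing import Any, Dict, Tuple

DEFAULT_MINUTES = 30  # documented default for 'minutes'


def select_device(params: Dict[str, Any]) -> Tuple[str, Any]:
    """Return ("eh_api_id", <int>) or ("ip", <str>) following the documented
    precedence. Raises ValueError when neither identifier is usable."""
    api_id = params.get("eh_api_id")
    if api_id not in (None, ""):
        # eh_api_id beats ip whenever both are present.
        try:
            return "eh_api_id", int(api_id)
        except (TypeError, ValueError):
            raise ValueError(f"eh_api_id must be an integer, got {api_id!r}") from None
    ip = params.get("ip")
    if ip not in (None, ""):
        # ipaddress.ip_address raises ValueError on anything that is not an IP.
        return "ip", str(ipaddress.ip_address(str(ip).strip()))
    raise ValueError("either 'ip' or 'eh_api_id' is required")


def lookback_minutes(params: Dict[str, Any]) -> int:
    """Apply the documented default of 30 and reject windows that cannot
    mean 'the last N minutes'."""
    raw = params.get("minutes")
    if raw in (None, ""):
        return DEFAULT_MINUTES
    minutes = int(raw)
    if minutes <= 0:
        raise ValueError("minutes must be a positive integer")
    return minutes


def build_get_peers_request(params: Dict[str, Any]) -> Dict[str, Any]:
    """Normalise a 'get peers' parameter dict: device selector, look-back
    window, and the optional peer_role / protocol filters when given."""
    kind, value = select_device(params)
    request: Dict[str, Any] = {
        "selector": kind,
        "value": value,
        "minutes": lookback_minutes(params),
    }
    for optional in ("peer_role", "protocol"):
        if params.get(optional):
            request[optional] = params[optional]
    return request


def build_tag_device_request(params: Dict[str, Any]) -> Dict[str, Any]:
    """'tag device' has no look-back window, but 'tag' is required."""
    tag = str(params.get("tag") or "").strip()
    if not tag:
        raise ValueError("'tag' is required")
    kind, value = select_device(params)
    return {"selector": kind, "value": value, "tag": tag}


if __name__ == "__main__":
    # Constructed inputs: both identifiers given, so eh_api_id is used.
    print(build_get_peers_request({"ip": "10.0.0.5", "eh_api_id": "1101"}))
    print(build_tag_device_request({"ip": "10.0.0.9", "tag": "suspicious"}))
```

Resolving the selector in one place means the three actions cannot drift apart in how they treat a playbook that sets both identifiers, and a malformed 'ip' is caught before any request reaches the appliance.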