
Three Ways to Automate Security Investigations, Response, and Remediation with ExtraHop's Phantom Integration

With Reveal(x) and Phantom, you can automatically investigate potential data exfiltration, vet newly added DNS servers, and block unauthorized database access.

Check out our on-demand webcast with Phantom to see the ExtraHop app for Phantom and get a walkthrough of the three automated investigation and response playbooks currently available.

The Phantom integration for ExtraHop Reveal(x) enables you to automate and orchestrate rapid security investigation, response, and remediation workflows. Reveal(x) provides a uniquely rich, real-time data source by turning unstructured packets into structured wire data and analyzing it in real time. This data allows you to confidently configure Phantom to automate security workflows and investigations and to orchestrate precise, rapid responses more effectively than ever before. In this post we'll go through three playbooks highlighting the valuable actions you can automate with Reveal(x) and Phantom.

How It Works

Reveal(x) automatically discovers and classifies everything communicating on the network and provides unprecedented depth of visibility into application layer (L7) transactions, as well as decrypting SSL traffic, even with PFS, for maximum visibility. Phantom can use these uniquely deep insights to kick off workflows that discover rogue DNS servers on your network and initiate vulnerability scans, block external clients from accessing internal databases, validate the IP reputation of suspicious endpoints, and more.

[Image: Phantom App]

Playbook 1: Scan New DNS Servers for Vulnerabilities

This playbook discovers new DNS servers on your network and initiates Nessus vulnerability scans. Whether it's a rogue DNS server or your IT department's newly configured DNS server, this playbook enables you to automatically know that it exists and perform an in-depth scan.

[Image: New DNS servers]

The Phantom app queries the ExtraHop server through the ExtraHop REST API every 30 minutes for any newly discovered DNS servers on your network. If there are new DNS servers to report, ExtraHop sends Phantom the details to initiate this playbook and continue with a more in-depth investigation. ExtraHop retrieves all of the peers that each new DNS server has communicated with in the last 30 minutes, as well as all of the protocols it has communicated over in that same timeframe. Finally, the Nessus app scans each of the new DNS servers for potential security vulnerabilities.

Playbook 2: Block External Access to Internal Databases

This playbook processes an ExtraHop detection of an internal database being accessed externally and blocks the corresponding external client IP address on a Palo Alto Networks Firewall. Leaking private data is a big concern, and a simple oversight such as a misconfigured firewall can wreak havoc, so with the power of wire data this playbook can block access in real time and notify you so you can focus on a potentially larger external-access issue.

[Image: Block DB access]

A trigger in the Phantom bundle detects an external IP address accessing an internal database and sends this event from the ExtraHop appliance to a Phantom appliance. A Phantom playbook then begins an automated investigation and remediation workflow. ExtraHop retrieves all of the peers that the external client and the internal database server communicated with in the last 30 minutes, as well as all of the protocols they communicated over in that same timeframe. Finally, the Palo Alto Networks Firewall app blocks traffic from the specified external client IP address.

Playbook 3: Investigate Data Exfiltration Anomalies

This playbook processes an ExtraHop Addy anomaly of potential data exfiltration on your network. With Addy, your team can rest assured it will always be the first to know when there's a problem, so you can solve it quickly and proactively. This playbook puts that into action by automatically starting the investigation and taking the first steps toward responding to possible exfiltration of sensitive data.

[Image: Detect data exfiltration]

After Reveal(x) detects a data exfiltration anomaly, it sends the important details of the anomaly to the Phantom appliance. This playbook first retrieves all of the peers that acted as a client in the last 30 minutes for the device that triggered the anomaly. Then it filters out private IP addresses as defined in RFC 1918. Next it looks up IP reputation scores for each of the non-private IP addresses that communicated with the device that triggered the anomaly in the last 30 minutes. If a known bad IP address is found, that device is tagged appropriately in ExtraHop and a task is created for an analyst to manually look into the data exfiltration event further.
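The decision logic of Playbook 3, written out as an added example (not code from the ExtraHop app or the Phantom playbook): peers seen as clients within the last 30 minutes are reduced to the non-RFC 1918 addresses, each is checked against a reputation source, and a known bad peer leads to tagging the device and opening an analyst task. The peer records, field names, reputation scores and the "lower is worse" threshold are constructed assumptions standing in for the Reveal(x) peer query and the reputation app; the same RFC 1918 test is what separates an external client from an internal one in Playbook 2.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# RFC 1918 private ranges; the playbook drops these before any reputation lookup.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed "current time" for the constructed sample

# Constructed peer records: clients seen talking to the anomalous device (field names are assumptions).
SAMPLE_PEERS = [
    {"ip": "10.1.4.25", "last_seen": NOW - timedelta(minutes=5)},       # internal, filtered out
    {"ip": "172.31.200.9", "last_seen": NOW - timedelta(minutes=12)},   # internal (172.16/12), filtered out
    {"ip": "203.0.113.7", "last_seen": NOW - timedelta(minutes=2)},     # external, known bad
    {"ip": "198.51.100.22", "last_seen": NOW - timedelta(minutes=20)},  # external, clean
    {"ip": "192.0.2.44", "last_seen": NOW - timedelta(minutes=45)},     # external, but outside the 30-minute window
]

# Constructed stand-in for the reputation app's answers: score 0-100, lower is worse (assumption).
SAMPLE_REPUTATION = {"203.0.113.7": 12, "198.51.100.22": 88}


def is_rfc1918(ip: str) -> bool:
    """True when the address falls in one of the three RFC 1918 blocks (IPv4 only)."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def external_peers_in_window(peers, now, minutes=30):
    """Peers seen inside the window that are not private; deduplicated, order preserved."""
    cutoff = now - timedelta(minutes=minutes)
    seen, result = set(), []
    for p in peers:
        if p["last_seen"] < cutoff or is_rfc1918(p["ip"]) or p["ip"] in seen:
            continue
        seen.add(p["ip"])
        result.append(p["ip"])
    return result


def triage_exfil_anomaly(device, peers, reputation, now, bad_threshold=30):
    """Produce the playbook's outcome: external peers, known bad peers, and whether to tag and open a task."""
    external = external_peers_in_window(peers, now)
    # An address with no reputation data is treated as not known bad; the playbook acts only on known bad IPs.
    bad = [ip for ip in external if reputation.get(ip, 100) < bad_threshold]
    return {
        "device": device,
        "external_ips": external,
        "known_bad": bad,
        "tag_device": bool(bad),  # tag the device in ExtraHop only when a known bad peer is present
        "analyst_task": f"Review possible exfiltration from {device}; bad peers: {bad}" if bad else None,
    }
```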

Unlock Easier Integrations

The Phantom integration for ExtraHop Reveal(x) lets you connect your existing security infrastructure so that each part actively participates in your defense strategy: you can quickly and easily integrate Reveal(x) with over 200 Phantom community apps without writing a single line of code. This brings together the information needed to proactively identify potential security issues on your network in real time, and gives you the tools to automate and orchestrate rapid security investigation, response, and remediation workflows between systems, ultimately improving efficiency and precision by orchestrating complex security workflows.

Read the full brief here.

The Phantom integration is available for download on the Solutions Bundles Gallery.

Disclaimer: The example playbooks rely on third-party Phantom integrations that are tested and maintained independently of the ExtraHop app.
