Start Demo

Back Arrow Bundle Library

Demisto Integration

Supported Bundle

Description

Demisto is a security orchestration, automation, and response (SOAR) platform focused on incident response that enables you to automate security workflows, manage incidents, and investigate underlying issues.

This integration enables the following investigative tasks and workflows in Demisto as an automated response to ExtraHop Reveal(x) detections:

  • Create a Demisto incident in real-time when a Reveal(x) detection identifies malicious or non-compliant behavior on your network.

  • Leverage Reveal(x) playbooks to respond with thousands of security actions that accelerate automated investigation and remediation.

  • Send real-time queries to Reveal(x) through the ExtraHop REST API that enable you to search for specific devices, network peers, active protocols, records, and packets that are part of your investigation.

  • Track tickets in Reveal(x) that link detections to your Demisto investigation.

The bundle for this integration includes a single trigger that formats Reveal(x) detections and sends a request to create Demisto incidents through the Demisto REST API. After an incident is created in Demisto, the default ExtraHop playbook assigns an ExtraHop analyst role to the incident, sets up ticket tracking, and runs associated detection playbooks.

The following figures show an example of a Reveal(x) detection and the resulting incident and workflows in Demisto.

ExtraHop detection card

Figure 1. ExtraHop detection card for CVE-2019-0708 RDP Exploit Attempt

Demisto incident summary

Figure 2. Demisto incident summary for CVE-2019-0708 RDP Exploit Attempt

Demisto playbook for ExtraHop detections

Figure 3. Reveal(x) playbook to set up ticket tracking and run the BlueKeep playbook

Bundle Contents

  • (1) Trigger

    • Demisto Incidents

Requirements

  • You must have an ExtraHop Discover or Command appliance with version 7.8 or later and a user account that has Unlimited privileges

  • You must have a Demisto instance with version 4.5.0 or later and a user account that has Administrator privileges

  • You must generate an API key for a designated user to enable requests to the ExtraHop REST API before configuring Demisto. When configuring this bundle on a Command appliance, you must generate the API key from the Command appliance.

  • You must generate an API key for a designated user to enable requests to the Demisto REST API key before configuring Reveal(x).

Installation Instructions

Configure Demisto

  1. Log into Demisto and update the Content Repository with the latest integrations and playbooks.

  2. Set up the ExtraHop Reveal(x) integration with the following parameters:

    • In the Name field, type a name to identify the Reveal(x) appliance.

    • In the API Key field, type the value of the ExtraHop REST API key you generated.

    • In the URL field, type the URL of the Reveal(x) appliance, similar to the following: https://<hostname-or-ip-address-of-Reveal(x)-appliance>/.

    • (Optional) Select the Trust any certificate (Not Secure) checkbox if you want to bypass SSL certification verification.

The completed form should look similar to the following figure.

Add a ExtraHop Reveal(x) instance

Create a role

  1. Navigate to Settings > Users and Roles > Roles.

  2. Select the Analyst role.

  3. Click the copy icon Copy icon.

  4. In the Role name field, type ExtraHop.

  5. Click Save.

The completed form should look similar to the following figure.

ExtraHop Role

Add users to the ExtraHop role

  1. Navigate to Settings > Users and Roles > Users.

  2. Select the checkbox next to the user that you want to add to the ExtraHop role.

  3. Click Roles.

  4. From the Roles field drop-down list, select ExtraHop.

  5. Click Save.

  6. Repeat these steps for each user that you want to add to the ExtraHop role.

Add user to ExtraHop role

Create a new incident type

  1. Add a new incident type with the following parameters:

    • In the Name field, type ExtraHop Detection.

    • From the Default playbook drop-down list, select ExtraHop - Default.

    • Select the Run playbook automatically checkbox.

The completed form should look similar to the following figure.

ExtraHop Detection Incident Type

Create a pre-process rule

  1. Create a pre-process rule with the following parameters:

    • In the Rule name field, type Deduplicate ExtraHop Detections.

    • In the Conditions for incoming incident section:

      i. From the Choose an incident field drop-down list, select Type.

      ii. From the Choose a value drop-down list, select ExtraHop Detection.

    • In the Action section:

      i. From the Action drop-down list, select Drop and update.

    • In the Update section:

      i. Select the Search closed incidents checkbox.

      ii. From the Choose an incident field drop-down list, select Detection URL.

      iii. Click Equals (String) and then select is identical.

    • Click Save.

The completed form should look similar to the following figure.

Demisto pre-process rule

Configure field change triggers

  1. Navigate to Settings > Advanced > Fields.

  2. Select the checkbox next to the field name Owner, and then click Edit.

  3. From the Script upon change drop-down list, select ExtraHopTrackIncidents.

  4. Click Save.

  5. Repeat steps 2 through 4 for the field name Run Status.

Field change trigger

Configure ExtraHop Reveal(x)

Note: If you are installing this bundle on a Command appliance, you must complete all of these steps on the Command appliance, and then configure the open data stream targets on each connected Discover appliance that should send detections to Demisto.

Install the bundle

When installing the bundle on a Command appliance, select the option to install the bundle on all of the connected Discover appliances that should send detections to Demisto.

  1. Download the bundle on this page.

  2. Upload and apply the bundle.

Setup Ticket Tracking

  1. Log into the Admin UI on the Command or Discover appliance where you installed the bundle.

  2. Enable ticket tracking and specify a URL template with the following parameters:

    • In the URL field, type https://<demisto-hostname>/#/Details/$ticket_id, replacing <demisto-hostname> with the hostname or IP address of your Demisto instance.

    • Click Save.

The completed page should look similar to the following figure.

ExtraHop ticket tracking

Configure ODS targets

When installing this bundle on a Command appliance, configure the open data stream (ODS) targets on each connected Discover appliance that should send detections to Demisto.

  1. Log into the Admin UI on the Discover appliance.

  2. Configure an HTTP target for an open data stream with the following parameters:

    • In the Name field, type demisto.

    • In the Host field, type the hostname or IP address of your Demisto instance.

    • In the Port field, type 443.

    • From the Type drop-down list, select HTTPS.

    • In the Additional HTTP header field, type Authorization:<demisto-api-key>, replacing <demisto-api-key> with the value of the Demisto API Key that you generated previously.

The completed form should look similar to the following figure.

ExtraHop open data stream target

Configure the trigger

  1. In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon System Settings icon, and then click Triggers.

  2. In the list of triggers, click Demisto Incidents.

  3. In the right pane, click Edit Trigger Script.

  4. In the left pane in the Options section, select the Enable trigger checkbox.

  5. (Optional) For Command appliances only, configure EH_HOSTNAME with the hostname or IP address of the Command appliance, otherwise leave this setting as is.

  6. Click Save, then click Done.

ExtraHop trigger configuration

+

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More