Description
Demisto is a security orchestration, automation, and response (SOAR) platform focused on incident response that enables you to automate security workflows, manage incidents, and investigate underlying issues.
This integration enables the following investigative tasks and workflows in Demisto as an automated response to ExtraHop Reveal(x) detections:
Create a Demisto incident in real-time when a Reveal(x) detection identifies malicious or non-compliant behavior on your network.
Leverage Reveal(x) playbooks to respond with thousands of security actions that accelerate automated investigation and remediation.
Send real-time queries to Reveal(x) through the ExtraHop REST API that enable you to search for specific devices, network peers, active protocols, records, and packets that are part of your investigation.
Track tickets in Reveal(x) that link detections to your Demisto investigation.
The bundle for this integration includes a single trigger that formats Reveal(x) detections and sends a request to create Demisto incidents through the Demisto REST API. After an incident is created in Demisto, the default ExtraHop playbook assigns an ExtraHop analyst role to the incident, sets up ticket tracking, and runs associated detection playbooks.
The following figures show an example of a Reveal(x) detection and the resulting incident and workflows in Demisto.
Figure 1. ExtraHop detection card for CVE-2019-0708 RDP Exploit Attempt
Figure 2. Demisto incident summary for CVE-2019-0708 RDP Exploit Attempt
Figure 3. Reveal(x) playbook to set up ticket tracking and run the BlueKeep playbook
Bundle Contents
(1) Trigger
- Demisto Incidents
Requirements
You must have an ExtraHop Discover or Command appliance with version 7.8 or later and a user account that has Unlimited privileges
You must have a Demisto instance with version 4.5.0 or later and a user account that has Administrator privileges
You must generate an API key for a designated user to enable requests to the ExtraHop REST API before configuring Demisto. When configuring this bundle on a Command appliance, you must generate the API key from the Command appliance.
You must generate an API key for a designated user to enable requests to the Demisto REST API before configuring Reveal(x).
Installation Instructions
Configure Demisto
Log into Demisto and update the Content Repository with the latest integrations and playbooks.
Set up the ExtraHop Reveal(x) integration with the following parameters:
In the Name field, type a name to identify the Reveal(x) appliance.
In the API Key field, type the value of the ExtraHop REST API key you generated.
In the URL field, type the URL of the Reveal(x) appliance, similar to the following:
https://<hostname-or-ip-address-of-Reveal(x)-appliance>/
(Optional) Select the Trust any certificate (Not Secure) checkbox if you want to bypass SSL certificate verification.
The completed form should look similar to the following figure.
Create a role
Navigate to Settings > Users and Roles > Roles.
Select the Analyst role.
Click the copy icon.
In the Role name field, type ExtraHop.
Click Save.
The completed form should look similar to the following figure.
Add users to the ExtraHop role
Navigate to Settings > Users and Roles > Users.
Select the checkbox next to the user that you want to add to the ExtraHop role.
Click Roles.
From the Roles field drop-down list, select ExtraHop.
Click Save.
Repeat these steps for each user that you want to add to the ExtraHop role.
Create a new incident type
Add a new incident type with the following parameters:
In the Name field, type ExtraHop Detection.
From the Default playbook drop-down list, select ExtraHop - Default.
Select the Run playbook automatically checkbox.
The completed form should look similar to the following figure.
Create a pre-process rule
Create a pre-process rule with the following parameters:
In the Rule name field, type Deduplicate ExtraHop Detections.
In the Conditions for incoming incident section:
i. From the Choose an incident field drop-down list, select Type.
ii. From the Choose a value drop-down list, select ExtraHop Detection.
In the Action section:
i. From the Action drop-down list, select Drop and update.
In the Update section:
i. Select the Search closed incidents checkbox.
ii. From the Choose an incident field drop-down list, select Detection URL.
iii. Click Equals (String) and then select is identical.
Click Save.
The completed form should look similar to the following figure.
Configure field change triggers
1. Navigate to Settings > Advanced > Fields.
2. Select the checkbox next to the field name Owner, and then click Edit.
3. From the Script upon change drop-down list, select ExtraHopTrackIncidents.
4. Click Save.
5. Repeat steps 2 through 4 for the field name Run Status.
Configure ExtraHop Reveal(x)
Note: If you are installing this bundle on a Command appliance, you must complete all of these steps on the Command appliance, and then configure the open data stream targets on each connected Discover appliance that should send detections to Demisto.
Install the bundle
When installing the bundle on a Command appliance, select the option to install the bundle on all of the connected Discover appliances that should send detections to Demisto.
Download the bundle on this page.
Set up ticket tracking
Log into the Admin UI on the Command or Discover appliance where you installed the bundle.
Enable ticket tracking and specify a URL template with the following parameters:
In the URL field, type https://<demisto-hostname>/#/Details/$ticket_id, replacing <demisto-hostname> with the hostname or IP address of your Demisto instance.
Click Save.
The completed page should look similar to the following figure.
Configure ODS targets
When installing this bundle on a Command appliance, configure the open data stream (ODS) targets on each connected Discover appliance that should send detections to Demisto.
Log into the Admin UI on the Discover appliance.
Configure an HTTP target for an open data stream with the following parameters:
In the Name field, type demisto.
In the Host field, type the hostname or IP address of your Demisto instance.
In the Port field, type 443.
From the Type drop-down list, select HTTPS.
In the Additional HTTP header field, type Authorization:<demisto-api-key>, replacing <demisto-api-key> with the value of the Demisto API key that you generated previously.
The completed form should look similar to the following figure.
Configure the trigger
In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
In the list of triggers, click Demisto Incidents.
In the right pane, click Edit Trigger Script.
In the left pane in the Options section, select the Enable trigger checkbox.
(Optional) For Command appliances only, configure EH_HOSTNAME with the hostname or IP address of the Command appliance; otherwise leave this setting as is.
Click Save, then click Done.
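The following added example (not code from the ExtraHop bundle, the Demisto content pack, or the trigger itself) ties the pieces above together: it builds the incident-creation request the ODS target carries to the Demisto REST API (port 443, Authorization header holding the raw API key, incident type ExtraHop Detection), applies the Deduplicate ExtraHop Detections rule offline so you can see why the Search closed incidents checkbox matters, and expands the ticket tracking URL template. The custom field key detectionurl is an assumption standing in for the Detection URL field; the sample incident data is constructed.

```python
import json
from typing import Dict, List, Optional

# Added example, not code from the ExtraHop bundle or the Demisto content pack.
INCIDENT_TYPE = "ExtraHop Detection"  # incident type created in the Demisto setup
TICKET_URL = "https://{demisto_host}/#/Details/{ticket_id}"  # ticket tracking URL template
DETECTION_URL_FIELD = "detectionurl"  # ASSUMED key of the "Detection URL" custom field


def build_incident_request(demisto_host: str, api_key: str, detection: Dict) -> Dict:
    """Build the HTTPS POST that creates one Demisto incident for a detection.
    Mirrors the ODS target above: port 443 and an Authorization header that
    carries the raw Demisto API key (no 'Bearer' prefix)."""
    body = {
        "name": detection["title"],
        "type": INCIDENT_TYPE,
        "details": detection["description"],
        "createInvestigation": True,
        "CustomFields": {DETECTION_URL_FIELD: detection["url"]},
    }
    headers = {"Authorization": api_key, "Content-Type": "application/json",
               "Accept": "application/json"}
    return {"url": f"https://{demisto_host}:443/incident", "headers": headers,
            "body": json.dumps(body)}


def find_duplicate(existing: List[Dict], detection_url: str, search_closed: bool) -> Optional[Dict]:
    """Apply the pre-process rule: Detection URL 'is identical' is an exact string
    match; closed incidents count only when 'Search closed incidents' is selected."""
    for inc in existing:
        if inc["CustomFields"].get(DETECTION_URL_FIELD) != detection_url:
            continue
        if inc["status"] == "closed" and not search_closed:
            continue
        return inc
    return None


def handle_detection(detection: Dict, existing: List[Dict], demisto_host: str,
                     api_key: str, search_closed: bool = True) -> Dict:
    """Drop and update the matching incident if one exists, otherwise create one."""
    dup = find_duplicate(existing, detection["url"], search_closed)
    if dup is not None:
        return {"action": "drop_and_update", "incident_id": dup["id"],
                "ticket_url": TICKET_URL.format(demisto_host=demisto_host, ticket_id=dup["id"])}
    return {"action": "create", "request": build_incident_request(demisto_host, api_key, detection)}


# Constructed sample data: a closed incident for detection 1001 seen earlier.
EXISTING = [{"id": "41", "status": "closed", "CustomFields": {
    DETECTION_URL_FIELD: "https://reveal.example/extrahop/#/detections/detail/1001"}}]
```

With Search closed incidents left unselected, a repeat of detection 1001 would be created as a second incident instead of updating the closed one.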