Phantom Integration

Description

The Phantom integration for ExtraHop Reveal(x) enables you to automate and orchestrate rapid security investigation, response, and remediation workflows. ExtraHop Reveal(x) provides a uniquely rich, real-time data source by turning unstructured packets into structured wire data and analyzing it in real-time. Based on this data, you can confidently configure Phantom to automate security workflows and investigations and orchestrate precise, rapid responses to security threats more effectively than ever before.

Extrahop and Phantom connect through simple, powerful REST APIs, making it easy to build and iterate new use cases to get the most value for the least effort, a vital capability for thinly stretched enterprise security teams.

The Phantom integration for ExtraHop Reveal(x) is composed of an ExtraHop bundle and a Phantom app. The ExtraHop appliance sends events to Phantom through an ExtraHop open data stream (ODS), which is accessed through the ExtraHop Trigger API.

In Phantom, these events create a container with a single child artifact.

Bundle Contents

• (1) Alert
  • Phantom - Data Exfiltration Detected
• (1) Application
  • Phantom Cyber
• (2) Dashboards
  • Phantom Setup
  • Phantom Status
• (1) Dynamic Group
  • Database Servers
• (3) Triggers
  • Phantom Connector
  • Phantom Database Access
  • Phantom Detect Data Exfiltration

Requirements

• ExtraHop version 7.2 or later
• An ExtraHop Reveal(x) license
• Phantom version 3.5.180 or later

Installation Instructions

Here is an overview of the steps you must complete to integrate Phantom with ExtraHop Reveal(x):

1. Create an ExtraHop user on the Phantom appliance
2. Create an HTTP Open Data Stream (ODS) on the ExtraHop appliance
3. Install the ExtraHop Phantom Integration bundle
4. Generate an ExtraHop REST API Key
5. Install and configure the ExtraHop app on the Phantom appliance
6. Configure Extrahop Playbooks on the Phantom appliance

1. Create an ExtraHop user on the Phantom appliance

You must create a dedicated user on the Phantom appliance to handle authentication with the ExtraHop appliance. The user must be assigned the Automation role.

1. On the Phantom appliance, navigate to Administration>User Management.
2. Click +User.
3. In the User Type field, select Automation.
4. In the Username field, type automation-extrahop.
5. In the Allowed IPs field, type the IP address of the ExtraHop appliance.
6. In the Default Label field, select NEW ENTRY, and then type extrahop_events.
7. Click Save.
8. Select the automation-extrahop user.
9. Scroll down to the Authorization Configuration for REST API section.
10. Copy the ph-auth-token value for the next step.

2. Create an HTTP Open Data Stream (ODS) on the ExtraHop Appliance

You must create an HTTP open data stream on the ExtraHop appliance to enable communication with the Phantom appliance.

1. Log into the Admin UI on the ExtraHop appliance.
2. In the System Configuration section, click Open Data Streams.
3. Click Add Target.
4. In the Target Type field, select HTTP.
5. In the Name field, type phantom.
6. In the Host field, type the IP address or hostname of the Phantom appliance.
7. In the Port field, type 443.
8. In the Type field, select HTTPS.
9. In the Additional HTTP header field, type the following text:

ph-auth-token:<Your Auth Token> 10. In the Authentication field, select None.

3. Install the ExtraHop Phantom Integration bundle

1. Download the bundle on this page.
2. Log into the ExtraHop Web UI and complete the instructions in the following topic: Upload and Apply the Bundle

Note: You must enable the Phantom Connector trigger to allow your ExtraHop appliance to communicate with Phantom. The remaining triggers and alerts in the bundle are Phantom playbook examples and are not required. For more information, see Playbook examples.

4. Generate an ExtraHop REST API Key

You must generate a REST API key on the ExtraHop appliance to allow Phantom to communicate with the appliance.

1. Log into the Admin UI on the ExtraHop appliance with a user account that has full write privileges.
2. Complete the instructions in the following topic: Generate a REST API key.
3. After you generate the key, copy the key to your clipboard.

5. Install and configure the ExtraHop app on the Phantom appliance

You must install the ExtraHop app on your Phantom appliance. After the app is installed and configured, the actions included in the app will be available in your Phantom Playbooks.

1. On the Phantom appliance, navigate to Apps.
2. Click New Apps, and then click Install All.
3. Click App Updates, and then click Update All.
4. In the Search Apps bar, type ExtraHop.
5. Click the Unconfigured Apps tab.
6. Click Configure New Asset for the ExtraHop app.
7. In the Asset Name field, type a name for the ExtraHop appliance, such as eh-data-center-01.
8. In the Asset Description field, type a meaningful description, such as ExtraHop appliance in Data Center 1.
9. Click Asset Settings.
10. In the IP Address or Hostname field, type the IP address or hostname for the ExtraHop appliance.
11. In the REST API Key field, type the key you generated in the previous section.
12. Click Save.
13. Click Test Connectivity.

If Test Connectivity to ExtraHop Passed does not appear, make sure that the IP address or hostname and REST API key are correct.

Playbook examples

The ExtraHop app for Phantom and the Phantom bundle for ExtraHop include example playbooks to help get you started. These example playbooks demonstrate how you can configure third-party Phantom apps to react to wire data observed by ExtraHop.

Disclaimer: The example playbooks rely on third-party Phantom integrations that are tested and maintained independently of the ExtraHop app.

ExtraHop Externally Accessible Databases

This playbook example shows you how to configure the Palo Alto Networks Firewall app to automatically block external clients from accessing internal databases. When an ExtraHop appliance detects an external machine accessing an internal database, the appliance sends information about the client, server, and peers of those machines to the Phantom appliance. In Phantom, the Palo Alto Networks Firewall app then blocks traffic from the specified external client IP address.

Components

• Phantom Database Access trigger: This ExtraHop trigger counts each time an external IP address accesses an internal database.
• Phantom Connector trigger: This trigger sends the information collected by the Phantom Database Access trigger to the Phantom app.
• Palo Alto Networks Firewall app: This Phantom app blocks the external IP addresses from accessing the internal database.

To configure this playbook:

1. On the ExtraHop appliance, click the System Settings icon, and then click Triggers.
2. Select the checkbox next to Phantom Database Access, and then click Enable.
3. On the Phantom appliance, navigate to Playbooks.
4. In the search bar, type ExtraHop.
5. In the row for extrahop_externally_accessible_databases, select Active from the Status list.

Extrahop Detect Data Exfiltration

This playbook example shows you how to configure the Anomali ThreatStream app to analyze devices involved in ExtraHop data-exfiltration anomalies. When an ExtraHop appliance detects a data exfiltration anomaly on a device, the appliance sends a list of all recent peers of the device to the Phantom appliance. In Phantom, the Anomali ThreatStream app analyzes each IP address. If ThreatStream finds a known bad IP address, it notifies the ExtraHop appliance, which adds the bad_ip_reputation tag to the device. Phantom then creates a task for an analyst to manually look into the data exfiltration event.

Components

• Phantom - Data Exfiltration Detected alert: This ExtraHop alert is generated when ExtraHop detects a data exfiltration anomaly.
• Phantom Detect Data Exfiltration trigger: Whenever a Data Exfiltration Detected alert is generated, this ExtraHop trigger records information about peers of the device that the anomaly was detected on.
• Phantom Connector trigger: This trigger sends the information collected by the Phantom Detect Data Exfiltration trigger to the Phantom app.
• Anomali ThreatStream app: This Phantom app analyzes the peer IP addresses sent from an ExtraHop appliance.

To configure this playbook:

1. On the ExtraHop appliance, click the System Settings icon, and then click Triggers.
2. Select the checkbox next to Phantom Detect Data Exfiltration, and then click Enable.
3. Click the System Settings icon and then click Alerts.
4. Select the checkbox next to Phantom - Data Exfiltration Detected, and then click Enable.
5. On the Phantom appliance, navigate to Playbooks.
6. In the search bar, type ExtraHop.
7. Click extrahop_detect_data_exfiltration.
8. Click Edit Playbook.
9. Click the decision block directly following the ip reputation block and configure the threshold values for both Threat Score and Confidence to fit your operational requirements.
10. Click Save.
11. In the row for extrahop_detect_data_exfiltration, select Active from the Status list.

ExtraHop New DNS Servers

This playbook example shows you how to configure a Nessus vulnerability scanner app to scan new DNS servers discovered by the ExtraHop system for vulnerabilities. The playbook queries the ExtraHop appliance every 30 minutes through the ExtraHop REST API for information about any newly discovered DNS servers on your network. The Nessus Phantom app then scans each of the new DNS servers for potential vulnerabilities.

Components

• Timer asset: This Phantom asset queries an ExtraHop appliance for newly discovered DNS servers on your network and forwards information about those servers to Nessus.
• Nessus app: This Phantom app scans DNS servers for potential security vulnerabilities.

To configure this playbook:

1. On the Phantom appliance, navigate to Playbooks.
2. In the search bar, type ExtraHop.
3. Click extrahop_new_dns_servers.
4. Click Edit Playbook.
5. Click the decision block directly following the list policies block and type a name to identify the Nessus scan policy.
6. Click Save.
7. In the row for extrahop_new_dns_servers, select Active from the Status list.
8. Configure a Timer asset with the following configuration.
   1. In the Asset Name field, type extrahop_new_dns_server.
   2. In the Asset Description field, type Creates an Event that runs the extrahop_new_dns_servers playbook every 30 minutes.
   3. Click Asset Settings.
   4. In the Name of created event field, type Auto discover new DNS servers.
   5. Click Ingest Settings.
   6. In the Label to apply to objects from this source field, select NEW ENTRY, and type extrahop_discovery.
   7. In the Polling Interval field, select Scheduled.
   8. In the Every field, select 30 minutes.
9. Click Save.

Next steps

When new events are received in Phantom, you can view them in the sources section of the Phantom Web UI.