Description
The Reveal(x) Extras bundle provides quick insight into common security concerns in your network. The bundle includes a dashboard that summarizes information about the cryptographic strength of secure connections, Kerberos and LDAP authentication errors, threat intelligence indicators in north-south traffic, and traffic detected over deprecated network protocols. The bundle also provides detail metrics, records, and alerts.
Requirements
Reveal(x) Summer 2018 or later
Installation Instructions
- Download the bundle on this page.
- Log into the ExtraHop Web UI and complete the following procedures:
- Upload and Apply a Bundle
- Enable each of the Reveal(x) Extras alerts, which begin with "RXE". Click Alerts from the System Settings icon and then click on the alert name. Clear the Disable Alert checkbox. Optionally, you can configure notification settings and alert thresholds to fit your environment.
- Enable each of the Reveal(x) Extras triggers, which begin with "RXE". Click Triggers from the System Settings icon and select the checkboxes next to the trigger. Then, click Enable from the toolbar.
- Configure the RXE: Authentication trigger script by modifying the following settings:
- Set the failedLoginDisableInterval variable to match your Reset account lockout counter after policy setting in Active Directory.
- Set the accountLockoutDuration variable to match your Account lockout duration policy setting in Active Directory.
- Add the names of any privileged accounts in your environment to the priv_names array.
- Optionally, set the commit_exa_record variable to true to send Kerberos Request (RXE) and Kerberos Response (RXE) records to an ExtraHop Explore appliance. If you are unfamiliar with triggers, learn how to build a trigger.
- Configure the RXE: North-South Monitoring trigger script by modifying the following settings:
- To receive alerts when traffic is detected from specific countries, add those countries to the 'countryAlerts' array. Country names must match GeoLite2 naming conventions. For example, the following array contains Canada and North Korea:
const countryAlerts = ['Canada', 'North Korea'];
- To send North-South Monitor (RXE) records to an ExtraHop Explore appliance, set the 'commit_exa_record' variable to 'true'.
- Configure the RXE: TLS Auditing trigger script by modifying the following settings:
- Set the notifyAt variable to the number of days before a certificate expires at which you would like to be notified. Certificates that expire in less than the specified number of days are classified as expiring certificates.
- Add the subject names of any certificates that you want to exclude from metrics to the whitelist array.
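As an added example (not code from the Reveal(x) Extras bundle or its triggers), the following JavaScript shows how the notifyAt and whitelist settings decide whether a certificate is counted as expiring or excluded from metrics, run over constructed sample records. The record field names (subject, notAfter) and the separate 'expired' class are assumptions made for illustration.

```javascript
// Added example, not the bundle's trigger code: evaluates the RXE: TLS Auditing
// notifyAt and whitelist settings against certificate records. Record field
// names and the distinct 'expired' class are assumptions for illustration.

const notifyAt = 30;                          // days of warning before expiry
const whitelist = ['test.internal.example'];  // subject names excluded from metrics

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Whole days from `now` until the certificate's notAfter timestamp (negative if past).
function daysUntilExpiry(notAfter, now) {
  return Math.floor((Date.parse(notAfter) - now.getTime()) / MS_PER_DAY);
}

// Classify one certificate: 'excluded' (whitelisted subject), 'expired',
// 'expiring' (fewer than notifyAt days left) or 'valid'.
function classifyCertificate(cert, now, settings) {
  if (settings.whitelist.includes(cert.subject)) return 'excluded';
  const days = daysUntilExpiry(cert.notAfter, now);
  if (days < 0) return 'expired';
  if (days < settings.notifyAt) return 'expiring';
  return 'valid';
}

// Summarize a batch of certificate records the way a dashboard metric would.
function auditCertificates(certs, now, settings) {
  const summary = { excluded: 0, expired: 0, expiring: 0, valid: 0, expiringSubjects: [] };
  for (const cert of certs) {
    const cls = classifyCertificate(cert, now, settings);
    summary[cls] += 1;
    if (cls === 'expiring') summary.expiringSubjects.push(cert.subject);
  }
  return summary;
}

// Constructed sample records; `now` is fixed so the results are reproducible.
const now = new Date('2024-01-01T00:00:00Z');
const sampleCerts = [
  { subject: 'www.example.com',       notAfter: '2024-01-10T00:00:00Z' }, // 9 days left: expiring
  { subject: 'mail.example.com',      notAfter: '2024-06-01T00:00:00Z' }, // 152 days left: valid
  { subject: 'old.example.com',       notAfter: '2023-12-20T00:00:00Z' }, // already expired
  { subject: 'test.internal.example', notAfter: '2024-01-05T00:00:00Z' }, // whitelisted: excluded
];

const report = auditCertificates(sampleCerts, now, { notifyAt, whitelist });
console.log(JSON.stringify(report));
```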