
Phantom Playbook Integration

Rich Wire Data Insights Meet Simple, Powerful Automation

ExtraHop delivers network detection and response (NDR) with unprecedented visibility into your network, automatic discovery and classification of every asset, and 100Gbps analytics on every transaction, including encrypted communications. With Phantom, you can use this data to integrate with other tools and automate investigation and response actions for faster, more effective security operations.

Automate Investigations. Orchestrate Responses. Stop Threats Faster.

Phantom enables simple automation and orchestration of complex processes through playbooks. With playbooks, Phantom users can take data from hundreds of products and use a simple drag-and-drop interface to send data between platforms and automate investigation and response actions. Below are the pre-constructed playbooks available in the ExtraHop for Phantom app. You can also build your own!

Use Case

Scan New DNS Servers for Vulnerabilities

This playbook discovers new DNS servers on your network and initiates Nessus vulnerability scans. Whether it's a rogue DNS server or your IT department's newly configured DNS server, this playbook enables you to automatically know that it exists and perform an in-depth scan.

Block External Access to Internal Databases

This playbook processes an ExtraHop detection of an internal database being accessed from outside the network and blocks the corresponding external client IP address on a Palo Alto Networks firewall. A single misconfigured firewall rule can expose private data, so with wire data this playbook can block the access in near real time and notify you, leaving your team free to investigate whether the exposure is part of a larger external-access problem.
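The decision step that sits between the detection and the firewall call is where this playbook can go wrong: a mislabelled client address could push an internal host into a perimeter block list. The following is an added example written for this page, not ExtraHop's or Phantom's own code and not Phantom's playbook API; the detection JSON shape, the field names, the internal ranges, the allowlist entries and the sample addresses are all constructed for illustration.

```python
"""Added example (not ExtraHop's or Phantom's code): the decision logic a
"block external access to internal database" playbook should run before it
pushes a block to a firewall. The detection JSON shape, field names, address
ranges and sample IPs below are constructed assumptions, not ExtraHop's real
schema or Phantom's playbook API."""
import ipaddress
import json

# Address space the organisation treats as internal (assumed values). This is
# deliberately an explicit, configurable list rather than ipaddress.is_global,
# which also rejects documentation ranges such as 203.0.113.0/24 used in the
# constructed samples below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# External sources that must never be auto-blocked (assumed values): e.g. a
# partner VPN gateway range and an authorised external scanner.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.10/32")]


def make_detection(client_ip, db_ip, port=3306, protocol="MySQL"):
    """Build a constructed detection document in the assumed shape."""
    return json.dumps({
        "type": "external_database_access",
        "offender": {"ipaddr": client_ip},
        "victim": {"ipaddr": db_ip, "port": port, "protocol": protocol},
    })


# Constructed sample: public client reaching an internal MySQL server.
SAMPLE_DETECTION = make_detection("203.0.113.77", "10.20.30.40")


def is_internal(ip_str):
    """True when the address falls inside any configured internal range."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def in_allowlist(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWLIST)


def plan_block(detection_json):
    """Decide what the playbook should do for one detection.

    Returns a dict whose 'action' is 'block', 'skip' or 'ignore', with a reason.
    Only a 'block' result should be handed to the firewall step."""
    det = json.loads(detection_json)
    if det.get("type") != "external_database_access":
        return {"action": "ignore", "reason": "not a database-access detection"}
    client = det["offender"]["ipaddr"]
    db = det["victim"]["ipaddr"]
    # Guard 1: the client must really be external. Blocking an internal address
    # at the perimeter does nothing useful and may mask a lateral-movement case.
    if is_internal(client):
        return {"action": "skip", "reason": f"client {client} is internal; route to investigation"}
    # Guard 2: the target must really be internal, otherwise this is not
    # "an internal database accessed externally".
    if not is_internal(db):
        return {"action": "skip", "reason": f"target {db} is not an internal address"}
    # Guard 3: never auto-block a known-good external source.
    if in_allowlist(client):
        return {"action": "skip", "reason": f"client {client} is allowlisted"}
    return {
        "action": "block",
        "src_ip": client,
        "dst_ip": db,
        "dst_port": det["victim"]["port"],
        "reason": f"{det['victim']['protocol']} from external {client} to internal {db}",
    }


if __name__ == "__main__":
    print(plan_block(SAMPLE_DETECTION))
    print(plan_block(make_detection("10.1.1.5", "10.20.30.40")))
    print(plan_block(make_detection("198.51.100.7", "10.20.30.40")))
```

The three guards are the point: a firewall block is cheap to issue and expensive to get wrong, so the playbook should only automate the case it was built for and route everything else to a human.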

Investigate Data Exfiltration Anomalies

This playbook processes an ExtraHop machine-learning anomaly indicating potential data exfiltration from your network. ExtraHop anomaly detection surfaces these events as they happen, so your team can act quickly and proactively. This playbook puts that into action by automatically starting the investigation and taking the first steps toward responding to possible exfiltration of sensitive data.

How It Works

ExtraHop Reveal(x) analyzes wire data to discover and classify every asset communicating in your environment, and uses machine learning to develop a running baseline of what normal behavior looks like. Reveal(x) provides rich data about every asset, and can do even deeper analysis on assets defined as critical, such as databases, file servers, and anywhere sensitive data is stored or communicated. Reveal(x) sees who is acting on your critical assets and what they are doing, right down to the database queries or file manipulation commands they are executing. When something abnormal happens that indicates a security threat, an anomaly is recorded and mapped to a step of the attack chain.

With Phantom, this data can be used to accelerate your current investigation processes, automate away slow, tedious steps, and trigger rapid responses so that attacks can be stopped in progress, or investigated soon enough to prevent further damage.

For more detail, get the joint integration brief from ExtraHop and Phantom.

Reveal(x) Workflow

Why Wire Data

Wire data provides an unbiased, complete, immutable, and detailed record of all communication in your environment in a way that log data cannot. Applications without logging enabled can still be monitored, and even where logging is configured, ExtraHop captures critical details not included in the logs.

By supplementing your existing data sources with wire data, your SIEM can get complete visibility into everything communicating in your enterprise, enabling it to detect more threats and empowering your incident responders to discover root cause faster.