ExtraHop Reveal(x) 360 Plugin for Threat Exchange
ExtraHop Reveal(x) 360 Plugin for Threat Exchange
This document explains how to configure the ExtraHop integration with the Threat Exchange module of the Netskope Cloud Exchange platform. This plugin supports pulling URL (IP Address, Hostname) type of indicators from ExtraHop Reveal(x) 360. This plugin does not support pushing any indicators to ExtraHop Reveal(x) 360.
Prerequisites
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- ExtraHop Reveal(x) 360 account with API Access enabled.
- Connectivity to the following host: ExtraHop Reveal(x) 360 login URL. Example: https://extrahop-bd.cloud.extrahop.com/
Compatibility
This plugin is compatible with the below Netskope CE versions: Netskope CE: v4.1.0, v4.2.0
ExtraHop Reveal(x) 360 Plugin Support
| Fetched Indicator Types | Shared Indicator Types |
|---|---|
| URL (IP Address, Hostname) | Not supported |
Mappings
Mappings for Pull (Netskope field – ExtraHop Reveal(x) 360 fields)
| Netskope CE Fields | ExtraHop Fields |
|---|---|
| Value | object_value, hostname |
| Type | URL |
| Severity | risk_score |
| Comments | Id: “id”,
Risk Score: “risk_score”, Type: “type”, Mattire Information: “mitre_tactics”, Description: “description” |
| Firstseen | mod_time |
| Lastseen | mod_time |
Mappings for Push
- Push is not supported.
Permissions
- The REST API Access and generate credentials access should be enabled for the system, For more details refer to the ExtraHop Reveal(x) 360 documentation here.
- API Access
| Functionality | Permissions |
|---|---|
| Pull Indicators |
System Access > Full read-only. NDR Module Access > Full access. |
API Details
We have used the ExtraHop Reveal(x) 360 Rest API for authenticating the credentials and pulling the data from ExtraHop Reveal(x) 360.
List of APIs Used
| API Detail | Method | API Endpoint |
|---|---|---|
| Generate Token | POST | /oauth2/token |
| Pull Indicators | POST | /api/v1/detections/search |
Generate Token
API Endpoint: /oauth2/token
Method: POST
Parameters:
grant_type: client_credentials
Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Basis <base64 encoded client id and client secret separated by colon>
API Request Endpoint:
https://extrahop-bd.api.cloud.extrahop.com/oauth2/token?grant_type=client_credentials
Sample API Response:
{
"access_token": "eyJraWQiOiJkbndoem42RUNpaW9mSDRSTWdVV0FlZ1lhRHMrVlRDeDhXN1dJZnpVYjZjPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIyYTFsN2ZkaGRxdHR1YzlpcXBzamd1bHNpcSIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiY2NwXC9kZXRlY3Rpb25fYWNjZXNzX2xldmVsLmZ1bGwgY2NwXC9ucG1fYWNjZXNzX2xldmVsLm5vbmUgY2NwXC9wYWNrZXRzX2xldmVsLm5vbmUgY2NwXC93cml0ZV9sZXZlbC5mdWxsX3JlYWRvbmx5IiwiYXV0aF90aW1lIjoxNjk3OTgzNzAxLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAudXMtd2VzdC0yLmFtYXpvbmF3cy5jb21cL3VzLXdlc3QtMl85YU9FMWltMXIiLCJleHAiOjE2OTc5ODQzMDEsImlhdCI6MTY5Nzk4MzcwMSwidmVyc2lvbiI6MiwianRpIjoiNTllMjc0ZGItMTYxMS00MDRjLTk1NzgtZWJiNDQwZmE5ZTU3IiwiY2xpZW50X2lkIjoiMmExbDdmZGhkcXR0dWM5aXFwc2pndWxzaXEifQ.pw-cbQTSVC1HlRdl_v63s3wbHnqsDNfVJ1Ln9H0GsJvHENKG5borLHIPTsquhov6rEmmzzs6NxMhX5VFY0dH0XWgmrV5BFN4Q5vASQ2lZVY_1NjEqYsJAcVLrzmxy7TqMN_L7kuoX5ijN_mAezxwfnj4hQfrd1ojUVt7_wzSUIVpZy6dDARs1EdrrFAZw70zXW7vTUlzhkiqMthAwD2TaoxOcewHFlC3lgvIjz_DoEYUB09qsP0EJ4oQNaCxetJjPkddN2DqVXEnAi5Jvz6fILbT-wFWua-AEBvk-GXGMXBUKCYs4g-ZvnWnSpcfsMAJZTTOO-05qpbnYE-K3N7qOQ",
"expires_in": 600,
"token_type": "Bearer"
}
Pull Data
Example:
API Endpoint: api/v1/detections/search
Method: POST
Parameters: None
Body:
{
"offset": 0,
"limit": 1,
"mod_time": 1696524883357,
"filter": {
"risk_score_min": 0
},
"sort": [
{
"direction": "asc",
"field": "mod_time"
}
]
}
API Request Endpoint:
https://extrahop-bd.api.cloud.extrahop.com/api/v1/detections/search
Sample API Response:
[
{
"id": 21474836485,
"start_time": 1696521252445,
"update_time": 1696521252445,
"end_time": 1696521252445,
"mod_time": 1696524883357,
"title": "ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement",
"description": "The ExtraHop system observed activity that matched rule values in signature ID\n(SID) 2027185:\n\n * Flow: [tcp] any → internal 445\n * Payload: `/SMB.*(?i)ipconfig(?-i)/s`\n\n\nRule Created: 2019-04-11 \n\n\n",
"risk_score": 45,
"type": "ids_bad_unknown",
"recommended_factors": [],
"recommended": false,
"categories": [
"sec",
"sec.ids"
],
"properties": {
"sid": "2027185"
},
"participants": [
{
"role": "offender",
"object_id": 12884901896,
"object_type": "device",
"object_value": "10.1.0.86",
"hostname": "pc2.i.rx.tours",
"id": 2171,
"external": false,
"scanner_service": null
},
{
"role": "victim",
"object_id": 12884901899,
"object_type": "device",
"object_value": "10.1.0.238",
"hostname": "pc3.i.rx.tours",
"id": 2174,
"external": false,
"scanner_service": null
}
],
"ticket_id": null,
"assignee": null,
"status": null,
"resolution": null,
"mitre_tactics": [],
"mitre_techniques": [],
"appliance_id": 5,
"is_user_created": false
}
]
Performance Matrix
Here is the performance reading conducted after pulling 100K IoCs on a Large CE instance with the below specifications.
| Stack details | Size: Large
RAM: 32 GB CPU: 16 Cores |
| Indicators pulled from ExtraHop Reveal(x) 360 | ~20K per minute |
User Agent
The user agent added for this plugin is in the following format:
netskope-ce-<CE VERSION>-<MODULE NAME>-<PLUGIN NAME>-v<PLUGIN VERSION>
Example
netskope-ce-4.2.0-cte-extrahop-reveal(x)-360-v1.0.0
Workflow
- Configure Netskope tenant.
- Configure URL List on Netskope tenant.
- Configure the CTE Netskope plugin.
- Configure the CTE ExtraHop Reveal(x) 360 plugin.
- Configure Sharing between ExtraHop Reveal(x) 360 and Netskope CTE plugin.
- Validate the ExtraHop Reveal(x) 360 plugin.
Click play to watch a video.
Get you ExtraHop Reveal(x) 360 Base URL, Client ID, and Client Secret
- Log in to your ExtraHop Reveal(x) 360 instance and go to Settings > API Access.
- Scroll down and click Create Credentials.
- Provide a name for your Rest API Credentials and provide the below access.
- System Access > Full read-only.
- NDR Module Access > Full access.
- Click Save.
- Copy the API Endpoint and remove the oath2/token from it. This will be the Base URL for the plugin.
- Copy the ID and Secret. This secret will not be visible later so make sure to make a copy.
Configure the ExtraHop Reveal(x) 360 Plugin
- Go to Settings > Plugins, then search for and select the ExtraHop Reveal(x) 360 (CTE) plugin box.
- Enter and select these parameters:
- Configuration Name: Enter a unique name for the configuration.
- Sync Interval: Leave the default.
- Aging Criteria: Expiry time of the plugin in days. ( Default: 90 )
- Override Reputation: Set a value to override the reputation of indicators received from this configuration.
- Enable SSL Validation: Enable SSL Certificate validation.
- Use System Proxy: Enable if a proxy is required for communication.
- Click Next.
- Enter and select these parameters:
- Base URL: ExtraHop Reveal(x) 360 API Base URL. This Base URL is displayed in the Reveal(x) 360 API Access page under API Endpoint. The Base URL should not include the /oauth/token.
- Client ID: ExtraHop Reveal(x) 360 API Client ID.
- Client Secret: ExtraHop Reveal(x) 360 API Client Secret.
- Minimum Risk Score: Only the indicators with severity greater than or equal to the specified value will be fetched. Select a value between 0-99. If no value is provided all the indicators will be fetched.
- Initial Range: Number of days to pull the data for the initial run.
- Click Save.
Configuring a Business Rule for ExtraHop Reveal(x) 360
To share indicators fetched from ExtraHop Reveal(x) 360 to the Threat Exchange, you need a business rule that will filter out the indicators that you want to share. To configure a business rule, follow these steps:
- Go to Threat Exchange > Business Rules and click Create New Rule.
- Add your required filter for the IOCs you want to share and click Save.
Configuring Sharing for the ExtraHop Reveal(x) 360 Plugin
To share IoCs from the ExtraHop Reveal(x) 360 plugin to Netskope, follow these steps:
- Go to Threat Exchange > Sharing and click Add Sharing Configuration.
- Select your Source Configuration(ExtraHop Reveal(x) 360), Business Rule, Destination Configuration(Netskope), and Target, and Select the existing IoC List Name or create a new IoC list on the platform.
- Click Save.
Validate the ExtraHop Reveal(x) 360 Plugin
Validate the Pull
- You can verify the pulling of IoCs from the plugin by going to Loggings and checking the pulled logs from the ExtraHop Reveal(x) 360 plugin.
- You can check the pulled data stored in CE under Threat Exchange > Threat IoCs. Search the IoCs pulled from the plugin. You can also filter the IoCs based on the tags, as shown below.
- To verify the pull from the ExtraHop Reveal(x) 360 platform, log in to the ExtraHop Reveal(x) 360 platform and go to the Detection tab on the top. You will see the detections, we pull the offender’s hostname and IP address of the detections.
Validate the Push
The ExtraHop Reveal(x) 360 plugin does not support the pushing of IoCs.
You can push the IoCs pulled from the ExtraHop Reveal(x) 360 to Netskope or any Third-party plugin supported in Threat Exchange.
Follow these steps to verify the pushed IoCs to Netskope.
- To validate the pushed indicator on Netskope Cloud Exchange, go to Threat IoCs and search for IoCs that are shared with Netskope.
- You can also verify the pushed IoCs from Logging in Cloud Exchange.
- Filter the logs available from the Netskope plugin.
To validate the IoCs shared on Netskope, follow these steps:
- Log in to Netskope tenant. Go to Policies > Web > URL Lists. Click on your URL List which you selected while configuring the sharing and check the shared IoCs.
Note: We have shared both types of URLs (IPv4 and Hostname) pulled from ExtraHop Reveal(x) 360 to Netskope URL List.
Troubleshooting
Unable to pull IoCs from the Plugin
If you are not able to pull any IoCs from the plugin it might be due to one of the following reasons:
- IoCs are not available at all for pulling.
- The Detections present on ExtraHop Reveal(x) 360 does not contain the Offender’s information i.e., Object Value or Hostname.
- There are no detections on ExtraHop Reveal(x) 360 matching the severity selected on the configuration page.
What to do: If you are receiving the above issue it might be due to one of the above-mentioned points. In order to resolve this issue follow these steps respectively:
- IOCs are not available at all for pulling.
- Log in to the ExtraHop Reveal(x) 360 platform and navigate to the Detection tab on the top. You will see the detections and under the offender section the hostname and IP address of the detections.
- Log in to the ExtraHop Reveal(x) 360 platform and navigate to the Detection tab on the top. You will see the detections and under the offender section the hostname and IP address of the detections.
- The Detections present on ExtraHop Reveal(x) 360 does not contain the Offender’s information, like Object Value or Hostname.
- Check under the Detections if the detections present on the platform have Offender information (Hostname or IP address) – The detections will only be fetched if it has at least any one of these details.
- There are no detections on ExtraHop Reveal(x) 360 matching the severity selected on the configuration page.
