Cyware Orchestrate

ExtraHop Reveal(x) NDR

App Vendor: ExtraHop Reveal(x) NDR

App Category: Network Security

Connector Version: 1.1.1

API Version: v1

Note

This is a beta app and the documentation is in progress.

About App

ExtraHop's Reveal(x) NDR platform enhances cybersecurity by leveraging the network for comprehensive visibility and control. It simplifies security workflows, offering real-time threat detection, deep insights, and automated responses, allowing organizations to effectively counter cyberattacks.

The ExtraHop Reveal(x) NDR app is configured with Cyware Orchestrate to perform the following actions:

Action Name

Description

Generic Action 

This generic action extends the implemented actions by making a request to any endpoint of the ExtraHop REST API.

Get All Devices 

This action retrieves all devices.

Get Detection Details 

This action retrieves detection details using the detection ID.

Get All Detections 

This action retrieves all detections.

Get Device Details 

This action retrieves device details.

Get Device Groups 

This action retrieves device groups.

Get Packet Captures 

This action retrieves metadata for all packet captures.

Get User Details 

This action retrieves user details.

List Users 

This action lists all users.

Search Detection 

This action searches detections with the given search filters.

Search Packets 

This action searches packets.

Update Detection 

This action updates a detection.

Get Appliance Details 

This action retrieves appliance details using the appliance ID.

Configuration Parameters

The following configuration parameters are required for the ExtraHop Reveal(x) NDR app to communicate with the ExtraHop Reveal(x) NDR enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Hostname 

Enter the hostname of the ExtraHop API server.

Text

Required

API Key 

Enter the API key of the ExtraHop API client. 

Example:

2bc07e55971d4c9a88d0bb4d29ecbb29

Password

Required

Verify 

Select whether to verify the SSL/TLS certificate of the ExtraHop API server when making requests. It is recommended to select true. If false is selected, certificate and hostname verification are skipped, so anyone on the network path can intercept the connection and read the API key; use false only for testing against an appliance with a self-signed certificate.

Boolean

Optional

Allowed Values:

  • True

  • False

Default: 

True

Timeout 

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with ExtraHop Reveal(x) NDR.

Integer

Optional

Available range:

15-120 seconds

Default value:

15 seconds

Action: Generic Action

This generic action extends the implemented actions by making a request to any endpoint of the ExtraHop REST API.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Method 

Enter the HTTP method to make a request.

Text

Required

Endpoint 

Enter the endpoint to make the request to. 

Example: 

/api/v1/detections/{detection_id}

Text

Required

Query Params 

Enter the query parameters to pass to the API.

Key Value

Optional

Payload 

Enter the payload to pass to the API.

Any

Optional

Extra Fields 

Enter the extra fields to pass to the API.

Key Value

Optional
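The following Python example is added here for illustration; it is not part of the Cyware app or of the ExtraHop product. It shows how the instance parameters above (Hostname, API Key, Verify, Timeout) and the Generic Action inputs (Method, Endpoint, Query Params) map onto an ExtraHop REST API request, together with the checks a playbook author would want before sending one: the Timeout range, the effect of Verify=false, percent-encoding of IDs substituted into the endpoint path, and redaction of the API key before logging. It assumes ExtraHop's API key header format (Authorization: ExtraHop apikey=<key>) and that all endpoints live under /api/v1/; the hostname and ID values are constructed sample input. The request is built but not sent.

```python
"""Build (without sending) an ExtraHop REST API request from the app's instance
settings and Generic Action inputs.

Added example; not Cyware's or ExtraHop's own code.  Assumptions: ExtraHop API
key authentication uses the header "Authorization: ExtraHop apikey=<key>", and
all endpoints live under /api/v1/.  The hostname and IDs used below are
constructed sample values.
"""
import posixpath
import ssl
from urllib.parse import quote, urlencode

ALLOWED_METHODS = {"GET", "POST", "PATCH", "PUT", "DELETE"}
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15   # instance Timeout range


def resolve_timeout(value=None):
    """Apply the instance Timeout rules: default 15 s, allowed range 15-120 s."""
    if value is None:
        return TIMEOUT_DEFAULT
    value = int(value)
    if not TIMEOUT_MIN <= value <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be between {TIMEOUT_MIN} and {TIMEOUT_MAX} seconds")
    return value


def tls_context(verify=True):
    """Verify=True (recommended): certificate chain and hostname are checked.
    Verify=False: both checks are disabled, so anyone on the network path can
    present any certificate, terminate the connection and read the API key."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fill_path(template, **params):
    """Substitute {name} placeholders with percent-encoded values so an ID taken
    from an alert cannot inject extra path segments or a query string."""
    return template.format(**{k: quote(str(v), safe="") for k, v in params.items()})


def build_request(hostname, api_key, method, endpoint, query_params=None):
    """Return the method, URL and headers for a Generic Action call."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"Unsupported HTTP method: {method}")
    if "/" in hostname or "?" in hostname:
        raise ValueError("Hostname must be a bare host name, not a URL")
    # Normalise first so "/api/v1/../x" cannot escape the API root, and keep
    # query strings out of the path (they belong in query_params).
    if (not posixpath.normpath(endpoint).startswith("/api/v1/")
            or "?" in endpoint or "#" in endpoint):
        raise ValueError("Endpoint must be a path under /api/v1/")
    url = f"https://{hostname}{endpoint}"
    if query_params:
        url += "?" + urlencode(query_params)
    headers = {
        "Authorization": f"ExtraHop apikey={api_key}",   # assumed header format
        "Accept": "application/json",
    }
    return {"method": method, "url": url, "headers": headers}


def redact_for_log(request):
    """Copy of a built request that is safe to write to playbook or audit logs:
    the API Key is a Password-type parameter and must never be logged."""
    safe = dict(request, headers=dict(request["headers"]))
    safe["headers"]["Authorization"] = "ExtraHop apikey=<redacted>"
    return safe


if __name__ == "__main__":
    req = build_request(
        "extrahop.example.com",                    # constructed sample hostname
        "2bc07e55971d4c9a88d0bb4d29ecbb29",        # sample key shown on this page
        "get",
        fill_path("/api/v1/detections/{detection_id}", detection_id=4242),
        {"limit": 3},
    )
    print(redact_for_log(req), "timeout:", resolve_timeout(None))
```

tls_context(False) reproduces the Verify=false setting: with certificate and hostname checks off, the key sent in the Authorization header is readable by whoever terminates the connection, which is why the parameter defaults to true.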

Action: Get All Devices

This action retrieves all devices.

Action Input Parameters 

No input parameters are required for this action.

Action: Get Detection Details

This action retrieves detection details using the detection ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Detection ID 

Enter the detection ID of the detection to be retrieved.

Text

Required

You can retrieve the Detection ID using the Get All Detections action.

Action: Get All Detections

This action retrieves all detections.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Limit 

Enter the number of detections to retrieve. A random selection of the specified number of detections is returned.

Example:

3

Integer

Optional

Action: Get Device Details

This action retrieves device details.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Device ID 

Enter the device ID of the device to retrieve the device details.

Text

Required

You can find the device ID, shown as the API ID, on the device page of the ExtraHop system.

Action: Get Device Groups

This action retrieves device groups.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Device ID 

Enter the device ID to retrieve the device group details.

Text

Required

You can find the device ID, shown as the API ID, on the device page of the ExtraHop system.

Active from 

Enter the timestamp. Only device groups that the device belonged to after this time are returned.

Example: 

1614556800

Integer

Optional

Active until 

Enter the timestamp. Only device groups that the device belonged to before this time are returned.

Example: 

2014556800

Integer

Optional

Action: Get Packet Captures

This action retrieves metadata for all packet captures.

Action Input Parameters 

No input parameters are required for this action.

Action: Get User Details

This action retrieves user details.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Username 

Enter the username of the user to retrieve the user details.

Text

Required

Action: List Users

This action lists all the users.

Action Input Parameters 

No input parameters are required for this action.

Action: Search Detection

This action searches detections with the given search filters.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Search Filters 

Enter the filters to apply when searching detections.

Example:

{"status": "closed"}

Key Value

Optional

Extra params 

Enter any additional parameters to pass to the detection search.

Key Value

Optional

Action: Search Packets

This action searches packets.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

From Time 

Enter the timestamp to start the search.

Text

Required

Output 

Enter the output format of the search results. 

Example: 

  • pcap

  • keylog_txt

  • zip

  • pcapng

Text

Optional

Include Secrets 

Enter true to include secrets in the search results. This option is valid only for the pcapng output format. The included secrets allow the captured TLS sessions to be decrypted, so treat the resulting capture as sensitive data and restrict where it is stored and shared.

Boolean

Optional

Limit Bytes 

Enter the maximum number of bytes to return in the search results. 

Text

Optional

Default value: 

100 MB

Limit Search Duration 

Enter the maximum number of seconds to search. 

Text

Optional

Default value:

5m 

Extra Params 

Enter any additional parameters to pass to the packet search.

Key Value

Optional

Action: Update Detection

This action updates a detection.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Detection ID 

Enter the detection ID of the detection to be updated.

Text

Required

You can retrieve the Detection ID using the Get All Detections action. 

Ticket ID 

Enter the ticket ID of the detection to be updated.

Text

Required

Assignee 

Enter the assignee of the detection to be updated.

Text

Required

Status 

Enter the status of the detection to be updated. 

Example: 

  • new

  • in_progress

  • closed

  • acknowledged

Text

Required

Resolution 

Enter the resolution of the detection to be updated. 

Text

Required

Allowed values: 

  • action_taken

  • no_action_taken 

Participant ID 

Enter the participant ID of the detection to be updated.

Integer

Required

Usernames 

Enter the list of usernames to be updated.

List

Required

Origins 

Enter the list of origins to be updated.

List

Required
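The following Python example is added here for illustration; it is not Cyware's or ExtraHop's code. It validates the Update Detection inputs against the Status and Resolution values listed above and builds the body for the ExtraHop PATCH /api/v1/detections/{id} request, failing the action rather than sending a malformed update. Treating a Resolution as valid only when Status is closed is this example's assumption, not something the page states; Participant ID, Usernames and Origins are not covered. The detection ID and ticket values are constructed sample input.

```python
"""Validate Update Detection inputs and build the body for
PATCH /api/v1/detections/{id} on an ExtraHop Reveal(x) system.

Added example; not Cyware's or ExtraHop's own code.  The allowed Status and
Resolution values are those listed on this page.  Requiring status "closed"
whenever a resolution is set is this example's assumption.  Participant ID,
Usernames and Origins are not handled here.  Sample values are constructed.
"""

STATUSES = {"new", "in_progress", "closed", "acknowledged"}
RESOLUTIONS = {"action_taken", "no_action_taken"}
FIELDS = ("ticket_id", "assignee", "status", "resolution")   # fields a PATCH may set


def validate_update(fields):
    """Return a list of problems with the requested update; empty means it is valid."""
    problems = []
    unknown = sorted(set(fields) - set(FIELDS))
    if unknown:
        problems.append(f"unknown fields: {unknown}")
    status = fields.get("status")
    if status is not None and status not in STATUSES:
        problems.append(f"status must be one of {sorted(STATUSES)}")
    resolution = fields.get("resolution")
    if resolution is not None:
        if resolution not in RESOLUTIONS:
            problems.append(f"resolution must be one of {sorted(RESOLUTIONS)}")
        if status != "closed":   # assumption: a resolution only makes sense when closing
            problems.append("resolution requires status=closed")
    if not any(v is not None for v in fields.values()):
        problems.append("no fields to update")
    return problems


def build_update_body(detection_id, **fields):
    """Return (path, body) for the PATCH, or raise ValueError instead of
    sending a malformed update.  Inputs left empty in the playbook are dropped."""
    if not str(detection_id).isdigit():            # ExtraHop detection IDs are integers
        raise ValueError("detection_id must be a positive integer")
    body = {k: v for k, v in fields.items() if v not in (None, "")}
    problems = validate_update(body)
    if problems:
        raise ValueError("; ".join(problems))
    return f"/api/v1/detections/{int(detection_id)}", body


if __name__ == "__main__":
    # Close detection 4242 with a ticket reference; the empty Assignee is dropped.
    print(build_update_body(4242, ticket_id="INC-1001", assignee="",
                            status="closed", resolution="action_taken"))
```

Running validate_update before the request is what turns a typo such as status "resolved" into an action failure with a readable message instead of an opaque error from the appliance.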

Action: Get Appliance Details

This action retrieves appliance details using the appliance ID.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Appliance ID 

Enter the appliance ID of the appliance to be fetched.

Text

Required