ExtraHop RevealX
App Vendor: ExtraHop
App Category: Network Security
Connector Version: 2.0.0
API Version: v1
About App
ExtraHop's RevealX platform uses network traffic as its data source to provide visibility into and control over the environment. It offers real-time threat detection, detailed investigation data, and automated responses so that security teams can respond to attacks faster.
The ExtraHop RevealX app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Create Alert | This action creates an alert. |
Delete Alert | This action deletes a specific alert. |
Generic Action | This is a generic action used to make a request to any ExtraHop API endpoint that is not covered by the other actions. |
Get Activity Maps | This action retrieves all activity maps. |
Get Alert Details | This action retrieves the details of the specified alert. |
Get All Devices | This action retrieves all devices. |
Get Appliance Details | This action retrieves appliance details using the appliance ID. |
Get Detection Details | This action retrieves detection details using the detection ID. |
Get Device Details | This action retrieves device details. |
Get Device Groups | This action retrieves device groups. |
Get User Details (Beta) | This action retrieves the details of the specified user. |
Get Watchlist Devices | This action retrieves all the devices that are in the watchlist. |
List Alerts | This action retrieves a list of all alerts. |
List Detections | This action lists detections along with their details. |
List Metrics | This action retrieves metrics for each specified object. |
List Users | This action will list all the users. |
Query Activity Maps | This action performs a network topology query and returns activity map data. |
Search Detection | This action is used to search detections using the specified search filters. |
Search Packets | This action will search packets. |
Update Alert | This action updates a specific alert. |
Update Detection | This action updates a detection using the detection ID. |
Update Watchlist | This action updates a watchlist by adding or removing devices. |
Configuration Parameters
The following configuration parameters are required for the ExtraHop RevealX app to communicate with the ExtraHop RevealX enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hostname | Enter the hostname of the ExtraHop API server. | Text | Required | |
API Key | Enter the API key of the ExtraHop API client. | Password | Optional | Use either an API key or a Client ID and Client Secret pair; at least one of the two must be configured for the app to authenticate. |
Client ID | Enter the client ID of the ExtraHop API. Example: er91dkqa68b8142r7kyi7rs8a | Text | Optional | Required together with Client Secret when no API key is configured. |
Client Secret | Enter the client secret of the ExtraHop API. Example: 2w45slun5gaebaoj2628j7rqecdjh4s8haaaa25yr3n9okj75b2 | Password | Optional | Required together with Client ID when no API key is configured. |
Verify | Verify the SSL/TLS certificate of the ExtraHop server while making requests. | Boolean | Optional | Disabled by default. Enable this in production so that the app rejects a forged certificate instead of sending the API credentials to a server impersonating ExtraHop. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with ExtraHop RevealX. | Integer | Optional | Allowed range: 15 to 120 seconds. Default value: 15 seconds. |
Action: Create Alert
This action creates an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Description | Enter the description for the alert. | Text | Required | |
Field Name | Enter the name of the monitored metric. | Text | Required | This applies only to threshold alerts. |
Interval Length | Enter the interval length of the alert in seconds. | Integer | Required | This applies only to threshold alerts. Allowed values: 30, 60, 120, 300, 600, 900, 1200, and 1800. |
Name | Enter a unique name for the alert. | Text | Required | |
Operand | Enter the value to compare against the alert conditions. | Text | Required | The comparison method is defined by the selected operator. This applies only to threshold alerts. |
Operator | Enter the comparison operator for the operand. | Text | Required | This applies only to threshold alerts. Allowed values: ==, >, <, >=, <=. |
Stat Name | Enter the statistic name for the alert. Example: extrahop.application.dns | Text | Required | This applies only to threshold alerts. |
Units | Enter the evaluation interval for the alert condition. | Text | Required | This applies only to threshold alerts. Allowed values: none, period, 1 sec, 1 min, and 1 hr. |
Extra Params | Enter the extra parameters to create an alert. | Key Value | Optional | Allowed keys: severity, type and more. |
Example Request
[ { "name": "Test 14", "units": "1 min", "operand": "0.01", "operator": ">", "stat_name": "extrahop.application.dns", "field_name": "rsp_error", "description": "Test 11", "extra_params": {}, "interval_length": "30" } ]
Action: Delete Alert
This action deletes a specific alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the unique ID of the alert to delete. | Integer | Required | You can retrieve the Alert ID using the List Alerts action. |
Example Request
[ { "alert_id": 42 } ]
Action: Generic Action
This is a generic action used to make a request to any ExtraHop API endpoint that is not covered by the other actions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make a request. | Text | Required | Allowed values: GET, POST, PUT, DELETE, PATCH |
Endpoint | Enter the endpoint to make the request. Example: applications | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | |
Example Request
[ { "method": "GET", "endpoint": "/appliances", "extra_fields": {}, "query_params": {} } ]
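The configuration parameters and the Generic Action above map directly onto raw ExtraHop REST calls. The following Python is an added example (not the Cyware app's code and not ExtraHop's SDK) that assembles such a request from the same inputs, refuses the credential and TLS combinations a practitioner should not ship, and only then sends it. It assumes, because the page does not state it, that the API root is `https://<Hostname>/api/v1/`, that an API key is sent as `Authorization: ExtraHop apikey=<key>`, and that a Client ID/Secret pair is exchanged elsewhere for a bearer token, which is passed in here as `bearer_token`.

```python
# Added example, not the Cyware app's code. Assumptions (not on the page):
#   - the API root is https://<Hostname>/api/v1/
#   - an API key is sent as "Authorization: ExtraHop apikey=<key>"
#   - a client ID/secret is exchanged elsewhere for a bearer token,
#     passed here as bearer_token
import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Dict, Mapping, Optional

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH"}  # Generic Action
TIMEOUT_RANGE = (15, 120)                                    # config table


def auth_header(api_key: Optional[str] = None,
                bearer_token: Optional[str] = None) -> Dict[str, str]:
    """Authorization header for the one credential that is configured.

    The table marks API Key and Client ID/Secret as optional individually,
    but a request with neither cannot authenticate, so refuse that here.
    """
    if bool(api_key) == bool(bearer_token):
        raise ValueError("configure exactly one of API key or client credentials")
    if api_key:
        return {"Authorization": f"ExtraHop apikey={api_key}"}
    return {"Authorization": f"Bearer {bearer_token}"}


def tls_context(verify: bool) -> ssl.SSLContext:
    """TLS settings for the Verify parameter.

    verify=False reproduces the app's default: any certificate is accepted,
    so an on-path attacker can impersonate the sensor and read the API key.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def checked_timeout(seconds: int) -> int:
    """Enforce the 15 to 120 second range from the configuration table."""
    lo, hi = TIMEOUT_RANGE
    if not lo <= seconds <= hi:
        raise ValueError(f"timeout must be between {lo} and {hi} seconds")
    return seconds


def build_request(hostname: str, method: str, endpoint: str,
                  headers: Mapping[str, str],
                  query_params: Optional[Mapping[str, Any]] = None,
                  payload: Any = None) -> urllib.request.Request:
    """Assemble the Generic Action's Method/Endpoint/Query Params/Payload."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported method {method!r}")
    url = f"https://{hostname}/api/v1/{endpoint.strip('/')}"
    if query_params:
        url += "?" + urllib.parse.urlencode(query_params)
    hdrs = dict(headers, Accept="application/json")
    data = None
    if payload is not None:
        data = json.dumps(payload).encode("utf-8")
        hdrs["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=hdrs, method=method)


def send(req: urllib.request.Request, verify: bool = False,
         timeout: int = 15) -> Any:
    """Send the request and decode the JSON body (None for an empty reply)."""
    with urllib.request.urlopen(req, timeout=checked_timeout(timeout),
                                context=tls_context(verify)) as resp:
        body = resp.read()
    return json.loads(body) if body else None


if __name__ == "__main__":
    # Build only; sending needs a reachable sensor and a real credential.
    hdr = auth_header(api_key="REPLACE_ME")
    req = build_request("sensor.example.net", "GET", "detections", hdr,
                        query_params={"limit": 3})
    print(req.get_method(), req.full_url)
```

`send(req, verify=True, timeout=30)` is the call to use against a production sensor; the `verify=False` default is kept only because it mirrors the app's own default, and the context it builds is the one to avoid.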
Action: Get Activity Maps
This action retrieves all activity maps.
Action Input Parameters
This action does not require any input parameters.
Action: Get Alert Details
This action retrieves the details of the specified alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the unique ID of the alert to retrieve details. Example: 35 | Integer | Required | You can retrieve the Alert ID using the List Alerts action. |
Example Request
[ { "alert_id": 35 } ]
Action: Get All Devices
This action retrieves all devices.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Active From | Enter the start time (in EPOCH milliseconds) to retrieve devices active after this timestamp. Enter 0 to denote current time. | Integer | Optional | |
Active Until | Enter the end time (in EPOCH milliseconds) to retrieve devices active before this timestamp. | Integer | Optional | |
Limit | Enter the maximum number of results to retrieve. Example: 7 | Integer | Optional | |
Offset | Enter the number of devices to skip from the start of the list. | Integer | Optional | |
Search Type | Enter the field to search for devices. | Text | Optional | Allowed values: any, name, discovery_id, and more. |
Value | Enter the text to specify the search criteria. | Text | Optional | |
Example Request
[ { "search_type": "any" } ]
Action: Get Appliance Details
This action retrieves appliance details using the appliance ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Appliance ID | Enter the appliance ID to retrieve details. Example: 0 | Integer | Required | |
Example Request
[ { "appliance_id": "0" } ]
Action: Get Detection Details
This action retrieves the detection details using the detection ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detection ID | Enter the detection ID of the detection to be retrieved. Example: 25769804021 | Integer | Required | You can retrieve the Detection ID using the List Detections Action. |
Example Request
[ { "detection_id": "25769804021" } ]
Action: Get Device Details
This action retrieves the details of a device.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to retrieve the details. Example: 25769803837 | Integer | Required | You can retrieve the Device ID using the Get All Devices action. |
Example Request
[ { "device_id": "25769803837" } ]
Action: Get Device Groups
This action retrieves the device groups that a device belongs to.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to retrieve the device group details. | Text | Required | You can retrieve the Device ID using the Get All Devices action. |
Active From | Enter the timestamp (in EPOCH milliseconds) to return the device groups that the device belonged to after this time. Example: 1614556800 | Integer | Optional | |
Active Until | Enter the timestamp (in EPOCH milliseconds) to return the device groups that the device belonged to before this time. Example: 2014556800 | Integer | Optional | |
Example Request
[ { "device_id": "25769803837" } ]
Action: Get User Details (Beta)
This action retrieves the details of the specified user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Username | Enter the username to retrieve the user details. | Text | Required | You can retrieve the Username using the List Users action. |
Action: Get Watchlist Devices
This action retrieves all the devices that are in the watchlist.
Action Input Parameters
This action does not require any input parameters.
Action: List Alerts
This action retrieves a list of all alerts.
Action Input Parameters
This action does not require any input parameters.
Action: List Detections
This action lists detections along with their details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of detections to be returned in the response. Example: 3 | Integer | Optional | |
Example Request
[ { "limit": "3" } ]
Action: List Metrics
This action retrieves metrics for each specified object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cycle | Enter the aggregation period for metrics. | Text | Required | Allowed values: auto, 1sec, 30sec, 5min, 1hr, and 24hr |
From | Enter the start timestamp in EPOCH milliseconds to retrieve metrics collected after this time. Use 0 to indicate the time of the request. | Integer | Required | |
Metric Category | Enter the metric group to search within the metric catalog. | Text | Required | |
Metric Specs | Enter the metric specification objects to list metrics. Example: $json[[{"name": "rsp"}]] | List | Required | Allowed keys: name, key1, key2, calc_type, and percentiles |
Object IDs | Enter the list of object IDs to list metrics. To retrieve system health metrics, specify the ID of the sensor or console and set the object type to system. Example: $json[[34669803837,34669803837]] | List | Required | |
Object Type | Enter the type of the object to retrieve metrics. | Text | Required | Allowed values: network, device, application, vlan, device_group, and system |
Until | Enter the end timestamp in EPOCH milliseconds to retrieve metrics collected before this time. | Integer | Required | |
Example Request
[ { "cycle": "auto", "until": "0", "from_time": "1744737990000", "object_ids": [ 25769803837, 25769803831 ], "object_type": "device", "metric_specs": [ { "name": "rsp" } ], "metric_category": "http_server" } ]
Action: List Users
This action lists all the users.
Action Input Parameters
This action does not require any input parameters.
Action: Query Activity Maps
This action performs a network topology query and returns activity map data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Time | Specify the start timestamp for the query (in EPOCH milliseconds). | Integer | Required | |
Walks | Enter the list of one or more walk objects to include in the topology query. A walk is the path of traffic composed of one or more steps. For more information, see documentation. Example: $json[[{"origins": [{"object_id": 100,"object_type": "device_group"}],"steps": [{"relationships": [{"protocol": "any","role": "any"}]}]}]]. | List | Required | |
Until | Enter the end timestamp In EPOCH milliseconds for the query. | Integer | Optional | |
Extra Fields | Enter the extra fields to query activity maps. | Key Value | Optional | Allowed fields: weighting, edge_annotations, and more |
Action: Search Detection
This action searches detections using the specified search filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search Filters | Enter the filters to search detections in ExtraHop. Example: {status: $list[resolved]} | Key Value | Optional | Allowed fields: category, types and more |
Extra Fields | Enter the extra fields to be used to search detections. | Key Value | Optional | |
Example Request
[ { "extra_params": {}, "search_filters": {} } ]
Action: Search Packets
This action searches stored packets and returns the matching capture.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
From Time | Enter the timestamp to start the search. Example: 1744740600000 | Text | Required | |
Output | Enter the output format of the search results. Example: keylog_txt, extract, and more | Text | Optional | |
Include Secrets | Enter true to include secrets in the search results. This option is valid only for the pcapng output format. | Boolean | Optional | The secrets are the TLS session keys recorded for the matching flows, so anyone who obtains the file can decrypt that traffic. Store and share the download accordingly. |
Limit Bytes | Enter the maximum number of KB to return in the search results. | Integer | Optional | Default value: 1 KB |
Limit Search Duration | Enter the maximum time to search for packets. | Text | Optional | Default unit is milliseconds. Default value is 5m. |
Download | Choose true to download the response. The response will be downloaded only if it is greater than 64 MB. | Boolean | Optional | Default value: false |
Extra Params | Enter the extra parameters to be used to search packets. | Key Value | Optional | |
Action: Update Alert
This action updates a specific alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the unique ID of the alert to update it. | Integer | Required | You can retrieve the Alert ID using the List Alerts action. |
Alert Information | Enter the alert properties to update. Example: {description : test} | Key Value | Required | Allowed fields: description, notify_snmp, field_op, and more |
Example Request
[ { "alert_id": 35, "alert_information": { "description": "Test 2" } } ]
Action: Update Detection
This action updates a detection using the detection ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detection ID | Enter the ID of the detection to be updated. Example: 25769803111 | Integer | Required | You can retrieve the Detection ID using the List Detections action. |
Ticket ID | Enter the ticket ID of the detection to be updated. | Text | Optional | |
Assignee | Enter the assignee of the detection to be updated. | Text | Optional | |
Status | Enter the status of the detection to be updated. Example: new, in_progress, closed, acknowledged | Text | Optional | |
Resolution | Enter the resolution of the detection to be updated. | Text | Optional | Allowed values: action_taken, no_action_taken |
Participant ID | Enter the participant ID of the detection to be updated. | Integer | Optional | |
Usernames | Enter the list of usernames to be updated. | List | Optional | |
Origins | Enter the list of origins to be updated. | List | Optional | |
Example Request
[ { "status": "in_progress", "detection_id": "25769804021" } ]
Action: Update Watchlist
This action updates a watchlist by adding or removing devices.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Assign | Enter the resource IDs of the devices to add to the watchlist. Example: $json[[25769803837]] | List | Optional | Note: You must enter at least one of assign or unassign. |
Unassign | Enter the resource IDs of the devices to remove from the watchlist. Example: $json[[25769803837]] | List | Optional | Note: You must enter at least one of assign or unassign. |
Example Request
[ { "assign": [ "25769803837" ], "unassign": [ "25769803831" ] } ]
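The Create Alert, Update Detection and Update Watchlist tables each carry constraints (allowed interval lengths, operators, statuses, resolutions, and the rule that at least one of assign or unassign must be given) that the page states in prose. The following Python is an added example, not the Cyware app's code, that checks inputs against exactly those documented values before a request is built and returns the endpoint and JSON body the call would carry. It assumes, beyond what the page says, that alerts are created with POST to `alerts`, detections updated with PATCH to `detections/<id>`, the watchlist changed with POST to `watchlist/devices`, that `threshold` is the alert type these fields belong to, and that bodies are keyed like the page's example requests.

```python
# Added example, not the Cyware app's code. Allowed values are copied from
# the action tables above. Endpoint paths and the "threshold" type value are
# assumptions the page does not state.
from typing import Any, Dict, Iterable, Mapping, Optional, Tuple

INTERVALS = {30, 60, 120, 300, 600, 900, 1200, 1800}   # Create Alert
OPERATORS = {"==", ">", "<", ">=", "<="}
UNITS = {"none", "period", "1 sec", "1 min", "1 hr"}
STATUSES = {"new", "in_progress", "closed", "acknowledged"}  # Update Detection
RESOLUTIONS = {"action_taken", "no_action_taken"}
THRESHOLD_KEYS = {"name", "description", "type", "stat_name", "field_name",
                  "operator", "operand", "interval_length", "units"}


def build_threshold_alert(name: str, description: str, stat_name: str,
                          field_name: str, operator: str, operand: str,
                          interval_length: Any, units: str,
                          extra_params: Optional[Mapping[str, Any]] = None
                          ) -> Tuple[str, Dict[str, Any]]:
    """Validate the threshold-alert fields and return (endpoint, body)."""
    interval = int(interval_length)      # the page's example passes "30"
    if interval not in INTERVALS:
        raise ValueError(f"interval_length {interval} not in {sorted(INTERVALS)}")
    if operator not in OPERATORS:
        raise ValueError(f"operator {operator!r} not in {sorted(OPERATORS)}")
    if units not in UNITS:
        raise ValueError(f"units {units!r} not in {sorted(UNITS)}")
    float(operand)  # must parse as a number; the API compares it numerically
    extra = dict(extra_params or {})
    clash = THRESHOLD_KEYS & extra.keys()
    if clash:
        # Free-form extra params must not silently replace validated fields.
        raise ValueError(f"extra_params may not override {sorted(clash)}")
    body: Dict[str, Any] = {
        "type": "threshold",             # assumed type value, see lead-in
        "name": name, "description": description,
        "stat_name": stat_name, "field_name": field_name,
        "operator": operator, "operand": str(operand),
        "interval_length": interval, "units": units,
    }
    body.update(extra)                   # e.g. severity
    return "alerts", body


def build_detection_update(detection_id: Any, status: Optional[str] = None,
                           resolution: Optional[str] = None,
                           assignee: Optional[str] = None,
                           ticket_id: Optional[str] = None
                           ) -> Tuple[str, Dict[str, Any]]:
    """Validate the optional Update Detection fields; require at least one."""
    det_id = int(detection_id)           # IDs on the page are large, sometimes quoted
    if status is not None and status not in STATUSES:
        raise ValueError(f"status {status!r} not in {sorted(STATUSES)}")
    if resolution is not None and resolution not in RESOLUTIONS:
        raise ValueError(f"resolution {resolution!r} not in {sorted(RESOLUTIONS)}")
    fields = {"status": status, "resolution": resolution,
              "assignee": assignee, "ticket_id": ticket_id}
    body = {k: v for k, v in fields.items() if v is not None}
    if not body:
        raise ValueError("nothing to update")
    return f"detections/{det_id}", body


def build_watchlist_update(assign: Iterable[Any] = (),
                           unassign: Iterable[Any] = ()
                           ) -> Tuple[str, Dict[str, Any]]:
    """Enforce 'at least one of assign or unassign' and reject contradictions."""
    add = [int(x) for x in assign]
    remove = [int(x) for x in unassign]
    if not add and not remove:
        raise ValueError("enter at least one of assign or unassign")
    both = set(add) & set(remove)
    if both:
        raise ValueError(f"device(s) {sorted(both)} listed in both assign and unassign")
    body = {k: v for k, v in (("assign", add), ("unassign", remove)) if v}
    return "watchlist/devices", body


if __name__ == "__main__":
    print(build_threshold_alert("Test 14", "Test 11", "extrahop.application.dns",
                                "rsp_error", ">", "0.01", "30", "1 min"))
    print(build_detection_update("25769804021", status="in_progress"))
    print(build_watchlist_update(assign=["25769803837"], unassign=["25769803831"]))
```

Each builder rejects bad input with a `ValueError` before anything leaves the playbook, which is cheaper to debug than an HTTP 400 from the sensor and keeps a free-form `extra_params` map from overriding a field that was already validated.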