
ExtraHop

Tested Versions: Reveal(x) 7.6.0.14

Chronicle can use ExtraHop's network traffic capture to identify device assets, monitor domain name lookups, and watch web traffic. ExtraHop uses 'Triggers' to send data from the platform to external collectors. This document covers enabling 'Triggers' to send DNS and DHCP data to Chronicle.

Chronicle Data Types

  • DNS
  • DHCP

Requirements

  • Chronicle Forwarder

Syslog Server Setup

If utilizing ExtraHop to send DNS and DHCP data, create a destination syslog server for each data type to send to.

  1. In the ExtraHop WebUI, at the top right, select the gear icon and choose 'Administration...' from the options.
  2. In the 'Discover Appliance Administration' screen, click Open Data Streams.
  3. In the 'Open Data Stream' screen, select Add Target.
  4. In the 'Add ODS Target' screen, change the 'Target Type' to Syslog.
  5. In the 'Target Configuration Section', name the target and fill out details for the syslog target as provided by CYDERES.
  6. Test the configuration and Save if working. Otherwise, contact CYDERES for help.

DHCP Trigger Setup

  1. In the ExtraHop WebUI, at the top right, select the gear icon and choose 'Triggers' from the options.
  2. In the Triggers settings screen, click the New button to add a new trigger.
  3. Name the new trigger 'Chronicle-DHCP-Request'. In the Events section add DHCP_REQUEST.
  4. In the Editor tab at the top, add the following code to the Trigger Script box:

    // Fields taken from the DHCP_REQUEST event and sent as one JSON line
    // to the 'Chronicle-DHCP' Open Data Stream syslog target created above.
    var object = {
        "message" : DHCP.msgType,
        "gateway" : DHCP.gwAddr,
        "hardware_type" : DHCP.htype,
        "transaction" : DHCP.txId,
        "options" : DHCP.options
    };
    
    Remote.Syslog("Chronicle-DHCP").info(JSON.stringify(object));
    
  5. In the Assignments tab at the top, choose to assign the trigger to an existing DHCP servers group or 'Assign to All'.

  6. Select Save and Close.
  7. Add another New trigger.
  8. Name the new trigger "Chronicle-DHCP-Response". In the Events section add DHCP_RESPONSE.
  9. In the Editor tab at the top, add the following code to the Trigger Script box:

    // Same fields as the request trigger, plus the address offered to the
    // client, which is only available on the DHCP_RESPONSE event.
    var object = {
        "message" : DHCP.msgType,
        "gateway" : DHCP.gwAddr,
        "hardware_type" : DHCP.htype,
        "transaction" : DHCP.txId,
        "options" : DHCP.options,
        "ip" : DHCP.offeredAddr
    };
    
    Remote.Syslog("Chronicle-DHCP").info(JSON.stringify(object));
    
  10. In the Assignments tab at the top, choose to assign the trigger to an existing DHCP servers group or 'Assign to All'.

  11. Select Save and Close.

DNS Trigger Setup

  1. In the ExtraHop WebUI, at the top right, select the gear icon and choose 'Triggers' from the options.
  2. In the Triggers settings screen, click the New button to add a new trigger.
  3. Name the new trigger 'Chronicle-DNS-Request'. In the Events section add DNS_REQUEST.
  4. In the Editor tab, add the following code to the Trigger Script box:

    // Fields taken from the DNS_REQUEST event and sent as one JSON line
    // to the 'Chronicle-DNS' Open Data Stream syslog target created above.
    var object = {
        "eh_event" : "dns",
        "client_ip" : Flow.client.ipaddr,
        "dst_ip" : Flow.server.ipaddr,
        "qname" : DNS.qname,
        "qtype" : DNS.qtype,
        "opcode" : DNS.opcode,
        "dns_type" : "request",
        "type" : DNS.qtype
    };
    
    Remote.Syslog("Chronicle-DNS").info(JSON.stringify(object));
    
  5. In the Assignments tab at the top, choose to assign the trigger to an existing DNS servers group or 'Assign to All'.

  6. Select Save and Close.
  7. Add another New trigger.
  8. Name the new trigger 'Chronicle-DNS-Response'. In the Events section add DNS_RESPONSE.
  9. In the Editor tab, add the following code to the Trigger Script box:

    // Same query fields as the request trigger, plus the answer records,
    // which are only available on the DNS_RESPONSE event.
    var object = {
        "eh_event" : "dns",
        "client_ip" : Flow.client.ipaddr,
        "dst_ip" : Flow.server.ipaddr,
        "qname" : DNS.qname,
        "qtype" : DNS.qtype,
        "opcode" : DNS.opcode,
        "answers": DNS.answers,
        "dns_type" : "response"
    };
    
    Remote.Syslog("Chronicle-DNS").info(JSON.stringify(object));
    
  10. In the Assignments tab at the top, choose to assign the trigger to an existing DNS servers group or 'Assign to All'.

  11. Select Save and Close.
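The four trigger scripts above (DHCP request/response and DNS request/response) each emit one JSON object per event. As an added example that is not part of this document or of ExtraHop's or Chronicle's own code, the following Python checks, on the forwarder side, that received lines carry the keys the corresponding trigger sets, and joins DHCP request and response events on the transaction id to recover the offered address. The syslog header format and all sample values are constructed for illustration.

```python
import json

# Keys each trigger script on this page puts in its JSON payload, so a
# forwarder-side check can tell a complete event from a truncated one.
EXPECTED_KEYS = {
    ("dns", "request"): {"eh_event", "client_ip", "dst_ip", "qname",
                         "qtype", "opcode", "dns_type", "type"},
    ("dns", "response"): {"eh_event", "client_ip", "dst_ip", "qname",
                          "qtype", "opcode", "answers", "dns_type"},
    ("dhcp", "request"): {"message", "gateway", "hardware_type",
                          "transaction", "options"},
    ("dhcp", "response"): {"message", "gateway", "hardware_type",
                           "transaction", "options", "ip"},
}

# Constructed sample lines: the syslog header is illustrative, the JSON
# bodies follow the shape of the four trigger scripts above.
SAMPLE_LINES = [
    '<14>Jan 10 12:00:01 extrahop {"eh_event":"dns","client_ip":"10.0.0.5","dst_ip":"10.0.0.53","qname":"example.com","qtype":"A","opcode":0,"dns_type":"request","type":"A"}',
    '<14>Jan 10 12:00:01 extrahop {"eh_event":"dns","client_ip":"10.0.0.5","dst_ip":"10.0.0.53","qname":"example.com","qtype":"A","opcode":0,"answers":[{"name":"example.com","data":"93.184.216.34"}],"dns_type":"response"}',
    '<14>Jan 10 12:00:02 extrahop {"message":"DHCPREQUEST","gateway":"0.0.0.0","hardware_type":1,"transaction":305419896,"options":[]}',
    '<14>Jan 10 12:00:02 extrahop {"message":"DHCPACK","gateway":"0.0.0.0","hardware_type":1,"transaction":305419896,"options":[],"ip":"10.0.0.77"}',
]


def parse_line(line):
    """Return the JSON object embedded in a syslog line; the header is ignored."""
    start, end = line.find("{"), line.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON payload in line")
    return json.loads(line[start:end + 1])


def classify(payload):
    """Map a payload to the (source, kind) of the trigger that produced it."""
    if payload.get("eh_event") == "dns":
        return ("dns", payload.get("dns_type", ""))
    if "transaction" in payload:  # only the DHCP triggers send DHCP.txId
        return ("dhcp", "response" if "ip" in payload else "request")
    return ("unknown", "")


def missing_keys(payload):
    """Keys the originating trigger should have set but the payload lacks."""
    expected = EXPECTED_KEYS.get(classify(payload), set())
    return sorted(expected - payload.keys())


def dhcp_leases(payloads):
    """Join DHCP request and response events on transaction id -> offered IP."""
    requests = {p["transaction"] for p in payloads if classify(p) == ("dhcp", "request")}
    return {p["transaction"]: p["ip"] for p in payloads
            if classify(p) == ("dhcp", "response") and p["transaction"] in requests}
```

Run `missing_keys` over every line the forwarder receives to catch a trigger whose script was edited or truncated, and `dhcp_leases` to pair requests with the addresses that were actually handed out.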

MITRE ATT&CK Coverage


DNS Coverage