ExtraHop¶
Tested Versions: Reveal(x) 7.6.0.14
Chronicle can utilize ExtraHop's ability to gather network traffic to identify device assets, monitor domain name lookups, and watch web traffic. ExtraHop utilizes 'Triggers' to send data from the platform to external collectors. This document covers enabling 'Triggers' to send data to Chronicle.
Chronicle Data Types¶
- EXTRAHOP_DNS
- EXTRAHOP_DHCP
Requirements¶
- Chronicle Forwarder
Syslog Server Setup¶
If utilizing ExtraHop to send DNS and DHCP data, create a destination syslog server for each data type to send to
- At the top right of the ExtraHop WebUI, select the gear icon and choose 'Administration...' from the options
- In the 'Discover Appliance Administration' screen, click Open Data Streams
- In the 'Open Data Stream' screen, select Add Target
- In the 'Add ODS Target' screen, change the 'Target Type' to Syslog
- In the 'Target Configuration Section', name the target and fill out details for the syslog target provided by Cyderes
- Test the configuration. If successful, click Save. If unsuccessful, contact Cyderes for assistance.
DHCP Trigger Setup¶
- At the top right of the ExtraHop WebUI, select the gear icon and choose 'Triggers' from the options
- In the Triggers settings screen, click the New button to add a new trigger
- Name the new trigger 'Chronicle-DHCP-Request'. In the Events section add DHCP_REQUEST.
-
In the Editor tab at the top. Add the following code to the Trigger Script box:
var object = { "message" : DHCP.msgType, "gateway" : DHCP.gwAddr, "hardware_type" : DHCP.htype, "client_hardware_address": DHCP.chaddr, "transaction" : DHCP.txId, "options" : DHCP.options } Remote.Syslog("Chronicle-DHCP").info(JSON.stringify(object)); -
In the Assignments tab at the top, choose to assign the trigger to an existing DHCP servers group or 'Assign to All'
- Select Save and Close
- Add another New trigger
- Name the new trigger "Chronicle-DHCP-Response". In the Events section add DHCP_RESPONSE.
-
In the Editor tab at the top. Add the following code to the Trigger Script box:
var object = { "message" : DHCP.msgType, "gateway" : DHCP.gwAddr, "hardware_type" : DHCP.htype, "transaction" : DHCP.txId, "options" : DHCP.options, "ip" : DHCP.offeredAddr } Remote.Syslog("Chronicle-DHCP").info(JSON.stringify(object)); -
In the Assignments tab at the top, choose to assign the trigger to an existing DHCP servers group or 'Assign to All'
- Select Save and Close
DNS Trigger Setup¶
- At the top right of the ExtraHop WebUI, select the gear icon and choose 'Triggers' from the options
- In the Triggers settings screen, click the New button to add a new trigger
- Name the new trigger 'Chronicle-DNS-Request'. In the Events section add DNS_REQUEST.
-
In the Editor tab, add the following code to the Trigger Script box:
var object = { "eh_event" : "dns", "client_ip" : Flow.client.ipaddr, "dst_ip" : Flow.server.ipaddr, "qname" : DNS.qname, "qtype" : DNS.qtype, "opcode" : DNS.opcode, "dns_type" : "request", "type" : DNS.qtype } Remote.Syslog("Chronicle-DNS").info(JSON.stringify(object)); -
In the Assignments tab at the top, choose to assign the trigger to an existing DNS servers group or 'Assign to All'.
- Select Save and Close.
- Add another New trigger.
- Name the new trigger 'Chronicle-DNS-Response'. In the Events section add DNS_RESPONSE.
-
In the Editor tab, add the following code to the Trigger Script box:
var object = { "eh_event" : "dns", "client_ip" : Flow.client.ipaddr, "dst_ip" : Flow.server.ipaddr, "qname" : DNS.qname, "qtype" : DNS.qtype, "opcode" : DNS.opcode, "answers": DNS.answers, "dns_type" : "response" } Remote.Syslog("Chronicle-DNS").info(JSON.stringify(object)); -
In the Assignments tab at the top, choose to assign the trigger to an existing DNS servers group or 'Assign to All'
- Select Save and Close
MITRE ATT&CK Coverage¶
