Detection SIEM Connector Description Issue

I’m working on adding more info to the ExtraHop Detection SIEM Connector - LEEF trigger that sends detections to QRadar (our SIEM) and while doing so I noticed that the descriptions for detections with a device as an offender or victim look like the following:

device:24643 sent a request to a database server outside the network. Investigate to determine if the server is malicious or if device:24643 is compromised. For example, if device:24643 is compromised, an attacker might be serving malware from the malicious server.

Is the above expected or is there something wrong with the trigger?

I don’t know what this specific trigger is doing, but the Trigger API does expose device properties for more readable names. I would probably use dhcpName if present and otherwise dnsNames[0]. Please note that these names are not guaranteed to be unique.

This trigger formats detections and sends them in syslog compatible format to a SIEM.

I’ve written code that can sub in a dhcp and/or device name. Unfortunately, there’s no easy way to programmatically determine if the device string is the offender or victim in the detection so it would be better if the trigger API included the correct device name in the Detection description.

Is this by design (not including the correct device name in the Detection description) or is this a bug?

This is not by design, and we have filed a ticket to address this (EX-44566). We use these markers (device:24643) to substitute a markdown link to the device with the best device name available. However, it seems there is one place where we are not doing this substitution for DETECTION_UPDATE triggers. Thanks for bringing this to our attention!

1 Like

Good to know, thanks!
Is there a way to keep track of this ticket?

Apologies, as I’ve referred to an internal ticket here. This is being treated as a high priority defect, and a fix is currently scheduled for our next 8.2 hotfix release. Keep an eye out for this in the release notes—we should have a fix out for you soon.

1 Like

I’ve checked the release notes for both 8.2 hotfixes and the 8.3 release, but I didn’t see info about a fix for EX-44566. Has this been resolved and I missed it?

Sorry, it looks like this just missed the 8.3 release window. The ticket is marked as “in progress” for the next 8.2 hotfix, not yet released. I’ll update this thread once it lands.

Hi @cjdavis, just confirming this will be in 8.2.4 as well as 8.3.1.

1 Like