ExtraHop Security Detections workflow

Hello Community,

Just wanted to see how others have incorporated ExtraHop Reveal(x) detections into their security operations workflows (i.e. SIEM, tickets, email alerts, etc.). Currently I have email alerts set to go out, but because a majority of our detections seem to be benign, it's very “noisy” and most of the team just punts them into a subfolder in their inbox. I tend to just log in to our ECA and go through the detection cards manually and acknowledge them as I investigate their nature, and look for opportunities to “tune” things out by hiding the detections. Anyone else have ideas on workflow and how to improve the fidelity of the detections?

Hi Kevin,

Thanks for the feedback. You’ve touched on a number of areas we’re currently exploring:

The first is how you get notifications about detections. We’ve heard from a number of customers that they want to handle notification through the SIEM rather than getting emails from each vendor, so our current thinking is to invest our time in giving the SIEM enough information to make a great alert before revisiting our own email alerts.

The second is the percentage of detections that are perceived as noise because the detected behavior was benign. My team would love to know more about which benign behaviors are triggering detections - we’ve identified a set of improvements that could remove certain types of benign detection, and we’d be very interested to discuss further.

Since both next steps are probably best suited to a non-public forum, is it okay for my coworker @swagatdasgupta to reach out over forum private message or over email?


@teddriggs yes, that would be fine :smile:. I also have our detections going to our Splunk instance, and I have a dashboard I created that gives me a breakdown summary of the types of detections and counts we're seeing in the last 24 hours. This is part of a “Situational Awareness” dashboard I try to look at daily just to get an overview of what's going on across multiple toolsets.
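An added example, not code from this thread or from ExtraHop, of the 24-hour breakdown by detection type described above, done in Python over a constructed set of detection records of the kind that would be forwarded to a SIEM. It goes one step further than a count: for each type it also computes how many of the detections in the window were closed as benign, which is the number you want when deciding which detection types to hide or tune. The field names (type, risk_score, start_time in epoch milliseconds, status, resolution) and their value vocabulary are assumptions for illustration; map them to whatever your own Splunk ingest actually carries.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ms(now, hours_ago):
    """Epoch milliseconds for a point `hours_ago` hours before `now`."""
    return int((now - timedelta(hours=hours_ago)).timestamp() * 1000)


# Fixed "now" so the example is deterministic and runs offline.
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample detections (not real data). The type names and the
# status/resolution vocabulary are assumptions, not ExtraHop's schema.
SAMPLE_DETECTIONS = [
    {"id": 1, "type": "new_device", "risk_score": 10, "start_time": _ms(NOW, 1), "status": "closed", "resolution": "no_action"},
    {"id": 2, "type": "new_device", "risk_score": 10, "start_time": _ms(NOW, 3), "status": "closed", "resolution": "no_action"},
    {"id": 3, "type": "new_device", "risk_score": 10, "start_time": _ms(NOW, 20), "status": "closed", "resolution": "no_action"},
    {"id": 4, "type": "new_device", "risk_score": 10, "start_time": _ms(NOW, 30), "status": "new", "resolution": None},
    {"id": 5, "type": "ssh_brute_force", "risk_score": 60, "start_time": _ms(NOW, 2), "status": "new", "resolution": None},
    {"id": 6, "type": "ssh_brute_force", "risk_score": 60, "start_time": _ms(NOW, 5), "status": "closed", "resolution": "action_taken"},
    {"id": 7, "type": "large_upload", "risk_score": 40, "start_time": _ms(NOW, 12), "status": "closed", "resolution": "no_action"},
    {"id": 8, "type": "large_upload", "risk_score": 40, "start_time": _ms(NOW, 23), "status": "new", "resolution": None},
    {"id": 9, "type": "cve_scan", "risk_score": 80, "start_time": _ms(NOW, 0.5), "status": "in_progress", "resolution": None},
    {"id": 10, "type": "new_device", "risk_score": 10, "start_time": _ms(NOW, 47), "status": "closed", "resolution": "no_action"},
]


def in_window(det, now=NOW, hours=24):
    """True if the detection started within the last `hours` hours (inclusive boundary)."""
    return det["start_time"] >= _ms(now, hours)


def summarize(dets, now=NOW, hours=24):
    """Group in-window detections by type and rank them by count (ties broken by name).

    Each row carries the count, the highest risk score seen, how many are still
    open, and the share that analysts closed as benign ("no_action").
    """
    by_type = defaultdict(list)
    for det in dets:
        if in_window(det, now, hours):
            by_type[det["type"]].append(det)
    rows = []
    for dtype, group in by_type.items():
        benign = sum(1 for d in group if d.get("resolution") == "no_action")
        rows.append({
            "type": dtype,
            "count": len(group),
            "max_risk": max(d["risk_score"] for d in group),
            "open": sum(1 for d in group if d["status"] in ("new", "in_progress")),
            "benign_ratio": benign / len(group),
        })
    rows.sort(key=lambda r: (-r["count"], r["type"]))
    return rows


def tuning_candidates(rows, min_count=3, min_benign_ratio=1.0):
    """Types that fired often enough in the window and were always closed as benign.

    These are the first things to look at when deciding what to hide or tune.
    """
    return [r["type"] for r in rows
            if r["count"] >= min_count and r["benign_ratio"] >= min_benign_ratio]


def format_table(rows):
    """Render the summary as fixed-width text lines for a terminal or ticket."""
    lines = [f"{'type':<18}{'count':>6}{'open':>6}{'max_risk':>10}{'benign':>8}"]
    for r in rows:
        lines.append(f"{r['type']:<18}{r['count']:>6}{r['open']:>6}"
                     f"{r['max_risk']:>10}{r['benign_ratio']:>8.2f}")
    return lines


if __name__ == "__main__":
    summary = summarize(SAMPLE_DETECTIONS)
    print("\n".join(format_table(summary)))
    print("tuning candidates:", tuning_candidates(summary))
```

The benign ratio only becomes meaningful once analysts actually record a resolution when they acknowledge a detection, so the habit of closing benign cards with a consistent resolution is what makes the tuning list trustworthy; a type with a high count but a low benign ratio is an alerting priority, not a tuning target.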