Attend our live Tech Session webcast with Phantom to get a walkthrough of the ExtraHop App for Phantom and learn to automate critical security workflows: https://go.phantom.us/18-05-24-tech-session
The Phantom integration for ExtraHop Reveal(x) enables you to automate and orchestrate rapid security investigation, response, and remediation workflows. Reveal(x) provides a uniquely rich, real-time data source by turning unstructured packets into structured wire data and analyzing it in real-time. This data allows you to confidently configure Phantom to automate security workflows and investigations and orchestrate precise, rapid responses more effectively than ever before. In this post we'll go through three playbooks highlighting the valuable actions you can automate with Reveal(x) and Phantom.
How It Works
Reveal(x) automatically discovers and classifies everything communicating on the network and provides unprecedented depth of visibility into application layer (L7) transactions, as well as decrypting SSL traffic, even with PFS, for maximum visibility. Phantom can use these uniquely deep insights to kick off workflows that discover rogue DNS servers on your network and initiate vulnerability scans, block external clients from accessing internal databases, validate the IP reputation of suspicious endpoints, and more.
Playbook 1: Scan New DNS Servers for Vulnerabilities
This playbook discovers new DNS servers on your network and initiates Nessus vulnerability scans. Whether it's a rogue DNS server or your IT department's newly configured DNS server, this playbook enables you to automatically know that it exists and perform an in-depth scan.
The Phantom app queries the ExtraHop server through the ExtraHop REST API every 30 minutes for any newly discovered DNS servers on your network. If there are new DNS servers to report then ExtraHop sends Phantom the details to initiate this playbook and continue with a more in-depth investigation. ExtraHop retrieves all of the peers that each new DNS server has communicated with in the last 30 minutes as well as all of the protocols it has communicated over in that same timeframe. Finally the Nessus app scans each of the new DNS servers for potential security vulnerabilities.
Playbook 2: Block External Access to Internal Databases
This playbook processes an ExtraHop detection of an internal database being accessed externally and blocks the corresponding external client IP Address on a Palo Alto Networks Firewall. Leaking private data is a big concern and a simple oversight of a misconfigured firewall can wreak havoc, so with the power of wire data this playbook can block access in real-time and notify you to focus on a potential larger external access issue.
A trigger in the Phantom bundle detects an external IP address accessing an internal database. The trigger then sends this event from the ExtraHop appliance to a Phantom appliance. A Phantom playbook then begins with an automated investigation and remediation workflow. ExtraHop retrieves all of the peers that the external client and internal database server communicated with in the last 30 minutes as well as all of the protocols they communicated over in that same timeframe. Finally the Palo Alto Networks Firewall app blocks traffic from the specified external client IP address.
Playbook 3: Investigate Data Exfiltration Anomalies
This playbook processes an ExtraHop Addy anomaly of potential data exfiltration on your network. With Addy, your team can rest assured it will always be the first to know when there's a problem, so you can solve it quickly and proactively. This playbook puts that into action by automatically starting the investigation and taking the first steps toward responding to possible exfiltration of sensitive data.
After Reveal(x) detects a data exfiltration anomaly, it sends the important details of the anomaly to the Phantom appliance. This playbook first retrieves all of the peers acting as a client in the last 30 minutes for the device that triggered the anomaly. Then it filters out private IP addresses as defined in RFC1918. Next it looks up IP reputation scores for each of the non-private IP addresses that have communicated with the device that triggered the anomaly in the last 30 minutes. If a known bad IP address is found then that device will be tagged appropriately in ExtraHop and a task will be created for an analyst to manually look into this data exfiltration event further.
Unlock Easier Integrations
The Phantom integration for ExtraHop Reveal(x) enables you to integrate your existing security infrastructure together so that each part is actively participating in your defense strategy: quickly and easily integrate Reveal(x) with over 200 Phantom community apps without ever having to write a single line of code. This allows you to bring together the information needed to proactively identify potential security issues on your network in real-time, and gives you the tools to automate and orchestrate rapid security investigation, response, and remediation workflows between systems, ultimately improving efficiency and precision by orchestrating complex security workflows.
The Phantom integration is available for download on the Solutions Bundles Gallery.
Disclaimer: The example playbooks rely on third-party Phantom integrations that are tested and maintained independently of the ExtraHop app.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2018/revealx-phantom-integration-orchestration-automated-security-investigation-response/