
ids.extrahop

Introduction

The tags beginning with ids.extrahop identify events generated by ExtraHop: parsed protocol transactions (for example DNS, HTTP, NTLM or SSL), security detections, audit events and flow records.

Tag structure

The full tag must have three levels. The first two are fixed as ids.extrahop. The third level identifies the type of event sent: either a record category such as audit, detections, crwd (detections correlated with CrowdStrike process information) or flow, or the protocol the event was parsed from (cifs, dns, http, ntlm, ssl, and so on).

Technology

Brand

Type

ids

extrahop

  • audit
  • detections
  • cifs
  • crwd
  • dhcp
  • dns
  • ftp
  • http
  • kerberos
  • ldap
  • llmnr
  • mongodb
  • nfs
  • ntlm
  • rdp
  • rfb
  • rpc
  • ssh
  • ssl
  • telnet
  • flow

Therefore, the valid tags and tables include:

  • ids.extrahop.audit
  • ids.extrahop.detections
  • ids.extrahop.cifs
  • ids.extrahop.crwd
  • ids.extrahop.dhcp
  • ids.extrahop.dns
  • ids.extrahop.ftp
  • ids.extrahop.http
  • ids.extrahop.kerberos
  • ids.extrahop.ldap
  • ids.extrahop.llmnr
  • ids.extrahop.mongodb
  • ids.extrahop.nfs
  • ids.extrahop.ntlm 
  • ids.extrahop.rdp
  • ids.extrahop.rfb
  • ids.extrahop.rpc
  • ids.extrahop.ssh
  • ids.extrahop.ssl
  • ids.extrahop.telnet
  • ids.extrahop.flow

How is the data sent to Devo?

You can send the logs generated by ExtraHop to Devo using NXLog as the forwarder. See the NXLog configuration guide for how to configure your product and start forwarding logs to Devo. Note that these events carry user names, host names, internal addressing and authentication metadata (for example NTLM challenge values, LDAP search filters and TLS certificate fingerprints), so forward them over an encrypted (TLS) NXLog output and restrict read access to the resulting tables.

Log samples

The following are sample logs sent to each of the ids.extrahop tags. The samples are anonymized: IP addresses, user names, domains, hashes and URLs are illustrative placeholders and should not be used as test indicators. The bare number that follows some JSON samples (for example 1599001423010.471) is not part of the JSON object and appears to be an epoch-millisecond timestamp. Two samples (ids.extrahop.nfs and ids.extrahop.ntlm) contain unquoted string values left over from anonymization and will not parse as strict JSON as written.

Tag | Log sample
ids.extrahop.auditname=\\"Alert notification\\" event_id=158258207165673 alert_name=\\"CIFS Error Threshold\\" alert_comment=\\"\\" object_name=\\"Cisco BAC0B1\\" object_type=\\"device\\" object_id=68719477011 object_str_id=\\"cc167ebac0b10000\\" macaddr=\\"52:57:73:06:0f:12\\" ipaddr=\\"None\\" alert_expression=\\"((extrahop.device.cifs_server:rsp_error) over 60 sec) > 1000 (units: period)\\" alert_value=\\"1122.0\\" alert_severity=3'
ids.extrahop.cifs{"proto": "TCP", "clientAddr": "45.101.71.49", "serverAddr": "101.251.238.152", "clientPort": 49282, "serverPort": 445, "reqBytes": 108, "reqL2Bytes": 162, "reqPkts": 1, "rspBytes": 77, "rspL2Bytes": 131, "rspPkts": 1, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "accessTime": null, "error": "STATUS_INVALID_INFO_CLASS", "isCommandFileInfo": true, "isCommandLock": false, "isCommandRead": false, "isCommandWrite": false, "isCommandCreate": false, "isCommandDelete": false, "isCommandRename": false, "method": "SMB2_GET_INFO", "reqSize": 104, "rspSize": 73, "resource": "ush_ddm13_01_cv_cifs_02\\\\\\\\CV_MAGNETIC\\\\\\\\V_5996658\\\\\\\\CHUNK_61334350\\\\\\\\SFILE_CONTAINER_299", "share": null, "statusCode": 3221225475, "user": "espinozakim", "processingTime": 0.196, "reqTransferTime": 0, "rspTransferTime": 0}1599001423010.471'
ids.extrahop.crwd

{"Time": "2021-01-01T01:00:01.000Z", "DetectionId": 1234567891, "ImageFileName": "\\Device\\HarddiskVolume1\\Program Files\\MyApp\\myapp.exe", "CommandLine": "\"/mydir/file.jpg -parameter Files\\MyApp\\myapp.exe\" -SCMStartup MaxThreads=10", "PID": "pid:adfd01563a1f5d6a5d5f6a3a1fa4d2f1:179625143625", "AID": "adfd01563a1f5d6a5d5f6a3a1fa4d2f1", "SHA256HashData": "a7ba8e9f91810fa8f8a9b7a5f1aa99317758ab1c4a1af5a6f69ef5afae4f1a5c", "UserSid": "jdoe", "OffenderIP": "1.2.3.4", "VictimIP": ["10.10.0.12","10.10.0.13","10.10.0.14","10.10.0.15","10.10.0.16"], "Message": "Crowdstrike process information has been correlated with an Extrahop detection.", "URL": "https://var/generic/alpha/dog.txt/#/file.txt/1234567891"}

ids.extrahop.detections{"url": "https://opt/until/seven/alejandro71/truth/together/beat.json/#/bin/plant/specific/take/seychelles/national/mother.mp4/90194368224", "agent": "eh02p-ms", "manager": "ExtraHop", "agent_time": 1594207427, "alertgroup": "eh_detections", "alertkey": "extrahop.detection.device", "agent_location": "eh02p-ms", "description": "[srv-26.moss.info](#/etc/serve/stand.mov/71c23d0f7030415db083b30fd0fa0820.fff48b9bc70a0000/etc/indicate/evidence/president/usually.mp34?from=1594201380&interval_type=DT&until=1594201920) sent an unusually high number of TCP SYN packets to many IP addresses or ports across your network. An attacker might be looking for devices or services that are listening on open TCP ports. This detection appears when a device sends an unusually large number of TCP SYN packets without completing the connection across a large number of ports or IP addresses.\\\\n\\\\nThis device scanned approximately 1700 port and device combinations.\\\\n\\\\nThe following port was scanned:\\\\n\\\\n* 22 (SSH)", "first_event_time": 1594201380, "class": "TCP SYN Scan Detected", "source": "Security:Reconnaissance", "type": "tcp_syn_scan:Subsided", "risk_score": 37, "participantsIP": ["offender:46.18.86.231"], "participantsMAC": ["offender:a7:ee:08:0c:35:9a"], "participantsDNS": ["offender:srv-26.moss.info"], "participantsDHCP": [], "participantsCDP": [], "participantsNETBIOS": [], "participantsAPPID": [], "properties": {"query_name": "beacons2.gvt2.com", "client_port": 62444, "server_port": 53}}'
ids.extrahop.dhcp{"proto": "UDP", "clientAddr": "25.89.37.156", "serverAddr": "124.61.108.96", "clientPort": 67, "serverPort": 67, "vendor": "RTIAgent", "paramReqList": null, "clientReqDelay": 0, "reqBytes": 254, "reqL2Bytes": 600, "reqPkts": 2, "gwAddr": "25.89.37.156", "htype": 1, "chaddr": "72:1f:a2:7c:32:5c", "msgType": "DHCPINFORM", "txId": 1599128256}1599127936562.3'
ids.extrahop.dns{"proto": "UDP", "clientAddr": "211.163.99.71", "serverAddr": "193.149.238.32", "clientPort": 65413, "serverPort": 53, "clientZeroWnd": 0, "serverZeroWnd": 0, "opcode": "QUERY", "qname": "desktop-47.ellis-gonzalez.org", "qtype": "A", "txId": 1519, "error": "NXDOMAIN", "isAuthoritative": false, "isRspTruncated": false, "isRecursionAvailable": true, "isAuthenticData": false, "rspBytes": 132, "rspL2Bytes": 178, "rspPkts": 1, "processingTime": 0.267, "answers": []}'
ids.extrahop.flow{"time":1591173363716.285,"host":"email-18.rose.com","source":"Extrahop","sourcetype":"_json","index":"app","event":{"eh_event":"flow","device_group":"all-traffic","client_ip":"85.204.206.117","client_port":63967,"protocol":"tcp","server_ip":"107.142.16.32","server_port":8403,"server_bytes":0,"server_name":["srv-10.ryan.com"],"client_name":["srv-15.savage.org"],"client_bytes":80,"EDA_Name":"81.252.122.230"}}'
ids.extrahop.ftp{"proto": "TCP", "clientAddr": "80.121.158.101", "serverAddr": "145.237.58.17", "clientPort": 56443, "serverPort": 21, "reqBytes": 6, "reqL2Bytes": 64, "reqPkts": 1, "rspBytes": 50, "rspL2Bytes": 108, "rspPkts": 1, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "roundTripTime":2.859, "args": "", "cwd": "/bin/plant/but.mp3", "error": null, "isReqAborted": false, "isRspAborted": false, "method": "PASV", "path": null, "statusCode": 227, "processingTime": 0.692, "user": "gonzalezdesiree", "transferBytes": null}1599144725876.928'
ids.extrahop.http{"proto": "TCP", "clientAddr": "124.163.41.107", "serverAddr": "147.121.40.113", "clientPort": 53527, "serverPort": 8081, "reqBytes": 207, "reqL2Bytes": 339, "reqPkts": 2, "rspBytes": 5835, "rspL2Bytes": 6165, "rspPkts": 5, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "contentType": "text/opt/kenya/mind/bed.png", "host": "147.121.40.113:8081", "method": "POST", "uri": "147.121.40.113:8081/etc/this/indicate/fish.tiff31/dev/set/with.json2", "referer": null, "origin": null, "title": null, "userAgent": "gjames", "isRspAborted": false, "isReqAborted": false, "isRspChunked": false, "isRspCompressed": false, "isPipelined": false, "reqSize": 87, "rspSize": 5748, "isSQLi": false, "isXSS": false, "reqTimeToLastByte": 0, "rspTimeToLastByte": 2.589, "rspTimeToFirstHeader": 2.218, "rspTimeToFirstPayload": 2.218, "processingTime": 2.218, "thinkTime": 0.18, "statusCode": 200, "rspVersion": "1.1"}1599001423010.471'
ids.extrahop.kerberos{"proto": "TCP", "clientAddr": "5.91.218.33", "serverAddr": "178.180.165.142", "clientPort": 59067, "serverPort": 389, "reqBytes": 0, "reqL2Bytes": 0, "reqPkts": 0, "rspBytes": 0, "rspL2Bytes": 0, "rspPkts": 0, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "error": null, "processingTime": null, "cNameType": null, "cNames": null, "clientPrincipalName": null, "cRealm": null, "msgType": "AP_REP", "realm": null, "ticketHash": null, "sNameType": null, "sNames": null, "serverPrincipalName": null, "isPriv": false, "user": "xbrown"}1599001423010.471'
ids.extrahop.ldap{"proto": "TCP", "clientAddr": "202.42.190.150", "serverAddr": "147.181.94.92", "clientPort": 53566, "serverPort": 389, "reqBytes": 551, "reqL2Bytes": 609, "reqPkts": 1, "rspBytes": 0, "rspL2Bytes": 0, "rspPkts": 0, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "bindDN": null, "searchFilter": "(&(objectclass=group)(|(|(|(|(|(|(|(|(objectsid=01020000000000052000000021020000)(objectsid=010500000000000515000000661ebe016b3e49402c584a4f69f81800))(objectsid=010500000000000515000000661ebe016b3e49402c584a4f97780e00))(objectsid=010500000000000515000000661ebe016b3e49402c584a4f76820900))(objectsid=010500000000000515000000661ebe016b3e49402c584a4f0f380a00))(objectsid=010500000000000515000000661ebe016b3e49402c584a4f1c1c0000))(objectsid=010500000000000515000000661ebe016b3e49402c584a4f0c8d0c00))(objectsid=010500000000000515000000661ebe016b3e49402c584a4f01020000))(objectsid=010500000000000515000000661ebe016b3e49402c584a4ffc0f1300)))", "searchScope": "wholeSubtree", "dn": "dc=ad,dc=nike,dc=com", "method": "SearchRequest", "msgSize": 551, "saslMechanism": null, "isEncrypted": false}'
ids.extrahop.llmnr{"proto": "UDP", "clientAddr": "fe80::b1dd:4ee7:64ef:b97b", "serverAddr": "ff02::1:3", "clientPort": 58330, "serverPort": 5355, "qname": "TruePS", "opcode": "QUERY", "qtype": "AAAA", "reqBytes": 24, "reqL2Bytes": 90, "reqPkts": 1, "error":null,"answer":{"name":"DF-NIKHAM-HMI02","ttl":30,"type":"A","data":"19.115.40.238"}}1599144910663.173'
ids.extrahop.mongodb{"proto": "TCP", "clientAddr": "187.73.119.64", "serverAddr": "128.34.210.199", "clientPort": 57072, "serverPort": 27017, "reqBytes": 58, "reqL2Bytes": 198, "reqPkts": 2, "rspBytes": 524, "rspL2Bytes": 594, "rspPkts": 1, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "isReqAborted": false, "isReqTruncated": false, "reqSize": 58, "reqTimeToLastByte": 0, "collection": "$cmd", "database": "admin", "method": "QUERY", "opcode": "OP_QUERY", "user": null}1599145180211.204'
ids.extrahop.nfs{"proto": "TCP", "clientAddr": "115.119.60.4", "serverAddr": "72.146.104.188", "clientPort": 747, "serverPort": 2049, "reqBytes": 156, "reqL2Bytes": 296, "reqPkts": 2, "rspBytes": 8324, "rspL2Bytes": 8464, "rspPkts": 2, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "accessTime": 1.772, "authMethod": "AUTH_SYS", "error": "null", "isCommandFileInfo": false, "isCommandRead": true, "isCommandWrite": false, "method": "READ", "offset": 18446744071680470000, "renameDirChanged": false, "reqSize": 152, "rspSize": 8320, "resource": ".../7db0b459-55f6-42a5-b399-264cc14a53a3/7db0b459-55f6-42a5-b399-264cc14a53a3-delta.vmdk", "statusCode": "OK", "user":edwardgreen, "version": 3, "txId": 1703069359, "isRspAborted": false, "processingTime": 1.772, "reqTransferTime": 0, "rspTransferTime": 0}1599145213995.978'
ids.extrahop.ntlm{"proto": "TCP", "senderAddr": "41.177.6.13", "receiverAddr": "134.182.165.33", "senderPort": 445, "receiverPort": 49717, "ntlmRspVersion":johnsteele, "challenge": "67eab270b7b8b3f7", "msgType": "NTLM_CHALLENGE", "domain": "NIKE", "workstation":johnsteele, "user":johnsteele, "l7proto": "CIFS", "windowsVersion": "6.3.9600"}1599145243896.42'
ids.extrahop.rdp{"proto": "TCP", "clientAddr": "38.24.157.112", "serverAddr": "169.33.106.105", "clientPort": 65334, "serverPort": 3389, "cookie": null, "requestedProtocols": ["TLS", "Hybrid/bin/ulambert/ythompson/industry/opportunity.mp4", "Early User Auth"], "selectedProtocol": "Early User Auth", "isEncrypted": true}1599145268966.152'
ids.extrahop.rfb{"proto": "TCP", "clientAddr": "199.157.59.120", "serverAddr": "218.243.225.239", "clientPort": 62566, "serverPort": 5900, "version": "003.008", "error": null, "authType": 2, "authResult": 0}1599134326181.602'
ids.extrahop.rpc{"proto": "TCP", "clientAddr": "152.163.171.144", "serverAddr": "91.210.116.22", "clientPort": 58737, "serverPort": 49155, "clientBytes": 0, "clientL2Bytes": 0, "clientPkts": 0, "serverBytes": 376, "serverL2Bytes": 434, "serverPkts": 1, "serverRTO": 0, "clientRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "authType": "SEC_CHAN - Packet Privacy", "interface": "lsarpc", "operation": "LsarLookupSids3"}1599145231289.075'
ids.extrahop.ssh{"proto": "TCP", "clientAddr": "47.216.218.249", "serverAddr": "31.81.36.181", "clientPort": 37818, "serverPort": 22, "clientBytes": 0, "clientL2Bytes": 0, "clientPkts": 0, "serverBytes": 0, "serverL2Bytes": 0, "serverPkts": 0, "serverRTO": 0, "clientRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "reqBytes": 0, "reqL2Bytes": 0, "reqPkts": 0, "rspBytes": 0, "rspL2Bytes": 0, "rspPkts": 0, "rspRTO": 0, "reqRTO": 0, "clientVersion": "2.0", "serverVersion": "2.0", "clientImplementation": "OpenSSH_7.4p1", "serverImplementation": "babeld-eebf1bc", "clientCipherAlgorithm": null, "serverCipherAlgorithm": null, "clientMacAlgorithm": null, "serverMacAlgorithm": null, "clientCompressionAlgorithm": null, "serverCompressionAlgorithm": null, "kexAlgorithm": null, "duration": 333}1599145375033.609'
ids.extrahop.ssl{"proto": "TCP", "clientAddr": "95.141.235.220", "serverAddr": "71.80.45.71", "clientPort": 40097, "serverPort": 443, "reqBytes": 0, "reqL2Bytes": 0, "reqPkts": 0, "rspBytes": 0, "rspL2Bytes": 0, "rspPkts": 0, "rspRTO": 0, "reqRTO": 0, "clientZeroWnd": 0, "serverZeroWnd": 0, "clientBytes": 0, "clientL2Bytes": 0, "clientPkts": 0, "serverBytes": 0, "serverL2Bytes": 0, "serverPkts": 0, "serverRTO": 0, "clientRTO": 0, "version": "TLSv1.2", "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "isWeakCipherSuite": false, "isCompressed": false, "certificateSubject": "*srv-66.wright-hess.com", "certificateIssuer": "DigiCert Global CA G2", "certificateNotAfter": 1631217600, "certificateNotBefore": 1568016000, "certificateFingerprint": "7C7FEF2DE04C58900BB1409B0037B97D208E7895", "certificateSignatureAlgorithm": "sha256WithRSAEncryption", "certificateKeySize": 2048, "certificateIsSelfSigned": false, "certificateSerial": "01cf23897aa0e904964a25861a889591", "certificateSubjectAlternativeNames": ["*email-24.brooks.com", "*db-00.villanueva-sullivan.com", "*srv-80.pittman.info", "*email-97.simmons-davis.net", "*web-72.suarez-davis.com", "*email-25.patel.com", "*srv-23.ramsey.info", "*laptop-86.casey-cruz.org", "*srv-39.miller.com", "*lt-48.kramer.info", "*db-66.johnson-johnson.com", "*desktop-66.ingram.com", "*laptop-38.burton-young.org", "*srv-66.wright-hess.com", "*desktop-90.arnold-patton.org", "*laptop-45.gibson.org", "*db-99.burch.net"], "isRenegotiate": false, "handshakeTime": 27.178, "host": "srv-13.wallace.com", "clientCertificateRequested": false, "ja3Hash": "7420b4f827cd9cc70e34073cf48fc795", "ja3sHash": "303951d4c50efb2e991652225a6f02b1"}1599001423010.471'
ids.extrahop.telnet{"proto": "TCP", "senderAddr": "212.208.247.16", "receiverAddr": "113.36.190.151", "senderPort": 23, "receiverPort": 59138, "senderBytes": 0, "senderL2Bytes": 0, "senderPkts": 0, "receiverBytes": 0, "receiverL2Bytes": 0, "receiverPkts": 0, "receiverRTO": 0, "senderRTO": 0, "senderZeroWnd": 0, "receiverZeroWnd": 0, "command": null, "option": null}1599145448163.479'