Document toolboxDocument toolbox

ExtraHop Reveal(x) collector

Overview

ExtraHop Reveal(x) provides complete east-west visibility, real-time threat detection inside the perimeter, and intelligent response at scale. Use this collector to send ExtraHop Reveal(x) logs to Devo.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

  • collector server

  • on-premise

Populated Devo events

table

Flattening preprocessing

no

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Alerts

Get all the alert events

v1/alerts

alerts

ndr.extrahop.revealx360.alerts

v1.2.0

Detections

Get all the detection events

v1/detections

detections

ndr.extrahop.revealx360.detection

v1.2.0

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source

Collector service

Optional

Flattening details

Data source

Collector service

Optional

Flattening details

alerts

alerts

yes

Not required

detection

detection

yes

Not required

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

hostname

The hostname to ExtraHop Reveal(x) 360 API. (Ex : Base URL- https://{hostname}.api.cloud.extrahop.com/api/v1)

client_id

The ID for ExtraHop Reveal(x) 360 API.

token_endpoint

The token endpoint for to get the access token. ( Ex:-https://{hostname}.api.cloud.extrahop.com/oauth2/token)

secret

The secret to ExtraHop Reveal(x) 360 API

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

hostname

token_endpoint

client_id

secret

Authentication method

hostname

token_endpoint

client_id

secret

credentials

REQUIRED

REQUIRED

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Alerts

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

DevoSenderManager(internal_senders,manager,devo_us_1) -> Starting thread 2024-02-16T11:55:03.476 INFO InputProcess::MainThread -> Validating the rate limiter config given by the user 2024-02-16T11:55:03.476 INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead. 2024-02-16T11:55:03.476 INFO InputProcess::MainThread -> Adding raw config to the collector store 2024-02-16T11:55:03.476 INFO InputProcess::MainThread -> Running custom validation rules 2024-02-16T11:55:03.476 INFO InputProcess::MainThread -> Creating API client. 2024-02-16T11:55:03.477 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputInternalConsumer(internal_senders_consumer_0) -> Nothing retrieved from the persistence. 2024-02-16T11:55:03.477 INFO InputProcess::MainThread -> Created request client: <agent.modules.extrahop.commons.extrahop_client.ExtraHopClient object at 0x7f39e8cfda00> 2024-02-16T11:55:03.477 INFO InputProcess::MainThread -> ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) Finalizing the execution of init_variables() 2024-02-16T11:55:03.477 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(internal_senders,manager,devo_us_1) -> Nothing retrieved from the persistence. 2024-02-16T11:55:03.478 INFO InputProcess::MainThread -> InputThread(extrahop_revealx,1212345) - Starting thread (execution_period=60s) 2024-02-16T11:55:03.478 INFO InputProcess::MainThread -> ServiceThread(extrahop_revealx,1212345,alerts,predefined) - Starting thread (execution_period=60s) 2024-02-16T11:55:03.478 INFO InputProcess::MainThread -> ExtraHopPullerSetup(exatrhop_revealx_collector,extrahop_revealx#1212345,alerts#predefined) -> Starting thread 2024-02-16T11:55:03.478 INFO InputProcess::MainThread -> ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) - Starting thread 2024-02-16T11:55:03.478 WARNING InputProcess::ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) -> Waiting until setup will be executed 2024-02-16T11:55:03.478 WARNING InputProcess::ExtraHopPullerSetup(exatrhop_revealx_collector,extrahop_revealx#1212345,alerts#predefined) -> The token/header/authentication has not been created yet 2024-02-16T11:55:03.479 INFO InputProcess::ExtraHopPullerSetup(exatrhop_revealx_collector,extrahop_revealx#1212345,alerts#predefined) -> First run of the collector. Generating new access token. 2024-02-16T11:55:03.490 INFO OutputProcess::MainThread -> [GC] global: 34.2% -> 34.3%, process: RSS(43.61MiB -> 44.36MiB), VMS(929.29MiB -> 929.29MiB) 2024-02-16T11:55:03.498 INFO InputProcess::MainThread -> [GC] global: 34.2% -> 34.3%, process: RSS(43.26MiB -> 43.26MiB), VMS(497.02MiB -> 497.02MiB) 2024-02-16T11:55:04.007 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/mdtausif/Gitlab/devo-collector-extrahop-reveal/certs/chain.crt", "cert_path": "/home/mdtausif/Gitlab/devo-collector-extrahop-reveal/certs/int-if-integrations-india.crt", "key_path": "/home/mdtausif/Gitlab/devo-collector-extrahop-reveal/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-apac-0046", session_id: "139886749536368" 2024-02-16T11:55:06.489 INFO InputProcess::ExtraHopPullerSetup(exatrhop_revealx_collector,extrahop_revealx#1212345,alerts#predefined) -> Setup for module <ExtraHopPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

2024-02-16T12:29:07.496 INFO InputProcess::ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) -> Pull Started 2024-02-16T12:29:07.497 INFO InputProcess::ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) -> Fetching the data for extraHop 2024-02-16T12:29:09.029 INFO InputProcess::ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1708066747496):Number of requests made: 1; Number of events received: 9; Number of duplicated events filtered out: 9; Number of events generated and sent: 0; Average of events per second: 0.000. 2024-02-16T12:29:09.029 INFO InputProcess::ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1708066747496):Number of requests made: 1; Number of events received: 9; Number of duplicated events filtered out: 9; Number of events generated and sent: 0; Average of events per second: 0.000.

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2024-02-16T12:29:09.029 INFO InputProcess::ExtraHopPuller(extrahop_revealx,1212345,alerts,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1708066747496):Number of requests made: 1; Number of events received: 9; Number of duplicated events filtered out: 9; Number of events generated and sent: 0; Average of events per second: 0.000.

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the request_period_in_seconds parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

Error type

Error ID

Error message

Cause

Solution

SetupError

100

HTTP Error occurred while retrieving events from ExtraHop server

Client_id, Secret or token_endpoint are not correct

Make sure that credentials are correct.

101

Error occurred while retrieving events from ExtraHop server

Access_token is expired or invalid

Contact team in this case

PullError

 

300

HTTP Error occurred while retrieving events from ExtraHop server : {summery} , {details}

This error happens when the collector tries to fetch the data from API.

In this error you will find the HTTP error code as well as the summary and details.

301

Some Error occurred while retrieving events from ExtraHop server : {Exception}

Some exceptions occurred while making the API request.

Reach out to the developer with the exact error message.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Total number of messages sent: 0, messages sent since "2024-02-16 06:55:03.484110+00:00": 0 (elapsed 0.000 seconds)

Displays the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2024-02-16 06:55:03.484110+00:00.

  • 0 events where sent to Devo between the last UTC checkpoint and now.

  • Those 0 events required 0.000 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.2.0

Mar 21, 2024

IMPROVEMENTS
FEATURES

  • Updated the DCSDK version to 1.11.1

  • Added a new service detections

  • Added auto-update feature

Recommended version

v1.1.0

Feb 20, 2024

IMPROVEMENTS

Updated the DCSDK version to 1.11.0

Update

v1.0.0

Feb 16, 2024

FIRST RELEASE

Released the first version of the ExtraHop Revealx collector.

Initial release