This guide takes you through how to connect ExtraHop Reveal(x) 360 to Expel Workbench.

Prerequisites

  1. You must have System and Access Administration privileges in ExtraHop to perform the steps in this guide.

Quick Start

Setup includes the following steps (each step is described in detail in its own section below):

  1. Enable API Access for Reveal(x) 360
  2. Add Reveal(x) 360 as a Security Device in Workbench
  3. Set up ExtraHop Console Access for Expel

Step 1: Enable API Access for Reveal(x) 360

Please ensure you have met the prerequisites before proceeding with this step.

The first step is to create API credentials so that Expel can make REST calls and start receiving alerts.

  1. Log in to Reveal(x) 360.
  2. Navigate to the System Settings icon at the top right of the page and select All Administration.
  3. Select API Access.
  4. In the Manage API Access section, select Enable.
  5. Select Create Credentials.
  6. In the Create REST API Credentials section, configure the following:
    • Name - enter a name for the credential, for example, “Expel SOC”.
    • System access - Full read-only.
    • NDR Module Access - Full access.
    • NPM Module Access - Full access.
    • Packet and Session Key Access - No access.
  7. Select Save.
  8. Copy the API Endpoint, ID, and Secret credentials to a secure location.

Step 2: Add Reveal(x) 360 as a Security Device in Workbench

Now that you have your ExtraHop API Credentials, you can configure the integration in Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type "ExtraHop" and then select the ExtraHop Reveal(x) 360 integration.
  5. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration.
    • Location - enter the location of your integration.
    • Server address - enter the API endpoint URL from Step 1.
    • API key ID - enter the ID from Step 1.
    • API key secret - enter the Secret from Step 1.
  6. Select Save.
  7. Your device should be created successfully within a few seconds. A few reminders:
    1. After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    2. To check on the status, select the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.
    3. Polling will happen first; data will be received after that. You must refresh the page to see updates.
    4. If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.

Step 3: Set up ExtraHop Console Access for Expel

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, alerts cannot be verified by our analysts and an investigation cannot be initiated.

  1. Add a new user in the ExtraHop Reveal(x) 360 console. Refer to ExtraHop's RevealX 360 Setup and Administration Guide for more information.
  2. First name - type "Expel".
  3. Last name - type "Expel".
  4. Email - type "soc+<Your_Organization_Name>@expel.io".
    • Note: Be sure to include the "+" sign as part of the email address and substitute your organization name without the < > symbols.
  5. In the System Access section, select Full read-only privileges.
  6. Select Save.
  7. Select Done.
  8. Expel will handle the password reset and place the information into Workbench.

Troubleshooting

If your device status shows an Unhealthy connection in Workbench, ensure you have enabled "Full access" permissions for the NDR and NPM modules as instructed in Step 1.
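The following script is an added pre-flight check for the credentials created in Step 1 and for the Unhealthy-connection case above; it is example code written for this guide, not Expel's or ExtraHop's own tooling. It assumes that Reveal(x) 360 issues bearer tokens from `POST <API endpoint>/oauth2/token` using the OAuth2 client-credentials grant with the ID and Secret sent as HTTP Basic auth, and that `GET <API endpoint>/api/v1/extrahop` is readable with "Full read-only" system access; both endpoints are assumptions here, and the credential values shown are constructed placeholders.

```python
"""Pre-flight check of Reveal(x) 360 REST API credentials before entering them in Workbench.

Example code for this guide (not Expel's or ExtraHop's). Assumptions:
- Token endpoint: POST <API endpoint>/oauth2/token, client_credentials grant, Basic auth.
- Read-only probe: GET <API endpoint>/api/v1/extrahop with a Bearer token.
"""
import base64
import json
import sys
import urllib.error
import urllib.request


def normalize_endpoint(api_endpoint: str) -> str:
    """Turn the API Endpoint copied in Step 1 (host or URL) into an https base URL."""
    base = api_endpoint.strip().rstrip("/")
    if not base.startswith("https://"):
        base = "https://" + base
    return base


def build_token_request(api_endpoint: str, key_id: str, key_secret: str) -> urllib.request.Request:
    """Build the token request: ID:Secret as Basic auth, client_credentials in the body."""
    creds = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return urllib.request.Request(
        f"{normalize_endpoint(api_endpoint)}/oauth2/token",
        data=b"grant_type=client_credentials",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


def parse_token_response(body: bytes) -> str:
    """Extract the bearer token from a standard OAuth2 token response document."""
    doc = json.loads(body)
    token = doc.get("access_token")
    if not token or doc.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("token response did not contain a bearer access_token")
    return token


def classify_failure(status: int) -> str:
    """Map an HTTP failure on the token exchange to the Step 1 setting to re-check."""
    if status in (401, 403):
        return "ID/Secret rejected: re-copy the credential from Step 1 or create a new one"
    if status == 404:
        return "token endpoint not found: check the API Endpoint value copied in Step 1"
    return f"unexpected HTTP {status}: confirm API Access is enabled in Reveal(x) 360"


def check_credentials(api_endpoint: str, key_id: str, key_secret: str) -> dict:
    """Exchange the credentials for a token, then make one read-only call with it."""
    try:
        with urllib.request.urlopen(build_token_request(api_endpoint, key_id, key_secret), timeout=15) as resp:
            token = parse_token_response(resp.read())
    except urllib.error.HTTPError as err:
        return {"ok": False, "stage": "token", "reason": classify_failure(err.code)}
    except (urllib.error.URLError, ValueError) as err:
        return {"ok": False, "stage": "token", "reason": str(err)}

    probe = urllib.request.Request(
        f"{normalize_endpoint(api_endpoint)}/api/v1/extrahop",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(probe, timeout=15) as resp:
            info = json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # A token that cannot read basic system info points at the System access setting in Step 1.
        return {"ok": False, "stage": "read-only probe", "reason": f"HTTP {err.code}: check System access"}
    return {"ok": True, "stage": "done", "reason": f"authenticated; platform info keys: {sorted(info)[:5]}"}


if __name__ == "__main__":
    # Constructed placeholders; replace with the values copied in Step 1.
    result = check_credentials("example.api.cloud.extrahop.com", "PLACEHOLDER_ID", "PLACEHOLDER_SECRET")
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Run it once before Step 2: a failure at the "token" stage means the ID, Secret, or API Endpoint was copied incorrectly, while a failure at the probe stage means the credential exists but cannot read system data. Note that this check cannot confirm the NDR and NPM module settings; if the token exchange succeeds but Workbench still reports Unhealthy, re-check those two module permissions in Step 1.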