{
  "name": "extrahop",
  "title": "ExtraHop",
  "version": "0.3.1",
  "release": "beta",
  "description": "Collect logs from ExtraHop RevealX 360 with Elastic Agent.",
  "type": "integration",
  "download": "/epr/extrahop/extrahop-0.3.1.zip",
  "path": "/package/extrahop/0.3.1",
  "icons": [
    {
      "src": "/img/extrahop-logo.svg",
      "path": "/package/extrahop/0.3.1/img/extrahop-logo.svg",
      "title": "ExtraHop logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "~8.18.5 || ^8.19.2 || ~9.0.5 || ^9.1.2"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security"
  ],
  "signature_path": "/epr/extrahop/extrahop-0.3.1.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/extrahop/0.3.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/extrahop-detection.png",
      "path": "/package/extrahop/0.3.1/img/extrahop-detection.png",
      "title": "Detection dashboard screenshot",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/extrahop-investigation.png",
      "path": "/package/extrahop/0.3.1/img/extrahop-investigation.png",
      "title": "Investigation dashboard screenshot",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/extrahop/0.3.1/LICENSE.txt",
    "/package/extrahop/0.3.1/changelog.yml",
    "/package/extrahop/0.3.1/lifecycle.yml",
    "/package/extrahop/0.3.1/manifest.yml",
    "/package/extrahop/0.3.1/validation.yml",
    "/package/extrahop/0.3.1/docs/README.md",
    "/package/extrahop/0.3.1/img/detection-dashboard.png",
    "/package/extrahop/0.3.1/img/extrahop-detection.png",
    "/package/extrahop/0.3.1/img/extrahop-investigation.png",
    "/package/extrahop/0.3.1/img/extrahop-logo.svg",
    "/package/extrahop/0.3.1/data_stream/detection/manifest.yml",
    "/package/extrahop/0.3.1/data_stream/detection/sample_event.json",
    "/package/extrahop/0.3.1/data_stream/investigation/manifest.yml",
    "/package/extrahop/0.3.1/data_stream/investigation/sample_event.json",
    "/package/extrahop/0.3.1/kibana/dashboard/extrahop-0987a5a3-15cb-4579-b298-08d170e7cb01.json",
    "/package/extrahop/0.3.1/kibana/dashboard/extrahop-b0c614d7-64df-4edd-9b21-7069602ae219.json",
    "/package/extrahop/0.3.1/kibana/search/extrahop-d2c0d7c5-4e87-4141-a8e4-63fc832bf6b6.json",
    "/package/extrahop/0.3.1/kibana/search/extrahop-ebb2005b-1947-4cb9-97fb-5f03cbe8b206.json",
    "/package/extrahop/0.3.1/data_stream/detection/fields/base-fields.yml",
    "/package/extrahop/0.3.1/data_stream/detection/fields/beats.yml",
    "/package/extrahop/0.3.1/data_stream/detection/fields/ecs.yml",
    "/package/extrahop/0.3.1/data_stream/detection/fields/fields.yml",
    "/package/extrahop/0.3.1/data_stream/detection/fields/is-transform-source-true.yml",
    "/package/extrahop/0.3.1/data_stream/investigation/fields/base-fields.yml",
    "/package/extrahop/0.3.1/data_stream/investigation/fields/beats.yml",
    "/package/extrahop/0.3.1/data_stream/investigation/fields/ecs.yml",
    "/package/extrahop/0.3.1/data_stream/investigation/fields/fields.yml",
    "/package/extrahop/0.3.1/data_stream/investigation/fields/is-transform-source-true.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_detection/manifest.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_detection/transform.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_investigation/manifest.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_investigation/transform.yml",
    "/package/extrahop/0.3.1/data_stream/detection/agent/stream/cel.yml.hbs",
    "/package/extrahop/0.3.1/data_stream/detection/elasticsearch/ingest_pipeline/default.yml",
    "/package/extrahop/0.3.1/data_stream/investigation/agent/stream/cel.yml.hbs",
    "/package/extrahop/0.3.1/data_stream/investigation/elasticsearch/ilm/default_policy.json",
    "/package/extrahop/0.3.1/data_stream/investigation/elasticsearch/ingest_pipeline/default.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_detection/fields/base-fields.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_detection/fields/beats.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_detection/fields/ecs.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_detection/fields/fields.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_detection/fields/is-transform-source-false.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_investigation/fields/base-fields.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_investigation/fields/beats.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_investigation/fields/ecs.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_investigation/fields/fields.yml",
    "/package/extrahop/0.3.1/elasticsearch/transform/latest_investigation/fields/is-transform-source-false.yml"
  ],
  "policy_templates": [
    {
      "name": "extrahop",
      "title": "ExtraHop RevealX 360 Logs",
      "description": "Collect logs from ExtraHop RevealX 360 API.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "Base URL of the ExtraHop RevealX 360 API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID of the ExtraHop RevealX 360 API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret used to authenticate to the ExtraHop RevealX 360 API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect logs from ExtraHop RevealX 360 API",
          "description": "Collecting logs via ExtraHop RevealX 360 API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "extrahop.detection",
      "title": "Collect Detection logs from ExtraHop RevealX 360.",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the logs from ExtraHop RevealX 360 API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the ExtraHop RevealX 360 API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Page size for the response of the ExtraHop RevealX 360 API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 10000
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system for debugging configurations. Enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field event.original.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "extrahop-detection"
              ]
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve extrahop.detection fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "ExtraHop RevealX 360 Detection",
          "description": "Collect ExtraHop RevealX 360 Detection logs.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "extrahop",
      "path": "detection"
    },
    {
      "type": "logs",
      "dataset": "extrahop.investigation",
      "ilm_policy": "logs-extrahop.investigation-default_policy",
      "title": "Collect Investigation logs from ExtraHop RevealX 360.",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the ExtraHop RevealX 360 API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system for debugging configurations. Enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field event.original.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "extrahop-investigation"
              ]
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve extrahop.investigation fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "ExtraHop RevealX 360 Investigation",
          "description": "Collect ExtraHop RevealX 360 Investigation logs.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "extrahop",
      "path": "investigation"
    }
  ]
}
