Channel: ExtraHop Networks » Performance Metric of the Month

Track the Entire Threat Lifecycle with ExtraHop + FireEye TAP


Visibility gets you many things: high-performing applications, faster remediation and, perhaps most importantly, peace of mind. That’s why we’re super excited to show off our recently announced partnership with the FireEye Threat Analytics Platform (TAP). Taking advantage of the ExtraHop Open Data Stream, we combine industry-leading security expertise from FireEye with the ExtraHop platform’s unprecedented wire data visibility.

In the video above, I walk through an example security event and show how the ExtraHop-FireEye integration enables you to track the attack from the initial compromise to the final data exfiltration:

  1. A malicious actor from a known bad domain/IP sends a phishing email message with a malicious attachment. This is a common method for gaining initial system access, alongside stolen credentials or internal bad actors.
  2. An unsuspecting user opens the attachment, and their host is compromised.
  3. The compromised host downloads a rootkit from the same bad domain over HTTP, which then replaces common utilities and disables all logging.
  4. The rooted host builds an outbound SSH connection to use as a reverse tunnel for command and control. Although firewalls block inbound SSH connections, outbound connections are often allowed.
  5. The malicious actor scans the network for potential database targets using, for example, an Nmap TCP-SYN scan, a type of stealth port scan that avoids the full TCP three-way handshake.
  6. Once an unsecured, internal database is found, the malicious actor tries common username/password combinations to identify possible points of access.
  7. With successful credentials, the malicious actor queries the database for sensitive data.
  8. After the sensitive data is found, the attacker uploads it to a hosted FTP server (hosted at the same origin IP) and then kills all connections.

Watch the video to see how the combination of ExtraHop wire data analytics and the FireEye TAP help you detect and investigate this type of threat. Specifically, this technology integration enables you to:

  • Use FireEye to identify and alert on malicious characteristics in HTTP request and response metrics from ExtraHop, such as MD5 fingerprints, IP addresses, and domains.
  • Investigate other events related to the source IP address, such as email messages with large attachments and outbound SSH connections.
  • Investigate the contextual communications of the target host using ExtraHop, including a flood of ICMP traffic and a high number of TCP SYNs sent without corresponding connections established. Combined, these communications indicate an Nmap TCP-SYN scan.
  • Verify suspicious SSH and HTTP activity in ExtraHop, and examine unusual database communications that show a spike in data requested as well as Access Denied errors with common database usernames. The ExtraHop platform can even expose the exact SQL query that resulted in the large database response.
  • Switch over to FTP communications for the targeted host to see a large FTP upload to the attacking IP address. With the ability to see which database was accessed and which queries used, you can take appropriate steps to address the data leakage.
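
The SYN-scan indicators listed above, worked through as an added example that is not from the post or from ExtraHop: a small heuristic over constructed connection records that scores each source host on SYNs with no completed handshake and on a burst of ICMP echo requests. The record shape, the thresholds and the 10.0.x.x addresses are all assumptions made for this illustration.

```javascript
// Added example, not from the post or from ExtraHop: a small heuristic over constructed
// connection records that scores each source host on the two signals the post names for
// an Nmap TCP-SYN scan (SYNs with no completed handshake, plus a burst of ICMP echo
// requests). Record shape, thresholds and the 10.0.x.x addresses are all assumptions.
const FLOWS = [
  // constructed: a normal client finishes its handshake to the web tier
  { src: "10.0.0.7", dst: "10.0.1.20", proto: "tcp", dport: 443, state: "syn" },
  { src: "10.0.0.7", dst: "10.0.1.20", proto: "tcp", dport: 443, state: "established" },
  // constructed: one host probes common database ports and never completes a handshake
  ...[22, 80, 443, 1433, 1521, 3306, 5432, 27017].map(dport =>
    ({ src: "10.0.0.5", dst: "10.0.1.30", proto: "tcp", dport, state: "syn" })),
  // constructed: the same host pings a run of neighbouring addresses
  ...["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13"].map(dst =>
    ({ src: "10.0.0.5", dst, proto: "icmp", dport: null, state: "echo" })),
];

// Per source: which dst:port pairs received a SYN, which of those reached "established",
// and how many distinct hosts were pinged.
function summarizeBySource(flows) {
  const bySrc = new Map();
  for (const f of flows) {
    if (!bySrc.has(f.src)) {
      bySrc.set(f.src, { synTargets: new Set(), established: new Set(), icmpHosts: new Set() });
    }
    const s = bySrc.get(f.src);
    if (f.proto === "tcp" && f.state === "syn") s.synTargets.add(f.dst + ":" + f.dport);
    if (f.proto === "tcp" && f.state === "established") s.established.add(f.dst + ":" + f.dport);
    if (f.proto === "icmp" && f.state === "echo") s.icmpHosts.add(f.dst);
  }
  return bySrc;
}

// A source is flagged when it sent SYNs to at least minSynTargets distinct targets and at
// most maxCompletedRatio of them ever completed the handshake. An ICMP sweep from the same
// source is recorded as corroboration, matching the post's "combined" reading of the signals.
function findSynScanners(flows, { minSynTargets = 5, maxCompletedRatio = 0.2, minIcmpHosts = 3 } = {}) {
  const flagged = [];
  for (const [src, s] of summarizeBySource(flows)) {
    const total = s.synTargets.size;
    const completed = [...s.synTargets].filter(t => s.established.has(t)).length;
    if (total < minSynTargets || completed / total > maxCompletedRatio) continue;
    flagged.push({
      src,
      halfOpen: total - completed,
      synTargets: total,
      icmpHosts: s.icmpHosts.size,
      corroboratedByIcmp: s.icmpHosts.size >= minIcmpHosts,
    });
  }
  return flagged;
}
```

Tune the thresholds to the baseline of your own network: a load balancer or a vulnerability scanner will legitimately open many half-open connections, so the list of flagged sources is a starting point for investigation, not a verdict.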

Read about the ExtraHop platform’s security and compliance capabilities.

Ideally, this attack would be stopped by antivirus software or a firewall, but the ExtraHop-FireEye TAP integration equips you to identify and stop an attacker that makes it through a hardened perimeter. With real-time alerting and powerful forensic capabilities at your fingertips, you can help to mitigate the cost to your business.

Interested in learning more? Download our ExtraHop+FireEye datasheet or contact our field team.


The Step-by-Step Guide to Building Stellar ExtraHop Dashboards

A custom dashboard built to track order fulfillment in a warehouse. In this post, we will show how to build a custom dashboard like this one.

At a recent ExtraHop user forum, users asked for guidance in creating dashboards. Here in the ExtraHop Technical Marketing Engineering (TME) group, we have a methodology that has helped us successfully organize and create dozens of dashboards. The cycle we go through is design, explore, implement, use, and iterate.

Using such a methodology and exploring the interface, dashboards are not only easy to create but also fun. It’s amazing to watch your data come alive and tell you things that you didn’t know before. As always, the ExtraHop platform Web Users guide is the complete reference on dashboards: https://forum.extrahop.com/static/WebUI_Users_Guide.pdf/.

What Are Dashboards?

ExtraHop dashboards are fully customizable HTML pages that display real-time and historic data for any of the thousands of built-in or custom-created metrics in the ExtraHop platform.

If you would like to create a dashboard while reading along with this post, sign up for the online demo or download the ExtraHop Discovery Edition.

What Does a Dashboard Look Like?

Let’s take a look at a dashboard final product. In the dashboard shown below, the user has built a page to track potential exfiltration of personally identifiable information (PII). If there are any indications that someone is attempting to extract data from secure databases, this dashboard will surface that information immediately. In this single dashboard, we have real-time statistics for a number of key indicators as well as a real-time runbook telling operators what to do if they see any of these warning signs.

[Image: PII Exfiltration and Audit dashboard]

Let’s break down the components of this dashboard:

  • “Database transfer sizes (outliers)” – This shows the average transfer sizes in the database. Alert condition: A spike in database transfers would be unusual and warrant an investigation.
  • “List of PII databases in use” – A list of all of the databases with PII in use.
  • “Real-time DB Transactions” – The actual database queries taking place.
  • “Unauthorized outbound SSH Connections” – Outgoing SSH connections are prohibited from databases. Alert condition: Any non-zero number.
  • “Authentication: Brute force monitoring” – The rate of authentications in the environment. Alert condition: A spike in failed authentications would warrant further investigations.
  • “Unauthorized outbound DNS Connections” – Shows any external DNS lookups. Alert condition: Any non-RFC 1918 DNS servers in this list.
  • “Certificates in use below 2048” – All certificates in the environment should be 2k or higher for this environment. Alert condition: Any certificates weaker than 2048 must be investigated immediately.
  • “All connections must be encrypted” – Display the traffic for all encrypted and unencrypted connected sessions. Alert condition: If there is any unencrypted traffic, it should be alerted on immediately.

How Did We Build a Dashboard Like This?

For the TME team, we use a four-phase process in dashboard creation. These phases are: design, implementation, usage, and iteration. In working with our users and creating our own dashboards, we have found that first using the dashboards and then tweaking them leads to the best results. The most useful dashboards are the ones that go through multiple iterations over time.

Design Phase

Begin by sketching how you would like the dashboard to look. You can either drag and drop objects in the ExtraHop builder, use layout software, or just sketch on paper. Take note of the metrics that are going to be the most useful to you. You can find metrics in three different ways:

1) The Metric Explorer

Accessing the Metric Explorer allows you to explore any of the thousands of built-in or custom metrics in the ExtraHop platform.

[Image: Metric Explorer]

2) Browsing ExtraHop pages and charts

Browsing ExtraHop pages is another good way to find metrics you are interested in and then add them directly to a new or existing dashboard.

[Image: Save to Dashboard]

3) Creating and committing a custom metric

ExtraHop Application Inspection Triggers allow you to create and commit a custom metric in a matter of minutes. These custom metrics can then be used in any dashboard. See this useful post on metric types and the trigger documentation: https://forum.extrahop.com/question/2353/tip-of-the-week-metric-types

Implementation Phase

To create a dashboard, click on the “New Dashboard” link on the Summary screen of the ExtraHop UI. This will enter you into the layout mode. Remember that ExtraHop Dashboards are a feature in version 4.0 or higher.

The dashboard creation flow is to first create a region, then to populate that region with an object, and finally to configure that object.

[Image: My First Dashboard]

1) Regions can be used to delineate time ranges and define visual layout. For example, some regions can be tracking time deltas (this week today versus last week today) while another chart could be looking just at the last 30 minutes, 6 hours, or other time period.

[Image: My First Dashboard 2]

2) After a region is created, objects are added to the region. The available objects for a region are: widgets, alert histories, activity groups, and text boxes.

3) Widgets are the primary object type for metrics. Drag a widget into an area to create a chart. The available types of charts are: Area, Bar, Column, Candlestick, Line, Line and Column, List, Single Value, Status.

Look back at the example PII dashboard above. We are using candlestick lines for database transfer sizes because candlestick lines show average values very well—an outlier will be easy to spot. We are using a single value for unauthorized data connections because that value should always be zero; again, it will be easy to spot an outlier if the value is non-zero. We are using text boxes (formatted using the Markdown language) to explain the values and what actions to take for operators and administrators.

Try different metric types and see which ones fit your data best.

Usage and Iteration Phases

To perfect your dashboards, you should try using them in your regular workflow and then iterating through revisions. Dashboards can be copied and modified as many times as needed, making it easy to refine them. With the push of a button, they can be shared between team members who can then make their own modifications. The best way to get a functional dashboard is to use it and refine it to make it serve your needs.

In future blog posts, we will deep-dive into individual widget types and explore when and where each may be best.

Step-by-Step Guide: HL7 Analytics with ExtraHop


HL7 data is crucial to the healthcare industry, and the ability to extract meaningful insights from HL7 messages in real-time can help organizations improve patient outcomes, boost security, and save money.

ExtraHop’s Application Inspection trigger editor.

Not all organizations need the same information from their HL7 messages, so ExtraHop makes it possible to create custom triggers to pull out the metrics that benefit your business most, whether you’re a small healthcare clinic, a huge hospital network, or even an insurance provider.

The extensibility of the ExtraHop platform makes it simple to pull any piece of data out of an HL7 message and visualize it on a dashboard for comparison against other metrics. This post will walk you through a few concrete examples of how to pull specific pieces of info from an HL7 message.

Application Inspection Triggers Make It Easy to Parse HL7 Data

ExtraHop’s unique Application Inspection Triggers (AI triggers) provide the framework to parse and extract valuable content from within an HL7 message.

First, let’s start out at a high level by printing out an entire HL7 message. The code snippet below will grab the entire message off the wire and display it in the Runtime Log.

  1. var msg = "";
  2. for (var i = 0; i < HL7.segments.length; i++) {
  3.     msg += HL7.segments[i].name + "|" + HL7.segments[i].fields.join("|") + "\n";
  4. }
  5. log(msg);

Here’s what each section of that code actually does:

  1. Initializes a variable called msg which will be used to gather up all the segments of the message.
  2. Loops through all segments of the message.
  3. Adds each segment to the msg variable separating each field with a “|” (the pipe character) and terminating the segment with a new line.
  4. The loop terminates once all segments have been added to the msg variable.
  5. The msg is then logged to output, seen on the Runtime Log.

Jump over to the Runtime Log tab to check it out. Be aware that as this trigger runs you’ll be catching all HL7 messages so expect to see a bunch.

You should end up with something similar to the following:

MSH|^~\&|EPICADT|DH|LABADT|DH|201301011226||ADT^A01|HL7MSG00001|P|2.3|
EVN|A01|201301011223||
PID|||MRN12345^5^M11||APPLESEED^JOHN^A^III||19710101|M||C|1 CATALYZE STREET^^MADISON^WI^53005-1020|GL|(414)379-1212|(414)271-3434||S||MRN12345001^2^M10|123456789|987654^NC|
NK1|1|APPLESEED^BARBARA^J|WIFE||||||NK^NEXT OF KIN
PV1|1|I|2000^2012^01||||004777^GOOD^SIDNEY^J.|||SUR||||ADM|A0|

How To Pull Only Specific Message Types From Your HL7 Stream

Let’s say you only want to see a specific message type. For example, maybe we want to examine ADT (Admit Discharge Transfer) messages.

  1. if (HL7.msgType.indexOf("ADT") > -1){
  2.     var msg = "";
  3.     for (var i = 0; i < HL7.segments.length; i++) {
  4.         msg += HL7.segments[i].name + "|" + HL7.segments[i].fields.join("|") + "\n";
  5.     }
  6.     log(msg);
  7. }

Two additional lines are needed.

  1. Line 1 initiates an if statement that searches for ADT in the msgType (the message type). We could have searched for any type of message here. We also could have narrowed it down to, say…ADT^A01, a patient admit.
  2. Line 7 closes the if statement with }.

Parsing Specific Segments Within HL7 Messages

Let’s take this one step deeper. Let’s say that we want to find a specific segment within an ADT^A01 message. What if we want to examine the PID segment within the ADT^A01 message?

  1. var msg = "";
  2. if (HL7.msgType.indexOf("ADT^A01") > -1){
  3.     for (var i = 0; i < HL7.segments.length; i++) {
  4.         if (HL7.segments[i].name == "PID" ){
  5.             msg += HL7.segments[i].name + "|" + HL7.segments[i].fields.join("|") + "\n";
  6.         }
  7.     }
  8.     log(msg);
  9. }


Again, two additional lines of code are needed. Line 4 adds in an if statement that seeks out all PID segment names and Line 6 closes the if statement.

Let’s Get Specific: Pulling Patient Gender from Within the PID Segment of an HL7 Message

For our final trick, let’s forget about the entire segment and instead pull out the patient gender field from within the PID segment.

Let’s take a quick look at the PID segment from the example above. The segment is provided by ExtraHop, and the field we are looking for is at location 7.

[Image: HL7 Message Segment]

Now that we’re getting a bit deeper into the HL7 message, let me take a minute to explain a few of the properties we’re about to use. ExtraHop provides the segments as an array of objects where each object is of type {name: segment name, fields: Array of strings}. So, we first want to ensure that the name of the segment (HL7.segments[i].name) is PID, and then we can go digging into the segment’s fields, specifically field 7 (HL7.segments[i].fields[7]). Remember that i is our looping variable.

Here’s the code to pull out patient gender from the PID segment:

  var msg = "";
  if (HL7.msgType.indexOf("ADT") > -1){
      for (var i = 0; i < HL7.segments.length; i++) {
          if (HL7.segments[i].name == "PID" ){
              log(HL7.segments[i].fields[7]);
          }
      }
  }

We’ve restructured the code snippet a bit. We’ve removed msg += HL7.segments[i].name + "|" + HL7.segments[i].fields.join("|") + "\n"; because we don’t want to grab the entire message, and we’ve also removed log(msg); because we don’t want to print it out. Instead, we’ve added in log(HL7.segments[i].fields[7]); which grabs the gender field.

Once you’ve got the hang of pulling any data you need out of HL7 messages, you can visualize that data in a dashboard and start getting valuable, easily-digested insights right away.

Here’s an example where we used the JavaScript string split() method to pull just the city name out of the address field in an HL7 message and graph the city and gender of the patients being admitted in real time.
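
The gender and city extractions described above, carried through offline as an added example (this is not ExtraHop’s trigger code): a stand-alone parser that turns a raw HL7 v2 message into the same {name, fields} segment shape the trigger API exposes, applies the ADT filter, and tallies admits per city and gender the way the dashboard does. SAMPLE_ADT is the message printed earlier in this post; SAMPLE_ORU is constructed here to show the message-type filter rejecting a lab result; MSH-9 is used in place of HL7.msgType.

```javascript
// Added example, not ExtraHop's trigger code: parse a raw HL7 v2 message into the
// {name, fields} shape the post's triggers read from, then apply the same lookups.
// SAMPLE_ADT is the message shown earlier in the post; SAMPLE_ORU is constructed here.
const SAMPLE_ADT = [
  "MSH|^~\\&|EPICADT|DH|LABADT|DH|201301011226||ADT^A01|HL7MSG00001|P|2.3|",
  "EVN|A01|201301011223||",
  "PID|||MRN12345^5^M11||APPLESEED^JOHN^A^III||19710101|M||C|1 CATALYZE STREET^^MADISON^WI^53005-1020|GL|(414)379-1212|(414)271-3434||S||MRN12345001^2^M10|123456789|987654^NC|",
  "NK1|1|APPLESEED^BARBARA^J|WIFE||||||NK^NEXT OF KIN",
  "PV1|1|I|2000^2012^01||||004777^GOOD^SIDNEY^J.|||SUR||||ADM|A0|",
].join("\r");
const SAMPLE_ORU = [  // constructed: a lab result, which the ADT filter must drop
  "MSH|^~\\&|LAB|DH|EPICADT|DH|201301011300||ORU^R01|HL7MSG00002|P|2.3|",
  "PID|||MRN99999^5^M11||DOE^JANE||19800202|F||C|5 ELM ST^^MADISON^WI^53703|",
].join("\r");

// Segments are CR-separated on the wire (LF/CRLF when pasted). fields[0] is the first
// field after the segment name, exactly how HL7.segments[i].fields is indexed in the
// trigger snippets above, so PID gender lands at fields[7] and the address at fields[10].
function parseHL7(raw) {
  return raw.split(/\r\n|\r|\n/).filter(line => line.length > 0).map(line => {
    const parts = line.split("|");
    return { name: parts[0], fields: parts.slice(1) };
  });
}

// Mirrors the post's final trigger: keep ADT messages only, read gender from PID field 7,
// and take the city as component 3 of the address in PID field 10 (split on "^").
function admitSummary(raw) {
  const segments = parseHL7(raw);
  const msh = segments.find(s => s.name === "MSH");
  const msgType = msh ? msh.fields[7] : "";        // MSH-9 stands in for HL7.msgType here
  if (msgType.indexOf("ADT") === -1) return null;   // not an admit/discharge/transfer
  const pid = segments.find(s => s.name === "PID");
  if (!pid) return { msgType, gender: null, city: null };
  const address = pid.fields[10] || "";
  return { msgType, gender: pid.fields[7] || null, city: address.split("^")[2] || null };
}

// What the dashboard in the post charts: admits counted per "CITY/GENDER".
function tallyAdmits(rawMessages) {
  const counts = {};
  for (const raw of rawMessages) {
    const a = admitSummary(raw);
    if (!a || !a.city) continue;
    const key = a.city + "/" + a.gender;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
```

Note that real feeds can carry a non-default field separator in MSH-1 and a leading MSH-1 offset, so a production parser should read the separators from the MSH segment rather than assuming "|" and "^" as this example does.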

[Image: Data extracted from HL7 message]

Being able to pull out literally any piece of information from an HL7 message really opens up some interesting possibilities.

Video Walkthrough: Parsing HL7 Messages

If you want a detailed walkthrough of how to implement the HL7 message parsing techniques explained in this post, check out the video below:

We Can’t Wait To See How You Use Real-Time HL7 Analytics

We would love to hear how you utilize this. Are there interesting use cases you develop in your environment? Or maybe you need some assistance? Feel free to share your stories or look for suggestions in the ExtraHop forum.
