Web UI Guide

About this guide

This guide provides information about the web-based user interface (Web UI) for the ExtraHop Discover and Command appliances.

The purpose of this guide is to help users understand the ExtraHop system architecture and functionality as well as learn how to operate the controls, fields, and options available throughout the Web UI.

Additional resources are available through the following links:

Introduction to the ExtraHop system

The ExtraHop system helps you monitor network activity and all of your applications. For example, you can learn how well applications are consuming network resources, how systems and devices are communicating with each other, and how to identify transactions that are flowing across the data link layer (L2) up to application layer (L7) in your network.

This guide explains how the ExtraHop system functions so that you can understand how your data is collected and analyzed. We also provide a list of learning resources and some activities to get you started.

ExtraHop platform architecture

The ExtraHop platform comprises a suite of appliances—Discover, Explore, Trace, and Command—that are designed to passively monitor the network traffic in your environment in real time. Each appliance provides you with different types of information about your network, which you can analyze to determine where problems in your network might be developing.

ExtraHop Discover appliance

The ExtraHop Discover appliance (EDA) provides top-level and detailed metrics about transactions and traffic between devices. The Discover appliance includes tools to analyze and visualize all of your network, application, client, infrastructure, and business data.

The Discover appliance passively collects unstructured wire data—all of the transactions on your network—and transforms this data into structured wire data.

Discover appliances are provisioned with storage to support 30 days of metric lookback. Note that actual lookback varies from appliance to appliance, depending on traffic patterns, transaction rates, and the number of active protocols.

Deploy a single Discover appliance, either physical or virtual, anywhere in your network environment.

ExtraHop Explore appliance

The ExtraHop Explore appliance (EXA) integrates with the ExtraHop Discover appliance to store transaction and flow records sent from the Discover appliance. You can see, save, and search the structured flow and transaction information about events on your network with a simple, unified UI, with no modifications to your existing applications or infrastructure. Deploy a cluster of three or more Explore appliances to take advantage of data redundancy and performance improvements.

ExtraHop Trace appliance

The ExtraHop Trace appliance (ETA) continuously collects network packets and integrates with the ExtraHop Discover and Command appliances. You can quickly retrieve all packets that match a set of search criteria within a given time interval. You can then download the packet capture file for further inspection in a packet analyzer, such as Wireshark.

Deploy a Trace appliance when you need access to more than the summary data collected by the Discover appliance.

ExtraHop Command appliance

The ExtraHop Command appliance (ECA) provides centralized management and reporting across multiple ExtraHop Discover, Explore, and Trace appliances that are distributed across data centers, branch offices, and the public cloud.

You can connect an Explore appliance or cluster to multiple Discover appliances, and then query the records stored by each Discover appliance from the Command appliance.

When you add a Trace appliance, you can search, download, and analyze the collected packets to gain further insight about the information flowing across your network.

For most large ExtraHop deployments, a dedicated Command appliance is the most efficient way to manage all of your remote appliances.

Data sources in the ExtraHop system

The ExtraHop Discover appliance collects data and generates metrics from two types of data sources: wire data and machine data, such as flow data.

Wire data

Wire data is observed in real time, which provides information about what’s happening on your network. With wire data, the ExtraHop system passively collects a copy of unstructured packets through a port mirror or tap and stores the data in the appliance datastore. The copied data goes through real-time stream processing, which transforms the packets into structured wire data through the following stages:

  1. TCP state machines are recreated to perform full-stream reassembly.
  2. Packets are constructed into flows.
  3. The structured data is analyzed and processed in the following ways:
    1. Transactions are identified.
    2. Devices are automatically discovered by MAC and IP address and then classified by their activity.
    3. Metrics are generated and associated with protocols and sources, and the metric data is then aggregated into metric cycles.
  4. As new metrics are generated and stored, and the datastore becomes full, the oldest existing metrics are overwritten according to the first-in first-out (FIFO) principle.

Flow data

Flow data, a type of machine data, can also be collected from a network device and sent to the Discover appliance for analysis or storage. Flow data is an alternative option if wire data cannot be collected from a remote network.

A flow is a set of packets that are part of a single transaction between two endpoints. Similar to how the ExtraHop system can identify flows from wire data, flows from machine data on remote networks can be sent to a Discover appliance for analysis. Flows are identified through their unique combination of IP protocol (TCP/UDP), source and destination IP addresses, and source and destination ports.

The ExtraHop system supports the following types of flow data:
NetFlow v5
The Cisco proprietary protocol that defines a flow as a unidirectional flow of packets all sharing the following values: Ingress interface, source and destination IP address, IP protocol, source and destination ports, and the type of service. NetFlow v5 has a fixed record format with 20 fields and cannot be customized.
NetFlow v9
An adapted version of NetFlow v5 where the record format is template based. NetFlow v9 has 60+ fields in the records and can be customized. In the Discover appliance, these records are only partially parsed until the template packet is detected.
IPFIX
An open standard based on the NetFlow v9 standard. ExtraHop supports only the native format; formats where the Enterprise bit is set outside of a trigger are not supported.
AppFlow
The Citrix implementation of IPFIX with customized extensions to include application-level information such as HTTP URLs, HTTP request methods, status codes, and so on.
sFlow
A sampling technology for monitoring traffic in data networks. sFlow samples every nth packet and sends it to the collector whereas NetFlow sends data from every flow to the collector. The primary difference between sFlow and NetFlow is that sFlow is network layer independent and can sample anything. NetFlow v5 is IP based, but v9 and IPFIX can also look at Layer 2.

The Discover appliance enables you to add any of the above flow data sources. You can then view metrics for flow networks (a network device that sends information about flows seen across the device) and their interfaces.

With the Discover appliance working as a flow collector and analyzer, you can collect the flow network traffic through the following stages:
  1. Flow exporters detect and format traffic, caching information about the flow, including source and destination IP addresses, port, IP protocol, and number of bytes and packets.
  2. The flow exporter sends the cached information from the flow network to the Discover appliance, which acts as a collector and analyzer for the flow data.
  3. The flow network traffic is analyzed, flows are identified, and metrics are aggregated for the total number of bytes and total number of packets in each flow.

For example, when a client initiates a request to a server, the packet is sent to the router, which directs the packet to the destination server through the network topology. If that router is configured to be a flow network exporter, information about the flow is then formatted and sent to the Discover appliance for analysis.

By analyzing flows of network traffic, such as NetFlow traffic, an administrator can identify the top network flows (most bytes consumed), top network talkers (highest throughput), total number of bytes, and the total number of packets per router interface.
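The NetFlow v5 record layout and the collector stages described above, worked through in Python as an added example (not ExtraHop code): it parses a constructed v5 datagram using Cisco's public fixed 20-field record layout, keys each record by the 5-tuple the text names, and derives the top flows by bytes and the per-interface byte and packet totals. The sample datagram, addresses and interface indexes are constructed for the demonstration.

```python
"""Parse a NetFlow v5 datagram and aggregate it the way a flow collector does."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record: the fixed 20-field, 48-byte layout that cannot be customized.
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def parse_netflow_v5(datagram: bytes) -> list:
    """Return one dict per flow record; raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # A collector must not trust the exporter's count field blindly: check it
    # against the bytes actually received before unpacking any records.
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("count field claims more records than the datagram holds")
    records = []
    for i in range(count):
        raw = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for field in ("srcaddr", "dstaddr", "nexthop"):
            rec[field] = str(IPv4Address(rec[field]))
        records.append(rec)
    return records


def flow_key(rec: dict) -> tuple:
    """The 5-tuple that identifies a flow: IP protocol, addresses and ports."""
    return (rec["prot"], rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"])


def top_flows(records, n=3):
    """Top network flows by bytes consumed (dOctets), aggregated per 5-tuple."""
    octets = defaultdict(int)
    for rec in records:
        octets[flow_key(rec)] += rec["dOctets"]
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)[:n]


def per_interface_totals(records):
    """Total (bytes, packets) per ingress router interface (SNMP ifIndex)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        totals[rec["input"]][0] += rec["dOctets"]
        totals[rec["input"]][1] += rec["dPkts"]
    return {ifindex: tuple(v) for ifindex, v in totals.items()}


def _record(src, dst, sport, dport, prot, ifindex, pkts, octets) -> bytes:
    """Build one constructed v5 record (sample data, not captured traffic)."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("10.0.0.1").packed, ifindex, 2, pkts, octets,
                       1000, 2000, sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram: four records exported by one router.
SAMPLE_RECORDS = [
    _record("10.1.1.10", "10.2.2.80", 51000, 443, 6, 1, 120, 150_000),
    _record("10.1.1.11", "10.2.2.80", 51001, 443, 6, 1, 30, 20_000),
    _record("10.1.1.10", "10.2.2.80", 51000, 443, 6, 1, 80, 100_000),  # same flow, later export
    _record("10.3.3.5", "10.2.2.53", 40000, 53, 17, 3, 2, 400),
]
SAMPLE_DATAGRAM = (HEADER.pack(5, len(SAMPLE_RECORDS), 123456, 1_700_000_000, 0, 1, 0, 0, 0)
                   + b"".join(SAMPLE_RECORDS))

if __name__ == "__main__":
    recs = parse_netflow_v5(SAMPLE_DATAGRAM)
    print("top flows by bytes:", top_flows(recs))
    print("per-interface (bytes, packets):", per_interface_totals(recs))
```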

Device discovery

The ExtraHop system automatically discovers and classifies devices based on what is happening on the network. The default discovery mode is L3 device discovery, also known as Discover by IP.

First, the ExtraHop system creates an L2 device entry for every locally observed MAC address over the wire. Then, the ExtraHop system creates an L3 device entry for every locally observed IP address included in an Address Resolution Protocol (ARP) response. If the MAC address and IP address are associated with the same device, the Discover appliance links the parent L2 device and the child L3 device. The IP address and MAC address for a device are displayed in search results and in the overview section on a device protocol page, as shown in the following figure.



Here are some important considerations about L3 device discovery:

  • To discover L3 devices outside of your network, you can create a custom device or enable remote device discovery.
  • If a router has proxy ARP enabled, the ExtraHop system creates an L3 device for each IP address that the router answers ARP requests for.
  • L2 metrics that cannot be associated with a particular child L3 device (for example, L2 broadcast traffic) are associated with the parent L2 device.
  • L2 devices that are not gateways or custom devices do not count towards your licensed analysis capacity. These L2 devices receive L2 Analysis and are exempt from analysis priorities and the watchlist.

After a device is discovered, the ExtraHop system begins to collect metrics for the device based on analysis priorities. You can search for L2 and L3 devices in the ExtraHop system by their IP address, MAC address, or name (either a hostname observed from DNS traffic or a custom name that you assign to the device).

Device discovery modes

The default discovery mode is L3 discovery, which is also known as Discover by IP in the ExtraHop Admin UI. When you disable Discover by IP, all locally observed IP addresses that are associated with a MAC address are aggregated into one L2 device. It is important to note that disabling Discover by IP changes the number of devices that are discovered by the ExtraHop system.

For more information, see Discover new devices by IP address in the Admin UI Guide.

Device names and roles

After a device is discovered, the ExtraHop system tracks all of the wire data traffic associated with the device. The ExtraHop system discovers device names by passively monitoring naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol (CDP). A device can be identified by multiple names, which are all searchable. If a name is not discovered through a naming protocol, the default name is derived from device attributes (MAC address for L2 devices and the IP address for L3 devices). You can also create a custom name for a device.

Note: If a device name does not include a hostname, the ExtraHop system has not yet observed naming protocol traffic associated with that device. The ExtraHop system does not perform DNS lookups for device names.

Based on the type of traffic associated with the device, the ExtraHop system assigns a role to the device, such as a gateway, file server, database, or load balancer. You can change or add a role to a device.

Remote device discovery and custom devices

The ExtraHop system automatically discovers local L3 devices based on observed ARP traffic that is associated with IP addresses. By default, all IP addresses that are observed outside of locally-monitored broadcast domains are aggregated at one of the incoming routers in your network.

Note: If you have proxy ARP configured in your network, the ExtraHop system might automatically discover remote devices. For more information, see this ExtraHop forum post.
To identify and learn about individual devices located outside of local routers, complete one of the following options:
  • Add a remote IP address range in the ExtraHop Admin UI to discover L3 devices for IP addresses that are outside of the local network. An L3 device is created for each IP address that is observed within the remote IP address range.
  • Create a custom device to collect metrics for a remote IP address or a range of IP addresses into one device. A single device is created for all of the IP addresses observed within the remote IP address range. For example, you can create a single device that collects metrics for several known IP addresses that belong to remote sites or cloud services.

Software frame deduplication

The ExtraHop system removes duplicate L2 and L3 frames and packets when metrics are collected and aggregated from your network activity by default. L2 deduplication removes identical Ethernet frames (where the Ethernet header and the entire IP packet must match); L3 deduplication removes TCP or UDP packets with identical IP ID fields on the same flow (where only the IP packet must match).

The ExtraHop system checks for duplicates only against the immediately previous packet, either on the same flow (for L3 deduplication) or globally (for L2 deduplication), and removes the duplicate only if it arrives within 1 millisecond of the original packet.

By default, the same packet traversing different VLANs is removed by L3 deduplication. In addition, packets must have the same length and the same IP ID, and TCP packets also must have the same TCP checksum.

L2 duplication usually exists only when the exact same frame is delivered twice through the data feed, which is typically related to an issue with port mirroring. L3 duplication is often the result of mirroring the same traffic across multiple interfaces of the same router, which can show up as extraneous TCP retransmissions in the ExtraHop system.

The System Health page in the ExtraHop Web UI contains charts that display L2 and L3 duplicate packets that were removed by the ExtraHop system. Deduplication works across 10Gbps ports by default and across 1Gbps ports if software RSS is enabled. L3 deduplication currently is supported only for IPv4, not IPv6.
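The L2 and L3 deduplication rules stated above, modelled in Python as an added example (not ExtraHop's implementation, which is not published here) and run over constructed packets so the difference between the two checks is visible. The frame bytes are stand-ins for real wire data, and the choice that a removed duplicate still becomes the "immediately previous" reference for the next comparison is an assumption of this model.

```python
"""Model of L2 (identical frame) and L3 (same flow, same IP ID) deduplication."""
from dataclasses import dataclass
from typing import Optional

DEDUP_WINDOW = 0.001  # a duplicate only counts if it arrives within 1 ms


@dataclass(frozen=True)
class Packet:
    ts: float                 # arrival time, seconds
    frame: bytes              # Ethernet header + IP packet, as captured
    vlan: int
    ip_version: int
    proto: int                # 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int
    ip_len: int
    tcp_checksum: Optional[int] = None   # TCP only

    def flow(self):
        # The VLAN is left out on purpose: one packet seen on two VLANs is
        # still the same flow, so L3 deduplication can catch it.
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Deduplicator:
    def __init__(self):
        self.last_global = None   # immediately previous packet, any flow (L2)
        self.last_on_flow = {}    # immediately previous packet per flow (L3)
        self.l2_removed = 0       # the counts the System Health charts plot
        self.l3_removed = 0

    def _l2_duplicate(self, pkt):
        # Identical Ethernet frame: header and the entire IP packet must match.
        prev = self.last_global
        return (prev is not None and pkt.ts - prev.ts <= DEDUP_WINDOW
                and pkt.frame == prev.frame)

    def _l3_duplicate(self, pkt):
        if pkt.ip_version != 4 or pkt.proto not in (6, 17):
            return False          # L3 deduplication covers IPv4 TCP/UDP only
        prev = self.last_on_flow.get(pkt.flow())
        if prev is None or pkt.ts - prev.ts > DEDUP_WINDOW:
            return False
        same = pkt.ip_id == prev.ip_id and pkt.ip_len == prev.ip_len
        if pkt.proto == 6:        # TCP additionally needs an equal TCP checksum
            same = same and pkt.tcp_checksum == prev.tcp_checksum
        return same

    def process(self, pkt):
        """Return True if the packet is kept, False if removed as a duplicate."""
        if self._l2_duplicate(pkt):
            self.l2_removed += 1
            keep = False
        elif self._l3_duplicate(pkt):
            self.l3_removed += 1
            keep = False
        else:
            keep = True
        # Assumption of this model: every packet, kept or removed, becomes the
        # "immediately previous" reference for the next comparison.
        self.last_global = pkt
        self.last_on_flow[pkt.flow()] = pkt
        return keep


def dedupe(packets):
    """Run packets through a fresh Deduplicator; return (kept, deduplicator)."""
    d = Deduplicator()
    kept = [p for p in packets if d.process(p)]
    return kept, d


def _tcp(ts, vlan, ip_id, cksum):
    """Constructed IPv4 TCP packet; the frame bytes stand in for wire data."""
    frame = f"eth vlan={vlan}|ip id={ip_id} len=60|tcp ck={cksum}".encode()
    return Packet(ts, frame, vlan, 4, 6, "10.1.1.10", "10.2.2.80",
                  51000, 443, ip_id, 60, cksum)


def _udp6(ts, payload):
    """Constructed IPv6 UDP packet (IPv6 has no IP ID; the field is unused)."""
    frame = b"eth vlan=10|ip6 udp " + payload
    return Packet(ts, frame, 10, 6, 17, "fd00::10", "fd00::53", 40000, 53, 0, 80)


# Constructed sample feed: one TCP packet mirrored several ways, plus IPv6 UDP.
SAMPLE_PACKETS = [
    _tcp(0.0000, 10, 100, 0x1234),   # original
    _tcp(0.0002, 10, 100, 0x1234),   # exact copy of the frame: L2 duplicate
    _tcp(0.0005, 20, 100, 0x1234),   # same IP packet on another VLAN: L3 duplicate
    _tcp(0.0050, 10, 100, 0x1234),   # same IP ID but 4.5 ms later: kept
    _tcp(0.0060, 10, 101, 0x1235),   # new IP ID: kept
    _udp6(0.0070, b"a"),             # IPv6 is outside L3 deduplication: kept
    _udp6(0.0071, b"b"),             # differing frame, so not an L2 duplicate: kept
]

if __name__ == "__main__":
    kept, d = dedupe(SAMPLE_PACKETS)
    print(f"kept {len(kept)} of {len(SAMPLE_PACKETS)}; "
          f"L2 removed {d.l2_removed}, L3 removed {d.l3_removed}")
```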

Introduction to the ExtraHop Web UI

The ExtraHop Discover and Command appliances provide access to network activity data through a dynamic and highly customizable Web UI.

This guide provides an overview of the global navigation and controls, fields, and options available throughout the UI.

Supported browsers for the ExtraHop Web UI

The following browsers are compatible with all ExtraHop appliances.

  • Firefox
  • Google Chrome
  • Internet Explorer 11
  • Safari

You must allow cookies and ensure that Adobe Flash Player is installed and enabled. Visit the Adobe website to confirm that Flash Player is installed and up-to-date.

Global navigation elements located at the top of the page contain links to the main sections of the Web UI. Within each section, the left pane contains links to specific pages or data.

The following figure shows both global and left pane navigation elements.



The following figure shows an example of how the left pane navigation changes based on the section you are viewing.



Here are definitions of each global navigation element:

Dashboards
Click Dashboards to view, create, or share dashboards for monitoring any aspect of your network or applications. System dashboards give you an instant view of the activity on your network. You can also create and share custom dashboards with other users.
Alerts
Click Alerts to view alert history, which displays information about each alert generated during the time interval.
Detections
If your Discover appliance is connected to the ExtraHop Machine Learning Service, the top level navigation shows the Detections menu. Click Detections to view detections identified from your wire data. You can access stored detections even if your appliance is disconnected from the Machine Learning Service.
Metrics
Click Metrics to find any application, network, or device discovered by the ExtraHop system and view their protocol metrics.
Records
If you have an Explore appliance, the top level navigation shows the Records menu. Click Records to query for all records stored on the Explore appliance for the current time interval. Records are structured information about transactions, messages, and network flows.
Packets
If you have a Trace appliance, the top level navigation shows the Packets menu. Click Packets to query for all packets stored on the Trace appliance for the current time interval.
Global search field
Type the name of any device hostname or IP address, application, or network to find a match on your Discover or Command appliance. If you have a connected ExtraHop Explore appliance, you can search for saved records. If you have a connected Trace appliance, you can search for packets.
Community forum icon
Visit the ExtraHop forum within a new browser tab to ask a product or bundle question.
Help icon
See help information for the page that you are currently viewing. To access the most current and comprehensive set of ExtraHop documentation, visit the ExtraHop Documentation website.
System Settings icon
Access system configuration options, such as Triggers, Alerts, Reports, and Custom Devices.
User option icon
Log in and log out of your Discover appliance or Command appliance, change your password, and access API options.
Pane toggle
Collapse or expand the left pane.
Global Time Selector
Change the time interval to view application and network activity that was observed by the ExtraHop system for a specific time period. The global time interval is applied to all metrics across the ExtraHop Web UI and does not change as you navigate to different pages.
Recent pages
See a list of the most recent pages you visited in a drop-down menu and make a selection to go back to a previous page. Repeated pages are deduplicated and condensed to save space.
Navigation path
View where you are in the system and click a page name to access a drop-down menu of pivot points, which let you access other protocols or sources.
Command menu drop-down
Click to access specific actions for the page you are viewing. For example, when you click Dashboards at the top of the page, the command menu provides actions for changing dashboard properties or creating a new dashboard.

Start analyzing data

Begin your data analysis journey with the ExtraHop system by following the basic workflows listed below. As you become familiar with the ExtraHop system, you can complete more advanced tasks, such as installing bundles and building triggers.

Here are some basic ways to navigate and work with the ExtraHop Web UI to analyze network activity.

Monitor metrics and investigate interesting data

When you first log into the ExtraHop system, you see the Activity dashboard. This dashboard is a good starting point because it shows you a summary of important metrics about application performance on your network. When you see a spike in traffic, errors, or server processing time, you can interact with dashboard data to drill down and identify which clients, servers, methods, or other factors contributed to the unusual activity.

You can then continue performance monitoring or troubleshooting by creating a custom dashboard to track a set of interesting metrics and devices.

Search for a specific device and investigate related metrics and transactions

If you want to investigate a slow server, you can search for the server in the ExtraHop system by device name or IP address and then investigate the server's activity on a protocol page. Was there a spike in response errors or requests? Was server processing time too high or did network latency affect the rate of data transfer? Click on different protocols in the left pane to investigate more metric data collected by the ExtraHop system. Drill down by peer IP addresses to see which clients or applications the server talked to.

To share protocol data with other teams, you can create a report.

If you have an Explore appliance, you can investigate entire transactions that the server participated in by creating a record query.

Get visibility into changes to your network by searching for protocol activity

You can get a top-down view of your network by looking at activity groups. An activity group is a collection of devices automatically grouped together by the ExtraHop system based on the protocol traffic observed over the wire. For example, you can find new or decommissioned servers that are actively communicating over a protocol by creating an activity map.

If you find a collection of devices that you want to continue monitoring, you can add a device tag or custom device name to make those devices easier to find in the ExtraHop system. You can also create a custom device group or a custom dashboard to monitor device group activity.

Advanced workflows for customizing your ExtraHop system

After becoming familiar with basic Web UI workflows, you can customize your ExtraHop system by setting up alert notifications, creating custom metrics, or installing bundles.

Set up alerts
Configure threshold and trend-based alerts that notify you when there is a potential issue with a network device. For more information, see Configure threshold alert settings and Configure trend alert settings.
Install a bundle to enhance ExtraHop features and integrations
Bundles are a saved set of system configurations that can be uploaded to an ExtraHop appliance. Check out the following popular bundles:

Apply a bundle to your ExtraHop system, or create a bundle to share with others. For more information, see Bundles.

Build a trigger to create custom metrics and applications
Triggers are custom scripts that perform an action upon a pre-defined event. Triggers require planning to make sure a trigger doesn’t negatively impact system performance. For more information, see Triggers.

Access keyboard shortcuts

Keyboard shortcuts help you quickly navigate across the ExtraHop Web UI and manage dashboards with a few keystrokes.

  1. Log into the Web UI on the Discover or Command appliance.
  2. Type one of the following keyboard combinations:
    Keyboard combination    Action
    ?                       Show or hide a hot key help menu
    G then S                Go to Dashboard
    G then A                Go to Alerts
    G then P                Go to Application Metrics
    G then N                Go to Network Metrics
    G then D                Go to Device Metrics
    G then G                Go to Group Metrics
    /                       Global Search
    O then H                Open Page History
    O then M                Open Metric Explorer
    G then E                Go to System Settings
    G then T                Go to Trigger Editor
    G then H                Open Help
    O then Q                View system information
    Ctrl+S                  Save widget configuration
    O then L                Toggle Edit Layout Mode
    O then P                Show Dashboard Properties
    C then D                Copy the current dashboard
    D then D                Delete the current dashboard
    O then S                Toggle Descriptions
    Ctrl+Shift+F            Toggle Presentation Mode
    N then D                Create a new dashboard
    N then F                Create a new folder
    O then D                Toggle Edit Dock
    P then P                Print or Export to PDF
    S then R                Open Scheduled Reports
    J                       Select the next item on the History
    K                       Select the previous item on the History

Manage dashboards with keyboard shortcuts

The following keyboard shortcuts only apply to dashboards.

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Type one of the following keyboard combinations:
    Keyboard combination    Action
    O then L                Toggle edit layout mode
    O then P                Show dashboard properties
    C then D                Copy the current dashboard
    D then D                Delete the current dashboard
    O then S                Toggle descriptions
    Ctrl+Shift+F            Toggle presentation mode
    N then D                Create a new dashboard
    N then F                Create a new folder
    O then D                Toggle dock edit mode

Dashboards

Dashboards are an effective tool for monitoring high-priority network traffic or troubleshooting an issue. You can monitor general information about your network from built-in system dashboards, or build a custom dashboard to create a personalized view of metrics that are important to you.

A dashboard is an HTML page that displays real-time and historic metric data. Dashboards consolidate multiple metrics into a central location where you can investigate and share data. In this guide, you will learn about dashboard features and find links to dashboard resources and procedures.

Before you begin:

Here are some definitions you should know about dashboards in the ExtraHop system:

Dashboard dock
The left pane of the dashboard page, which provides access to all of your dashboards. Dashboards are organized within menus and folders.
Region
A compartment within the dashboard layout that contains widgets.
Widget
A configurable component for displaying metric data and information. Charts are the most common widget found in dashboards.
Time Selector
A tool that changes the time interval for the entire dashboard. You can also change the time interval for a specific region within the dashboard.

Interact with dashboard data

A dashboard is a launching point into data analysis and troubleshooting. When you observe a metric value that raises questions, a dashboard provides the following options for interacting with metric data and finding answers.

Change the time interval
Observe how data changes over time in the following ways:
Change the dashboard source
If you are viewing a dashboard with dynamic sources, you can change the source of the information you are viewing. For example, you could create a dashboard that shows you the total number of HTTP errors for a device. You could then select any device on your appliance to switch the source and view the total number of HTTP errors for that device.

For more information, see Create a dashboard with dynamic sources.

Interact with chart data
A dashboard chart is a dynamic, interactive visualization of data. As you troubleshoot or analyze data, you can interact with chart data in several ways, as shown in the figures below.

Note: Copy or create a chart, and then edit the chart in Metric Explorer. When you copy or create a chart from a system dashboard or shared dashboard that you do not own, you must save the edited chart to your own custom dashboard.
Navigate to detections
Some charts display detection markers, which indicate detections associated with the source of the metric data during the time interval specified for the chart. Detection markers only appear if you are licensed for the ExtraHop Machine Learning Service and have enabled detections.

Hover over the detection marker to view the name of the identified detection, and then click the detection marker to navigate to the detail page for the detection for further investigation.

For example, in the following figure, you can see a detection marker that indicates that a DNS Server Errors detection was identified at 8:00 AM on the source.

Note: If the time interval of the chart is less granular than the duration of the detection, then the start time and duration of the detection are rounded to match the data points on the chart.

Only the following chart types can display detection markers:

  • Area
  • Line
  • Column
  • Line & column

Detection markers are a user preference that you can enable or disable from the User menu. For more information, see Enable or disable detection markers.

Monitor your network with system dashboards

When you first log into the Discover or Command appliance, you see the Activity dashboard. ExtraHop users have access to the Activity dashboard and the Network dashboard, which are known as system dashboards.

System dashboards give you different types of insights into the general behavior and health of your network:

Activity dashboard
Find top-talkers by application (L7) protocols and view recent alerts. For more information about charts in this dashboard, see Activity dashboard.
Network dashboard
Identify traffic latency and bottlenecks over the data link (L2), network (L3), and transport (L4) layers. For more information about charts in this dashboard, see Network dashboard.

If you see interesting data in a system dashboard chart, you can investigate further.

Monitor your network with custom or shared dashboards

If you want to monitor specific metrics or custom metrics, you can create a custom dashboard. Custom dashboards are stored separately for each user that accesses the ExtraHop Discover appliance. After you build a custom dashboard, you can share it with other ExtraHop users.

Working with custom dashboards

There are three ways to create your own dashboard: New dashboards are placed in Edit Layout mode, which enables you to add, arrange, and delete components within the dashboard. After creating a dashboard, you can complete the following tasks:

Custom dashboards are located in the My Dashboard folder in the dashboard dock. To make changes to your dashboard at any time, click the command menu in the upper right corner of the page and select Edit Layout or Dashboard Properties.

To delete a dashboard, click the command menu in the upper right corner of the page, and then select Delete. Or edit the dashboard dock and select the trash icon next to the dashboard name and then click Delete Dashboard.

Important: You cannot recover a deleted dashboard. If a dashboard owner's account is deleted from the ExtraHop system, you have the option of transferring the dashboard to another user through the Admin UI. Otherwise, all custom dashboards associated with the user account are also deleted. To preserve dashboards, make a copy before the account is deleted.

Working with shared dashboards

Dashboards that have been shared with you are located in the Dashboard Inbox folder in the dashboard dock. You can organize your shared and custom dashboards, interact with dashboard data, or print dashboard data.

You cannot modify another user's dashboard, unless the dashboard owner grants you edit access. However, you can make a copy of a shared dashboard and then customize it.

To remove a shared dashboard from your dashboard dock, click the command menu in the lower right corner of the dashboard dock and then select Edit Dock. Click the trash icon next to the dashboard and then click Delete Dashboard.
Note: Only a dashboard owner can delete a dashboard.

Export and share dashboard data

You can export dashboard data to a CSV, Excel, or PDF file. You can export and share data by individual chart or by the entire dashboard.

To export chart data, click the chart title and make a selection from the drop-down menu. To export or share the entire dashboard, click the command menu in the upper right corner of the page to access the following options:

Check out the following resources that are designed to familiarize new users with building dashboards.

Create a dashboard

Dashboards provide a single location for important metrics that you care about. When you create a custom dashboard, a dashboard layout opens containing a single region with an empty chart widget and an empty text box widget. Edit a chart to incorporate real-time metrics into your dashboard, and edit a text box to provide information. Finally adjust the layout and add more widgets to complete your dashboard and begin monitoring your network.

Before you begin

Determine which metrics you want to monitor on your dashboard. Ask yourself the following questions:
  • Do I want to track if my server is offline or unavailable? Add availability metrics such as requests and responses to your dashboard charts.
  • Is my server functioning properly? Add reliability metrics such as errors to your dashboard charts.
  • Is my server properly resourced? Add performance metrics such as server processing time to your dashboard charts.

Create the dashboard layout

The following steps show you how to create the framework for your dashboard, which includes two empty widget types: a chart and a text box. Your new dashboard opens in Edit Layout mode (which is displayed in the upper right corner). Edit Layout mode enables you to quickly edit your chart and text box, and arrange the placement of widgets and regions on a dashboard.

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. On the Dashboards page, complete one of the following steps:
    • Click Create Dashboard at the bottom of the dashboard dock (from the bottom of the left pane).
    • Click the command menu in the upper right corner of the page and select Create Dashboard.
  3. In the Dashboard Properties window, type a name for your dashboard.
  4. Enter any other metadata for your dashboard, such as a name for the author or a description. Note that the Permalink provides a direct URL to your dashboard for any users who have sharing privileges for your dashboard.
  5. Click Create.

Edit a basic chart

The following steps show the general flow for editing a chart widget in the Metric Explorer tool. Begin by specifying sources and metrics to add data to your chart. For example, you can now add the availability, reliability, or performance metrics that you considered at the beginning of this procedure to your dashboard. Then choose a chart type to visualize the data.

  1. Click the chart to launch the Metric Explorer.
  2. Click Add Source.
  3. In the source search field, type the name of a source and then select the source from the search results.
  4. In the metric search field, type the protocol and metric name and then select the metric you want to add to the chart from the search results. For example, to monitor the reliability of web transactions, type HTTP errors and then select HTTP Errors from the search results.
  5. Select a chart type from the bottom of the Metric Explorer. Some charts might not be compatible with your selected metrics. For example, the heatmap chart can only display dataset metric data, such as server processing time. For more information about charts and compatible metrics, see Chart types.
  6. Optional: Select a drill down key to view detail metrics. Click Drill down by <None>, where <None> is the name of the detail metric key currently displayed in your chart. You can view up to 20 top key values in a chart for a specific time interval.
  7. Click Save.

Next steps

Edit a basic text box widget

The following steps show you how to display custom text in a dashboard region, which is a helpful tool for adding notes about a chart or data in a dashboard. The text box widget supports the Markdown syntax. A new text box widget contains sample text that is already formatted in Markdown to provide you with basic examples.

  1. Click the text box.
  2. Type and edit text in the left Editor pane. The HTML output text dynamically displays in the right Preview pane. For more formatting examples, see Format text in Markdown.
  3. Click Save.

Add more widgets and regions to your dashboard

Add and arrange the placement of regions and widgets on your dashboards.

  1. Click-and-drag dashboard components, such as a region or widgets, from the bottom of the page onto the workspace.
  2. To arrange dashboard components, click-and-drag the edge of a region or widget to resize them. If dashboard components overlap, they will be outlined in red. You must click and drag the sides of the widgets and regions to make room.
  3. Optional: Click Remove Extra Space to remove the empty vertical white space around widgets. Empty vertical white space will be removed from every region on the dashboard.
  4. After making your changes, click Exit Layout Mode.
    Note: If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

Next steps

Now that your dashboard is complete, you can perform the following steps:

Chart editing tips

The following tips help you search for and select metrics when building a chart.

  • Filter search results to a specific source type or protocol by clicking Any Type or Any Protocol underneath the search fields.
  • You can only select the same source type that is currently in your metric set. A metric set contains one source type and metrics. For example, if you select the All Activity application as the source, you can only add more applications to that metric set. Add more sources of the same type to your chart by clicking Add Application, Add Device, Add Group, or Add Network. To include a different source type in your chart, click Add Source to start a new metric set.
  • Create an ad hoc group of more than one source in your chart by selecting Combine Sources. For example, you can combine two applications and then view a single metric value in the chart for both of these applications.
  • If you select a device group as your source, you can Drill down by Group Member to display individual metrics for up to 20 of the devices within the group.

Create a dashboard with dynamic sources

You can create a dashboard with dynamic sources to enable users to change the source of the dashboard at any time. If you have created a large number of dashboards that all have the same metrics, but different sources, you might want to consider replacing those dashboards with a single, dynamic-source dashboard.

Note: You cannot create reports for dashboards that contain dynamic source charts.
  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. Select a dashboard that you want to edit.
  3. Set the source of each chart to a source type variable.
    1. Click the name of a chart and then click Edit.
    2. In the Sources field, type $.
      The Source Type Variables list appears.
    3. From the Source Type Variables list, select the type of source that you are replacing. For example, if you are replacing a device source, select $device.
  4. Click Save.
    At the top of the dashboard, the View Source drop-down menu appears.
  5. From the View Source drop-down menu, select the source that you would like to view metrics for.
    If no data is displayed in the dashboard charts, try refreshing the page.
Tip: If you want to hide the dynamic source menu from your dashboard, append the following parameter to the end of the dashboard page URL: &hideTemplatePanel=true.

(Figures: the dashboard before and after the hideTemplatePanel parameter is applied.)

For example:

https://eda/extrahop/#/Dashboard/XYFwM/?$device=16&from=30&interval_type=MIN&until=0&hideTemplatePanel=true

Next steps

Copying a dashboard If you want to copy a dashboard with dynamic sources,

Copy a dashboard

If you want to duplicate a useful dashboard, you can copy a dashboard and then replace or modify sources to display different application, device, or network data. You can only copy one dashboard at a time. You cannot drag a dashboard to a folder to copy it.

Note: If you only want to copy a dashboard so you can change the source across the entire dashboard, you might want to consider creating a dashboard with dynamic sources instead of making multiple copies of a single dashboard.
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard that you want to copy.
  3. Click the command menu in the upper right corner of the dashboard page.
  4. Click Copy and complete one of the following steps:
    • Click Keep Sources to maintain the original data configurations in the new dashboard.
      Note: When you copy a dashboard with dynamic sources, the original data configurations are automatically maintained.
    • Click Modify Sources, which helps you to immediately update every region, chart, and widget within the copied dashboard with another source, and then complete the following steps:
      1. In the right pane of the Modify Sources window, click a source name. A search field opens.
      2. Type the name of a new source and then select the source from the drop-down list. Repeat this step if the dashboard contains more than one source that you want to replace.
      3. Click Create Dashboard.
    A copied dashboard with a modified version of the original title is created.
  5. To rename the copied dashboard, complete the following steps:
    1. Click the command menu in the upper right corner of the page.
    2. Select Dashboard Properties.
    3. In the Title field, type a new name.
    4. Click Save.
    Tip: To quickly copy a dashboard, type the keyboard shortcut CD and then update Dashboard Properties or modify sources.

Edit a dashboard layout

Place your dashboard into Edit Layout mode to add, delete, or rearrange the widgets and regions on your dashboard layout. You can only add or delete widgets or regions when the dashboard is in Edit Layout mode.

When you create a new dashboard, the dashboard is automatically placed into Edit Layout Mode. To edit the layout of an existing dashboard, complete the following steps:

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. Select a dashboard that you want to edit.
  3. Click the command menu in the upper right corner of the page, and then select Edit Layout.
  4. In Edit Layout mode, select from the following options:
    Add widgets and regions

    Click-and-drag a widget or region from the bottom of the page and place it onto the dashboard.

    Widgets are configurable dashboard components that provide the following functions:

    Chart: add metrics and select chart types to visualize data

    Text box: add explanations, links, and images to your dashboard

    Alert history: scan up to 40 recent alerts, sorted by severity

    Activity group: monitor devices that are grouped together automatically by protocol activity in the ExtraHop system

    Regions contain and logically group widgets together. Click-and-drag widgets into a region. The width of a region can include a maximum of six widgets. The length of a region and dashboard is unlimited.

    Delete widgets and regions
    To delete a region, click Delete in the region header. To delete a widget, click the title and then select Delete from the drop-down menu.
    Arrange the placement of widgets and regions

    Click the header of a region or widget to drag them into a different location. Click and drag the edge of a region or widget to resize them.

    If dashboard components overlap, they will be outlined in red. You must click and drag the sides of the widgets and regions to make room.

    Duplicate charts
    Click Duplicate to create a copy of a chart or text box in the same region.
  5. Optional: Click Remove Extra Space to remove the empty vertical white space around widgets. Empty vertical white space will be removed from every region on the dashboard.
  6. Click Exit Layout Mode in the upper right corner of the page to save your changes.
    Note: If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

Edit a chart with the Metric Explorer

The Metric Explorer is a tool for creating and editing charts, which lets you construct dynamic visualizations of device and network behavior.

Create and edit a basic chart

With the Metric Explorer, you can edit sources, metrics, and data calculations, and then preview how metric data appears in different charts. When you are satisfied with your selections, save your chart to a dashboard.

The following steps show you the basic workflow and minimum requirements for completing a new chart.

  1. Click Add Source and then select a source.
    • You can select a static source for the chart by typing the name of an application, device, or network.
    • You can also select a dynamic source that can be dynamically modified by dashboard viewers by typing $ and selecting a variable from the Source Type Variable list. For more information about source type variables and dashboard templates, see Create a dashboard with dynamic sources.
  2. Select the source from the list of results.
  3. In the Metrics field, type a protocol and metric name. Then select the metric from the list of results, as shown in the following figure.
  4. Select a chart from the bottom of the Metric Explorer, as shown in the following figure.
  5. Optional: Click the drop-down link below the metric name to display a count, rate, or percentile.
  6. Complete one of the following steps:
    • Click Save when creating or editing a chart from a dashboard. Your dashboard is updated with your basic chart.
    • Click Add to Dashboard when creating or editing a chart from a protocol page. Then select an existing dashboard from the list, or select Create Dashboard.

Configure advanced options for data analysis and chart customization

Depending on the metrics and chart type you select, you can configure advanced options for creating sophisticated visualizations with the Metric Explorer, as shown in the following figure.

Drill down on metric data and sources to display details
In the Details section from the Metrics tab, you can drill down to display detail metrics or drill down on a device group to display individual devices within the chart. You can also filter detail metrics for exact matches, or create a regex filter.
Add a baseline or threshold line from the Analysis tab
You can add a dynamic baseline (trendline) or a static threshold line to your chart. Baselines are calculated after the chart is saved. To see a line that represents a threshold, such as a service level agreement (SLA) value, add a static threshold line to your chart.
Rename legend labels and the chart title
For charts that display a legend, you can replace a metric name in the chart legend with a custom label. In the Metric Explorer, click the label in the preview pane and then select Rename. To rename a chart, click the chart title and select Rename.
Customize your chart from the Options tab
You can access the following options for customizing chart properties and the display of metric data in your chart:
  • Convert metric data from bytes to bits
  • Convert metric data from base 2 (Ki=1024) to base 10 (K = 1000)
  • Change the y-axis in a time-series chart from linear to log scale
  • Abbreviate metric values in a chart (for example, abbreviate 16,130,542 bytes to 16.1 MB)
  • Sort metric data in ascending or descending order in a bar, list, or value chart
  • Change the percentile precision in a pie chart
  • Hide or display a chart legend
  • Hide inactive metrics with a zero value so that these metrics are not visible in the chart, including the legend and label
  • Include sparkline in a list or value chart
  • Show the alert status for data displayed in list or value charts (for more information, see Alerts)
  • Switch the color display for metric data to grayscale (with the exception of charts that display an alert status)
  • For IP address labels, display the hostname (if detected from DNS traffic in wire data) or origin IP address (if a proxy is detected from wire data)
  • Show the relative time for an expiration date, such as the number of days until an SSL certificate expires.
Note: Some options are only available for specific chart types. For example, the option to include a sparkline only appears in the Options tab for list and value charts.
Create an ad hoc group to combine data from multiple sources
From the Metrics tab, you can create an ad hoc group of multiple sources within a set by selecting Combine Sources. For example, you can combine two applications and then view a single metric value in the chart for both of these applications.

Next steps

Practice building charts by completing the following walkthroughs:

Edit a text box widget

If you want to include explanatory text next to your dashboard charts or display a company logo in your dashboard, you can edit a text box widget. With the text box widget, you can display text, links, images, or sample metrics in your dashboard.

The text box widget supports Markdown, a simple formatting syntax that uses non-alphabetic characters, such as “#” or “*”, to convert plain text into HTML. New text box widgets contain Markdown examples. A text box widget is automatically provided each time you create a dashboard. You can also add a text box widget to your dashboard layout.

To edit an existing text box widget, complete the following steps:

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. Select a dashboard containing the text box you want to edit.
  3. Click the command menu in the upper right corner and select Edit Layout.
  4. Click the text box.
  5. Type and edit text in the left Editor pane.
    The HTML output text dynamically displays in the right Preview pane. With Markdown, you can format the following types of content:
  6. Click Save to close the Metric Explorer.

Format text in Markdown

The following table shows common Markdown formats that are supported in the text box widget.

Note: Additional Markdown format examples are provided in the GitHub Guides: Mastering Markdown. However, not all Markdown syntax formatting options are supported in the ExtraHop text box widget.
Headings
  Description: Place a number sign (#) before your text to format headings. The heading level is determined by the number of number signs.
  Example: ####Example H4 heading
Unordered lists
  Description: Place a single asterisk (*) before your text.
  Example:
    * First example
    * Second example
Ordered lists
  Description: Place a single number and period (1.) before your text.
  Example:
    1. First example
    2. Second example
Bold
  Description: Place double asterisks before and after your text.
  Example: **bold text**
Italics
  Description: Place an underscore before and after your text.
  Example: _italicized text_
Hyperlinks
  Description: Place link text in brackets before the URL in parentheses, or type your URL. Links to external websites open in a new browser tab. Links within the ExtraHop Web UI, such as dashboards or custom pages, open in the current browser tab.
  Example:
    [Visit our home page](https://www.extrahop.com)
    https://www.extrahop.com
Blockquotes
  Description: Place a right angle bracket and a space before your text.
  Example:
    On the ExtraHop website:
    > Access the live demo and review case studies.
Monospace font
  Description: Place a backtick (`) before and after your text.
  Example: `example code block`
Emojis
  Description: Copy and paste a Unicode block emoji into the text box. Adding emojis in Markdown syntax is unsupported. For Unicode emoji examples, see the Unicode Emoji Chart website.

Add images in Markdown

You can add images to the text box widget by linking to them. Make sure your image is hosted on a network that is accessible to the Discover appliance.

Links to images must be specified in the following format:

![<alt_text>](<file_path>)

Where <alt_text> is the alternative text for the image name and <file_path> is the path of the image. For example:

![Graph](/images/graph_1.jpg)
Note: You also can add images by encoding them to Base64. For more information, see the following post on the ExtraHop forum, “Putting Images in Text Boxes.”

Add metric examples in Markdown

You can write a metric query to include a metric value inline with text in the text box widget.

The basic format for writing metric queries is:

%%metric:<definition>%%

Where <definition> is replaced with a JSON-defined structure that is based on the ExtraHop REST API query structure.

Note: The following metric queries are unsupported in the text box widget:
  • Time-series queries
  • Mean calculations
  • Multiple object_ids
  • Multiple metric_spec
  • Multiple percentiles

A metric query must contain the following parameters:

  • object_type
  • object_ids
  • metric_category
  • metric_spec

To retrieve the object_type, metric_spec, and metric_category values for a metric name, complete the following steps:

  1. Click Settings.
  2. Click Metric Catalog.
  3. Type the metric name in the search field.
  4. Select the metric, and look for the values in the REST API Parameters section.

For more information, see the Metric Catalog section.

You can retrieve object_ids from the URL that you are browsing. The table below describes the parameter for each object type.

Object type: URL parameter
  Application: applicationOID=
  Network: networkOID=
  Group: deviceGroupOID=
  Device: deviceOID=

Metric query examples for the text box widget

The following examples show you how to write top-level, or base, metric queries for application, device, and network objects. You can also write a query for detail metrics.

Application metrics

To specify the All Activity object, the object_ids is “0”.

This example query shows how you can retrieve HTTP metrics from the All Activity object, and displays the following output: “Getting [value] HTTP requests and [value] HTTP responses from All Activity.”

Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%%HTTP requests and
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"rsp"}]
}%%
HTTP responses from All Activity.

Device metrics

You must specify either a client (“_client”) or server (“_server”) in the metric_category. To retrieve metrics for a specific device, specify the device object ID number in object_ids. To retrieve the device object ID (deviceOid), search for the device object in the ExtraHop global search. Select the device from your search results. The “deviceOid=” value will be embedded in the URL query string.

This example query shows how to retrieve metrics from a device client object, and displays the following output: “Getting [value] CLIENT DNS response errors from a specific device.”

Getting
%%metric:{
"object_type": "device",
"object_ids": [8],
"metric_category": "dns_client",
"metric_specs": [{"name":"rsp_error"}]
}%%
CLIENT DNS response errors from a specific device.

This example query shows how to retrieve metrics from a device server object, and displays the following output: “Getting [value] SERVER DNS response errors from a specific device.”

Getting
%%metric:{
"object_type": "device",
"object_ids": [156],
"metric_category": "dns_server",
"metric_specs": [{"name":"rsp_error"}]
}%%
SERVER DNS response errors from a specific device.

Network metrics

To specify All Networks, the object_type is “capture” and the object_ids is “0.” To specify a specific VLAN, the object_type is “vlan” and the object_ids is the VLAN number.

This example query shows how to retrieve metrics for all networks, and displays the following output: “Getting [value] broadcast packets from all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from all networks.

This example query shows how to retrieve metrics for a specific VLAN and displays the following output: “Getting [value] broadcast packets from VLAN 3.”

Getting
%%metric:{
"object_type": "vlan",
"object_ids": [3],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from VLAN 3.

Group metrics

To specify a group, the object_type is “activity_group” or “device_group.” You must specify either a client (“_client”) or server (“_server”) in the metric_category. The object_ids for the specific group must be retrieved from the REST API Explorer.

This example query shows how to retrieve metrics for an activity group, and displays the following output: “Getting [value] HTTP responses from the HTTP Client Activity Group.”

Getting
%%metric:{
"object_type": "activity_group",
"object_ids": [17],
"metric_category": "http_client",
"metric_specs": [{"name":"req"}]
}%%
HTTP responses from the HTTP Client Activity Group.

Detail metrics

If you want to retrieve detail metrics, your metric query should contain additional key parameters, such as key1 and key2:

  • object_type
  • object_ids
  • metric_category
  • metric_spec
    • name
    • key1
    • key2
The key parameters act as a filter for displaying detail metric results. For non-custom detail metrics, you can retrieve detail metric parameters from the Metric Catalog. For example, type HTTP Responses by URI, and then look at the parameter values in the REST API Parameters section.
Important: You must supply the object_ids in your query.

This example shows how to retrieve HTTP requests by URI for the All Activity application (object_ids is “0”):

%%metric:{ 
"object_type": "application", 
"object_ids": [0],  
"metric_category": "http_uri_detail", 
"metric_specs": [{"name":"req"}] 
}%%

This example query shows you how to retrieve HTTP requests by URIs that contain a key value for “pagead2” for the All Activity application (object_ids is “0”):

%%metric:{ 
"metric_category": "http_uri_detail", 
"object_type": "application",
"object_ids": [0], 
"metric_specs": [ 
{ 
"name": "req", 
"key1": "/pagead2/" 
} 
] 
}%%

This example query shows how to retrieve count metrics for all networks and displays the following output: “Getting [value] detail ICA metrics on all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "custom_detail",
"metric_specs": [{
"name":"custom_count",
"key1":"network-app-byte-detail-ICA"
}]
}%%
detail ICA metrics on all networks.

This example query shows how to retrieve a custom dataset statistic with topn keys and percentiles, and displays the following output: “The fifth percentile is: [value].”

The fifth percentile is:
%%metric:{
"object_type": "vlan",
"object_ids": [1],
"metric_category": "custom_detail",
"metric_specs": [{
"name": "custom_dset",
"key1": "myCustomDatasetDetail",
"key2": "/10.10.7/",
"calc_type": "percentiles",
"percentiles": [5]
}]
}%%
.
Note: Sampleset metrics are unsupported in the text box widget. For example, adding the “calc_type”: “mean” parameter to your text box query is unsupported.
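As an added example (not part of this guide or the ExtraHop product), the following Python script finds %%metric:...%% queries in text box Markdown, checks each definition against the rules stated above (required parameters, one object_id, one metric_spec, one percentile, no mean calculations, and a _client or _server category for device and group objects), and substitutes values from a stand-in lookup. The resolver and sample values are constructed; time-series queries are not checked because the guide does not say how they are expressed in a definition.

```python
import json
import re
from typing import Callable

# Parameters the guide lists as required in every text box metric query.
REQUIRED_KEYS = ("object_type", "object_ids", "metric_category", "metric_specs")

# Object types whose metric_category must name a client or server role.
ROLE_SCOPED_TYPES = {"device", "activity_group", "device_group"}

# Matches one %%metric:<JSON>%% query embedded in text box Markdown. The
# non-greedy body stops at the first "}%%", so adjacent queries are found separately.
METRIC_QUERY_RE = re.compile(r"%%metric:(\{.*?\})%%", re.DOTALL)


def find_metric_queries(markdown: str) -> list[str]:
    """Return the raw JSON definition of every %%metric:...%% query in the text."""
    return METRIC_QUERY_RE.findall(markdown)


def validate_metric_query(definition: str) -> list[str]:
    """Check one query definition against the constraints the guide states.

    Returns a list of problems; an empty list means the query is acceptable.
    """
    try:
        query = json.loads(definition)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(query, dict):
        return ["definition must be a JSON object"]

    problems = [f"missing required parameter {k}" for k in REQUIRED_KEYS if k not in query]
    if problems:
        return problems

    category = str(query["metric_category"])
    if query["object_type"] in ROLE_SCOPED_TYPES and not (
        "_client" in category or "_server" in category
    ):
        problems.append("metric_category must include _client or _server for this object type")

    # Multiple object_ids are unsupported, so exactly one id is required.
    object_ids = query["object_ids"]
    if not isinstance(object_ids, list) or len(object_ids) != 1:
        problems.append("object_ids must be a list with exactly one id")

    # Multiple metric_specs are unsupported, so exactly one spec is required.
    specs = query["metric_specs"]
    if not isinstance(specs, list) or len(specs) != 1 or not isinstance(specs[0], dict):
        problems.append("metric_specs must be a list with exactly one spec")
    else:
        spec = specs[0]
        if "name" not in spec:
            problems.append("metric spec is missing name")
        if spec.get("calc_type") == "mean":
            problems.append("mean calculations are unsupported")
        percentiles = spec.get("percentiles")
        if percentiles is not None and (not isinstance(percentiles, list) or len(percentiles) != 1):
            problems.append("only a single percentile is supported")
    return problems


def render_text_box(markdown: str, resolve: Callable[[dict], object]) -> str:
    """Replace every valid metric query with the value `resolve` returns for it.

    `resolve` is a hypothetical stand-in for the appliance's metric lookup; an
    invalid query is left in place so the author can see what needs fixing.
    """
    def substitute(match: re.Match) -> str:
        definition = match.group(1)
        if validate_metric_query(definition):
            return match.group(0)
        return str(resolve(json.loads(definition)))
    return METRIC_QUERY_RE.sub(substitute, markdown)


# Constructed sample text reproducing the guide's All Activity example.
SAMPLE_TEXT = """Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%%HTTP requests and
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"rsp"}]
}%%
HTTP responses from All Activity."""

# Constructed metric values keyed by metric name, standing in for real data.
SAMPLE_VALUES = {"req": 1234, "rsp": 1200}


def sample_resolver(query: dict) -> int:
    """Look up the constructed value for the single metric spec in the query."""
    return SAMPLE_VALUES[query["metric_specs"][0]["name"]]


if __name__ == "__main__":
    for raw in find_metric_queries(SAMPLE_TEXT):
        print(validate_metric_query(raw) or "ok")
    print(render_text_box(SAMPLE_TEXT, sample_resolver))
```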

Edit a dashboard region

Dashboard regions, which contain charts and widgets, are highly customizable. As you work with dashboards, you might need to frequently change or copy a region. You can only delete, resize, or rearrange a region by editing the dashboard layout.

To edit basic properties of a region in a dashboard, complete the following steps:
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard with the region you want to edit.
  3. Click the region header to access the following options:
    Rename a region
    Add a custom name to the region.
    Modify sources
    Quickly replace the data sources for each chart in a region with a different source after copying a chart, region, or dashboard.
    Copy a region
    Hover over Copy to... and make one of the following selections:
    • Select the name of an existing dashboard from the list. The dashboard page opens and displays the location of the copied region.
      Tip: The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard.
    Change the region time interval
    Apply a time interval to the entire region by enabling the Region Time Selector.
    Fullscreen
    Expand region contents into a fullscreen display.

Change the time interval for a dashboard region

In a dashboard, you can apply a time interval to an entire dashboard with the Global Time Selector, or apply a different time interval per region with the Region Time Selector.

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard.
  3. Click the region header and then select Use Region Time Selector.
  4. Click Last 30 minutes and complete one of the following steps:
    • From the Time Interval tab, select one of the following options:
      • Select another time interval (such as Last 30 minutes, Last 6 hours, Last day, or Last week).
      • Specify a custom unit of time.
      • Select a custom time range. Click a day to specify the start date for the range. One click will specify a single day. Click another day to specify the end date for the range.
      • Compare metric deltas from two different time intervals.
    • From the History tab, select from up to five recent time intervals selected in a previous login session.
  5. Click Save to close the Region Time Selector.
    The new time interval is applied to all charts and widgets within the region.
  6. To remove the region time interval, click the region header and select Use Global Time Selector.
    When the time interval disappears from the region header, the global time interval is applied to the region.

Edit dashboard properties

To rename a dashboard, change the theme, or change the URL, you must edit the dashboard properties. When you create a dashboard, you have an opportunity to specify dashboard properties. However, you can change dashboard properties at any time.

You can only change properties for one dashboard at a time. You cannot multi-select dashboards and change a property, such as the dashboard author.

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. Select the dashboard that you want to edit.
  3. Click the command menu in the upper right corner of the page and then select Dashboard Properties.
  4. In the Dashboard Properties window, you can modify the following fields:
    Title
    Rename the dashboard.
    Author
    Change the author name.
    Description
    Change the dashboard description. Note that the description is only seen when editing dashboard properties.
    Permalink
    Change the URL for the dashboard. By default, the permalink, also known as a short code, is a five-character unique identifier that appears after /Dashboard in the URL. You can change the permalink to a more user-friendly name.
    Note: The permalink can have up to 100 characters combining letters, numbers, and the following symbols: dot (.), underscore (_), dash (-), plus sign (+), parentheses ( ), and brackets ([ ]). Other characters are unsupported. The permalink cannot contain spaces.
    Sharing
    To share a dashboard with users who can view and edit, click the link. For more information, see Share a dashboard.
    Editors
    View the list of ExtraHop users with editing access to the dashboard. To change the users, click Sharing.
    Theme
    Select one of the following themes to change the colors and appearance of the dashboard:

    Light: White background with dark text.

    Dark: Black background with white text.

    Space: Dark background with a stylized background image and text.

  5. Click Save.

Present a dashboard

You can set your dashboard to display in fullscreen mode for presentations or for your network operation center screens.

The fullscreen mode provides the following viewing options:
  • You can view and interact with the entire dashboard while in Presentation Mode.
  • You can view a continuous cycle of each chart in the dashboard in a Widget Slideshow.
  • You can view a single region in fullscreen display.

To present an entire dashboard in fullscreen display, complete the following steps:

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards in the top menu.
  2. Select the dashboard you want to present.
  3. In the upper right corner of the page, click the command menu and select one of the following options:
    Presentation Mode
    The dashboard dock and top navigation menus collapse. You can interact with the time interval and dashboard components while in presentation mode.
    Widget Slideshow
    A continuous cycle of charts and widgets in fullscreen display begins. Select how long you want each widget to display (for example, 15 or 20 seconds). Click the x icon in the upper right corner of the screen to return to the dashboard.
    Tip: To open a dashboard in Presentation Mode, add /presentation to the end of the URL and then bookmark it. For example: https://<extrahop_ip>/extrahop/#/Dashboard/437/presentation

Share a dashboard

By default, all custom dashboards you create are private, which means that no ExtraHop users can view or edit your dashboard. However, you can share your dashboard by granting view or edit access to other ExtraHop users and groups.

Here are some important considerations about sharing dashboards:

  • How a user interacts with a shared dashboard and the information they can view in the ExtraHop system is determined by user privileges, which are assigned by the ExtraHop administrator. For example, you can add a user with the Restricted read-only privilege, which allows that user to only view the dashboards that you share with them in the ExtraHop system. For more information, see the User privileges section in the ExtraHop Admin UI Guide.
  • When you grant a user edit access, that user can modify and share the dashboard with others. However, other users cannot delete the dashboard. Only the dashboard owner can delete a dashboard.
  • Group information is imported into the ExtraHop system from LDAP (such as OpenLDAP or Active Directory). User information is available after an ExtraHop user logs in to their account.
  • To share a dashboard with a non-ExtraHop user, you can create a PDF file of the dashboard. If you have a Command appliance, you can create a scheduled report, which sends the PDF file of the dashboard to any email recipient on a regular basis.
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. In the left pane, select a dashboard you want to share.
    You cannot share system dashboards or dashboards that you do not have edit access to.
  3. Click the command menu in the upper right corner of the dashboard page and select Share.
  4. Grant view or edit access by making one of the following selections:
    Type of access: selection
    All ExtraHop users can view
    Select All users and groups can view; only specified users and groups.
    All ExtraHop users can view and only specific users can edit
    1. Select All users and groups can view; only specified users and groups.
    2. In the Specify users and groups field, type the name of a user or group, and then select the name from the drop-down list.
    3. Next to the name, select Can edit and click Add User or Add User Group.
    Only select ExtraHop users can view
    1. Select Only specified users or groups can view or edit.
    2. In the Specify users and groups field, type the name of a user or group, and then select the name from the drop-down list.
    3. Next to the name, select Can view and click Add User or Add User Group.
    Only select ExtraHop users can both view and edit
    1. Select Only specified users or groups can view or edit.
    2. In the Specify users and groups field, type the name of a user or group, and then select the name from the drop-down list.
    3. Next to the name, select Can edit and click Add User or Add User Group.
    No ExtraHop users can view or edit (private dashboard)
    Your custom dashboard is set to private by default. If you shared your dashboard and then want to make it private again, select Only specified users or groups can view or edit and remove access.
  5. Click Save.
    Note: How a user interacts with a dashboard and the information they can view in the ExtraHop system is determined by user privileges, which are assigned by the ExtraHop administrator. For more information, see the User privileges section in the ExtraHop Admin UI Guide.
    If you shared your dashboard, a small gray icon will appear next to your dashboard in the dock.
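The access rules above (private by default, view for everyone or for specified users and groups, edit access that also allows re-sharing, deletion reserved to the owner) are easy to get wrong when reasoning about who can see what. The following model is an added illustration, not ExtraHop code; the Dashboard, Access, can() and set_grant() names are hypothetical and the group map stands in for membership imported from LDAP.

```python
# Added illustration of the dashboard sharing rules; not ExtraHop code.
# Dashboard, Access, can() and the group map are hypothetical stand-ins.
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    VIEW = "view"
    EDIT = "edit"


@dataclass
class Dashboard:
    owner: str
    # True models "All users and groups can view; only specified users and groups"
    everyone_can_view: bool = False
    user_grants: dict = field(default_factory=dict)   # user name -> Access
    group_grants: dict = field(default_factory=dict)  # group name -> Access


def effective_access(db, user, groups_of):
    """Highest access level a user holds on the dashboard, or None.

    groups_of maps a user to the groups imported for them (LDAP stand-in).
    """
    if user == db.owner:
        return Access.EDIT
    levels = [db.user_grants[user]] if user in db.user_grants else []
    levels += [db.group_grants[g] for g in groups_of.get(user, ())
               if g in db.group_grants]
    if Access.EDIT in levels:
        return Access.EDIT
    if Access.VIEW in levels or db.everyone_can_view:
        return Access.VIEW
    return None


def can(db, user, action, groups_of):
    """Authorization decision for "view", "edit", "share" or "delete"."""
    level = effective_access(db, user, groups_of)
    if action == "delete":
        return user == db.owner              # only the owner can delete
    if action == "view":
        return level is not None
    if action in ("edit", "share"):
        return level == Access.EDIT          # editors can modify and re-share
    raise ValueError(f"unknown action {action!r}")


def set_grant(db, principal, level, is_group=False):
    """Add a user or group with Can view / Can edit, or downgrade edit to view."""
    (db.group_grants if is_group else db.user_grants)[principal] = level


def revoke(db, principal):
    """Red delete (x) icon: remove all access granted directly to a principal."""
    db.user_grants.pop(principal, None)
    db.group_grants.pop(principal, None)


def make_private(db):
    """Back to the default: no global view and no specified users or groups."""
    db.everyone_can_view = False
    db.user_grants.clear()
    db.group_grants.clear()


if __name__ == "__main__":
    groups = {"bob": ["netops"], "carol": []}     # constructed group data
    d = Dashboard(owner="alice")
    set_grant(d, "netops", Access.VIEW, is_group=True)
    set_grant(d, "bob", Access.EDIT)
    for who in ("alice", "bob", "carol"):
        print(who, [a for a in ("view", "edit", "share", "delete")
                    if can(d, who, a, groups)])
```

Note that revoking a user's direct grant does not remove access they still inherit through a group, which is why the Remove access procedure below matters for groups as well as users.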

Remove access to a dashboard

You can remove or modify dashboard access that you granted to users and groups.

  1. In the left pane, select the custom dashboard that you want to modify.
  2. Click the command menu in the upper right corner of the page and select Share.
  3. Remove access for users or groups by completing one of the following steps:
    • Remove all access for a user or group by clicking the red delete (x) icon next to the user or group name.
    • Remove edit access by selecting Can view from the drop-down list next to the user or group name.
  4. Click Save.

Export data

You can export chart data from the ExtraHop system in CSV and XLSX formats.

You can also create PDFs of ExtraHop charts, pages, and dashboards.

Export data to Excel

  1. Log into the Web UI on the Discover appliance.
  2. Navigate to a dashboard or protocol page.
  3. Right-click any chart, table, or metric and select Export to Excel.

Export data to CSV

  1. Log into the Web UI on the Discover appliance.
  2. Navigate to a dashboard or protocol page.
  3. Right-click any chart, table, or metric and select Export to CSV.

Create a PDF file

You can export data from a dashboard, protocol page, or individual chart as a PDF file.

  1. Find the dashboard or protocol page that contains the data you want to export and complete one of the following steps:
    • To create a PDF file of the entire page, click the command menu in the upper right corner of the page and select Print (from the Discover appliance) or Export to PDF (from the Command appliance).
    • To create a PDF file of an individual chart or widget, click the chart title and select Print (from the Discover appliance) or Export to PDF (from the Command appliance) from the drop-down menu.
  2. A PDF preview dialog opens. Complete one of the following steps:
    • Click Print Page and then select PDF as the destination from the print settings in your browser.
    • From a Discover appliance, click Print Widget and select PDF as the destination from the print settings in your browser.
    • From a Command appliance, select PDF format customizations and then click Export to PDF. The process for generating a PDF might take several seconds.
    Tip: To access PDF print options through a keyboard shortcut, type pp.

Customize the format of a PDF file

When creating a PDF file of a dashboard or protocol page from a Command appliance, you have several options for customizing the appearance of your PDF file.

  1. Type a custom name for your PDF file or accept the default name.
  2. Choose one of the following page width options:
    Narrow
    Displays large text in chart titles and labels, but provides less space for displaying chart data. Long chart titles and labels might be truncated.
    Medium
    (Recommended) Displays a view of chart titles, legends, and data that is optimized for portrait page orientation.
    Wide
    Displays small text in chart titles and labels, but provides more space for displaying chart data.
  3. Choose one of the following page break options:
    Single page
    Displays the entire dashboard or protocol page on a single, continuous page. This setting might generate a PDF file that is larger than standard printer page sizes.
    Page break per region
    Displays each chart region on an individual page.
  4. Choose one of the following themes:
    Light
    White background with dark text.
    Dark
    Black background with white text.
    Space
    Dark background with a stylized background image and text.
  5. Click Export to PDF. The process for generating a PDF might take several seconds.

Next steps

The PDF file will download to your local computer. Each PDF file includes the dashboard title and time interval. Click View report on ExtraHop to open the original dashboard set to the time interval specified in the PDF file.

Organize custom and shared dashboards

You can filter, sort, rearrange, and create folders to help you organize dashboards within the dashboard dock (left pane) on the Dashboards page.

By default, dashboards are placed within the following dock folders:
Dashboard Inbox
Displays a list of dashboards that have been shared with you by other users. The Dashboard Inbox folder appears only if one or more dashboards have been shared with you.
My Dashboards
Displays a list of dashboards that you created. You can keep your dashboards private or share them with other users. Editing access to your dashboard can be granted on a per-user or user group basis. For more information, see Share a dashboard.
System Dashboards
Displays the Activity and Network dashboards, which are built-in dashboards that provide you with a general overview of network behavior and health. You can copy a system dashboard, but you cannot delete, modify, move, or share these dashboards.

To organize dashboards across the dock, you can filter and sort dashboards with the controls at the top of the dashboard dock. You can also create and add custom dashboard folders.

Here are some considerations about organizing dashboards:
  • The dock must be in Edit Dock mode to rearrange dashboards. Click the command menu in the lower right corner of the dashboard dock and then select Edit Dock. You can also type the keyboard shortcut, OD. Click the Exit Edit Mode icon in the lower right corner of the dock when you are finished.
  • You cannot rearrange dashboards in the dock when they are sorted in ascending or descending order. You must first select the Custom Order icon at the top of the dashboard dock, as shown in the following figure.

  • You cannot move dashboards in or out of the System Dashboards folder.
  • When you filter dashboards, only the dashboards or folders that match the search string appear in the dashboard dock.
  • You cannot remove dashboards from the dock unless you delete them. To hide a dashboard, you can move the dashboard into a custom folder.
    Important: If you are a dashboard owner and you delete your dashboard from the dock, you cannot recover it. You can recover a shared dashboard that you deleted from the dock if the dashboard owner removes your access and shares with you again.

Create dashboard folders

You can create folders to organize dashboards in the dashboard dock. First create the folder, then edit the dock to add dashboards to the folder.

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. In the bottom corner of the dashboard dock, click the command menu, and then click New Folder.
  3. Type a name for the folder and then click Save.
    An empty dashboard folder is added to the bottom of the dashboard dock.
  4. In the bottom corner of the dashboard dock, click the command menu, and then click Edit Dock.
  5. Click-and-drag dashboards into the folder. Note that you cannot add system dashboards to a custom folder.
  6. Optional: Click-and-drag the folder to a new location within the dashboard dock. You must have the sort option at the top of the dashboard dock set to Custom Order. You cannot rearrange dashboards and folders when they are sorted by ascending or descending order.
  7. In the bottom corner of the dashboard dock, click the Exit Edit Mode icon.
    Tip: You can type the following keyboard shortcuts to perform these steps:
    • NF - Create a dashboard folder
    • OD - Edit the dashboard dock

Chart types

Dashboard charts in the ExtraHop system offer multiple ways to visualize metric data, which can help you answer questions about your network behavior.

You select a chart type when you edit a chart in the Metric Explorer. But how do you know which chart to select? It helps to first decide which question you want to answer:
  • To learn how a metric changes over time, select a time-series chart such as the area, column, line, line & column, or status chart.
  • To learn how a metric value compares to a complete set of data, select a distribution chart such as the box plot, candlestick, heatmap, or histogram chart.
  • To learn the exact metric value for a time period, select a total value chart such as the bar, list, pie, table, or value chart.
  • To learn the alert status of this metric, select the list, status, or value chart.

Find more answers in the Charts FAQ.

The following table provides a list of chart types and overviews. Click on the chart type to see more details and examples.

Chart type (category): description
Area chart (Time-series): Displays metric values as a line that connects data points over time, with the area between the line and axis filled in with color.
Column chart (Time-series): Displays metric data as vertical columns over a selected time interval.
Line chart (Time-series): Displays metric values as data points in a line over time.
Line & Column chart (Time-series): Displays metric values as a line, which connects a series of data points over time, with the option to display another metric as a column chart underneath the line chart.
Status chart (Time-series): Displays metric values in a column chart and the status of an alert assigned to both the source and metric in the chart.
Box plot chart (Distribution): Displays variability for a distribution of metric data. Each horizontal line in the box plot includes three or five data points.
Candlestick chart (Distribution): Displays variability for a distribution of metric data over time.
Heatmap chart (Distribution): Displays a distribution of metric data over time, where color represents a concentration of data.
Histogram chart (Distribution): Displays a distribution of metric data as vertical bars or bins.
Bar chart (Total value): Displays the total value of metric data as horizontal bars.
List chart (Total value): Displays metric data as a list with optional sparklines that represent data changes over time.
Pie chart (Total value): Displays metric data as a portion or percentage of a whole.
Table chart (Total value): Displays multiple metric values in a table, which can be easily sorted.
Value chart (Total value): Displays the total value for one or more metrics.

Area chart

Metric data is displayed as data points over time connected by a line, with the area between the line and the x-axis filled in with color.

If your chart contains more than one metric, data for each metric is displayed as an individual line, or a series. Each series is stacked together to illustrate the cumulative value of the data.

Select the area chart to see how the accumulation of multiple metric data points over time contributes to a total value. For example, an area chart can reveal how various protocols contribute to total protocol activity.

For more information about displaying rates in your chart, see the Display rates section.

Note: This chart supports detection markers, which indicate detections associated with chart data.

The following figure shows an example of an area chart.



Bar chart

The total value of metric data is displayed as horizontal bars.

Select the bar chart when you want to compare the data for more than one metric for a selected time interval.

The following figure shows an example of a bar chart.



Box plot chart

The box plot chart displays variability for a distribution of metric data. You can only display data from dataset metrics, such as server processing time, in this chart.

Each horizontal line in the box plot includes three or five data points. With five data points, the line contains a body bar, a vertical tick mark, an upper shadow line, and a lower shadow line. With three data points, the line contains a vertical tick mark, an upper shadow, and a lower shadow. For more information about displaying specific percentile values in your chart, see Display percentiles.

The following figure shows an example of a box plot chart.



Candlestick chart

The candlestick chart displays variability for a distribution of metric data over time. You can only display data from dataset metrics or high-precision network (L2) byte and packet metrics.

Vertical lines at each time interval display three or five data points. If the line has five data points, it contains a body, a middle tick mark, an upper shadow line, and a lower shadow line. If the line has three data points, it contains a middle tick mark. For more information about displaying specific percentile values in your chart, see Display percentiles.

Select the candlestick chart to view the variability of data calculations for a specific period of time.

The following figure shows an example of a candlestick chart.



Column chart

Metric data is displayed as vertical columns over time. If your chart contains more than one metric, data for each metric is displayed as an individual column or as a series. Each series is stacked together to illustrate the cumulative value of the data.

Select the column chart to compare how the accumulation of multiple metric data points at a specific time contributes to the total value.

Note: This chart supports detection markers, which indicate detections associated with chart data.

The following figure shows an example of a column chart.



Heatmap chart

The heatmap chart displays a distribution of metric data over time, where color represents a concentration of data. You can only select a dataset metric to display in the chart, such as server processing time or round trip time.

Select the heatmap when you want to identify patterns in the distribution of data.

Here are some important considerations about the heatmap chart:
  • The heatmap legend displays the color gradient that corresponds to the data range in the chart. For example, the darker color on the heatmap indicates a higher concentration of data points.
  • The default data range is between the 5th and 95th percentiles, which filters outliers from the distribution. Outliers can skew the scale of data displayed in your chart, making it more difficult to spot trends and patterns for the majority of your data. However, you can choose to view the full range of data by changing the default filter in the Options tab. For more information, see Filter outliers.
  • The selected theme, such as Light, Dark, or Space, affects whether a dark or light color indicates a higher concentration of data points.

The following figure shows an example of a heatmap chart.



Histogram chart

The histogram chart displays a distribution of metric data as vertical bars, or bins. You can only select a dataset metric to display in this chart, such as server processing time or round trip time.

Select the histogram chart to view the shape of how data is distributed.

Here are some important considerations about the histogram chart:
  • The default data range is from the 5th to 95th percentile (5th-95th), which filters outliers from the distribution. The minimum to maximum (Min-Max) view displays the full data range. Click the magnifying glass in the upper right corner of the chart to toggle between the two views.
  • Data is automatically distributed into bins on either a linear or log scale based on the data range. For example, when the data range spans several orders of magnitude, data is placed into bins on a log scale. Min-Max (log) appears in the upper right corner of the chart.
  • Click-and-drag to zoom in on multiple bins or a specific bin. Click the magnifying glass again in the upper right corner of the chart to zoom out to the original view (either 5th-95th or Min to Max).
    Note: Zooming in to view a custom time interval does not change the global or region time interval.
  • Your toggle selection (between the 5th-95th and Min-Max views) will persist for your chart, but not for the users that you shared your dashboard and chart with. To set a persistent toggle selection before sharing a dashboard, see Filter outliers.

The following figure shows an example of a histogram chart.



Note: This chart does not support baselines or threshold lines.
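The two behaviours described above, the 5th-95th default range versus the Min-Max view and the choice between linear and log bins, can be reproduced in a few lines. This is an added illustration, not ExtraHop code; the "several orders of magnitude" rule is modelled with an assumed threshold of two, and the sample processing times are constructed.

```python
# Added illustration of histogram range filtering and bin scale selection;
# not ExtraHop code. The two-orders-of-magnitude threshold is an assumption.
import math


def percentile(values, p):
    """Nearest-rank percentile of a non-empty list (0 <= p <= 100)."""
    s = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(s)))
    return s[rank - 1]


def data_range(values, outlier_filter=True):
    """(low, high): 5th-95th when outliers are filtered, else Min-Max."""
    if outlier_filter:
        return percentile(values, 5), percentile(values, 95)
    return min(values), max(values)


def choose_scale(low, high, orders=2):
    """'log' when the range spans at least `orders` orders of magnitude."""
    if low > 0 and math.log10(high / low) >= orders:
        return "log"
    return "linear"


def bin_edges(low, high, bins, scale):
    """bins + 1 edges, evenly spaced in linear or log10 space."""
    if scale == "log":
        lo, hi = math.log10(low), math.log10(high)
        return [10 ** (lo + i * (hi - lo) / bins) for i in range(bins + 1)]
    return [low + i * (high - low) / bins for i in range(bins + 1)]


def histogram(values, bins=8, outlier_filter=True):
    """Bin the values that fall inside the displayed range."""
    low, high = data_range(values, outlier_filter)
    scale = choose_scale(low, high)
    edges = bin_edges(low, high, bins, scale)
    counts = [0] * bins
    for v in values:
        if v < low or v > high:
            continue                       # outside the displayed range
        i = bins - 1                       # last bin is closed on the right
        for k in range(bins):
            if v < edges[k + 1]:
                i = k
                break
        counts[i] += 1
    return {"range": (low, high), "scale": scale, "edges": edges, "counts": counts}


# Constructed server processing times (ms): a cluster of normal values
# plus three outliers that stretch the Min-Max range.
VALUES = list(range(1, 61)) + [5000, 8000, 20000]

if __name__ == "__main__":
    for flt in (True, False):
        h = histogram(VALUES, outlier_filter=flt)
        print("5th-95th" if flt else "Min-Max", h["range"], h["scale"], h["counts"])
```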

Line chart

Metric data is displayed as data points over time that are connected in a line. If your chart contains more than one metric, data for each metric is displayed as an individual line or as a series. The series overlap.

Select the line chart to compare changes over time.

Note: This chart supports detection markers, which indicate detections associated with chart data.

The following figure shows an example of a line chart.



Line & column chart

Metric data is displayed as data points over time connected by a line, with the option to display a column chart underneath the line chart. If your chart contains more than one metric (for example, HTTP Requests and HTTP Errors), you can select Display as Columns to display one of the metrics as a column chart underneath the line chart.

Columns are displayed in the color red by default. To remove the red color, click Options and deselect Display columns in red.

Select the line & column chart to compare different metrics at different scales in one chart. For example, you can view error rates and the total number of HTTP responses in one chart.

Note: This chart supports detection markers, which indicate detections associated with chart data.

The following figure shows an example of a line & column chart.



List chart

Metric data is displayed as a list. Select the list chart to view long lists of metric values, such as detail metrics.

This chart includes the following options:
  • Add a sparkline, which is a simple area chart placed inline with the metric name and value. A sparkline shows how data changed over time. Click the Options tab and select Include Sparkline.
  • Display the metric value in an alert status color. Different colors indicate the severity of the configured alert. For example, if an alert threshold is crossed for a metric that is displayed in the list chart, the value for that metric appears in red. Click the Options tab and select Use color to show alert status.
Note: This chart does not support baselines or threshold lines.

The following figure shows an example of a list chart.



Pie chart

Metric data is displayed as a portion or percentage of a whole. If your chart contains more than one metric, data for each metric is represented as a single slice, or series, in the pie chart.

Select the pie chart to compare the metric values that are mutually exclusive, such as status code detail metrics for the top-level HTTP Response metric.

This chart includes the following options:
  • Display as a donut chart. Click the Options tab and select Show total value.
  • Specify the decimal precision, or the number of digits, displayed in your chart. Percentile precision is useful for displaying ratios of data, especially for service-level agreements (SLAs) that might require precise data for reporting. Click the Options tab, and in the Units section, select Show percents instead of counts. Then select 0.00% or 0.000% from the drop-down list.

The following figure shows an example of a pie chart.



Status chart

Metric data is displayed in a column chart. The color of each column represents the most severe alert status of the configured alert for the metric. You can only select one source and metric to display in this chart.

To view the status of all of the alerts associated with the selected metric category, click Show Related Alerts. A list of alerts is then displayed below the column chart.

Select the status chart to see how data and the alert status for your metric change over time.

Note: This chart does not support baselines.

The following figure shows an example of a status chart.



Table chart

Metric data is displayed across rows and columns in a table. Each row represents a source. Each column represents a metric. You can add multiple sources (of the same type) and metrics to a table.

Select the table chart when you want to view metric data in a grid and easily sort values across multiple metrics.
Note: This chart does not support baselines or threshold lines.

The following figure shows an example of a table chart.



Value chart

The total value for one or more metrics is displayed as a single value. If you select more than one metric, metric values are displayed side-by-side.

Select the value chart to see the total value of important metrics, such as the total number of HTTP errors occurring on your network.

This chart includes the following options:
  • Add sparklines, which are simple area charts placed underneath the metric values. A sparkline shows how data changed over time. Click the Options tab and select Include Sparkline.
  • Display the metric value in an alert status color. Different colors indicate the severity of the configured alert. For example, if an alert threshold is crossed for a metric, the value appears in red. Click the Options tab and select Use color to show alert status.
Note: This chart does not support baselines or threshold lines.

The following figure shows an example of a value chart.



Create a chart

Charts are an essential tool for visualizing, analyzing, and understanding network behavior. You can create a custom chart from a dashboard or protocol page to visualize data from any of the 4,000+ built-in metrics or custom metrics available in the ExtraHop system. For example, if you observe an interesting server metric while troubleshooting, you can create a chart to visualize and further analyze that metric. Customized charts are then saved to dashboards.

The following steps show you how to quickly create a blank custom chart:
  1. Log into the Web UI on the Discover or Command appliance and complete one of the following steps:
    • Click Dashboards at the top of the page.
    • Click Metrics at the top of the page. Select a source from the left pane, and then click the name of an application, device, device group, or network from the center pane. A protocol page for the source appears.
  2. Click the command menu in the upper right corner of the page and then select Create Chart.
  3. Edit the chart in the Metric Explorer.
  4. To save your chart, click Add to Dashboard and complete one of the following steps:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.
    Tip: Here are some other ways to create a chart:
    • If you find a chart you like on a protocol page or dashboard, you can recreate and save that chart to your dashboard. Click the chart title and then select Create Chart From....
    • You can edit a dashboard layout and click-and-drag a new chart widget onto the dashboard.

Next steps

After you create a chart, learn more about working with dashboards:

Copy a chart

You can copy a chart from a dashboard or protocol page and then save the copied chart to a dashboard. Copied widgets are always placed into a new region on the dashboard, which you can later modify.

Tip: If you want to copy a dashboard chart or text box without creating a new region, click the command menu in the upper right corner of the dashboard page and click Edit Layout. Find the chart you want to copy and then click Duplicate.
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard that contains the chart or widget that you want to copy.
  3. Click the title.
    Note: You cannot click the title of a text box widget. To copy a text widget, you must first edit the dashboard layout. Click the command menu in the upper right corner of the text box widget, and then complete step 4.
  4. Hover over Copy to… to expand a drop-down list and then make one of the following selections:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.

Next steps

The chart is copied into a new region on the dashboard that is in Edit Layout mode. You can now edit your dashboard or chart in the following ways:

Drill down

An interesting metric naturally leads to questions about behavior in your network environment. For example, if you find a large number of DNS request timeouts on your network, you might wonder which DNS clients are experiencing those timeouts. Drill-down functionality in the ExtraHop system can help answer these types of questions when viewing metric data in charts.

In the ExtraHop system, you can easily drill down from a top-level metric into specific details about the devices, methods, or resources associated with that metric. When you drill down on a metric by a key (such as a client IP address or resource), the ExtraHop system calculates a topnset of up to 1,000 key-value pairs. You can then investigate these key-value pairs, known as detail metrics, to learn which factors are linked to the interesting activity.

Drill down on metrics from a dashboard or protocol page

Drilling down on any metric you see in a chart or legend helps you see which key, such as client IP address, server IP address, method, or resource, contributed to that value.

The following steps show you how to locate a metric and then drill down:

  1. Log into the Web UI on the Discover or Command appliance.
  2. Find an interesting metric by completing one of the following steps:
    • Click Dashboards, and then select a dashboard from the left pane. A dashboard appears containing metrics.
    • Click Metrics. Click Device, Device Group, Activity Group, or Application in the left pane. Then select a device, group, or application. A protocol page appears containing metrics.
    • Click Metrics, click Network in the left pane, and then select a flow network. A protocol page appears containing metrics.
  3. Click on a metric value or a metric label in the chart legend, as shown in the following figure. A menu appears.


    Tip: On a protocol page, you can also click a drill-down shortcut button in the DRILL DOWN section, located in the upper right corner of the page. The type of shortcut buttons vary by protocol.


  4. In the Drill down by… section, select a key. A detail metrics page with a topnset of metric values by key appears. You can view up to 1,000 key-value pairs on this page.
    Tip: If a View More link appears at the bottom of a chart, click View More to drill down on the metric displayed in the chart.

Drill down on network capture and VLAN metrics

When you see an interesting top-level metric about network activity on a Network capture or VLAN page, you can identify which devices are linked to that activity.

Note: For information about how to drill down on metrics from a flow network or flow network interface page, see the Drill down on metrics from a dashboard or protocol page section.
  1. Log into the Web UI on the Discover or Command appliance.
  2. Click Metrics.
  3. Click Networks in the left pane.
  4. Click a network capture or VLAN interface name.
  5. Click a network layer in the left pane, such as L3 or L7 Protocols. Charts that display metric values for the selected time interval appear. For most protocols and metrics, a Device table also appears at the bottom of the page.
  6. Click the chart data, which updates the list to display only the devices that are associated with the data.
  7. Click a device name. A Device page appears, which displays traffic and protocol activity associated with the selected device.

Investigate detail metrics

After you drill down on a metric from a dashboard, overview page, or protocol page, you can filter data or select different keys, such as status codes or URIs, to investigate your data from different perspectives.

The following figure shows you how to filter, pivot, sort, or export data.



If you drilled down on a metric by IP, Client, or Server, IP addresses and hostnames (if observed from DNS traffic) appear in the table. Additional options are now available to you. For example, you can generate a geomap or directly navigate to a client or server protocol page, as shown in the following figure.

Filter results

A detail page can contain up to 1,000 key-value pairs. There are two ways to find specific results from all this data: filter results with a set of three filters (known as the trifield) or click a key in the table to create another drill-down filter.

The trifield filter is available below the chart to help you filter results in the following ways:

  • Type in the filter field to dynamically filter results
  • Click the Any Field drop-down list and make a selection
  • Choose an operator to define parameters for your filter:
    • Select = to perform an exact string match.
    • Select ≈ to perform an approximate string match. The ≈ operator supports regular expressions.
      Note:To exclude a result, enter a regular expression. For more information, see Create regular expression filters in a chart.
    • Select the exclusion operator to exclude an approximate string match from your results.
    • Select > or ≥ to perform a match for values greater than (or equal to) a specified value.
    • Select < or ≤ to perform a match for values less than (or equal to) a specified value.
  • Click Add filter to save the filter settings. You can save multiple filters for one query. Saved filters are cleared if you select another key from the Details section in the left pane.
Investigate threat intelligence data (ExtraHop Reveal(x) only)
Click the red camera icon to view threat intelligence information about a suspicious host, IP address, or URI found in detail metric data.
Highlight a metric value in the top chart
Select an individual row or multiple rows to change chart data in the top chart on the detail metric page. Hover over data points in the chart to view more information about each data point.
Pivot to more data by key
Click key names in the Details section to see more detail metric values, broken down by other keys. For IP address or host keys, click a device name in the table to navigate to a Device protocol page, which displays traffic and protocol activity associated with that device.
Adjust the time interval and compare data from two time intervals
By changing the time interval, you can view and compare metric data from different times in the same table. For more information, see Compare time intervals to find the metric delta.
Note:The global time interval in the upper left corner of the page includes a blue refresh icon and gray text that indicates when the drill-down metrics were last polled. To reload the metrics for the specified time interval, click the refresh icon in the Global Time Selector display. For more information, see View the latest data for a time interval.
Sort metric data in columns
Click the column header to sort by metrics to view which keys are associated with the largest or smallest metric values. For example, sort on processing time to see which clients experienced the longest website load times.
Change data calculation for metrics
Change the following calculations for metric values displayed in the table:
  • If you have a count metric in the table, click Count in the Options section in the left pane and then select Average Rate. Learn more in the Display a rate or count in a chart topic.
  • If you have a dataset metric in the table, click Mean in the Options section in the left pane and then select Summary. When you select Summary, you can view the mean and the standard deviation.
Export data
Right-click a metric value in the table to download a PDF, CSV, or Excel file.
Drill down a second time by a key filter

After you first drill down on a top-level metric by key, a detail page appears with a topnset of metric values broken down by that key. You can then create a filter to drill down a second time by another key. For example, you can drill down on HTTP responses by status code, and then drill down again by the 404 status code to find more information about the servers, URIs, or clients associated with that status code.

Note:The option to drill down a second time is only available for certain topnsets.

The following steps show you how to drill down from a chart and then drill down again from a detail metric page:

  1. Log into the Web UI on the Discover or Command appliance.
  2. Navigate to a dashboard or protocol page.
  3. Click a metric value or label.
  4. In the Drill down by… section, select a key.
    A detail page appears.
  5. Click a key in the table, such as a status code or method. (The key must not be an IP address or hostname.)
  6. In the Drill down by… section, select a key, as shown in the following figure.
    The key filter appears above the table. You can now view all the detail metrics associated with that single key.
  7. To remove this filter from the table and then apply the filter to the top chart, click the x icon, as shown in the following figure.
    The filter in the chart persists as you select other keys in the Details section.

Add detail metrics to chart

If you want to quickly monitor a set of detail metrics in a dashboard, without repeatedly performing the same drill-down steps, you can drill down on a metric when editing a chart in the Metric Explorer. A chart can display up to 20 of the top detail metric values broken down by key. A key can be a client IP address, hostname, method, URI, referrer, or more.

For example, a dashboard for monitoring web traffic might contain a chart displaying the total number of HTTP requests and responses. You can edit this chart to drill down on each metric by IP address to see the top talkers.

The following steps show you how to edit an existing chart and then drill down to display detail metrics:

  1. Log into the Web UI on the Discover or Command appliance.
  2. Navigate to a dashboard or protocol page.
  3. Click the chart title and then select Edit.
  4. In the Details section, click Drill down by <None>, where <None> is the name of the drill-down metric key currently displayed in your chart.
  5. Select a key from the drop-down list.
    Note:If you have more than one source selected in your metric set, such as two devices, the sources are automatically combined into an ad hoc source group as you drill down. You cannot deselect the Combine Sources checkbox. To view drill-down metrics for each source, you must remove a source from the metric set and then click Add Source to create a new metric set.
    If drill-down metric data for a common key is available for all of the metrics in a metric set, the drill-down metrics automatically appear in the drop-down list, as shown in the following figure. If a drill-down metric in the list is grayed out, data for that key is not available for all of the metrics in the metric set. For example, client, server, and URI data are available for both HTTP Requests and HTTP Responses metrics in the metric set.

  6. You can filter drill-down metric keys with an approximate match, regular expression (regex), or exact match through one of the following steps:
    • In the Filter field, select the icon to display keys by an approximate match or with regex. You must omit forward slashes with regex in the approximate match filter.
      Note:The filter option to exclude results is only available on detail pages. If you want to exclude results in a dashboard chart, create a regex string.
    • In the Filter field, select the = icon to display keys by an exact match.
  7. Optional: In the top results field, enter the number of keys that you want to display. These keys will have the highest values.
  8. To remove a drill-down selection, click the x icon.
    Note:You can display an exact key match per metric, as shown in the following figure. Click the drill-down metric name (such as All Methods) to select a specific drill-down metric key (such as GET) from the drop-down list. If a key appears gray (such as PROPFIND), drill-down metric data is unavailable for that specific key. You can also type a key that is not in the drop-down list.

Display a rate or count in a chart

You can visualize errors, responses, requests, and other count metric data in a chart as a per second rate or as a total number of events over time. For high-precision Network Bytes and Network Packets metrics, you have the additional options to view the maximum, minimum, and average rate per second in a chart.

When editing a chart in the Metric Explorer, you can select a count or rate by clicking the drop-down link below the metric name, as shown in the following figure.

In addition, you can select from the following options for displaying rates and counts. Note that the type of metric you select affects which rate or count is automatically displayed.

Average rate
Calculates the average metric value per second for the selected time interval. For network-related metrics, such as Response L2 Bytes or NetFlow Bytes, the average rate per second is automatically displayed.
Count
Displays the total count of events for the selected time interval. For the majority of count metrics, such as errors, requests and responses, the count is automatically displayed.
Rate summary
Calculates the maximum, minimum, and average metric value per second. For high-precision metrics, such as Network Bytes and Network Packets, these three rates are automatically displayed in the chart as a summary. You can also select to view only the maximum, minimum, or average rate in a chart. High-precision metrics are collected with a 1-second level of granularity and are only available when you configure your chart with a network capture or device source.
Display the average rate in a chart

If you configured a chart with an error, response, request, or other type of count metric, then the total number of events over time is automatically displayed. You can further edit the chart to display an average rate per second for your data.

Before you begin

Create a chart and select a count metric, such as errors, requests, or responses, as your source. Save your chart to a dashboard.
The following steps show you how to add an average rate to an existing dashboard chart:
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  3. Click Count below the metric name.
  4. Select Average Rate from the drop-down list. The unit “/s” is applied to metric units. You can toggle back to the count at any time.
  5. Click Save to close the Metric Explorer.
    Tip:When you select more than one count metric in a chart, avoid displaying rates and counts together in the same chart. It can skew the scale of the y-axis. The y-axis will include a "/s" on tick labels only if all metrics are displaying rates.
Display the maximum rate in a chart

To display a maximum rate per second of a metric in a chart, you must configure a chart with a high-precision metric.

The following steps show you how to configure a chart that displays a maximum rate:

  1. Log into the Web UI on the Discover or Command appliance and complete one of the following steps:
    • To create a new chart, click the command menu in the upper right corner of the page and then select Create chart.
    • To edit an existing chart, click Dashboards at the top of the page. Select a dashboard containing the chart that you want to edit. Click the chart title and select Edit.
  2. Click Add Source and select one of the following sources:
    • A network capture that is not a flow network.
    • A device, such as a server or client.
  3. Search for and select one of the following metrics:
    For a network capture source
    • Network Bytes (total throughput)
    • Network Packets (total packets)
    For a device source
    • Network Bytes (combined inbound and outbound throughput by device)
    • Network Bytes In (inbound throughput by device)
    • Network Bytes Out (outbound throughput by device)
    • Network Packets (combined inbound and outbound packets by device)
    • Network Packets In (inbound packets by device)
    • Network Packets Out (outbound packets by device)
  4. Select a chart type that is compatible with count metrics (includes line, value, column, bar, pie, and list charts).
    The default display for a high-precision metric is a rate summary that automatically displays the maximum, average, and minimum rate.
  5. Click Rate Summary below the metric name.
  6. Select Maximum Rate from the drop-down menu.
  7. Click Save to close the Metric Explorer.

Display percentiles or a mean in a chart

If you have a set of servers that are critical to your network, viewing the 95th percentile of server processing time in a chart can help you gauge how much servers are struggling. Percentiles are statistical measures that can show you how a data point compares to a total distribution over time.

You can only display percentile value and mean (average) calculations in charts that contain dataset or sampleset metrics. Dataset metrics are associated with timing and latency, such as server processing time and round trip time metrics. Sampleset metrics provide summaries of detail timing metrics, such as server processing time broken down by server, method, or URI.

When editing a chart in the Metric Explorer, you can select percentiles or the mean by clicking the drop-down link below the dataset or sampleset metric name, as shown in the following figure.

The Metric Explorer provides the following calculations for displaying percentiles and the mean.
Summary

For dataset metrics, the Summary is a range that includes the 95th, 75th, 50th, 25th, and 5th percentile values.

For example, each line in a candlestick chart contains five data points. If Summary is selected, the main body of the line represents the range from the 25th percentile to the 75th percentile. The middle tick mark represents the 50th percentile (median). The upper shadow above the body line represents the 95th percentile. The lower shadow represents the 5th percentile.

For sampleset metrics, the Summary displays the +/-1 standard deviation and the mean values. In the candlestick chart, the vertical tick mark in the line represents the mean, and the upper and lower shadows represent the standard deviation values.

Mean
The calculated average of data.
Median
The 50th percentile value of a dataset metric.
Maximum
The 100th percentile value of a dataset metric.
Minimum
The 0th percentile value of a dataset metric.
Percentile
A custom range of three or five percentile values for a dataset metric.
Display a custom range of percentiles

You can display a custom range of three or five percentile values for server processing time or round trip time metrics. You cannot display custom percentiles in a pie or status chart.

Before you begin

Create a chart and select a dataset or sampleset metric, and save it to a dashboard.

The following steps show you how to add a custom percentile range to an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart you want to edit.
    2. Click the chart title and select Edit.
  3. Click Summary below the metric name.
  4. Select Percentile... from the drop-down list.
  5. In the Set Percentiles field, type a number for each percentile value, separated by a comma. For example, to view the 10th, 30th, and 80th percentiles, type 10, 30, 80.
  6. Click Save. Your custom range is now displayed in the chart. You can toggle between your custom range and other percentile selections, such as Summary or Maximum, at any time.
  7. Click Save again to close the Metric Explorer.
Filter outliers in histogram or heatmap charts

Histogram and heatmap charts display a distribution of data. However, outliers can skew how the distribution displays in your chart, making it difficult to notice patterns or average values. The default filter option for these charts excludes outliers from the data range and displays the 5th-95th percentiles. You can change the filter to view the full range of data (minimums to maximums), including outliers, in your chart by completing the following procedure.

  1. Click the chart title and then select Edit to launch the Metric Explorer.
  2. Click the Options tab.
  3. From the Default filter drop-down list in the Filters section, select Min to Max.
  4. Click Save to close the Metric Explorer.

Edit metric labels in a chart legend

You can change the default metric label in a chart to a custom label. For example, you can change the default label, "Network Bytes," to a custom label such as "Throughput."

Custom labels only apply to individual charts. A custom label for a metric will persist if you copy the chart to another dashboard, share a dashboard with another user, or add new metrics to your chart.

However, if you make changes to the original metric, such as updating the data calculation (from median to 95th percentile, for example) or drilling down on the metric, the custom label will automatically clear. The label clears to prevent mislabeling or potential inaccuracy of the custom label when metric data changes.

Here are some considerations about changing the label of a chart legend:

  • For detail metrics, a custom label is automatically appended to all the keys displayed in the chart. However, you can change the order of the key in the label by including the variable, $KEY:
    • Type $KEY errors to display 172.21.1.1 errors
    • Type [$KEY] errors to display [172.21.1.1] errors
  • You cannot change labels in the box plot, candlestick, heatmap, table, or status charts.
  • You cannot rename metric delta or dynamic baseline labels.

Before you begin

Create a chart and select a metric.

The following steps show you how to change metric labels in an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  3. In the preview pane of the Metric Explorer, click the metric label.
  4. Select Rename from the drop-down menu.
  5. In the Display custom label field, type a new label. The label must be unique from other labels in the chart.
  6. Click Save, and then click Save again to close the Metric Explorer.
    The new label appears in your chart.

Add a dynamic baseline to a chart

Dynamic baselines help distinguish between normal and abnormal activity in your chart data. Baselines are only supported in the area, candlestick, column, line, and line & column charts.

Discover appliances calculate dynamic baselines based on historical data. To generate a new data point on a dynamic baseline, an appliance calculates the median value for a specified period of time.

Warning:Deleting or modifying a dynamic baseline can delete baseline data from the system. If a dynamic baseline is not referenced by any dashboards, the data will be deleted from the system to free unused system resources. You cannot recover a dynamic baseline after it is deleted.

Select a baseline type that best fits your environment. For example, if you regularly see dramatic changes from one day to another, select an hour-of-week baseline that compares activity seen on specific days of the week. If HTTP activity spikes on Saturdays, the hour-of-week baseline can help you compare the current spike in HTTP activity with the level seen on other Saturdays at the same hour. The following table describes how each type of baseline is calculated:

  • Hour of day: uses 10 days of historical data; compares metric values from a given hour of a day (for example, every day at 2:00 PM); new baseline data points are added every hour.
  • Hour of week: uses 5 weeks of historical data; compares metric values for a given hour on a specific day of the week (for example, every Wednesday at 2:00 PM); new baseline data points are added every hour.
  • Short-term trend: uses 1 hour of historical data; compares metric values from each minute in one hour; new baseline data points are added every 30 seconds.

Here are some important considerations about adding a baseline to a chart:

  • Dynamic baselines require a Discover appliance to calculate and store baseline data. Therefore, creating a baseline consumes system resources, and configuring too many baselines might degrade system performance.
  • Deleting or modifying a dynamic baseline can delete dynamic baseline data from the Discover appliance.
  • Detail, sampleset, maximum rate, and minimum rate metrics are unsupported. If these types of metrics are selected in your chart, you will be unable to generate a dynamic baseline for this data.
  • The Discover appliance can begin building a dynamic baseline only if the necessary amount of historical data is available. For example, an Hour of day baseline requires 10 days of historical data. If the Discover appliance has only been collecting data for six days, the appliance will not begin plotting the baseline until it has four more days worth of data.
  • The Discover appliance does not retroactively plot a dynamic baseline for historical data. The Discover appliance only plots a dynamic baseline for new data.
  • If two identical dynamic baselines exist in separate dashboards, the dashboards reuse the baseline data; however, the baselines must be identical. If you select a new baseline type, the new dynamic baseline will not share data with the previous dynamic baseline.
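As an added illustration (not ExtraHop's code or algorithm), the following Python models the baseline table above: each baseline type takes the median of the metric values in the matching slots of its lookback period, and no point is plotted until the required amount of history exists. The sample series, timestamps, and the 900-value spike are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

# Historical data each baseline type needs, from the table in this topic
REQUIRED_HISTORY = {
    "hour_of_day": timedelta(days=10),
    "hour_of_week": timedelta(weeks=5),
    "short_term_trend": timedelta(hours=1),
}


def baseline_point(samples, kind, now):
    """Return the baseline value to plot at `now`, or None if history is too short.

    `samples` maps a datetime to the metric value observed in that slot (hourly
    slots for the two hour-based baselines, minute slots for the short-term trend).
    Only samples strictly before `now` are used, so the value being compared never
    feeds its own baseline. Illustrative model of the table's description, not
    ExtraHop's implementation.
    """
    if not samples:
        return None
    if now - min(samples) < REQUIRED_HISTORY[kind]:
        return None  # e.g. six days collected, ten required: nothing is plotted yet
    start = now - REQUIRED_HISTORY[kind]
    if kind == "hour_of_day":
        window = [v for t, v in samples.items()
                  if start <= t < now and t.hour == now.hour]
    elif kind == "hour_of_week":
        window = [v for t, v in samples.items()
                  if start <= t < now and t.hour == now.hour
                  and t.weekday() == now.weekday()]
    elif kind == "short_term_trend":
        window = [v for t, v in samples.items() if start <= t < now]
    else:
        raise ValueError(f"unknown baseline type: {kind}")
    return median(window) if window else None


def make_samples(end, span, step, spike_at=None, spike_value=900.0):
    """Constructed series ending just before `end`.

    Hourly slots follow 100 + 10 * hour; minute slots equal the minute number.
    One optional spike is injected to show that the median ignores it.
    """
    samples = {}
    t = end - span
    while t < end:
        if step < timedelta(hours=1):
            samples[t] = float(t.minute)
        else:
            samples[t] = 100.0 + 10.0 * t.hour
        t += step
    if spike_at is not None:
        samples[spike_at] = spike_value
    return samples


NOW = datetime(2024, 1, 20, 14, 0)  # constructed: a Saturday at 2:00 PM
HOUR, MINUTE = timedelta(hours=1), timedelta(minutes=1)


def demo():
    """Compute one baseline point per type over the constructed data."""
    ten_days = make_samples(NOW, timedelta(days=10), HOUR,
                            spike_at=datetime(2024, 1, 15, 14, 0))
    six_days = make_samples(NOW, timedelta(days=6), HOUR)
    five_weeks = make_samples(NOW, timedelta(weeks=5), HOUR,
                              spike_at=datetime(2024, 1, 13, 14, 0))
    last_hour = make_samples(NOW, HOUR, MINUTE)
    return {
        # 240.0: nine values of 240 and one spike of 900, the median is unmoved
        "hour_of_day": baseline_point(ten_days, "hour_of_day", NOW),
        # None: only 6 of the required 10 days are available
        "hour_of_day_short": baseline_point(six_days, "hour_of_day", NOW),
        # 240.0: five Saturdays at 2:00 PM, one of them spiked
        "hour_of_week": baseline_point(five_weeks, "hour_of_week", NOW),
        # 29.5: median of the minute values 0..59 from the last hour
        "short_term_trend": baseline_point(last_hour, "short_term_trend", NOW),
    }


if __name__ == "__main__":
    for kind, value in demo().items():
        print(f"{kind:>18}: {value}")
```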

The following steps show you how to add a dynamic baseline to an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and then select Edit.
  3. Click the Analysis tab.
  4. In the Dynamic Baselines section, select one of the following dynamic baseline type options:
    • Hour of day: Displays the median value for a given hour of the day. This option is most useful if activity in your environment usually follows a consistent daily pattern. If you regularly see dramatically different levels of activity on different days of the week, this option is less useful because the baseline usually does not match the current values.
    • Hour of week: Displays the median value for a given hour on a specific day of the week. This option is most useful if you regularly see significantly different levels of traffic during each day of the week.
    • Short-term trend: Displays the median value for the last hour. This option is useful for smoothing chart data to reveal short-term trends.
  5. Click Save to close the Metric Explorer and return to the dashboard.
    The ExtraHop system will begin calculating the dynamic baseline. New baseline data points are added every hour or 30 seconds, as shown in the following figure.

Add a static threshold line to a chart

Displaying a static threshold line in a chart can help you determine which data points are either below or above a significant value.

For example, you can create a line chart for server processing time to help you monitor the performance of an important database in your network environment. By adding a threshold line that defines a service level agreement (SLA) boundary of acceptable processing time, you can see when database performance is slowing down and address the issue.

You can add one or more threshold lines as you edit a chart with the Metric Explorer. These lines are local to the chart and not associated with other widgets or alerts. Threshold lines are only available for area, candlestick, column, line, line & column, and status charts.

The following steps show you how to add a static threshold line to an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and then select Edit.
  3. Click the Analysis tab.
  4. In the Static Thresholds section, click Add Threshold Line.
  5. In the Value field, type a number that indicates the threshold value for the line. This value determines where the line appears on the y-axis of your chart.
    Note:For charts that display only count metrics (such as bytes, errors, and responses), the value of the threshold line automatically scales based on whether data is displayed as a rate or count. When data is only displayed as a count, the threshold line value automatically scales to the roll-up period (either 30 seconds, 5 minutes, 1 hour, or 1 day). The data roll-up period is determined by the time interval you select.
  6. In the Label field, type a name for your threshold line.
  7. In the Color field, select a color (gray, red, orange, or yellow) for your threshold line.
  8. Click Save to close the Metric Explorer.

Display device group members in a chart

If you have a chart that displays a device group, you can view metrics by top devices in the group, instead of viewing a single value for the entire device group. Drilling down by group member in the Metric Explorer lets you view up to 20 devices in the chart.

Before you begin

Create a chart that contains a device group or activity group as the selected source. Save the chart to a dashboard.

If you see fewer group members in a chart than the number of results you specified, this could be because you selected an activity group with a small number of devices. For activity groups, devices are dynamically placed into an activity group based on the type of protocol traffic they are associated with.

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  3. In the Details field, click Drill down by <None>, where <None> is the name of the detail metric currently displayed in your chart. Then, select Group Member.
  4. In the top results field, enter the number of group members that you want to display. These devices will have the highest metric values. You can display up to 20 group members.
  5. Click Save to close the Metric Explorer.
    Note:If you drill down by group member, you cannot perform additional drill downs to see detail metrics for each device by a key. To see detail metrics by key for a device, we recommend creating another chart with specific devices selected as the source.

Create regular expression filters in a chart

Regular expression (regex) is supported in the Metric Explorer and can be added to filter detail metrics in a chart. The examples in this topic show you how to create regex strings for filtering detail metric keys, such as status codes and IP addresses.

In the ExtraHop system, regex is most effective when you want to filter detail metric data by a parameter contained within the detail metric key, such as a number within any IP address. Regex is also effective for excluding specific keys from charts or displaying a specific combination of keys. Learn more about drilling down for detail metrics as you edit a chart.

Each of the following chart scenarios lists the regex filter to enter and how it works:

  • Compare HTTP status codes 200 to 404. Regex filter: (200|404). Matches 200 and 404 codes, where the | symbol serves as an OR function.
  • Display any HTTP status code that contains a 4. Regex filter: [4]. Matches any value that contains a 4. For example, this filter can return 204 and 400 status codes.
  • Display all 500-level HTTP status codes. Regex filter: ^[5]. Matches any value that begins with a 5. For example, this filter can return 500 and 502 status codes.
  • Display all 400- and 500-level HTTP status codes. Regex filter: ^[45]. Matches all values that begin with a 4 or 5. For example, this filter can return 400, 403, and 500 status codes.
  • Display any HTTP status codes except 200-level status codes. Regex filter: ^(?!2). Matches all values except values beginning with a 2, where ^(?!) specifies the range of results to exclude. For example, this filter can return 400, 500, and 302 status codes.
  • Display any IP address with a 187. Regex filter: 187. (the trailing period is part of the filter). Matches the 1, 8, and 7 characters in the IP address.
  • Review all IP addresses containing 187.18. Regex filter: 187\.18\. (the trailing backslash and period are part of the filter). Matches 187 and the character . that follows the 187. For example, this filter returns results for 187.18.0.0.0, 180.187.0.0.0, or 187.180.0.0.0/16.
  • Display any IP address except 187.18.197.150. Regex filter: [^187.18.197.150]. Matches anything except 187.18.197.150, where [^] specifies the exact value to exclude.
  • Exclude a list of specific IP addresses. Regex filter: [^187.18.197.150|187.18.197.151|187.18.197.152]. Matches anything except 187.18.197.150, 187.18.197.151, and 187.18.197.152, where the | symbol serves as an OR function and [^] specifies the exact values to exclude.
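The following Python is an added check, not part of the guide: it runs each regex filter from the table above over a constructed set of status-code and IP-address keys using Python's re module (the product's filter engine is assumed to behave like a standard regex engine). Under standard regex semantics [^...] is a negated character class that excludes single characters rather than whole values, so the block also builds an exclusion filter from an anchored negative lookahead, which is worth verifying before relying on an exclusion filter to hide a host from a chart.

```python
import re

# Constructed sample detail-metric keys (not taken from the guide)
STATUS_CODES = ["200", "204", "302", "400", "403", "404", "500", "502"]
IP_ADDRESSES = ["187.18.197.150", "187.18.197.151", "187.18.197.152",
                "187.18.0.5", "10.187.0.1", "187.180.0.1", "192.168.4.3"]

# The regex filters from the table in this topic, with the keys each one is run against
TABLE_FILTERS = {
    "200 or 404": (r"(200|404)", STATUS_CODES),
    "contains a 4": (r"[4]", STATUS_CODES),
    "500-level": (r"^[5]", STATUS_CODES),
    "400- and 500-level": (r"^[45]", STATUS_CODES),
    "not 200-level": (r"^(?!2)", STATUS_CODES),
    "with a 187.": (r"187.", IP_ADDRESSES),
    "containing 187.18.": (r"187\.18\.", IP_ADDRESSES),
    "except 187.18.197.150": (r"[^187.18.197.150]", IP_ADDRESSES),
    "except three IPs": (r"[^187.18.197.150|187.18.197.151|187.18.197.152]",
                         IP_ADDRESSES),
}


def approximate_match(pattern, keys):
    """Keep the keys that an unanchored regex search matches.

    This models the approximate-match filter with re.search: a key is kept if the
    pattern matches anywhere in it (patterns that start with ^ anchor themselves).
    """
    rx = re.compile(pattern)
    return [k for k in keys if rx.search(k)]


def run_table():
    """Apply every filter from the table and return {scenario: kept keys}."""
    return {name: approximate_match(pattern, keys)
            for name, (pattern, keys) in TABLE_FILTERS.items()}


def exclusion_pattern(values):
    """Build a pattern that keeps every key except the exact values given.

    In standard regex, [^...] is a negated character class: it matches any single
    character not listed, so it cannot exclude a whole address (see the table rows
    in run_table()). A negative lookahead anchored at both ends does exclude whole
    values, and re.escape makes each dot match a literal dot, not any character.
    """
    alternatives = "|".join(re.escape(v) for v in values)
    return rf"^(?!(?:{alternatives})$)"


def exclude_exact(values, keys):
    """Keep the keys that are not exactly one of `values`."""
    return approximate_match(exclusion_pattern(values), keys)


if __name__ == "__main__":
    for scenario, kept in run_table().items():
        print(f"{scenario:>22}: {kept}")
    print("lookahead, one IP    :", exclude_exact(["187.18.197.150"], IP_ADDRESSES))
    print("lookahead, three IPs :", exclude_exact(
        ["187.18.197.150", "187.18.197.151", "187.18.197.152"], IP_ADDRESSES))
```

Running it shows that [^187.18.197.150] keeps only the two addresses containing a character outside the set {1, 8, 7, ., 9, 5, 0}, while the lookahead form removes exactly the listed addresses.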

Find all devices talking to external IP addresses

The following steps show you how to find all of the external IP addresses that your internal devices are talking to. You can then see if any devices are making or receiving unauthorized connections from other devices outside of your network.

Tip:By default, any device with an RFC1918 IP address (included in a 10/8, 172.16/12, or 192.168/16 CIDR block) that the ExtraHop system automatically discovers is classified as an internal device. Because some network environments include non-RFC1918 IP addresses as part of their internal network, you can specify the locality of an IP address on the Network Localities page.
  1. Log into the Web UI on the Discover or Command appliance.
  2. Click Metrics at the top of the page.
  3. Click Activity Groups in the left pane.
  4. Click TCP Devices. At the top of the page, the External Accepted and External Connected metrics display how many IP addresses outside of your internal network are actively connected to all of your network devices.
  5. Click the blue metric value for either metric.
  6. In the Drill Down by… section, select Group Member. A detail metric page appears and shows all of the names of your network devices and the number of connections to external IP addresses.
  7. Click on a device name that you want to investigate. A protocol page for that device appears, which contains metrics related to the device.

Monitor a device for external IP address connections

If you have an authentication server or database that should not connect to IP addresses outside of your internal network, you can create a value chart in a dashboard that tracks External Accepted and External Connected metrics. From your dashboard, you can then monitor the number of external connections for a specific device.

Tip:By default, any device with an RFC1918 IP address (included in a 10/8, 172.16/12, or 192.168/16 CIDR block) that the ExtraHop system automatically discovers is classified as an internal device. Because some network environments include non-RFC1918 IP addresses as part of their internal network, you can specify the locality of an IP address on the Network Localities page.

The following steps show you how to create a value chart for these TCP metrics and then add the chart to a dashboard.

  1. Log into the Web UI on the Discover or Command appliance.
  2. Click Metrics at the top of the page.
  3. Click Devices in the left pane.
  4. Find a device and then click the device name.
  5. Click TCP in the left pane. In the Total Connections chart in the upper left corner, the External Accepted and External Connected metrics display how many IP addresses outside of your internal network are connected to the device.
  6. Click the Total Connections chart title.
  7. From the drop-down menu, select Create chart from…. The Metric Explorer opens with the device and TCP metrics already selected in the chart.
  8. At the bottom of the Metric Explorer, click the Value chart.
  9. In the left pane in the Metric section, click the x icon to delete each TCP metric that you do not want to view in the chart, as shown in the following figure.


    Your dashboard now contains metrics that help you track the ratio of all accepted connections to external accepted connections, and the ratio of all initiated connections to external initiated connections.
  10. Optional: Make additional edits to the chart with the Metric Explorer.
  11. Click Add to Dashboard and complete one of the following options:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.
  12. Optional: Make additional edits to the dashboard layout.
  13. Click Exit Layout Mode. Your dashboard is complete.

Compare time intervals to find the metric delta

Comparing metrics between two different time intervals helps you see the difference, or the delta, in metric data side-by-side in the same chart. If you create a delta comparison and navigate to another area of the Discover appliance, the comparison is disabled temporarily. When you return to your original page, the delta comparison you saved is enabled again.

  1. Find a chart with the metrics that you want to compare.
  2. In the upper left hand corner of the navigation bar, click the time interval.
  3. In the Time Interval tab, click Compare.
  4. In the Delta Comparison tab, select the time interval to compare with the original time interval.
  5. Click Save. New metric data from the Delta Comparison time interval is placed on the original chart.
  6. To remove the delta comparison, complete the following steps:
    1. Click the time interval.
    2. Click Remove Delta.
    3. Click Save.
    Note: Dynamic baselines will not appear on a chart when you are comparing metric deltas.

Sort metrics

On an application protocol page, if a metrics section contains a gear icon in the upper right corner, the metrics in that section can be sorted by key or value.

  1. Navigate to a protocol page by clicking Metrics and then select an application.
  2. Click the gear icon.
  3. Select Sort by Key or Sort by Value.

Create a chart from a protocol page

Protocol pages contain a large amount of metrics and data. While you cannot modify the charts on protocol pages, you can create a copy of an interesting chart on a protocol page and then add the copied chart to a dashboard. Your dashboard can then be modified and shared with other team members.

  1. Click Metrics and then select a source in the left pane.
  2. Find the chart that you want to copy. Click the chart title and select Create Chart. The Metric Explorer opens with the source and metric selected.
    Note: If you find a chart on an Application or Network Capture page, click Create Chart in the upper right corner of the page.
  3. Edit the chart as needed.
  4. Click Add to Dashboard:
    • Select Create Dashboard to create a dashboard, and then click Create.
    • Select an existing dashboard from the list, and then click Close.

Charts FAQ

Here are some answers to frequently asked questions about charts.

How do I create a chart?
You can create a chart in one of the following ways:
  • Create a new dashboard. An empty chart will appear in your new dashboard, which you can then edit with the Metric Explorer.
  • Add a new chart to an existing dashboard by editing the dashboard layout. In the upper right corner, click the properties menu and select Edit Dashboard Layout. You can then add new empty chart widgets to your dashboard.
  • Create a new chart based on a built-in chart from a protocol page. Click the chart title and select Create Chart from.... You can then save your chart to a dashboard.
How do I edit an existing chart?

Click on the chart title and select Edit. You edit a chart with the chart-building tool called the Metric Explorer. In the Metric Explorer, you select a source, protocol metrics to display from that source, and a chart type.

Which chart type should I select to compare data?
The following chart types are helpful if you want to compare two metrics together, for example the total number of requests compared to the total number of responses.
  • Bar chart
  • List chart
  • Table chart
  • Value chart
Which chart type should I select to observe changes over time?
The following chart types are helpful if you want to observe how a metric, such as errors, changes over time.
  • Line chart
  • Area chart
  • Column chart
When should I create a box plot, candlestick, or histogram chart?
Box plot, candlestick, and histogram charts help you visualize the statistical distribution of data for timing metrics in the ExtraHop system. Timing metrics include server processing time and round trip time.

Box plot chart: Displays the distribution summary of a single metric. You can compare different metrics such as processing time (for application latency) and round trip time (for network latency) side-by-side.

Candlestick chart: Displays changes to the distribution summary for a single metric over time.

Histogram chart: Displays the entire distribution for a single metric. Data is placed into bins instead of percentiles. Histograms help you quickly find outliers, because you can interpret the value of each bin, rather than interpret percentiles.

Note: Depending on the type of metric you select, you can view the distribution of metric activity as percentiles or as a mean and standard deviation. The box plot and candlestick charts display inner quartiles by default (5th, 25th, 50th, 75th, and 95th percentiles). Drill down on a timing metric to view the mean and standard deviation of a timing metric broken down by client, server, and other factors.
When should I create a heatmap?

A heatmap displays a distribution of percentiles over time. You can only view timing metrics such as server processing time and round trip time in a heatmap. For example, a heatmap is useful for identifying concentrations of high server latency at a specific time.

What are maximum, minimum, and average rates?

Network byte and packet data can be displayed in a chart as a maximum, minimum and average per second rate. The Rate Summary in a chart displays these three rates together.

Configuring a chart to display the Rate Summary is only available for high-precision metrics, where metric data is aggregated into 1-second intervals. In the ExtraHop system, high-precision metrics are Network Bytes and Network Packets. For more information, see Display a rate or count in a chart.

Can I add trend lines to my chart?

You can add a dynamic baseline to your chart. A baseline is essentially a trend line that is calculated based on historical data. Baselines help you distinguish between normal and abnormal activity in your chart data.

The Discover appliance does not begin calculating a dynamic baseline until the setting is enabled from the Options tab in the Metric Explorer. Therefore, dynamic baselines only appear for time periods that occur after the baseline was enabled. For more information, see Add a dynamic baseline to a chart.

You can also add a static threshold line to your chart. A threshold line helps you determine if activity is falling above or below a specific value, which is helpful for monitoring service level agreement (SLA) compliance. For more information, see Add a static threshold line to a chart.

How do I add a rate to my chart?

Count metrics, such as errors, requests, and responses, are displayed as total counts in charts by default. But you can also display these metrics as a rate in a chart.

Below the metric name in the Metric Explorer, click Count, and select the type of rate to display.

For more information, see Display a rate or count in a chart.

How do I change the units in my chart?

Click the Options tab when editing a chart in the Metric Explorer. You can change units from bytes to bits, linear to log scale, or from the decimal prefix (1,000 bytes) to binary prefix (1,024 bytes). You can also abbreviate values in bar, value, and list chart types.

How do I change a chart name?

Click the chart title and select Rename.

How do I change the labels in my chart?

You can rename metric labels that appear in the legend for most charts. Click on the metric label in the chart and select Rename. This option is not available for box plot, candlestick, heatmaps, or status chart types.

Why do I see icons on some of my charts?
Detection markers are displayed as icons on charts to indicate detections associated with the source of the metric data during the time interval specified for the chart.

For example, in the following figure, one of the detection markers indicates that a detection lasting 5 hours was identified at 12:00 PM on the source.

Click the detection marker to navigate to the detail page for the detection for further investigation.

If detection markers are not displayed on your charts as expected, check for the following issues:

  • Your appliance is not licensed for the ExtraHop Machine Learning Service, which is required before you can see detections.
  • Detection markers might be disabled. You can enable or disable detection markers from the User menu.
  • You might be viewing a chart that does not support detection markers. Only the following chart types can display detection markers:
    • Area
    • Line
    • Column
    • Line & column
Why do I see Incompatible selections when I hover over a chart type?

Some chart types are only compatible with certain types of metrics. When editing a chart, you might see an Incompatible selections message as you hover over a chart type. This message means that the metric you already selected is incompatible with the chart type.

For example, if you selected an error, request, response, or network bytes metric, you will see an Incompatible selections message as you hover over the following chart types:
  • Heatmap
  • Histogram
  • Candlestick
  • Box plot

These chart types are only compatible with timing metrics such as server processing time and round trip time.

Why is there no data in my chart?

There might not be activity for the source or protocol metric you selected for your chart during the time interval you selected. Adjust the time interval to see if data appears in your chart.

If you are not seeing the traffic you are expecting, contact ExtraHop Support for help.

Activity dashboard

From the Activity dashboard, you can monitor general information about application activity and performance from the transport through the application layers (L4 - L7) on your network.

Each chart in the Activity dashboard contains visualizations of protocol metric data, organized by region. You cannot edit or delete the Activity dashboard. However, you can create your own custom dashboard to monitor specific metrics that are relevant to you.

The following information summarizes each region and its charts.

Traffic Overview
Determine whether traffic bottlenecks are related to a specific application protocol or network latency. The Traffic Overview region contains the following charts:

Network Packets by L7 Protocol Avg Rate chart: Find the protocol that has the highest volume of packet transmissions over the application layer (L7) during the selected time interval.

All Activity Network Round Trip Time: The 95th percentile line shows you the upper range of the time that it took for packets to traverse the network. If this value is over 250ms, then network issues could be slowing down application performance. Round trip time is a measurement of the time between when a client or server sent a packet and received an acknowledgment.

Alert History: View up to 40 of the latest alerts that were generated, and their severity levels. Alerts are user-configured conditions that establish baseline values for specific protocol metrics.

Active Protocols

Determine how application performance is affected by the protocols that are actively communicating over the wire. For example, you can quickly glance at charts that display server processing times and the ratio of errors to responses per protocol.

There is a chart for each active protocol. If you do not see a protocol you were expecting, applications might not be communicating over that protocol for the selected time interval.

For more information about protocols and to view metric definitions, see the ExtraHop Protocol Metrics Reference.

Note: In the ExtraHop Command appliance, you can display the Activity dashboard for each Discover appliance. The appliance name appears in the navigation bar; click the down arrow next to the appliance name to pivot the display to other Discover appliances.


Network dashboard

From the Network dashboard, you can monitor how effectively data is transmitted over the data link, network, and transport (L2 - L4) layers.

Each chart in the Network dashboard contains visualizations of network metric data, organized by region. You cannot edit or delete the Network dashboard. However, you can create your own custom dashboard to monitor specific metrics that are relevant to you.

The following information summarizes each region.

Network L2 Metrics
Monitor the throughput rates over the data link (L2) layer by bits and packets, and monitor the types of frames transmitted. You can also determine how much data is sent to receivers by unicast, broadcast, or multicast distribution.
Network L4 Metrics
Monitor data transfer latency over the transport layer (L4). View TCP activity through connection, request, and response metrics. This data can indicate how effectively data is sent and received across the transport layer in your network.
Network Performance
Monitor how network performance is affecting applications. View overall network throughput by reviewing the throughput per application protocol and the magnitude of high TCP round trip times.
Network L3 Metrics
View data throughput at the network layer (L3) and see packets and traffic by TCP/IP protocols.
DSCP
View a breakdown of packets and traffic by Differentiated Services code points, which are part of the DiffServ network architecture. Every IP packet contains a field that expresses the priority with which the packet should be handled, which is called differentiated services. The values for the priorities are called code points.
Multicast Groups
View traffic that is sent to multiple receivers in a single transmission, and see packets and traffic by each receiver group. Multicast traffic on a network is organized into groups based on destination addresses.
Note: In the ExtraHop Command appliance, you can display the Network dashboard for each Discover appliance. The appliance name appears in the navigation bar; click the down arrow next to the appliance name to pivot the display to other connected Discover appliances.

Metrics

Metrics are measurements of network behavior. Metrics help you to gain visibility into what is happening in your network in real-time. In the ExtraHop system, metrics are calculated from wire data, and then associated with devices and protocols. The ExtraHop system provides a large number of metrics, which you can explore from protocol pages in the Metrics section of the ExtraHop Web UI. You can also search for metrics in the Metric Catalog, in the Metric Explorer, and by searching for metrics by source and then protocol.

Types of metrics

Each metric in the ExtraHop system is classified into a metric type. Understanding the distinctions between metric types can help you configure charts or write triggers to capture custom metrics. For example, a heatmap chart can only display dataset metrics.

Count
The number of events that occurred over a specific time period. You can view count metrics as a rate or a total count. For example, a byte is recorded as a count, and can either represent a throughput rate (as seen in a time series chart) or total traffic volume (as seen in a table). Rates are helpful for comparing counts over different time periods. A count metric can be calculated as a per-second average over time. When viewing high-precision, or 1-second, bytes and packet metrics, you can also view a maximum rate and minimum rate. Count metrics include errors, packets, and responses.
Count rate
The number of events that occurred over a specific time period. Count rate metrics and count metrics are calculated the same way. However, count rate metrics capture additional details that enable you to view the maximum and minimum rate for an interval. Count rate metrics include bytes and packets.
Distinct count
The number of unique events that occurred during a selected time interval. The distinct count metric provides an estimate of the number of unique items placed into a HyperLogLog set during the selected time interval.
Dataset
A distribution of data that can be calculated into percentile values. Dataset metrics include processing time and round trip time.
Maximum
A single data point that represents the maximum value from a specified time period.
Sampleset
A summary of data about a detail metric. Selecting a sampleset metric in a chart enables you to display a mean (average) and standard deviation over a specified time period.
Snapshot
A data point that represents a single point in time.
Tip: Visit the Tip of the Week: Metric Types post on the ExtraHop community forum.

Metric sources

In the ExtraHop system, a metric is a measurement of observed network behavior. Metrics are generated from network traffic, and then each metric is associated with a source, such as an application, device, or network. When you select a source from the Metrics section of the Web UI, or in the Metric Explorer when building a chart, you can view metrics associated with that source. Each source provides access to a different collection of metrics.

Select from the following sources and groups as you configure dashboard widgets or navigate across protocol pages.

Applications

An application is a user-defined container that you can associate with multiple devices and protocols for a unified view of built-in metrics.

These containers can represent distributed applications on your network environment. For example, if you want a unified view of all the network traffic associated with a website—from web transactions to DNS requests and responses to database transactions—you can create a custom application that contains all of these related metrics.

The ExtraHop Web UI enables you to create basic applications that filter metrics by protocol. For advanced applications, you must write a trigger, which requires JavaScript code. For example, you must write a trigger to apply advanced filters for collecting metrics, to create custom application metrics, or to collect metrics from non-L7 traffic.

For more information about creating applications, see Create an application through the Web UI and Create an application through the Trigger API.

Networks

A network capture is the entry point into network devices and virtual LANs (VLANs) that are detected from wire data by the ExtraHop system. A flow network is a network device, such as a router or switch, that sends information about flows seen across the device. A flow network can have multiple interfaces.

Devices

Devices, also known as endpoints, are objects on your network with a MAC address and IP address that have been automatically discovered and classified by the ExtraHop system. Metrics are available for every discovered device on your network. An L2 device has a MAC address only; an L3 device has an IP address and MAC address.

For more information about how devices are automatically discovered and classified by the ExtraHop system, see Device discovery.
Device groups

A device group is a user-defined collection of devices that can help you track metrics across multiple devices.

You can create a dynamic device group by automatically adding all devices that meet matching criteria, or you can create a static device group by manually selecting individual devices.

Matching criteria for dynamic device groups can be a hostname, IP address, MAC address, or any of the filter criteria listed for the device on the Devices page. For example, you can create a dynamic group and then configure a rule to add all devices within a certain IP address range to that group automatically.

Activity groups

An activity group is a collection of devices automatically grouped together by the ExtraHop system based on network traffic. A device with multiple types of traffic might appear in more than one activity group; for example, if a CIFS client is authenticating through LDAP, the device will appear in both the CIFS Clients and the LDAP Clients activity groups. Activity groups make it easy to identify all the devices associated with a protocol, or determine which devices were associated with protocol activity during a specific time interval.

Create custom metrics

In addition to analyzing built-in protocol metrics in the ExtraHop system, you can create your own custom metrics to collect specific information about your environment. Creating a custom metric requires two parts: specifying metric parameters in the Metric Catalog and building a trigger to discover, collect, and store custom metric data. In this topic, you will learn how to create a custom metric from the Metric Catalog first and find links to resources for planning and building a trigger.

By creating a custom metric from the Metric Catalog first, you can add the new metric to a dashboard or chart before custom metric data is collected. If you build a trigger for a custom metric first without specifying metric parameters, you might not be able to access the custom metric until data is observed and collected by the ExtraHop system.

Note: Custom metrics are only available in Advanced Analysis.

The following steps show you how to create a custom metric with the Metric Catalog.

Before you begin

Be aware that the parameters you specify in the Metric Catalog become part of the code that is referenced by a trigger. Parameters such as the metric name and metric type cannot be changed after creating the custom metric in the Metric Catalog. Before you create a custom metric or write a trigger, identify which events and devices are needed to extract the data you need and determine whether a solution already exists. For more information, see Triggers.
  1. Log into the Web UI on the Discover or Command appliance.
  2. Click the System Settings icon and then click Metric Catalog.
  3. Click the command menu and select Create Metric Manually.
  4. In the Parameters section, complete the following steps to create the code that will be referenced by a trigger:
    1. In the Metric field, type a unique name for your metric. The trigger method that collects data for your custom metric must reference the exact metric name that you specify in the Metric field. Avoid spaces between words by typing underscores. When defining a detail metric name, specify the detail key in the name by appending .by_<key_name_without_spaces> to the metric name, where <key_name_without_spaces> is the key metric name.
    2. In the Source Type field, select a source, or class, from the drop-down list that you want to retrieve data from. For more information about these classes, see General purpose classes in the Trigger API Reference.
    3. In the Metric Type field, select an option from the drop-down list that specifies how data will be stored and viewed in the ExtraHop system. The Metric Type selection appears in triggers as part of the method name, such as metricAddCount or metricAddDataset. For more information, see ExtraHop data types in the Trigger API Reference.
    4. In the Type field, select one of the following options:
    • Select Base Metric. A base, or top-level, metric is stored as one of the metric types, such as count or dataset. The Type selection appears in triggers as part of the method name, for example metricAddDataset.
    • Select Detail Metric. A detail metric consists of key-value pairs, where the key is a string or IP address and the value is a top-level metric type such as a count or dataset metric. The Type selection appears in triggers as part of the method name, for example metricAddDetailDataset.
    Important: Selections made in the Parameters section cannot be changed after you create the custom metric.
  5. In the Display section, complete the following steps to specify metric information that is searchable by ExtraHop users in the ExtraHop Web UI:
    1. In the Name field, type a user-friendly display name for your metric that is displayed in search results and charts in the ExtraHop system. You can include spaces in the display name.
    2. Optional: In the Units field, select an option from the drop-down list if you know the unit of measure to display in a chart for your metric data.
    3. Optional: In the Description field, type information that is displayed with search results for your metric in the ExtraHop system. The custom base metric description is automatically displayed for the detail metric in search results.
    4. Optional: (For detail metrics only) In the Key Label field, type a display name for the set of keys in your metric. For example, you can create the key label, User Agent, for a custom metric that collects requests per HTTP user agent. Key labels do not need to be unique.
  6. Optional: In the Detail Relationships section, complete one of the following steps if you want to associate a custom base metric with a custom detail metric:
    • (For base metrics) In the Detail Metrics field, click the field and search for a custom metric that you want users to view by drilling down from the custom metric. You can leave this blank if you do not want to provide drill-down data for your custom metric.
    • (For detail metrics) In the Base Metric field, select a top-level metric from the drop-down list that you want to associate with your custom detail metric. You can leave this blank if you do not want to associate additional metrics with your custom metric.
  7. When you are satisfied with the parameters, click Create. Your custom metric parameters are added to the ExtraHop system. REST API parameters for your metric appear in the Metric Catalog. You can now search for your metric and add your metric to charts.
    Important: You must build a trigger to discover, collect, and store custom metric data.

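The trigger side of the procedure above, as an added example that is not ExtraHop code: it shows how the Metric field name, the `.by_<key>` detail name and the Type / Metric Type selections line up with the method names a trigger calls. The metric names, the 500 ms threshold, the `FakeDevice` stand-in for the device object and the sample events are constructed; `metricAddDetailCount` is assumed from the naming convention the steps describe, and `flow.server.device`, `http.processingTime` and `http.userAgent` stand in for the Trigger API objects a real HTTP_RESPONSE trigger would read.

```javascript
// Added example (not ExtraHop code): trigger logic for a custom count metric
// and its detail metric keyed by HTTP user agent, runnable outside the
// appliance by using a constructed stand-in for the device object.

// Metric Catalog parameters assumed for this example (hypothetical names):
//   Base metric  : "slow_http_responses"               (Type: Base, Metric Type: count)
//   Detail metric: "slow_http_responses.by_user_agent" (Type: Detail, Key Label: User Agent)
// The trigger must reference these exact names; they cannot be changed later.
const BASE_METRIC = "slow_http_responses";
const DETAIL_METRIC = BASE_METRIC + ".by_user_agent";
const SLOW_MS = 500; // constructed threshold for a "slow" response

// Stand-in for the device object a trigger reaches through Flow.server.device.
// Method names follow the convention in the steps above:
// metricAdd + <Type: "" | "Detail"> + <Metric Type: Count | Dataset>.
class FakeDevice {
  constructor() {
    this.counts = {};   // base metric name -> total
    this.details = {};  // detail metric name -> { key -> total }
  }
  metricAddCount(name, value) {
    this.counts[name] = (this.counts[name] || 0) + value;
  }
  metricAddDetailCount(name, key, value) {
    const bucket = this.details[name] || (this.details[name] = {});
    bucket[key] = (bucket[key] || 0) + value;
  }
}

// Trigger body for an HTTP_RESPONSE event. `flow` and `http` mimic the Flow
// and HTTP objects a real trigger sees (assumed shape: flow.server.device,
// http.processingTime in ms, http.userAgent).
function onHttpResponse(flow, http) {
  // Skip responses with no timing; a null would otherwise compare as 0.
  if (http.processingTime === null || http.processingTime <= SLOW_MS) return;
  const dev = flow.server.device;
  dev.metricAddCount(BASE_METRIC, 1);
  // Detail key is the user agent string; use a fixed key when it is empty so
  // slow responses without a User-Agent header are still counted.
  dev.metricAddDetailCount(DETAIL_METRIC, http.userAgent || "(unknown)", 1);
}

// Replay constructed events against one server device and return it so the
// recorded base and detail totals can be inspected.
function runSample() {
  const server = new FakeDevice();
  const flow = { server: { device: server } };
  const events = [
    { processingTime: 120,  userAgent: "curl/8.0" },     // fast: ignored
    { processingTime: 900,  userAgent: "curl/8.0" },     // slow
    { processingTime: 1500, userAgent: "Mozilla/5.0" },  // slow
    { processingTime: null, userAgent: "curl/8.0" },     // no timing: ignored
    { processingTime: 750,  userAgent: "" },             // slow, empty UA
  ];
  for (const e of events) onHttpResponse(flow, e);
  return server;
}

// Base total 3; detail: curl/8.0 1, Mozilla/5.0 1, (unknown) 1.
console.log(runSample());
```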
Next steps

Delete a custom metric

If you want to stop collecting custom metric data and remove the custom metric from the ExtraHop system, you must disable the trigger and then delete the custom metric entry from the Metric Catalog.

  1. Log into the Web UI on the Discover or Command appliance and click the System Settings icon at the top of the page.
  2. Click Triggers.
  3. Find the trigger associated with the custom metric you want to delete. Select the checkbox next to the trigger name and then click Disable. The trigger will stop collecting data for your custom metrics.
  4. Close the Trigger window and click the System Settings icon again.
  5. Click Metric Catalog.
  6. To delete a single custom metric, complete the following steps:
    1. Search for the metric and select it from the list.
    2. Click the command menu next to the Type to filter field and select Delete Selected Metric.
  7. To delete multiple custom metrics, complete the following steps:
    1. Search for a common term shared by the custom metrics you want to delete.
    2. Click the command menu next to the Type to filter field.
    3. Select the Custom Metrics Only checkbox. Built-in metrics are excluded from the search results.
    4. Select Delete All Matching Metrics. You can delete up to 1,000 metrics that match the search term even if they are not on the current page.
    5. Click Delete x Metrics to confirm their deletion.

Activity maps

An activity map is a dynamic visual representation of the L4-L7 protocol activity between devices in your network. You can see a 2D or 3D layout of device connections in real-time to learn about the traffic flow and relationships between devices.

Activity maps can help you with the following use cases:

Complete a data center or cloud migration
As part of your migration strategy, you must determine which services can be turned off and when. An activity map helps you identify which devices are still connected so you can prevent unexpected service disruptions during the migration process. For more information, see the Plan and monitor your migration with activity maps walkthrough.
Identify the root cause behind a slow application
Applications often depend on multiple tiers of services within a network. An activity map can help you identify the delivery chain of traffic to your slow application server. Click a device to investigate related metrics, which can shed more light onto the root cause of the slow-down.
Track suspicious devices or unexpected connections
During a security event, an activity map can help you identify affected devices by tracking the real-time east-west traffic associated with a suspicious device. As part of a daily security monitoring strategy, you can create an activity map to confirm that devices are not making unexpected connections with other devices.

Here are some important considerations about activity maps:

  • You can create activity maps for devices in Advanced, Standard, and L2 Analysis. You cannot create an activity map for devices in Discovery Mode. For more information, see Analysis levels.
  • If you create an activity map for a device, activity group, or device group that has no protocol activity during the selected time interval, the map appears without any data. Change the time interval or your origin selection and try again.
  • You can create an activity map in a Command appliance to view device connections across all of your Discover appliances. However, connected Discover appliances must be upgraded to firmware version 7.0 or later.

After creating an activity map, you can start investigating data. The following sections provide details about how to interact with an activity map and find information about the data you are viewing.

Layout

Devices are represented by circles and connections are represented by lines.

The placement of devices is optimized to display information. The layout can change as data about device activity is updated in real-time. For example, the layout is updated as new connections are observed or devices become inactive.

Note: When the time interval in the upper left corner of the page is set to Last 30 minutes, Last 6 hours, or Last day, activity map data will continually update every minute with real-time data. Set a custom time interval with a specific start and end time to stop real-time layout updates.
2D or 3D layout
By default, activity maps are displayed in a 2D layout. If you prefer, you can display your map in 3D, for example, to showcase the maps on a large screen in a network operations center. In the lower right corner of the activity map, click 3D. Maps that are displayed in a 3D layout automatically rotate.

Hover, pan, rotate, and zoom
Click-and-drag your mouse to pan across a 2D map or rotate a 3D map. Zoom controls are located in the bottom right corner of the page. You can also zoom with your mouse wheel.
Hold focus
To highlight a device of interest, click the device and select Hold Focus. You can then pan, zoom, and rotate the map while focusing on the selected device and its immediate peers.

Labels and icons

Circle labels contain details such as the device hostname, IP address, or MAC address.

Detections associated with a device on the map are displayed as animated pulses around the circle label. To investigate the detections, click the circle and then select the detection name in the Go to Detections... section.

Line labels contain protocol names associated with the device connection and the direction of traffic flowing between the devices, which is displayed as animated pulses.

Specific device roles are represented by icons. The device roles that have an icon are listed below:

  • Gateway
  • Device
  • Load balancer
  • HTTP server
  • Database server
  • File server
  • Custom device
  • Firewall

To optimize the display of information, not every label is displayed. Hover over any circle or line to display its label, as shown in the following figure.



Note: Device roles are automatically assigned to a device based on the type of traffic the ExtraHop system observes for that device. For more information, see Change or add a device role.

Circle and line size

The size of objects in the map corresponds with a metric value, which helps to highlight areas of increased activity, such as the number of bytes, or traffic volume, associated with a device connection.

At the bottom of the left pane, you can select a different metric for map elements:

Bytes: See all of the devices transmitting or receiving data during the time interval.

Connections: See only the devices that have established a new connection at least once during the time interval.

TCP Turns: See only the devices that switched between transmitting and receiving data at least once during the time interval.

Color

Blue and gray are default colors for circles and lines. These default colors are optimized to display information in a map. However, you can apply different colors to your map to highlight the severity level of an alert or show when a device connection was established.

Alert status

To see the severity level of an alert for a device in your map, select Display alert status in the lower left corner of the page, as shown in the following figure. The circle color then corresponds to the most severe status for all alerts assigned to a device during the time interval. If there is no alert assigned to a device or the alert level is informational, the default circle color is green.

To investigate the alert, click the circle and then select the device name in the Go to Device… section. On the device’s protocol page, scroll down to view the Alert History, as shown in the following figure.



Time interval comparison
When you compare two time intervals to find metric deltas, different colors in the map help you determine when device connections were established or when the protocol activity for a device changed. For example, after creating a comparison between Yesterday and the Last 30 minutes, new device connections or activity that appear only in the more recent time interval are green. Previous device connections or activity that appear only in the earlier time interval are red. Device connections that did not change between time intervals are blue. In the following figure, new connections that were established in the last thirty minutes are represented by green circles and lines.

Note: If all the devices are a single color, such as green, this means that the query did not produce results in the earlier time interval. For example, the origin device did not have any protocol activity in the earlier time interval.

Add steps and filters to a map

A step is a level of connections between devices. Devices in each step have a relationship to devices in the previous step. These relationships are defined by their protocol activity.

Add a new step to an activity map to add another layer of information to your map. Click the drop-down list for a particular step, and then select a protocol activity.



You can also filter devices in a step by their group membership. For example, if you select HTTP Servers but only want to see your test servers in the map, you can filter HTTP Servers by a device group, such as My Test Servers.

For more information on how to add steps and filters to a map, see Create an activity map.

Manage activity maps

The following options for managing your activity map are available from the command menu in the upper right corner:

Best practices for investigating activity map data

If you find a device on your map that is worth investigating, you have several options to gather more information about that device.

Find recently-connected devices

Click the time interval in the top left corner of the page and click Compare. You can see how device connections changed between two different time intervals.

For more information, see Time interval comparison.

Navigate to protocol pages to find related metric activity

Click a circle or line to access a drop-down menu as shown in the following figure.



Select the device name from the menu to navigate to the Overview protocol page for that device. The protocol page contains a summary of important protocol metrics that were observed and associated with the device. From a protocol page, you can find related metrics such as errors, requests, responses, and server processing time. You can also drill down on a metric from a protocol page to view metric details, such as server IP address, client IP address, status codes, methods, and URIs.

Navigate to detections identified on the device
Devices on an activity map that have associated detections are displayed as animated pulses around the circle label. Click a circle with this detection marker to access a drop-down menu, as shown in the following figure.
Note: For ExtraHop Reveal(x) only, the risk score of each detection is displayed to help you prioritize which detections to investigate.

Select a detection name from the menu to navigate to the detail page for that detection. The detail page contains information about the type of detection that occurred and what it means, as well as when the detection occurred and the duration of the issue. For more information, see View details for individual detections.

Search for transaction records associated with a connection (Explore appliance only)
Click a circle or line to access the drop-down menu. Click Records. A records query page opens and displays all the records from each connected device, including all record types associated with the device connection protocols.

Create an activity map

An activity map is an interactive 2D or 3D display of real-time device connections based on protocol activity between devices. Activity maps help you visualize traffic flows and kick off troubleshooting based on an interesting data point in a map.

You can create an activity map for an active single device, a device group, or an activity group. After generating a basic map, you can then filter devices and connections in your map.

Note: You can create activity maps for devices in Advanced, Standard, and L2 Analysis. You cannot create an activity map for devices in Discovery Mode. For more information, see Analysis levels.

Create a basic activity map

A basic activity map shows you a single step, or level, of device connections between origin devices and peer devices on your network.

  1. Log into the Web UI on a Discover or Command appliance, and then click Metrics at the top of the page.
  2. Complete one of the following steps based on the origin type of the activity map:
    • Create a map for a device: Click Devices in the left pane and then click an individual device name.
      Note: You can only create activity maps for devices in Standard Analysis and Advanced Analysis.
    • Create a map for a device group: Click Activity Groups in the left pane and then click an activity group name.
    • Create a map for an activity group: Click Device Groups in the left pane and then click a device group name.
  3. In the View section in the upper right corner of the page, click Activity Map.


    An activity map opens and displays the device or group and all of their connections to peer devices.

    Note: If you selected a device, activity group, or device group that has no protocol activity during the specified time interval, the activity map appears without any data. Change the time interval or your origin selection and try again.
  4. Filter connections by protocol activity by completing the following steps:
    1. Click the drop-down list in the Step 1 section of the left pane, as shown in the following figure.


    2. At the top of the drop-down list, search for and select a protocol activity and role. You can make more than one selection.
    3. Click anywhere outside of the drop-down list.
  5. Optional: Change the primary origin device by completing the following steps:
    1. In the Start from section in the left pane, click the device or group name. A drop-down list appears.


      Note: The analysis level for individual devices is displayed in the drop-down list.
    2. Search for and select another device or group to dynamically update the map origin for the map you are viewing.
  6. Optional: Create an ad hoc group of sources to quickly investigate traffic originating from multiple devices in the same map. Click Add Source.


Add connections and filter devices in your map

To better understand the path of traffic from origin devices to downstream devices, you can add more steps to your map. You can also create filters to include or exclude devices from the map. The following figure shows you how to add steps and create filters.

Add another level of device connections

A step defines a level of connection between devices in a map. Devices in each step have a relationship to the devices in the previous step. These relationships are defined by their protocol activity. You can add up to 5 steps to see how traffic flows from one device to another.

  1. Click Add Step, as shown in the following figure. All Peers is selected by default.


  2. At the top of the drop-down list, search for and select a protocol activity and role. You can make more than one selection.


  3. Click anywhere outside of the drop-down list.
Include or exclude devices

You can filter devices within a step by their device group or activity group membership.

  1. Click Add Group Filter.


  2. Click a drop-down list to search for and select a device group or activity group.
  3. Click anywhere outside of the filter menu to apply your filters.
  4. To remove or change a filter, complete the following steps:
    1. Click the device group name.


    2. Change the filter by clicking the drop-down list and then selecting another device group.
    3. Remove the filter by clicking the x icon, as shown in the following figure.


    4. Click anywhere outside of the filter menu to apply your filter updates.

Save and share an activity map

You can save an activity map and share it with others. By default, all activity maps that you create are private, which means that no ExtraHop users can view or edit your map. However, you can share your map when you save it by granting view or edit access to other ExtraHop users and groups.

Here are some important considerations about sharing activity maps:

  • How a user interacts with an activity map and the information they can view in the ExtraHop system is determined by user privileges, which are assigned by the ExtraHop administrator. For more information, see the User privileges section in the ExtraHop Admin UI Guide.
  • When you grant a user edit access, that user can modify and share the activity map with others. However, other users cannot delete the activity map. Only the map owner can delete an activity map.
  • Group information is imported into the ExtraHop system from LDAP (such as OpenLDAP or Active Directory). User information is available after an ExtraHop user logs in to their account.
  • If you are deleting a user, you will have the option to transfer their activity maps to another user.

The following steps show you how to save and share an activity map:

  1. Log into the Web UI on the Discover or Command appliance.
  2. Create an activity map.
  3. Click the Save icon in the upper right corner of the page, as shown in the following figure.


  4. Type a name for your map. The name must be unique.
  5. Optional: Type a description.
  6. Optional: Change the permalink shortcode to a user-friendly name.
    Note: The shortcode cannot contain spaces and must be unique.
  7. Share your activity map by completing the following steps:
    1. Type a username or group.
    2. Make one of the following selections:
      • ExtraHop users can view: Select Can view and then click Add.
      • ExtraHop users can both view and edit: Click Can view and then click Can edit. Click Add.
  8. Click Save.
    Tip: You can also modify the properties for a saved map by clicking the command menu and then clicking Map Properties. To quickly modify share permissions, click the command menu and then click Share.

Next steps

Remove or change access to an activity map

You can remove or modify access to an activity map that you granted to users and groups. You must first create an activity map to access options to modify saved activity maps.

  1. Create an activity map, and then click the Open icon in the upper right corner, as shown in the following figure.


  2. Click the activity map name.
  3. In the Sharing section, complete one of the following steps:
    • To remove access for users or groups, click the red delete x icon next to the user or group name.
    • To change access for an existing user or group, click Can view or Can edit, and make a different selection.
    • To add a new user or group, search for and click the user name. Click Can view or Can edit, and then click Add.
  4. Click Save.

Load and manage a saved activity map

You can view, update, or delete saved activity maps. You must first create a new map to access the list of saved and shared maps.

  1. Log into the Web UI on the Discover or Command appliance.
  2. Create an activity map and then click the Open icon in the upper right corner, as shown in the following figure.


  3. Choose one of the following activity map options:
    • To load a map, click the map name. If you want to modify and then re-save the map, make your changes and then click the Save icon.
      Tip:You can also modify the properties for a saved map by clicking the command menu and then clicking Map Properties.
    • To delete a map, click Delete next to the map name.
    Note: Users must have privileges to view or interact with activity maps. See User privileges in the ExtraHop Admin UI Guide.

Time intervals

The Time Selector is displayed in the top-left corner of the navigation bar and controls the global time interval for metrics displayed in the ExtraHop Web UI. Navigating from one area to another will not change the time interval for the metrics you are viewing. Whether you are viewing metrics in a dashboard or drilling down to view detailed metrics, the time interval stays the same.

Here are some considerations about time intervals:

  • Time intervals are preserved for each login session. Logging out of the Discover appliance will reset the global time interval to the last 30 minutes. You can access the five most recent unique time intervals from the History tab of the Time Selector.
  • The time interval is included at the end of the URL in your browser. To share a link with others that maintains a specific time interval, copy the entire URL. To maintain a specific time interval after logging out of the Discover appliance, bookmark the URL.
  • The time interval associated with the collection and presentation of network data is determined by your local NTP server by default. You can change the system time in the ExtraHop system from the Admin UI. For more information, see Configure the system time in the Admin UI Guide.

Change the time interval

This procedure shows you how to set the global time interval. You can also apply a time interval by dashboard or by region.
  1. Click the time interval in the upper left corner of the page (for example Last 30 minutes).
  2. Select from the following interval options:
    • A preset time interval (such as Last 30 minutes, Last 6 hours, Last day, or Last week).
    • A custom unit of time.
    • A custom time range. Click a day to specify the start date for the range. One click will specify a single day. Clicking another day will specify the end date for the range.
    • Compare metric deltas from two different time intervals.
  3. Click Save.
Tip: You can also set the time interval from the History tab by selecting from up to five recent time intervals set in a previous login session.

View the latest data for a time interval

On a dashboard page, metric data is reloaded automatically. For time intervals such as the last 30 minutes, day, or week, dashboards continuously update to display the latest data for that time interval.

On a protocol page, detail metrics page, or records query page, metric data are reloaded on request. On these pages, the time interval includes a blue refresh icon and gray text that indicates when the metric or record query was last loaded. To reload the metrics or query for the specified time interval, click the refresh icon.



Change chart data granularity

The ExtraHop system stores metrics in 30-second buckets of time. Metric data are then aggregated or rolled up into additional five-minute and one-hour buckets. Aggregating data helps to limit the number of data points rendered on a time-series chart so the granularity of data is easier to interpret. The time interval you select determines the best aggregation, or roll up, of data to display in a chart for the period of time you are viewing.

For example, if you select a large time interval, such as one week, metric data is aggregated into one-hour roll ups. On the x-axis of a line chart, you see a data point for every hour instead of a data point for every 30 seconds. If you want to increase the level of granularity, you can zoom in on a chart or change the time interval.

The ExtraHop system includes built-in high-precision metrics with 1-second roll ups, which are the Network Bytes and Network Packets metrics. These metrics are associated with a device or network capture source. For more information on how to view these metrics in a chart, see Display the maximum rate in a chart.

The ExtraHop system also includes built-in metrics for identifying the single busiest millisecond of traffic within a 1-second roll up. These metrics, which are Maximum Network Bytes per Millisecond and Maximum Packets per Millisecond, are associated with a network capture source and help you detect microbursts. Microbursts are rapid bursts of traffic that occur within milliseconds.

The following list shows how data is aggregated based on the time interval, and which roll up displays when the preferred one is not available.

  • Less than six minutes: 1-second roll up. A 1-second roll up is only available for custom metrics and for the built-in metrics listed below.
  • 120 minutes or less: 30-second roll up. If a 30-second roll up is not available, a 5-minute or 60-minute roll up displays.
  • Between 121 minutes and 24 hours: 5-minute roll up. If a 5-minute roll up is not available, a 60-minute roll up displays.
  • Greater than 24 hours: 60-minute roll up.

Built-in metrics that have a 1-second roll up:

  • Network source:
    • Network Bytes (total throughput)
    • Network Packets (total packets)
    • Maximum Network Bytes per Millisecond
    • Maximum Network Packets per Millisecond
  • Device source:
    • Network Bytes (combined inbound and outbound throughput by device)
    • Network Bytes In (inbound throughput by device)
    • Network Bytes Out (outbound throughput by device)
    • Network Packets (combined inbound and outbound packets by device)
    • Network Packets In (inbound packets by device)
    • Network Packets Out (outbound packets by device)

Note: If you have an extended datastore that is configured for 24-hour metrics, a specified time interval of 30 days or longer displays a 24-hour aggregation roll up.
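The roll-up rules above, as an added example that is not ExtraHop's code: a small Python module that picks the roll up the rules prefer for an interval, falls back to the next coarser roll up when a metric does not store the preferred one (a 30-second roll up for a metric without a 1-second roll up, a 5-minute roll up when there is no 30-second one), and counts the data points a line chart would draw. The set of roll-up widths, the sets of roll ups assumed to be stored per metric, and the `extended_24h` flag that models the extended-datastore note are assumptions of the example.

```python
"""Added example (not ExtraHop's code): choose the chart roll up for a time
interval from the aggregation rules described in the guide, fall back to the
next coarser roll up when the preferred one is not stored for a metric, and
count the data points a chart would draw at that granularity."""
import math
from typing import Iterable

# Roll-up bucket widths in seconds, from finest to coarsest (assumed set)
ROLLUPS = (1, 30, 300, 3600, 86400)


def preferred_rollup(interval_seconds: int, extended_24h: bool = False) -> int:
    """Roll up the guide's rules pick for an interval, ignoring availability.

    extended_24h models the note about an extended datastore configured for
    24-hour metrics, where intervals of 30 days or longer use a 24-hour roll up.
    """
    minutes = interval_seconds / 60
    if extended_24h and minutes >= 30 * 24 * 60:
        return 86400
    if minutes < 6:
        return 1
    if minutes <= 120:
        return 30
    if minutes <= 24 * 60:
        return 300
    return 3600


def choose_rollup(interval_seconds: int, available: Iterable[int],
                  extended_24h: bool = False) -> int:
    """Return the preferred roll up if the metric stores it, otherwise the next
    coarser roll up that is available."""
    stored = set(available)
    want = preferred_rollup(interval_seconds, extended_24h)
    for width in ROLLUPS:
        if width >= want and width in stored:
            return width
    raise ValueError(f"no roll up of {want}s or coarser is stored for this metric")


def chart_points(interval_seconds: int, rollup_seconds: int) -> int:
    """Number of x-axis points a line chart draws for the interval."""
    return math.ceil(interval_seconds / rollup_seconds)


if __name__ == "__main__":
    week = 7 * 86400
    # Assumed: most metrics store 30-second, 5-minute and 60-minute roll ups,
    # while a high-precision metric such as Network Bytes also stores 1-second.
    common = {30, 300, 3600}
    high_precision = {1, 30, 300, 3600}
    print("5-minute interval:", choose_rollup(5 * 60, common), "s vs",
          choose_rollup(5 * 60, high_precision), "s")
    print("points for one week at 60-minute vs 30-second roll up:",
          chart_points(week, choose_rollup(week, common)), chart_points(week, 30))
```

Running the module shows why the rules exist: a week at the 60-minute roll up draws 168 points, while the same week at the 30-second roll up would draw 20160.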

Zoom in on a custom time range

You can click-and-drag across a chart to zoom in on interesting metric activity. This custom time range is then applied across the ExtraHop Web UI, which is useful for investigating other metric activity that occurred at the same time.

Zooming in on a time range is only available in charts with an x- and y-axis, such as line, area, candlestick, and histogram charts.

  1. Click-and-drag your mouse across the chart to select a time range. If the time range is less than one minute, the time range appears red. Drag the mouse until the time range appears green.
  2. Release the mouse button. The chart is redrawn to the custom time range and the time interval in the upper right corner of the navigation bar is updated.
  3. To revert from the custom time interval to your original time interval, click the undo icon—a magnifying glass with a minus sign—which is displayed next to the time interval in the upper right corner of the navigation bar.
    Tip: On a dashboard page, you can limit the zoom-in custom time range to a specific region. Click the region header, select Use Region Time Selector, and then zoom in on a chart. Each chart or widget within that region is updated to the custom time range.

Freeze the time interval to create a custom time range

If you see interesting data in an activity map, dashboard, or protocol page, you can freeze the time interval to instantly create a custom time range. Freezing the time interval is useful for creating links that you can share with others, and for investigating related metric activity that occurred at the same time.

  1. Log into the Web UI of the Discover or Command appliance.
  2. Click the time interval in the upper left corner of the page (for example, the Last 30 minutes).
  3. Click Freeze.
    The Custom time range automatically updates as shown in the figure below. The range begins with the earliest time from the previous time interval and ends with the time that you clicked Freeze.

  4. Click Save.
    The new custom time range will not change as you navigate across the Web UI. You can share or bookmark the URL in your browser.
    Note: The time interval is included at the end of the URL in your browser. To share a link with others that maintains a specific time interval, copy the entire URL. Creating a bookmark for the URL maintains the custom time range even after you log out of the Discover appliance.
  5. To remove the custom time range, change the time interval.

Alerts

Alerts make it easy to inform your teams when critical network, device, or application events occur, such as service-level agreement (SLA) violations. You can configure alert settings to track specified criteria and generate alerts when the configured conditions are met.

When an alert is generated, you can also direct the ExtraHop system to send an email message or an SNMP trap to designated people in your organization. You can also configure time ranges in which alerts are suppressed, such as weekends, to reduce unnecessary alerts.

Alerts are displayed on the Alert History page, which enables you to quickly assess the severity of the alert and view the source of the alert.

Alert types

You can configure threshold and trend alert settings in the ExtraHop Web UI. The ExtraHop system also generates alerts from detections, which are available with an optional license.

Detection alerts
Detection alerts are generated when a detection for a specified source and protocol is identified. Detections are unexpected deviations from normal patterns in device or application behavior or notable activity in your environment. Detections are automatically identified by ExtraHop systems that are licensed for the Machine Learning Service. See Detections for more information.

Detection alerts are useful for filtering detections by protocol or source so that you can receive alerts that only apply to a subset of detections you want to view.

Threshold alerts
Threshold-based alerts are generated when a monitored metric crosses a defined value in a time period. You can specify a top-level or a detail metric as the threshold.

Threshold alerts are useful for monitoring occurrences such as error rates that surpass a comfortable percentage or SLA violations.

Trend alerts
Trend-based alerts are generated when a monitored metric deviates from the normal trends observed by the system. Trend alerts are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup.

Trend alert settings are more complex than threshold alerts, and are useful for metrics where thresholds are difficult to define.

Alert conditions

An alert is generated when the alert conditions that you configure are met. The areas of consideration are different depending on the alert type. For detection alerts, the monitored protocols and the firing mode are considered. For threshold or trend alerts, the monitored metric, the firing mode, and the alert expression are considered.

Monitored protocols
Specifies which protocols are watched by the alert configuration. The ExtraHop system generates an alert only if a detection is identified from traffic that is over a specified protocol.
Monitored metric
Specifies the metric tracked by the alert configuration. The ExtraHop system watches for instances when the value of the metric crosses a defined threshold or diverges from the trend. Threshold alert settings can track a top-level or detail metric, but trend alert settings can only track a top-level metric.
Firing mode
Specifies how often an alert is generated. Specify the edge-triggered alert option to issue a single alert when conditions are met even if the condition is ongoing. Specify a level-triggered alert option to issue alerts at specified intervals for as long as the conditions are true.
Alert expression
Specifies when to issue an alert. A series of options, such as the time interval, the metric value, and the rate, are combined to determine the alert expression. For example, you can set options to issue a threshold alert when the value of the monitored metric falls below 100 per second in a 1-minute interval. Options available for an alert expression vary by alert type and other configuration settings.

The values for each area are combined to determine the alert conditions. As the system monitors the specified metric, if the alert conditions are met, the system issues an alert based on the specified firing mode and the alert type.

For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 100 times during a ten minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 100 per interval

Or, you can specify a per second, minute, or hour rate. For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 30 times per minute during a 10 minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 30 per minute

The alert conditions for a trend alert are slightly different than for a threshold alert. The following settings result in a trend alert when a spike (75th percentile) in HTTP web server processing time lasts longer than 10 minutes and the processing time is 100% higher than the trend:

Monitored metric: extrahop.device.http_server:tprocess

Firing mode: Edge-triggered

Alert expression: 75th percentile over 10 minutes > 200 percent of trend
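The three alert configurations above (the two threshold alerts on `extrahop.device.http_server:status_code?500` and the trend alert on `extrahop.device.http_server:tprocess`), worked through in code as an added example that is not ExtraHop's own implementation. The evaluator slides the alert's time window over constructed per-bucket samples, converts a window total into a per-second, per-minute or per-hour rate when the expression asks for one, compares a percentile of the window against a percentage of the trend, and applies the edge-triggered and level-triggered firing modes described under Firing mode. The sample data, the trend baseline of 50 ms, the once-per-bucket evaluation cadence, and the simplified edge re-arm rule (re-arm as soon as the condition clears) are assumptions of the example.

```python
"""Added example (not ExtraHop's code): evaluate the guide's threshold and trend
alert conditions over constructed 30-second metric buckets, under both the
edge-triggered and the level-triggered firing modes."""
from dataclasses import dataclass
from statistics import quantiles
from typing import List, Literal

BUCKET_SECONDS = 30  # the guide states that metrics are stored in 30-second buckets
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}


@dataclass
class ThresholdAlert:
    """Alert expression 'Value over N minutes > X per <interval|second|minute|hour>'."""
    metric: str
    over_minutes: int
    threshold: float
    per: Literal["interval", "second", "minute", "hour"] = "interval"
    firing_mode: Literal["edge", "level"] = "edge"

    def condition(self, window: List[float]) -> bool:
        total = sum(window)
        if self.per != "interval":
            # express the window total as a rate per the requested unit
            total = total * UNIT_SECONDS[self.per] / (self.over_minutes * 60)
        return total > self.threshold


@dataclass
class TrendAlert:
    """Alert expression '<p>th percentile over N minutes > X percent of trend'."""
    metric: str
    over_minutes: int
    percentile: int
    percent_of_trend: float
    trend: float  # the baseline the system learned; a constructed constant here
    firing_mode: Literal["edge", "level"] = "edge"

    def condition(self, window: List[float]) -> bool:
        # quantiles(n=100) returns the 1st..99th percentiles, so index p-1 is the p-th
        value = quantiles(window, n=100, method="inclusive")[self.percentile - 1]
        return value > self.trend * self.percent_of_trend / 100


def evaluate(alert, samples: List[float]) -> List[int]:
    """Slide the alert's window across per-bucket samples and return the bucket
    indexes at which an alert is issued.

    Edge-triggered issues one alert when the condition becomes true and re-arms
    once it clears (a simplification of the re-arm rule in the guide).
    Level-triggered issues an alert at every evaluation while the condition
    holds; evaluating once per bucket is an assumption of this example.
    """
    n = alert.over_minutes * 60 // BUCKET_SECONDS
    fired, armed = [], True
    for end in range(n, len(samples) + 1):
        hit = alert.condition(samples[end - n:end])
        if alert.firing_mode == "level":
            if hit:
                fired.append(end - 1)
        elif hit and armed:
            fired.append(end - 1)
            armed = False
        elif not hit:
            armed = True
    return fired


# Constructed sample data (not captured from a real system).
# HTTP 500 counts per 30-second bucket: a baseline of 2 with two 5-minute bursts
# of 15 per bucket, 35 minutes in total.
HTTP_500_COUNTS = [2] * 20 + [15] * 10 + [2] * 20 + [15] * 10 + [2] * 10
# HTTP server processing time per bucket in milliseconds, with a 10-minute spike.
TPROCESS_MS = [50] * 20 + [120] * 20 + [50] * 20

STATUS_500 = "extrahop.device.http_server:status_code?500"


def demo() -> dict:
    """Run the guide's example alert configurations against the constructed data."""
    per_interval = ThresholdAlert(STATUS_500, 10, 100)             # > 100 per interval
    per_minute = ThresholdAlert(STATUS_500, 10, 30, per="minute")  # > 30 per minute
    level = ThresholdAlert(STATUS_500, 10, 100, firing_mode="level")
    trend = TrendAlert("extrahop.device.http_server:tprocess", 10, 75, 200, trend=50)
    return {
        "edge_per_interval": evaluate(per_interval, HTTP_500_COUNTS),
        "edge_per_minute": evaluate(per_minute, HTTP_500_COUNTS),
        "level_alert_count": len(evaluate(level, HTTP_500_COUNTS)),
        "trend": evaluate(trend, TPROCESS_MS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With this data the edge-triggered per-interval alert fires once per burst (at buckets 24 and 54), the level-triggered variant of the same expression issues 37 alerts because it re-issues at every bucket while the 10-minute window total stays above 100, and the per-minute variant never fires because the highest window total (170 over 10 minutes) is only 17 per minute. The trend alert fires once the 75th percentile of the window exceeds 200% of the 50 ms baseline.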

Alert History

After you have configured settings for an alert or two, you can check out the Alert History page for any generated alerts. You can view all generated alerts on the Alert History page or you can view alerts generated from a specific source on an Alert History widget.

Alert History page

The Alert History page contains an entry for the most recent occurrence of each alert generated during the selected time interval.

The Alert History page displays the following information for each entry:

Severity
A color-coded indicator of the user-defined severity level of the alert. The severity levels are Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.
Alert name
The name of the alert specified in the alert configuration settings.

For detection alerts, the name also includes the detection title. Click the alert name to view detection details from the Detections page.

For threshold alerts, click the alert name to open the Alert Details window and view additional information. For alerts that track top-level metrics, the Alert Details window is similar to the following image:

For alerts that track detail metrics, the Alert Details window is similar to the following image:

Tip: To view trend alert details, click Alert History Legacy Layout in the left-hand pane, and then click on the trend alert name.
Source
The name of the data source on which the alert conditions occurred. Click the source name to navigate to the source and display the protocol page that correlates to the protocol of the alert metric.

For example, if an alert configuration tracks when the HTTP processing time exceeds a specific threshold, click the source link to go to the HTTP protocol page of the source device or application.

If an alert is associated with multiple protocols, the link goes to the Overview page for the source instead of the protocol page.

Time
The time of the most recent occurrence of the alert conditions.
Alert type
Indicates a trend, threshold, or detection alert.

Alert History widget

The Overview page for each application, device, and network displays an Alert History widget if any alerts were generated from that source during the selected time interval.

For example, if you have assigned an alert configuration to a device group, you can go to the Overview page for an individual device and see if any alerts are generated from the device during the selected time interval.

The Alert History widget provides the same alert information and links that are on the Alert History page, such as alert name, severity, type, and time.

Configure detection alert settings

You can configure detection alert settings that monitor when a detection has occurred on specific protocols. When the conditions configured in the alert settings are met, the ExtraHop system generates a detection alert, which you can view in the Alert History.

Note: This topic applies to all ExtraHop systems, including ExtraHop Reveal(x).

Detection alerts are useful for monitoring unusual behavior that you want to be notified of right away. For example, if you are worried about spikes in SSH sessions on specific servers, you can configure alert settings to watch for detections that occur over SSH and assign the alert configuration to SSH servers.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click New to open the Alert Configuration window.
  4. Enter a unique name for the alert configuration in the Name field.
  5. From the Alert Type section, click Detection.
  6. Click the Source Type list and select the data source for the alert configuration.
    The alert configuration can be assigned only to the type of source selected.
  7. Select one of the following detection categories:
    Any category
    Watches for detections on assigned sources that occur in any detection category.
    Specific categories
    Watches for detections on assigned sources that occur only in the specified detection categories. Click Select Categories to specify one or more categories. If you select Security, all security detection categories apply. If you select IT Operations, all performance detection categories apply.

    The available detection categories vary by ExtraHop system. Security detections are only available on ExtraHop Reveal(x). Learn more in Detections.
  8. Select one of the following protocol options:
    Any protocol
    Watches for detections on assigned sources that occur over any protocol.
    Specific protocols
    Watches for detections on assigned sources that occur only over the specified protocols. Click Select Protocols to specify one or more protocols, such as HTTP Client and HTTP Server.

  9. Select one of the following firing modes:
    Edge-Triggered
    Generates an alert only once when the alert conditions become true. The alert is generated again only if the conditions are true after the source has returned to normal conditions twice.
    Level-Triggered
    Generates alerts continuously while the alert conditions are true for the specified time period.
  10. Click OK.

Configure threshold alert settings

You can configure threshold alert settings that monitor when a specific metric crosses a defined boundary. When the conditions configured in the alert settings are met, the ExtraHop system generates a threshold alert, which you can view in the Alert History.

Threshold alerts are useful for monitoring occurrences such as SLA-violations or error rates that surpass a comfortable percentage. For example, you can configure threshold alert settings that generate alerts when an HTTP 500 status code is observed more than 100 times during a ten minute period.

Before configuring alert settings, determine which metric you want to monitor and the conditions the metric must meet for the ExtraHop system to generate a threshold alert.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click New to open the Alert Configuration window.
  4. Enter a unique name for the alert configuration in the Name field.
  5. Click Threshold.
  6. From the Detail section, specify the type of metric you want to monitor.
    Top-level
    Specifies the top-level metric, such as an HTTP response or DNS request.
    Detail
    Specifies the detail metric, such as the URI of an HTTP response.
  7. Select the metric you want to monitor.
    1. Click the Select metric icon .
    2. Click the source of the metric, such as an application.
    3. Click the protocol of the metric, such as HTTP, NetFlow, or custom.
      Depending on the source and metric type, some protocols contain secondary groups for client and server metrics.
    4. Locate and click the metric you want to monitor.
      Additional fields appear depending on the metric you select:
      • The Key pattern field enables you to further refine the metric, such as to specify the definition of a custom metric. The key pattern is interpreted as a regular expression and must adhere to Perl-Compatible Regular Expression (PCRE) syntax.
      • The Data point field displayed for top-level metrics enables you to specify a percentile value for the metric.
      • The Data point field displayed for detail metrics enables you to specify a mean value plus a standard number of deviations for a metric.
  8. Optional: To monitor the value of the selected metric divided by a secondary metric, click the Ratio checkbox and select a secondary metric from the field provided.
    For example, divide the number of DNS response errors by the total number of DNS responses to monitor whether the percentage of errors exceeds a specified threshold.
  9. Select one of the following firing modes:
    Edge-Triggered
    An edge-triggered alert is generated only once when the alert conditions are true. The alert is generated again only if conditions are true after the metric value has returned to normal conditions twice.
    Level-Triggered
    A level-triggered alert is generated continuously while the alert conditions are true for the specified time period.
  10. In the Alert When section, specify the following options that define the alert expression:
    Interval
    Specifies the length of the time interval over which the metric is evaluated.
    Operator
    Specifies how to compare the observed metric value to the threshold value.
    Note: The ExtraHop system does not record values of zero for metrics. Instead, the ExtraHop system observes a lack of values. If you specify a value of zero in your alert configuration, the alert never generates. To create an alert configuration with a zero value, select the < (less than) operator and type a value of 1.
    Value
    Specifies the threshold number of metric occurrences to watch for.
    Rate
    Specifies the unit of time over which metric occurrences are counted, such as per second or per minute.

    For example, to generate an alert when the observed metric occurs more than 10 times per minute, measured over a 30 minute interval, set the following values in the Alert When options:

    Time interval: 30 minutes

    Operator: >

    Value: 10

    Rate: minute

    The Alert When options work with the Firing Mode options to determine how many times an alert should be generated.

  11. Click OK.
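The Alert When options and the firing mode combine into a small evaluation loop, and it is worth seeing that loop written out before trusting an alert with a security role. The following Python model is an added example, not ExtraHop code. It assumes 30-second metric buckets, represents a bucket with no observations as None (the system records no zeros), and assumes that an edge-triggered alert re-arms after two consecutive normal evaluations; the ThresholdAlert class, run() helper and the HTTP 500 sample stream are all constructed for illustration. It reproduces the HTTP 500 example from this section and shows why a configured value of 0 can never fire while the documented "< 1" workaround does.

```python
import operator
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Added example, not ExtraHop code. Assumptions (the guide does not specify them):
# metrics arrive as 30-second buckets, a bucket with no observations is None
# (the system records no zeros), and an edge-triggered alert re-arms after two
# consecutive normal evaluations.
BUCKET_SECONDS = 30
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq}
RATE_SECONDS = {"none": None, "second": 1, "minute": 60, "hour": 3600}


@dataclass
class ThresholdAlert:
    name: str
    interval_seconds: int       # Alert When > Interval
    op: str                     # Alert When > Operator
    value: float                # Alert When > Value
    rate: str = "none"          # Alert When > Rate
    firing_mode: str = "edge"   # "edge" or "level"
    _armed: bool = field(default=True, init=False, repr=False)
    _normal_streak: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.value == 0:
            # The guide's note: a configured value of zero never fires. Reject it
            # instead of silently creating an alert that can never generate.
            raise ValueError("value 0 never matches; use '<' with a value of 1")
        if self.interval_seconds % BUCKET_SECONDS:
            raise ValueError("interval must be a multiple of the 30-second bucket")
        self._compare = OPERATORS[self.op]

    @property
    def window(self) -> int:
        """Number of 30-second buckets in one alert interval."""
        return self.interval_seconds // BUCKET_SECONDS

    def measure(self, buckets: Sequence[Optional[float]],
                denominator: Optional[Sequence[Optional[float]]] = None) -> Optional[float]:
        """Reduce one interval of buckets to the number the operator compares."""
        total = float(sum(b for b in buckets if b is not None))   # absent -> 0
        if denominator is not None:        # Ratio checkbox: metric / secondary metric
            denom = float(sum(b for b in denominator if b is not None))
            return None if denom == 0 else total / denom
        unit = RATE_SECONDS[self.rate]
        if unit is None:
            return total
        return total / (self.interval_seconds / unit)   # occurrences per rate unit

    def evaluate(self, buckets: Sequence[Optional[float]],
                 denominator: Optional[Sequence[Optional[float]]] = None) -> bool:
        """Return True when this evaluation cycle generates an alert."""
        measured = self.measure(buckets, denominator)
        if measured is None:
            return False
        condition = self._compare(measured, self.value)
        if self.firing_mode == "level":
            return condition                # fires on every cycle while true
        # Edge-triggered: fire once, then stay quiet until two normal cycles re-arm it.
        if condition:
            self._normal_streak = 0
            if self._armed:
                self._armed = False
                return True
            return False
        self._normal_streak += 1
        if self._normal_streak >= 2:
            self._armed = True
        return False


def validate(interval_seconds: int, op: str, value: float) -> Optional[str]:
    """Return the configuration error message, or None if the settings are valid."""
    try:
        ThresholdAlert("check", interval_seconds, op, value)
    except ValueError as exc:
        return str(exc)
    return None


def run(alert: ThresholdAlert, stream: Sequence[Optional[float]]) -> List[int]:
    """Slide the alert interval over a bucket stream; return the bucket indexes that fired."""
    fired = []
    for end in range(alert.window - 1, len(stream)):
        if alert.evaluate(stream[end - alert.window + 1:end + 1]):
            fired.append(end)
    return fired


# Constructed sample: HTTP 500 responses per 30 s on one server (10 minutes of
# noise, 10 minutes of errors, 20 minutes back to normal).
HTTP_500_STREAM: List[Optional[float]] = [2] * 20 + [20] * 20 + [1] * 40


def demo() -> dict:
    """The guide's example: more than 100 HTTP 500s in a ten minute period."""
    edge = ThresholdAlert("http-500-edge", 600, ">", 100, firing_mode="edge")
    level = ThresholdAlert("http-500-level", 600, ">", 100, firing_mode="level")
    return {"edge": run(edge, HTTP_500_STREAM), "level": run(level, HTTP_500_STREAM)}


if __name__ == "__main__":
    print(demo())   # edge fires once at bucket 23; level fires on every cycle 23..54
```

The level-triggered run shows the practical difference: the same error burst produces one notification in edge mode and 32 in level mode, one per 30-second cycle for as long as the sliding ten-minute window still holds more than 100 errors. Pair level mode with an exclusion interval or a higher threshold if the notification channel feeds a pager.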

Configure trend alert settings

You can configure alert settings that monitor when a specific metric deviates from normal trends observed by the system. When the conditions configured by the alert settings are met, the ExtraHop system generates a trend alert, which you can view in the Alert History.

Trend alerts are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup. For example, you can configure trend alert settings that generate alerts when a spike (75th percentile) in HTTP web server processing time lasts longer than 10 minutes, and where the metric value of the processing time is 100% higher than the trend.

Before configuring alert settings, determine which metric you want to monitor and the conditions the metric must meet for the ExtraHop system to generate a trend alert.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click New to open the Alert Configuration window.
  4. Enter a unique name for the alert configuration in the Name field.
  5. Click Trend.
  6. Select the metric you want to monitor.
    1. Click the Select metric icon .
    2. Click the source of the metric, such as application.
    3. Click the protocol of the metric, such as HTTP, NetFlow, or custom.
      Depending on the source and metric type, some protocols contain secondary groups for client and server metrics.
    4. Locate and click the metric you want to monitor.
      Depending on the metric you select, the Key pattern field appears, which enables you to further refine the metric, such as to specify the definition of a custom metric. The key pattern is interpreted as a regular expression and must adhere to Perl-Compatible Regular Expression (PCRE) syntax.
    5. Click OK.
    6. If you have selected a dataset or sampleset metric, additional metrics options are available as described in Dataset and sampleset metric options for trend alerts.
  7. Optional: To monitor the value of the selected metric divided by a secondary metric, click the Ratio checkbox and select a secondary metric from the field provided.
    For example, divide the number of DNS response errors by the total number of DNS responses to monitor whether the percentage of errors deviates from the specified trend.
  8. Select one of the following firing modes:
    Edge-Triggered
    An edge-triggered alert is generated only once when the alert conditions are true. The alert is generated again only if conditions are true after the metric value has returned to normal conditions twice.
    Level-Triggered
    A level-triggered alert is generated continuously while the alert conditions are true for the specified time period.
  9. In the Alert When section, specify the following options that define the alert expression:
    Metric calculation
    Specifies the method by which the metric is calculated, as described in Metric calculation options for trend alerts. Note that the alert configuration does not disable incompatible options the way the Metric Explorer does. Be sure to select the median or a percentile calculation when adding a dataset metric, or you might generate unintended alerts.
    Interval
    Specifies the length of the time interval over which the metric is evaluated.
    Operator
    Specifies how to compare the observed metric value to the trend value.
    Note: The ExtraHop system does not record values of zero for metrics. Instead, the ExtraHop system observes a lack of values. If you specify a value of zero in your alert configuration, the alert will never be generated. To create an alert configuration with a zero value, select the < (less than) operator and type a value of 1.
    Value
    Specifies the trend value that generates an alert. The observed metric is compared to the specified trend value.

    For example, if measured in percentages, a trend value of 100 means that the alert is generated when the observed metric matches the trend. A trend value of 150 means that the alert is generated when the observed metric is 50% above the trend. Likewise, enter a value of 50 for 50% below trend.

    Measure
    Specifies the unit by which the value is measured.

    For example, to generate an alert when the standard deviation of the observed metric over a 60 minute interval is equal to 125% of the trend (25% above it), set the following Alert When values:

    Metric calculation: std. deviation

    Interval: 60 minutes

    Operator: ==

    Value: 125

    Measure: percent of trend

    Alert When options work with the Firing Mode options to determine how many times an alert should be generated.

  10. Click the Trend Settings tab and configure trend-specific settings for the alert.
    1. In the Window field, select the calculation window for the trend from the options described in Window options for trend alerts.
    2. In the Lookback field, specify the number of minutes of lookback, which is how far back in the stored metric history the system looks when calculating the trend.
    3. In the Weighting Model section, select and configure the model you want from the options described in Weighting model options for trend alerts.
  11. Click OK.

Dataset and sampleset metric options for trend alerts

This section describes the additional options available for trend alert configurations that monitor dataset and sampleset metrics.

Merge
Merges all the datasets and applies the trending function to one superset of data.

For example, a 30-second aggregation roll up, or metric cycle, contains a single dataset for each 30-second interval. Therefore, a 30-minute interval has 60 datasets.

You can generate a trendline from these datasets with one of the following methods:

  • Determine the mean, median, or nth percentile of each dataset, and perform a trend calculation on that value. For example, you might want to determine the moving average (trend function) of the 95th percentile of processing time.
  • Merge all of the datasets together into one large dataset and perform a trend calculation on that dataset. For example, you might want to merge the datasets, then calculate the trimean (trend function) of the combined dataset.
Mean
Calculates the mean of each dataset.
Percentile
Calculates a percentile of each dataset as specified in the Percentile Value field.
Standard Deviation
Calculates the deviation from the current trend with the same standard deviation parameters as the trend. The parameters can be absolute or relative, as specified in the Normalization field:
    Absolute
    Displays the standard deviation as a constant.
    Relative to Mean
    Displays the standard deviation relative to the mean.
Note: If the metric is not calculated as a standard deviation, the selected dataset metric is calculated as an absolute sample.

Metric calculation options for trend alerts

This section describes the metric calculation options available when configuring the alert conditions for trend alerts.

mean
Specifies the mean value of the metric. Select this option only for sampleset metrics, such as server processing time (tprocess) by server.
median
Specifies the 50th percentile value of the metric. Select this option only for sampleset metrics, such as server processing time (tprocess) or round trip time (rtt).
25th percentile
Specifies the 25th percentile value of the metric. Select this option only for sampleset metrics, such as server processing time (tprocess) or round trip time (rtt).
75th percentile
Specifies the 75th percentile value of the metric. Select this option only for sampleset metrics, such as server processing time (tprocess) or round trip time (rtt).
count (total)
Specifies the count or total of the metric values as an absolute value.
std. deviation
Calculates the standard deviation of the metric relative to the current trend. Select this option only for sampleset metrics, such as server processing time (tprocess) by server.
ANY
Generates the alert when any of the specified conditions are present.
ALL
Generates the alert when all of the specified conditions are present.
NONE
Generates the alert when none of the specified conditions are present.

Window options for trend alerts

This section describes the Window field options on the Trend Settings tab that you configure when creating a trend alert.

Same Hour of Week
Calculates the trend within a specified 1-hour window each week.
Same Hour of Day
Calculates the trend within a specified 1-hour window each day.
Minute Rolling Average
Calculates the trend based on the average of the data gathered each minute within a specified amount of time from the present time.
Hour Rolling Average
Calculates the trend based on the average of the data gathered each hour within a specified amount of time from the present time.

Weighting model options for trend alerts

This section describes the weighting model options that are available when configuring trend alerts.

Mean
Specifies the manner in which to calculate the average.
    Linear Average
    Calculates the average with all data points weighted equally.
    Single Exponential
    Calculates the average with the most recent data points weighted more heavily.
    Double Exponential
    Calculates the average with the most recent data points weighted the most heavily.

For linear averages, the most recent value is weighted at 1 times the oldest value by default. For single and double exponential means, enter a number to weight the most recent value.

Percentile
Specifies the percentile value to be referenced as a basis for creating the trend.
    Percentile
    Calculates the trend with data points from a user-specified percentile.
    Min Value
    Calculates the trend from the lowest data point gathered during the time interval.
    Max Value
    Calculates the trend from the highest data point gathered during the time interval.
Regression
Specifies monitoring for increasing trends.
    Linear
    Calculates steadily increasing trends based on previous trends that are equally incremental.
    2nd Degree Polynomial
    Calculates accelerating trends by projecting a curve with the following equation:
    y = ax² + bx + c
Standard Deviation
Calculates the normal deviation compared to the current trend.
    Type
    Applies a sample-based or population-based standard deviation.
    Normalization
    Displays the standard deviation either as an absolute value or relative to the mean.
Note: If a trend is a standard deviation, the same parameters as the trend are applied to alert configurations associated with that trend. If the trend is not a standard deviation, then the alert is calculated as "sample" and "absolute".
Static Value
Calculates the trend from the specified static value. This option is useful for plotting constant lines, such as an SLA target.
Time Delta
Applies the oldest trend value in the lookback window to calculate a time range.
Trimean
Calculates the weighted average of the 25th, 50th, and 75th percentile values.
Winsorized Mean
Replaces the most outlying values with the highest and lowest remaining values. Values above the 90th percentile are set to the 90th percentile value, and values below the 10th percentile are set to the 10th percentile value.
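The choice of weighting model decides how much a single outlier in the lookback moves the baseline, and therefore whether the "percent of trend" comparison described in the trend alert Alert When section fires. The following Python is an added example, not ExtraHop code: it implements the weighting models named above (linear average, single and double exponential, percentile, trimean, winsorized mean, standard deviation) and the percent-of-trend check from the Alert When section. The guide names the models but not their formulas, so the exponential smoothing forms and their alpha and beta weights are my assumptions, and the processing-time lookback and observed value are constructed sample data.

```python
import math
import operator
from typing import Sequence

# Added example, not ExtraHop code. The guide names the weighting models but not
# their formulas; the exponential smoothing forms and their weights (alpha, beta)
# below are my assumptions. Each lookback is a list of per-cycle values, oldest first.
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq}


def linear_average(lookback: Sequence[float]) -> float:
    """Mean > Linear Average: every data point weighted equally."""
    return sum(lookback) / len(lookback)


def single_exponential(lookback: Sequence[float], alpha: float = 0.3) -> float:
    """Mean > Single Exponential: recent points weighted more heavily
    (alpha is the weight of the newest point; assumed value)."""
    level = lookback[0]
    for x in lookback[1:]:
        level = alpha * x + (1 - alpha) * level
    return level


def double_exponential(lookback: Sequence[float], alpha: float = 0.3, beta: float = 0.1) -> float:
    """Mean > Double Exponential: Holt's method tracks a level and a slope, so the
    newest points dominate and a rising series projects upward (assumed form)."""
    level, slope = lookback[0], lookback[1] - lookback[0]
    for x in lookback[1:]:
        previous = level
        level = alpha * x + (1 - alpha) * (level + slope)
        slope = beta * (level - previous) + (1 - beta) * slope
    return level + slope   # one-step-ahead forecast


def percentile(values: Sequence[float], p: float) -> float:
    """Nearest-rank percentile, p in 0..100 (p=0 is Min Value, p=100 is Max Value)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def trimean(values: Sequence[float]) -> float:
    """Weighted average of the 25th, 50th and 75th percentiles: (Q1 + 2*Q2 + Q3) / 4."""
    return (percentile(values, 25) + 2 * percentile(values, 50) + percentile(values, 75)) / 4


def winsorized_mean(values: Sequence[float], low: float = 10, high: float = 90) -> float:
    """Clamp values beyond the 10th/90th percentiles to those percentile values, then average."""
    lo, hi = percentile(values, low), percentile(values, high)
    return sum(min(max(v, lo), hi) for v in values) / len(values)


def std_deviation(values: Sequence[float], sample: bool = True) -> float:
    """Standard Deviation > Type: sample (n-1) or population (n) denominator."""
    mean = sum(values) / len(values)
    squares = sum((v - mean) ** 2 for v in values)
    return math.sqrt(squares / (len(values) - 1 if sample else len(values)))


def percent_of_trend(observed: float, trend: float) -> float:
    """Alert When > Measure 'percent of trend': 100 is on trend, 150 is 50% above it."""
    return 100.0 * observed / trend


def trend_alert_fires(observed: float, trend: float, op: str, value: float) -> bool:
    """Alert When: compare the observed value, as a percent of trend, with the configured value."""
    return OPERATORS[op](percent_of_trend(observed, trend), value)


# Constructed sample: median HTTP server processing time (ms) per 30-second cycle
# over the lookback, ending with one outlier cycle, plus the current value.
LOOKBACK_MS = [40, 40, 40, 40, 40, 60, 60, 60, 60, 300]
OBSERVED_MS = 90


def baselines() -> dict:
    """Trend value produced by each weighting model for the sample lookback."""
    return {
        "linear_average": linear_average(LOOKBACK_MS),
        "single_exponential": single_exponential(LOOKBACK_MS),
        "double_exponential": double_exponential(LOOKBACK_MS),
        "trimean": trimean(LOOKBACK_MS),
        "winsorized_mean": winsorized_mean(LOOKBACK_MS),
    }


if __name__ == "__main__":
    for model, trend in baselines().items():
        print(f"{model:20s} trend={trend:7.2f}  "
              f"fires(> 150% of trend)={trend_alert_fires(OBSERVED_MS, trend, '>', 150)}")
```

With the sample lookback, the one 300 ms cycle pulls the linear average up to 74 ms, so a 90 ms observation is only 122% of trend and a "> 150 percent of trend" alert stays silent; the trimean (45 ms) and winsorized mean (50 ms) discard that outlier and the same observation fires. The robust models are the safer default when the alert is meant to catch a new anomaly rather than track a baseline that the anomaly itself is already inflating.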

Assign an alert configuration to a source

Although you configure alert settings from the System Settings window, you assign an alert configuration to a source from the Metrics page in the ExtraHop Web UI. You must assign an alert to a source before it can monitor your environment.

Before you begin

You must configure an alert before it can be assigned. See Configure threshold alert settings, Configure trend alert settings, or Configure detection alert settings.

For threshold and trend alerts, you can only assign the alert configuration to the same source type as the monitored metric.

For detection alerts, you can only assign the alert configuration to the same source type you selected in the alert settings.

The following procedure shows you how to assign an alert configuration to a device. The procedure for assigning alert configurations to applications and device groups is similar.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click Metrics from the top menu.
  3. Click Devices in the left pane.
  4. Select the checkbox for each device you want monitored by the alert configuration.
  5. Click the Assign Alert icon from the top of the page.
  6. Select the checkbox for each alert configuration you want to assign to the selected devices.
  7. Click Assign Alerts.
The alert configuration monitors the selected devices for the alert conditions specified in the alert settings.
Tip: You can also manage alert assignments from the Overview page for a source. From the Manage... section, click Assignments or Alerts to add or remove alert assignments from the source and to view which alerts are already assigned to the source.

Add a notification to an alert configuration

You can add notifications to an alert configuration that will email specified addresses when an alert is generated. You can also send notifications to an SNMP listener.

Before you begin

You must configure an alert before you add notifications. See Configure threshold alert settings, Configure trend alert settings, or Configure detection alert settings.
  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Open the alert you want, and then click the Notifications tab.
  4. From the Severity list, specify one of the following severity levels for the generated alert:
    • Emergency
    • Alert
    • Critical
    • Error
    • Warning
    • Notice
    • Info
    • Debug
    You can specify the severity level for the alert without adding notifications. The severity level appears both in notification emails and in the Alert History.
  5. Select Send SNMP trap to specify whether notifications are sent to an SNMP listener.
    Users with administration privileges can configure the SNMP listener in the ExtraHop Admin UI.
  6. In the Email notification groups section, select the email groups that can receive notifications when an alert is generated.
    The Default group is selected by default. Users with unlimited privileges can configure additional email groups in the ExtraHop Admin UI.
  7. Optional: In the Additional email addresses section, specify any email addresses that are not included in a selected group, but should receive notifications when an alert is generated.
  8. Optional: In the Additional metrics in emails section, enter any additional metrics you want to include in the notification email.
    Enter the metric names, one per line, into the window or click the Find metric... button to search for a metric.
  9. Click the Description tab to add text that will appear in the body of the email notification.
    Alert descriptions support Markdown, which is a simple formatting syntax that converts plain text into HTML. When placed before or around text, certain non-alphabetic characters specify what HTML styling to apply to the text. For example, place double asterisks (**) before and after text you want to display as bold. For more information, see Add Markdown to an alert description.
  10. Click OK.

Add Markdown to an alert description

Alert descriptions support Markdown, which is a simple formatting syntax that converts plain text into HTML. When placed before or around text, certain non-alphabetic characters specify what HTML styling to apply to the text. For example, place double asterisks (**) before and after text you want to display as bold.

If you add a notification to the alert configuration, the description is included in the body of email notifications. The description is also displayed in the Alert Details, which you can access from the Alert History.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Open the alert you want, and then click the Description tab.
  4. In the text box, enter the description for the alert configuration.
    The following list shows common Markdown formats that are supported in the text box.
    Headings
    Place a number sign (#) before your text. The heading level is determined by the number of number signs. Example: ####Example H4 heading
    Unordered lists
    Place a single asterisk (*) before each item. Example:
    * First example
    * Second example
    Ordered lists
    Place a number and a period (1.) before each item. Example:
    1. First example
    2. Second example
    Bold
    Place double asterisks before and after your text. Example: **bold text**
    Italics
    Place an underscore before and after your text. Example: _italicized text_
    Hyperlinks
    Place link text in brackets before the URL in parentheses, or type the URL. Links to external websites open in a new browser tab. Links within the ExtraHop Web UI, such as dashboards or custom pages, open in the current browser tab. Examples: [Visit our home page](https://www.extrahop.com) and https://www.extrahop.com
    Blockquotes
    Place a right angle bracket and a space before your text. Example:
    On the ExtraHop website:
    > Access the live demo and review case studies.
    Monospace font
    Place a backtick (`) before and after your text. Example: `example code block`
    Emojis
    Copy and paste a Unicode emoji into the text box. Adding emojis with Markdown syntax is unsupported. For Unicode emoji examples, see the Unicode Emoji Chart website.
  5. Click OK.

Create an exclusion interval for alerts

Exclusion intervals define a time in which alerts are suppressed. For example, if you do not want to be notified about alerts after hours or on the weekends, create an exclusion interval that specifies the time period to suppress alerts. After you create the exclusion interval, you can assign it to one or more alert configurations.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click the Exclusion Intervals tab, and then click New.
  4. Enter a unique name for the exclusion interval in the Name field.
  5. Optional: In the Assign to All section, you can assign the exclusion interval to all alert configurations or only to trend alert configurations.
    • To assign the exclusion interval to all existing and future alert configurations, click Alerts.
    • To assign the exclusion interval to all existing and future trend alert configurations, click Trend.
  6. From the Exclude section, specify one of the following time frame options for the exclusion interval:
    • To set a one-time exclusion interval, select From.
    • To set a daily exclusion interval, select Every day.
    • To set a weekly exclusion interval, select Every week from.
  7. Click OK.
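The three time-frame options above reduce to one membership test, and the cases that go wrong in practice are windows that wrap past midnight or past the end of the week. The following Python is an added example, not ExtraHop code: the OneTime, Daily and Weekly classes and the sample alert times are constructed for illustration, it assumes naive local timestamps in the appliance time zone and an exclusive end boundary, and it does not model how the appliance stores intervals. One caveat to check whenever you use Assign to All > Alerts: the interval then also silences detection alerts for the whole window, so a weekend exclusion created to stop performance pages will also hide the security detection alerts you would most want over a weekend.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Sequence, Union

# Added example, not ExtraHop code. Assumptions: timestamps are naive local times
# in the appliance's time zone, an interval's end is exclusive, a daily interval
# whose end is earlier than its start wraps past midnight, and a weekly interval
# whose end falls earlier in the week than its start wraps past the weekend.


@dataclass(frozen=True)
class OneTime:          # Exclude > From: a single absolute window
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Daily:            # Exclude > Every day
    start: time
    end: time


@dataclass(frozen=True)
class Weekly:           # Exclude > Every week from; days are 0=Monday .. 6=Sunday
    start_day: int
    start: time
    end_day: int
    end: time


Exclusion = Union[OneTime, Daily, Weekly]


def _minute_of_week(day: int, t: time) -> int:
    return day * 1440 + t.hour * 60 + t.minute


def _in_cycle(point: int, start: int, end: int) -> bool:
    """Half-open membership on a circular range (wraps when end < start)."""
    if start <= end:
        return start <= point < end
    return point >= start or point < end


def in_exclusion(interval: Exclusion, when: datetime) -> bool:
    """True if the alert time falls inside the exclusion interval."""
    if isinstance(interval, OneTime):
        return interval.start <= when < interval.end
    if isinstance(interval, Daily):
        return _in_cycle(_minute_of_week(0, when.time()),
                         _minute_of_week(0, interval.start),
                         _minute_of_week(0, interval.end))
    if isinstance(interval, Weekly):
        return _in_cycle(_minute_of_week(when.weekday(), when.time()),
                         _minute_of_week(interval.start_day, interval.start),
                         _minute_of_week(interval.end_day, interval.end))
    raise TypeError(f"unknown exclusion interval {interval!r}")


def suppressed(exclusions: Sequence[Exclusion], when: datetime) -> bool:
    """True if any exclusion assigned to the alert covers this alert time."""
    return any(in_exclusion(x, when) for x in exclusions)


def deliver(exclusions: Sequence[Exclusion], alert_times: Sequence[datetime]) -> List[datetime]:
    """Return the alert times that would still be generated (not suppressed)."""
    return [t for t in alert_times if not suppressed(exclusions, t)]


# Constructed sample: a weekend window and a nightly maintenance window.
WEEKEND = Weekly(4, time(18, 0), 0, time(6, 0))    # Friday 18:00 -> Monday 06:00
NIGHTLY = Daily(time(22, 0), time(6, 0))            # 22:00 -> 06:00, crosses midnight

SAMPLE_ALERTS = [
    datetime(2024, 3, 6, 12, 0),    # Wednesday noon: delivered
    datetime(2024, 3, 6, 23, 30),   # Wednesday 23:30: nightly window
    datetime(2024, 3, 7, 6, 0),     # Thursday 06:00: boundary, end is exclusive, delivered
    datetime(2024, 3, 9, 12, 0),    # Saturday noon: weekend window
    datetime(2024, 3, 11, 5, 30),   # Monday 05:30: both windows
]

if __name__ == "__main__":
    for t in deliver([WEEKEND, NIGHTLY], SAMPLE_ALERTS):
        print("would alert:", t)
```

Run it against the timestamps of the alerts you actually expect to see before assigning an interval: of the five sample alerts only the Wednesday noon and Thursday 06:00 ones survive, and the 06:00 one survives only because the end boundary is treated as exclusive, which is exactly the kind of detail to confirm against the appliance rather than assume.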

Assign an exclusion interval to an alert

Assign one or more exclusion intervals to an alert configuration to suppress generation of alerts during a specified time frame.

Before you begin

You must configure an alert before you assign an exclusion interval. See Configure threshold alert settings, Configure trend alert settings, or Configure detection alert settings.
  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click the alert configuration you want to open in the Alert Configuration window.
  4. Click the Exclusion Intervals tab.
  5. Select the checkbox next to each exclusion interval you want to assign to the alert.
  6. Click OK.

View the exclusion interval history

The exclusion interval history displays the last 100 changes made to exclusion interval configurations.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click the Exclusion Intervals tab, and then click the History tab.
    The tab displays the following information:
    Change
    Displays the change that was made to the exclusion interval.
    Author
    Displays the author of the change.
    Timestamp
    Displays when the change was made.
  4. Click OK to close the window.

Detections

The ExtraHop system applies machine learning techniques to your wire data to identify unusual behaviors and potential risks to your network security or performance. Unlike other machine learning solutions that rely on logs or agent data, detections do not require additional configuration or maintenance as your network infrastructure changes.

Note: This topic applies to all ExtraHop systems, including ExtraHop Reveal(x).

After you have connected to the ExtraHop Machine Learning Service, the Detections page is enabled, and the ExtraHop system begins to analyze your stored data to identify performance and security detections.

Detections offer the following types of help:

  • Uncover hidden issues before they create problems for your users
  • Collect high-quality, actionable data to identify root causes of detections
  • Gain deeper insight into your network behavior
  • Find unknown performance issues, security issues, or infrastructure quirks

Here are important considerations about detections:

  • You must have at least four weeks of wire data metrics stored on the ExtraHop system before detections can be identified.
  • Users with restricted read-only privileges can only view metrics included in the dashboards that you share with them. Those users will be unable to view detections. For more information, see Share a dashboard with a restricted user.
  • If you are managing multiple ExtraHop Discover appliances through a Command appliance, you can access detections for any connected Discover appliance that is enabled for detections.

Depending on your ExtraHop system edition, your detections can highlight potential performance issues or security risks. Security detections are available only in ExtraHop Reveal(x).

Detection categories

The Machine Learning Service identifies security or IT operations detections depending on whether your license is activated on a Discover appliance or ExtraHop Reveal(x).

Security detections

The best way to stop attackers from stealing data or wreaking havoc on your network is to detect attacks before they cause harm. Even though attackers regularly develop new methods for evading detection, most attacks tend to follow familiar patterns or phases. ExtraHop Reveal(x) can detect unusual network behavior associated with different phases of an attack. Security detections help you learn about security risks, what type of attack is associated with the risk, and which devices are affected by the risk.

Note: This topic applies only to ExtraHop Reveal(x).
Note: Security detections provide you with high-quality, actionable data about security risks. But these detections do not replace decision-making or expertise about your network. Always investigate detections to determine the root cause of unusual behavior and when to take action.

When you log into the Web UI of your ExtraHop system, click Detections. The Detections page appears with all of the security detections identified during the selected time interval.



Attack chain

Most network attacks tend to follow familiar patterns or phases. These phases can be assembled into an attack chain to characterize the progression of an attack. Below the timeline chart on the Detections page, the attack chain highlights the number of detections that are associated with each attack phase, as shown in the following figure.



Important: Multiple detections in the attack chain can be associated with an attack. Detections associated with attack phases can be detected in any order.

The following types of security risks are associated with each phase of the attack chain.

Command and control
A compromised device on your network is attempting to contact an attacker’s external Command and Control (C&C) server. After the connection is established, the C&C server can send additional malware, instructions for remote execution, and payloads to support the attack. Detections identify when an internal device is communicating to a suspicious system outside of your network in support of an attack.
Reconnaissance
An attacker has compromised a device and initiates suspicious scans from that device to learn about your network. The attacker is looking for potential targets (critical assets) as well as attempting to gain direct control of resources. Detections identify when an internal device is performing suspicious scans of devices, ports, services, applications, or files on your network.
Lateral movement
An attacker is progressively moving through your network from device to device in search of data and critical assets that are ultimately the target of their attack campaign. Detections identify the unusual movement of users or data within your network.
Exfiltration
An attacker is attempting an unauthorized transfer of data from your network to a system that the attacker controls. Detections identify unusual transfers of data from devices within your network to external systems.

Performance (IT operation) detections

Detections automatically surface network, application, and infrastructure problems and identify their root causes, so that you can direct your investigation to any trouble areas.

Note: Detections provide you with high-quality, actionable data about potential performance and IT operation issues. But these detections do not replace decision-making or expertise about your network. Always investigate detections to determine the root cause of the unusual behavior and when to take action.

Detections identify potential issues in the following performance and IT operation categories:

Authentication & Access Control
Detections identify unsuccessful attempts by users, clients, and servers to log in or access resources.
Database
Detections evaluate a suite of database protocols to determine whether your applications or users might be experiencing database access problems.
Desktop & App Virtualization
Detections identify when there are long Citrix load times or poor quality sessions for end users. SSH (secure shell) activity is also evaluated.
Network Infrastructure
Detections evaluate whether there are unusual events over the TCP, DNS, and DHCP protocols.
Service Degradation
Detections analyze key protocols for Voice over IP (VoIP) and email communications within a network to identify service issues or performance problems.
Storage
Detections evaluate network file system traffic to determine whether users are having issues accessing specific files and shares.
Web Application
Detections analyze web traffic to find unexpected spikes in HTTP errors and warning codes. Poor web server performance is also analyzed.

Interpret detections

The Detections page displays the total number of detections for the selected time interval and details about each detection. The following sections show you what information you can learn from detections.

View total detections over time

The Timeline chart displays the total number of detections identified over time for the selected time interval. Each horizontal bar in the chart represents a single detection, so you can view the duration of each detection. Look for the tallest stack of bars to determine when the most detections occurred in the time interval. The total number of detections dynamically updates when you filter detections.

Tip: Hover over a bar to view the detection title, or click the bar to navigate directly to the detection detail page.


Click and drag across an area on the chart (which will become highlighted in green) to zoom in on a specific time range. The time interval dynamically updates to match the new time range in the chart, and details about each detection are displayed below the chart.

View details for individual detections

Each detection provides detailed information about the type of issue that occurred, when the issue occurred, and the source of the issue. Individual detections are listed below the Timeline chart, and they are sorted by their start time. The most recent detection is listed first.

The following figure shows you what type of information is provided within an individual detection:



Title
The title includes the anomalous metric and the device or application name that is the cause of the detection. Click the title to share the detection.
Description
The description provides information about what the detection means. For most detections, detail metrics are provided so you can immediately begin your investigation.

For more information, see Investigate detections.

Duration
The duration of the detection indicates how long the anomalous value was detected by the Machine Learning Service.

The minimum duration of a detection is 30 seconds. Detection data is analyzed every 30 seconds or every hour, depending on the metric. If the duration value displayed is ONGOING, the metric is being analyzed.

Risk score (ExtraHop Reveal(x) only)
Each detection has an associated risk score that can help you quickly identify urgent or critical detections in your environment. A risk score is displayed for each security detection and is color coded by severity:
  • Red = 80-99
  • Orange = 31-79
  • Yellow = 1-30

The risk score is calculated based on the following criteria:

Likelihood
An estimate of how likely it is that an attacker might discover and exploit the detection.
Skill level
The technical skill level required by an attacker to exploit the detection.
Impact
An estimate of the technical and business impact to company operations and value should an attacker exploit the detection.
Sparkline
Sparklines are simple line charts that show you the metric behavior that led up to the detection. The sparkline charts display a snapshot of metric data from the time frame around the duration of the detection (such as 6 hours), and not the overall time interval from the top of the page (such as the last 7 days).

Click the sparkline to open the Metric Explorer for the metric. Metric characteristics, such as the source, time interval, and drill-down details are preserved so that you can quickly create a chart from the metric or add additional sources and metrics for comparison.

Peak Value
The peak value is the maximum observed value that deviated from the expected range during the duration of the detection.
Expected Range
The expected range includes values that represent a normal background level of activity, which is calculated based on 4 weeks of data. The expected range is the basis for comparison with observed values to detect changes in metric activity.
Deviation
A deviation is the quantity calculated to indicate the extent of change from an expected range.
Activity Maps
Click Activity Map to open an activity map that displays all of the L7 protocol activity and device connections to the client or server in the detection. For more information, see Activity maps.
Feedback
Click the feedback icon to let us know if the detection was helpful. Your feedback is valuable and helps us improve our identification process. All feedback is anonymous and will not have an immediate effect on your detections. You can submit feedback for a detection more than once.

How ExtraHop detections work

This section provides some background information on how the cloud-based ExtraHop Machine Learning Service identifies detections.

Essentially, a detection is identified when observed data exhibits anomalous behavior such as deviating from the expected range of data by a significant amount. You can view analysis results about anomalies on the Detections page in the ExtraHop Web UI. If available, the following information is provided for each detection: the measured deviation (which is the difference between the observed value and the expected range), the detection value, and the expected range of normal metric values at the time of the detection.

Here is how detections are generally identified: the ExtraHop system generates metrics from wire data for the protocols, devices, and applications discovered on your network. A subset of these metrics is delivered over an encrypted connection from the ExtraHop system to the Machine Learning Service in the cloud. The proprietary algorithm that drives the Machine Learning Service combines time series decomposition, unsupervised learning, heuristics, and ExtraHop's unique domain expertise. This combination helps to ensure that detections are both accurate and actionable. The ExtraHop system calculates the expected range of normal network behavior and then adapts to changing variations in protocols and metric data. The ExtraHop system identifies detections based on three variables:
  • Observed data, collected in real-time on your ExtraHop appliance
  • Expected range data, calculated from four weeks of historical data on your ExtraHop appliance
  • Threshold values, which are automatically adjusted by the algorithm based on historical metric data and heuristics defined by the IT networking domain experts at ExtraHop

Detections also provide anomalous 50th percentile or 75th percentile values for a subset of metrics that account for server processing time.
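The following is an added illustration, not ExtraHop's code or algorithm (which is proprietary): a deliberately simplified detector built from the three variables named above, which returns the same fields a detection displays (expected range, peak value, deviation, duration). The percentile-based expected range, the fixed threshold factor, and the sample metric values are all assumptions made for this example.

```javascript
// Added example, not ExtraHop's own code. Simplified model of how the
// three variables above combine: observed data, an expected range from
// historical data, and a threshold. The choice of percentiles and the
// threshold heuristic are assumptions, not ExtraHop's algorithm.

// Expected range: assumed here to be the 5th..95th percentile of the
// historical samples (the page only says it is based on four weeks of data).
function expectedRange(history) {
  const sorted = history.slice().sort((a, b) => a - b);
  const n = sorted.length;
  // Integer percentile arithmetic avoids floating-point index surprises.
  const pick = (p) => sorted[Math.min(n - 1, Math.floor((n * p) / 100))];
  return { low: pick(5), high: pick(95) };
}

// Deviation of one observation from the range: 0 when inside the range.
function deviation(value, range) {
  if (value > range.high) return value - range.high;
  if (value < range.low) return range.low - value;
  return 0;
}

// Scan real-time observations (assumed one per 30-second interval) and
// report a detection when the deviation exceeds the threshold, which is
// assumed to be the width of the expected range times thresholdFactor.
// Returns null when nothing crosses the threshold.
function detect(history, observed, thresholdFactor) {
  const range = expectedRange(history);
  const threshold = (range.high - range.low) * thresholdFactor;
  let start = -1;
  let end = -1;
  let peak = null;
  let maxDev = 0;
  observed.forEach((value, i) => {
    const dev = deviation(value, range);
    if (dev > threshold) {
      if (start < 0) start = i;   // first anomalous interval
      end = i;                    // last anomalous interval seen so far
      if (dev > maxDev) {         // track the peak value and its deviation
        maxDev = dev;
        peak = value;
      }
    }
  });
  if (start < 0) return null;
  return {
    expectedRange: range,
    peakValue: peak,
    deviation: maxDev,
    durationSeconds: (end - start + 1) * 30, // minimum duration is 30 seconds
  };
}

// Constructed sample data: historical HTTP 404 counts per interval, then a
// window of observed counts containing a spike.
const SAMPLE_HISTORY = [1, 2, 0, 3, 2, 1, 4, 2, 3, 1, 2, 5, 0, 2, 3, 1, 2, 4, 2, 1];
const SAMPLE_OBSERVED = [2, 3, 40, 55, 48, 4];
```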

In most network monitoring tools, unusual activity is detected through manually-configured alerts and trend models for individual devices. However, as your network changes—because of hardware reconfigurations, organization mergers, business growth, or the addition of applications to your network—these types of alerts and models can become quickly outdated and potentially inaccurate. Detections automatically deliver consistent and accurate results about anomalous metrics and protocols without requiring manual configuration for individual devices.

Because unusual behavior is detected in real time, you can identify and resolve a potential issue before it becomes a larger problem. You can also review historical detection data to investigate issues related to known security or network outage events that previously occurred.

Note: If you need to define a specific threshold value for an anomaly, such as a service level agreement (SLA), we recommend manually configuring an alert.

Check out the following resources that are designed to familiarize new users with Detections.

Find and filter detections

You can filter detections by time interval, protocol, category, applications, or devices. Detections are sorted by their start time and the most recent detection is listed first.

  1. Log into the Web UI on a Discover or Command appliance, and then click Detections at the top of the page.
    A list of detections for the current time interval appears. If the list is empty, the Machine Learning Service has not identified detections for the selected time interval.
  2. In the left pane, filter detections by selecting the options as shown in the following figure:


Next steps

Investigate detections

Automated investigation is available for most detections. By viewing detail metrics in the detection description, you can immediately learn which factors contributed to an issue. When multiple factors contribute to a detection, you can also see the percentage of their contribution to the detection. For example, the following figure shows which client, server, and URI are linked to an HTTP 404 detection.



Note: Automated investigation is not available for server processing time detections. For these detections, you can investigate detections from a protocol page in the Discover or Command appliance.

To learn more about the scope of a detection on your network, you can continue your investigation by opening an activity map or visiting a protocol page.

Open an activity map from a detection

When a single client or server is associated with unusual L7 protocol activity, such as a high number of HTTP errors or DNS request timeouts, an activity map link appears.

  1. Log into the Web UI on a Discover or Command appliance, and then click Detections at the top of the page.
  2. Find the detection that you want to investigate. The following figure shows an example of the Activity Map link for a database server that sent an unusual number of errors.


  3. Click Activity Map.
    An activity map appears for the database server. The activity map in the following figure shows the two database clients that were connected to the server during the detection time frame.

You can now interact with the activity map to learn more about the effect of the database errors across the network:
  • Click any client in the map to access a menu that contains a Go to Device... link. Click the link to open a protocol page with client metrics, such as requests and responses.

  • In the left pane below Step 1, click Add Step and then click All Peers in the drop-down list. The map updates to show you which downstream devices are connected to the database clients, as shown in the following figure.

  • Save and then share your activity map with other ExtraHop users.

For more information about activity maps, see Activity maps.

If you want to further investigate anomalous metrics, you can navigate to a protocol page where you have access to additional charts, metrics, and tools.

  1. Log into the Web UI on a Discover or Command appliance, and then click Detections at the top of the page.
  2. Find the detection that you want to investigate.
  3. Click the source name, as shown in the following figure.


    The anomalous protocol page for the device or application appears, which displays all of the metric data associated with that specific device or application during the detection time interval, as shown in the figure below.

Next steps

From a protocol page, you can then choose one of the following options to further investigate metric data:

Best practices for investigating detections

The Machine Learning Service provides you with high-quality, actionable data about detections—but does not replace decision-making or expertise about your network. The following best practices explain how to determine which detections are worth further investigation and when to take action.

Change the time interval to see when detections occurred
Learn if detections occurred before, after, or during a reported problem. For example, does the time frame of the detection coincide with a reported issue, such as slow load times or login times? You can also compare detections from the past month to the current date, which gives you a sense of whether the occurrence or severity of detections is changing over time.

For more information, see Find and filter detections.

Compare additional metrics or sources
Click the sparkline to open the Metric Explorer for the metric. Metric characteristics, such as the source, time interval, and drill-down details are preserved so that you can quickly create a chart from the metric or add additional sources and metrics for comparison.
Create a detection alert
You can configure an alert to receive email notifications when a detection occurs. Detection alerts also help you quickly find detections for a specific device or application on the Alert History page.

For more information, see Configure detection alert settings.

Filter detections by protocol
Filter by protocol to quickly monitor critical protocols with a role in security, commerce, or communication processes.

For example, an FTP 530 error detection might indicate that someone is trying to gain unauthorized access to information on your network. Or Citrix server and client latency detections might indicate that users are experiencing long load times for their roaming desktop profiles.

Selecting different protocols can also show you how detections correlate to each other. An anomalous HTTP response time followed immediately by an anomalous CIFS server processing time might suggest that web servers are dependent on how quickly your file storage servers can send and receive file data.

For more information, see Find and filter detections.

Share a detection

If you find a detection that you want to share, you can send the URL from the detection detail page to other ExtraHop users.

Note: This topic applies to all ExtraHop systems, including ExtraHop Reveal(x).

Here are some important considerations about sharing detections:

  • You must copy and share the entire URL.
  • To view the detection, the ExtraHop user must have access to the Discover or Command appliance where the detection was identified.

The following steps show you how to select and share a detection:

  1. Log into the Web UI on a Discover or Command appliance, and then click Detections at the top of the page.
  2. Find the detection that you want to share.
  3. Click the detection title, as shown in the following figure.


  4. At the top of the browser, copy the entire URL.

Next steps

Geomaps

A geomap is a visual representation of worldwide activity based on a single count metric. The ExtraHop system determines the originating IP address of each metric event and plots it to a regional data point on the geomap.

View regional details

A metric tracked on a geomap displays a data point for each location from where metric data originates, and you can click the data point to display regional details.

For example, assign an SSH session metric to a geomap to find out if SSH attempts are coming from unauthorized locations. Click on a data point to show the IP addresses that sent the requests.

Click a data point to view the following regional activity details:

Summary
Displays the following information about user activity in the region:
  • The total number of IP addresses on which a response or a request has been made.
  • The number of unique IP addresses out of the total number of addresses.
  • The mean, or average, number of IP addresses per unique IP address.
Top locales
Displays the top two locales that generate the most activity in the region. Locales are cities that are geographically close together and can be summarized in one region. For example, the window might display Mountain View, California and Oakland, California as the top locales for a region.
Top users
Displays the top six users that have generated the most activity in the region. Each user is identified by IP address, and the number of responses or requests generated by each IP address is displayed.

View alert details

A metric tracked on a geomap might be associated with one or more alerts. If the metric activity meets alert conditions, the appearance of the data point indicates the severity level.

Alert severity levels are represented by the following colors on the geomap:

Gray
Indicates that no user-defined alerts are configured, or only edge-triggered alerts are configured.
Green
Indicates that no user-defined alerts are configured, or that an alert with a severity level of Debug or Informational was generated.
Orange
Indicates that at least one alert with a severity level of Notice or Warning was generated.
Red with spinning edges
Indicates that at least one alert with a severity level of Error or Critical was generated.
Red with sonar beacons
Indicates that at least one alert with a severity level of Emergency or Alert was generated.

For example, suppose an alert is configured to watch HTTP responses on a group of web servers so that a critical-level notification is sent whenever the ratio of errors exceeds 5%. If your geomap tracks HTTP responses on the same web servers, data points display as red with spinning edges in each region where the alert condition is met.

The Firing Mode setting of an alert affects the data points on the geomap. For example, edge-triggered alerts are prompted only when the alert threshold is crossed, so the data point is red when the issue first occurs, but not continuously. Level-triggered alerts are generated continuously while the alert conditions are true, and the data point reflects the continuous state.

We recommend that you configure level-triggered alerts at the same interval (or more frequently) as the time interval that you are displaying in the geomap.

Click a data point to view the following alert details:

  • The IP addresses that have generated an alert.
  • The alert severity level associated with each IP address.
  • The name of the alert associated with each IP address.

See Alerts for more information about configuring alerts and alert severity levels.

Each geomap displays the following information and controls:

Display controls
Settings that determine the look of the geomap and the time range of the data displayed.
Activity graphs
Graphs that display user activity in smaller data sets.
Autopilot
A feature that automatically navigates between the top eight regions with the most user activity.
Updater
A timer that counts down to the next refresh of the data on the geomap.

Check out the following guides and resources that are designed to familiarize new users with our top features.

Generate a geomap

The ExtraHop system makes it easy for you to generate a geomap on-the-fly from a metric detail page. The ExtraHop system determines the originating IP address of each metric event and plots it to a regional data point on the geomap.

You can only generate geomaps for count metrics that can be broken down by an IP address.

To learn about how geomaps work and what information is provided, see Geomaps.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Go to the device, application, or dashboard that displays the count metric you want to track.
    • To go to a device page, click Metrics, click Devices or Device Groups from the left pane, and then click the device you want.
    • To go to an application page, click Metrics, click Applications from the left pane, and then click the application you want.
    • To go to a dashboard, click Dashboards, and then click the dashboard you want.
    Note:If there is no dashboard or source page that displays the count metric you want, create a chart and add it to a dashboard.
  3. Click the label of the count metric to open a context menu, and then select the key for the detail metric you want from the Drill down by list.
    Depending on the metric, the available keys might be client, server, or IP.
    The detail page for the source of the metric appears.
  4. Click the View Geomap button.
    The geomap opens in full-screen on a new browser tab.
    Tip:You can save or bookmark the geomap URL to quickly return to it.

Packets

With an ExtraHop Trace appliance connected to a Discover appliance, you can search for and download packets for selected transactions through the Packets feature in the ExtraHop Web UI. The downloaded packets can then be analyzed through a third-party tool, such as Wireshark.

You must have a configured ExtraHop Trace appliance before you can store and query for packets. See our deployment guides to get started.

You can launch a quick packet query for the current time interval by clicking Packets from the top menu. The ExtraHop system queries packets for the selected time interval, such as the last 30 minutes, and displays the Packet Query page. If you change the time interval, the query starts again. Either end of the gray bar displays a timestamp, which is determined by the current time interval. The time on the right displays the starting point of the query and the time on the left displays the endpoint of the query. The blue bar indicates the time range during which the system found packets. You can drag to zoom on a period of time in the blue bar to run a query again for that selected time interval.

The following figure provides an overview of the Packet Query page and features:

Tip: Filter packets with Berkeley Packet Filter syntax.

There are multiple locations in the ExtraHop Web UI from which you can initiate a packet query:

  • Type an IP address in the global search field and then select the Search Packets icon.

  • Click Packets from the upper right corner of a device page.

  • Click the Packets icon next to any record on a record query results page. (Only available with a connected Explore appliance.)

  • Click on an IP address or hostname in any chart with metrics for network bytes or packets by IP address to see a context menu. Then, select the Packets icon to query for the device and time interval.

Configure global packet capture

When you enable the global packet capture feature on the Discover appliance, you start collecting packets for every flow to an SSD installed on your Discover appliance or, in the case of a virtual machine, to a regular disk drive.

Before you begin

Make sure you are licensed for the packet capture feature and that you have added the packet capture disk (an SSD on a physical appliance or an additional drive on a virtual machine). Note that the Packet Captures section in the Admin UI does not appear if your Discover appliance is not licensed for the feature. For information about adding an SSD drive, see Install an SSD for Packet Capture on the ExtraHop Discover Appliance.

For Discover virtual appliances, refer to your hypervisor manual for configuring an additional 500 GB disk.

  1. Log into the Admin UI on the Discover appliance.
  2. In the Packet Captures section, click Global Packet Capture.
  3. In the Start Global Packet Capture section, type the following information:

    Name: The name for the capture.

    Max Packets: The maximum number of packets to capture. This value cannot be a negative number.

    Max Bytes: The maximum number of bytes to capture. This value cannot be a negative number.

    Max Duration (milliseconds): The maximum duration that the global capture should run. If this value is set to 0, this field is ignored and the duration runs for an unlimited time.

    Snaplen: The maximum number of bytes copied per frame. By default, this value is 96 bytes, but you can set this value to a number between 1 and 65535.

  4. Click Start.
  5. Click Stop to stop the packet capture before any of the maximum limits are reached.

Download your packet capture from the View Packet Captures page and open the file in a packet analyzer such as Wireshark.

Records

Records are structured information about transaction, message, and network flows that are generated and sent from a Discover appliance to an Explore appliance for storage and retrieval. After your records are stored, you can query for them from the Discover or Command appliances.

Before you begin

You must have a configured ExtraHop Explore appliance and connect it to your Discover appliance before you can store and query for records. See our deployment guides to get started.

With the Discover appliance, you start with a high-level view of your Discover appliance data, and then drill down to view your device data. With records stored on an Explore appliance, you can drill down to individual transactions from those devices, or you can query for outlying transactions, such as overly-long processing times or unusual response sizes.

For example, if you had fifty HTTP 503 errors, you could view details about those errors by querying the records stored on the Explore appliance. The records would contain specific information about each individual HTTP transaction, which might reveal the underlying problem.

There are two basic types of records: flow and L7. Flow records show network-layer communication between two devices over an IP (L3) protocol. L7 records show details from individual messages or transactions over L7 protocols. There are three types of supported L7 protocols: transactional (such as HTTP, CIFS, and NFS), message-based (such as ActiveMQ, DNS, and DHCP), and session-based (such as SSL and ICA).

Important: Most user privileges let you query for records, but collecting and storing records requires full write privileges and familiarity with writing triggers.

Here are a few definitions you should know about records in the ExtraHop Web UI:

Records: An object that contains fields, where each field is a name and a value pair. The value can be a string, number, boolean, array, or nested object.

Record types: An ID that determines what data is collected and stored on your Explore appliance. Because you must write a trigger to collect records, you need a way to identify the type of data you will collect. There are built-in record types, which collect all of the available known fields for a protocol. You can start with a built-in record type (such as HTTP) and write a trigger to collect only the fields for that protocol that matter to you (such as URI and status code). Or, advanced users can create a custom record type if they need to collect proprietary information that is not available through a built-in record type.

Record formats: A schema that lets you display stored records in a formatted table (or table view) when you run a record query. The Discover appliance has record formats for each built-in record type. However, if you create a custom record type, but do not create a corresponding record format, you will only be able to view your fields in a text verbose view—custom fields will not appear in any selectable lists, such as the Group By list.

Indicators of compromise (ExtraHop Reveal(x) only): Record query results that contain suspicious IP addresses, hostnames, and URIs appear with a red camera icon next to the record. For more information about indicators of compromise, see Threat intelligence - Reveal(x) only.

Collecting and storing built-in records

Any system protocol can be committed (collected and stored) as a record through a global trigger function. The basic trigger syntax is <protocol>.commitRecord().

HTTP.commitRecord() commits all detected HTTP traffic for the devices to which the trigger is assigned. The following figure shows the completed Trigger Configuration window.

For each built-in record type (such as HTTP), there is a corresponding built-in record format. Record formats control how records of a certain type are displayed in the ExtraHop Web UI, such as the display name of each field, the preferred order of fields, and which fields are visible by default. A record format is needed to show fields in the table view. Without a record format, all the fields in a record can still be viewed in verbose view, which displays all fields in plain text. (Modifying record formats for custom record types is an advanced feature.)

The following figure shows record results for all HTTP transactions.

Check out the following guides and resources that are designed to familiarize new users with our top features.

Collect flow records

You can automatically collect all flow records, which are network-layer communications between two devices over an IP protocol. If you enable this feature, but do not add any IP addresses or port ranges, all detected flow records are captured.

Before you begin

Configuring flow records for automatic collection is fairly straightforward and can be a good way to test that your appliances are connected.
  1. Log into the Admin UI on your Discover appliance.
  2. In the ExtraHop Explore Settings section, click Automatic Flow Records.
  3. Select the Enabled checkbox.
  4. In the Publish Interval field, type a number between 60 and 21600. This value determines how often records from an active flow are sent to the Explore appliance. The default value is 1800 seconds.
  5. In the IP Address field, type a single IP address or IP address range in IPv4, IPv6, or CIDR format. Then, click the green plus (+) icon. (You can remove an entry by clicking the red delete (X) icon.)
  6. In the Port Ranges field, type a single port or port range. Then, click the green plus (+) icon.
  7. Click Save.
    Flow records that meet your criteria are now automatically sent to your connected Explore appliance. Wait a few minutes for records to be collected, and then verify that flow records are being collected in the next step.
  8. Click Records from the top navigation to launch a query. If you do not see any records, wait a few minutes and try again. If no records appear after five minutes, review your configuration or contact ExtraHop Support.

Collect L7 records

You can collect L7 records to store on your Explore appliance, which show details from individual messages or transactions over L7 protocols. These types of records require triggers.

Before you begin

In the following example, you will learn how to collect records for any device that sends or receives an HTTP response. First, we will write a trigger to collect information from the built-in HTTP record type. Then, we will assign the trigger to a web server. Finally, we will verify that the records are being sent to the Explore appliance.
  1. Log into the Web UI on your Discover appliance.
  2. Click the System Settings icon, and then click Triggers.
  3. Click New to launch the Trigger Configuration window.
  4. In the Configuration tab, complete your information, similar to the following example:

    Name: HTTP Responses

    Author: ExtraHop

    Description: This trigger collects HTTP responses.

    Debugging: Select the checkbox to enable debugging.

    Events: HTTP_RESPONSE

  5. Click the Editor tab.
  6. Type the following example code in the text box:
    HTTP.commitRecord()
    debug("committing HTTP responses")

    This code generates records for the HTTP record type when the HTTP_RESPONSE event occurs and corresponds to the built-in record format for HTTP.

  7. Click Save and Close. Next, assign this trigger to a web server.
  8. Click Metrics from the top menu and then click Devices in the left pane.
  9. Search for an active web server that you want to collect records for. For this example, we will select a web server called web-sea-example.
  10. Select the checkbox next to the web server (such as web-sea-example).
  11. Click Assign Trigger from the menu above the table.
  12. From the list, select the checkbox next to the trigger we previously created named HTTP Responses, and then click Assign Triggers.
    Records that meet your criteria are now sent to your connected Explore appliance. Wait a few minutes for records to be collected, and then verify that your records are being collected in the next step.
  13. Click Records from the top menu to launch a query. If you do not see any HTTP records, wait a few minutes and try again. If no records appear after five minutes, review your configuration or contact ExtraHop Support.

Collect custom records

You can customize the type of record details you generate and store on your Explore appliance by writing a trigger. We recommend that you also create a record format to control how the records display in the ExtraHop Web UI.

Before you begin

In the following example, you will learn how to store only records for HTTP transactions that result in a 404 status code. First, we will write a trigger to collect information from the built-in HTTP record type. Then, we will assign the trigger to a web server. Finally, we will create a record format to display selected record fields in the table view for our record query results.

Write and assign a trigger

Note that the trigger must be created on each Discover appliance that you want to collect these types of records from.

  1. Log into the Web UI on the Discover appliance.
  2. Click the System Settings icon, and then click Triggers.
  3. Click New to launch the Trigger Configuration window.
  4. In the Configuration tab, complete your information, similar to the following example:

    Name: HTTP 404 Errors

    Author: ExtraHop

    Description: Track 404 errors on primary web server.

    Debugging: Select the checkbox to enable debugging.

    Events: HTTP_RESPONSE

  5. Click the Editor tab to write the trigger specifications.
    The following figure shows an example configuration that only collects records when a 404 status code is detected. We also set a name (web404) for these types of records to identify them in a record query and added identifying information for debugging.

    In the next steps, assign the trigger to a device or device group for which you want to monitor 404 status codes.
  6. Click Metrics from the top menu.
  7. Click Devices.
  8. Select the checkbox for a device from the list. For our example, we will select a web server called web2-sea.
  9. Click the Assign Triggers icon, select the trigger you created in the previous steps, and then click Assign Triggers. In the following figure, we have selected our web server, web2-sea.
    After assigning the trigger, return to the System Settings > Triggers page and select the trigger you created. First, make sure your device has activity. Then, click the Runtime Log tab to see whether the trigger is committing your records. For the following example, we intentionally visited unavailable web pages to generate 404 errors.
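The trigger body for this example, shown here as an added illustration rather than the figure from the original page. On the appliance the body is the contents of onHttpResponse() below: the HTTP object, the global commitRecord(id, record) function and debug() are supplied by the trigger runtime, and their names are taken from the ExtraHop trigger API (verify them against the API reference for your firmware). To make the logic runnable outside the appliance, the body is wrapped in a function that receives stand-ins for those globals, and the HTTP_RESPONSE events it runs over are constructed.

```javascript
// Added example: the logic of the "HTTP 404 Errors" trigger, arranged so it can
// run outside an ExtraHop appliance. On the appliance the trigger body is just
// the contents of onHttpResponse(); HTTP, commitRecord and debug are provided
// by the trigger runtime for the HTTP_RESPONSE event (names per the ExtraHop
// trigger API; verify against your firmware's API reference).

const RECORD_TYPE = "web404";

// Trigger body. HTTP stands in for the runtime's HTTP object, commitRecord for
// the global that sends a custom record to the Explore appliance, and debug for
// the global that writes to the trigger's Runtime Log.
function onHttpResponse(HTTP, commitRecord, debug) {
  if (HTTP.statusCode !== 404) {
    return false;                               // not a 404: commit nothing
  }
  // Start from the built-in HTTP record (HTTP.record) so the fields line up
  // with the built-in HTTP record format, then commit it under our own type.
  debug("committing " + RECORD_TYPE + " record for " + HTTP.method + " " + HTTP.uri);
  commitRecord(RECORD_TYPE, HTTP.record);
  return true;
}

// ---- Local harness (constructed data) ----

// Minimal stand-in for the runtime HTTP object. On the appliance HTTP.record is
// built by the runtime; here it is assembled from the same constructed fields.
function makeHttpEvent(f) {
  return {
    statusCode: f.statusCode,
    method: f.method,
    uri: f.uri,
    record: {
      client: f.client,
      server: f.server,
      method: f.method,
      statusCode: f.statusCode,
      uri: f.uri,
      processingTime: f.processingTime,
    },
  };
}

// Runs the trigger body over constructed HTTP_RESPONSE events and returns the
// records that would have been sent to the Explore appliance plus the debug log.
function collectWeb404Records(events) {
  const committed = [];
  const log = [];
  const commitRecord = (type, rec) => committed.push({ type, ...rec });
  const debug = (msg) => log.push(msg);
  for (const fields of events) {
    onHttpResponse(makeHttpEvent(fields), commitRecord, debug);
  }
  return { committed, log };
}

// Constructed sample responses from the web server web2-sea.
const SAMPLE_EVENTS = [
  { client: "10.0.0.5", server: "web2-sea", method: "GET",  statusCode: 200,
    uri: "web2-sea/index.html",     processingTime: 12 },
  { client: "10.0.0.5", server: "web2-sea", method: "GET",  statusCode: 404,
    uri: "web2-sea/missing.html",   processingTime: 3 },
  { client: "10.0.0.9", server: "web2-sea", method: "POST", statusCode: 500,
    uri: "web2-sea/api/login",      processingTime: 840 },
  { client: "10.0.0.9", server: "web2-sea", method: "GET",  statusCode: 404,
    uri: "web2-sea/old/report.pdf", processingTime: 4 },
];

const outcome = collectWeb404Records(SAMPLE_EVENTS);
console.log(outcome.committed.length + " web404 record(s) committed");
for (const line of outcome.log) console.log("debug: " + line);
```

Only the 404 responses are committed; the 200 and 500 responses produce no record and no debug line, which is what you should see in the Runtime Log on the appliance once the trigger is assigned to an active web server.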

Query for your custom record type
  1. Click Records from the top menu.
  2. In the left pane, click the Record Type drop-down. Your newly created record type should appear in italics at the top of the list.
  3. Select the record type and then click out of the menu. For our example, we will select web404, as displayed in the figure below.
  4. Click the Verbose View icon.
  5. Click Fields and then click Select All.
    All of the information collected from the trigger about these records is shown in the query results.

Create a custom record format to display your record results in a table

Record formats are the recommended way to display your records with only the fields you want to see. Without a custom record format, the fields for your custom record will not appear in any selectable lists, such as the Group By list.

The quickest way to create a custom record format is to copy and paste the schema on read from a built-in record format into a new record format. If you have multiple Discover appliances, you need to create the custom record format on each appliance where the record results are viewed.
  1. Log into the ExtraHop Web UI on the Discover appliance.
  2. Click the System Settings icon and then click Record Formats.
  3. Click on the type of record you want to copy. For our example, we will copy the HTTP record format.
  4. Copy the contents in the text box below Schema on Read.
  5. Click New Record Format.
  6. Complete the following fields:

    Display Name: Type a unique name for your record format.

    Author: Identify the author for the record format.

    Record Type: Type the same record type ID you created in the trigger. In our example, this value is web404.

    Schema on Read: Paste the copied contents from step 4 into the text box. Edit the box to delete any unwanted fields. For our example in the figure below, we only kept the following fields: Client, Server, Method, Status Code, URI, and Processing Time.

Record format settings

The Record Format Settings page displays a list of all built-in and custom record formats that are available on your local ExtraHop Discover or Command appliance. If you need to create a custom record format, we recommend that you begin by copying and pasting the schema on read from a built-in record format. Advanced users who want to create a custom record format with their own field-value pairs should apply the reference material provided in this section.

Record formats consist of the following settings:
Display Name
The name displayed for the record format in the Web UI. If there is no record format for the record, the record type is displayed.
Author
(Optional) The author of the record format. All built-in record formats display ExtraHop as the author.
Record Type
A unique alphanumeric name that identifies the type of information contained in the associated record format. The record type links the record format with the records that are sent to the Explore appliance. Built-in record formats have a record type that begins with a tilde (~). Custom record formats cannot have a record type that begins with a tilde (~).
Schema on Read
A JSON-formatted array with at least one object. Each object describes one field in the record and consists of name and value pairs; each object must have a unique combination of name and data_type within that record format. A field object can contain the following keys:
name
The name of the field.
display_name
The display name for the field. If the display_name field is empty, the name field is displayed.
description
(Optional) Descriptive information about the field. The description appears only on the Record Format Settings page and is not displayed in any record query.
default_visible
(Optional) If set to true, this field displays in the Web UI as a column heading by default in table view.
facet
(Optional) If set to true, facets for this field display in the Web UI. Facets are a short list of the most common values for the field that can be clicked to add a filter.
data_type
The abbreviation that identifies the type of data stored in this field. The following data types are supported:
Data Type        Abbreviation  Description
application      app           ExtraHop application ID (string)
boolean          b             Boolean value
device           dev           ExtraHop device ID (string)
flow interface   fint          Flow interface ID
flow network     fnet          Flow network ID
IPv4             addr4         An IPv4 address in dotted-quad format. Greater than and less than filters are supported.
IPv6             addr6         An IPv6 address. Only string-oriented filters are supported.
number           n             Number (integer or floating point)
string           s             Generic string
meta_type
The sub-classification of the data type that further determines how the information is displayed in the Web UI. The following meta-types are supported for each of the associated data types:
Data Type Meta Type
String
  • domain
  • uri
  • user
Number
  • bytes
  • count
  • expiration
  • milliseconds
  • packets
  • timestamp
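A schema on read for the web404 record format from the Collect custom records example, keeping the six fields that example keeps (Client, Server, Method, Status Code, URI, Processing Time), together with a checker for the rules in this reference section: a custom record type may not begin with a tilde, every field needs a name and a supported data_type, meta_type must belong to its data_type, and the name plus data_type combination must be unique. This is an added example, not ExtraHop code: the field names, data types and meta types in WEB404_FORMAT are illustrative rather than copied from the built-in HTTP format, and the checker is also run over a deliberately broken format to show what each rule rejects.

```javascript
// Added example: the schema on read for the web404 record format and a checker
// for the rules in this reference section. Field names and types in
// WEB404_FORMAT are illustrative, not copied from the built-in HTTP format.

const DATA_TYPES = new Set(["app", "b", "dev", "fint", "fnet", "addr4", "addr6", "n", "s"]);

// meta_type is only defined for string and number fields.
const META_TYPES = {
  s: new Set(["domain", "uri", "user"]),
  n: new Set(["bytes", "count", "expiration", "milliseconds", "packets", "timestamp"]),
};

// What the New Record Format form would hold for the web404 example, keeping
// Client, Server, Method, Status Code, URI and Processing Time.
const WEB404_FORMAT = {
  display_name: "HTTP 404 Errors",
  author: "ExtraHop",
  record_type: "web404",
  schema_on_read: [
    { name: "client", display_name: "Client", data_type: "dev", default_visible: true },
    { name: "server", display_name: "Server", data_type: "dev", default_visible: true },
    { name: "method", display_name: "Method", data_type: "s", default_visible: true, facet: true },
    { name: "statusCode", display_name: "Status Code", data_type: "n", meta_type: "count",
      default_visible: true, facet: true },
    { name: "uri", display_name: "URI", data_type: "s", meta_type: "uri", default_visible: true },
    { name: "processingTime", display_name: "Processing Time", data_type: "n",
      meta_type: "milliseconds", default_visible: true },
  ],
};

// The Schema on Read box takes JSON text; parse it and insist on an array.
function parseSchemaOnRead(text) {
  const parsed = JSON.parse(text);
  if (!Array.isArray(parsed)) throw new Error("schema on read must be a JSON array of field objects");
  return parsed;
}

// Returns a list of rule violations; an empty list means the format is valid.
function validateRecordFormat(format) {
  const problems = [];

  const rt = format.record_type;
  if (typeof rt !== "string" || rt === "") {
    problems.push("record_type is required");
  } else if (rt.startsWith("~")) {
    problems.push("record_type " + rt + " begins with ~, which is reserved for built-in formats");
  } else if (!/^[A-Za-z0-9]+$/.test(rt)) {
    problems.push("record_type " + rt + " is not alphanumeric");
  }

  const schema = typeof format.schema_on_read === "string"
    ? parseSchemaOnRead(format.schema_on_read)
    : format.schema_on_read;
  if (!Array.isArray(schema) || schema.length === 0) {
    problems.push("schema_on_read must contain at least one field object");
    return problems;
  }

  const seen = new Set();                       // name + data_type must be unique
  schema.forEach((field, i) => {
    const where = "field " + i + " (" + (field.name || "unnamed") + ")";
    if (typeof field.name !== "string" || field.name === "") {
      problems.push(where + ": name is required");
    }
    if (!DATA_TYPES.has(field.data_type)) {
      problems.push(where + ": unsupported data_type " + JSON.stringify(field.data_type));
    } else if (field.meta_type !== undefined) {
      const allowed = META_TYPES[field.data_type];
      if (!allowed || !allowed.has(field.meta_type)) {
        problems.push(where + ": meta_type " + field.meta_type + " is not valid for data_type " + field.data_type);
      }
    }
    for (const flag of ["default_visible", "facet"]) {
      if (field[flag] !== undefined && typeof field[flag] !== "boolean") {
        problems.push(where + ": " + flag + " must be true or false");
      }
    }
    const key = field.name + "/" + field.data_type;
    if (seen.has(key)) problems.push(where + ": duplicate name and data_type " + key);
    seen.add(key);
  });
  return problems;
}

// A deliberately broken format, to show what each rule rejects (constructed).
const BROKEN_FORMAT = {
  display_name: "Broken",
  record_type: "~web404",
  schema_on_read: JSON.stringify([
    { name: "uri", data_type: "s", meta_type: "bytes" },   // bytes is a number meta_type
    { name: "uri", data_type: "s" },                       // duplicate name + data_type
    { name: "ttl", data_type: "int" },                     // not a supported abbreviation
  ]),
};

console.log("web404 problems:", validateRecordFormat(WEB404_FORMAT));
console.log("broken problems:", validateRecordFormat(BROKEN_FORMAT));
```

validateRecordFormat() accepts schema_on_read either as an already parsed array or as the JSON text you would paste into the Schema on Read box, so the same check works on a format copied out of the Web UI.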

Query for stored records on an Explore appliance from a Discover or Command appliance

After you connect your Explore appliance to your Discover and Command appliances, and records are sent to the Explore appliance, you can query for those stored records from either the Discover or Command appliance. In addition, you can save record queries to run at a later time.

You can query records that are stored in the Explore appliance from multiple areas in the ExtraHop Web UI. The following figure shows the main records page, which you access by clicking Records from the top menu.



  • Click Records from the top menu to start a new record query for all records stored on the Explore appliance.
  • From the records page, click Record Queries in the navigation bar or Saved Record Queries in the left pane to access any saved queries or start a new query.
  • Type a search term in the global search field at the top of the screen and click Search Records to start a query across all stored records.
  • Click the Records icon from the panel of Action icons on an application or device protocol page that has built-in record formats. This option queries for records that match the selected metric source and protocol.
  • Click the Records icon in the left-hand column from any drill-down metrics page. This option queries for records that match the selected metric source, protocol, and detailed stat value.
  • Click the Records icon from a chart widget or on a metric drill-down page.

No matter where you start your query from, you might have a large set of records results. You can narrow down your results by applying filters to find the specific record you need.

Next steps

Filter your records with a simple query

There are a number of ways you can filter your record query results to find the exact transaction you are looking for. The sections below describe each method and show examples you can start with to familiarize yourself.

If you are trying to filter records by simple criteria (say, if you want all HTTP transactions from a single server that generated 404s), you can create a simple query. For simple queries, start by clicking Records from the top menu to get to the main Records page, and then add a filter in one of the following ways:

  • Add a filter or refine results from the left pane
  • Add a filter from the trifield
  • Add a filter directly from record results
Filter record results from the left pane

When you click Records from the top menu, all of the available records for your selected time interval appear. You can then filter from the left pane to refine your results.



The Record Type drop-down menu displays a list of all of the record types that your Discover or Command appliance is configured to collect and store.

The Group By drop-down gives you a list of fields to further filter the record type by.

The Refine Results section shows you a list of record types that are currently on the Explore appliance, with the current number of records in parentheses.

Filter record results through the trifield

When you click Records from the top-level navigation, all of the available records for your selected time interval appear. A set of three filters (or the trifield) is available below the chart.

Select a field from the Any Field drop-down (such as Server), select an operator (such as the equal sign (=)), and then type a hostname. Click Add filter, and the filter is added above the filter bar.





Your results only show records that match the filter; in our example this means we only see results for transactions that are for the server named web2-nyc.

The following operators can be selected, based on the selected field name:

Operator         Description
=                Equals
≠                Does not equal
≈                Includes
≉                Excludes
<                Less than
≤                Less than or equal to
>                Greater than
≥                Greater than or equal to
starts with      Starts with
exists           Exists
does not exist   Does not exist
Filter directly from record results

You can select any field entry displayed in either table view or verbose view in your record results and then click the pop-up operator to add the filter. Filters are displayed below the chart summary (except for the record type field, which is changed in the left pane).



Filter your records with advanced query rules

For advanced queries, you can create and modify complex filters by clicking the Add Advanced Filter button or by clicking the pencil icon next to any filter that you have added.



Here are some important things to know about advanced queries:
  • You can specify multiple criteria with OR (Match Any), AND (Match All), and NONE operators
  • You can group filters and nest them to four levels within each group
  • You can edit a filter group after you create it
  • You can create a descriptive name to identify the general purpose of the query

Create a complex filter with AND and OR operators

The following example shows how you can create an advanced query to filter your records with complex criteria. We will create a filter that returns all HTTP records whose URI includes either of two hostnames and that have both a status code greater than or equal to 400 and a processing time greater than 750 milliseconds.

Important: To try this example on your own Discover appliance, you must have HTTP traffic on your network.
  1. Click Records from the top menu.
  2. In the left pane, select HTTP from the Refine Results section. Only available records are displayed in the Refine Results section. This step ensures that you have available records for this query.
    Note: Record types do not appear as filters; they are displayed in the left pane.
  3. Click the Add Advanced Filter button. The button is on the right side of the page, above the records search results.
  4. Under Filter Definition, we will keep Match All. Match All is an AND operator: a record must satisfy the status code criterion, the processing time criterion, and the URI group that we add in later steps.
  5. Select Status Code, the greater than or equal to sign (≥), and then type 400 in the number field.
  6. Click Add Filter to add a filter for processing time.
  7. Select Processing Time, the greater than sign (>), and then type 750 in the number field.
    In the next steps, we will add a group of criteria that applies specifically to the fields we added.
  8. Click Add Group.
    We are keeping Match Any for this group. Match Any is an OR operator and will let us search for criteria that matches either of our URIs.
  9. Click the Any Field drop-down and select URI.
  10. Select the includes (≈) symbol.
  11. Type a URI for one of your web servers in the text field. We will add assets.example.com.
  12. Click Add Filter inside the white box to add a second URI filter to the group.
  13. Click the Any Field drop-down and select URI.
  14. Select the includes (≈) symbol.
  15. Type a URI for one of your web servers in the text field. We will add media.example.com.
  16. In the Custom Display Name field, type a descriptive name to make the filter easy to identify on the results page, otherwise the display name shows the first filter and the number of other applied rules:


    We will type “Slow and Broken Web Assets” in the field.

  17. Click Save.
After you click Save, the query automatically runs and returns records that match either URI and that have both a status code equal to or greater than 400 and a processing time greater than 750 milliseconds.
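How the operators from the trifield table and the Match All, Match Any and NONE groups combine, as an added example (not ExtraHop code) that evaluates the Slow and Broken Web Assets query over constructed records. The record field names follow the web404 format used earlier in this guide; reading includes as a substring match and exists as "the field is present" is this example's assumption about the Web UI's behaviour.

```javascript
// Added example: how record filters combine. A filter is { field, op, value }
// and a group is { match: "all" | "any" | "none", rules: [...] } whose rules are
// filters or nested groups. Operators follow the trifield table; reading
// "includes" as a substring match is this example's assumption.

const OPERATORS = {
  "=":  (a, b) => a === b,
  "≠":  (a, b) => a !== b,
  "≈":  (a, b) => typeof a === "string" && a.includes(b),
  "≉":  (a, b) => !(typeof a === "string" && a.includes(b)),
  "<":  (a, b) => a < b,
  "≤":  (a, b) => a <= b,
  ">":  (a, b) => a > b,
  "≥":  (a, b) => a >= b,
  "starts with":    (a, b) => typeof a === "string" && a.startsWith(b),
  "exists":         (a) => a !== undefined && a !== null,
  "does not exist": (a) => a === undefined || a === null,
};

const MAX_GROUP_DEPTH = 4;   // the Web UI nests groups to four levels

// Evaluates one filter or group against a single record.
function matches(rule, record, depth = 0) {
  if (Array.isArray(rule.rules)) {                        // a group
    if (depth > MAX_GROUP_DEPTH) throw new Error("groups nested deeper than " + MAX_GROUP_DEPTH);
    const results = rule.rules.map((r) => matches(r, record, depth + 1));
    switch (rule.match) {
      case "all":  return results.every(Boolean);         // Match All = AND
      case "any":  return results.some(Boolean);          // Match Any = OR
      case "none": return !results.some(Boolean);         // NONE
      default: throw new Error("unknown match mode " + rule.match);
    }
  }
  const op = OPERATORS[rule.op];
  if (!op) throw new Error("unknown operator " + rule.op);
  return op(record[rule.field], rule.value);
}

function queryRecords(records, filter) {
  return records.filter((rec) => matches(filter, rec));
}

// The "Slow and Broken Web Assets" query built in the steps above: Match All at
// the top level, with a Match Any group holding the two URI filters.
const SLOW_AND_BROKEN = {
  name: "Slow and Broken Web Assets",
  match: "all",
  rules: [
    { field: "statusCode", op: "≥", value: 400 },
    { field: "processingTime", op: ">", value: 750 },
    { match: "any", rules: [
      { field: "uri", op: "≈", value: "assets.example.com" },
      { field: "uri", op: "≈", value: "media.example.com" },
    ] },
  ],
};

// Constructed HTTP records (fields as in the web404 format used earlier).
const SAMPLE_RECORDS = [
  { server: "web2-nyc", uri: "assets.example.com/app.js",  statusCode: 503, processingTime: 900 },  // slow and broken
  { server: "web2-nyc", uri: "media.example.com/a.mp4",    statusCode: 404, processingTime: 760 },  // slow and broken
  { server: "web2-nyc", uri: "media.example.com/b.mp4",    statusCode: 404, processingTime: 20 },   // broken but fast
  { server: "web2-nyc", uri: "assets.example.com/ok.css",  statusCode: 200, processingTime: 1200 }, // slow but fine
  { server: "web1-sea", uri: "www.example.com/index.html", statusCode: 500, processingTime: 2000 }, // neither URI
  { server: "web1-sea", uri: "www.example.com/ping",       statusCode: 200 },                       // no processing time
];

// A simple trifield filter for comparison: Server = web2-nyc.
const SERVER_IS_WEB2_NYC = { field: "server", op: "=", value: "web2-nyc" };

console.log("slow and broken:", queryRecords(SAMPLE_RECORDS, SLOW_AND_BROKEN).map((r) => r.uri));
console.log("web2-nyc records:", queryRecords(SAMPLE_RECORDS, SERVER_IS_WEB2_NYC).length);
```

Only the first two records satisfy all three top-level criteria. If the top level were Match Any instead, the fast 404 and the slow 200 would also be returned, which is the difference between the AND and OR readings of this query.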

Next steps

You can click Save Query as... from the top right of the page to save your criteria for another time.

Bundles

Bundles are a saved set of system configurations that can be uploaded to an ExtraHop appliance. You can download a number of bundles from the ExtraHop Solution Bundle Gallery or create your own. Bundles from the gallery are designed to help you configure your ExtraHop appliances to address specific use cases; for example, the Ransomware Bundle configures your ExtraHop appliance to detect and track ransomware activity.

The following system customizations can be saved as part of a bundle:

  • Alerts
  • Applications
  • Custom pages
  • Dashboards
  • Dynamic groups
  • Flex grids
  • Geomaps
  • Triggers

Install a bundle

You can install a bundle from the ExtraHop Solution Bundle Gallery or you can install a bundle that you created on another ExtraHop appliance. To install a bundle, you must first download the bundle, upload the bundle to your ExtraHop appliance, and then apply the bundle.

Download a bundle from the ExtraHop website

You can download a number of pre-configured bundles created by the ExtraHop community.

  1. In a web browser, go to the ExtraHop Solution Bundles Gallery.
  2. Navigate to the bundle you want to download.
  3. Read all requirements and installation instructions for the bundle.
    Make sure that your ExtraHop appliance is running the minimum firmware version specified for the bundle or a later version. Bundles designed for later firmware versions might require features that are not available on earlier firmware.
  4. If you have not already logged into the ExtraHop website, click Login in the right pane and then specify a valid username and password.
  5. Click Download Now.
  6. Save the .json file to a location on your local machine.

Download a bundle from an ExtraHop appliance

  1. Log into the Web UI on the Discover or Command appliance.
  2. Click the System Settings icon and then click Bundles.
  3. In the Bundles table, click the name of the bundle.
  4. Click Download.
    The .json bundle file is downloaded to your local machine.

Upload and apply a bundle

After you have downloaded a bundle, you can upload and install the bundle on your appliance.

  1. Log into the Web UI of a Discover or Command appliance.
  2. Click the System Settings icon.
  3. Click Bundles.
  4. Click Upload.
  5. In the Load Bundle dialog box, click the Choose File button, and then select the bundle .json file.
  6. Click Upload.
  7. Select the Apply included assignments checkbox.
    Selecting this option assigns the bundle to the metric sources specified in the bundle. In most cases, it is best to apply the default assignments. However, keep in mind that more assignments will consume more system resources.
  8. From the Existing objects drop-down menu, select Overwrite.
    Selecting this option overwrites any objects that have the same name as objects in the bundle. It is important to select Overwrite to ensure that all bundle objects are imported and the bundle functions properly. However, we recommend that you check the names of objects in the bundle to make sure they are not shared with any objects in use on your appliance, because those objects will be replaced. Because a bundle can include triggers, which run on the appliance, review the trigger code in any bundle that you did not create yourself before you apply it.
  9. Click Apply.
  10. If you are installing a bundle from a Command appliance, select a Discover appliance from the Bundle Node Selection dialog box and click OK.
  11. In the Bundle Import Status dialog box, click OK.
  12. In the View Bundle window, click OK.

Next steps

  • Follow any installation instructions on the bundle page in the ExtraHop Solution Bundles Gallery.
  • Enable any triggers included in the bundle.
  • Configure any alerts in the bundle to notify relevant email addresses.
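A pre-flight review of a downloaded bundle file before it is uploaded with Existing objects set to Overwrite, as an added example (not ExtraHop code). It stops on a required firmware version the appliance does not meet, lists every object that Overwrite would replace, and surfaces each trigger for review, since triggers are code that runs on the appliance. The bundle layout it reads (name, required_version, contents.<type>[] of objects with a name, and script and events on triggers) and the sample bundle are hypothetical; check a real bundle file's keys before adapting it. The open data stream check assumes that ODS triggers call the Remote class of the trigger API.

```javascript
// Added example: pre-flight review of a downloaded bundle .json before it is
// uploaded with "Existing objects: Overwrite". The bundle layout read here
// (name, required_version, contents.<type>[] of objects with a name, and
// script/events on triggers) is hypothetical; check a real bundle file's keys
// before adapting this.

// Compare dotted firmware versions numerically ("7.10.0" is newer than "7.2.1").
function compareVersions(a, b) {
  const pa = String(a).split(".").map(Number);
  const pb = String(b).split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// existing maps object type -> names already in use on the appliance.
// Returns what blocks the install, what Overwrite would replace, and the
// triggers an operator should read before applying.
function preflightBundle(bundle, runningVersion, existing) {
  const blocking = [];
  const overwrites = [];
  const triggersToReview = [];

  // 1. Firmware: the Web UI only warns when required_version is newer than the
  //    running firmware, so treat it as a hard stop here.
  if (bundle.required_version && compareVersions(runningVersion, bundle.required_version) < 0) {
    blocking.push("bundle requires firmware " + bundle.required_version +
                  " but the appliance runs " + runningVersion);
  }

  // 2. Overwrite collisions: any same-named object is replaced on apply.
  for (const [type, objects] of Object.entries(bundle.contents || {})) {
    const inUse = new Set(existing[type] || []);
    for (const obj of objects) {
      if (inUse.has(obj.name)) overwrites.push(type + ": " + obj.name);
    }
  }

  // 3. Triggers are code that runs on the appliance. Surface each one with its
  //    events and whether it commits records or sends to an open data stream
  //    (assumed to go through the trigger API's Remote class) so it is read
  //    before the bundle is applied.
  for (const trig of (bundle.contents && bundle.contents.triggers) || []) {
    const script = trig.script || "";
    triggersToReview.push({
      name: trig.name,
      events: trig.events || [],
      commitsRecords: /\bcommitRecord\s*\(/.test(script),
      usesOpenDataStream: /\bRemote\./.test(script),
    });
  }

  return { blocking, overwrites, triggersToReview, safeToApply: blocking.length === 0 };
}

// Constructed bundle file contents and appliance state.
const SAMPLE_BUNDLE = {
  name: "Example Web Bundle",
  author: "community",
  required_version: "7.0",
  contents: {
    triggers: [
      { name: "HTTP 404 Errors", events: ["HTTP_RESPONSE"],
        script: "if (HTTP.statusCode === 404) { commitRecord('web404', HTTP.record); }" },
      { name: "HTTP Errors to Syslog", events: ["HTTP_RESPONSE"],
        script: "if (HTTP.statusCode >= 500) { Remote.Syslog.error('http ' + HTTP.statusCode); }" },
    ],
    dashboards: [{ name: "Web Errors" }],
    alerts: [{ name: "HTTP 5xx Spike" }],
  },
};
const EXISTING_OBJECTS = { triggers: ["HTTP 404 Errors"], dashboards: ["Web Errors"], alerts: [] };

const review = preflightBundle(SAMPLE_BUNDLE, "7.2.1", EXISTING_OBJECTS);
console.log("blocking:", review.blocking);
console.log("overwrites:", review.overwrites);
for (const t of review.triggersToReview) console.log("review trigger:", t);
```

Run it against the .json you downloaded (JSON.parse the file contents) and the names from your Bundles, Triggers and Dashboards pages; an empty blocking list with a non-empty overwrites list is the case where you should rename or back up the listed objects before clicking Apply.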

Create a bundle

You can save system configurations to a bundle file and then upload that file to other appliances or share your bundle with the ExtraHop community.

Before you begin

If you are planning to upload your bundle to the ExtraHop Solution Bundle Gallery, we recommend you first read the Bundles Best Practices Guide. The guide describes how to configure your bundle to function properly in other environments.
  1. Log into the Web UI on the Discover or Command appliance.
  2. Click the System Settings icon and then click Bundles.
  3. On the Bundles page, click New.
  4. Complete the following information in the Bundle Settings window:
    Name
    Assign a name to the bundle.
    Author
    Specify the creator of the bundle. This name is applied to the author field of all objects in the bundle. If you do not specify an author, each bundle object retains its author setting.
    Required Version
    Specify the earliest version of ExtraHop firmware that the bundle can run on. We recommend that you specify the version of ExtraHop firmware that is currently running on your appliance. Specifying the current version prevents your bundle from being accidentally installed on an appliance that does not support the bundle.
    Note: If you try to import a bundle that requires a newer firmware version, a warning message displays in the Actions section of the Bundle Settings window. However, this warning does not prevent someone from uploading and applying the bundle.
    Contents
    Select the system configurations that you want to add to the bundle, such as triggers, dashboards, and alerts. Click the arrow to expand the list of available items.
    Description (Optional)
    Type a description about the bundle.
  5. Click OK to save the bundle.
  6. In the Bundles table, click the name of the bundle you created.
  7. Click Download.
    The .json bundle file is downloaded to your local machine.

Post a bundle to the ExtraHop website

After you create a bundle, you can post your bundle to the ExtraHop Solutions Bundle Gallery to share your work with the ExtraHop community.

  1. Download the bundle you want to share from your ExtraHop appliance.
    1. Log into the Web UI of a Discover or Command appliance.
    2. Click the System Settings icon.
    3. Click Bundles.
    4. Click the name of the bundle.
    5. Click Download.
      The bundle downloads as a .json file.
  2. In a web browser, go to the ExtraHop Solution Bundles Gallery.
  3. Click Contribute Now.
  4. Sign in with your extrahop.com username and password.
  5. In the Title field, type the bundle name.
  6. In the Minimum ExtraHop version field, type the earliest version of the ExtraHop firmware that supports all of the features contained in the bundle.
    We recommend that you specify the version of ExtraHop firmware that is currently running on your appliance. Specifying the current version ensures that your bundle will not be accidentally installed on an appliance that does not support the bundle.
  7. In the Select categories field, select an appropriate category.
    You can find descriptions of each bundle category on the bundle gallery page at https://www.extrahop.com/community/bundles/.
  8. In the Description field, type a description for the bundle.
    You can include Markdown syntax to style the Description, Requirements, and Installation instructions sections.
  9. In the Requirements field, type any requirements for the bundle.
    For example, the Ransomware Bundle requires that your data feed be configured to view SMB/CIFS traffic for your network-attached storage.
  10. In the Installation instructions field, type instructions for installing the bundle.
    For example, if your bundle requires the user to configure a trigger in a specific way, include that information in the installation instructions.
  11. Click the Browse button.
  12. Select the .json bundle file that you downloaded from the Discover or Command appliance.
  13. Review how the bundle page will display in the Bundle Details Preview section.
  14. Click Submit Bundle.
Bundles are reviewed by ExtraHop Support before the bundle appears on the ExtraHop website. The amount of time needed to review a bundle varies depending on the complexity and size of the bundle. In general, you can expect to see your bundle on the ExtraHop website within a few business days.

System health

You can assess the health and performance of an ExtraHop Discover appliance through system health tools. Monitoring system health data enables you to ensure that your Discover appliance is running as expected, to discover and troubleshoot issues, and to assess areas that need improvement. In addition, the ExtraHop Admin UI provides status information and diagnostic tools for all ExtraHop appliances.

The System Health page provides a large collection of charts with data such as packet throughput, heap allocation, and number of monitored devices. For example, you can monitor the number of packets processed by the ExtraHop system to ensure that packets are continuously captured. If you are sending data to a remote, third-party system through an open data stream (ODS), you can troubleshoot transmission errors to determine whether more memory should be dedicated to open data streams or whether an open data stream trigger requires modification.

Charts on the System Health page are divided into the following sections:

Capture
Displays charts that pertain to the health and performance of the wire data collected by the ExtraHop system.
Remote
Displays charts that pertain to the health and performance of open data stream (ODS) transmissions to a third-party syslog, database, or server.
Datastore
Displays charts that pertain to the health and performance of the ExtraHop datastore.
Trend
Displays charts that monitor performance and usage trends.
SSL certificates
Displays status information for all SSL certificates on the ExtraHop appliance.

Each chart enables you to view how the data changes over specified time intervals. The time interval selected in the Global Time Selector is applied to all charts on the page.

The sparklines on each chart contain data points that display additional details about a single point in time. Hover your mouse over a data point to display the additional details.

View Status and Diagnostics tools in the Admin UI

The Status and Diagnostics section of the ExtraHop Admin UI displays data about the ExtraHop appliance you are logged into and the wire data feed, and provides troubleshooting tools such as audit logs, exception files, and support scripts. For example, you might want to monitor CPU statistics to determine whether CPU usage rates are within normal ranges. Or, you might want to consult audit logs to track down an issue.

The Admin UI is displayed by default when you log into an Explore or Trace appliance. To access the Admin UI from a Discover or Command appliance, click the System Settings icon, and then click Administration.

The Status and Diagnostics section includes the following pages:

Health statistics
Provides metrics to view the operating efficiency of the ExtraHop appliance.
Audit log
Enables you to view event logging data and to change syslog settings.
Exception files
Enable or disable the creation of ExtraHop appliance exception files.
Support scripts
Upload and run ExtraHop appliance support packages.

Capture charts

Drops

Displays the percentage of packets dropped at the network card interface, SPAN, or network tap on an ExtraHop Discover appliance.

How this information can help you

Packet drops often result when appliance thresholds are exceeded. Refer to the Datasheets page to discover what the limits are for your ExtraHop Discover appliance. If the percentage of packet drops exceeds 2%, contact ExtraHop Support.

External timestamps

Displays the percentage of packets with an external timestamp read by the ExtraHop Discover appliance, based on the total number of packets processed.

How this information can help you

For internal purposes. The data in this chart might be requested by ExtraHop Support to help you diagnose an issue.

Capture heap allocation

Displays the amount of memory, expressed in bytes, that the ExtraHop Discover appliance dedicates to network packet capture.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Incoming packets breakdown

Displays the rate of incoming packets, expressed in packets per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of packets captured in the selected time interval.
Current
The number of packets captured during the most recent second.
Max
The maximum number of packets captured in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Analyzed
The packets analyzed by the ExtraHop Discover appliance.
Filtered
The packets not included in network L2 metrics.
L2 duplicates
The identical Ethernet frames counted as duplicate L2 packets.
L3 duplicates
The identical TCP or UDP IPv4 packets counted as duplicate L3 packets.
How this information can help you

Exceeding product thresholds might result in data loss. For example, a high packet rate might result in packets dropped at the span source or at a span aggregator. Similarly, large amounts of L2 or L3 duplicates can also indicate an issue at the span source or span aggregator and might result in skewed or incorrect metrics.

The acceptable rate of packets per second depends on your product. Refer to the Datasheets page to discover what the limits are for your ExtraHop Discover appliance and to determine whether the rate of packets per second is too high.

Incoming throughput breakdown

Displays the throughput of incoming packets, expressed in bytes per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of bytes transferred in the selected time interval.
Current
The number of bytes transferred during the most recent second.
Max
The maximum number of bytes transferred in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Analyzed
The throughput analyzed by the ExtraHop Discover appliance.
Filtered
The throughput not included in network L2 metrics.
L2 duplicates
The identical Ethernet frames counted as duplicate L2 throughput.
L3 duplicates
The identical TCP or UDP IPv4 packets counted as duplicate L3 throughput.
How this information can help you

Exceeding product thresholds might result in data loss. For example, a high throughput rate might result in packets dropped at the span source or at a span aggregator. Similarly, large amounts of L2 or L3 duplicates can also indicate an issue at the span source or span aggregator and might result in skewed or incorrect metrics.

The acceptable rate of bytes per second depends on your product. Refer to the Datasheets page to discover what the limits are for your ExtraHop Discover appliance and determine if the rate of bytes per second is too high.

Packet capture disk throughput

Displays the rate of bytes captured by the ExtraHop Discover appliance, expressed in bytes per second.

This chart also has the following metrics:

Total
The total number of bytes captured in the selected time interval.
Current
The number of bytes captured during the most recent second.
Max
The maximum number of bytes captured in a single second within the selected time interval.
How this information can help you

Monitor this chart for high amounts of throughput to the capture disk, which can indicate a large number of triggers with packet capture enabled. You might need to reassess the number of triggers or optimize packet capture triggers.

RPCAP packets

Displays the rate of remote packet capture (RPCAP) for all RPCAP peers, expressed in packets per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of RPCAP packets captured in the selected time interval.
Current
The number of RPCAP packets captured during the most recent second.
Max
The maximum number of RPCAP packets captured in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Encapsulation
The total number of RPCAP-encapsulated packets received by the Discover appliance.
Tunnel Eligible
The total number of RPCAP packets eligible to be forwarded to the Discover appliance.
Tunnel Sent
The total number of RPCAP-tunneled packets forwarded to the Discover appliance.
Tunnel Received
The total number of RPCAP-tunneled packets received by the Discover appliance.

The chart title contains the number of RPCAP peers. You can click the chart to open a second chart that displays the RPCAP packet metrics on a per-peer basis.

The RPCAP chart is only displayed if remote packet capture is enabled on the Discover appliance.

How this information can help you

Consult this chart after the initial setup of RPCAP to ensure that data is captured from every remote device on which RPCAP is deployed.

RPCAP throughput

Displays the rate of RPCAP throughput metrics for all RPCAP peers, expressed in bytes per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of RPCAP bytes transferred in the selected time interval.
Current
The number of RPCAP bytes transferred during the most recent second.
Max
The maximum number of RPCAP bytes transferred in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Encapsulation
The total number of RPCAP-encapsulated bytes received by the Discover appliance.
Tunnel Received
The total number of RPCAP-tunneled bytes received by the Discover appliance.

The chart title contains the number of RPCAP peers. You can click the chart to open a second chart that displays the RPCAP throughput metrics on a per-peer basis.

The RPCAP chart is only displayed if remote packet capture is enabled on the Discover appliance.

How this information can help you

Monitor this chart to ensure efficient usage of RPCAP resources and ensure that the Discover appliance can accommodate increases in RPCAP throughput.

TCP desyncs

Displays the occurrence rate of system-wide desyncs, expressed in desyncs per second, on the ExtraHop Discover appliance. A desync indicates that a transaction did not follow typical TCP behavior.

This chart also has the following metrics:

Total
The total number of desyncs that occurred in the selected time interval.
Current
The number of desyncs that occurred during the most recent second.
Max
The maximum number of desyncs that occurred in the selected time interval.

How this information can help you

A desync is recorded if synchronization is lost when processing a TCP connection. Large numbers of desyncs, such as over 100, might indicate dropped packets on the monitoring interface, SPAN, or network tap.

If adjustments to your SPAN do not reduce a large number of desyncs, contact ExtraHop Support.

Trigger drops

Displays the number of triggers dropped from the queue of triggers waiting to run on the ExtraHop Discover appliance.

How this information can help you

Any data displayed on this chart indicates that trigger drops are occurring and that trigger queues are backed up.

The Discover appliance queues trigger operations if a trigger thread is overloaded. If the queue grows too long, the system stops adding trigger operations to the queue and drops the triggers. Currently running triggers are unaffected.

The primary cause of long queues, and subsequent trigger drops, is a long-running trigger.

Trigger exceptions by trigger

Displays the number of unhandled exceptions, sorted by trigger, that occurred on the ExtraHop Discover appliance. You can click the chart to open a second chart. This is the same secondary chart displayed from the Trigger Load by Trigger chart.

How this information can help you

Trigger exceptions are the primary cause of trigger performance issues. If this graph indicates a trigger exception has occurred, the trigger should be corrected immediately.

Trigger executes

Displays the number of times triggers were run per second during the selected time interval. The chart provides an overall snapshot of all triggers currently running on the ExtraHop Discover appliance.

How this information can help you

Look for spikes or an upward trend in the chart and investigate any triggers that have resulted in the surge. For example, you might notice increased activity if a trigger has been modified or a new trigger has been enabled. View the Trigger executes by trigger chart to see which triggers are running most frequently.

Trigger executes by trigger

Displays the number of times each active trigger ran during the selected time interval on the ExtraHop Discover appliance.

How this information can help you

Look for triggers that run significantly more frequently than average, which might indicate several issues. For example, a trigger assigned to all applications or all devices might have a heavy performance cost. A trigger assigned to a device group that has been expanded might collect metrics you do not want. To minimize performance impact, a trigger should be assigned only to the specific sources that you need to collect data from.

High activity might also indicate that a trigger is working harder than it needs to. For example, a trigger might run on multiple events where it would be more efficient to create separate triggers, or a trigger script might not adhere to recommended scripting guidelines as described in the Triggers Best Practices Guide.

Trigger heap allocation

Displays the amount of memory, expressed in bytes, that the ExtraHop Discover appliance dedicates to processing capture triggers.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Trigger load

Displays the percentage of cycles on the ExtraHop Discover appliance that are consumed by triggers based on the total capture thread time.

You can mouse over a point on the graph to display the following metrics:

Load
The trigger cycle load at the selected point in time.
Cycles
The number of consumed cycles out of the total available cycles.
Executes
The number of trigger operations and the average number of trigger operations per second.
Average per execute
The average number of cycles consumed per trigger operation.

How this information can help you

Look for spikes or upward growth of the trigger load, especially after creating a new trigger or modifying an existing trigger. If you notice either condition, view the Trigger load by trigger chart to see which triggers are consuming the most resources.

Trigger load by thread

Displays the percentage of trigger cycle consumption per thread that occurred on the ExtraHop Discover appliance, based on the total capture time of the thread.

How this information can help you

The sparklines on this chart should display an even amount of consumption among multiple threads. Trigger drops might occur if the consumption of one thread is considerably higher than the others, even if the thread consumption is at a low percentage. For example, if consumption on one thread is 10% and 25% on another, then consumption is uneven and you should contact ExtraHop Support.

Trigger load by trigger

Displays the number of cycles consumed by each trigger enabled on the ExtraHop Discover appliance. You can click the chart to open a second chart that displays the consumption metrics on a per-trigger basis.

How this information can help you

Determine if any trigger appears to be consuming more cycles than average. If so, click to open the second chart and review the number of times the trigger has run. If the trigger has not run often, the trigger might be consuming more cycles than necessary, which can cause trigger drops.
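The heuristics stated for the TCP desyncs, Trigger drops, Trigger exceptions, Trigger executes by trigger and Trigger load by thread charts above can be applied programmatically to a metrics snapshot. The following is an added example, not ExtraHop code; the snapshot is constructed, and the "uneven thread" ratio and "hot trigger" factor are assumptions chosen to match the guide's 10% vs 25% illustration, since the guide gives no exact numbers for them.

```python
# Added example (not ExtraHop's own code): apply the System Health heuristics this
# guide states to one constructed metrics snapshot and return the findings.
from statistics import mean

DESYNC_THRESHOLD = 100      # guide: "over 100" desyncs may mean dropped packets on SPAN/tap
UNEVEN_THREAD_RATIO = 2.0   # assumed: busiest thread >= 2x least busy (guide's 10% vs 25% example)
HOT_TRIGGER_FACTOR = 3.0    # assumed: executes > 3x the per-trigger mean is "significantly more"

def check_system_health(snapshot):
    """Return a list of (chart, message) findings for a metrics snapshot."""
    findings = []
    desyncs = snapshot["tcp_desyncs_total"]
    if desyncs > DESYNC_THRESHOLD:
        findings.append(("TCP desyncs",
                         f"{desyncs} desyncs: check monitoring interface, SPAN or tap for drops"))
    drops = snapshot["trigger_drops"]
    if drops > 0:   # any data on this chart means queues are backed up
        findings.append(("Trigger drops",
                         f"{drops} dropped: trigger queues backed up, look for a long-running trigger"))
    for name, count in sorted(snapshot["trigger_exceptions_by_trigger"].items()):
        if count > 0:
            findings.append(("Trigger exceptions by trigger",
                             f"{name}: {count} unhandled exception(s), correct the trigger"))
    loads = snapshot["trigger_load_by_thread"]   # percent of capture time per thread
    if loads:
        lo, hi = min(loads), max(loads)
        # unevenness matters even at low absolute percentages, so compare as a ratio
        if hi > 0 and (lo == 0 or hi / lo >= UNEVEN_THREAD_RATIO):
            findings.append(("Trigger load by thread",
                             f"uneven consumption {lo}% vs {hi}%: contact ExtraHop Support"))
    execs = snapshot["trigger_executes_by_trigger"]
    if execs:
        avg = mean(execs.values())
        for name, n in sorted(execs.items()):
            if n > HOT_TRIGGER_FACTOR * avg:
                findings.append(("Trigger executes by trigger",
                                 f"{name} ran {n} times vs mean {avg:.0f}: review assigned sources and events"))
    return findings

# Constructed snapshot for illustration only; not data from a real appliance.
SAMPLE_SNAPSHOT = {
    "tcp_desyncs_total": 240,
    "trigger_drops": 12,
    "trigger_exceptions_by_trigger": {"http_audit": 0, "dns_logger": 3},
    "trigger_load_by_thread": [10, 25, 11, 12],
    "trigger_executes_by_trigger": {"http_audit": 52000, "dns_logger": 4000,
                                    "ssl_check": 3500, "db_watch": 4500},
}

if __name__ == "__main__":
    for chart, message in check_system_health(SAMPLE_SNAPSHOT):
        print(f"[{chart}] {message}")
```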

Remote charts

The Remote section of the System Health page contains charts that pertain to the health and performance of open data stream (ODS) transmissions to a third-party syslog, database, or server.

The Remote section provides the following charts:

Connections

Displays the number of attempts by the ExtraHop Discover appliance to connect to remote, third-party systems through open data streams (ODS).

You can mouse over a point on the graph to display data in the following categories:

Connection attempts
The number of attempts to connect to the remote system.
Connection errors
The number of errors that occurred during attempts to connect to the remote system.

You can click the chart to open a second chart, which is the same secondary chart displayed from the Messages sent chart.