The ExtraHop system automatically discovers and classifies devices that are actively communicating over the wire, such as clients, servers, routers, load balancers, and gateways. Each device receives the highest level of analysis available, based on your appliance configuration.
By clicking Assets in the top menu and then clicking Devices, you can see a list of the devices discovered on your network. You can search for a specific device, and then click the name to display an overview page that contains all of the discovered information and traffic and protocol metrics associated with the device.
It is important to know that devices listed in the ExtraHop system might not have a one-to-one correlation to the physical devices in your environment. For example, if a single physical device has multiple active network interfaces, that device is identified as multiple devices in the ExtraHop Web UI.
By clicking on a device name, you can view all of the information discovered by the ExtraHop system about the device on the Overview page. The Overview page is divided into three sections: a top-level summary, a properties panel, and an activity panel.
The device summary provides information that identifies the device and its role on your network.
Here are some ways you can learn more about the device:
- Click the pencil icon to view or modify device properties such as device role, device group memberships, or tag assignments.
- Click View Records to go to the Records page, which is filtered to display records for this device. Records are only available if the Command or Discover appliance is connected to an Explore appliance.
- Click View Packets to go to the Packets page, which is filtered to display packets for this device. Packets are only available if the Command or Discover appliance is connected to a Trace appliance.
The device properties section provides information that identifies known attributes and assignments for the device, such as tags, aliases, and the analysis level.
Here are some ways you can learn more about device properties:
- Click a tag to go to the Devices page, which is filtered by the name of the tag in the search bar.
- Click an active username to go to the Users page, which is filtered by the user name in the search bar. The user name is extracted from the authentication protocol, such as LDAP or Active Directory.
- Click View Groups to view a list of device groups the device belongs to and to modify the group membership.
- Click Edit Properties to view or modify device properties such as device role, device group memberships, or tag assignments.
- Click Edit Assignments to view or modify which alert configurations and triggers are assigned to the device.
The device activity section provides information about how the device is communicating with other devices on your network. CIick on the type of activity you want to investigate from the top of the section to display the details in the content pane. For example, click Alerts to view a list of alerts that were issued for the device in the specified time interval.
Here are some ways you can investigate activity on the device:
- Click Traffic, then drill down on metrics
in traffic charts.
Note: Traffic charts are not displayed if the device is in Discovery Mode. You can configure analysis priority rules to elevate this device to Advanced Analysis or Standard Analysis.
- Click Detections, then click a detection name to view detection
Note: Detections require a connection to the cloud-based ExtraHop Machine Learning Service
- Click Alerts, then click an alert name to view alert details.
- Click Peer Devices to display an activity map, which is visual representation of the L4-L7 protocol activity between devices in your network. To modify the activity map with additional filters and steps, click Open Activity Map.
|Tip:||You can bookmark the Overview page to a specific activity view by
setting the tab URL parameter to one of the following values: |
For example, the following bookmark URL defaults to the detection activity view on the Overview page:
Both custom devices and device groups are ways that you can aggregate your device metrics. Custom devices are user-created devices that collect metrics based on specified criteria, while device groups gather metrics for all of the specified devices in a group. With device groups, you can still view metrics for each individual device or group member. The metrics for a custom device are collected and displayed as if for a single device—you cannot view individual device metrics.
Both device groups and custom devices can dynamically aggregate metrics based on your specified criteria. We recommend selecting reliable criteria, such as the device IP address, MAC address, VLAN, tag, or type. While you can select devices by their name, if the DNS name is not automatically discovered, the device is not added.
|Device Groups||Custom Devices|
|Performance cost||Comparatively low. Because device groups only combine metrics that have already been calculated, there is a relatively low effect on metric collection. However, a high number of device groups with a large number of devices and complex criteria will take more time to process.||Comparatively high. Because the metrics for custom devices are aggregated based on user-defined criteria, large numbers of custom devices, or custom devices with extremely broad criteria, require more processing. Custom devices also increase the number of system objects to which metrics are committed.|
|View individual device metrics||Yes||No|
|Best practices||Create for local devices where you want to view and compare the metrics in a single chart. Device groups can be set as a metric source.||Create for devices that are outside of your local network, or for types of traffic that you want to organize as a single source. For example, you might want to define all physical interfaces on a server as a single custom device to better view metrics for that physical appliance as a whole.|
The ExtraHop system automatically discovers local L3 devices based on observed ARP traffic that is associated with IP addresses. By default, all IP addresses that are observed outside of locally-monitored broadcast domains are aggregated at one of the incoming routers in your network.
To collect metrics for a segment of traffic across multiple IP addresses and ports, you can create a custom device from a Command or Discover appliance. You might create a custom device to track individual devices outside of your local broadcast domain or you might create a single custom device to collect metrics for several known IP addresses or CIDR blocks for a remote site or cloud service. A single custom device counts as one device towards your licensed capacity for Advanced Analysis or Standard Analysis. Any triggers or alerts are also assigned to the custom device as a single device.
Create a custom device when you want to collect metrics for devices that are outside of your local network or when you have a group of devices that you want to aggregate metrics for as a single device. These devices can even be different physical interfaces that are located on the same device; aggregating the metrics for these interfaces can make it easier to understand how heavily taxed your physical resources are as a whole, rather than by interface.
After you create a custom device, all of the metrics associated with the IP addresses and ports are aggregated into a single L2 device. While typical L2 devices only collect MAC addresses and L2-L3 metrics, custom devices also collect L2-L7 metrics.
While custom devices aggregate metrics based on their defined criteria, the metric calculations are not treated the same as for discovered devices. For example, you might have a trigger assigned to a custom device that commits records to an Explore appliance. However, the custom device is not shown as either a client or a server in any transaction records. The ExtraHop system populates those attributes with the L2 or L3 device that corresponds to the conversation on the wire data.
Custom devices can affect the overall system performance, so you should avoid the following configurations:
- Avoid creating multiple custom devices for the same IP addresses or ports. Custom devices that are configured with overlapping criteria might degrade system performance.
- Avoid creating a custom device for a broad range of IP addresses or ports, which might degrade system performance.
- Create a custom device (with guidance on performance impact)
- Delete or disable custom devices
- Add a device to the watchlist for Advanced Analysis (applies to custom devices)
- Walkthrough: Create a custom device to monitor remote office traffic
- REST API: Create a custom device
Device groups are collections of devices that are configured either statically (where you add each device individually) or dynamically (where you add the criteria that is applied to matching devices). In addition, there are some built-in device groups that group devices by their discovery time, by their role, and by type.
There is no performance impact to collecting metrics with device groups. However, we recommend that you prioritize these groups by their importance to make sure that the right devices receive the highest level of analysis.
Device groups are a good choice when you have devices that you want to collectively apply as a source. For example, you could collect and display metrics for all of your high-priority production web servers in a dashboard.
By creating a device group, you can manage all of those devices as a single metric source instead of adding them to your charts as individual sources. However, note that any assigned triggers or alerts are assigned to each group member (or individual device).
Each device or device group receives the highest level of analysis possible, based on your license and your system configuration. In addition, if you have a Command appliance, you can manage your analysis priorities from a centralized location for all connected Discover appliances.
Learn more about how analysis priorities work and how you can optimize metrics for your high-priority devices.