Manage threat collections

ExtraHop Reveal(x) includes curated threat collections that identify suspicious hostnames, IP addresses, and URIs in charts and tables throughout the system. You must enable these threat collections before threat intelligence is applied to your network activity. In addition, you can upload threat collections from free or commercial sources as a custom threat collection.

Threat intelligence is applied only to the local appliance. If you have a Command appliance, you must enable or upload threat collections to the Command appliance and to each connected Discover appliance.

Learn more about threat intelligence.

Enable ExtraHop-curated threat collections

Enable the ExtraHop threat collection to display suspicious hostnames, IP addresses, and URIs in system charts and records.

  1. Log into the Web UI on a ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Threat Intelligence.
  3. In the ExtraHop Threat Intelligence table, select the Enabled checkbox in the Status column

Upload a threat collection

Upload threat collections from free and commercial sources to identify suspicious hosts, IP addresses, and URIs in system charts and records. Because threat intelligence data is updated frequently (sometimes daily), you might need to update a threat collection with the latest data. When you update a threat collection with new data, the collection is deleted and replaced, and not appended to an existing collection.

Tip:Upload STIX files through the REST API.

Custom threat collections must be formatted in Structured Threat Information eXpression (STIX) as TAR or TAR.GZ files. Reveal(x) currently supports STIX version 1.0 - 1.2.

  1. Log into the Web UI on a ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Threat Intelligence.
  3. Click Manage custom collections.
  4. Click Upload New Collection.
  5. In the Collection ID field, type a unique collection ID. The ID can only contain alphanumeric characters and spaces are not allowed.
  6. Click Choose file and select a STIX file in TAR or TAR.GZ format.
  7. Type a display name in the Display Name field.
  8. Click Upload Collection.
Published 2020-07-07 15:55