Send records from ExtraHop to Google BigQuery
You can configure your ExtraHop system to send transaction-level records to a Google BigQuery server for long-term storage, and then query those records from the ExtraHop system and the ExtraHop REST API. Records on BigQuery recordstores expire after 90 days.
Before you begin
- You need the BigQuery project ID.
- You need the credential file (JSON) from your BigQuery service account. The service account requires the BigQuery Data Editor, BigQuery Data Viewer, and BigQuery User roles.
- For access to the ExtraHop Cloud Recordstore, your sensors must be able to access outbound TCP 443 (HTTPS) to these fully qualified domain names:
  - bigquery.googleapis.com
  - oauth2.googleapis.com
  - www.googleapis.com
  - www.mtls.googleapis.com
  - iamcredentials.googleapis.com
  You can also review the public guidance from Google about computing possible IP address ranges for googleapis.com.
- If you want to configure the BigQuery recordstore settings with Google Cloud workload identity federation authentication, you need the configuration file from your workload identity pool.
  Note: The workload identity provider must be set up to provide a fully valid OIDC ID Token in response to a Client Credentials request. For more information about workload identity federation, see https://cloud.google.com/iam/docs/workload-identity-federation.
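A preflight check for the prerequisites above, as an added example that is not ExtraHop's own tooling: it checks that a credential file is structurally a service account key or a workload identity federation configuration, and tests TCP 443 reachability to the listed domains. The field names assume Google's standard `service_account` and `external_account` JSON formats; the function names are hypothetical.

```python
import json
import socket

# FQDNs listed on this page; sensors need outbound TCP 443 to each.
REQUIRED_HOSTS = [
    "bigquery.googleapis.com",
    "oauth2.googleapis.com",
    "www.googleapis.com",
    "www.mtls.googleapis.com",
    "iamcredentials.googleapis.com",
]

# Assumption: fields present in Google's standard credential file formats.
REQUIRED_FIELDS = {
    "service_account": ["project_id", "private_key", "client_email", "token_uri"],
    "external_account": ["audience", "subject_token_type", "token_url", "credential_source"],
}


def check_credential_file(text, expected_project_id=None):
    """Return a list of problems found in a credential/config JSON string."""
    try:
        cred = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cred, dict):
        return ["top-level JSON value is not an object"]
    kind = cred.get("type")
    if kind not in REQUIRED_FIELDS:
        return [f"unexpected type {kind!r}"]
    problems = [f"missing field {f!r}" for f in REQUIRED_FIELDS[kind] if not cred.get(f)]
    # A service account key names its project; compare it to the ID you will enter.
    project = cred.get("project_id")
    if expected_project_id and project and project != expected_project_id:
        problems.append("project_id does not match the expected project")
    return problems


def unreachable_hosts(hosts=REQUIRED_HOSTS, port=443, timeout=5.0, connect=socket.create_connection):
    """Return the hosts that refuse, fail to resolve, or time out on TCP connect."""
    failed = []
    for host in hosts:
        try:
            connect((host, port), timeout=timeout).close()
        except OSError:
            failed.append(host)
    return failed

if __name__ == "__main__":
    print("unreachable:", unreachable_hosts())
```

Run the reachability check from a host that shares the sensor's egress path, because it tests the route of the machine it runs on. A successful TCP connect does not rule out a TLS-intercepting proxy between the sensor and Google.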
Send records from ExtraHop to BigQuery
Note: Any triggers configured to send records through commitRecord to an Explore appliance are automatically redirected to BigQuery. No further configuration is required.
Important: If your ExtraHop system includes a Command appliance, configure all appliances with the same recordstore settings or transfer management to manage settings from the Command appliance.
Important: Do not modify or delete the table in BigQuery where the records are stored. Deleting the table deletes all stored records.
Transfer recordstore settings
If you have a Command appliance connected to your ExtraHop sensors, you can configure and manage the recordstore settings on the sensor, or transfer the management of the settings to the Command appliance. Transferring and managing the recordstore settings on the Command appliance enables you to keep the recordstore settings up to date across multiple sensors.