Users can access the ExtraHop system in three ways: through a set of pre-configured user accounts, through local user accounts configured on the appliance, or through remote user accounts configured on existing authentication servers, such as LDAP, SAML, Radius, and TACACS+.
This topic is about default and local accounts. See Remote Authentication to learn how to configure remote accounts.
- This account provides full system read and write privileges to the browser-based user interface and to the ExtraHop command-line interface (CLI). On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
- The shell account, by default, has access to non-administrative shell commands in the ExtraHop CLI. On physical appliances, the default password for this account is the service tag number on the front of the appliance. On virtual appliances, the default password is default.
|Note:||The default ExtraHop password for either account when deployed in Amazon Web Services (AWS) and Google Cloud Platform (GCP) is the instance ID of the virtual machine.|
The ExtraHop system supports remote authentication for user access. Remote authentication enables organizations that have authentication systems such as LDAP (OpenLDAP or Active Directory, for example) to enable all or a subset of their users to log in to the system with their existing credentials.
Centralized authentication provides the following benefits:
- User password synchronization.
- Automatic creation of ExtraHop accounts for users without administrator intervention.
- Management of ExtraHop privileges based on user groups.
- Administrators can grant access to all known users or restrict access by applying LDAP filters.
If your ExtraHop system is configured for SAML or LDAP remote authentication, you can create an account for those remote users. Preconfiguring accounts on the ExtraHop system for remote users enables you to share dashboards and other system customizations with those users before they log in.
If you choose to auto-provision users when you configure SAML authentication, then the user is automatically added to the list of local users when they log in for the first time. However, you can create a remote SAML user account on the ExtraHop system when you want to provision a remote user before that user has logged in to the system. Privileges are assigned to the user by the provider. After the user is created, you can add them to local user groups.
User groups enable you to manage access to shared content by group instead of by individual user. Dashboards and activity maps can be shared with a user group, and any user who is added to the group automatically has access. You can create a local user group—which can include remote and local users. Alternatively, if your ExtraHop system is configured for remote authentication through LDAP, you can configure settings to import your LDAP user groups.
- Click Create User Group to create a local group. The user group appears in the list. Then, select the checkbox next to the user group name and select users from the Filter users... drop-down list. Click Add Users to Group.
- (LDAP only) Click Refresh All User Groups or select multiple LDAP user groups and click Refresh Users in Groups.
- Click Reset User Group to remove all shared content from a selected user group. If the group no longer exists on the remote LDAP server, the group is removed from the user group list.
- Click Enable User Group or Disable User Group to control whether any group member can access shared content for the selected user group.
- Click Delete User Group to remove the selected user group from the system.
- View the following properties for listed user groups:
- Group Name
- Displays the name of the group. To view the members in the group, click the group name.
- Displays Local or Remote as the type of user group.
- Displays the number of users in the group.
- Shared Content
- Displays the number of user-created dashboards and activity maps that are shared with the group.
- Displays whether the group is enabled or disabled on the system. When the status is Disabled, the user group is considered empty when performing membership checks; however, the user group can still be specified when sharing content.
- Members Refreshed (LDAP only)
- Displays the amount of time elapsed since the group membership was refreshed. User
groups are refreshed under the following conditions:
- Once per hour, by default. The refresh interval setting can be modified on the page.
- An administrator refreshes a group by clicking Refresh All User Groups or Refresh Users in Group, or programmatically through the REST API. You can refresh a group from the User Group page or from within the Member List page.
- A remote user logs in to the ExtraHop system for the first time.
- A user attempts to load a shared dashboard that they do not have access to.
Administrators determine the level of access and functionality users have with the ExtraHop system. In addition to setting the privilege level for local users, you can enable options for any user privilege level.
For information about user privileges for the REST API, see the REST API Guide.
Set the privilege level for your user to determine which areas of the ExtraHop system they can access. Users with unlimited or cloud setup privileges can access all areas of the ExtraHop system, including packets, session keys, and detections.
|Unlimited||System and Access Administration (Reveal(x) 360 only)||System Administration (Reveal(x) 360 only)||Cloud Setup (Reveal(x) 360 only)||Full Write||Limited Write||Personal Write||Full Read-Only||Restricted Read-Only|
|Create, view, and load shared activity maps||Y||Y||Y||Y||Y||Y||Y||Y||N|
|Save activity maps||Y||Y||Y||Y||Y||Y||Y||N||N|
|Share activity maps||Y||Y||Y||Y||Y||Y||N||N||N|
|Create and modify alerts||Y||Y||Y||Y||Y||N||N||N||N|
|Create a bundle||Y||Y||Y||Y||Y||N||N||N||N|
|Upload and apply a bundle||Y||Y||Y||Y||Y||N||N||N||N|
|View list of bundles||Y||Y||Y||Y||Y||Y||Y||Y||N|
|View and organize dashboards||Y||Y||Y||Y||Y||Y||Y||Y||Y|
|Create and modify dashboards||Y||Y||Y||Y||Y||Y||Y||N||N|
Administrators can configure the Detections Access Control global policy to specify whether all users, or only specified users can access detections. The privilege level of the user determines the level of access to detections.
|Modify detection status and notes||Y||Y||Y||Y||Y||Y||N||N||N|
|Create and modify investigations||Y||Y||Y||Y||Y||Y||N||N||N|
|Create and modify tuning rules||Y||Y||Y||Y||Y||N||N||N||N|
|Create and modify notification rules||Y||Y||Y||Y||Y||N||N||N||N|
|View Analysis Priorities page||Y||Y||Y||Y||Y||Y||Y||Y||N|
|Add and modify analysis levels for groups||Y||Y||Y||Y||Y||N||N||N||N|
|Add devices to a watchlist||Y||Y||Y||Y||Y||N||N||N||N|
|Transfer priorities management||Y||Y||Y||Y||Y||N||N||N||N|
|Create and modify device groups||Y||Y||Y||Y||Y||N||N||N||N|
|Records (Explore appliance)|
|View record queries||Y||Y||Y||Y||Y||Y||Y||Y||N|
|View record formats||Y||Y||Y||Y||Y||Y||Y||Y||N|
|Create, modify, and save record queries||Y||Y||Y||Y||Y||N||N||N||N|
|Create, modify, and save record formats||Y||Y||Y||Y||Y||N||N||N||N|
|Scheduled Reports (Command appliance)|
|Create, view, and manage scheduled reports||Y||Y||Y||Y||Y||Y||N||N||N|
|Manage threat collections||Y||Y||Y||Y||N||N||N||N||N|
|View threat intelligence information||Y||Y||Y||Y||Y||Y||Y||Y||N|
|Create and modify triggers||Y||Y||Y||Y||Y||N||N||N||N|
|Access the ExtraHop Administration settings||Y||Y||Y||Y||N||N||N||N||N|
|Connect to other appliances||Y||Y||Y||Y||N||N||N||N||N|
|Manage other appliances (Command appliance)||Y||Y||Y||N||N||N||N||N||N|
|Manage users and API access||Y||Y||N||Y||N||N||N||N||N|
The following privilege options can be assigned to users with limited Web UI and API privileges.
- No access
- Full access
- Full access to detections is determined by your privilege level. See the Privilege Levels table to see what level of detections each privilege level can access.
|Note:||(Reveal(x) Enterprise only) The Detections Access settings appear only if the global privilege policy for detections access control is set to Only specified users can access detections.|