Analysis priorities

The ExtraHop system provides the highest level of analysis for your devices based on the licensed capacity of your platform. However, you can specify higher levels of analysis for important device groups and activity groups, or add critical devices to a watchlist.

Important: Analysis priorities can be centrally managed from a Command appliance for multiple Discover appliances. Learn how to manage analysis priorities from a Command appliance.

Each device discovered by the ExtraHop system is prioritized for an analysis level that determines the type of information that is collected and the types of metrics that are generated. All device metrics include records and packets for ExtraHop systems that are configured with a recordstore or packetstore.

Advanced Analysis
These devices can generate L2-L7 metrics for charts, activity maps, detections, and charts about protocol activity. Learn how to prioritize groups for Advanced Analysis or add an individual device to a watchlist.
Standard Analysis
These devices can generate L2-L3 metrics for charts, activity maps, and charts about protocol activity. Learn how to prioritize groups for Standard Analysis.
Discovery Mode
All devices receive a minimum of this analysis level and can generate charts about protocol activity.
L2 Parent Analysis
This analysis level is only applicable if L3 Discovery is enabled on the ExtraHop system. Then, the L2 parent device receives a minimum of this analysis level, except for gateways and routers.

See a table that compares these analysis levels.

See the Analysis Priorities FAQ to learn about licensing capacities.

Prioritizing devices and groups

By default, the ExtraHop system automatically fills each analysis level to the maximum device capacity and prioritizes built-in device groups that typically support or provide essential services to most networks.

Most devices can be added to a watchlist to ensure that they receive Advanced Analysis, or you can add device groups and activity groups to an ordered list to prioritize them for Advanced Analysis and Standard Analysis.

Here are some important considerations about adding devices to the watchlist:

  • Devices remain on the watchlist even when they are inactive, but metrics are not collected for inactive devices.
  • The number of devices in the watchlist cannot exceed your Advanced Analysis capacity.
  • Devices can only be added to the watchlist from a device properties page or the device list page. You cannot add devices to the watchlist from the Analysis Priorities page.
  • If you want to add several devices to the watchlist, we recommend that you create a device group and then prioritize that group for Advanced Analysis.
  • Devices receiving L2 Parent Analysis level cannot be added to the watchlist.

Here are some important considerations about adding devices to groups:

  • Order device groups and activity groups from the highest to lowest priority in the list.
  • Click-and-drag groups to change their order in the list.
  • Make sure that each device in the group is active: groups that contain a large number of devices take up capacity, and inactive devices do not generate metrics.

Here are some important considerations about automatically filling to capacity:

  • By default, the Automatically Fill option is turned on.
  • Devices prioritized in the watchlist or through a prioritized group fill the higher analysis levels first.
  • The earliest-discovered devices fill the highest available analysis level to capacity and then begin to fill the next level.
  • If the Automatically Fill option is turned off, all devices that are not in prioritized groups or in the watchlist are removed and the ExtraHop system sets the priority for each device.
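The fill order described above determines which devices can generate detections, so it is worth modeling before you reorder groups. The following is an added example, not ExtraHop code or an ExtraHop API: a simplified Python model of the default (Automatically Fill on) behavior. The device names, group names, and capacities are constructed, and the handling of group members that do not fit, and of inactive devices during auto-fill, is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    discovered: int               # discovery order; lower means discovered earlier
    active: bool = True
    groups: frozenset = frozenset()
    l2_parent: bool = False       # receives L2 Parent Analysis, uses no capacity

def assign_levels(devices, watchlist, adv_groups, std_groups, adv_cap, std_cap):
    """Return {device name: analysis level} with Automatically Fill on."""
    if len(watchlist) > adv_cap:
        raise ValueError("watchlist cannot exceed Advanced Analysis capacity")
    levels = {d.name: "L2 Parent" for d in devices if d.l2_parent}
    pool = sorted((d for d in devices if not d.l2_parent), key=lambda d: d.discovered)
    room = {"Advanced": adv_cap, "Standard": std_cap}
    def place(candidates, level):
        for d in candidates:
            if d.name not in levels and room[level] > 0:
                levels[d.name] = level
                room[level] -= 1
    place([d for d in pool if d.name in watchlist], "Advanced")
    for g in adv_groups:          # ordered list, highest priority first
        place([d for d in pool if g in d.groups], "Advanced")
    for g in std_groups:
        place([d for d in pool if g in d.groups], "Standard")
    place(pool, "Advanced")       # auto-fill: earliest discovered first (assumed
    place(pool, "Standard")       # to include leftovers from prioritized groups)
    return {**{d.name: "Discovery" for d in pool}, **levels}

def coverage_gaps(devices, levels, critical):
    """Critical devices without detections; inactive devices holding Advanced slots."""
    no_detections = sorted(n for n in critical if levels[n] != "Advanced")
    idle = sorted(d.name for d in devices if levels[d.name] == "Advanced" and not d.active)
    return no_detections, idle

# Constructed sample inventory (not real devices).
DEVICES = [
    Device("dc-old", 1, active=False, groups=frozenset({"domain-controllers"})),
    Device("printer-1", 2),
    Device("dc-01", 3, groups=frozenset({"domain-controllers"})),
    Device("db-01", 4, groups=frozenset({"databases"})),
    Device("hr-ws", 5),
    Device("pay-api", 6),
    Device("switch-a", 7, l2_parent=True),
]
LEVELS = assign_levels(DEVICES, {"pay-api"}, ["domain-controllers"], ["databases"], 3, 2)
```

With this sample, `coverage_gaps(DEVICES, LEVELS, {"dc-01", "db-01", "pay-api"})` reports that `db-01` receives no detections while the inactive `dc-old` holds an Advanced Analysis slot.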

Compare analysis levels

Advanced Analysis
  Features:
    • L2-L7 metrics
    • Activity maps
    • Protocol activity
    • Detections
    • Records
    • Packets
  Maximum Capacity:
    • Up to 16,000 devices, depending on your platform and license
  How to Receive this Level:
    • Prioritize device groups and activity groups
    • Add a device to a watchlist

Standard Analysis
  Features:
    • L2-L3 metrics
    • Activity maps
    • Protocol activity
    • Records
    • Packets
  Maximum Capacity:
    • Up to 100,000 devices, depending on your platform
  How to Receive this Level:
    • Prioritize device groups and activity groups

Discovery Mode
  Features:
    • Protocol activity
    • Records
    • Packets
  Maximum Capacity:
    • Unlimited devices
    • These devices do not count towards analysis capacity
  How to Receive this Level:
    • All devices not in Standard, Advanced, or L2 Parent Analysis receive Discovery Mode

L2 Parent Analysis (only applicable if L3 Discovery is enabled)
  Features:
    • L2-L3 metrics
    • Activity maps
    • Records
    • Packets
  Maximum Capacity:
    • Unlimited devices
    • These devices do not count towards analysis capacity
  How to Receive this Level:
    • L2 parent devices automatically receive L2 Parent Analysis, except for gateways and routers

Published 2020-08-10 09:56