Optimizing detections
Here are some best practices you should implement to improve your detections: add details about your network, enable the ExtraHop system to see potentially-suspicious traffic, and filter your page view by your priorities.
Tip: | Click the System Settings icon ![]() ![]() |
- Network Localities
- This setting enables you to classify internal or external endpoints that you trust, such as a
CIDR block of IP addresses that your devices regularly connect to.
Machine-learning detections and system metrics rely on device and traffic
classifications.
For example, if your devices regularly connect to an unknown but trusted domain that is classified as an external IP address, detections are suppressed for that domain.
- High Value Devices
- This setting helps you identify devices that are critical to your organization
as high value. The ExtraHop
system will automatically identify devices that provide authentication or
support essential services as high value, but you can identify other critical
devices manually.
For example, if you identify the laptop of an executive as a high value device, any detection involving the laptop will be recommended for triage, and any machine learning detection the laptop is involved in will receive an elevated risk score.
- Tuning Parameters
- This setting improves the accuracy of rules-based detections. You provide the ExtraHop
system with details about your network environment to provide context
about the observed devices.
For example, a rules-based detection is generated when an internal device communicates with external databases. If traffic to an external database is expected or the database is part of a legitimate cloud-based storage or production infrastructure, then you can set a tuning parameter to ignore traffic to the approved external database.
- Tuning Rules
- These settings enable you to hide detections
after the system has generated them. If you see a detection that does not add
value, you can reduce the noise from your overall view.
For example, if a detection is generated with an offender, victim, or other criteria that is not a concern for your network, you can hide all past and future detections with that criteria from view.
- Notification Rules
- These settings help automate communication within your organization and export
detections to your next-gen SIEM. You create rules that send emails
or call webhooks when events occur that are related to detections, recommended
investigations, threat briefings, or other important system events.
For example, you can create a notification rule that sends a message to your team over Slack when a new threat briefing is published.
- Security Operations Report
- This setting helps you create a report that summarizes ExtraHop data related to detections,
investigations, and network health.
For example, you can create a report that only contains information about open detections and investigations and is automatically delivered to your leadership on the first of every month.
- Detection Research Team Access (RevealX 360 only)
- This setting grants the ExtraHop Detection Research Team read-only access to your detections, metrics, and records to help improve the quality of detections.
- IDS Module
- This licensed module enables you to
merge extended rule-based coverage of an IDS with the investigation and
management workflows of your ExtraHop system.
For example, directly from the Detections page, you can filter, analyze, investigate, and tune detections based on cloud-updated Proofpoint ET Pro and ET Open rulesets.
- Threat Intelligence
- These settings enable you to add your own threat collections to default
ExtraHop and CrowdStrike threat intelligence.
For example, you can configure a TAXII feed that you curate yourself or receive from a trusted third-party provider.
- Decryption
- Encrypted HTTP traffic is a common vector for attacks, in part because attackers
know the traffic is typically hidden. And if your network has Active Directory,
a number of detections are hidden in encrypted traffic across the domain.
We strongly recommend that you enable decryption for TLS and Active Directory.
Thank you for your feedback. Can we contact you to ask follow up questions?