The ExtraHop system automatically discovers and classifies devices, also known as endpoints, that are actively communicating over your network, such as clients, servers, routers, load balancers, and gateways. Each device receives the highest level of analysis available, based on your system configuration.
The ExtraHop system can discover and track devices by their MAC address (L2 Discovery) or by their IP addresses (L3 Discovery). Enabling L2 Discovery offers the advantage of tracking metrics for a device even if the IP address is changed or reassigned through a DHCP request. If L3 Discovery is enabled, it is important to know that devices might not have a one-to-one correlation to the physical devices in your environment. For example, if a single physical device has multiple active network interfaces, that device is identified as multiple devices by the ExtraHop system.
After a device is discovered, the ExtraHop system begins to collect metrics based on the analysis level configured for that device. The analysis level determines the types of metrics that are generated and which features are available for organizing metric data.
Click Assets from the top menu and then click Devices to display the following charts that provide insight about the active devices discovered on your network during the selected time interval:
- Active Devices
- Displays the total number of devices that have been discovered by the ExtraHop system. Click the number to view a list of all discovered devices. From the Active Devices list, you can search for specific devices or click a device name to view device details on the Device Overview page.
- New Devices
- Displays the number of devices that have been discovered within the past month and the percentage rate of change. Click the number to view a list of all of these devices.
- Devices by Role
- Displays each device role and the number of devices assigned to each role that is active during the specified time interval. Click a device role to see a built-in Device Group Overview page that includes metric data, peer IPs, and protocol activity for that group of devices. You can also add additional filter criteria and save the group as a new dynamic device group.
- Devices by Protocol Activity
- Displays a list of protocol activity found on your network. Click a protocol name or device count to see a built-in Device Group Overview page with specific metric charts about that protocol activity. Click an activity map to see all device-to-device connections. You can also add additional filter criteria and save the group as a new dynamic device group.
By clicking on a device name, you can view all of the information discovered about the device by the ExtraHop system on the Device Overview page. The Device Overview page is divided into three sections: a top-level summary, a properties panel, and an activity panel.
The device summary provides information such as the device name, the current IP address or MAC address, and the role assigned to the device. If viewing from a console, the name of the site associated with the device is also displayed.
The device properties section provides the following known attributes and assignments for the device.
- High Value Device
- A high value icon appears if the ExtraHop system observed the device providing authentication or essential services; you can also manually specify a device as high value. Risk scores are increased for detections on high value devices.
- IP Addresses
- A list of IP addresses observed on the device at any time during the selected time interval. If L2 Discovery is enabled, the list might display both IPv4 and IPv6 addresses that are simultaneously observed on the device, or the list might display multiple IP addresses assigned through DHCP requests at different times. A timestamp indicates when the IP address was last observed on the device. Click an IP address to view other devices where the IP address has been seen.
- Associated IP Addresses
- A list of IP addresses, usually outside of the network, that are associated with the device at any time during the selected time interval. For example, a VPN client on your network might be associated with an external IP address on the public internet. A timestamp indicates when the IP address was last associated with the device. Click an associated IP address to view details such as the geographic location and other devices the IP address has been associated with.
- Cloud Instance Properties
The following cloud instance properties appear for the device when you configure the properties through the REST API:
- Cloud Account
- Cloud Instance Type
- Virtual Private Cloud (VPC)
- Cloud Instance Name (appears in the Known Alias property)
- Cloud Instance Description (instance metadata appears automatically for devices in Flow Analysis)
See Add cloud instance properties through the ExtraHop API Explorer for more information.
- A list of authenticated users logged into the device. Click a user name to go to the Users page and view which other devices the user is logged into.
- Known Aliases
- A list of alternative device
names and the source program or protocol.
Note: Multiple DNS names are supported.
- Hardware and Software
- The hardware or vendor make and model of the device and any operating
systems running on the device.
The ExtraHop system observes the network traffic on devices to automatically determine the vendor make and model, or you can manually assign a new make and model.
Tip: (CrowdStrike integration on Reveal(x) 360 only) Click links from CrowdStrike devices to view device details in CrowdStrike Falcon and initiate containment of CrowdStrike devices that are participants in a security detection.
- The tags assigned to the device. Click a tag name to view the other devices that the tag is assigned to.
- First and Last Seen
- The timestamps from when the device was first discovered and when activity was last observed on the device. NEW appears if the device was discovered within the last five days
- The level of analysis that this device receives.
Here are some ways you can view and modify device properties:
The device activity section provides information about how the device is communicating with other devices and which detections and alerts are associated with the device.
- Click Traffic to view charts for protocol and peer data,
and then drill
down on metrics in traffic charts.
Note: Traffic charts are not available if the device analysis level is Discovery Mode. To enable traffic charts for the device, elevate the device to Advanced Analysis or Standard Analysis.
- Click Detections to view a list of detections, and then click a detection name to view detection details.
- Click Similar Devices to view a list of devices with similar network traffic behavior observed by machine-learning analysis. Similar devices can help you gain insight into normal device behavior when threat hunting. This tab is only displayed if there are similar devices associated with the device.
- Click Alerts to view a list of alerts, and then click an alert name to view alert details. This tab is only displayed if there are alerts associated with the device.
- Click Peer Devices to view an activity map, which is a visual representation of the L4-L7 protocol activity between devices in your network. To modify the activity map with additional filters and steps, click Open Activity Map.
|Tip:||You can bookmark the Device Overview page to a specific activity view
by setting the tab URL parameter to one of the following values:
For example, the following URL always displays detection activity for the specified device:
Type an IP address in the global search field or click an IP address link from a Device Overview page to view details about an IP address.
The following information appears for an IP address seen on a device:
- Each device where the IP address is currently observed, regardless of the selected time interval.
- Each device where the IP address was previously observed within the selected time interval, including the timestamp from when the IP address was last seen on the device.
If L2 Discovery is enabled, both IPv4 and IPv6 addresses might be simultaneously observed on the device, or different IP addresses might be assigned to the device by DHCP over time.
The following information appears for an IP address associated with a device:
- The geolocation of the IP address and links to the ARIN Whois website.
- Each device where the associated IP address was seen outside of the network at any time during the selected time interval. For example, a VPN client on your network might be associated with an external IP address on the public internet.
- Any cloud services associated with the IP address.
- The IP address of the device as seen by the ExtraHop system on your network.
- The timestamp when the associated IP address was last seen on the device.
Here are some ways you can view additional IP address and device information:
Both custom devices and device groups are ways that you can aggregate your device metrics. Custom devices are user-created devices that collect metrics based on specified criteria, while device groups gather metrics for all of the specified devices in a group. With device groups, you can still view metrics for each individual device or group member. The metrics for a custom device are collected and displayed as if for a single device—you cannot view individual device metrics.
Both device groups and custom devices can dynamically aggregate metrics based on your specified criteria. We recommend selecting reliable criteria, such as the device IP address, MAC address, VLAN, tag, or type. While you can select devices by their name, if the DNS name is not automatically discovered, the device is not added.
|Device Groups||Custom Devices|
|Performance cost||Comparatively low. Because device groups only combine metrics that have already been calculated, there is a relatively low effect on metric collection. However, a high number of device groups with a large number of devices and complex criteria will take more time to process.||Comparatively high. Because the metrics for custom devices are aggregated based on user-defined criteria, large numbers of custom devices, or custom devices with extremely broad criteria, require more processing. Custom devices also increase the number of system objects to which metrics are committed.|
|View individual device metrics||Yes||No|
|Edit control for limited write users||Yes
Users with limited write privileges can create and edit device groups. This global privilege policy must be enabled from Administration settings.
|Best practices||Create for local devices where you want to view and compare the metrics in a single chart. Device groups can be set as a metric source.||Create for devices that are outside of your local network, or for types of traffic that you want to organize as a single source. For example, you might want to define all physical interfaces on a server as a single custom device to better view metrics for that server as a whole.|
Custom devices enable you to collect metrics for devices that are outside of your local network or when you have a group of devices that you want to aggregate metrics for as a single device. These devices can even be different physical interfaces that are located on the same device; aggregating the metrics for these interfaces can make it easier to understand how heavily taxed your physical resources are as a whole, rather than by interface.
You might create a custom device to track individual devices outside of your local broadcast domain or to collect metrics about several known IP addresses or CIDR blocks from a remote site or cloud service. You can collect remote site metrics for custom devices to learn how remote locations consume services and to gain visibility into traffic between remote sites and a data center. See the Protocol Metrics Reference for a full list of remote site metrics and descriptions.
After you create a custom device, all of the metrics associated with the IP addresses and ports are aggregated into a single device that collects L2-L7 metrics. A single custom device counts as one device towards your licensed capacity for Advanced Analysis or Standard Analysis, which enables you to add a custom device to the watchlist. Any triggers or alerts are also assigned to the custom device as a single device.
While custom devices aggregate metrics based on their defined criteria, the metric calculations are not treated the same as for discovered devices. For example, you might have a trigger assigned to a custom device that commits records to a recordstore. However, the custom device is not shown as either a client or a server in any transaction records. The ExtraHop system populates those attributes with the device that corresponds to the conversation on the wire data.
Custom devices can affect the overall system performance, so you should avoid the following configurations:
- Avoid creating multiple custom devices for the same IP addresses or ports. Custom devices that are configured with overlapping criteria might degrade system performance.
- Avoid creating a custom device for a broad range of IP addresses or ports, which might degrade system performance.
If a large number of custom devices is affecting your system performance, you can delete or disable a custom device. The unique Discovery ID for the custom device always remains in the system. See Create a custom device to monitor remote office traffic to familiarize yourself with custom devices.
A device group is a user-defined collection that can help you track metrics across multiple devices that are typically grouped by shared attributes such as protocol activity.
You can create a static device group that requires you to manually add or remove a device from the group. Or, you can create a dynamic device group that includes criteria that determines which devices are automatically included in the group. For example, you can create a dynamic device group based on the device discovery time that adds devices that are discovered during a specific time interval.
By default, the Device Group page includes the following dynamic device groups that you can overwrite or delete:
- New Devices (Last 24 Hours)
- Includes assets and endpoints that were first seen by the ExtraHop system over the last 24 hours.
- New Devices (Last 7 Days)
- Includes assets and endpoints that were first seen by the ExtraHop system over the last 7 days.
The ExtraHop system also includes built-in dynamic device groups by role and by protocol. You can assign built-in device groups as a metric source for objects such as charts, alerts, triggers, and activity maps. You cannot overwrite or delete a built-in device group, but you can add filter criteria and save it as a new device group.
From the Devices page, click a device count for a role or protocol, such as Domain Controller or CIFS clients, to view the Device Group Overview page. Clicking the filter at the top of the page enables you to add additional criteria and update the page data on demand instead of requiring you to create a device group.
There is no performance impact to collecting metrics with device groups. However, we recommend that you prioritize these groups by their importance to make sure that the right devices receive the highest level of analysis.
Device groups are a good choice when you have devices that you want to collectively apply as a source. For example, you could collect and display metrics for all of your high-priority production web servers in a dashboard.
By creating a device group, you can manage all of those devices as a single metric source instead of adding them to your charts as individual sources. However, note that any assigned triggers or alerts are assigned to each group member (or individual device).
After a device is discovered, the ExtraHop system tracks all of the traffic associated with the device to determine the device name and role.
The ExtraHop system discovers device names by passively monitoring naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol (CDP).
If a name is not discovered through a naming protocol, the default name is derived from device attributes, such as MAC addresses and IP addresses. For some devices discovered on flow sensors, the ExtraHop system assigns names based on the role of the device such as Internet Gateway or Amazon DNS Server. You can also create a custom name or set a cloud instance name for a device.
A device can be identified by multiple names, which appear as Known Aliases on the Device Overview page. If a device has multiple names, the order of priority for the default display name is the custom name followed by the cloud instance name, the DHCP name, the public DNS name, and then other naming protocols. You can search by any name to find a device.
|Note:||Custom names are not synchronized across connected ExtraHop systems. For example, a custom name created on a sensor is not available from a connected console.|
If a device name does not include a hostname, the ExtraHop system has not yet observed naming protocol traffic associated with that device. The ExtraHop system does not perform DNS lookups for device names.
Based on the type of traffic associated with the device or the device model, the ExtraHop system automatically assigns a role to the device, such as a gateway, file server, database, or load balancer. The Other role gets assigned to devices that cannot be identified.
A device can only be assigned one role at a time. You can manually change a device role, or the ExtraHop system might re-assign a different role if observed traffic and behavior changes. For example, if a PC has been repurposed into a Web server, you might change the role immediately, or the change might be observed over time and the role updated by the system.
The ExtraHop system identifies the following roles:
|Custom Device||A user-created device that collects metrics based on specified criteria. The ExtraHop system automatically assigns this role when you create a custom device. You cannot manually assign the Custom role to a device.|
|Attack Simulator||A device that runs breach and attack simulation (BAS) software to simulate attacks in a network.|
|Database||A device that primarily hosts a database instance.|
|DHCP Server||A device that primarily processes DHCP server activity.|
|DNS Server||A device that primarily processes DNS server activity.|
|Domain Controller||A device that acts as a domain controller for Kerberos, CIFS, and MSRPC server activity.|
|File Server||A device that responds to read and write requests for files over NFS and CIFS/SMB protocols.|
|Firewall||A device that monitors incoming and outgoing network traffic and blocks traffic according to security rules. The ExtraHop system does not automatically assign this role to devices.|
|Gateway||A device that acts as a router or gateway. The ExtraHop system looks for devices associated with a large amount of unique IP addresses (past a certain threshold) when identifying gateways. Gateway device names include the router name such as Cisco B1B500. Unlike other L2 parent devices, you can add a gateway device to the watchlist for Advanced Analysis.|
|IP Camera||A device that sends image and video data through the network. The ExtraHop system assigns this role based on the device model.|
|Load Balancer||A device that acts as a reverse proxy for distributing traffic across multiple servers.|
|Medical Device||A device designed for healthcare needs and medical environments. The ExtraHop system might assign this role if a device is a known medical make and model or if the device processes DICOM traffic.|
|Mobile Device||A device that has a mobile operating system installed, such as iOS or Android.|
|NAT Gateway||A device that acts as a Network Address Translation (NAT) gateway. The ExtraHop system might assign this role if a device is associated with four or more OS fingerprint families or with four or more hardware or vendor makes and models. After a device is assigned this role, device properties for software, hardware make and model, and authenticated users no longer appear for the device.|
|PC||A device such as a laptop, desktop, Windows VM, or macOS device that processes DNS, HTTP, and SSL client traffic.|
|Printer||A device that enables users to print text and graphics from other connected devices. The ExtraHop system assigns this role based on the device model or on traffic observed over mDNS (multicast DNS).|
|VoIP Phone||A device that manages voice over IP (VoIP) phone calls.|
|VPN Client||An internal device that communicates with a remote IP address. If VPN client discovery is enabled, the ExtraHop system automatically assigns this role to internal devices communicating with remote IP addresses through a VPN gateway. You cannot manually assign the VPN Client role to a device.|
|VPN Gateway||A device that connects two or more VPN devices or networks together to bridge remote connections. The ExtraHop system assigns this role to devices with a large number of external VPN peers if automatic classification for this role is enabled in the running configuration.|
|Vulnerability Scanner||A device that runs vulnerability scanner programs.|
|Web Proxy Server||A device that processes HTTP requests between a device and another server.|
|Web Server||A device that primarily hosts web resources and responds to HTTP requests.|
|Wi-Fi Access Point||A device that creates a wireless local area network and projects a wireless network signal to a designated area. The ExtraHop system assigns this role based on the device model.|