Web UI Guide

About this guide

This guide provides information about the web-based user interface (Web UI) for the ExtraHop Discover and Command appliances.

The purpose of this guide is to help users understand the ExtraHop system architecture and functionality as well as learn how to operate the controls, fields, and options available throughout the Web UI.

Additional resources are available through the following links:

Contact us

We value your feedback.

Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.

If you need additional help, please contact ExtraHop Support. at or visit the ExtraHop Customer Support Portal at https://customers.extrahop.com/.

Email: support@extrahop.com

Support Portal Website: https://customers.extrahop.com/

Telephone:

  • 877-333-9872 (US)
  • +44 (0)203 7016850 (EMEA)
  • +65-31585513 (APAC)

Introduction to the ExtraHop system

The ExtraHop system provides a comprehensive network detection and response solution for tracking security threats and IT operations. You can monitor how applications consume network resources, how systems and devices communicate with each other, and how transactions flow across the data link layer (L2) to application layer (L7) in your network.

This guide explains how the ExtraHop system collects and analyzes your data and how the core system functionalities can help you access top-level and detailed metrics, transactions, and packets about the traffic on your network.

Smart Sensor Analytics

ExtraHop system provides a smart sensor that captures, stores, and analyzes metric data about your network—and offers different levels of data analysis, collection, and storage based on your needs. The sensor is provisioned with storage to support 30 days of metric lookback. Note that actual lookback varies by traffic patterns, transaction rates, the number of endpoints, and the number of active protocols.

The browser-based system interface provides tools that enable you to explore and visualize data, investigate findings in both top-down and bottoms-up workflows, and customize how you collect, view, and share your network data.

Metric Analytics

The ExtraHop system collects and stores multiple depths of network interactions. Packets are the raw data transferred between two endpoints. Records are structured information about transaction, message, and network flows. Metrics are aggregated observations about endpoint interactions over time.

For example, when a client sends an HTTP request to a web server, here is what each data type contains:

  • The packet contains the raw data that was sent and received in the interaction.
  • The related record contains the time-stamped metadata about the interaction: when the request happened, the IP address of the client and server, the requested URI, any error messages.
  • The related metric (HTTP Requests) contains an aggregate of that interaction with other observed interactions during the specified time period, such as how many requests occurred, how many of those requests were successful, how many clients sent requests, and how many servers received the requests.

Both metrics and records can be customized to extract and store specific metadata with JavaScript-based triggers. While the ExtraHop system has over 4600 built-in metrics, you might want to create a custom metric that collects and aggregates 404 errors from only critical web servers. And, you might want to maximize your record storage space by only collecting transactions that occurred over a suspicious port.

Data feeds

The type of data feed you connect to the ExtraHop system determines how packets are collected, stored, and analyzed.

Wire data

The ExtraHop system passively collects a copy of unstructured packets through a port mirror or tap and stores the data in the local datastore. The copied data goes through real-time stream processing that transforms the packets into structured wire data through the following stages:

  1. TCP state machines are recreated to perform full-stream reassembly.
  2. Packets are collected and grouped into flows.
  3. The structured data is analyzed and processed in the following ways:
    1. Transactions are identified
    2. Devices are automatically discovered and classified by their activity.
    3. Metrics are generated and associated with protocols and sources, and the metric data is then aggregated into metric cycles.
  4. As new metrics are generated and stored, and the datastore becomes full, the oldest existing metrics are overwritten according to the first-in first-out (FIFO) principle.
Flow data

Alternatively, you can configure the ExtraHop system to collect flows from machine data on remote networks. A flow is a set of packets that are part of a single transaction between two endpoints. By analyzing flows of network traffic, an administrator can identify the top network flows (most bytes consumed), top network talkers (highest throughput), total number of bytes, and the total number of packets per router interface.

Note:Reveal(x) systems cannot be configured to collect flow data.

The ExtraHop system acts as a flow collector or analyzer and supports the following types of flow data:
NetFlow v5
The Cisco proprietary protocol that defines a flow as a unidirectional flow of packets that share the following values: ingress interface, source and destination IP address, IP protocol, source and destination ports, and the type of service. NetFlow v5 has a fixed record format with 20 fields and cannot be customized.
NetFlow v9
An adapted version of NetFlow v5 where the record format is template based. NetFlow v9 has 60+ fields in the records and can be customized. In the Discover appliance, these records are only partially parsed until the template packet is detected.
IPFIX
An open standard based on the NetFlow v9 standard. ExtraHop supports only the native format; formats where the Enterprise bit is set outside of a trigger are not supported.
AppFlow
The Citrix implementation of IPFIX with customized extensions to include application-level information such as HTTP URLs, HTTP request methods, status codes, and so on.
sFlow
A sampling technology for monitoring traffic in data networks. sFlow samples every nth packet and sends it to the collector whereas NetFlow sends data from every flow to the collector. The primary difference between sFlow and NetFlow is that sFlow is network layer independent and can sample anything. NetFlow v5 is IP based, but v9 and IPFIX can also look at Layer 2.
Software frame deduplication

The ExtraHop system removes duplicate L2 and L3 frames and packets when metrics are collected and aggregated from your network activity by default. L2 deduplication removes identical Ethernet frames (where the Ethernet header and the entire IP packet must match); L3 deduplication removes TCP or UDP packets with identical IP ID fields on the same flow (where only the IP packet must match).

The ExtraHop system checks for duplicates and removes only the immediately-previous packet both on the flow (for L3 deduplication) or globally (for L2 deduplication) if the duplicate arrives within 1 millisecond of the original packet.

By default, the same packet traversing different VLANs is removed by L3 deduplication. In addition, packets must have the same length and the same IP ID, and TCP packets also must have the same TCP checksum.

L2 duplication usually only exists if the exact same packet is seen through the data feed, which is typically related to an issue with port mirroring. L3 duplication is often the result of mirroring the same traffic across multiple interfaces of the same router, which can show up as extraneous TCP retransmissions in the ExtraHop system.

The System Health page in the ExtraHop Web UI contains charts that display L2 and L3 duplicate packets that were removed by the ExtraHop system. Deduplication works across 10Gbps ports by default and across 1Gbps ports if software RSS is enabled. L3 deduplication currently is supported only for IPv4, not IPv6.

Device discovery

The ExtraHop system can discover and track devices by their MAC address (L2 Discovery) or by their IP addresses (L3 Discovery). L2 Discovery offers the advantage of tracking metrics for a device even if the IP address is changed or reassigned through a DHCP request.

Device IPv4 and IPv6 addresses are learned from Address Resolution Protocol (ARP) messages, the Neighbor Discovery Protocol (NDP) responses, local broadcasts, or local subnet multicast traffic. The MAC address and IP address for devices appear in search results and throughout the system with the device information.

After a device is discovered, the ExtraHop system begins to collect metrics based on the analysis level configured for that device through analysis priorities. You can search for devices by their MAC address, IP address, or name (such as a hostname observed from DNS traffic, NetBIOS name, Cisco Discovery Protocol (CDP) name, DHCP name, or a custom name that you assigned to the device).

Important:Previous versions of the ExtraHop system were configured for L3 Discovery. If your ExtraHop system is upgraded to version 8.0, the Device Discovery settings do not change automatically. If you switch to L2 Discovery, metrics begin accumulating on different devices with the same IP address. Learn how to enable L2 Discovery.
L2 Discovery

The ExtraHop system creates a device entry for every local MAC address discovered over the wire. IP addresses are mapped to the MAC address, but metrics are stored with the device MAC address even if the IP address changes.

IP addresses observed outside of locally-monitored broadcast domains are aggregated at one of the incoming routers in your network. If a device sends a DHCP request through a router acting as a DHCP relay agent, the ExtraHop system detects and maps the IP address to the device MAC address. If the IP address changes for the device with a subsequent request through the DHCP relay agent, the ExtraHop system updates its mapping and continues to keep track of the device metrics by the MAC address.

Both MAC address and IP address are discovered for the remote device.

If a DHCP relay agent is not configured, remote devices can be discovered by their IP addresses through Remote L3 Discovery.

L3 Discovery

When L3 Discovery is enabled, the ExtraHop system creates and links two entries for each local discovered device: an L2 parent entry with a MAC address and an L3 child entry with IP addresses and the MAC address.

Here are some important considerations about L3 discovery:

  • If a router has proxy ARP enabled, the ExtraHop system creates an L3 device for each IP address that the router answers ARP requests for.

  • If you have a proxy ARP configured in your network, the ExtraHop system might automatically discover remote devices.

  • L2 metrics that cannot be associated with a particular L3 child device (for example, L2 broadcast traffic) are associated with the L2 parent device.

  • L2 parent devices that are not gateways or custom devices do not count towards your licensed analysis capacity. These devices are configured for the L2 Parent Analysis level.

Configure L3 Discovery

Remote L3 Discovery

If the ExtraHop system detects an IP address that does not have associated ARP or NDP traffic, that device is considered a remote device. Remote devices are not automatically discovered, but you can add a remote IP address range and discover devices that are outside of the local network. A device entry is created for each IP address that is observed within the remote IP address range. (Remote devices do not have L2 parent entries.)

Only the IP address is discovered for the remote device.

Here are some conditions when you should configure Remote L3 Discovery:

  • Your organization has a remote office without an on-site ExtraHop system but users at that site access central data center resources that are directly monitored by an ExtraHop system. The IP addresses at the remote site can be discovered as devices.

  • A cloud service or other type of off-site service hosts your remote applications and has a known IP address range. The remote servers within this IP address range can be individually tracked.

Configure devices for Remote L3 Discovery

Network locality

By default, any device with an RFC1918 IP address (included in a 10/8, 172.16/12, or 192.168/16 CIDR block) is classified on the system as an internal device.

However, because some network environments include non-RFC1918 IP addresses as part of their internal network, you can change the internal or external classification for IP addresses from the Network Localities page.

Centralized Management

The ExtraHop system can be configured as a centralized system with connections to multiple sensors, data warehouses, and packetstores that are distributed across data centers, branch offices, and cloud services.

The system interface on the Command appliance provides visibility across all of your data in a single view and enables you to sync certain advanced configurations (such as triggers and alerts) and settings (custom parameters, analysis priorities, and recordstores)

Here are some benefits to centralized management:

  • Create a dashboard that displays sensor data from each of your remote offices.
  • Query for records and view detections that show potential issues across multiple sites.
  • Limit user accounts to a single system instead of creating multiple accounts for each sensor.

Introduction to the ExtraHop Web UI

The ExtraHop Discover and Command appliances provide access to network activity data through a dynamic and highly customizable Web UI.

This guide provides an overview of the global navigation and controls, fields, and options available throughout the UI. See Introduction to the ExtraHop system to learn how the ExtraHop system collects and analyzes your data.

Supported browsers

The following browsers are compatible with all ExtraHop systems. Apply the accessibility and compatibility features provided by your browser to access content through assistive technology tools.

  • Firefox
  • Google Chrome
  • Microsoft Edge
  • Safari
Important:Internet Explorer 11 is no longer supported. We recommend that you install the latest version of any supported browser.

Global navigation elements located at the top of the page contain links to the main sections of the Web UI. Within each section, the left pane contains links to specific pages or data.

The following figure shows both global and left pane navigation elements.



Here are definitions of each global navigation element:

Overview pages
Overview pages enable you to quickly evaluate the scope of suspicious activity on your network, learn about protocol activity and device connections, and investigate inbound and outbound traffic on your network.
  • View the Security Overview for information about security detections on your network.
  • View the Network Overview for information about active devices on your network.
  • View the Perimeter Overview for information about traffic traveling in and out of your network.
Dashboards
Click Dashboards to view, create, or share dashboards for monitoring any aspect of your network or applications. System dashboards give you an instant view of the activity and potential security threats on your network.
Alerts
Click Alerts to view information about each alert generated during the time interval.
Detections
If your Discover appliance is connected to the ExtraHop Machine Learning Service, the top level navigation shows the Detections menu. Click Detections to view detections identified from your wire data. You can access stored detections even if your appliance is disconnected from the Machine Learning Service.
Note:Machine learning detections require a connection to ExtraHop Cloud Services.
Assets
Click Assets to find any application, network, or device discovered by the ExtraHop system. You can view protocol metrics for your assets, active users, or network activity by protocol.
Records
If your ExtraHop system is configured with a recordstore, the top level navigation shows the Records menu. Click Records to query for all stored records for the current time interval. Records are structured information about transactions, messages, and network flows.
Packets
If your ExtraHop system is configured with a packetstore, the top level navigation shows the Packets menu. Click Packets to query for all stored packets for the current time interval.
Global search field
Type the name of any device hostname or IP address, application, or network to find a match on your Discover or Command appliance. If you have a connected ExtraHop Explore appliance, you can search for saved records. If you have a connected Trace appliance, you can search for packets.
Help icon
See help information for the page that you are currently viewing. To access the most current and comprehensive set of ExtraHop documentation, visit the ExtraHop Documentation website.
System Settings icon
Access system configuration options, such as Triggers, Alerts, Scheduled Reports, and Custom Devices. Click to view the ExtraHop appliance and version and view system notices.
User option icon
Log in and log out of your Discover appliance or Command appliance, change your password, and access API options.
Pane toggle
Collapse or expand the left pane.
Global Time Selector
Change the time interval to view application and network activity that was observed by the ExtraHop system for a specific time period. The global time interval is applied to all metrics across the ExtraHop Web UI and does not change as you navigate to different pages.
Recent pages
See a list of the most recent pages you visited in a drop-down menu and make a selection to go back to a previous page. Repeated pages are deduplicated and condensed to save space.
Navigation path
View where you are in the system and click a page name in the path to navigate back to that page.
Command menu drop-down
Click to access specific actions for the page you are viewing. For example, when you click Dashboards at the top of the page, the command menu provides actions for changing dashboard properties or creating a new dashboard.

Start analyzing data

Begin your data analysis journey with the ExtraHop system by following the basic workflows listed below. As you become familiar with the ExtraHop system, you can complete more advanced tasks, such as installing bundles and building triggers.

Here are some basic ways to navigate and work with the ExtraHop Web UI to analyze network activity.

Monitor metrics and investigate interesting data

When you first log in to the ExtraHop system, you see the Activity dashboard. This dashboard is a good starting point because it shows you a summary of important metrics about application performance on your network. When you see a spike in traffic, errors, or server processing time, you can interact with dashboard data to drill down and identify which clients, servers, methods, or other factors contributed to the unusual activity.

You can then continue performance monitoring or troubleshooting by creating a custom dashboard to track a set of interesting metrics and devices.

Check out the following walkthroughs to learn more about monitoring data in dashboards:

Search for a specific device and investigate related metrics and transactions

If you want to investigate a slow server, you can search for the server in the ExtraHop system by device name or IP address and then investigate the server's activity on a protocol page. Was there a spike in response errors or requests? Was server processing time too high or did network latency affect the rate of data transfer? Click on different protocols on the Devices page to investigate more metric data collected by the ExtraHop system. Drill down by peer IP addresses to see which clients or applications the server talked to.

If your ExtraHop system is connected to a recordstore, you can investigate entire transactions that the server participated in by creating a record query.

Check out the following walkthroughs to learn more about exploring metrics and records:

Get visibility into changes to your network by searching for protocol activity

You can get a top-down view of your network by looking at built-in protocol groups. An protocol group is a collection of devices automatically grouped together by the ExtraHop system based on the protocol traffic observed over the wire. For example, you can find new or decommissioned servers that are actively communicating over a protocol by creating an activity map.

If you find a collection of devices that you want to continue monitoring, you can add a device tag or custom device name to make those devices easier to find in the ExtraHop system. You can also create a custom device group or a custom dashboard to monitor device group activity.

Advanced workflows for customizing your ExtraHop system

After becoming familiar with basic Web UI workflows, you can customize your ExtraHop system by setting up alert notifications, creating custom metrics, or installing bundles.

Set up alerts
Alerts track specified metrics to notify you of traffic deviations that might indicate an issue with a network device. Configure a threshold alert to notify you when a monitored metric crosses a defined value. Configure a trend alert to notify you when a monitored metric deviates from the normal trends observed by the system.
Install a bundle to enhance ExtraHop features and integrations
Bundles are a saved set of system configurations that can be uploaded to an ExtraHop appliance. Check out the following popular bundles:

Install a bundle on your ExtraHop system, or create a bundle that you can share with others.

Build a trigger to create custom metrics and applications
Triggers are custom scripts that perform an action upon a pre-defined event. Triggers require planning to make sure a trigger doesn't negatively impact system performance.

Check out the following walkthroughs to learn more about exploring metrics and records:

Access keyboard shortcuts

Keyboard shortcuts help you quickly navigate across the ExtraHop Web UI and manage dashboards with a few keystrokes.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Type one of the following keyboard combinations:
    Keyboard combinations Action
    ? Show or hide the keyboard shortcuts help menu
    G then S Go to Dashboards
    G then A Go to Alerts
    G then P Go to Application metrics
    G then N Go to Network metrics
    G then D Go to Device metrics
    G then G Go to Protocol metrics
    / Global search
    O then H Toggle recent pages
    J Select the next item in recent pages
    K Select the previous item in recent pages
    O then M Open Metric Explorer
    G then E Go to System Settings
    G then T Go to Triggers
    G then H Open Help
    O then Q View system information
    Ctrl+S Save widget configuration
    O then L Toggle Edit Layout Mode
    O then P Show Dashboard Properties
    C then D Copy the current dashboard
    D then D Delete the current dashboard
    O then S Toggle Descriptions
    CTRL+SHIFT+F Toggle Presentation Mode
    N then D Create a new dashboard
    N then F Create a new folder
    O then D Toggle Edit Dock
    P then P Print or Export to PDF
    S then R Open Scheduled Reports (Command appliance only)

Manage dashboards with keyboard shortcuts

The following keyboard shortcuts only apply to dashboards.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Type one of the following keyboard combinations:
    Keyboard combinations Action
    O then L Toggle edit layout mode
    O then P Show dashboard properties
    C then D Copy the current dashboard
    D then D Delete the current dashboard
    O then S Toggle descriptions
    Ctrl+Up Arrow+F Toggle presentation mode
    N then D Create a new dashboard
    N then F Create a new folder
    O then D Toggle dock edit mode

Time intervals

The Time Selector is displayed in the top-left corner of the navigation bar and controls the global time interval for metrics displayed in the ExtraHop Web UI. Navigating from one area to another will not change the time interval for the metrics you are viewing. Whether you are viewing metrics in a dashboard, or drilling-down to view detailed metrics, the time interval stays the same.

Here are some considerations about time intervals:

  • Time intervals are preserved for each login session. Logging out of the Discover appliance will reset the global time interval to the last 30 minutes. You can access the five most recent unique time intervals from the History tab of the Time Selector.
  • The time interval is included at the end of the URL in your browser. To share a link with others that maintains a specific time interval, copy the entire URL. To maintain a specific time interval after logging out of the Discover appliance, bookmark the URL.
  • The time interval associated with the collection and presentation of network data is determined by your local NTP server by default. You can change the system time in the ExtraHop system from the Admin UI. For more information, see Configure the system time in the Admin UI Guide.

Change the time interval

This procedure shows you how to set the global time interval. You can also apply a time interval by dashboard or by region.
  1. Click the time interval in the upper left corner of the page (for example Last 30 minutes).
  2. Select from the following interval options:
    • A preset time interval (such as Last 30 minutes, Last 6 hours, Last day, or Last week).
    • A custom unit of time.
    • A custom time range. Click a day to specify the start date for the range. One click will specify a single day. Clicking another day will specify the end date for the range.
    • Compare metric deltas from two different time intervals.
  3. Click Save.
Tip:You can also set the time interval from the History tab by selecting from up to five recent time intervals set in a previous login session.

View the latest data for a time interval

Pages that display monitored metric data, such as dashboards and protocol pages, are continuously updated to display the latest data for the selected time interval.

Detail metrics pages, detections, records, packets, and alerts are reloaded on request by clicking the refresh data icon at the top left corner of the page.

Change chart data granularity

The ExtraHop system stores metrics in 30-second buckets of time. Metric data are then aggregated or rolled up into additional five-minute and one-hour buckets. Aggregating data helps to limit the number of data points rendered on a time-series chart so the granularity of data is easier to interpret. The time interval you select determines the best aggregation, or roll up, of data to display in a chart for the period of time you are viewing.

For example, if you select a large time interval, such as one week, metric data is aggregated into one-hour roll ups. On the x-axis of a line chart, you see a data point for every hour instead of a data point for every 30 seconds. If you want to increase the level of granularity, you can zoom in on a chart or change the time interval.

The ExtraHop system includes built-in high-precision metrics with 1-second roll ups, which are the Network Bytes and Network Packets metrics. These metrics are associated with a device or network capture source. For more information on how to view these metrics in a chart, see Display the maximum rate in a chart.

The ExtraHop system also includes built-in metrics for identifying the single busiest millisecond of traffic within a 1-second roll up. These metrics, which are Maximum Network Bytes per Millisecond and Maximum Packets per Millisecond, are associated with a network capture source and help you detect microbursts. Microbursts are rapid bursts of traffic that occur within milliseconds.

The following table provides information about how data is aggregated based on time interval.

Time Interval Aggregation Roll Up (if available) Notes
Less than six minutes 1-second A 1-second roll up is only available for custom metrics and for the following built-in metrics:
  • Network source:
    • Network Bytes (total throughput)
    • Network Packets (total packets)
    • Maximum Network Bytes per Millisecond
    • Maximum Network Packets per Millisecond
  • Device source:
    • Network Bytes (combined inbound and outbound throughput by device)
    • Network Bytes In (inbound throughput by device)
    • Network Bytes Out (outbound throughput by device)
    • Network Packets (combined inbound and outbound packets by device)
    • Network Packets In (inbound packets by device)
    • Network Packets Out (outbound packets by device)
120 minutes or less 30-second If a 30-second roll up is not available, a 5-minute or 60-minute roll up displays.
Between 121 minutes and 24 hours 5-minute If 5-minute roll up is not available, a 60-minute roll up displays.
Greater than 24 hours 60-minute
Note:If you have an extended datastore that is configured for 24-hour metrics, a specified time interval of 30 days or longer displays a 24-hour aggregation roll up.

Zoom in on a custom time range

You can click-and-drag across a chart to zoom in on interesting metric activity. This custom time range is then applied across the ExtraHop Web UI, which is useful for investigating other metric activity that occurred at the same time.

Zooming in on a time range is only available in charts with an x- and y-axis, such as line, area, candlestick, and histogram charts.

  1. Click-and-drag your mouse across the chart to select a time range. If the time range is less than one minute, the time range appears red. Drag the mouse until the time range appears green.
  2. Release the mouse button. The chart is redrawn to the custom time range and the time interval in the upper right corner of the navigation bar is updated.
  3. To revert from the custom time interval to your original time interval, click the undo icon—a magnifying glass with a minus sign—which is displayed next to the time interval in the upper right corner of the navigation bar.
    Tip:On a dashboard page, you can limit the zoom-in custom time range to a specific region. Click the region header, select Use Region Time Selector, and then zoom in on a chart. Each chart or widget within that region is updated to the custom time range.

Freeze the time interval to create a custom time range

If you see interesting data in an activity map, dashboard, or protocol page, you can freeze the time interval to instantly create a custom time range. Freezing the time interval is useful for creating links that you can share with others, and for investigating related metric activity that occurred at the same time.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the time selector in the upper left corner of the page.
  3. Select a preset time interval.
  4. Click Freeze.
    The Custom time range automatically updates as shown in the figure below. The range begins with the earliest time from the previous time interval and ends with the time that you clicked Freeze.

  5. Click Save.
    The new custom time range will not change as you navigate across the Web UI. You can share or bookmark the URL in your browser.
    Note:The time interval is included at the end of the URL in your browser. To share a link with others that maintains a specific time interval, copy the entire URL. Creating a bookmark for the URL maintains the custom time range even after you log out of the Discover appliance.
  6. To remove the custom time range, change the time interval.

Overview pages

Overview pages enable you to quickly evaluate the scope of suspicious activity on your network, learn about protocol activity and device connections, and investigate inbound and outbound traffic on your network.

  • View the Security Overview for information about security detections on your network.
  • View the Network Overview for information about active devices on your network.
  • View the Perimeter Overview for information about traffic traveling in and out of your network.

Security Overview

The Security Overview displays several charts that highlight data from different perspectives about detections. These charts can help you evaluate the scope of security risks, launch investigations into unusual activity, and mitigate security threats. Detections are analyzed every 30 seconds or every hour, depending on the metric.

Site Selector
Click the site selector at the top of the page to view data for one or more sites in your environment. The site selector enables you to view combined traffic across your networks or to focus on a single site to help you quickly find device data.
Executive Report
Click Generate Executive Report to create a PDF file. The Executive Report provides a summary of the top detections and risks to your network from the last week. The Executive Report only includes information for the selected sites.
Total Security Detections
This count chart shows you the number of detections that occurred during the selected time interval. By changing the time interval, you can see how many detections occurred for a given time period. Click the number to open the Detections page. Learn more about detections.
Detections by Security Category
This chart provides a quick way to see the types of attacks your network might be at risk for. Click any number to open a filtered view of detections that match the selected security category, and continue your investigation.
Assets with Detections
This count chart shows you the number of detections that occurred on devices that receive Advanced Analysis—the highest level of analysis.
Detections by Device Role
This chart shows you a breakdown of detections by device role with the highest associated risk score, so you can quickly identify any business-critical systems that might be at risk. Click the number next to the device role to open a filtered list of related devices. Click the number of detections to open a filtered view of detections for the devices assigned to the role.
Highest Risk Score
This count chart shows you the number of the highest risk score amongst all of your detections. Click the number to open a filtered view of all detections sorted by risk score.
Detections by Risk Score
This chart shows you a gradient view of how many detections are in each risk level.
Top Detections by Title
This chart shows you a list of detection titles, sorted by highest-count. Click the number to open a filtered view of the selected detection. Each detection title summarizes what caused the detection; click the title name to open all detections in that title and begin your investigation.

Learn more about network security with the Security dashboard.

Network Overview

The Network Overview displays the active devices on your network, how they are communicating, and trends in important metrics. The Network Overview refreshes activity map and network health indicator data every minute.

Site Selector
Click the site selector at the top of the page to view data for one or more sites in your environment. The site selector enables you to view combined traffic across your networks or to focus on a single site to help you quickly find device data.
Executive Report
Click Generate Executive Report to create a PDF file. The Executive Report provides a summary of the top detections and risks to your network from the last week. The Executive Report only includes information for the selected sites.
Active Devices
This count chart shows you the total number of devices that have been discovered by your ExtraHop system. Click the number to view a list of all discovered devices. The percentage shows you the rate of change for the selected time interval.
New Devices
This count chart shows you how many devices have been discovered within the past five days. Click the number to view a list of all of these devices.

Activity maps

An activity map cycles through the following protocols each minute when activity is detected:

  • CIFS
  • Database (DB)
  • DNS
  • FTP
  • HTTP
  • LDAP
  • SSH
  • SSL
  • Telnet

Here are some ways you can interact with the activity map:

  • Click the protocol name to open the activity map in a view that enables you to add steps and group filters. You can then save your modified activity map to revisit.
  • Click the arrows around the protocol name to cycle through the available protocols. Protocols without activity in the specified time interval do not display.
  • Click controls from the lower right corner of the activity map to pause and resume cycling, toggle between 2D and 3D visualization, and to zoom in and out of the map.
  • Hover over a circle to see device labels and highlight device connections.
  • Click a circle and then click the device name to view a protocol page for the device.

Learn more about navigating activity maps.

Network health indicators

Network health indicators show you general trends related to network and security health. Network health indicators might signal weaknesses or issues in network performance or potentially suspicious activity.

Each network health indicator displays the percentage of change in network activity compared to the previous time interval. Metrics are listed in descending order, by percentage of greatest change to least. Network health indicators with no activity during the specified time interval are not displayed.

Depending on the type of network activity and the amount of change, you can launch an investigation by clicking the metric title to drill down to a detail page. You can then investigate which factors are contributing to the activity.

For example, click the title, such as Weak Ciphers Sessions. A detail page appears with all the clients, servers, certificates, and SNIs that were associated with weak cipher sessions, as shown in the following figure.

The following network health indicators can appear on the Network Overview page.

DNS - Address Mapping Record Queries
This network health indicator shows you the number of DNS requests received by DNS servers that included the A record type. An A record maps a domain name to the IP address (IPv4) of the domain host. Click the metric title to see which clients sent the most requests.
Why is this metric a security health indicator?
While DNS address mapping queries are normal, large or sudden increases can be an indicator of potential data exfiltration or a DNS tunnel. A DNS tunnel is a technique that encodes data into DNS queries for data exfiltration or command and control attacks. For example, sensitive data can be encoded into the hostname within the A record. You can view the A record by clicking the records icon next to a client that sent a high number of DNS requests.
DNS - FTP Responses
This network health indicator shows you the number of FTP responses sent by DNS servers. Click the metric title to see which servers sent the highest number of FTP responses.
Why is this metric a security health indicator?
The primary activity for DNS servers should be to resolve hostnames instead of sending files over FTP. Attackers can exploit weaknesses in DNS servers, which often go undetected. If there is an increasing number of FTP data transfer by DNS servers, investigate this suspicious activity.
DNS - Request Timeouts
This network health indicator shows you the number of timeouts that occurred after repeated unanswered DNS query requests were sent from clients. Click the metric title to see which clients were affected and which servers were not responding.
Why is this metric a security health indicator?
DNS can be a bottleneck in your network if hostname resolution cannot take place. A spike, or large increase in request timeouts, is disruptive to your network in general, and can also be an indicator of a distributed denial of service (DDoS).
DNS - Requests with Suspicious Hosts
This network health indicator shows you the number of DNS requests that included a suspicious hostname, according to threat intelligence applied to your Reveal(x) system. Click the metric title to see which hosts are considered suspicious. Click the red camera icon to see threat intelligence details about the hostname.
Why is this metric a security health indicator?
Threat intelligence provides known data about suspicious IP addresses, hostnames, and URIs. You should always investigate indicators of compromise that are identified by threat intelligence. You can view information about the entire DNS transaction by clicking the records icon next to a suspicious host query.
DNS - Text Record Queries
This network health indicator shows you the number of DNS requests received by DNS servers that included the TXT record type. A TXT record associates human-readable text with a host. Click the metric title to see which client sent the most DNS requests with the TXT record type.
Why is this metric a security health indicator?
DNS queries that include TXT records are typically uncommon, and large increases can be an indicator of a potential DNS tunnel. A DNS tunnel is a technique that encodes data into DNS queries for data exfiltration or command and control attacks. For example, malware or sensitive data can be encoded into the TXT record. You can view the TXT record by clicking the records icon next to a client that sent a high number of DNS requests.
HTTP - 404 Not Found Error
This network health indicator shows you the number of HTTP responses that included the 404 (Not Found) status code. Click the metric title to see which URIs were associated with the 404 status code.
Why is this metric a security health indicator?
While a certain number of 404 errors might be considered normal, a large increase in this client-side error could indicate a potential web directory scan. Attackers rely on information about the underlying web server and associated components that are returned in the HTTP 404 status code.
HTTP - 500 Server Errors
This network health indicator shows you the number of HTTP responses sent by servers that contained the 500 (Server Error) status code. Click the metric title to see which URIs were associated with the 500 status code.
Why is this metric a security health indicator?
A large or sudden increase in this server-side error could indicate a potential web directory scan. Web penetration tools deployed by attackers rely on information about the underlying web server and associated components that are returned in the HTTP 500 status code.
HTTP - Requests with Suspicious Hosts
This network health indicator shows you the number of HTTP requests that included a suspicious hostname, according to threat intelligence found in your Reveal(x) system. Click the metric title to see which hosts are considered suspicious. Click the red camera icon to see related threat intelligence details about the host.
Why is this metric a security health indicator?
Threat intelligence provides known data about suspicious IP addresses, hostnames, and URIs. You should always investigate indicators of compromise that are identified by threat intelligence. You can view information about the entire HTTP transaction by clicking the records icon next to a suspicious host.
HTTP - Requests with Suspicious URIs
This network health indicator shows you the number of HTTP requests that included a suspicious URI, according to threat intelligence found in your Reveal(x) system. Click the metric title to see which URIs are considered suspicious. Click the red camera icon to see related threat intelligence details about the URI.
Why is this metric a security health indicator?
Threat intelligence provides known data about suspicious IP addresses, hostnames, and URIs. You should always investigate indicators of compromise that are identified by threat intelligence. You can view information about the entire HTTP transaction by clicking the records icon next to a suspicious URI.
SSL - Expired Certificate Sessions
This network health indicator shows you the number of TLS/SSL sessions that were established with an expired certificate. Click the metric title to see which expired certificates had the most sessions.
Why is this metric a security health indicator?
Certificate authorities add expiration dates to certificates, which are required for establishing a secure TLS or SSL session. Sessions established with expired certificates could indicate that servers have certificate verification disabled, or that users ignored browser warnings when establishing the session. This type of activity increases the vulnerability of devices to man-in-the-middle attacks. Consider configuring your web servers to remove expired certificates.
SSL - Insecure SSLv3 Protocol Sessions
This network health indicator tells you the number of connections on your network that were established with SSL version 3.0. Click the metric title to see a list of servers and clients with SSLv3 sessions.
Why is this metric a security health indicator?
Known vulnerabilities, such as BEAST and POODLE, are associated with SSLv3. If you have a high number of SSLv3 sessions, consider configuring servers to support the latest version of TLS.
SSL - Insecure TLS 1.0 Protocol Sessions
This network health indicator tells you the number of connections on your network that were established with TLS version 1.0. Click the metric title to see a list of servers and clients with TLS 1.0 sessions.
Why is this metric a security health indicator?
Known vulnerabilities, such as BEAST and POODLE, are associated with TLS 1.0. If you have a high number of TLS 1.0 sessions, consider configuring servers to support the latest version of TLS.
SSL - Self-signed Sessions
This network health indicator shows you the number of TLS/SSL sessions that were established with self-signed certificates. Click the metric title to see which clients were associated with self-signed certificate sessions.
Why is this metric a security health indicator?
Self-signed certificates are not issued or verified by a certificate authority. The presence of self-signed certificates might indicate that software on your systems is not validating certificates, making your network vulnerable to man-in-the-middle attacks. A sudden or large increase in sessions with self-signed certificates could also indicate that an attacker is communicating with command and control servers.
SSL - Weak Cipher Sessions
This network health indicator shows you the number of the number of TLS/SSL sessions that were established with weak ciphers. Click the metric title to see which clients are associated with weak ciphers.
Why is this metric a security health indicator?
A cipher suite is a set of encryption algorithms that help secure a TLS/SSL connection. Algorithms within a cipher suite that are associated with known vulnerabilities are considered weak. You can view the cipher suite by clicking the records icon next to a client. Consider configuring your web servers to remove weak ciphers.
TCP - Suspicious TCP Connections
This network health indicator shows you the number of the number of outbound connections to suspicious IP addresses, according to threat intelligence found in your Reveal(x) system. Click the metric title to see which IP addresses are considered suspicious. Click the red camera icon to see related threat intelligence details about the IP address.
Why is this metric a security health indicator?
Threat intelligence provides known data about suspicious IP addresses, hostnames, and URIs. You should always investigate indicators of compromise that are identified by threat intelligence.

Learn more about your network with the Network dashboard.

Perimeter Overview

The Perimeter Overview displays charts and interactive visualizations that help you monitor traffic that is entering and leaving your network through connections with external endpoints.

Site Selector
Click the site selector at the top of the page to view data for one or more sites in your environment. The site selector enables you to view combined traffic across your networks or to focus on a single site to help you quickly find device data.
Executive Report
Click Generate Executive Report to create a PDF file. The Executive Report provides a summary of the top detections and risks to your network from the last week. The Executive Report only includes information for the selected sites.
Internal Endpoints Accepting Inbound Connections

This count chart displays the number of internal endpoints that accepted inbound connections from external endpoints during the selected time interval. Click the chart to open a filtered view of these conversations.

Suspicious Inbound Connections
This count chart displays the number of connections that were initiated by suspicious external endpoints. ExtraHop identifies suspicious endpoints through threat intelligence data. Click the chart to open a filtered view of these conversations.
Suspicious Outbound Connections
This count chart displays the number of connections that internal endpoints initiated with suspicious external endpoints. ExtraHop identifies suspicious endpoints through threat intelligence data. Click the chart to open a filtered view of these conversations.
Total External Traffic
This chart shows the rate that data is moving outbound and inbound from connections with external endpoints. Click the Inbound Traffic or Outbound Traffic data label to access menu options to create a new chart, search for related records, or drill down by conversation.

Halo visualization

The halo visualization provides three views of your network connections to external endpoints: Large Data Upload, Uncommon Destinations, and Cloud Service Traffic.

External endpoints are displayed in the outer ring with connections to internal endpoints, which are displayed as circles in the middle of the visualization. These visualizations enable you to prioritize your investigation for connections marked with high-risk detections or for critical assets.

Click Large Data Upload to view connections where a large amount of data (25 MB or more) was transferred out of your network to an external endpoint in a single transmission.

Click Uncommon Destinations to view connections to uncommon or unknown endpoints.

Click Cloud Service Traffic to view connections to cloud service providers. You can toggle between views that show Bytes Out to providers and Bytes In to your network.

Here are some ways that you can interact with these halo visualizations:
  • Hover over endpoints or connections to view hostnames and IP addresses.
  • Click endpoints or connections to hold focus and display information and links for your selection in an information panel to the right.
  • Adjust the time interval to view connections at specified times, such as unexpected activity during evenings or weekends.

Dashboards

Dashboards are an effective tool for monitoring high-priority network traffic or troubleshooting issues because they consolidate multiple metric charts into a central location where you can investigate and share data. You can also add text boxes, formatted through Markdown, to provide content for stakeholders.

Dashboards and collections are located in the dashboard dock.

Click Collections to display all of the dashboard collections you own or that have been shared with you. The number of dashboards in each collection is displayed. Click the collection name to view the owner, who the collection is shared with, and the list of dashboards in the collection.

Only the collection owner can modify or delete a collection. However, because dashboards can be added to multiple collections, you can create a collection and share it with other users and groups.

Click Dashboards to display an alphabetized list of all of the dashboards that you own or that have been shared with you, including dashboards shared through a collection. The owner of each dashboard is displayed. An icon next to the owner name indicates that the dashboard was shared with you.

Creating dashboards

If you want to monitor specific metrics or custom metrics, you can create a custom dashboard. Custom dashboards are stored separately for each user that accesses the ExtraHop Discover appliance. After you build a custom dashboard, you can share it with other ExtraHop users.

There are several ways to create your own dashboard:

New dashboards are opened in Edit Layout mode, which enables you to add, arrange, and delete components within the dashboard. After creating a dashboard, you can complete the following tasks:

Click the command menu in the upper right corner of the page to edit the dashboard properties or delete the dashboard.

Note:You cannot recover a deleted dashboard. If a dashboard owner's account is deleted from the ExtraHop system, you have the option of transferring the dashboard to another user through the Admin UI. Otherwise, all custom dashboards associated with the user account are also deleted. To preserve dashboards, make a copy before the account is deleted.

Learn how to monitor your network by completing a dashboard walkthrough.

Viewing dashboards

Dashboards are composed of chart widgets, alert widgets, and text box widgets that can present a concise view about critical systems or about systems managed by a particular team.

Click within a chart to interact with the metric data:

  • Click a chart title to view a list of metric sources and menu options.
  • Click a metric label to drill down and investigate by a metric detail.
  • Click a metric label and click Hold Focus to display only that metric in the chart.
  • Click a chart title or a metric label and then click Description to learn about the source metric.
  • Click a detection marker to navigate to the detection detail page

Change the time selector to observe data changes over time:

Export and share dashboard data

By default, all custom dashboards are private and no other ExtraHop users can view or edit your dashboard.

Share your dashboard to grant view or edit permission to other ExtraHop users and groups, or share a collection to grant view-only permission to multiple dashboards.

You can only modify a shared dashboard if the owner granted you edit permission. However, you can copy and customize a shared dashboard without edit permission.

Export data by individual chart or by the entire dashboard:

  • To export individual chart data, click the chart title and select one of the following options from the drop-down menu: Export to CSV or Export to Excel.
  • To present or export the entire dashboard, click the command menu in the upper right corner of the page and select one of the following options: Presentation Mode, Export to PDF or Scheduled Reports (Command appliance only).

System dashboards

The ExtraHop system provides the following built-in dashboards that display common protocol activity about the general behavior and health of your network.

System dashboards are located in the default System Dashboards collection in the dashboard dock and cannot be added to another collection. System dashboards can be viewed by any user except for restricted users.

Activity dashboard
Find top-talkers by application (L7) protocols and view recent alerts. For more information about charts in this dashboard, see Activity dashboard.
Network dashboard
Identify traffic latency and bottlenecks over the data link (L2), network (L3), and transport (L4) layers. For more information about charts in this dashboard, see Network dashboard.
Security dashboard (Reveal(x) only)
Monitor general information about potential security threats on your network. For more information about charts in this dashboard, see Security dashboard.

Activity dashboard

Monitor general information about application activity and performance from the transport through the application layers (L4 - L7) on your network.

The Activity dashboard is a built-in, system dashboard, and you cannot edit, delete, or add system dashboards to a collection. However, you can copy a chart from a system dashboard and add it to a custom dashboard, or you can make a copy of the dashboard and edit it to monitor metrics that are relevant to you.

Each chart in the Activity dashboard contains visualizations of protocol metric data, organized by region. The following information summarizes each region and its charts.

Traffic Overview
Determine whether traffic bottlenecks are related to a specific application protocol or network latency. The Traffic Overview region contains the following charts:

Network Packets by L7 Protocol Avg Rate chart: Find the protocol that has the highest volume of packet transmissions over the application layer (L7) during the selected time interval.

All Activity Network Round Trip Time: The 95th percentile line shows you the upper range of the time that it took for packets to traverse the network. If this value is over 250ms, then network issues could be slowing down application performance. Round trip time is a measurement of the time between when a client or server sent a packet and received an acknowledgment.

Alerts: View up to 40 of the latest alerts that were generated, and their severity levels. Alerts are user-configured conditions that establish baseline values for specific protocol metrics.

Active Protocols

Determine how application performance is affected by the protocols that are actively communicating over the wire. For example, you can quickly glance at charts that display server processing times and the ratio of errors to responses per protocol.

There is a chart for each active protocol. If you do not see a protocol you were expecting, applications might be not communicating over that protocol for the selected time interval.

For more information about protocols and to view metric definitions, see the ExtraHop Protocol Metrics Reference.

Note:In the Command Sensor, you can display the Activity dashboard for each site. The site name appears in the navigation bar; click the down arrow next to the name to pivot the display to other sites.

Network dashboard

Monitor how effectively data is transmitted over the data link, network, and transport (L2 - L4) layers.

The Network dashboard is a built-in, system dashboard, and you cannot edit, delete, or add a system dashboard to a collection. However, you can copy a chart from a system dashboard and add it to a custom dashboard, or you can make a copy of the dashboard and edit it to monitor metrics that are relevant to you.

Each chart in the Network dashboard contains visualizations of network metric data, organized by region. The following information summarizes each region.

Network L2 Metrics
Monitor the throughput rates over the data link (L2) layer by bits and packets, and monitor the types of frames transmitted. You can also determine how much data is sent to receivers by unicast, broadcast, or multicast distribution.
Network L4 Metrics
Monitor data transfer latency over the transport layer (L4). View TCP activity through connection, request, and response metrics. This data can indicate how effectively data is sent and received across the transport layer in your network.
Network Performance
Monitor how network performance is affecting applications. View overall network throughput by reviewing the throughput per application protocol and the magnitude of high TCP round trip times.
Network L3 Metrics
View data throughput at the network layer (L3) and see packets and traffic by TCP/IP protocols.
DSCP
View a breakdown of packets and traffic by Differentiated Services code points, which is part of the DiffServ network architecture. Every IP packet contains a field to express the priority of how the packet should be handled, which is called differentiated services. The values for the priorities are called code points.
Multicast Groups
View traffic that is sent to multiple receivers in a single transmission, and see packets and traffic by each receiver group. Multicast traffic on a network is organized into groups based on destination addresses.
Note:In the ExtraHop Command appliance, you can display the Network dashboard for each Discover appliance. The appliance name appears in the navigation bar; click the down arrow next to the appliance name to pivot the display to other connected Discover appliances.

Security dashboard

Monitor general information about potential security threats on your network.

The Security dashboard is a built-in, system dashboard, and you cannot edit, delete, or add a system dashboard to a collection. However, you can copy a chart from a system dashboard and add it to a custom dashboard, or you can make a copy of the dashboard and edit it to monitor metrics that are relevant to you.

Each chart in the Security dashboard contains visualizations of protocol metric data, organized by region. The following information summarizes each region and its charts.

Security Overview
Click the links to visit the Security Overview page, which can help you evaluate the scope of a suspicious activity on your network. The Security Overview page dynamically displays high-risk detections, trending security metrics, and rotating activity maps that display network activity by protocol.
Note:Machine learning detections require a connection to ExtraHop Cloud Services.
Alerts
See which alerts were issued most recently in your environment. For more information about configuring and interpreting alerts, see Alerts.
Threat Intelligence
See the number of connections and transactions that contain suspicious hostnames, IP addresses, or URIs found in threat intelligence. Click a blue metric value or metric name in the legend to drill down on a suspicious metric. A detail page appears that displays a red camera icon next to the suspicious object. Click the red camera icon to learn about the threat intelligence source.
Note:Threat intelligence metrics display a zero value for one or more of the following reasons:
  • Your Reveal(x) subscription does not include threat intelligence. Threat intelligence requires a Reveal(x) Premium or Ultra subscription.
  • You have not enabled threat intelligence for your Reveal(x) system..
  • You enabled threat intelligence for a connected Command appliance instead of the Discover appliance where you are viewing the Security dashboard.
  • No suspicious objects were found.
SSL - Weak Ciphers
See the number of active SSL sessions with weak cipher suites on your network. You can also see which clients and servers are participating in those sessions along with which cipher suites those sessions are encrypted with. DES, 3DES, MD5, RC4, null, anonymous, and export cipher suites are considered to be weak because they include an encryption algorithm that is known to be vulnerable. Data encrypted with a weak cipher suite is potentially insecure.
SSL - Certificates
See which SSL certificates in your network are self-signed, wildcard, expired, and expiring soon. Self-signed certificates are signed by the entity that issues the certificate, rather than a trusted certificate authority. Although self-signed certificates are cheaper than certificates issued by a certificate authority, they are also vulnerable to man-in-the-middle attacks.

A wildcard certificate applies to all first-level subdomains of a given domain name. For example, the wildcard certificate *.company.com secures www.company.com, docs.company.com, and customer.company.com. Although wildcard certificates are cheaper than individual certificates, wildcard certificates create a greater risk if they are compromised because they can apply to any number of domains.

Vulnerability Scans
See which devices are scanning applications and systems on your network to search for weaknesses and potential targets, such as critical assets. In the left chart, you can identify which devices are sending the most scan requests, which are HTTP requests associated with known scanner activity. In the right chart, you can see which user-agents are associated with the scan requests. The user-agent can help you determine if scan requests are associated with known vulnerability scanners such as Nessus and Qualys.
DNS
See which DNS servers are most active on your network and the total number of reverse DNS lookup failures those servers have encountered. A reverse DNS lookup failure occurs when a server issues an error in response to a client request for a pointer (PTR) record. Failures in reverse DNS lookups are normal, but a sudden or steady increase in failures on a specific host might indicate that an attacker is scanning your network.
Note:In the ExtraHop Command appliance, you can display the Security dashboard for each Discover appliance. The appliance name appears in the navigation bar; click the down arrow next to the appliance name to pivot the display to other Discover appliances.

Create a dashboard

Dashboards provide a single location for important metrics that you care about. When you create a custom dashboard, a dashboard layout opens containing a single region with an empty chart widget and an empty text box widget. Edit a chart to incorporate real-time metrics into your dashboard, and edit a text box to provide information. Finally adjust the layout and add more widgets to complete your dashboard and begin monitoring your network.

Before you begin

Determine which metrics you want to monitor on your dashboard. Ask yourself the following questions:
  • Do I want to track if my server is offline or unavailable? Add availability metrics such as requests and responses to your dashboard charts.
  • Is my server functioning properly? Add reliability metrics such as errors to your dashboard charts.
  • Is my server properly resourced? Add performance metrics such as server processing time to your dashboard charts.

Create the dashboard layout

The following steps show you how to create the framework for your dashboard, which includes two empty widget types: a chart and a text box. Your new dashboard opens in Edit Layout mode (which is displayed in the upper right corner). Edit Layout mode enables you to quickly edit your chart and text box, and arrange the placement of widgets and regions on a dashboard.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. On the Dashboards page, complete one of the following steps:
    • Click Dashboards in the dashboard dock and then click Create Dashboard at the bottom of the dock.
    • Click the command menu in the upper right corner of the page and select New Dashboard.
  4. In the Dashboard Properties window, type a name for your dashboard.
  5. Enter any other meta data for your dashboard, such as a name for the author or a description. Note that the Permalink provides a direct URL to your dashboard for any users who have sharing privileges for your dashboard.
  6. Click Create.

Edit a basic chart

The following steps show the general flow for editing a chart widget in the Metric Explorer tool. Begin by specifying sources and metrics to add data to your chart. For example, you can now add the availability, reliability, or performance metrics that you considered at the beginning of this procedure to your dashboard. Then choose a chart type to visualize the data.

  1. Click the chart to launch the Metric Explorer.
  2. Click Add Source.
  3. In the source search field, type the name of a source and then select the source from the search results.
  4. In the metric search field, type the protocol and metric name and then select the metric you want to add to the chart from the search results. For example, to monitor the reliability of web transactions, type HTTP errors and then select HTTP Errors from the search results.
  5. Select a chart type from the bottom of the Metric Explorer. Some charts might not be compatible with your selected metrics. For example, the heatmap chart can only display dataset metric data, such as server processing time. For more information about charts and compatible metrics, see Chart types.
  6. (Optional): Select a drill down key to view detail metrics. Click Drill down by <None>, where <None> is the name of the detail metric key currently displayed in your chart. You can view up to 20 top key values in a chart for a specific time interval.
  7. Click Save.

Next steps

Edit a basic text box widget

The following steps show you how to display custom text in a dashboard region, which is a helpful tool for adding notes about a chart or data in a dashboard. The text box widget supports the Markdown syntax. A new text box widget contains sample text that is already formatted in Markdown to provide you with basic examples.

  1. Click the text box.
  2. Type and edit text in the left Editor pane. The HTML output text dynamically displays in the right Preview pane. For more formatting examples, see Format text in Markdown.
  3. Click Save.

Add more widgets and regions to your dashboard

Add and arrange the placement of regions and widgets on your dashboards.

  1. Click-and-drag dashboard components, such as a region or widgets, from the bottom of the page onto the workspace.
  2. To arrange dashboard components, click-and-drag the edge of a region or widget to resize them. If dashboard components overlap, they will be outlined in red. You must click and drag the sides of the widgets and regions to make room.
  3. (Optional): Click Remove Extra Space to remove the empty vertical white space around widgets. Empty vertical white space will be removed from every region on the dashboard.
  4. After making your changes, click Exit Layout Mode.
    Note:If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

Next steps

Now that your dashboard is complete, you can perform the following steps:

Chart editing tips

The following tips help you search for and select metrics when building a chart.

  • Filter search results to a specific source type or protocol by clicking Any Type or Any Protocol underneath the search fields.
  • You can only select the same source type that is currently in your metric set. A metric set contains one source type and metrics. For example, if you select the All Activity application as the source, you can only add more applications to that metric set. Add more sources of the same type to your chart by clicking Add Application, Add Device, Add Group, or Add Network. To include a different source type in your chart, click Add Source to start a new metric set.
  • Create an ad hoc group of more than one source in your chart by selecting Combine Sources. For example, you can combine two applications and then view a single metric value in the chart for both of these applications.
  • If you select a device group as your source, you can Drill down by Group Member to display individual metrics for up to 20 of the devices within the group.

Create a dashboard with dynamic sources

You can create a dashboard with dynamic sources to enable users to change the source of the dashboard at any time. If you have created a large number of dashboards that all have the same metrics, but different sources, you might want to consider replacing those dashboards with a single, dynamic-source dashboard.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select a dashboard that you want to edit.
  4. Set the source of each chart to a source type variable.
    1. Click the name of a chart and then click Edit.
    2. In the Sources field, type $.
      The Source Type Variables list appears.
    3. From the Source Type Variables list, select the type of source that you are replacing. For example, if you are replacing a device source, select $device.
  5. Click Save.
    At the top of the dashboard, the View Source drop-down menu appears.
  6. From the View Source drop-down menu, select the source that you would like to view metrics for.
    If no data is displayed in the dashboard charts, try refreshing the page.
Tip:If you want to hide the dynamic source menu from your dashboard, append the following parameter to the end of the dashboard page URL: &hideTemplatePanel=true.

Before

After

For example:

https://eda/extrahop/#/Dashboard/XYFwM/?$device=16&from=30&interval_type=MIN&until=0&hideTemplatePanel=true

Next steps

Copy a dashboard

If you want to duplicate a useful dashboard, you can copy a dashboard and then replace or modify sources to display different application, device, or network data. You can only copy one dashboard at a time.

Note:If you only want to copy a dashboard so you can change the source across the entire dashboard, you might want to consider creating a dashboard with dynamic sources instead of making multiple copies of a single dashboard.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select a dashboard that you want to copy.
  4. Click the command menu in the upper right corner of the dashboard page.
  5. Click Copy and complete one of the following steps:
    • Click Keep Sources to maintain the original data configurations in the new dashboard.
      Note:When you copy a dashboard with dynamic sources, the original data configurations are automatically maintained.
    • Click Modify Sources, which helps you to immediately update every region, chart, and widget within the copied dashboard with another source, and then complete the following steps:
      1. In the right pane of the Modify Sources window, click a source name. A search field opens.
      2. Type the name of a new source and then select the source from the drop-down list. Repeat this step if the dashboard contains more than one source that you want to replace.
      3. Click Create Dashboard.
    A copied dashboard with a modified version of the original title is created.
  6. To rename the copied dashboard, complete the following steps:
    1. Click the command menu in the upper right corner and the page.
    2. Select Dashboard Properties.
    3. In the Title field, type a new name.
    4. Click Save.
    Tip:To quickly copy a dashboard, type the keyboard shortcut CD and then update Dashboard Properties or modify sources.

Edit a dashboard layout

Place your dashboard into Edit Layout mode to add, delete, or rearrange the widgets and regions on your dashboard layout. You can only add or delete widgets or regions when the dashboard is in Edit Layout mode.

When you create a new dashboard, the dashboard is automatically placed into Edit Layout Mode. To edit the layout of an existing dashboard, complete the following steps:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select a dashboard that you want to edit.
  4. Click the command menu in the upper right corner of the page, and then select Edit Layout.
  5. In Edit Layout mode, select from the following options:
    Add widgets and regions

    Click-and-drag a widget or region from the bottom of the page and place it onto the dashboard.

    Widgets are configurable dashboard components that provide the following functions:

    Chart: add metrics and select chart types to visualize data

    Text box: add explanations, links, and images to your dashboard

    Alerts: scan up to 40 recent alerts, sorted by severity

    Activity Group: monitor devices that are grouped together automatically by protocol activity in the ExtraHop system

    Regions contain and logically group widgets together. Click-and-drag widgets into a region. The width of a region can include a maximum of six widgets. The length of a region and dashboard is unlimited.

    Delete widgets and regions
    To delete a region, click Delete in the region header. To delete a widget, click the title and then select Delete from the drop-down menu.
    Arrange the placement of widgets and regions

    Click the header of a region or widget to drag them into a different location. Click and drag the edge of a region or widget to resize them.

    If dashboard components overlap, they will be outlined in red. You must click and drag the sides of the widgets and regions to make room.

    Duplicate charts
    Click Duplicate to create a copy of a chart or text box in the same region.
  6. (Optional): Click Remove Extra Space to remove the empty vertical white space around widgets. Empty vertical white space will be removed from every region on the dashboard.
  7. Click Exit Layout Mode in the upper right corner of the page to save your changes.
    Note:If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

Edit a chart with the Metric Explorer

The Metric Explorer is a tool for creating and editing charts, which lets you construct dynamic visualizations of device and network behavior.

Create and edit a basic chart

With the Metric Explorer, you can edit chart components, such as sources, metrics, and data calculations, and then preview how metric data appears in different chart types. When you are satisfied with your selections, save your chart to a dashboard.

The following steps show you the basic workflow and minimum requirements for completing a new chart.

  1. Click Add Source and then select a source.
    • You can select a static source for the chart by typing the name of an application, device, or network.
    • You can also select a dynamic source that can be dynamically modified by dashboard viewers by typing $ and selecting a variable from the Source Type Variable list. For more information about source type variables and dashboard templates, see Create a dashboard with dynamic sources.
  2. Select the source from the list of results.
  3. In the Metrics field, type a protocol and metric name. Then select the metric from the list of results, as shown in the following figure.
  4. Select a chart from the bottom of the Metric Explorer, as shown in the following figure.
  5. (Optional): Click the drop-down link below the metric name to display a count or rate or percentile.
  6. Complete one of the following steps:
    • Click Save when creating or editing a chart from a dashboard. Your dashboard is updated with your basic chart.
    • Click Add to Dashboard when creating or editing a chart from a protocol page. Then select an existing dashboard from the list, or select Create Dashboard.

Configure advanced options for data analysis and chart customization

Depending on the metrics and chart type you select, you can configure advanced options for creating sophisticated visualizations with the Metric Explorer, as shown in the following figure.

Drill down on metric data and sources to display details
In the Details section from the Metrics tab, you can drill down to display detail metrics or drill down on a device group to display individual devices within the chart. You can also filter detail metrics for exact matches, or create a regex filter.
Add a baseline or threshold line from the Analysis tab
You add a dynamic baseline or static threshold line to your chart. Baselines are calculated after the chart is saved. To see a line that represents a threshold, such as an service level agreement (SLA) value, add a static threshold line to your chart.
Rename legend labels and the chart title
For charts that display a legend, you can change a metric name in the chart legend with a custom label. In the Metric Explorer, click the label in the preview pane then select Rename. To rename a chart, click the chart title and select Rename.
Customize your chart from the Options tab
You can access the following options for customizing chart properties and the display of metric data in your chart:
  • Convert metric data from bytes to bits
  • Convert metric data from base 2 (Ki=1024) to base 10 (K = 1000)
  • Change the y-axis in a time-series chart from linear to log scale
  • Abbreviate metric values in a chart (for example, abbreviate 16,130,542 bytes to 16.1 MB)
  • Sort metric data in ascending or descending order in a bar, list, or value chart
  • Change the percentile precision in a pie chart
  • Hide or display a chart legend
  • Hide inactive metrics with a zero value so that these metrics are not visible in the chart, including the legend and label
  • Include sparkline in a list or value chart
  • Show the alert status for data displayed in list or value charts (for more information, see Alerts)
  • Switch the color display for metric data to grayscale (with exception to charts that display an alert status)
  • For IP address labels, display the hostname (if detected from DNS traffic in wire data) or origin IP address (if a proxy is detected from wire data)
  • Show the relative time for an expiration date, such as the number of days until an SSL certificate expires.
Note:Some options are only available for specific chart types. For example, the option to include a sparkline only appears in the Options tab for list and value charts.
Create an ad hoc group to combine data from multiple sources
From the Metric tab, you can create an ad hoc group of multiple sources within a set by selecting Combine Sources. For example, you can combine two applications and then view a single metric value in the chart for both of these applications.

Next steps

Practice building charts by completing the following walkthroughs:

Regular expression filters

Filter your search results by writing regular expression (regex) strings in certain search fields throughout the ExtraHop Web UI. For example, you can filter for parameters in a detail metric key, such as a number within an IP address. You can also filter by excluding specific keys or combination of keys from charts.

Regex-capable search fields have visual indicators throughout the system and accept standard syntax. If you want to configure record relationships for a custom detail metric, the regex syntax has advanced requirements. For more information, see the section on Additional Filters.
Search fields with an asterisk
Click the asterisk in the field to enable regex strings.

This type of field is available from the following system pages:
  • Filtering a table of devices
  • Creating filter criteria for a dynamic device group
Certain search fields with a trifield operator
Click the operator drop-down to see the regex option.

This type of field is available from the following system page:
  • Editing a chart in Metric Explorer
Certain search fields with a tooltip
Hover over the tooltip in the field to see the regex option.

This type of field is available from the following system page:
  • Creating a threshold alert

The following table includes examples of standard regex syntax.

Chart Scenario Regex filter How it works
Compare HTTP status codes 200 to 404. (200|404) Matches 200 and 404 codes where the | symbol serves as an OR function.
Display any HTTP status code that contains a 4. [4] Matches any value that contains a 4. For example, this filter can return 204 and 400 status codes.
Display all 500-level HTTP status codes. ^[5] Matches any value that begins with a 5. For example, this filter can return 500 and 502 status codes.
Display all 400 and 500-level HTTP status codes. ^[45] Matches all values that begin with a 4 or 5. For example, this filter can return 400, 403, and 500 status codes.
Display any HTTP status codes except 200-level status codes. ^(?!2) Matches all values except values beginning with a 2, where ^(?!) specifies the range of results to exclude. For example, this filter can return 400, 500, and 302 status codes.
Display any IP address with a 187. 187. Matches 1, 8, and 7 characters in the IP address.
Review all IP addresses containing 187.18. 187\.18\. Matches 187 and the character . that follows the 187. For example, this filter returns results for 187.18.0.0.0, 180.187.0.0.0, or 187.180.0.0.0/16.
Display any IP address except 187.18.197.150. [^187.18.197.150] Matches anything except 187.18.197.150, where [^] specifies the exact value to exclude.
Exclude a list of specific IP addresses [^187.18.197.150|187.18.197.151|187.18.197.152] Matches anything except 187.18.197.150, 187.18.197.151, and 187.18.197.152, where the | symbol serves as an OR function and [^] specifies the exact values to exclude.
Additional filters

When you create a custom detail metric from the Metric Catalog, you can add advanced regex syntax to the Additional Filters search field in the Record Relationships section.

The tooltip appears after you select Detail Metric and is not available when Base Metric is selected.

The regex syntax in this field must meet the following requirements:
  • If your key contains multiple values, your regex syntax must include a single capture group. A capture group is designated by parenthesis. Your capture group determines the filter value.

  • If you want to return a specific value from a detail metric key that contains multiple record field values, the regex must follow this syntax:

    $KEY:/<regex>/

    For example, if your detail metric key is ipaddr:host:cipher and you only want to return the IP address value, you would type the following:

    $KEY:/^([^:]+):.+/

  • If your key contains multiple record field values, the values are separated by a delimiter that is specified in the trigger that is generating the key. The placement of the delimiters in your regex syntax must match the delimiters in the detail key. For example, if you have a key with three values that are separated by a delimiter that is a colon, the three values for the key in your regex syntax must be separated by two colons.
Tip:If you want to return all record field values in a detail metric key, type $KEY. For example, if your detail metric key is ipaddr:host:cipher, type $KEY in the search field to return all three of those field record values (IP address, hostname, and SSL cipher suite).

Edit a text box widget

If you want to include explanatory text next to your dashboard charts or display a company logo in your dashboard, you can edit a text box widget. With the text box widget, you can display text, links, images, or sample metrics in your dashboard.

The text box widget supports Markdown, which is a simple formatting syntax that converts plain text into HTML with non-alphabetic characters, such as "#" or "*". New text box widgets contain Markdown examples. A text box widget is automatically provided each time you create a dashboard. You can also add a text box widget to your dashboard layout.

To edit an existing text box widget, complete the following steps:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select a dashboard containing the text box you want to edit.
  4. Click the command menu in the upper right corner and select Edit Layout.
  5. Click the text box.
  6. Type and edit text in the left Editor pane.
    The HTML output text dynamically displays in the right Preview pane. With Markdown, you can format the following types of content:
  7. Click Save to close the Metric Explorer.

Format text in Markdown

The following table shows common Markdown formats that are supported in the text box widget.

Note:Additional Markdown format examples are provided in the GitHub Guides: Mastering Markdown. However, not all Markdown syntax formatting options are supported in the ExtraHop text box widget.
Format Description Example
Headings Place a number sign (#) before your text to format headings. The level of heading is determined by the amount of number signs. ####Example H4 heading
Unordered lists Place a single asterisk (*) before your text. * First example * Second example
Ordered lists Place a single number and period (1.) before your text. 1. First example 2. Second example
Bold Place double asterisks before and after your text. **bold text**
Italics Place an underscore before and after your text. _italicized text_
Hyperlinks

Place link text in brackets before the URL in parentheses. Or type your URL.

Links to external websites open in a new browser tab. Links within the ExtraHop Web UI,such as dashboards or custom pages, open in the current browser tab.

[Visit our home page](https://www.extrahop.com)

https://www.extrahop.com

Blockquotes Place a right angle bracket and a space before your text.

On the ExtraHop website:

> Access the live demo and review case studies.

Monospace font Place a backtick (`) before and after your text. `example code block`
Emojis Adding emojis in Markdown syntax is unsupported; however, you can copy and paste a Unicode emoji image into the text box.

See the Unicode Emoji Chart website for images.

 

Add images in Markdown

You can add images to the text box widget by linking to them. Make sure your image is hosted on a network that is accessible to the ExtraHop system.

Links to images must be specified in the following format:

![<alt_text>](<file_path>)

Where <alt_text> is the alternative text for the image name and <file_path> is the path of the image. For example:

![Graph](/images/graph_1.jpg)
Note:You also can add images by encoding them to Base64. For more information, see the following post on the ExtraHop forum, "Putting Images in Text Boxes."

Add metric examples in Markdown

You can write a metric query to include a metric value inline with text in the text box widget.

The following example shows the basic format for writing metric queries:

%%metric:{
    "metric_category": "<metric_category>",
    "object_type": "<object_type>",
    "object_ids": [object_id],
    "metric_specs": [
        {
            "name": "<metric_spec>"
        }
    ]
}%%

To locate the object_type, metric_spec, and metric_category values for a metric, complete the following steps:

  1. Click Settings
  2. Click Metric Catalog.
  3. Type the metric name in the search field.
  4. Select the metric, and note the values for metric_category, object_type, and metric_spec in the REST API Parameters section.
The following figure displays values for NFS Server - TCP Requests by Client.

To locate the object_id for a device, device group, or other asset, complete the following steps:

  1. Click Assets, and then click an asset type from the left pane.
  2. Click the name of the asset you want, and then open the properties window.
  3. Note the value displayed for the REST API ID.
The following figure displays the properties for a device with an ID of 18697.

After you locate the values for the metric you want to display, add them to the metric query in the text editor. The value will be displayed in the text widget.

The following example markup will display the number of TCP requests received, listed by client IP address, for an NFS server with the object ID 18697.

Note:The following metric queries are unsupported in the text box widget:
  • Time-series queries
  • Mean calculations
  • Multiple object_ids
  • Multiple metric_spec
  • Multiple percentiles
Metric query examples for the text box widget

The following examples show you how to write top-level, or base, metric queries for application, device, and network objects. You can also write a query for detail metrics.

Application metrics

To specify the All Activity object, the object_ids is "0".

This example query shows how you can retrieve HTTP metrics from the All Activity application object, and displays the following output: "Getting [value] HTTP requests and [value] HTTP responses from All Activity."

Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%%HTTP requests and
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"rsp"}]
}%%
HTTP responses from All Activity.
Device metrics

You must specify either a client ("_client") or server ("_server") in the metric_category. To retrieve metrics for a specific device, specify the device object ID number in object_ids. To retrieve the device object ID (deviceOid), search for the device object in the ExtraHop global search. Select the device from your search results. The "deviceOid=" value will be embedded in the URL query string.

This example query shows how to retrieve metrics from a device client object, and displays the following output: "Getting [value] CLIENT DNS response errors from a specific device."

Getting
%%metric:{"object_type": "device",
"object_ids": [8],
"metric_category": "dns_client",
"metric_specs": [{"name":"rsp_error"}]
}%%
CLIENT DNS response errors from a specific device.

This example query shows how to retrieve metrics from a device server object, and displays the following output: "Getting [value] SERVER DNS response errors from a specific device."

Getting
%%metric:{
"object_type": "device",
"object_ids": [156],
"metric_category": "dns_server",
"metric_specs": [{"name":"rsp_error"}]
}%%
SERVER DNS response errors from a specific device.
Network metrics

To specify All Networks, the object_type is "capture" and the object_ids is "0." To specify a specific VLAN, the object_type is "vlan" and the object_ids is the VLAN number.

This example query shows how to retrieve metrics for all networks, and displays the following output: "Getting [value] broadcast packets from all networks."

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "net","metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from all networks.

This example query shows how to retrieve metrics for a specific VLAN and displays the following output: "Getting [value] broadcast packets from VLAN 3."

Getting
%%metric:{
"object_type": "vlan",
"object_ids": [3],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from VLAN 3.
Group metrics

To specify a group, the object_type is "device_group." You must specify either a client ("_client") or server ("_server") in the metric_category. The object_ids for the specific group must be retrieved from the REST API Explorer.

This example query shows how to retrieve metrics for all networks, and displays the following output: "Getting [value] HTTP responses from the HTTP Client Device Group."

Getting
%%metric:{
"object_type": "device_group",
"object_ids": [17],
"metric_category": "http_client",
"metric_specs": [{"name":"req"}]
}%%
HTTP responses from the HTTP Client Device Group.
Detail metrics

If you want to retrieve detail metrics, your metric query should contain additional key parameters, such as key1 and key2:

  • object_type
  • object_ids
  • metric_category
  • metric_spec
    • name
    • key1
    • key2
The key parameters act as a filter for displaying detail metric results. For non-custom detail metrics, you can retrieve detail metric parameters from the Metric Catalog. For example, type HTTP Responses by URI, and then look at the parameter values in the REST API Parameters section.
Important:You must supply the object_ids in your query.

This example shows how to retrieve HTTP requests by URI for the All Activity application (object_ids is "0"):

%%metric:{ 
"object_type": "application", 
"object_ids": [0],  
"metric_category": "http_uri_detail", 
"metric_specs": [{"name":"req"}] 
}%%

This example query shows you how to retrieve HTTP requests by URIs that contain a key value for "pagead2" for the All Activity application (object_ids is "0"):

%%metric:{ 
"metric_category": "http_uri_detail", 
"object_type": "application",
"object_ids": [0], 
"metric_specs": [ 
{ 
"name": "req", 
"key1": "/pagead2/" 
} 
] 
}%%

This example query shows how to retrieve count metrics for all networks and displays the following output: "Getting [value] detail ICA metrics on all networks."

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "custom_detail",
"metric_specs": [{
"name":"custom_count",
"key1":"network-app-byte-detail-ICA"
}]
}%%
detail ICA metrics on all networks.

This example query shows how to retrieve a custom dataset statistic with topn keys and percentiles, and displays the following output: "The fifth percentile is: [value]."

The fifth percentile is:
%%metric:{
"object_type": "vlan",
"object_ids": [1],
"metric_category": "custom_detail",
"metric_specs": [{
"name": "custom_dset",
"key1": "myCustomDatasetDetail",
"key2": "/10.10.7/",
"calc_type": "percentiles",
"percentiles": [5]
}]
}%%
.
Note:Sampleset metrics are unsupported in the text box widget. For example, adding the "calc_type": "mean" parameter to your text box query is unsupported.

Edit a dashboard region

Dashboard regions, which contain charts and widgets, are highly customizable. As you work with dashboards, you might need to frequently change or copy a region. You can only delete, resize, or rearrange a region by editing the dashboard layout.

To edit basic properties of a region in a dashboard, complete the following steps:
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select a dashboard with the region you want to edit.
  4. Click the region header to access the following options:
    Rename a region
    Add a custom name to the region.
    Modify sources
    Quickly replace the data sources for each chart in a region with a different source after copying a chart, region, or dashboards.
    Copy a region
    Hover over Copy to... and make one of the following selections:
    • Select the name of an existing dashboard from the list. The dashboard page opens and displays the location of the copied region.
      Tip:The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard.
    Change the region time interval
    Apply a time interval to the entire region by enabling the Region Time Selector.
    Fullscreen
    Expand region contents into a fullscreen display.

Change the time interval for a dashboard region

In a dashboard, you can apply a time interval to an entire dashboard with the Global Time Selector, or apply a different time interval per region with the Region Time Selector.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select a dashboard.
  4. Click the region header and then select Use Region Time Selector.
  5. Click Last 30 minutes and complete one of the following steps:
    • From the Time Interval tab, select one of the following options:
      • Select another time interval (such as Last 30 minutes, Last 6 hours, Last day, or Last week).
      • Specify a custom unit of time.
      • Select a custom time range. Click a day to specify the start date for the range. One click will specify a single day. Click another day to specify the end date for the range.
      • Compare metric deltas from two different time intervals.
    • From the History tab, select from up to five recent time intervals selected in a previous login session.
  6. Click Save to close the Region Time Selector.
    The new time interval is applied to all charts and widgets within the region.
  7. To remove the region time interval, click the region header and select Use Global Time Selector.
    When the time interval disappears from the region header, the global time interval is applied to the region.

Edit dashboard properties

To rename a dashboard, change the theme, or change the URL, you must edit the dashboard properties. When you create a dashboard, you have an opportunity to specify dashboard properties. However, you can change dashboard properties at any time.

You can only change properties for one dashboard at a time. You cannot multi-select dashboards and change a property, such as the dashboard author.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select the dashboard that you want to edit.
  4. Click the command menu in the upper right corner of the page and then select Dashboard Properties.
  5. In the Dashboard Properties window, you can modify the following fields:
    Title
    Rename the dashboard.
    Author
    Change the author name.
    Description
    Change the dashboard description. Note that the description is only seen when editing dashboard properties.
    Permalink
    Change the URL for the dashboard. By default, the permalink, also known as a short code, is a five-character unique identifier that appears after /Dashboard in the URL. You can change the permalink to a more user-friendly name.
    Note:The permalink can have up to 100 characters combining letters, numbers, and the following symbols: dot (.), underscore (_), dash (-), plus sign (+), parentheses ( ), and brackets ([ ]). Other alphanumeric characters are unsupported. The permalink cannot contain spaces.
    Sharing
    To share a dashboard with users who can view and edit, click the link. For more information, see Share a dashboard.
    Editors
    View the list of ExtraHop users with editing access to the dashboard. To change the users, click Sharing.
    Theme
    Select one of the following themes to change the colors and appearance of the dashboard:

    Light: White background with dark text.

    Dark: Black background with white text.

    Space: Dark background with a stylized background image and text.

  6. Click Save.

Present a dashboard

You can set your dashboard to display in fullscreen mode for presentations or for your network operation center screens.

The fullscreen mode provides the following viewing options:

  • You can view and interact with the entire dashboard while in Presentation Mode.
  • You can view a continuous cycle of each chart in the dashboard in a Widget Slideshow.
  • You can view a single region in fullscreen display.

To present an entire dashboard in fullscreen display, complete the following steps:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select the dashboard you want to present.
  4. In the upper right corner of the page, click the command menu and select one of the following options:
    Presentation Mode
    The dashboard dock and top navigation menus collapse. You can interact with the time interval and dashboard components while in presentation mode.
    Widget Slideshow
    A continuous cycle of charts and widgets in fullscreen display begins. Select how long you want each widget to display (for example, 20 seconds, 15 seconds, etc.). Click the x icon in the upper right corner of the screen to return to the dashboard.
    Tip:To open a dashboard in Presentation Mode, add /presentation to the end of the URL and then bookmark it. For example:

    https://<extrahop_ip>/extrahop/#/Dashboard/437/presentation

Share a dashboard

By default, all custom dashboards you create are private, which means that no ExtraHop users can view or edit your dashboard. However, you can share your dashboard by granting view or edit access to other ExtraHop users and groups.

Here are some importance considerations about sharing dashboards:

  • How a user interacts with a shared dashboard and the information they can view in the ExtraHop system is determined by user privileges, which are assigned by the ExtraHop administrator. For example, you can add a user with the Restricted read-only privilege, which allows that user to only view the dashboards that you share with them in the ExtraHop system. For more information, see the User privileges section in the ExtraHop Admin UI Guide.
  • When you grant a user edit permission, that user can modify and share the dashboard with others, and add it to a collection. However, other users cannot delete the dashboard. Only the dashboard owner can delete a dashboard.
  • Group information is imported into the ExtraHop system from LDAP (such as OpenLDAP or Active Directory). User information is available after an ExtraHop user logs in to their account.
  • To share a dashboard with a non-ExtraHop user, you can create a PDF file of the dashboard. If you have a Command appliance, you can create a scheduled report, which sends the PDF file of the dashboard to any email recipient on a regular basis.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. In the left pane, select a dashboard you want to share.
    You cannot share system dashboards or dashboards that you do not have edit access to.
  4. Click the command menu in the upper right corner of the dashboard page and select Share.
  5. To grant view permission to every user, select Allow all users to view this dashboard.
  6. To grant view or edit permission to specified users and groups, complete the following steps:
    1. Type the name of a user or group, and then select the name from the drop-down list.
    2. Next to the name, select Can view or select Can edit.
  7. Click Save.
    Note:How a user interacts with a dashboard and the information they can view in the ExtraHop system is determined by user privileges, which are assigned by the ExtraHop administrator. For more information, see the User privileges section in the ExtraHop Admin UI Guide.
    If you shared your dashboard, a small gray icon will appear next to your dashboard in the dock.

Remove access to a dashboard

You can remove or modify dashboard access that you granted to users and groups.

  1. In the left pane, select the custom dashboard that you want to modify.
  2. Click the command menu in the upper right corner of the page and select Share.
  3. Remove access for users or groups by completing one of the following steps:
    • Remove all access for a user or group by clicking the red delete (x) icon next to the user or group name.
    • Remove edit access by selecting Can view from the drop-down list next to the user or group name.
  4. Click Save.

Create a dashboard collection

You can create a collection to organize dashboards that you own and that have been shared with you.

Here are some important considerations about dashboard collections:

  • Your user privileges determine whether you can create and share collections.
  • You can add any dashboard to a collection that you own or have permission to view or edit.
  • You can add a dashboard to multiple collections.
  • You can share a collection if you own or have edit permission for all of the dashboards in that collection.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Click Collections at the top of the dashboard dock and then click Create Collection at the bottom of the dock.
  4. In the Name field, type a unique name for the collection.
  5. (Optional): In the Description field, add information about the collection.
  6. (Optional): Type the name of a user or group in the Sharing drop-down list, select from the search results, and then click Add.
  7. Type the name of a dashboard in the Contents drop-down list and then select from the search results.
    The name of the owner is displayed for each added dashboard.
    Tip:The dashboard at the top of the list is displayed by default when the collection is selected in the dashboard dock. Click and drag the icon next to a dashboard name to re-order the list.

  8. Click Save.
    The collection is added to the dashboard dock.

Share a dashboard collection

By default, all dashboard collections are private, which means that no other users can view or edit your collection. However, you can share your collection with other users and groups.

Here are some important considerations about sharing dashboard collections:

  • You can only share a collection if you own or have permission to edit all of the dashboards in the collection.
  • Users can only view the dashboards in a shared collection; they cannot edit any collection properties.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Click Collections at the top of the dashboard dock.
  4. Click the collection you want to share and then click Edit.
  5. Type the name of a user or group in the Sharing drop-down list and then select from the search results.
  6. Click Add.
    The user or group is displayed in a list of shared users.

    Tip:Remove a user or group by clicking the remove (X) icon next to the name.
  7. Click Save.
    The collection appears in the dashboard dock for each shared user.

Export data

You can export chart data from the ExtraHop system in CSV and XLSX formats.

You can also create PDFs of ExtraHop charts, pages, and dashboards.

Export data to Excel

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Navigate to a dashboard or protocol page.
  3. Right-click any chart, table, or metric and select Export to Excel.

Export data to CSV

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Navigate a dashboard or protocol page.
  3. Right-click any chart, table, or metric and select Export to CSV.

Create a PDF file

You can export data from a dashboard, protocol page, or individual chart as a PDF file.

  1. Find the dashboard or protocol page that contains the data you want to export and complete of one of the following steps:
    • To create a PDF file of the entire page, click the command menu in the upper right corner of the page and select Print (from the Discover appliance) or Export to PDF (from the Command appliance).
    • To create a PDF file of an individual chart or widget, click the chart title and select Print (from the Discover appliance) or Export to PDF (from the Command appliance) from the drop-down menu.
  2. A PDF preview dialog opens. Complete one of the following steps:
    • Click Print Page and then select PDF as the destination from the print settings in your browser.
    • From a Discover appliance, click Print Widget and select PDF as the destination from the print settings in your browser.
    • From a Command appliance, select PDF format customizations and then click Export to PDF. The process for generating a PDF might take several seconds.
    Tip:To access PDF print options through a keyboard shortcut, type pp.

Customize the format of a PDF file

When creating a PDF file of a dashboard or protocol page from a Command appliance, you have several options for customizing the appearance of your PDF file.

  1. Type a custom name for your PDF file or accept the default name.
  2. Choose one of the following page width options:
    Narrow
    Displays large text in chart titles and labels, but provides less space for displaying chart data. Long chart titles and labels might be truncated.
    Medium
    (Recommended) Displays a view of chart titles, legends, and data that is optimized for portrait page orientation.
    Wide
    Displays small text in chart titles and labels, but provides more space for displaying chart data.
  3. Choose one of the following page break options:
    Single page
    Displays the entire dashboard or protocol page on a single, continuous page. This setting might generate a PDF file that is larger than standard printer page sizes.
    Page break per region
    Displays each chart region on an individual page.
  4. Choose one of the following themes:
    Light
    White background with dark text.
    Dark
    Black background with white text.
    Space
    Dark background with a stylized background image and text.
  5. Click Export to PDF.
    The process for generating a PDF might take several seconds.

Next steps

The PDF file will download to your local computer. Each PDF file includes the dashboard title and time interval. Click View report on ExtraHop to open the original dashboard set to the time interval specified in the PDF file.

Chart types

Dashboard charts in the ExtraHop system offer multiple ways to visualize metric data, which can help you answer questions about your network behavior.

You select a chart type when you edit a chart in the Metric Explorer. But how do you know which chart to select? It helps to first decide which question you want to answer:
  • To learn how a metric changes over time, select a time-series chart such as the area, column, line, line & column, or status chart.
  • To learn how a metric value compares to a complete set of data, select a distribution chart such as the box plot, candlestick, heatmap, or histogram chart.
  • To learn the exact metric value for a time period, select a total value chart such as the bar, list, pie, table, or value chart.
  • To learn the alert status of this metric, select the list, status, or value chart.

Find more answers in the Charts FAQ.

The following table provides a list of chart types and overviews. Click on the chart type to see more details and examples.

Chart Type Description Type
Area chart Displays metric values as a line that connects data points over time, with the area between the line and axis filled in with color. Time-series
Column chart Displays metric data as vertical columns over a selected time interval. Time-series
Line chart Displays metric values as data points in a line over time. Time-series
Line & Column chart Displays metric values as a line, which connects a series of data points over time, with the option to display another metric as a column chart underneath the line chart. Time-series
Status chart Displays metric values in a column chart and the status of an alert assigned to both the source and metric in the chart. Time-series
Box plot chart Displays variability for a distribution of metric data. Each horizontal line in the box plot includes three or five data points. Distribution
Candlestick chart Displays variability for a distribution of metric data over time. Distribution
Heatmap chart Displays a distribution of metric data over time, where color represents a concentration of data. Distribution
Histogram chart Displays a distribution of metric data as vertical bars or bins. Distribution
Bar chart Displays the total value of metric data as horizontal bars. Total value
List chart Displays metric data as a list with optional sparklines that represent data changes over time. Total value
Pie chart Displays metric data as a portion or percentage of a whole. Total value
Table chart Displays multiple metric values in a table, which can be easily sorted. Total value
Value chart Displays the total value for one or more metrics. Total value

Area chart

Metric data is displayed as data points over time connected by a line, with the area between the line and the x-axis filled in with color.

If your chart contains more than one metric, data for each metric is displayed as an individual line, or a series. Each series is stacked together to illustrate the cumulative value of the data.

Select the area chart to see how the accumulation of multiple metric data points over time contribute to a total value. For example, an area chart can reveal how various protocols contribute to total protocol activity.

For more information about displaying rates in your chart, see the Display rates section.

Note:This chart supports detection markers, which indicate detections associated with chart data.
Note:Machine learning detections require a connection to ExtraHop Cloud Services.

The following figure shows an example of an area chart.



Bar chart

The total value of metric data is displayed as horizontal bars.

Select the bar chart when you want to compare the data for more than one metric for a selected time interval.

The following figure shows an example of a bar chart.



Box plot chart

The box plot chart displays variability for a distribution of metric data. You can only display data from dataset metrics, such as server processing time, in this chart.

Each horizontal line in the box plot includes three or five data points. With five data points, the line contains a body bar, a vertical tick mark, an upper shadow line, and a lower shadow line. With three data points, the line contains a vertical tick mark, an upper shadow, and lower shadow. For more information about displaying specific percentile values in your chart, see Display percentiles.

The following figure shows an example of a box plot chart.



Candlestick chart

The candlestick chart displays variability for a distribution of metric data over time. You can only display data from dataset metrics or high-precision network (L2) byte and packet metrics.

Vertical lines at each time interval displays three or five data points. If the line has five data points, it contains a body, middle tick mark, an upper shadow line, and a lower shadow line. If the line has three data points, it contains a middle tick mark. For more information about displaying specific percentile values in your chart, see Display percentiles.

Select the candlestick chart to view the variability of data calculations for a specific period of time.

The following figure shows an example of a candlestick chart.



Column chart

Metric data is displayed as vertical columns over time. If your chart contains more than one metric, data for each metric is displayed as an individual column or as a series. Each series is stacked together to illustrate the cumulative value of the data.

Select the column chart to compare how accumulation of multiple metric data points at a specific time contribute to the total value.

Note:This chart supports detection markers, which indicate detections associated with chart data.

The following figure shows an example of a column chart.



Heatmap chart

The heatmap chart displays a distribution of metric data over time, where color represents a concentration of data. You can only select a dataset metric to display in the chart, such as server processing time or round trip time.

Select the heatmap when you want to identify patterns in the distribution of data.

Here are some important considerations about the heatmap chart:
  • The heatmap legend displays the color gradient that corresponds to the data range in the chart. For example, the darker color on the heatmap indicates a higher concentration of data points.
  • The default data range is between the 5th and 95th percentiles, which filters outliers from the distribution. Outliers can skew the scale of data displayed in your chart, making it more difficult to spot trends and patterns for the majority of your data. However, you can choose to view the full range of data by changing the default filter in the Options tab. For more information, see Filter outliers.
  • The selected theme, such as Light, Dark, or Space, affects whether a dark or light color indicates a higher concentration of data points.

The following figure shows an example of a heatmap chart.



Histogram chart

The histogram chart displays a distribution of metric data as vertical bars, or bins. You can only select a dataset metric to display in this chart, such as server processing time or round trip time.

Select the histogram chart to view the shape of how data is distributed.

Here are some important considerations about the histogram chart:
  • The default data range is from the 5th to 95th percentile (5th-95th), which filters outliers from the distribution. The minimum to maximum (Min-Max) view displays the full data range. Click the magnifying glass in the upper right corner of the chart to toggle between the two views.
  • Data is automatically distributed into bins on either a linear or log scale based on the data range. For example, when the data range spans several orders of magnitude, data is placed into bins on a log scale. Min-Max (log) appears in the upper right corner of the chart.
  • Click-and-drag to zoom in on multiple bins or a specific bin. Click the magnifying glass again in the upper right corner of the chart to zoom out to the original view (either 5th-95th or Min to Max).
    Note:Zooming in to view a custom time interval does not change the global or region time interval.
  • Your toggle selection (between the 5th-95th and Min-Max views) will persist for your chart, but not for the users that you shared your dashboard and chart with. To set a persistent toggle selection before sharing a dashboard, see Filter outliers.

The following figure shows an example of a histogram chart.



Note:This chart does not support baselines or threshold lines.

Line chart

Metric data is displayed as data points over time that are connected in a line. If your chart contains more than one metric, data for each metric is displayed as an individual line or as a series. Each series overlaps.

Select the line chart to compare changes over time.

Note:This chart supports detection markers, which indicate detections associated with chart data.

The following figure shows an example of a line chart.



Line & column chart

Metric data is displayed as data points over time connected by a line, with the option to display a column chart underneath the line chart. For example, if your chart contains more than one metric (for example, HTTP Requests and HTTP Errors), you can select Display as Columns to display one of the metrics as a column chart underneath the line chart.

Columns are displayed in the color red by default. To remove the red color, click Options and deselect Display columns in red.

Select the line & column chart to compare different metrics at different scales in one chart. For example, you can view error rates and the total number of HTTP responses in one chart.

Note:This chart supports detection markers, which indicate detections associated with chart data.

The following figure shows an example of a line & column chart.



List chart

Metric data is displayed as a list. Select the list chart to view long lists of metric values, such as detail metrics.

This chart includes the following options:
  • Add a sparkline, which is a simple area chart placed inline with the metric name and value. A sparkline shows how data changed over time. Click the Options tab and select Include sparklines.
  • Display the metric value in an alert status color. Different colors indicate the severity of the configured alert. For example, if an alert threshold is crossed for a metric that is displayed in the list chart, the value for that metric appears in red. Click the Options tab and select Color indicates alert status.
Note:This chart does not support baselines or threshold lines.

The following figure shows an example of a list chart.



Pie chart

Metric data is displayed as a portion or percentage of a whole. If your chart contains more than one metric, data for each metric is represented as single slice, or series, in the pie chart.

Select the pie chart to compare the metric values that are mutually exclusive, such as status code detail metrics for the top-level HTTP Response metric.

This chart includes the following options:
  • Display as a donut chart. Click the Option tab and select Show total value.
  • Specify the decimal precision, or the number of digits, displayed in your chart. Percentile precision is useful for displaying ratios of data, especially for service-level agreements (SLAs) that might require precise data for reporting. Click the Options tab, and in the Units section, select Show percents instead of counts. Then select 0.00% or 0.000% from the drop-down list.

The following figure shows an example of a pie chart.



Status chart

Metric data is displayed in a column chart. The color of each column represents the most severe alert status of the configured alert for the metric. You can only select one source and metric to display in this chart.

To view the status of all of the alerts associated with the selected metric category, click Show Related Alerts. A list of alerts is then displayed below the column chart.

Select the status chart to see how data and the alert status for your metric change over time.

Note:This chart does not support baselines.

The following figure shows an example of a status chart.



Table chart

Metric data is displayed across rows and columns in a table. Each row represents a source. Each column represents a metric. You can add multiple sources (of the same type) and metrics to a table.

Select the table chart when you want to view metric data in a grid and easily sort values across multiple metrics.
Note:This chart does not support baselines or threshold lines.

The following figure shows an example of a table chart.



Value chart

The total value for one or more metrics is displayed as a single value. If you select more than one metric, metric values are displayed side-by-side.

Select the value chart to see the total value of important metrics, such as the total number of HTTP errors occurring on your network.

This chart includes the following options:
  • Add sparklines, which is a simple area chart placed underneath the metric value. A sparkline shows how data changed over time. Click the Options tab and select Include sparklines.
  • Display the metric value in an alert status color. Different colors indicate the severity of the configured alert. For example, if an alert threshold is crossed for a metric, the value appears in red. Click the Options tab and select Color indicates alert status.
Note:This chart does not support baselines or threshold lines.

The following figure shows an example of a value chart.



Create a chart

Charts are an essential tool for visualizing, analyzing, and understanding network behavior. You can create a custom chart from a dashboard or protocol page to visualize data from any of the 4,000+ built-in metrics or custom metrics available in the ExtraHop system. For example, if you observe an interesting server metric while troubleshooting, you can create a chart to visualize and further analyze that metric. Customized charts are then saved to dashboards.

The following steps show you how to quickly create a blank custom chart:
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Complete one of the following steps:
    • Click Dashboards at the top of the page.
    • Click Assets at the top of the page. Select a source from the left pane, and then click the name of an application, device, device group, or network from the center pane. A protocol page for the source appears.
  3. Click the command menu in the upper right corner of the page and then select Create Chart.
  4. Edit the chart in the Metric Explorer.
  5. To save your chart, click Add to Dashboard and complete one of the following steps:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.
    Tip:Here are some other ways to create a chart:
    • If you find a chart you like on a protocol page or dashboard, you can recreate and save that chart to your dashboard. Click the chart title and then select Create Chart From....
    • You can edit a dashboard layout and click-and-drag a new chart widget onto the dashboard.

Next steps

After you create a chart, learn more about working with dashboards:

Copy a chart

You can copy a chart from a dashboard or protocol page and then save the copied chart to a dashboard. Copied widgets are always placed into a new region on the dashboard, which you can later modify.

Tip:If you want to copy a dashboard chart or text box without creating a new region, click the command menu in the upper right corner of the dashboard page and click Edit Layout. Find the chart you want to copy and then click Duplicate.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Select a dashboard that contains the chart or widget that you want to copy.
  4. Click the title.
    Note:You cannot click the title of a text box widget. To copy a text widget, you must first edit the dashboard layout. Click the command menu in the upper right corner of the text box widget, and then complete step 4.
  5. Hover over Copy to… to expand a drop-down list and then make one of the following selections:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.

Next steps

The chart is copied into a new region on the dashboard that is in Edit Layout mode. You can now edit your dashboard or chart in the following ways:

Drill down

An interesting metric naturally leads to questions about the factors associated with that metric value. For example, if you find a large number of DNS request timeouts on your network, you might wonder which DNS clients are experiencing those timeouts. In the ExtraHop system, you can easily drill down from a top-level metric to view the devices, methods, or resources associated with that metric.

When you drill down on a metric by a key (such as a client IP address, method, URI, or resource), the ExtraHop system calculates a topnset of up to 1,000 key-value pairs. You can then investigate these key-value pairs, referred to as detail metrics, to learn which factors are linked to the interesting activity.

Drill down from a dashboard or protocol page

Clicking a metric in a chart or legend helps you see which key, such as client IP address, server IP address, method, or resource, contributed to that value.

The following steps show you how to locate a metric and then drill down:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Find an interesting metric by completing one of the following steps:
    • Click Dashboard, and then select a dashboard from the left pane. A dashboard appears containing metrics.
    • Click Assets, click Device, Device Group, or Application in the left pane. Then select a device, group, or application. A protocol page appears containing metrics.
    • Click Assets, click Networks in the left pane, and then select a flow network. A protocol page appears containing metrics.
  3. Click on a metric value or a metric label in the chart legend, as shown in the following figure. A menu appears.


    Tip:On a protocol page, you can also click a drill-down shortcut button in the Drill Down section, located in the upper right corner of the page. The type of shortcut buttons vary by protocol.


  4. In the Drill down by… section, select a key. A detail metrics page with a topnset of metric values by key appears. You can view up to 1,000 key-values pairs on this page.
    Tip:If available, click the View More link at the bottom of a chart to drill down on the metric displayed in the chart.

Drill down on network capture and VLAN metrics

Click an interesting top-level metric about network activity on a Network capture or VLAN page to identify which devices are linked to that activity.

Note:For information about how to drill down on metrics from a flow network or flow network interface page, see the Drill down from a dashboard or protocol page section.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click Assets.
  3. Click Networks in the left pane.
  4. Click a network capture or VLAN interface name.
  5. Click a network layer in the left pane, such as L3 or L7 Protocols. Charts that display metric values for the selected time interval appear. For most protocols and metrics, a Device table also appears at the bottom of the page.
  6. Click the chart data, which updates the list to display only the devices that are associated with the data.
  7. Click a device name. A Device page appears, which displays traffic and protocol activity associated with the selected device.

Drill down from a detection

For certain detections you can drill down to see more details about the metric or key that contributed to the unusual behavior. The metric name or key appears as a link at the bottom of an individual detection.

Note:Detections with metrics or keys that do not have detail metrics do not include a drill down option. Detections that only display anomalous protocol activity instead of a metric also do not include a metric drill down option. For example, you cannot drill down on a detection for Anomalous DNS Client activity, as shown in the figure below. Instead, click the links for the device or application name, Activity Map, or Records to learn more about the anomalous activity.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click Detections at the top of the page.
  3. Find an interesting detection that is associated with a metric and click the metric name or key. In the following figure, by clicking on the response code, we can drill down to see all of the clients that received DNS responses with NXDOMAIN/QUERY:A.


  4. In the Drill down by... section, click a key such as Client.
    A detail metric page appears, where you can investigate metrics listed by key.

Drill down from an alert

Click the metric name or key in a threshold or detection alert to see which key, such as client, server, method, or resource, contributed to the metric value or unusual behavior.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click Alerts at the top of the page.
    Note:You can also access alerts from an Alert widget on a dashboard or at the bottom of the following protocol pages:
    • Application Overview page
    • Devices Group Overview page
    • Network Overview page
  3. Click the name of a threshold alert or a detection alert.
    Alert details appear.
  4. Click a metric name or key, as shown in the following figure.


  5. In the Drill Down by section, click a key, such as Client, Method, Referer, Server, or URI.
    A detail metric page appears, where you can investigate metrics listed by key.

Investigate detail metrics

After you drill down on a metric from a dashboard, protocol page, detection, or alert, you can investigate metric values by key on a detail metric page. Filter metric data or select different keys, such as status codes or URIs, to view data from different perspectives.

The following figure shows you how to filter, pivot, sort, or export data on a detail metric page.



If you drilled-down on a metric by IP, Client, or Server, IP addresses and hostnames (if observed from DNS traffic) appear in the table. Additional options are now available to you. For example, you can generate a geomap or directly navigate to a client or server protocol page, as shown in the following figure.



Filter results

A detail page can contain up to 1,000 key-value pairs. There are two ways to find specific results from data: filter results or click a key in the table to create another drill-down filter.

To filter results, click Any Field, and then select a field, which varies by key. For example, you can select Network Locality for Client or Server keys. Then, select one of the following operators:

  • Select = to perform an exact string match.
  • Select to perform an approximate string match. The ≈ operator supports regular expression.
    Note:To exclude a result, enter a regular expression. For more information, see Create regular expression filters.
  • Select to exclude an approximate string match from your results.
  • Select > or to perform a match for values greater than (or equal to) a specified value.
  • Select < or to perform a match for values less than (or equal to) a specified value.
  • Click Add filter to save the filter settings. You can save multiple filters for one query. Saved filters are cleared if you select another key from the Details section in the left pane.

To complete the filter, enter or select a value that you want to filter results by, and then click Add Filter.

Investigate threat intelligence data (ExtraHop Reveal(x) Premium and Ultra only)
Click the red camera icon to view threat intelligence details about a suspicious host, IP address, or URI found in detail metric data.
Highlight a metric value in the top chart
Select an individual row or multiple rows to change chart data in the top chart on the detail metric page. Hover over data points in the chart to view more information about each data point.
Pivot to more data by key
Click key names in the Details section to see more detail metric values, broken down by other keys. For IP address or host keys, click a device name in the table to navigate to a Device protocol page, which displays traffic and protocol activity associated with that device.
Adjust the time interval and compare data from two time intervals
By changing the time interval, you can view and compare metric data from different times in the same table. For more information, see Compare time intervals to find the metric delta.
Note:The global time interval in the upper left corner of the page includes a blue refresh icon and gray text that indicates when the drill-down metrics were last polled. To reload the metrics for the specified time interval, click the refresh icon in the Global Time Selector display. For more information, see View the latest data for a time interval.
Sort metric data in columns
Click the column header to sort by metrics to view which keys are associated with the largest or smallest metric values. For example, sort on processing time to see which clients experienced the longest website load times.
Change data calculation for metrics
Change the following calculations for metric values displayed in the table:
  • If you have a count metric in the table, click Count in the Options section in the left pane and then select Average Rate. Learn more in the Display a rate or count in a chart topic.
  • If you have a dataset metric in the table, click Mean in the Options section in the left pane and then select Summary. When you select Summary, you can view the mean and the standard deviation.
Export data
Right-click a metric value in the table to download a PDF, CSV, or Excel file.
Drill-down a second time by a key filter

After you first drill down on a top-level metric by key, a detail page appears with a topnset of metric values broken down by that key. You can then create a filter to drill down a second time by another key. For example, you can drill down on HTTP responses by status code, and then drill down again by the 404 status code to find more information about the servers, URIs, or clients associated with that status code.

Note:The option to drill-down a second time is only available for certain topnsets.

The following steps show you how to drill down from a chart and then drill down again from a detail metric page:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Navigate to a dashboard or protocol page.
  3. Click a metric value or label.
  4. In the Drill down by… section, select a key.
    A detail page appears.
  5. Click a key in the table, such as a status code or method. (The key must not be an IP address or hostname.)
  6. In the Drill down by… section, select a key, as shown in the following figure.


    The key filter appears above the table. You can now view all the detail metrics associated with that single key.
  7. To remove this filter from the table and then apply the filter to the top chart, click the x icon, as shown in the following figure.


    The filter in the chart persists as you select other keys in the Details section.

Add detail metrics to a chart

If you want to quickly monitor a set of detail metrics in a dashboard, without repeatedly performing the same drill-down steps, you can drill down on a metric when editing a chart in the Metric Explorer. Most charts can display up to 20 of the top detail metric values broken down by key. A key can be a client IP address, hostname, method, URI, referrer, or more. Table and list widgets can display up to 200 top detail metric values.

For example, a dashboard for monitoring web traffic might contain a chart displaying the total number of HTTP requests and responses. You can edit this chart to drill down on each metric by IP address to see the top talkers.

The following steps show you how to edit an existing chart and then drill down to display detail metrics:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Navigate to a dashboard or protocol page.
  3. Click the chart title and then select Edit.
  4. In the Details section, click Drill down by <None>, where <None> is the name of the drill-down metric key currently displayed in your chart.
  5. Select a key from the drop-down list.
    Note:If you have more than one source selected in your metric set, such as two devices, the sources are automatically combined into an ad hoc source group as you drill down. You cannot deselect the Combine Sources checkbox. To view drill-down metrics for each source, you must remove a source from the metric set and then click Add Source to create a new metric set.
    If detail metric data for a common key is available for all of the metrics in a metric set, the key for the detail metric automatically appears in the drop-down list, as shown in the following figure. If a key in the list is grayed out, the detail metric associated with that key is unavailable for all of the metrics in that metric set above. For example, client, server, and URI data are available for both HTTP Requests and HTTP Responses metrics in the metric set.

  6. You can filter keys with an approximate match, regular expression (regex), or exact match through one of the following steps:
    • In the Filter field, select the operator to display keys by an approximate match or with regex. You must omit forward slashes with regex in the approximate match filter.
      Note:The filter option to exclude results is only available on detail pages. If you want to exclude results in a dashboard chart, create a regular expression (regex).
    • In the Filter field, select the = operator to display keys by an exact match.
  7. (Optional): In the top results field, enter the number of keys that you want to display. These keys will have the highest values.
  8. To remove a drill-down selection, click the x icon.
    Note:You can display an exact key match per metric, as shown in the following figure. Click the drill-down metric name (such as All Methods) to select a specific drill-down metric key (such as GET) from the drop-down list. If a key appears gray (such as PROPFIND), drill-down metric data is unavailable for that specific key. You can also type a key that is not in the drop-down list.

Display a rate or count in a chart

You can visualize errors, responses, requests, and other count metric data in a chart as a per second rate or as a total number of events over time. For high-precision Network Bytes and Network Packets metrics, you have the additional options to view the maximum, minimum, and average rate per second in a chart.

When editing a chart in the Metric Explorer, you can select a count or rate by clicking the drop-down link below the metric name, as shown in the following figure.

In addition, you can select from the following options for displaying rates and counts. Note that the type of metric you select affects which rate or count is automatically displayed.

Average rate
Calculates the average metric value per second for the selected time interval. For network-related metrics, such as Response L2 Bytes or NetFlow Bytes, the average rate per second is automatically displayed.
Count
Displays the total count of events for the selected time interval. For the majority of count metrics, such as errors, requests and responses, the count is automatically displayed.
Rate summary
Calculates the maximum, minimum, and average metric value per second. For high-precision metrics, such as Network Bytes and Network Packets, these three rates are automatically displayed in the chart as a summary. You can also select to view only the maximum, minimum, or average rate in a chart. High-precision metrics are collected with a 1-second level of granularity and are only available when you configure your chart with a network capture or device source.

Display the average rate in a chart

If you configured a chart with an error, response, request, or other type of count metric, then the total number of events over time is automatically displayed. You can further edit the chart to display an average rate per second for your data.

Before you begin

Create a chart and select a count metric, such as errors, requests, or responses, as your source. Save your chart to a dashboard.
The following steps show you how to add an average rate to an existing dashboard chart:
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  4. Click Count below the metric name.
  5. Select Average Rate from the drop-down list.
    The unit "/s" is applied to metric units. You can toggle back to the count at any time.
  6. Click Save to close the Metric Explorer.
    Tip:When you select more than one count metric in a chart, avoid displaying rates and counts together in the same chart. It can skew the scale of the y-axis. The y-axis will include a "/s" on tick labels only if all metrics are displaying rates.

Display the maximum rate in a chart

To display a maximum rate per second of a metric in a chart, you must configure a chart with a high-precision metric.

The following steps show you how to configure a chart that displays a maximum rate:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Complete one of the following steps:
    • To create a new chart, click the command menu in the upper right corner of the page and then select Create chart.
    • To edit an existing chart, click Dashboards at the top of the page. Select a dashboard containing the chart that you want to edit. Click the chart title and select Edit.
  3. Click Add Source and select one of the following sources:
    • A network capture that is not a flow network.
    • A device, such as a server or client.
  4. Search for and select one of the following metrics:
    For a network capture source
    • Network Bytes (total throughput)
    • Network Packets (total packets)
    For a device source
    • Network Bytes (combined inbound and outbound throughput by device)
    • Network Bytes In (inbound throughput by device)
    • Network Bytes Out (outbound throughput by device)
    • Network Packets (combined inbound and outbound packets by device)
    • Network Packets In (inbound packets by device)
    • Network Packets Out (outbound packets by device)
  5. Select a chart type that is compatible with count metrics (includes line, value, column, bar, pie, and list charts).
    The default display for a high-precision metric is a rate summary that automatically displays the maximum, average, and minimum rate.
  6. Click Rate Summary below the metric name.
  7. Select Maximum Rate from the drop-down menu.
  8. Click Save to close the Metric Explorer.

Display percentiles or a mean in a chart

If you have a set of servers that are critical to your network, viewing the 95th percentile of server processing time in a chart can help you gauge how much servers are struggling. Percentiles are statistical measures that can show you how a data point compares to a total distribution over time.

You can only display percentile value and mean (average) calculations in charts that contain dataset or sampleset metrics. Dataset metrics are associated with timing and latency, such as server processing time and round trip time metrics. Sampleset metrics provide summaries of detail timing metrics, such as server processing time broken down by server, method, or URI.

When editing a chart in the Metric Explorer, you can select percentiles or the mean by clicking the drop-down link below the dataset or sampleset metric name, as shown in the following figure.

The Metric Explorer provides the following calculations for displaying percentiles and the mean.

Summary

For dataset metrics, the Summary is a range that includes the 95th, 75th, 50th, 25th, and 5th percentile values.

For example, each line in a candlestick chart contains five data points. If Summary is selected, the main body of the line represents the range from the 25th percentile to the 75th percentile. The middle tick mark represents the 50th percentile (median). The upper shadow above the body line represents the 95th percentile. The lower shadow represents the 5th percentile.

For sampleset metrics, the Summary displays the +/-1 standard deviation and the mean values. In the candlestick chart, the vertical tick mark in the line represents the mean, and the upper and lower shadows represent the standard deviation values.

Mean
The calculated average of data.
Median
The 50th percentile value of a dataset metric.
Maximum
The 100th percentile value of a dataset metric.
Minimum
The 0th percentile value of a dataset metric.
Percentile
A custom range of three or five percentile values for a dataset metric.

Display a custom range of percentiles

You can display a custom range of three or five percentile values for server processing time or round trip time metrics. You cannot display custom percentiles in a pie or status chart.

The following steps show you how to add a custom percentile range to an existing dashboard chart:

Before you begin

Create a chart and select a dataset or sampleset metric, and save it to a dashboard.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. at the top of the page, click Dashboards.
  3. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart you want to edit.
    2. Click the chart title and select Edit.
  4. Click Summary below the metric name.
  5. Select Percentile... from the drop-down list.
  6. In the Set Percentiles field, type a number for each percentile value, separated by a comma. For example, to view the 10th, 30th, and 80th percentiles, type 10, 30, 80.
  7. Click Save. Your custom range is now displayed in the chart. You can toggle between your custom range and other percentile selections, such as Summary or Maximum, at any time.
  8. Click Save again to close the Metric Explorer.

Filter outliers in histogram or heatmap charts

Histogram and heatmap charts display a distribution of data. However, outliers can skew how the distribution displays in your chart, making it difficult to notice patterns or average values. The default filter option for these charts excludes outliers from the data range and displays the 5th-95th percentiles. You can change the filter to view the full range of data (minimums to maximums), including outliers, in your chart by completing the following procedure.

  1. Click the chart title and then select Edit to launch the Metric Explorer.
  2. Click the Options tab.
  3. From the Default filter drop-down list in the Filters section, select Min to Max.
  4. Click Save to close the Metric Explorer.

Edit metric labels in a chart legend

You can change the default metric label in a chart to a custom label. For example, you can change the default label, "Network Bytes," to a custom label such as "Throughput."

Custom labels only apply to individual charts. A custom label for a metric will persist if you copy the chart to another dashboard, share a dashboard with another user, or add new metrics to your chart.

However, if you make changes to the original metric, such as updating the data calculation (from median to 95th percentile, for example) or drilling down on the metric, the custom label will automatically clear. The label clears to prevent mislabeling or potential inaccuracy of the custom label when metric data changes.

Here are some considerations about changing the label of a chart legend:

  • For detail metrics, a custom label is automatically appended to all the keys displayed in the chart. However, you can change the order of the key in the label by including the variable, $KEY:
    • Type $KEY errors to display 172.21.1.1 errors
    • Type [$KEY] errors to display [172.21.1.1] errors
  • You cannot change labels in the box plot, candlestick, heatmap, table, or status charts.
  • You cannot rename metric delta or dynamic baseline labels.

Before you begin

Create a chart and select a metric.

The following steps show you how to change metric labels in an existing dashboard chart:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  4. In the preview pane of the Metric Explorer, click the metric label.
  5. Select Rename from the drop-down menu.
  6. In the Display custom label field, type a new label.
    The label must be unique from other labels in the chart.
  7. Click Save, and then click Save again to close the Metric Explorer.
    The new label appears in your chart.

Add a dynamic baseline to a chart

Dynamic baselines help distinguish between normal and abnormal activity in your chart data. Baselines are only supported in the area, candlestick, column, line, and line & column charts.

The ExtraHop system calculates dynamic baselines based on historical data. To generate a new data point on a dynamic baseline, the system calculates the median value for a specified period of time.

Warning:Deleting or modifying a dynamic baseline can delete baseline data from the system. If a dynamic baseline is not referenced by any dashboards, the data will be deleted from the system to free unused system resources. You cannot recover a dynamic baseline after it is deleted.

Select a baseline type that best fits your environment. For example, if you regularly see dramatic changes from one day to another, select an hour-of-week baseline that compares activity seen on specific days of the week. If HTTP activity spikes on Saturdays, the hour-of-week baseline can help you compare the current spike in HTTP activity with the level seen on other Saturdays at the same hour. The following table describes how each type of baseline is calculated:

Baseline type Historical data What the baseline compares New baseline data points added
Hour of day 10 days Metric values from a given hour of a day. For example, every day at 2:00 PM. Every hour
Hour of week 5 weeks Metric values for a given hour on a specific day of the week. For example, every Wednesday at 2:00 PM. Every hour
Short-term trend 1 hour Metric values from each minute in one hour. Every 30 seconds

Here are some important considerations about adding a baseline to a chart:

  • Dynamic baselines calculate and store baseline data. Therefore, creating a baseline consumes system resources, and configuring too many baselines might degrade system performance.
  • Deleting or modifying a dynamic baseline can delete dynamic baseline data from the system.
  • Detail metrics, also referred to as topnsets, are unsupported. Sampleset, maximum rate, and minimum rate metrics are also unsupported. If any of these types of metrics are selected in your chart, you will be unable to generate a dynamic baseline for this data.
  • The system can begin building a dynamic baseline only if the necessary amount of historical data is available. For example, an Hour of day baseline requires 10 days of historical data. If the system has only been collecting data for six days, the baseline does not begin plotting until it has four more days worth of data.
  • The system does not retroactively plot a dynamic baseline for historical data. The system only plots a dynamic baseline for new data.
  • If two identical dynamic baselines exist in separate dashboards, the dashboards reuse the baseline data; however, the baselines must be identical. If you select a new baseline type, the new dynamic baseline will not share data with the previous dynamic baseline.

The following steps show you how to add a dynamic baseline to an existing dashboard chart:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and then select Edit.
  4. Click the Analysis tab.
  5. In the Dynamic Baselines section, select one of the following dynamic baseline type options:
    Option Description
    Hour of day Displays the median value for a given hour of the day. This option is most useful if activity in your environment usually follows a consistent daily pattern. If you regularly see dramatically different levels of activity on different days of the week, this option is less useful because the baseline usually does not match the current values.
    Hour of week Displays the median value for a given hour on a specific day of the week. This option is most useful if you regularly see significantly different levels of traffic during each day of the week.
    Short-term trend Displays the median value for the last hour. This option is useful for smoothing chart data to reveal short-term trends.
  6. Click Save to close the Metric Explorer and return to the dashboard.
    The ExtraHop system will begin calculating the dynamic baseline. New baseline data points are added every hour or 30 seconds, as shown in the following figure.

Add a static threshold line to a chart

Displaying a static threshold line in a chart can help you determine which data points are either below or above a significant value.

For example, you can create a line chart for server processing time to help you monitor the performance of an important database in your network environment. By adding a threshold line that defines a service level agreement (SLA) boundary of acceptable processing time, you can see when database performance is slowing down and address the issue.

You can add one or more threshold lines as you edit a chart with the Metric Explorer. These lines are local to the chart and not associated with other widgets or alerts. Threshold lines are only available for area, candlestick, column, line, line & column, and status charts.

The following steps show you how to add a static threshold line to an existing dashboard chart:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards.
  3. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and then select Edit.
  4. Click the Analysis tab.
  5. In the Static Thresholds section, click Add Threshold Line.
  6. In the Value field, type a number that indicates the threshold value for the line. This value determines where the line appears on the y-axis of your chart.
    Note:For charts that display only count metrics (such as bytes, errors, and responses), the value of the threshold line automatically scales based on whether data is displayed as a rate or count. When data is only displayed as a count, the threshold line value automatically scales to the roll up period (either 30 seconds, 5 minutes, 1 hour, or 1 day). The data roll up period is determined by the time interval you select.
  7. In the Label field, type a name for your threshold line.
  8. In the Color field, select a color (gray, red, orange, or yellow) for your threshold line.
  9. Click Save to close the Metric Explorer.

Display device group members in a chart

If you have a chart that displays a device group, you can view metrics by top devices in the group, instead of viewing a single value for the entire device group. Drilling down by group member in the Metric Explorer lets you view up to 20 devices in the chart.

If you see fewer groups members in a chart than the number of results you specified, this could be because you selected a built-in device group with a small number of devices. For built-in device groups, devices are dynamically placed into a group based on the type of protocol traffic they are associated with or the role they are assigned.

Before you begin

Create a chart that contains a device group as the selected source. Save the chart to a dashboard.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Dashboards .
  3. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  4. In the Details field, click Drill down by <None>, where <None> is the name of the detail metric currently displayed in your chart. Then, select Group Member.
  5. In the top results field, enter the number of group members that you want to display. These devices will have the highest metric values. You can display up to 20 group members.
  6. Click Save to close the Metric Explorer.
    Note:If you drill down by group member, you cannot perform additional drill downs to see detail metrics for each device by a key. To see detail metrics by key for a device, we recommend creating another chart with specific devices selected as the source.

Regular expression filters

Filter your search results by writing regular expression (regex) strings in certain search fields throughout the ExtraHop Web UI. For example, you can filter for parameters in a detail metric key, such as a number within an IP address. You can also filter by excluding specific keys or combination of keys from charts.

Regex-capable search fields have visual indicators throughout the system and accept standard syntax. If you want to configure record relationships for a custom detail metric, the regex syntax has advanced requirements. For more information, see the section on Additional Filters.
Search fields with an asterisk
Click the asterisk in the field to enable regex strings.

This type of field is available from the following system pages:
  • Filtering a table of devices
  • Creating filter criteria for a dynamic device group
Certain search fields with a trifield operator
Click the operator drop-down to see the regex option.

This type of field is available from the following system page:
  • Editing a chart in Metric Explorer
Certain search fields with a tooltip
Hover over the tooltip in the field to see the regex option.

This type of field is available from the following system page:
  • Creating a threshold alert

The following table includes examples of standard regex syntax.

Chart Scenario Regex filter How it works
Compare HTTP status codes 200 to 404. (200|404) Matches 200 and 404 codes where the | symbol serves as an OR function.
Display any HTTP status code that contains a 4. [4] Matches any value that contains a 4. For example, this filter can return 204 and 400 status codes.
Display all 500-level HTTP status codes. ^[5] Matches any value that begins with a 5. For example, this filter can return 500 and 502 status codes.
Display all 400 and 500-level HTTP status codes. ^[45] Matches all values that begin with a 4 or 5. For example, this filter can return 400, 403, and 500 status codes.
Display any HTTP status codes except 200-level status codes. ^(?!2) Matches all values except values beginning with a 2, where ^(?!) specifies the range of results to exclude. For example, this filter can return 400, 500, and 302 status codes.
Display any IP address with a 187. 187. Matches 1, 8, and 7 characters in the IP address.
Review all IP addresses containing 187.18. 187\.18\. Matches 187 and the character . that follows the 187. For example, this filter returns results for 187.18.0.0.0, 180.187.0.0.0, or 187.180.0.0.0/16.
Display any IP address except 187.18.197.150. [^187.18.197.150] Matches anything except 187.18.197.150, where [^] specifies the exact value to exclude.
Exclude a list of specific IP addresses [^187.18.197.150|187.18.197.151|187.18.197.152] Matches anything except 187.18.197.150, 187.18.197.151, and 187.18.197.152, where the | symbol serves as an OR function and [^] specifies the exact values to exclude.

Additional filters

When you create a custom detail metric from the Metric Catalog, you can add advanced regex syntax to the Additional Filters search field in the Record Relationships section.

The tooltip appears after you select Detail Metric and is not available when Base Metric is selected.

The regex syntax in this field must meet the following requirements:
  • If your key contains multiple values, your regex syntax must include a single capture group. A capture group is designated by parenthesis. Your capture group determines the filter value.

  • If you want to return a specific value from a detail metric key that contains multiple record field values, the regex must follow this syntax:

    $KEY:/<regex>/

    For example, if your detail metric key is ipaddr:host:cipher and you only want to return the IP address value, you would type the following:

    $KEY:/^([^:]+):.+/

  • If your key contains multiple record field values, the values are separated by a delimiter that is specified in the trigger that is generating the key. The placement of the delimiters in your regex syntax must match the delimiters in the detail key. For example, if you have a key with three values that are separated by a delimiter that is a colon, the three values for the key in your regex syntax must be separated by two colons.
Tip:If you want to return all record field values in a detail metric key, type $KEY. For example, if your detail metric key is ipaddr:host:cipher, type $KEY in the search field to return all three of those field record values (IP address, hostname, and SSL cipher suite).

Find all devices talking to external IP addresses

The following steps show you how to find all of the external IP addresses that your internal devices are talking to. You can then see if any devices are making or receiving unauthorized connections from other devices outside of your network.

Tip:By default, any device with an RFC1918 IP address (included in a 10/8, 172.16/12, or 192.168/16 CIDR block) that the ExtraHop system automatically discovers is classified as an internal device. Because some network environments include non-RFC1918 IP addresses as part of their internal network, you can specify the locality of an IP address on the Network Localities page.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click Assets at the top of the page.
    The Devices page appears, which lists all the protocols with traffic in the selected time interval.
  3. From Devices by Protocol Activity, click the number of TCP devices.
    At the top of the page, the External Accepted and External Connected metrics display how many IP addresses outside of your internal network are actively connected to all of your network devices.
  4. Click the blue metric value for either metric.
  5. In the Drill Down by… section, select Group Member. A detail metric page appears and shows all of the names of your network devices and the number of connections to external IP addresses.
  6. Click on a device name that you want to investigate. A protocol page for that device appears, which contains metrics related to the device.

Monitor a device for external IP address connections

If you have an authentication server or database that should not connect to IP addresses outside of your internal network, you can create a value chart in a dashboard that tracks External Accepted and External Connected metrics. From your dashboard, you can then monitor the number of external connections for a specific device.

Tip:By default, any device with an RFC1918 IP address (included in a 10/8, 172.16/12, or 192.168/16 CIDR block) that the ExtraHop system automatically discovers is classified as an internal device. Because some network environments include non-RFC1918 IP addresses as part of their internal network, you can specify the locality of an IP address on the Network Localities page.

The following steps show you how to create a value chart for these TCP metrics and then add the chart to a dashboard.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click Assets at the top of the page.
  3. Click Devices in the left pane.
  4. Find a device and then click the device name.
  5. Click TCP in the left pane. In the Total Connections chart in the upper left corner, the External Accepted and External Connected metrics display how many IP addresses outside of your internal network are connected to the device.
  6. Click the Total Connections chart title.
  7. From the drop-down menu, select Create chart from…. The Metric Explorer opens with the device and TCP metrics already selected in the chart.
  8. At the bottom of the Metric Explorer, click the Value chart.
  9. In the left pane in the Metric section, click the x icon to delete each TCP metric that you do not want to view in the chart, as shown in the following figure.


    Your dashboard now contains metrics that help you track the ratio of all accepted connections to external accepted connections, and the ratio of all initiated connections to external initiated connections.
  10. (Optional): Make additional edits to the chart with the Metric Explorer.
  11. Click Add to Dashboard and complete one of the following options:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.
  12. (Optional): Make additional edits to the dashboard layout.
  13. Click Exit Layout Mode. Your dashboard is complete.

Compare time intervals to find the metric delta

Comparing metric data between two time intervals helps you see the difference, or the delta, in metric data side-by-side in the same chart. If you create a comparison and navigate to another area of the Discover appliance, the comparison is disabled temporarily. When you return to your original page, the comparison you saved is enabled again.

  1. Find a chart with the metrics that you want to compare.
  2. In the upper left hand corner of the navigation bar, click the time interval.
  3. In the Time Interval tab, click Compare.
  4. In the Previous Interval (Comparison) section, select the time interval to compare with the current time interval.
  5. Click Save. New metric data from the comparison time interval is placed on the original chart.
  6. To remove the comparison, complete the following steps:
    1. Click the time interval.
    2. Click Remove Comparison.
    3. Click Save.
    Note:Dynamic baselines will not appear on a chart when you are comparing time intervals.

Sort metrics

On an application protocol page, if a metrics section on a protocol page contains a gear icon in the upper right corner, the metrics in that section can be sorted by key or value.

  1. Navigate to a protocol page by clicking Assets and then select an application.
  2. Click the gear icon.
  3. Select Sort by Key or Sort by Value.

Create a chart from a protocol page

Protocol pages contain a large amount of metrics and data. While you cannot modify the charts on protocol pages, you can create a copy of an interesting chart on a protocol page and then add the copied chart to a dashboard. Your dashboard can be then modified and shared with other team members.

  1. Click Assets and then select a source in the left pane.
  2. Find the chart that you want to copy. Click the chart title and select Create Chart. The Metric Explorer opens with the source and metric selected.
    Note:If you find a chart on an Application or Network Capture page, click Create Chart in the upper right corner of the page.
  3. Edit the chart as needed.
  4. Click Add to Dashboard:
    • Select Create Dashboard to create a dashboard, and then click Create.
    • Select an existing dashboard from the list, and then click Close.

Assets

All of the metric activity collected from the wire data on your network is logically grouped into sections on the Assets page, where you can navigate to find the data you need.

Devices

Devices, also known as assets and endpoints, are objects on your network with a MAC address or IP address that have been automatically discovered and classified by the ExtraHop system. Assign any device to a chart, alert, or trigger as a metric source. Learn more about Devices.

Device Groups

Device groups are user-defined sets of devices that can be collectively assigned as a metric source to a chart, alert, or trigger. You can create a dynamic device group that adds devices that matches your specified criteria or you can create a static device group and manually add or remove devices. The ExtraHop system also includes built-in dynamic device groups by role and by protocol activity that you can assign as a metric source. Click a role or protocol link from the Devices page to view metrics for a built-in device group.

Users

The Users page displays a list of all active users found on your network and the devices the user logged in to. The user name is extracted from the authentication protocol, such as LDAP or Active Directory. Search for devices accessed by a specific user.

Note:These users are not associated with user accounts for the ExtraHop system.

Applications

Applications are user-defined containers that represent distributed systems on your network. Create an application to view all of the metric activity associated with your website traffic—web transactions, DNS requests and responses, and database transactions. See the Applications FAQ.

Basic applications that filter built-in metrics by protocol activity can be created through the Web UI. Complex applications that collect custom metrics or metrics from non-L7 traffic must be created through a trigger, which requires JavaScript code. Learn more about building Triggers.

Networks

Networks are the wire network or flow network data feeds to the ExtraHop system. Click an entry to see the VLANs associated with a wire data capture, or click an entry to see the interfaces associated with a flow network.

Devices

The ExtraHop system automatically discovers and classifies devices, also known as endpoints, that are actively communicating over the wire, such as clients, servers, routers, load balancers, and gateways. Each device receives the highest level of analysis available, based on your system configuration.

The ExtraHop system can discover and track devices by their MAC address (L2 Discovery) or by their IP addresses (L3 Discovery). Enabling L2 Discovery offers the advantage of tracking metrics for a device even if the IP address is changed or reassigned through a DHCP request. If L3 Discovery is enabled, it is important to know that devices might not have a one-to-one correlation to the physical devices in your environment. For example, if a single physical device has multiple active network interfaces, that device is identified as multiple devices by the ExtraHop system.

After a device is discovered, the ExtraHop system begins to collect metrics based on the analysis level configured for that device. The analysis level determines the types of metrics that are generated and which features are available for organizing metric data.

Click Assets from the top menu and then click Devices to display the following charts that provide insight about the active devices discovered on your network during the selected time interval:

Active Devices
Displays the total number of devices that have been discovered by the ExtraHop system. Click the number to view a list of all discovered devices. From the Active Devices list, you can search for specific devices or click a device name to view device details on the device Overview page.
New Devices
Displays the number of devices that have been discovered within the past month and the percentage rate of change. Click the number to view a list of all of these devices.
Devices by Role
Displays each device role and the number of devices assigned to each role that is active during the specified time interval. Click a device role to see a built-in Overview page that includes metric data, peer IPs, and protocol activity for that group of devices. You can also add additional filter criteria and save the group as a new dynamic device group.
Devices by Protocol Activity
Displays a list of protocol activity found on your network. Click a protocol name or device count to see a built-in Overview page with specific metric charts about that protocol activity. Click an activity map to see all device-to-device connections. You can also add additional filter criteria and save the group as a new dynamic device group.

Device Overview page

By clicking on a device name, you can view all of the information discovered about the device by the ExtraHop system on the device Overview page. The device Overview page is divided into three sections: a top-level summary, a properties panel, and an activity panel.

Device summary

The device summary provides information such as the device name, the current IP address or MAC address, and the role assigned to the device. If viewing from a Command appliance, the name of the Discover appliance is displayed.

  • Click Records to start a record query that is filtered by this device.
  • Click Packets to start a packet query that is filtered by this device.
Device properties

The device properties section provides the following known attributes and assignments for the device.

Critical Device
A critical device icon is displayed if the device is observed to provide authentication or is critical to essential services.
IP Addresses
A list of IP addresses observed on the device at any time during the selected time interval. If L2 Discovery is enabled, the list might display both IPv4 and IPv6 addresses that are simultaneously observed on the device, or the list might display multiple IP addresses assigned through DHCP requests at different times. A timestamp indicates when the IP address was last observed on the device. Click an IP address to view other devices where the IP address has been seen.
Associated IP Addresses
A list of IP addresses, usually outside of the network, that are associated with the device at any time during the selected time interval. For example, a VPN client on your network might be associated with an external IP address on the public internet. A timestamp indicates when the IP address was last associated with the device. Click an associated IP address to view details such as the geographic location and other devices the IP address has been associated with.
Cloud Instance Properties
The following cloud instance properties appear for the device when you configure the properties through the REST API:
  • Cloud Account
  • Cloud Instance Type
  • Virtual Private Cloud (VPC)
  • Subnet
  • Cloud Instance Name (displayed in the Known Alias property)

See Add cloud instance properties through the ExtraHop API Explorer for more information.

Users
A list of authenticated users logged into the device. Click a user name to go to the Users page and view which other devices the user is logged into.
Known Aliases
A list of alternative device names and the source program or protocol.
Note:Multiple DNS names are supported.
Hardware and Software
The hardware or vendor make and model of the device and any operating systems running on the device.
Tags
The tags assigned to the device. Click a tag name to view the other devices that the tag is assigned to.
First and Last Seen
The timestamps from when the device was first discovered and when activity was last observed on the device. NEW is displayed if the device was discovered within the last five days
Analysis
The level of analysis that this device receives.

Here are some ways you can view and modify device properties:

  • Click View Groups to view the device group membership for the device.
  • Click Edit Properties to view or modify device properties such as device role, device group memberships, or device tags.
  • Click Edit Assignments to view or modify which alerts and triggers are assigned to the device.
Device activity

The device activity section provides information about how the device is communicating with other devices and which detections and alerts are associated with the device.

  • Click Traffic to view charts for protocol and peer data, and then drill down on metrics in traffic charts.
    Note:Traffic charts are not available if the device analysis level is Discovery Mode. To enable traffic charts for the device, elevate the device to Advanced Analysis or Standard Analysis.
  • Click Detections to view a list of detections, and then click a detection name to view detection details.
  • Click Alerts to view a list of alerts, and then click an alert name to view alert details.
  • Click Peer Devices to view an activity map, which is visual representation of the L4-L7 protocol activity between devices in your network. To modify the activity map with additional filters and steps, click Open Activity Map.
Tip:You can bookmark the device Overview page to a specific activity view by setting the tab URL parameter to one of the following values:
  • tab=traffic
  • tab=detections
  • tab=alerts
  • tab=peers

For example, the following URL always displays detection activity for the specified device:

https://example-eda/extrahop/#/metrics/devices//0026b94c03810000/overview/&tab=detections

Device metrics

Metrics are real-time measurements of your network traffic that the ExtraHop system calculates from wire or flow data. Metrics collected from device traffic can be viewed in built-in charts and graphs from a device page.

Click a built-in metric page from the left pane to view top-level device metrics or client and server metrics by protocol. Click a chart to drill down to detail metric pages, which display metric values for a specific key (such as a client or server IP address).

In addition to network and TCP built-in pages, devices display built-in metric pages for associated cloud services if data is available. See the Protocol Metrics Reference for more information about what data is available on built-in device pages.

The ExtraHop system provides thousands of built-in metrics. Here are some ways you can gain further insight about your devices

IP address details

Type an IP address in the global search field or click an IP address link from a device Overview page to view details about an IP address.

The following information appears for an IP address seen on a device:

  • Each device where the IP address is currently observed, regardless of the selected time interval.
  • Each device where the IP address was previously observed within the selected time interval, including the timestamp from when the IP address was last seen on the device.

If L2 Discovery is enabled, both IPv4 and IPv6 addresses might be simultaneously observed on the device, or different IP addresses might be assigned to the device by DHCP over time.

The following information appears for an IP address associated with a device:

  • The geolocation of the IP address and links to the ARIN Whois website.
  • Each device where the associated IP address was seen outside of the network at any time during the selected time interval. For example, a VPN client on your network might be associated with an external IP address on the public internet.
  • Any cloud services associated with the IP address.
  • The IP address of the device as seen by the ExtraHop system on your network.
  • The timestamp when the associated IP address was last seen on the device.

Here are some ways you can view additional IP address and device information:

  • Hover over a device name to view device properties.
  • Click a device name to view the device Overview page.
  • Click Search for Records to start a record query that is filtered by the IP .
  • Click Search for Packets to start a packet query that is filtered by this device.

Grouping devices

Both custom devices and device groups are ways that you can aggregate your device metrics. Custom devices are user-created devices that collect metrics based on specified criteria, while device groups gather metrics for all of the specified devices in a group. With device groups, you can still view metrics for each individual device or group member. The metrics for a custom device are collected and displayed as if for a single device—you cannot view individual device metrics.

Both device groups and custom devices can dynamically aggregate metrics based on your specified criteria. We recommend selecting reliable criteria, such as the device IP address, MAC address, VLAN, tag, or type. While you can select devices by their name, if the DNS name is not automatically discovered, the device is not added.

  Device Groups Custom Devices
Criteria
  • Device names and aliases
  • IP address, MAC address, subnet
  • Source and destination port
  • Discovery time
  • Device criticality
  • Device role
  • Protocol activity
  • Vendor, model, software
  • Cloud instance properties
  • VLAN
  • Device tags
  • IP address
  • Source port
  • Destination port
  • VLAN
Performance cost Comparatively low. Because device groups only combine metrics that have already been calculated, there is a relatively low effect on metric collection. However, a high number of device groups with a large number of devices and complex criteria will take more time to process. Comparatively high. Because the metrics for custom devices are aggregated based on user-defined criteria, large numbers of custom devices, or custom devices with extremely broad criteria, require more processing. Custom devices also increase the number of system objects to which metrics are committed.
View individual device metrics Yes No
Best practices Create for local devices where you want to view and compare the metrics in a single chart. Device groups can be set as a metric source. Create for devices that are outside of your local network, or for types of traffic that you want to organize as a single source. For example, you might want to define all physical interfaces on a server as a single custom device to better view metrics for that server as a whole.

Custom devices

Custom devices enable you to collect metrics for devices that are outside of your local network or when you have a group of devices that you want to aggregate metrics for as a single device. These devices can even be different physical interfaces that are located on the same device; aggregating the metrics for these interfaces can make it easier to understand how heavily taxed your physical resources are as a whole, rather than by interface. You might create a custom device to track individual devices outside of your local broadcast domain or to collect metrics for several known IP addresses or CIDR blocks for a remote site or cloud service.

After you create a custom device, all of the metrics associated with the IP addresses and ports are aggregated into a single device that collects L2-L7 metrics. A single custom device counts as one device towards your licensed capacity for Advanced Analysis or Standard Analysis, which enables you to add a custom device to the watchlist. Any triggers or alerts are also assigned to the custom device as a single device.

While custom devices aggregate metrics based on their defined criteria, the metric calculations are not treated the same as for discovered devices. For example, you might have a trigger assigned to a custom device that commits records to a recordstore. However, the custom device is not shown as either a client or a server in any transaction records. The ExtraHop system populates those attributes with the device that corresponds to the conversation on the wire data.

Custom devices can affect the overall system performance, so you should avoid the following configurations:

  • Avoid creating multiple custom devices for the same IP addresses or ports. Custom devices that are configured with overlapping criteria might degrade system performance.
  • Avoid creating a custom device for a broad range of IP addresses or ports, which might degrade system performance.

If a large number of custom devices is affecting your system performance, you can delete or disable a custom device. The unique Discovery ID for the custom device always remains in the system. See Create a custom device to monitor remote office traffic to familiarize yourself with custom devices.

Device groups

A device group is a user-defined collection that can help you track metrics across multiple devices that are typically grouped by shared attributes such as protocol activity.

You can create a static device group that requires you to manually add or remove a device from the group. Or, you can create a dynamic device group that includes criteria that determines which devices are automatically included in the group. For example, you can create a dynamic device group based on the device discovery time that adds devices that are discovered during a specific time interval.

By default, the Device Group page includes the following dynamic device groups that you can overwrite or delete:

New Devices (Last 24 Hours)
Includes assets and endpoints that were first seen by the ExtraHop system over the last 24 hours.
New Devices (Last 7 Days)
Includes assets and endpoints that were first seen by the ExtraHop system over the last 7 days.

The ExtraHop system also includes built-in dynamic device groups by role and by protocol. You can assign built-in device groups as a metric source for objects such as charts, alerts, triggers, and activity maps. You cannot overwrite or delete a built-in device group, but you can add filter criteria and save it as a new device group.

From the Devices page, click a device count for a role or protocol, such as Domain Controller or CIFS clients, to view the group Overview page. Clicking the filter at the top of the page enables you to add additional criteria and update the page data on demand instead of requiring you to create a device group.

There is no performance impact to collecting metrics with device groups. However, we recommend that you prioritize these groups by their importance to make sure that the right devices receive the highest level of analysis.

Device groups are a good choice when you have devices that you want to collectively apply as a source. For example, you could collect and display metrics for all of your high-priority production web servers in a dashboard.

By creating a device group, you can manage all of those devices as a single metric source instead of adding them to your charts as individual sources. However, note that any assigned triggers or alerts are assigned to each group member (or individual device).

Device names and roles

After a device is discovered, the ExtraHop system tracks all of the wire data traffic associated with the device to determine the device name and role.

Device names

The ExtraHop system discovers device names by passively monitoring naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol (CDP).

A device can be identified by multiple names, which appear as Known Aliases on the device Overview page. If a device has multiple names, the order of priority for the default display name is the custom name followed by the cloud instance name, the DHCP name, the public DNS name, and then other naming protocols. You can search by any name to find a device.

If a name is not discovered through a naming protocol, the default name is derived from device attributes, such as MAC addresses and IP addresses. You can also create a custom name or set a cloud instance name for a device.

Note:If a device name does not include a hostname, the ExtraHop system has not yet observed naming protocol traffic associated with that device. The ExtraHop system does not perform DNS lookups for device names.

Device roles

Based on the type of traffic associated with the device or the device model, the ExtraHop system automatically assigns a role to the device, such as a gateway, file server, database, or load balancer. The Other role gets assigned to devices that cannot be identified.

A device can only be assigned one role at a time. You can manually change a device role, or the ExtraHop system might re-assign a different role if observed traffic and behavior changes. For example, if a PC has been repurposed into a Web server, you might change the role immediately, or the change might be observed over time and the role updated by the system.

The ExtraHop system identifies the following roles:

Icon Role Description
Custom Device A user-created device that collects metrics based on specified criteria. The ExtraHop system automatically assigns this role when you create a custom device. You cannot manually assign the Custom role to a device.
Database A device that primarily hosts a database instance.
DHCP Server A device that primarily processes DHCP server activity.
DNS Server A device that primarily processes DNS server activity.
Domain Controller A device that acts as a domain controller for Kerberos, CIFS, and MSRPC server activity.
File Server A device that responds to read and write requests for files over NFS and CIFS/SMB protocols.
Firewall A device that monitors incoming and outgoing network traffic and blocks traffic according to security rules. The ExtraHop system does not automatically assign this role to devices.
Gateway A device that acts as a router or gateway. The ExtraHop system looks for devices associated with a large amount of unique IP addresses (past a certain threshold) when identifying gateways. Gateway device names include the router name such as Cisco B1B500. Unlike other L2 parent devices, you can add a gateway device to the watchlist for Advanced Analysis.
IP Camera A device that sends image and video data through the network. The ExtraHop system assigns this role based on the device model.
Load Balancer A device that acts as a reverse proxy for distributing traffic across multiple servers.
Medical Device A device designed for healthcare needs and medical environments. The ExtraHop system might assign this role if a device is a known medical make and model or if the device processes DICOM traffic.
Mobile Device A device that has a mobile operating system installed, such as iOS or Android.
PC A device such as a laptop, desktop, Windows VM, or macOS device that processes DNS, HTTP, and SSL client traffic.
Printer A device that enables users to print text and graphics from other connected devices.The ExtraHop system assigns this role based on the device model or on traffic observed over mDNS (multicast DNS).
VoIP Phone A device that manages voice over IP (VoIP) phone calls.
VPN Client An internal device that communicates with a remote IP address. If VPN client discovery is enabled, the ExtraHop system automatically assigns this role to internal devices communicating with remote IP addresses through a VPN gateway. You cannot manually assign the VPN Client role to a device.
VPN Gateway A device that connects two or more VPN devices or networks together to bridge remote connections. The ExtraHop system assigns this role to devices with a large number of external VPN peers.
Vulnerability Scanner A device that runs vulnerability scanner programs.
Web Proxy Server A device that processes HTTP requests between a device and another server.
Web Server A device that primarily hosts web resources and responds to HTTP requests.
Wi-Fi Access Point A device that creates a wireless local area network and projects a wireless network signal to a designated area. The ExtraHop system assigns this role based on the device model.

Find a device

The ExtraHop system automatically discovers devices such as clients, servers, routers, load balancers, and gateways that are actively communicating with other devices over the wire. You can search for a specific device on the system and then view traffic and protocol metrics on a protocol page.

You can search for devices from the global search field at the top of the page. Global search compares a search term to multiple device properties such as the hostname, IP address, known alias, vendor, tag, description, and device group. For example, if you search for the term vm, the search results might display devices that include vm in the device name, device vendor, or device tag.

  1. Type a search term in the global search field at the top of the page.
  2. Click Any Type and then select Devices.
    The search results are displayed in a list below the search field. Click More Results to scroll through the list.

    Matching devices with no activity during the specified time interval have an Inactive label.

    Tip:Devices inactive for more than 90 days are excluded from global search results. However, you can immediately exclude all devices that have been inactive for fewer than 90 days through the Administration UI.
  3. Click a device name to open the device Overview page and view device properties and metrics.

Search for a device by details

You can search for devices by information observed over the wire, such as IP address, MAC address, hostname, or protocol activity. You can also search for devices by customized information such as device tags.

The trifield search filter enables you to search by multiple categories at once. For example, you can add filters for device name, IP address, and role to view results for devices that match all of the specified criteria.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Assets.
  3. Click Devices in the left pane, and then click the Active Devices chart.
  4. In the trifield filter, click Name and select one of the following categories:
    Option Description
    Name Filters devices by the discovered device name. For example, a discovered device name can include the IP address or hostname.
    MAC Address Filters devices by the device MAC address.
    IP Address Filters devices by IP address in IPv4, IPv6, or CIDR block formats.
    Site Only available on a Command Console.

    Filters devices associated with a connected site.

    Discovery Time Filters devices automatically discovered by the ExtraHop system within the specified time interval. For more information, see Create a device group based on discovery time.
    Model Filters devices by models and model sets, which are logical groupings of device models. Model sets common on your network are suggested until you filter a specific string.
    Activity Filters devices by protocol activity associated with the device. For example, selecting HTTP Server returns devices with HTTP server metrics, and any other device with a device role set to HTTP Server.
    Cloud Account Filters devices by the cloud service account associated with the device.
    Cloud Instance ID Filters devices by the cloud instance ID associated with the device.
    Cloud Instance Type Filters devices by the cloud instance type associated with the device.
    Critical Filters devices that are considered critical because they provide authentication services or support essential services on your network.
    Role Filters devices by the assigned device role, such as gateway, firewall, load balancer, and DNS Server.
    Software Filters devices by operating system software detected on the device.
    Subnet Filters devices by the subnet associated with the device.
    Tag Filters devices by user-defined device tags.
    Virtual Private Cloud Filters devices by the VPC associated with the device.
    Vendor Filters devices by the device vendor name, as determined by the Organizationally Unique Identifier (OUI) lookup.
    VLAN Filters devices by the device VLAN tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.

    Only available if the devices_accross_vlans setting is set to False in the Running Config file.

    CDP Name Filters devices by the CDP name assigned to the device.
    Cloud Instance Name Filters devices by the cloud instance name assigned to the device.
    Custom Name Filters devices by the custom name assigned to the device.
    DHCP Name Filters devices by the DHCP name assigned to the device.
    DNS Name Filters devices by any DNS name assigned to the device.
    NetBIOS Name Filters devices by the NetBIOS name assigned to the device.
  5. Select one of the following operators; the operators available are determined by the selected category:
    Option Description
    = Filters devices that are an exact match of the search field for the selected category.
    Filters devices that do not exactly match the search field.
    Filters devices that include the value of the search field for the selected category.
    ≈/ Filters devices that exclude the value of the search field for the selected category.
    starts with Filters devices that start with the value of the search field for the selected category.
    exists Filters devices that have a value for the selected category.
    does not exist Filters devices that do not have a value for the selected category.
  6. In the search field, type the string to be matched, or select a value from the drop-down list. The input type is based on the selected category.
    For example, if you want to find devices based on Name, type the string to be matched in the search field. If you want to find devices based on Role, select from the drop-down list of roles.
    Tip:Depending on the selected category, you can click the Regex icon in the text field to enable matching by regular expression.

  7. Click Add Filter.
    The devices list is filtered to the specified criteria.

Next steps

  • Click a device name to view device properties and metrics on the device Overview page.
  • Click Create Dynamic Group from the upper right corner to create a dynamic device group based on the filter criteria.
  • Click the command menu and then select PDF or CSV to export the device list to a file.

Search for devices by protocol activity

The Devices page displays all protocols that are actively communicating over the wire during the selected time interval. You can quickly locate a device that is associated with a protocol, or discover a decommissioned device that is still actively communicating over a protocol.

In the following example, we show you how to search for a web server within the group of HTTP servers.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Assets.
  3. From the Devices by Protocol Activity chart, click the number of HTTP servers, as shown in the following figure.
    Note:If you do not see the protocol you want, the ExtraHop system might not have observed that type of protocol traffic over the wire during the specified time interval, or the protocol might require a module license. For more information, see the I don't see the protocol traffic I was expecting? section in the License FAQ.
    The page displays traffic and protocol metrics associated with the group of HTTP servers.
  4. At the top of the page, click Group Members.
    The page displays a table that contains all of the devices that sent HTTP responses over the wire during the selected time interval.
  5. From the table, click a device name.
    The page displays traffic and protocol metrics associated with that device, similar to the following image.

Search for devices accessed by a specific user

From the Users page, you can see active users and the devices they have logged in to during the specified time interval.

Tip:You can also search for users from the global search field at the top of the page.

This procedure shows you how to perform a search from the Users page.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Assets.
  3. Click Users in the left pane.
  4. From the search bar, select one of the following categories from the drop-down list:
    Option Description
    User Name Search by user name to learn which devices the user has accessed. The user name is extracted from the authentication protocol, such as LDAP or Active Directory.
    Device Name Search by device name to learn which users have accessed the device.
  5. Select one of the following operators from the drop-down list:
    Option Description
    = Search for a name or device that is an exact match of the text field.
    Search for names or devices that do not exactly match the text field.
    ≈ (default) Search for a name or device that includes the value of the text field.
    ≈/ Search for a name or device that excludes the value of the text field.
  6. In the text field, type the name of the user or device you want to match or exclude.
    The Users page displays a list of results similar to the following figure:

  7. Click the name of a device to open the device Overview page and view all of the users that have accessed the device during the specified time interval.

Search for peer devices

If you want to know which devices are actively talking to each other, you can drill down by Peer IPs from a device or device group protocol page.

When you drill down by Peer IP address, you can investigate a list of peer devices, view performance or throughput metrics associated with peer devices, and then click on a peer device name to view additional protocol metrics.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Assets and then select Device or Device Group in the left pane.
  3. Search for a device or device group, and then click the name from the list of results.
  4. On the Overview page for the selected device or device group, click one of the following links:
    Option Description
    For devices Click View More Peer IPs, located at the bottom of the Top Peers chart.

    For device groups Click Peer IPs, located in the Details section near the upper right corner of the page.

    A list of peer devices appears, which are broken down by IP address. You can investigate network bytes and packets information for each peer device, as shown in the following figure.

Change a device name

The ExtraHop system automatically names devices by passively monitoring naming protocol traffic (DNS, DHCP, NETBIOS, CDP). If naming protocol traffic is not observed for a device, the device name displays either the IP address or the MAC address. In either condition, you can change the automatic device name to a custom name. The custom name will appear throughout the ExtraHop system.

Here are some important considerations about device names:
  • Custom names are not synchronized between Command and Discover appliances.
  • The ExtraHop system does not perform DNS lookups for device names. The ExtraHop system derives the DNS name for a device by observing DNS traffic over wire data. For more information, see Device discovery.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Assets.
  3. Click Devices in the left pane, and then click the Active Devices chart.
  4. Filter the device list to find the device you want and then click the device name.
    The Overview page appears, which displays traffic and protocol activity for the selected device.
  5. Click Edit Properties.
  6. Click Display custom name.
  7. Type a custom name in the field.
  8. Click Done.

Change a device role

The ExtraHop system automatically discovers and classifies devices on your network based on the protocol activity or device model and assigns a role to each device, such as a gateway, file server, database, or load balancer. You can change the role assigned to a device at anytime.

Note:After you change the device role, the device might be removed from or added to dynamic device groups that include a device role as criteria.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Assets.
  3. Click Devices in the left pane, and then click the Active Devices chart.
  4. Filter the device list to find the device you want and then click the device name.
    The Overview page appears, which displays traffic and protocol activity for the selected device.
  5. Click Edit Properties .
  6. In the Device Role section, click the drop-down list, and then click one of the following roles:
    Role Description
    Auto Assign the role that the ExtraHop system identified for the device, which appears in parentheses.
    Database Assign to a device that hosts a database instance.
    DHCP Server Assign to a device whose main function is processing DHCP server activity.
    DNS Server Assign to a device whose main function is processing DNS server activity.
    Domain Controller Assign to a device that acts as a domain controller for Kerberos, CIFS, and MSRPC server activity.
    File Server Assign to a device that responds to read and write requests for files over NFS and CIFS/SMB protocols.
    Firewall Assign to a device that monitors incoming and outgoing network traffic and blocks traffic according to security rules.
    Gateway Assign to a device that acts as a router or gateway.
    IP Camera

    Assign to a device that sends image and video data through the network, such as security cameras.

    Load Balancer Assign to a device that acts as a reverse proxy for distributing traffic across multiple servers.
    Medical Device Assign to a device that is specifically designed for healthcare needs and medical environments.
    Mobile Device Assign to a device that has a mobile operating system installed, such as iOS or Android.
    PC Assign to a device such as a laptop, desktop, Windows VM, or macOS device.
    Printer Assign to a device that enables users to print text and graphics from other connected devices.
    VoIP Phone Assign to a device that manages voice over IP (VoIP) phone calls.
    VPN Gateway Assign to a device that connects two or more VPN devices or networks together to bridge remote connections.
    Vulnerability Scanner Assign to a device that runs vulnerability scanner programs.
    Web Proxy Server Assign to a device that processes HTTP requests between a device and another server.
    Web Server Assign to a device that hosts web resources and responds to HTTP requests.
    Wi-Fi Access Point Assign to a device that creates a wireless local area network and projects a wireless network signal to a designated area.
    Other Assign to a device when the device activity does not clearly identify a single role.
  7. Click Save.

Create a device tag

Tags are user-defined labels that you can attach to a device. Tags can help differentiate devices in the ExtraHop system that share a common attribute or characteristic. You can then search for devices or create dynamic device groups based on the device tag.

Note:You cannot rename a device tag after it is created.
Note:You can also automate this task through the REST API.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Tags.
  3. Click Create.
  4. In the Name field, type a unique name for the tag.
  5. (Optional): To immediately add the new tag to a device, complete the following steps:
    1. Click Select a device.
    2. Type a device name, IP address, MAC address, or hostname.
    3. Select the device from the search results.
      The device name appears in the window, indicating that the new tag will be added to this device.
  6. Click Save.
    The new tag appears in the Manage Tags window.
  7. Click Done to close the window.
    Tip:You can also add a tag from a device Overview page. Find a device and then click the device name. From the device Overview page, click Edit Properties, and then click Tags.

Create a device group

You can create both dynamic and static device groups. Dynamic groups automatically add all devices that match specified criteria to the group, while static groups require you to manually add each device.

Create a dynamic device group

You can create dynamic device groups with complex filters, which enable you to specify multiple criteria and create nested groups of criteria.
Tip:You can quickly create a dynamic device group from a filtered list of devices on the Devices page. Click Create Dynamic Group from the upper right corner.

You can also create a dynamic device group from a built-in device group. From the Devices page, click a role or protocol, update the filter criteria, and then click the Save icon from the upper right corner.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. From the top menu, click Assets and then click Device Groups in the left pane.
  3. Click Create Device Group.
  4. In the Group Name field, type a descriptive name to identify the group
  5. (Optional): In the Description field, add information about this device group.
  6. In the Group Type section, click Dynamic.
  7. In the Filter Criteria section, click Match All and then select one of the following match operators from the drop-down list:
    Option Description
    Match All Filters only devices that match all of the specified criteria.
    Match Any Filters devices that matches any of the specified criteria.
    Match None Filters devices that do not match any of the specified criteria.
  8. Click Name and select one of the following categories from the drop-down list:
    Option Description
    Name Filters devices by the discovered device name. For example, a discovered device name can include the IP address or hostname.
    MAC Address Filters devices by the device MAC address.
    IP Address Filters devices by IP address in IPv4, IPv6, or CIDR block formats.
    Site Only available on a Command Console.

    Filters devices associated with a connected site.

    Discovery Time Filters devices automatically discovered by the ExtraHop system within the specified time interval. For more information, see Create a device group based on discovery time.
    Model Filters devices by models and model sets, which are logical groupings of device models. Model sets common on your network are suggested until you filter a specific string.
    Activity Filters devices by protocol activity associated with the device. For example, selecting HTTP Server returns devices with HTTP server metrics, and any other device with a device role set to HTTP Server.
    Cloud Account Filters devices by the cloud service account associated with the device.
    Cloud Instance ID Filters devices by the cloud instance ID associated with the device.
    Cloud Instance Type Filters devices by the cloud instance type associated with the device.
    Critical Filters devices that are considered critical because they provide authentication services or support essential services on your network.
    Role Filters devices by the assigned device role, such as gateway, firewall, load balancer, and DNS Server.
    Software Filters devices by operating system software detected on the device.
    Subnet Filters devices by the subnet associated with the device.
    Tag Filters devices by user-defined device tags.
    Virtual Private Cloud Filters devices by the VPC associated with the device.
    Vendor Filters devices by the device vendor name, as determined by the Organizationally Unique Identifier (OUI) lookup.
    VLAN Filters devices by the device VLAN tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.

    Only available if the devices_accross_vlans setting is set to False in the Running Config file.

    CDP Name Filters devices by the CDP name assigned to the device.
    Cloud Instance Name Filters devices by the cloud instance name assigned to the device.
    Custom Name Filters devices by the custom name assigned to the device.
    DHCP Name Filters devices by the DHCP name assigned to the device.
    DNS Name Filters devices by any DNS name assigned to the device.
    NetBIOS Name Filters devices by the NetBIOS name assigned to the device.
  9. Select one of the following operators from the drop-down list; the operators available are based on the selected category:
    Option Description
    = Filters devices that are an exact match of the search field for the selected category.
    Filters devices that do not exactly match the search field.
    Filters devices that include the value of the search field for the selected category.
    ≈/ Filters devices that exclude the value of the search field for the selected category.
    starts with Filters devices that start with the value of the search field for the selected category.
    exists Filters devices that have a value for the selected category.
    does not exist Filters devices that do not have a value for the selected category.
  10. In the search field, type the string to be matched, or select a value from the drop-down list. The input type is determined by the selected category.
    For example, if you want to find devices based on Name, type the string to be matched in the search field. If you want to find devices based on Role, select from the drop-down list of roles.

    Tip:Depending on the selected category, you can click the Regex icon in the text field to enable matching by regular expression.

  11. (Optional): Click Add Filter to add more filter criteria.
  12. (Optional): Click Add Filter Group to add filter criteria to the results of the original filter.
    For example, if you filter for devices names that start with "acct", you can add a new group of criteria that filters for a certain role or tag within the group of devices that start with "acct".
  13. Click Save.
You can change the criteria by clicking the group you want to modify from the Device Groups page, and then clicking Properties.

Create a static device group

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click Assets and then click Device Groups.
  3. Click Create Device Group.
  4. In the Name field, type a name for the new group.
  5. In the Group Type section, select Static.
  6. (Optional): In the Description field, add information about this device group.
  7. Click Save.
    Your device group is now created. Next, assign devices to your group.
  8. Add devices to your group.
    1. Click Devices in the left pane.
    2. Find a device and then select the checkbox next to the devices you want to add to your group.
    3. At the top of the device table, click Assign to Group.
    4. Select a device group from the Group drop-down list.
    5. Click Add to Group.

Next steps

Remove devices from a group by selecting the checkbox next to the device name and clicking Remove from Group in the upper right corner.

Create a custom device

Collect metrics for a segment of traffic across multiple IP addresses and ports by creating a custom device. Custom devices are useful for monitoring traffic outside of your local broadcast domain, such as branch offices, stores, or clinics.

Here are some important considerations about custom devices:

  • Full system or full write privileges are required to create or delete a custom device.
  • Custom devices only appear in the ExtraHop system after traffic that matches your specified criteria is observed.
  • Avoid creating multiple custom devices for the same IP addresses or ports. Custom devices that are configured with overlapping criteria might degrade system performance.
  • Avoid creating a custom device for a broad range of IP addresses or ports, which might degrade system performance.
  • A single custom device counts as one device towards your licensed capacity for Advanced Analysis and Standard Analysis.
Note:You can also automate this task through the REST API.

The following steps show you how to create a custom device:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Custom Devices.
  3. Click Create Custom Device.
  4. In the Name field, type a unique name for the custom device.
  5. In the Discovery ID field, type a unique identifier.
    If this field is left blank, a Discovery ID is generated from the custom device name. The Discovery ID cannot contain spaces and cannot be changed after the custom device is saved.
  6. (Optional): Click the Custom Device Enabled checkbox to specify whether the custom device is enabled or disabled.
  7. (Optional): In the Description field, add information about the custom device.
  8. (Command appliance only) From the Appliance drop-down list, select the Discover appliance that you want to associate with the custom device.
  9. Click Add Criteria to specify the IP addresses, port ranges, and VLAN ranges that you want to collect metrics for.
    You can provide a combination of criteria to collect metrics across multiple devices or for a single device. You do not need to complete each field.
    • In the IP Address field, type an IP address or a CIDR notation.
    • In the Destination Port Range fields, type a minimum and a maximum destination port number.
    • In the Source Port Range fields, type a minimum and a maximum source port number.
    • In the VLAN Range fields, type a minimum and a maximum VLAN ID.
  10. (Optional): Click Add Criteria to configure an additional IP address, port range, or VLAN range.
  11. Click Save Changes.
    Tip:Click Save All Changes to save all custom devices that have unsaved configuration changes.

Delete or disable a custom device

Custom devices are manually created on an ExtraHop system to collect metrics for traffic observed across multiple IP addresses and ports. If a large number of custom devices is affecting your system performance, you can delete or disable a custom device.

Before you begin

Full system or full write privileges are required to create or delete a custom device.
When you delete or disable a custom device, the device becomes inactive, which means that the system stops collecting metrics for that device. The unique Discovery ID for the custom device always remains in the system.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Custom Devices.
  3. (Optional): From the filter text box, search for the custom device.
    The filter text box supports substring matching by custom device name, description, status, appliance, and Discovery ID.
  4. From the table, select the custom device that you want, and then complete one of the following steps:
    • From the configuration options, clear the Custom Device Enabled checkbox. The selected device becomes inactive and is removed from the full analysis device count. You can still access custom device data from previous time intervals until the datastore becomes full.
    • From the top of the page, click Delete Device, and then click Delete Custom Device from the confirmation window. The selected custom device is permanently removed from the ExtraHop system and cannot be restored.

Specify the locality for IP addresses

By adding a CIDR block to the Network Localities page, you can classify traffic from these IP addresses as internal or external to your network.

Here are some important considerations:

  • You must have full-write privileges to change the locality of IP addresses.
  • You must enter a unique range of IP addresses.
  • On Reveal(x) 360 systems, configure network localities on the Command Console only. For all other ExtraHop systems, you must configure network localities on each sensor, and on any connected Command Console.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Network Localities.
  3. Click Add a CIDR Block.
  4. In the Network field, type a single IP address or CIDR block.
  5. Select Internal or External, based on which classification you want to apply to the CIDR block.
  6. (Optional): In the Description field, type information about why you are configuring the locality of this CIDR block.
  7. Click Save.
  8. To add more entries, click Add CIDR.

Next steps

Verify that the ExtraHop system no longer classifies an IP address as an external or internal by completing the following steps:
  1. Click Assets at the top of the page. The Devices page appears, which lists all the protocols with traffic in the selected time interval.
  2. From Devices by Protocol Activity, click the device count for TCP. A protocol page appears that displays metrics for every device on your network with TCP activity.
  3. In the TCP Connections section, look for changes in the number of External Accepted and External Connected metrics. For example, if you classified a large CIDR block for a remote office as Internal, then the number of external connections should be lower.

Filter IP addresses by locality

You can filter detail metric data by internal or external IP addresses.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Drill down on a metric from a dashboard or protocol page by client, server, or IP address.
    A detail metric page appears that displays metric data listed by IP address.
  3. In the trifield filter, click Any Field and then click Network Locality, as shown in the following figure.


  4. Click All Locations and then select Internal or External.
  5. Click Add Filter.
Detail metric data for internal or external devices is displayed.

Analysis priorities

The ExtraHop system analyzes traffic and collects data from all discovered devices on a single sensor. Each discovered device receives one of four analysis levels that determine what data and metrics are collected for a device. Analysis priorities determine which analysis level a device receives.

Important:Analysis priorities can be centrally managed from a Command Console for multiple sites. Learn how to manage analysis priorities from a Command Console.

Prioritizing devices and groups

The ExtraHop system can analyze hundreds of thousands of devices and automatically determine which analysis level each device receives, but you can control which devices are prioritized for Advanced and Standard Analysis.

Most devices can be added to a watchlist to ensure Advanced Analysis or you can add device groups to an ordered list to prioritize them for Advanced Analysis and Standard Analysis.

Here are some important considerations about prioritizing devices through the watchlist:

  • Devices remain on the watchlist even when they are inactive, but metrics are not collected for inactive devices.
  • The number of devices in the watchlist cannot exceed your Advanced Analysis capacity.
  • Devices can only be added to the watchlist from a device properties page or the device list page. You cannot add devices to the watchlist from the Analysis Priorities page.
  • If you want to add several devices to the watchlist, we recommend that you create a device group and then prioritize that group for Advanced Analysis.
  • Devices receiving L2 Parent Analysis cannot be added to the watchlist.

Here are some important considerations about prioritizing devices groups:

  • Order device groups from the highest to lowest priority in the list.
  • Click-and-drag groups to change their order in the list.
  • Make sure that each device in the group is active; groups that contain a large number of devices take up capacity and inactive devices do not generate metrics.

By default, the ExtraHop system automatically fills Advanced and Standard Analysis levels to maximum capacity. Here are some important considerations about capacity levels and the automatic fill option:

  • Devices prioritized in the watchlist or through a prioritized group fill the higher analysis levels first, and then by the earliest-discovered devices.
  • Devices are prioritized for Advanced Analysis if the device is a recent victim of certain detections.
  • Device properties such as the role, hardware and software, protocol activity, detection history, and device criticality can also determine analysis levels.
  • The Automatically Fill option is enabled by default. If disabled, all devices that are not in prioritized groups or in the watchlist are removed and the ExtraHop system sets the priority for each device.
  • Your ExtraHop platform and license determine maximum capacity levels.

See the Analysis Priorities FAQ to learn about analysis level capacities.

Compare analysis levels

Analysis Level Features How to Receive this Level
Discovery Mode
  • Detections
  • Observed protocols
  • IP addresses
  • Authenticated users
  • Software
  • Hardware make and model
Devices automatically receive Discovery Mode if not in Standard, Advanced, or L2 Parent Analysis.
Standard Analysis
  • L2-L3 metrics
  • Activity maps
  • Detections
  • Observed protocols
  • IP addresses
  • Authenticated users
  • Software
  • Hardware make and model
Prioritize device groups for Standard Analysis.
Advanced Analysis
  • L2-L7 metrics
  • Custom metrics
  • Activity maps
  • Detections
  • Observed protocols
  • IP addresses
  • Authenticated users
  • Software
  • Hardware make and model
Prioritize device groups for Advanced Analysis or add individual devices to the watchlist.
L2 Parent Analysis

(Only applicable if L3 Discovery is enabled)

  • L2-L3 metrics
  • Activity maps
L2 parent devices automatically receive L2 Parent Analysis, except for gateways and routers.

Transfer management of analysis priorities for a Discover appliance

By default, the Discover appliance manages its own analysis priorities, which determine which devices receive Advanced Analysis or Standard Analysis. If your Discover appliance is connected to a Command appliance, you can transfer priority management to that Command appliance. Then, instead of configuring rules on each Discover appliance, you can manage all of your analysis priorities from one Command appliance.

Here are some important considerations about transferring management:

  • You must have full write privileges to edit analysis priorities.
  • After transferring management to a Command appliance, any changes you make on the Discover appliance will be inactive.

The following steps show you how to transfer priority management:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Analysis Priorities.
  3. At the top of the page, click the Appliance drop-down list and select appliance that you want to transfer management to.
  4. Click Transfer.
Tip:To avoid analysis disruptions when transferring management to a Command appliance, first draft analysis priorities for your Discover appliance on the Command appliance and then save those settings. These inactive settings will not be synced to the Discover appliance until you transfer management to the Command appliance.

Prioritize groups for Advanced Analysis

The ExtraHop system classifies every device it discovers on your network. Your platform license specifies how much of your total analysis capacity is available for endpoints and critical assets to receive Advanced Analysis. On the Analysis Priorities page, you can target specific device groups for Advanced Analysis as needed, based on their importance to your network. Groups are ranked in an ordered list, so you can let the ExtraHop system know which devices are the most important to you.

Here are some important considerations about analysis priorities for Advanced Analysis:

  • Devices on the watchlist are guaranteed Advanced Analysis. If you have devices on the watchlist and prioritized groups, the devices on the watchlist receive Advanced Analysis first.
  • Devices within a device group that are inactive do not affect Advanced Analysis capacity.
  • Custom metrics are only available in Advanced Analysis. If you want to see custom metrics for a specific device, prioritize a group containing the device or add the device to the watchlist.
  • You must have full write privileges to edit analysis priorities.

The following steps show you how to prioritize groups with critical assets, such as HTTP servers and DNS servers, for Advanced Analysis:

Note:You can manage these settings centrally from a Command appliance.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Analysis Priorities.
  3. If you are managing analysis priorities from a Command appliance, find the Discover appliance with the critical assets you want to prioritize in the Manage Priorities from this Command Appliance section, and then click Edit Priorities in the row that contains the Discover appliance.
  4. Prioritize groups by completing the following steps:
    1. In the For Advanced Analysis section, click adding a group to add the initial group or Add Group to add additional groups.




    2. In the Group drop-down list, type the name of a device group and then click the group name from the search results. For example, type HTTP servers and select the HTTP Servers device group.
    3. (Optional): In the Note field, type information about the group such as why this group is a priority for Advanced Analysis.
  5. In the Automatically Fill section, make sure On is selected.
    Note:If your system is having performance issues, then click Off. This selection will remove devices and make sure that only devices in prioritized groups or on the watchlist receive Advanced Analysis.
  6. At the top of the page, click Save.

Next steps

Here are some additional ways to manage and refine groups receiving Advanced Analysis:

  • If you add multiple groups, the groups are prioritized from top to bottom. Click the upper left icon next to Group, and then drag the group to another position in the ordered list.

  • Click the check icon to collapse the group. Click the pencil icon to expand the group again, as shown in the following figure.

  • Click the go to icon next to a group name to navigate to the device group page. The device group page displays which devices and how many devices are in the group. The icon is only available when the group is collapsed.
  • Click the x icon to remove a group from the list, as shown in the following figure.

Prioritize groups for Standard Analysis

The ExtraHop system classifies every device it discovers on your network. Your platform determines the total analysis capacity, which is the number of devices, or endpoints, that can receive Standard Analysis. On the Analysis Priorities page, you can target specific device groups for Standard Analysis as needed, based on their importance to your network. Groups are ranked in an ordered list, so you can let the ExtraHop system know which devices are the most important to you.

Here are some important considerations about Standard Analysis:

  • If there is still room in Advanced Analysis, devices in the top-most groups in the Standard Analysis section will receive Advanced Analysis.
  • You must have full write privileges to edit analysis priorities.

The following steps show you how to prioritize devices, such as HTTP servers and DNS servers, for Standard Analysis:

Note:You can manage these settings centrally from a Command appliance.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Analysis Priorities.
  3. If you are managing analysis priorities from a Command appliance, find the Discover appliance with the devices you want to prioritize in the Manage Priorities from this Command Appliance section, and then click Edit Properties in the row that contains the Discover appliance.
  4. Prioritize groups by completing the following steps:
    1. In the For Standard Analysis section, click adding a group to add the initial group or Add Group to add additional groups.




    2. In the Group drop-down list, type the name of a device group and then click the group name from the search results. For example, type HTTP servers and select the HTTP Servers device group.
    3. (Optional): In the Note field, type information about the group such as why this group is a priority for Standard Analysis.
  5. In the Automatically Fill section, make sure On is selected.
    Note:If your system is having performance issues, then click Off. This selection will remove devices and make sure that only devices in prioritized groups receive Standard Analysis.
  6. At the top of the page, click Save.

Next steps

Here are some additional ways to manage and refine groups receiving Standard Analysis:

  • If you add multiple groups, the groups are prioritized from top to bottom. Click the upper left icon next to Group, and then drag the group to another position in the ordered list.

  • Click the check icon to collapse the group. Click the pencil icon to expand the group again, as shown in the following figure.
  • Click the go to icon next to a group name to navigate to the device group page. The device group page displays which devices and how many devices are in the group. The icon is only available when the group is collapsed.
  • Click the x icon to remove a group from the list, as shown in the following figure.

Add a device to the watchlist

To guarantee that an asset, such as an important server, database, or laptop, receives Advanced Analysis, you can add that device to the watchlist.

Tip:Instead of adding several devices to the watchlist, create a device group and then prioritize that group for Advanced Analysis.

Here are important considerations about the watchlist:

  • The watchlist only applies to Advanced Analysis.
  • The watchlist can contain as many devices as allowed by the Advanced Analysis capacity, which is determined by your license.
  • A device stays on the watchlist whether it is inactive or active. A device has to be active for the ExtraHop system to collect Advanced Analysis metrics.
  • You can add a custom device to the watchlist. You cannot add an L2 parent device to the watchlist, unless the device is a gateway or router.

The following steps show you how to add a device to the watchlist from device properties:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click Assets at the top of the page and then click Devices in the left pane.
  3. Search for the device you want and then click the device name. The Overview page appears, which displays traffic and protocol metrics associated with the device.
  4. Click Edit Properties.
  5. Click Add this device to the watchlist.
  6. Click Done.
Your device is now on the watchlist. Visit the Watchlist page to remove a device from the watchlist .
Note:

You can also add multiple devices to the watchlist from the Device list page. Click the checkbox next to one or more devices and then click the Add to Watchlist icon in the upper right corner.

Remove a device from the watchlist

You can remove a device from the watchlist if it no longer requires Advanced Analysis.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Analysis Priorities.
  3. If you are managing analysis priorities from a Command appliance, find the Discover appliance with the critical assets that you want to remove from the watchlist in the Manage Priorities from this Command Appliance section. Click Edit Properties in the row that contains the Discover appliance.
  4. At the top of page in the Advanced Analysis Watchlist section, click View the Watchlist. The Watchlist page appears displaying all the devices on the watchlist.
  5. To remove devices from the watchlist, complete the following steps:
    1. Select the checkbox next to the device name.
    2. Click Remove Devices.
  6. Click Save.
Note:It is possible to add devices to a blocklist, based on their unique MAC addresses, by modifying the running configuration file on the Discover appliance. Contact your ExtraHop administrator to add devices to a blocklist.

Activity maps

An activity map is a dynamic visual representation of the L4-L7 protocol activity between devices in your network. You can see a 2D or 3D layout of device connections in real-time to learn about the traffic flow and relationships between devices.

Activity maps can help you with the following use cases:

Complete a data center or cloud migration
As part of your migration strategy, you must determine which services can be turned off and when. An activity map helps you identify which devices are still connected so you can prevent unexpected service disruptions during the migration process. For more information, see the Plan and monitor your migration with activity maps walkthrough.
Identify the root cause behind a slow application
Applications often depend on multiple tiers of services within a network. An activity map can help you identify the delivery chain of traffic to your slow application server. Click a device to investigate related metrics, which can shed more light onto the root cause of the slow-down.
Track suspicious devices or unexpected connections
During a security event, an activity map can help you identify affected devices by tracking the real-time east-west traffic associated with a suspicious device. As part of a daily security monitoring strategy, you can create an activity map to confirm that devices are not making unexpected connections with other devices.

Here are some important considerations about activity maps:

  • You can create activity maps for devices in Advanced, Standard, and L2 Parent Analysis. You cannot create an activity map for devices in Discovery Mode. For more information, see Analysis priorities.
  • If you create an activity map for a device or device group that has no protocol activity during the selected time interval, the map appears without any data. Change the time interval or your origin selection and try again.
  • You can create an activity map in a Command Console to view device connections across all of your sensors. However, connected sensors must be upgraded to firmware version 7.0 or later.
  • You can save and share an activity map , granting view or edit access to other system users or groups. You can also load a saved activity map to modify map properties.

For more information about activity maps, see the Activity Maps FAQ.

After creating an activity map, you can start investigating data. The following sections provide details about how to interact with an activity map and find information about the data you are viewing.

Layout

Devices are represented by circles and connections are represented by lines.

The placement of devices is optimized to display information. The layout can change as data about device activity is updated in real-time. For example, the layout is updated as new connections are observed or devices become inactive.

Note:When the time interval in the upper left corner of the page is set to Last 30 minutes, Last 6 hours, or Last day, activity map data continually updates every minute with real-time data. Set a custom time interval with a specific start and end time to stop real-time layout updates.
2D or 3D layout

By default, activity maps are displayed in a 2D layout, but you can click 3D to change the display to a rotating 3D model. For example, you might want to showcase 3D maps on a large screen in a network or security operations center.



Reposition, rotate, and zoom

Zoom in and out of a map with controls located in the bottom right corner of the page or zoom with your mouse wheel. Click-and-drag your mouse to reposition a 2D map or rotate a 3D map.

Hold focus

Click any device and select Hold Focus. You can then reposition or rotate, depending on your layout, and zoom in and out of the map while focusing on the selected device and its immediate peers.



View device list

Click Devices in Activity Map at the bottom of the page to view a list of all devices, their names, IP addresses, and MAC addresses. Click a device name to navigate to the device page.

Labels and icons

Circle labels contain details such as the device hostname, IP address, or MAC address.

Line labels contain protocol names associated with the device connection and the direction of traffic flowing between the devices, which is displayed as animated pulses. Specific device roles are represented by an icon.

To optimize the display of information, not every label is displayed. Hover over any circle or line to display its label, as shown in the following figure.



Note:Device roles are automatically assigned to a device based on the type of traffic the ExtraHop system observes for that device. For more information, see Change a device role.

Circle and line size

The size of objects in the map corresponds with a metric value, which helps to highlight areas of increased activity, such as the number of bytes, or traffic volume, associated with a device connection.

At the bottom of the left pane, you can select a different metric for map elements:

Bytes: See all of the devices transmitting or receiving data during the time interval.

Connections: See only the devices that have established a new connection at least once during the time interval.

TCP Turns: See only the devices that switched between transmitting and receiving data at least once during the time interval.

Color

Blue and gray are default colors for circles and lines. These default colors are optimized to display information in a map. However, you can apply different colors to your map to highlight the severity level of an alert or show when a device connection was established.

Detections

Detections associated with a device on the map appear around the circle as animated pulses, known as detection markers. The color of the pulse is red if the device is the offender and teal if the device is the victim of the detection. The participant status also appears on the device label.

Note:Machine learning detections require a connection to ExtraHop Cloud Services.

Click a circle with a detection marker to view and navigate to associated detections or the device Overview page. Risk scores appear on Reveal(x) systems only.

If detection markers do not appear on your activity maps as expected, detection markers might be disabled. You can enable or disable detection markers from the User menu.

Alert status

To see the severity level of an alert for a device in your map, select Display alert status in the lower left corner or the page, as shown in the following figure. The circle color then corresponds to the most severe status for all alerts assigned to a device during the time interval. If there is no alert assigned to a device or the alert level is informational, the default circle color is green.

To investigate the alert, click the circle and then select the device name in the Go to Device… section. On the device's protocol page, scroll down to view the Alerts page.



Time interval comparison
When you compare two time intervals to find metric deltas, different colors in the map help you determine when device connections were established or when the protocol activity for a device changed. For example, after creating a comparison between Yesterday and the Last 30 minutes, new device connections or activity that only appear in the more recent time interval appear green. Previous device connections or activity that only appear in the earlier time interval are red. Devices connections that did not change between time intervals are blue. In the following figure, new connections that were established in the last thirty minutes are represented by green circles and lines.

Note: If all the devices are a single color, such as green, this means that the query did not produce results in the earlier time interval. For example, the origin device did not have any protocol activity in the earlier time interval.

Add steps and filters to a map

A step is a level of connections between devices. Devices in each step have a relationship to devices in previous step. These relationship are defined by their protocol activity.

Add a new step to an activity map to add another layer of information to your map. Click the drop-down list for a particular step, and then select a protocol activity.



You can also filter devices in a step by their group membership. For example, if you select HTTP Servers but only want to see your test servers in the map, you can filter HTTP Servers by a device group, such as My Test Servers.

For more information on how to add steps and filters to a map, see Create an activity map.

Manage activity maps

The following options for managing your activity map are available from the command menu in the upper right corner:

Best practices for investigating activity map data

If you find a device on your map that is worth investigating, you have several options to gather more information about that device.

Find recently-connected devices

Click the time interval in the top left corner of the page and click Compare. You can see how device connections changed between two different time intervals.

For more information, see Time interval comparison.

Navigate to protocol pages to find related metric activity

Click a circle or line to access a drop-down menu as shown in the following figure.



Select the device name from the menu to navigate to the Overview protocol page for that device. The protocol page contains a summary of important protocol metrics that were observed and associated with the device. From a protocol page, you can find related metrics such as errors, requests, responses, and server processing time. You can also drill down on a metric from a protocol page to view metric details, such as server IP address, client IP address, status codes, methods, and URIs.

Navigate to detections identified on the device
Devices on an activity map that have associated detections are displayed as animated pulses around the circle label. Click a circle with this detection marker to access a drop-down menu, as shown in the following figure.
Note:For ExtraHop Reveal(x) only, the risk score of each detection is displayed to help you prioritize which detections to investigate.

Select a detection name from the menu to navigate to the detail page for that detection. The detail page contains information about the type of detection that occurred and what it means, as well as when the detection occurred and the duration of the issue. For more information, see Detection detail page.

Search for transaction records associated with a connection (Requires an Explore appliance or other supported recordstore)
Click a circle or line to access the drop-down menu. Click Records. A records query page opens and displays all the records from each connected device, including all record types associated with the device connection protocols.

Create an activity map

An activity map is an interactive 2D or 3D display of real-time device connections based on protocol activity between devices. Activity maps help you visualize traffic flows and kick off troubleshooting based on an interesting data point in a map.

You can create an activity map for an active single device or a device group. After generating a basic map, you can then filter devices and connections in your map.

Note:You can create activity maps for devices in Advanced, Standard, and L2 Parent Analysis. You cannot create an activity map for devices in Discovery Mode. For more information, see Analysis priorities.

Create a basic activity map

A basic activity map shows you a single step, or level, of device connections between origin devices and peer devices on your network.

Note:You can only create activity maps for devices in Standard Analysis and Advanced Analysis.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Assets.
  3. Complete one of the following steps based on the origin type of the activity map:
    Option Description
    For a device Click Devices in the left pane and then click an individual device name.
    For a device group Click Device Groups in the left pane and then click a device group name.
    For a device group by protocol activity Click Activity in the left pane and then click the group of clients, servers, or devices for the protocol you want.
  4. Click one of the following links to create the activity map:
    Option Description
    For a device Click Peer devices, located at the top of the page.
    For a device group Click Activity Map, located near the upper right corner of the page.
    Note:If the device or device group has no protocol activity during the specified time interval, the activity map appears without any data. Change the time interval or your origin selection and try again.
  5. From the activity map, filter connections by protocol activity by completing the following steps:
    1. Click the drop-down list in the Step 1 section of the left pane, as shown in the following figure.


    2. At the top of the drop-down list, search for and select a protocol activity and role. You can make more than one selection.
    3. Click anywhere outside of the drop-down list.
  6. (Optional): Change the primary origin device by completing the following steps:
    1. In the Start from section in the left pane, click the device or group name. A drop-down list appears.


    2. Search for and select another device or group to dynamically update the map origin for the map you are viewing.
  7. (Optional): Create an ad hoc group of sources to quickly investigate traffic originating from multiple devices in the same map. Click Add Source.


Add connections and filter devices in your map

To better understand the path of traffic from origin devices to downstream devices, you can add more steps to your map. You can also create filters to include or exclude devices from the map. The following figure shows you how to add steps and create filters.

Add another level of device connections

A step defines a level of connection between devices in a map. Devices in each step have a relationship to the devices in the previous step. These relationships are defined by their protocol activity. You can add up to 5 steps to see how traffic flows from one device to another.

  1. Click Add Step, as shown in the following figure. All Peers is selected by default.


  2. At the top of the drop-down list, search for and select a protocol activity and role. You can make more than one selection.


  3. Click anywhere outside of the drop-down list.
Include or exclude devices

You can filter devices within a step by their device group membership.

  1. Click Add Group Filter.


  2. Click a drop-down list to search for and select a device group.
  3. Click anywhere outside of the filter menu to apply your filters.
  4. To remove or change a filter, complete the following steps:
    1. Click the device group name.


    2. Change the filter by clicking the drop-down list and then selecting another device group.
    3. Remove the filter by clicking the x icon, as shown in the following figure.


    4. Click anywhere outside of the filter menu to apply your filter updates.

Save and share an activity map

You can save an activity map and share it with others. By default, all activity maps that you create are private, which means that no ExtraHop users can view or edit your map. However, you can share your map when you save it by granting view or edit access to other ExtraHop users and groups.

Here are some important considerations about sharing activity maps:

  • How a user interacts with an activity map and the information they can view in the ExtraHop system is determined by user privileges, which are assigned by the ExtraHop administrator. For more information, see the User privileges section in the ExtraHop Admin UI Guide.
  • When you grant a user edit access, that user can modify and share the activity map with others. However, other users cannot delete the activity map. Only the map owner can delete an activity map.
  • Group information is imported into the ExtraHop system from LDAP (such as OpenLDAP or Active Directory). User information is available after an ExtraHop user logs in to their account.
  • If you are deleting a user, you will have the option to transfer their activity maps to another user.

The following steps show you how to save and share an activity map:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Create an activity map.
  3. Click the Save icon in the upper right corner of the page.
  4. Type a name for your map. The name must be unique.
  5. (Optional): Type a description.
  6. (Optional): Change the permalink shortcode to a user-friendly name.
    For example, you can configure a map to display alert statuses and append "/alerts" to the shortcode to let users know that the saved map displays alerts by default.
    Note:The shortcode cannot contain spaces and the shortcode must be unique.
  7. Share your activity map by completing the following steps:
    1. Type a username or group.
    2. Make one of the following selections:
      Type of Access Selection
      ExtraHop users can view Select Can view and then click Add.
      ExtraHop users can both view and edit Click Can view and then click Can edit. Click Add.
  8. Click Save.
    Tip:You can also modify the properties for a saved map by clicking the command menu and then clicking Map Properties. To quickly modify share permissions, click the command menu and then click Share.

Next steps

Remove or change access to an activity map

You can remove or modify access to an activity map that you granted to users and groups. You must first create an activity map to access options to modify saved activity maps.

  1. Create an activity map, and then click the Open icon in the upper right corner of the page.
  2. Click the activity map name.
  3. In the Sharing section, complete one of the following steps:
    • To remove access for users or groups, click the red delete x icon next to the user or group name.
    • To change access for an existing user or group, click Can view or Can edit, and make a different selection.
    • To add a new user or group, search for and click the user name. Click Can view or Can edit, and then click Add.
  4. Click Save.

Load and manage a saved activity map

You can view, update, or delete saved activity maps. First, you must first create a new map to access a list of saved and shared maps.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Create an activity map, and then click the Open icon in the upper right corner of the page.
  3. Choose one of the following activity map options:
    • To load a map, click the map name. If you want to modify and then re-save the map, make your changes and then click the Save icon.
      Tip:You can also modify the properties for a saved map by clicking the command menu and then clicking Map Properties.
    • To delete a map, click Delete next to the map name.
    Note:Users must have privileges to view or interact with activity maps. See User privileges in the ExtraHop Admin UI Guide.

Detections

The ExtraHop system applies machine learning techniques and rule-based monitoring to your wire data to identify unusual behaviors and potential risks to the security and performance of your network.

Before you begin

Users must be granted privileges to view detections.

When anomalous behavior is identified, the ExtraHop system generates a detection and displays the available data and investigative options. Controls on the Detections page help you group, filter, and sort your view of detections, so you can quickly triage issues with critical systems first and begin investigating potential security risks.

Detections can help you defend your network in the following ways:
  • Collect high-quality, actionable data to find the root causes behind network issues.
  • Find unknown issues with performance, security, or infrastructure.
  • Identify malicious behavior that is associated with different attack categories or MITRE techniques.
  • Connect related detections to track prolonged attack campaigns.
  • Flag suspicious IP addresses, hostnames, and URIs identified by threat intelligence.
Important:Although detections can inform you about security risks and performance issues, detections do not replace decision-making or expertise about your network. Always investigate security and performance detections to determine the root cause of unusual behavior and when to take action.

Detection cards appear in a sortable list that can be further grouped and filtered by multiple criteria on the main Detections page. Click any detection card to navigate to the detection detail page.

Detection cards

Each detection card identifies the cause of the detection, the detection category, when the detection occurred, and the victim and offender participants. Security detections include a risk score.

Risk score
Measures the likelihood, complexity, and business impact of a security detection. This score provides an estimate based on factors about the frequency and availability of certain attack vectors against the necessary skill levels of a potential hacker and the consequences of a successful attack. The icon is color coded by severity as red (80-99), orange (31-79), or yellow (1-30).
Participants
Identifies each participant (offender and victim) involved in the detection by hostname or IP address. Hover over a participant to view basic details and access links. Internal endpoints display a link to the device overview page; external endpoints display the geolocation of the IP address and links to the ARIN Whois website and IP address detail page.

When grouping the Detection page by Types, a participant summary appears under the detection type that breaks down detections by offender and victim and enables you to quickly apply participant filters.

When grouping the Detection page by Sources, internal device role icons are highlighted red if the device was an offender in a detection and teal if the device was a victim. You can click Details under the source name to view a summary of detections where that source was a participant. These device details are displayed next to the detection card on wide screens (1900 pixels or greater).

Duration
Identifies how long the unusual behavior was detected or displays ONGOING if the behavior is currently occurring. The minimum duration of a detection is 30 seconds.
Metric data
Identifies additional metric data when the unusual behavior is associated with a specific metric or key. If metric data is unavailable for the detection, the type of anomalous protocol activity appears.

You can hide or acknowledge the detection or click Investigate This Detection to navigate to the detection detail page.

Detection detail page

Most of the data that you need to understand, validate, and investigate a detection appears on the detection detail page: tables of relevant metric data, record transactions, and links to raw packets.

The detection card information is followed by all available sections for the detection. These sections vary depending on the type of the detection.

Related detections
Provides a timeline of detections related to the current detection that can help you identify a larger attack campaign. Related detections include the participant role, duration, timestamp, and any role changes if the offender in one detection becomes the victim in a different detection. Click any related detection in the timeline to view the details page for that detection.

Activity map

Provides an activity map that highlights the participants involved in the detection. The activity map displays east-west traffic of the protocol associated with the detection to help you investigate the scope of malicious activity. Click the victim or offender to access a drop-down menu with links to the device overview page and other detections where the device is a participant.



Compare behaviors

Provides a chart that displays the activity of the offender next to the activity of similar devices over the time period when the detection occurred. The chart appears for detections related to unconventional activity by a device, and highlights unexpected behavior by displaying it next to the behavior of devices on the network with similar properties.



Investigative data and links
Provides all available data about the detection, such as metrics from the targeted servers and clients and their record transactions. Click the icon to view the raw packets associated with the detection.
Detection details
Provides an expanded description of the detection, such as associated MITRE techniques, risk factors, attack backgrounds and diagrams, mitigation options, and reference links to security organizations such as MITRE.

These details are displayed next to the detection card on wide screens (1900 pixels or greater), or you can access them by clicking Details under the detection title when grouping the Detection page by Types.



Tip:You can share detection detail pages with other ExtraHop users.

Grouping, filtering, and sorting detections

By default, detections are grouped by Types and sorted by risk on the Detections page. There are three types of controls at the top of the page that modify your page view: groups, filters, and sort.

Grouping detections

You can group detections to organize the page by Types of detection (such as Spike in SSH Sessions), by detection Sources (offender or victim hostname or IP address), by MITRE Techniques (a common attack classification framework), or show All detections for the current time interval.



When grouping by Techniques, you see attack techniques organized in a matrix according to the MITRE ATT&CK® Matrix for Enterprise. Each tile in the matrix represents a MITRE technique. If a tile is highlighted, that means that a detection associated with that technique occurred during the selected time interval. Click on any tile to see detections that match that technique.

Timeline
When you group by All on the Detections page, a timeline chart displays the total number of detections identified within the selected time interval. Each horizontal bar in the chart represents the duration of a single detection and is color-coded according to the risk score.
  • Click and drag to highlight an area on the chart to zoom in on a specific time range. Detections are listed for the new time interval.
  • Hover over a bar to view the detection title.
  • Click a bar to navigate directly to the detection detail page.
Security
Most network attacks tend to follow familiar patterns or phases. All security detections are assigned an attack category that corresponds with one of these phases.

When you group by All on the Detections page, a flow chart displays the number of detections that are associated with each attack category. Categories are assembled into an attack chain that characterizes the progression of steps an attacker takes to ultimately achieve their objective, such as stealing sensitive data.

Filtering detections

You can filter the Detections page to display only the detections that match your specified criteria. For example, you might only be interested in exfiltration detections that occur over HTTP, or detections associated with participants that are critical servers.

Attack

Show only detections that are associated with an attack category. Combine this filter with the Category filter to only show detections from a specific attack category.

Operations

Show only detections that are associated with network, application, and infrastructure problems. Combine this filter with the Category filter to show only detections within a specific performance or IT operations category.

Any

Shows detections from both Attack and Operations filters.

Category

Attack and Operations detections have categories that can further refine your view of the Detections page.

Attack detections include the following categories that match phases of the attack chain.

Command & Control
An external server that has established and maintained connection to a compromised device on your network. C&C servers can send malware, commands, and payloads to support the attack. These detections identify when an internal device is communicating with a remote system that appears to be acting as a C&C server.
Reconnaissance
An attacker is seeking high-value targets and weaknesses to exploit. These detections identify scans and enumeration techniques.
Note:Detections might identify a known vulnerability scanner such as Nessus and Qualys. Click the device name to confirm if the device is already assigned a Vulnerability Scanner role in the ExtraHop system. To learn how to hide detections related to these devices, see Create a detection rule.
Exploitation
An attacker is taking advantage of a known vulnerability on your network to actively exploit your assets. These detections identify unusual and suspicious behaviors associated with exploitation techniques.
Lateral Movement
An attacker has infiltrated your network and is moving from device to device in search of higher-value targets. These detections identify unusual device behavior associated with east-west corridor data transfers and connections.
Actions on Objective
The attacker is close to achieving their objective, which can vary from stealing sensitive data to encrypting files to ransom. These detections identify when an attacker is close to completing a campaign objective.

Operation detections include the following categories.

Caution
Highlight security policies and standards that should be enforced to mitigate risk. These detections identify areas of risk on your network that might require attention, such as expiring certificates or software that should be patched.
Authentication & Access Control
Highlight unsuccessful attempts by users, clients, and servers to log in or access resources. These detections identify potential WiFi issues over authentication, authorization, and audit (AAA) protocols, excessive LDAP errors, or uncover resource-constrained devices.
Database
Highlight access problems for applications or users based on analysis of database protocols. These detections identify database issues, such as database servers that are sending an excessive number of response errors that might cause slow or failed transactions.
Desktop & App Virtualization
Highlight long load times or poor quality sessions for end users. These detections identify application issues, such as an excessive number of Zero Windows, which indicates that a Citrix server is overwhelmed.
Network Infrastructure
Highlight unusual events over the TCP, DNS, and DHCP protocols. These detections might show DHCP issues that are preventing clients from obtaining an IP address from the server, or reveal that services were unable to resolve hostnames due to excessive DNS response errors.
Service Degradation

Highlight service issues or performance degradation associated with Voice over IP (VoIP), file transfer, and email communications protocols. These detections might show service degradations where VoIP calls have failed and provide the related SIP status code, or show that unauthorized callers have attempted to make several call requests.

Storage
Highlight problems with user access to specific files and shares found when evaluating network file system traffic. These detections might show that users were prevented from accessing files on Windows servers due to SMB/CIFS issues, or that network-attached storage (NAS) servers could not be reached due to NFS errors.
Web Application
Highlight poor web server performance or issues observed during traffic analysis over the HTTP protocol. These detections might show that internal server issues are causing an excessive number of 500-level errors, preventing users from reaching the applications and services they need.
Technique

Highlight detections that match specific MITRE technique IDs. The MITRE framework is a widely recognized knowledgebase of attacks.

Offender and Victim

The offender and victim endpoints associated with a detection are known as participants. You can filter your detection list to only show detections for a specific participant, such as an offender that is an unknown remote IP address, or a victim that is a critical server.

When grouping the Detection page by Types, the participant summary appears under the detection type. You can click filters in the summary title and select a single participant, or apply multiple participant filters by clicking the plus (+) icon.



Acknowledgement

Show detections that have been acknowledged or that are unacknowledged.

More Filters
You can also filter your detections by the following criteria:

Sorting detections

You can sort detections to organize the grouped and filtered list by either the highest risk score or most recent occurrence. Click the sort icon to the far right to select an option.

Finding detections in the ExtraHop system

While the Detections page provides quick access to all detections, there are indicators and links to detections throughout the ExtraHop system.

  • From the Activity page, click a detections link to go to the Detections page. The detections list is filtered to the associated protocol.
  • From a device Overview page, click Detections to view a list of associated detections. Click the link for an individual detection to view the detection details page.
  • From a device group Overview page, click the Detections link to go to the Detections page. The detections list is filtered to the device group as the source.
  • From a device or device group protocol page, click the Detections link to go to the Detections page. The detections list is filtered to the source and protocol.
  • On an activity map, click a device that displays animated pulses around the circle label to view a list of associated detections. Click the link for an individual detection to view detection details.
  • From a chart on a dashboard or protocol page, hover over a detection marker to display the title of the associated detection or click the marker to view detection details.

Manage detections

You can acknowledge or hide detections directly from any detection card displayed on the main Detections page.

Acknowledge detections

Acknowledgements provide a visual way to identify that a detection has been seen. You can acknowledge a detection to let team members know that you are investigating a ticket or that the issue has been triaged and should be prioritized for follow-up. You can also filter your view of detections to show only unacknowledged detections.

Here are important considerations about acknowledging detections:
  • An acknowledgement does not hide the detection.
  • After a detection is acknowledged, a timestamp and the username of person who acknowledged the detection is displayed.
  • Users must have limited-write or higher privileges to acknowledge a detection or clear an acknowledgement.
  • An acknowledgement can be cleared by any user, even if they are not the user that originally acknowledged the detection.

To acknowledge a detection, complete the following steps:

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Detections.
  3. Click Acknowledge from the lower-left corner of the detection card.
    The detection displays the username and timestamp. Click Reset to clear an acknowledgement.

Hide detections

Hidden detections are removed from throughout the system where detections are displayed. By creating a detection rule, you can hide low-priority detections and increase the discoverability of important detections. For example, you might want to hide a vulnerability scanner detection that is expected, but occurs frequently. Or, you might want to hide detections about expiring certificates because that issue is handled by a different team.

When a rule is enabled, detections that match the specified criteria are hidden from view and also affect the following areas:

  • Triggers and alerts associated with hidden detections do not run while the rule is enabled.
  • Detection markers for hidden detections are not displayed on charts.
  • Hidden detections do not appear on activity maps.
  • Detection counts on related Web UI pages, such as the Device Overview page or the Activity page, do not include hidden detections.

You can view detection rules by clicking Manage Detection Rules from the lower-left corner of the Detections page.

From the Manage Detection Rules table, you can extend the duration of a rule, re-enable a rule, and disable or delete a rule.

After you disable or delete a rule, the rule expires immediately and associated triggers and alerts resume. After you disable a rule, previously hidden detections remain hidden; ongoing detections appear. Deleting a rule displays previously hidden detections.

You can temporarily show hidden detections on the Detections page by selecting the Show Hidden Detections checkbox, without disabling the detection rules. Each hidden detection includes a link to the associated detection rule, and displays the username of the user that created the rule, similar to the following figure:

Create a detection rule

Before you begin

You must have full-write or higher privileges to create and manage detection rules.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Detections.
  3. From a detection card, click Hide.
    A dialog box appears and automatically displays the title, offender, and victim from the selected detection.
  4. From the Offender drop-down list, select one of the following options:
    • An original offender device
    • A device group that contains the original offenders, if available
    • Any device
  5. From the Victim drop-down list, select one of the following device options:
    • An original victim device
    • A device group that contains the original victims, if available
    • Any device
  6. Select the detection type you want to hide:
    • Hide only the specified detection type
    • Hide all detection types
  7. From the Rule Expiration drop-down list, select the duration to hide the detection.
    Select Never to create a rule that never expires.
  8. (Optional): Type a description of the rule.
  9. (Optional): Select the Hide matching past detections checkbox to hide past detections that match the rule criteria.
  10. Click Create.
    The rule is displayed in the Manage Detection Rules table.

Specify custom parameters for detections

By providing information about your network environment, you can help improve the quality and accuracy of rules-based detections, which are authored by ExtraHop. Some rules-based detections rely on custom parameters and these detections are not generated if the custom parameters are left empty.

If your ExtraHop deployment includes a Command appliance, we recommend that you configure these settings on the Command appliance, and then transfer management from connected Discover appliances to the Command appliance.
Note:Parameter fields on this page might be added, deleted, or modified over time by ExtraHop.
Note:You can manage these settings centrally from a Command appliance.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Custom Parameters.
  3. Specify values for any of the following parameters available on the page.
    Option Description
    Gateway Devices By default, gateway devices are ignored by rules-based detections because they can result in redundant or frequent detections.

    Select this option to identify potential issues with gateway devices like your firewalls or routers.

    Inbound Tor Nodes By default, inbound connections from known Tor nodes are ignored by rules-based detections because they can result in low-value detections in environments with minimal Tor traffic.

    Select this option to identify detections on inbound connections from known Tor nodes if your environment observes substantial incoming Tor traffic.

    Outbound Tor Nodes By default, outbound connections to known Tor nodes are ignored by rules-based detections because they can result in low-value detections in environments with minimal Tor traffic.

    Select this option to identify detections on outbound connections to known Tor nodes if your environment observes substantial outgoing Tor traffic.

    Related Records By default, transactions that directly result in a rules-based detection are committed as records that you can investigate. However, transactions related to the detection that might provide context and deeper insight are not committed.

    Select this option to commit records for transactions related to rules-based detections. Note that this can significantly increase the number of records committed.

    Approved Public DNS Servers Specify public DNS servers allowed in your environment that you want rules-based detections to ignore.

    Specify a valid IP address or CIDR block.

    If you do not specify a value for this parameter or for Approved Internal DNS Servers, detections that rely on this parameter might not be generated.

    Approved Internal DNS Servers Specify internal DNS servers allowed in your environment that you want rules-based detections to ignore.

    From the drop-down list, start typing the name of the device, and then select a device from the filtered list.

    If you do not specify a value for this parameter or for Approved Public DNS Servers, detections that rely on this parameter might not be generated.

    Approved External Database Servers Specify external database servers allowed in your environment that you want rules-based detections to ignore.

    Specify a valid IP address or CIDR block.

    If you do not specify a value for this parameter, detections that rely on this parameter might not be generated.

    Allowed HTTP CONNECT Targets Specify URIs that your environment can access through the HTTP CONNECT method.

    URIs must be formatted as <hostname>:<port number>. Wildcards and Regex are not supported.

    If you do not specify a value, detections that rely on this parameter are not generated.

    Approved HTTP Ports Specify non-standard server ports in your environment that you want rules-based detections to ignore when HTTP traffic is observed on these ports.

    Type a single HTTP port number per field.

    If you do not specify a value, detections that rely on this parameter are not generated.

    Approved SSH Ports Specify non-standard server ports in your environment that you want rules-based detections to ignore when SSH traffic is observed on these ports.

    Type a single SSH port number per field.

    If you do not specify a value, detections that rely on this parameter are not generated.

    Approved User Agents Specify HTTP user agents in your environment that you want rules-based detections to ignore.

    Type a single user agent per field.

  4. Click Save.

Next steps

Click Detections from the top navigation menu to view detections.

Investigate security detections

When an interesting detection appears, you should investigate whether the detected behavior points to a low-priority issue or a potential security risk. You can start your investigation directly from the detection card, which provides links to data across the ExtraHop system.

There are a number of tools that can help you filter your view to see the detections that you want to prioritize for investigation. Look for the following trends to get started:
  • Did any detections occur at unusual or unexpected times, such as user-activity on weekends or after hours?
  • Are any detections appearing in large clusters on the timeline?
  • Are there detections appearing for critical assets or high-value endpoints?
  • Are there detections that have high risk scores?
  • Are devices in the detection also participants in other detections?
  • Are indicators of compromise identified from a threat collection associated with the detection?

Start your investigation

Review the detection title and summary to learn what caused the detection.



Refine your investigation

Detection detail cards present related data about the detection. The availability of the data depends on the devices and metrics associated with the detection. After you click a link, you can return to the detection card by clicking the detection name in the navigation path. Each investigation option is described in the sections below.

Review investigative data

Most of the data that you need to understand, validate, and investigate a detection is displayed on the detection detail page: tables of relevant metric data, record transactions, and links to raw packets.

Click a host name to navigate to the device overview, or right-click to create a chart with that device as the source and the relevant metrics.



Device name

Click a device name to navigate to a protocol page, which contains all of the protocol metrics associated with the device. A protocol page gives you a complete picture of what the device was doing at the time of the detection. Click Overview in the left pane to see the role, users, and tags associated with the device.

For example, if you get a reconnaissance scan detection, you can learn if the device associated with the scan is assigned the Vulnerability Scanner role.



Availability
Device name links are only available for devices that have been automatically discovered by the ExtraHop system. Remote devices that are located outside of your network are represented by their IP addresses.
Activity map

Click the Activity Map icon next to a device name to see device connections by protocol during the time of the detection. For example, if you get a lateral movement detection, you can learn if the suspicious device established connections over a remote control protocol with other clients, IT servers, or domain controllers on your network.

Availability
An activity map is available when a single client or server is associated with unusual L7 protocol activity, such as a high number of HTTP errors or DNS request timeouts.
Detail metric drill down

Click a detail metric link to drill down on a metric value. A detail metric page appears, which lists metric values by a key, such as client IP address, server IP address, method, or error. For example, if you get a reconnaissance scan detection, drill down to learn which client IP addresses were associated with the unusually high number of 404 status codes during the detection.



Availability
The drill-down option is available for detections associated with topnset detail metrics.
Sparkline

Click the sparkline to create a chart that includes the source, time interval, and drill-down details from the detection, which you can then add to a dashboard for monitoring. For example, if you get a detection about an unusual number of remote sessions, create a chart with SSH sessions for that server and then add that chart to a dashboard about session management.



Availability
The sparkline option is available for detections that were associated with metrics and had a duration over one-hour. For 1-second metrics, a sparkline is available when the duration was over 30-seconds.

Click a related detections to find insight about suspicious behavior and emerging attacks across multiple detections with shared participants. For example, a victim in the current detection that participates as an offender in a later detection might indicate that the device is compromised. You can view related detection details to determine if the detection events are similar and to see which other devices are involved.

Availability
The related detections timeline is available if there are detections that share the same victim or offender participants with the current detection. Related detections might have occurred before or after the current detection.
Threat Intelligence

Click a red camera icon to access detailed threat intelligence about an indicator of compromise.

Threat intelligence provides known data about suspicious IP addresses, hostnames, and URIs that can help identify risks to your organization. These data sets, called threat collections, are available by default in your Reveal(x) system and from free and commercial sources in the security community.

Availability
Threat intelligence must be enabled on your Reveal(x) Premium and Ultra systems before you can see these indicators.

Investigate performance detections

When an interesting detection appears, you should investigate whether the detected behavior points to a low-priority issue or to a potential problem. You can start your investigation directly from the detection card, which provides links to data across the ExtraHop system.

There are a number of tools that can help you filter your view to see the detections that you want to prioritize for investigation. Look for the following trends to get started:
  • Did any detections occur at unusual or unexpected times, such as user-activity on weekends or after hours?
  • Are any detections appearing in large clusters on the timeline?
  • Are there detections appearing for critical assets or high-value endpoints?
  • Are devices in the detection also participants in other detections?

Start your investigation

Review the detection title and summary to learn what caused the detection.

Refine your investigation

Detection detail cards present related data about the detection. The availability of the data depends on the devices and metrics associated with the detection. After you click a link, you can return to the detection card by clicking the detection name in the navigation path. Each investigation option is described in the sections below.

Review investigative data

Most of the data that you need to understand, validate, and investigate a detection is displayed on the detection detail page: tables of relevant metric data, record transactions, and links to raw packets.

Click a host name to navigate to the device overview, or right-click to create a chart with that device as the source and the relevant metrics.



Device name

Click a device name to navigate to a protocol page, which contains all of the protocol metrics associated with the device. A protocol page gives you a complete picture of what this device was doing at the time of the detection. Click Overview in the left pane to see the role, users, and tags associated with that device.

For example, if you get a detection about database transaction failures, you can learn about other activity associated with the server hosting the database instance.



Availability
Device name links are only available for devices that have been automatically discovered by the ExtraHop system. Remote devices that are located outside of your network are represented by their IP addresses.
Activity map

Click the Activity Map icon next to a device name to see device connections by protocol during the time of the detection. For example, if you get a detection about LDAP authentication errors, you can create an activity map to learn which devices were connected to an LDAP server during the detection.

Availability
An activity map is available when a single client or server is associated with unusual L7 protocol activity, such as a high number of HTTP errors or DNS request timeouts.
Detail metric drill down

Click a detail metric link to drill down on a metric value. A detail metric page appears, which lists metric values by a key, such as client IP address, server IP address, method, or error. For example, if you get an authentication detection about an LDAP server, drill down to learn which client IP addresses submitted the invalid credentials that contributed to the total number of LDAP errors.



Availability
The drill-down option is available for detections associated with topnset detail metrics.
Sparkline

Click the sparkline to create a chart that includes the source, time interval, and drill-down details from the detection, which you can then add to a dashboard for additional monitoring. For example, if you get a detection about web server issues, you can create a chart with the 500 status codes sent by the web server and then add that chart to a dashboard about website performance.



Availability
The sparkline option is available for detections that were associated with metrics.

Click a related detection to find insight about network, application, and infrastructure problems across multiple detections with shared participants. For example, a device identified as an offender is the likely source of an issue, such as a database server sending an excessive number of response errors. A device identified as a victim is usually negatively affected by the issue, such as clients experiencing slow or failed database transactions. You can view related detection details to determine if the detection events are similar, see which other devices are involved, and to view metric data.

Availability
The related detections timeline is available if there are detections that share the same victim or offender participants with the current detection. Related detections might have occurred before or after the current detection.

Share a detection

You can send the URL from a detection detail page to other ExtraHop system users.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Detections.
  3. Find the detection that you want to share, and then click the detection title.
  4. At the top of the browser, copy the entire URL.

Next steps

Configure ticket tracking for detections

Ticket tracking enables you to connect tickets, alarms, or cases in your work-tracking system to ExtraHop detections. Without leaving the ExtraHop Web UI, you can see who is working on a specific detection, as well as the status and outcome of that investigation. Any third-party ticketing system that can accept Open Data Stream (ODS) requests, such as Jira or Salesforce, can be linked to ExtraHop detections.

Before you begin

  • You must have access to an ExtraHop system with a user account that has unlimited privileges.
  • You must be familiar with writing ExtraHop Triggers. See Triggers and the procedures in Build a trigger.
  • You must create an ODS target for your ticket tracking server. See the following topics about configuring ODS targets: HTTP, Kafka, MongoDB, syslog, or raw data.
  • You must be familiar with writing REST API scripts and have a valid API key to complete the procedures below. See Generate an API key.

Enable ticket tracking and specify a URL template

You must enable ticket tracking before REST API scripts can update ticket information on the ExtraHop system. Optionally, specify a URL template that adds an HTML link in the detection card to the ticket in your ticketing system.

  1. Log in to the Administration page on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
  2. In the System Configuration section, click Ticket Tracking.
  3. Select the Enable ticket tracking checkbox.
  4. (Optional): In the URL field, specify the URL template for your ticketing system and add the $ticket_id variable at the appropriate location. For example, type a complete URL such as https://jira.example.com/browse/$ticket_id. The $ticket_id variable is replaced with the ticket ID associated with the detection.

Write a trigger to create and update tickets about detections on your ticketing system

This example shows you how to create a trigger that performs the following actions:

  • Create a new ticket in the ticketing system every time a new detection appears on the ExtraHop system.
  • Assign new tickets to a user named escalations_team in the ticketing system.
  • Run every time a detection is updated on the ExtraHop system.
  • Send detection updates over an HTTP Open Data Stream (ODS) to the ticketing system.

The complete example script is available at the end of this topic.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Triggers.
  3. Click New.
  4. Specify a name and optional description for the trigger.
  5. From the Events list, select DETECTION_UPDATE.
    The DETECTION_UPDATE event runs every time that a detection is created or updated in the ExtraHop system.
  6. In the right pane, specify Detection class parameters in a JavaScript object. These parameters determine the information that is sent to your ticketing system.
    The following example code adds the detection ID, description, title, categories, MITRE techniques and tactics, and risk score to a JavaScript object called payload:
    const summary = "ExtraHop Detection: " + Detection.id + ": " + Detection.title;
    const description = "ExtraHop has detected the following event on your network: " + Detection.description 
    const payload = {
        "fields": {
            "summary": summary,
            "assignee": {
                "name": "escalations_team"
            },
            "reporter": {
                "name": "ExtraHop"
            },
            "priority": {
                "id": Detection.riskScore
            },
            "labels": Detection.categories,
            "mitreCategories": Detection.mitreCategories,
            "description": description
        }
    };
  7. Next, define the HTTP request parameters in a JavaScript object below the previous JavaScript object.
    The following example code defines an HTTP request for the payload described in the previous example: defines a request with a JSON payload:
    const req = {
        'path': '/rest/api/issue',
        'headers': {
            'Content-Type': 'application/json'
        },
        'payload': payload
    };

    For more information about ODS request objects, see Open data stream classes.

  8. Finally, specify the HTTP POST request that sends the information to the ODS target. The following example code sends the HTTP request described in the previous example to an ODS target named ticket-server:
    Remote.HTTP('ticket-server').post(req);
The complete trigger code should look similar to the following example:
const summary = "ExtraHop Detection: " + Detection.id + ": " + Detection.title;
const description = "ExtraHop has detected the following event on your network: " + Detection.description 
const payload = {
    "fields": {
        "summary": summary,
        "assignee": {
            "name": "escalations_team"
        },
        "reporter": {
            "name": "ExtraHop"
        },
        "priority": {
            "id": Detection.riskScore
        },
        "labels": Detection.categories,
        "mitreCategories": Detection.mitreCategories,
        "description": description
    }
};

const req = {
    'path': '/rest/api/issue',
    'headers': {
        'Content-Type': 'application/json'
    },
    'payload': payload
};

Remote.HTTP('ticket-server').post(req);

Send ticket information to detections through the REST API

After you have configured a trigger to create tickets for detections in your ticket tracking system, you can update ticket information on your ExtraHop system through the REST API.

Ticket information appears in detections on the Detections page in the ExtraHop Web UI. For more information, see the Detections topic.

The following example Python script takes ticket information from a Python array and updates the associated detections on an ExtraHop system.

#!/usr/bin/python3

import json
import requests
import csv

API_KEY = '123456789abcdefghijklmnop'
HOST = 'https://extrahop.example.com/'

# Method that updates detections on an ExtraHop system
def updateDetection(detection):
    url = HOST + 'api/v1/detections/' + detection['detection_id']
    del detection['detection_id']
    data = json.dumps(detection)
    headers = {'Content-Type': 'application/json',
               'Accept': 'application/json',
               'Authorization': 'ExtraHop apikey=%s' % API_KEY}
    r = requests.patch(url, data=data, headers=headers)
    print(r.status_code)
    print(r.text)

# Array of detection information
detections = [
                 {
                     "detection_id": "1",
                     "ticket_id": "TK-16982",
                     "status": "new",
                     "assignee": "sally",
                     "resolution": None,
                 },
                 {
                     "detection_id": "2",
                     "ticket_id": "TK-2078",
                     "status": None,
                     "assignee": "jim",
                     "resolution": None,
                 },
                 {
                     "detection_id": "3",
                     "ticket_id": "TK-3452",
                     "status": None,
                     "assignee": "alex",
                     "resolution": None,
                 }
             ]

for detection in detections:
    updateDetection(detection)
Note:If the script returns an error message that the SSL certificate verification failed, make sure that a trusted certificate has been added to your ExtraHop system. Alternatively, you can add the verify=False option to bypass certificate verification. However, this method is not secure and is not recommended. The following code sends an HTTP GET request without certificate verification:
requests.get(url, headers=headers, verify=False)
After ticket tracking is configured, ticket details are displayed in the left pane of the detection details, similar to the following figure:
Status
The status of the ticket associated with the detection. Ticket tracking supports the following statuses:
  • New
  • In Progress
  • Closed
  • Closed with Action Taken
  • Closed with No Action Taken
Ticket ID
The ID of the ticket in your work-tracking system that is associated with the detection. If you have configured a template URL, you can click the ticket ID to open the ticket in your work-tracking system.
Assignee
The username assigned to the ticket associated with the detection. Usernames in gray indicate a non-ExtraHop account.

Threat intelligence

Threat intelligence provides known data about suspicious IP addresses, hostnames, and URIs that can help identify risks to your organization. These data sets, called threat collections, are available by default in your Reveal(x) system and from free and commercial sources in the security community.

Threat collections

The Reveal(x) system includes threat collections that help identify suspicious IP addresses, hostnames, and URIs.

Before you begin

  • You must enable these collections in the system to display threat intelligence in system charts and records.
  • You can directly upload threat collections to Reveal(x) 360 systems for self-managed sensors. Contact ExtraHop Support to upload a threat collection to ExtraHop-managed sensors.
The security community also offers free and commercial threat collections, which can be uploaded to your Reveal(x) system as a custom threat collection. Custom threat collections must be formatted in Structured Threat Information eXpression (STIX) as TAR or TAR.GZ files. Reveal(x) currently supports STIX version 1.0 - 1.2. Learn more about uploading STIX files through the REST API.
Note:Because cyber threat intelligence is community-driven, there are many external sources for threat collections. Data from these collections can vary in quality or relevance to your environment. To maintain accuracy and reduce noise, we recommend that you limit your uploads to high-quality threat intelligence data that focus on a specific type of intrusion, such as one collection for malware and another collection for botnets.

When the Reveal(x) system observes activity that matches an entry in a threat collection (called an indicator of compromise), the suspicious IP address, hostname, or URI is marked with a red camera icon or other visual cue.

Investigating threats

Reveal(x) displays threat intelligence throughout the system, so you can investigate indicators of compromise directly from the tables and charts you are viewing.

  • If the threat collection is added or updated after the system has observed the suspicious activity, threat intelligence is not applied to that IP address, hostname, or URI until the suspicious activity occurs again.
  • If you disable or delete a threat collection, all indicators are removed from the related metrics and records in the system.

Here are some places in the Reveal(x) system that show the indicators of compromise found in your threat collections:

Security Dashboard

The Threat Intelligence region contains metrics for suspicious activity that matches the data in your threat collections. By clicking any metric, such as HTTP Requests with Suspicious Hosts, you can drill down on the metric for details or query records for related transactions.

Perimeter Overview

In the halo visualization, any endpoints that match threat collection entries are highlighted in red.

Detections

A detection appears when an indicator of compromise from a threat collection is identified in network traffic.

Records

The Records page enables you to directly query for transactions that match threat collection entries.
  • Under the Suspicious facet, click True to filter for all records with transactions that match suspicious IP addresses, hostnames, and URIs.
  • Create a filter by selecting Suspicious, Suspicious IP, Suspicious Domain, or Suspicious URI from the trifield drop-down, an operator, and a value.
  • Click the red camera icon to view threat intelligence details.

Manage threat collections

ExtraHop Reveal(x) includes curated threat collections that identify suspicious hostnames, IP addresses, and URIs in charts and tables throughout the system. You must enable these threat collections before threat intelligence is applied to your network activity. In addition, you can upload threat collections from free or commercial sources as a custom threat collection.

Before you begin

Here are some important considerations about adding threat collections:

  • ExtraHop currently supports STIX versions 1.0 - 1.2.
  • The maximum number of observables that a threat collection can contain depends on your platform and license. Contact your ExtraHop representative for more information.
  • You can directly upload threat collections to Reveal(x) 360 systems for self-managed sensors. Contact ExtraHop Support to upload a threat collection to ExtraHop-managed sensors.
  1. Log into the Web UI on your Discover or Command appliance.
    Threat intelligence files are applied only to the local appliance and are not synced between appliances. If you manage your Reveal(x) system through a Command appliance, upload the threat collection to the Command appliance and to each connected Discover appliance.
  2. Click the System Settings icon and then click Threat Intelligence.
  3. Click Upload New Collection.
  4. Type a unique collection ID in the Collection ID field. The ID can only contain alphanumeric characters. Spaces are not allowed.
  5. Type a display name in the Display Name field.
  6. Click Choose file and select a .tgz file that contains a STIX file.
  7. Click Save.
After the upload completes, the new threat collection appears in the table. You can now view threat intelligence metrics on the Security dashboard.

Enable ExtraHop-curated threat collections

Enable the ExtraHop threat collection to display suspicious hostnames, IP addresses, and URIs in system charts and records.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Threat Intelligence.
  3. In the ExtraHop Threat Intelligence table, select the Enabled checkbox in the Status column

Upload a threat collection

Upload threat collections from free and commercial sources to identify suspicious hosts, IP addresses, and URIs in system charts and records. Because threat intelligence data is updated frequently (sometimes daily), you might need to update a threat collection with the latest data. When you update a threat collection with new data, the collection is deleted and replaced, and not appended to an existing collection.

Tip:Upload STIX files through the REST API.

Custom threat collections must be formatted in Structured Threat Information eXpression (STIX) as TAR.GZ files. Reveal(x) currently supports STIX version 1.0 - 1.2.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Threat Intelligence.
  3. Click Manage custom collections.
  4. Click Upload New Collection.
  5. In the Collection ID field, type a unique collection ID. The ID can only contain alphanumeric characters and spaces are not allowed.
  6. Click Choose file and select a .tgz file that contains a STIX file.
  7. Type a display name in the Display Name field.
  8. Click Upload Collection.

Alerts

Alerts make it easy to learn when important events occur, such as security detections on critical devices or Software License Agreement (SLA) violations. Configured alert conditions determine when an alert is generated.

Alert conditions are a combination of settings, such as a time interval, metric value, and metric calculations that occur on assigned data sources. Threshold or trend alerts are based on the value of the monitored metric. Detection alerts are based on specified protocols and detection categories.

Configuring alerts

Configure an alert to monitor for certain conditions and generate alerts when those conditions are met on the assigned data sources.

Threshold alerts
Threshold-based alerts are generated when a monitored metric crosses a defined value within a specified time interval.

Create a threshold alert to monitor occurrences such as error rates that surpass a comfortable percentage or SLA-violations. Learn how to configure a threshold alert.

Trend alerts
Trend-based alerts are generated when a monitored metric deviates from the normal trends observed by the system. Trend alerts are more complex than threshold alerts and are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup.

Create a trend alert to monitor when a metric deviates from normal behavior and where thresholds are difficult to define. Learn how to configure a trend alert.

Detection alerts
Detection alerts are generated when a detection on a specified protocol or detection category occurs. Detections are unexpected deviations from normal patterns in device or application behavior or notable activity in your environment. See Detections for more information.

Create a detection alert to monitor when detections occur in higher risk categories such as actions on objective or exfiltration. Learn how to configure a detection alert.

In addition, you can configure an alert with the following options:

Viewing alerts

The Alerts page displays a list of all alerts generated during the specified time interval. Select from the filters at the top of the page to adjust the list or click an alert name to view details about the alert.

The Alerts page displays the following information about each alert:

Severity
A color-coded indicator of the alert severity level. You can set the following severity levels: Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.
Alert name
The name of the configured alert. Click the alert name to view alert details.
Source
The name of the data source on which the alert conditions occurred. Click the source name to navigate to the source Overview page.
Time
The time of the most recent occurrence of the alert conditions.
Alert type
Indicates a trend, threshold, or detection alert.

For more information about viewing alerts, see the following topics

Configure a threshold alert

Configure a threshold alert to monitor when a specific metric crosses a defined boundary. For example, you can configure an alert to generate when an HTTP 500 status code is observed more than 100 times during a ten minute period.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Alerts.
  3. Click Create.
  4. Type a unique name for the alert configuration in the Name field.
  5. In the Description field, add information about the alert.
    Tip:Alert descriptions support Markdown, which is a simple formatting syntax that converts plain text into HTML. For more information, see the Alerts FAQ.
  6. In the Alert Type section, click Threshold Alert.
  7. In the Assigned Sources field, type the name of a device, device group, or application and then select from the search results.
    To search for a wire network, flow network, or flow interface, select that source type from the drop-down menu at the top of the search results.
  8. (Optional): Click Add Source to assign the alert to multiple sources. Multiple sources must be of the same type, such as only devices and device groups or only applications.
    Tip:Assign an alert to a device group to efficiently manage assignments to multiple devices.
  9. In the Monitored Metric field, type the name of a metric and then select from the search results.
    The metric must be compatible with the assigned sources. For example, if you assign the alert to an application, you cannot select a device metric.
    Note:If you select a detail metric, you can specify a key value. For example, you might select HTTP - Responses by Status Code and then specify 404 as the key value. An alert is generated only when HTTP responses with 404 status codes occur.

  10. (Optional): To monitor the value of a metric divided by a secondary metric, click Ratio and then select a secondary metric.
    For example, you can monitor the percentage of HTTP errors occurring on responses by dividing HTTP response errors by HTTP responses.

  11. In the Alert Condition section, specify conditions for generating an alert.


    1. Select a metric calculation to specify how to calculate the metric value within the time interval. The options available depend on the data type.
      Count
      • Count
      • Rate per second
      • Rate per minute
      • Rate per hour
      Dataset
      • Minimum
      • 25th percentile
      • Median
      • 75th percentile
      • Maximum
      Sampleset
      • Mean
      • +1 to +7 standard deviations
      • -1 to -7 standard deviations
      Maximum, Snapshot No measurement; the operator compares the actual metric value.
    2. Select an operator to specify how to compare the metric calculation to the metric value.
    3. Specify the metric value to be compared to the metric calculation.
    4. Select the time interval over which the metric value is observed and metric data is aggregated, or rolled up. You can select a time interval from 30 seconds up to 30 minutes.
    For example, to generate an alert when more than 300 HTTP response errors occur within 5 minutes, specify the following conditions:
    • Metric Calculation: Count
    • Operator: >
    • Metric Value: 300
    • Time Interval: 5m rollup
  12. (Optional): In the Notifications section, add an email notification to an alert to receive emails or SNMP traps when an alert is generated.
  13. In the Status section, click an option to enable or disable the alert.
  14. (Optional): Add an exclusion interval to suppress alerts during specific times.
  15. Click Save.

Configure a trend alert

Configure a trend alert to monitor when a specific metric deviates from normal trends. Trend alerts are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup. For example, you can configure a trend alert that generates alerts when a spike (75th percentile) in HTTP web server processing time lasts longer than 10 minutes, and where the metric value of the processing time is 100% higher than the trend.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click Alerts.
  3. Click Create.
  4. Type a unique name for the alert configuration in the Name field.
  5. In the Description field, add information about the alert.
    Tip:Alert descriptions support Markdown, which is a simple formatting syntax that converts plain text into HTML. For more information, see the Alerts FAQ.
  6. In the Alert Type section, click Trend Alert.
  7. In the Assigned Sources field, type the name of a device, device group, or application and then select from the search results.
    To search for a wire network, flow network, or flow interface, select that source type from the drop-down menu at the top of the search results.
  8. (Optional): Click Add Source to assign the alert to multiple sources. Multiple sources must be of the same type, such as only devices and device groups or only applications.
    Tip:Assign an alert to a device group to efficiently manage assignments to multiple devices.
  9. In the Monitored Metric field, type the name of a metric and then select from the search results.
    The metric must be compatible with the assigned sources. For example, if you assign the alert to an application, you cannot select a device metric.

    If you select a dataset metric such as HTTP Server Processing Time, you must specify one of the following data aggregation methods:

    Merge Aggregate all the metric dataset values and apply the trend weighting model to one superset of data.

    For example, a 30-second aggregated rollup, or metric cycle, contains a single dataset for each 30-second interval. Therefore, a 30-minute interval has 60 datasets.

    Mean Aggregate the mean of each metric dataset.
    Percentile Aggregate the percentile of each metric dataset based on the value you specify for Percentile.
    Absolute Standard Deviation Aggregate the metric dataset to its standard deviation as a constant.
    Relative Standard Deviation Aggregate the metric dataset to its standard deviation relative to the mean.
  10. (Optional): To monitor the value of a metric divided by a secondary metric, click Ratio and then select a secondary metric.
    For example, divide HTTP response errors by HTTP responses to monitor trends in the percentage of HTTP errors.

  11. In the Trend Definition section, specify how the trend is calculated:
    1. From the Trend Weighting Model drop-down list, select a model. The weighting model aggregates historical metric values to calculate a trend.
      Mean Calculate a trend by averaging all metric values, weighted equally.
      Minimum Value Calculate a trend from the lowest value metrics.
      Median Value Calculate a trend from the median historical metric values.
      Maximum Value Calculate a trend from the highest value metrics.
      Percentile Calculate a trend from the percentile of each metric based on the value you specify for Percentile Value.
      Absolute Standard Deviation Calculate a trend by comparing the standard deviation as a constant value to the current trend.

      From the Deviation Type drop-down list, select a type:

      • Sample-based
      • Population-based
      Relative Standard Deviation Calculate a trend by comparing the standard deviation as a value relative to the mean of the current trend.

      From the Deviation Type drop-down list, select a type:

      • Sample-based
      • Population-based
      Linear Regression Calculate a linear trend based on previous metric values.
      2nd Degree Polynomial Regression Calculate a quadratic trend by projecting a curve with the following equation: y=ax^2+bx+c
      Single Exponential Mean Calculates a trend by averaging weight-based metric values.

      In the Recent Value Weight Calculation field, specify a large number to give more weight to the most recent metric values or specify a small number to give more weight to the oldest metric values.

      Double Exponential Mean Calculates a trend by averaging weight-based metric values.

      In the Recent Value Weight Calculation field,