Reveal(x) 360 Setup and Administration Guide

After you receive your initial email from ExtraHop Networks, there are a few procedures you must complete before you can start analyzing your traffic. This guide provides procedures for basic setup and administration of the Reveal(x) 360 system.

Video:See the related training: Reveal(x) 360 Administration Overview

Activate your administrator account

The System and Access Administration privilege is granted to the email address that you provided during sign up.

  1. Open your Welcome to ExtraHop Reveal(x) 360 email.
  2. Click the URL link to your Reveal(x) 360 environment.
  3. At the login page, enter your email address and temporary password included in the email.
  4. Click Sign In.
  5. On the Change Password screen, enter a new password in both password fields and then click Send.
  6. From the Multi-Factor Authentication Setup page, scan the QR code or manually enter the code that appears into your authenticator app.
  7. Enter the code provided by your authentication app into the Code field and then click Complete Setup.
  8. On the Success page, click Continue.

Configure your firewall rules

If your ExtraHop system is deployed in an environment with a firewall, you must open access to ExtraHop Cloud Services. For Reveal(x) 360 systems that are connected to self-managed sensors, you must also open access to the ExtraHop Cloud Recordstore.

Open access to Cloud Services

For access to ExtraHop Cloud Services, your sensors must be able to resolve DNS queries for *.extrahop.com and access TCP 443 (HTTPS) from the IP address that corresponds to your sensor license:

  • 35.161.154.247 (Portland, U.S.A.)
  • 54.66.242.25 (Sydney, Australia)
  • 52.59.110.168 (Frankfurt, Germany)

Open access to Cloud Recordstore

For access to the ExtraHop Cloud Recordstore, your sensors must be able to access outbound TCP 443 (HTTPS) to these fully-qualified domain names:

  • bigquery.googleapis.com
  • bigquerystorage.googleapis.com
  • oauth2.googleapis.com
  • www.googleapis.com
  • www.mtls.googleapis.com
  • iamcredentials.googleapis.com

You can also review the public guidance from Google about computing possible IP address ranges for googleapis.com.

In addition to configuring access to these domains, you must also configure the global proxy server settings.

Add and manage users

  1. From the Reveal(x) 360 Overview page, click System Settings and then click All Administration.
  2. Click User Access.
  3. In the Users section, click View Users.
  4. Click Create.
  5. Enter the email address, first name, and last name of the new user.
  6. In the System Access section, select one of the following privileges.
    Privilege Description
    System and access administration Create and modify all objects and settings, including Administration pages, in Reveal(x) 360.
    System administration Create and modify objects and settings, excluding User Access and API Access on the Administration page.
    Full write Create and modify all objects and settings, excluding Administration pages.
    Limited write Create, modify, and share dashboards. Create and modify tuning rules. Create and modify detection and threat briefing notification rules.
    Personal write Create personal dashboards and modify dashboards shared with the logged-in user.
    Full read-only View objects in the ExtraHop system.
    Restricted read-only View dashboards shared with this user.
  7. In the NDR Module Access section, select one of the following privileges.
    Privilege Description
    Full access Access to network detections.
    No access No access to network detections.
  8. In the NPM Module Access section, select one of the following privileges.
    Privilege Description
    Full access Access to performance detections.
    No access No access to performance detections.
  9. In the Packet and Session Key Access section, select one of the following privileges:
    Privilege Description
    Packets and session keys Search and download packets and associated session keys.
    Packets only Search and download packets.
    Packet slices only Search and download the first 64 bytes of a packet.
    No access No access to packets.
  10. Click Save.
    The user is sent an email that includes the URL of the Reveal(x) 360 environment and their temporary password. The temporary password expires in 7 days.
  11. Click Done.

Change user settings

You can change the assigned privilege levels, reset the multi-factor authentication configuration, or delete the user.

Change user privileges

  1. In the Users section, click the name of the user you want to modify.
  2. In the left pane, select the new privilege level for the user and then click Save.

Reset multi-factor authentication

  1. In the Users section, click the name of the user you want to modify.
  2. Clear the Reset MFA configuration for this user.
    The user is required to configure multi-factor authentication the next time they log in to Reveal(x) 360.

Delete a user

  1. In the Users section, click the name of the user you want to modify.
  2. Click Delete.
  3. Select one of the following options:
    • Transfer dashboards, collections, and activity maps owned by <username> to the following user: and then select a new user from the drop-down list.
    • Delete all dashboards, collections, and activity maps owned by <username>
  4. Click Delete.

Manage global policies

Administrators can configure global policies that apply to all users who access the system.

  1. From the Overview page, click System Settings, and then click User Access.
  2. From the Global Policies section, specify one or more of the following options.
    Option Description
    Device Group Edit Control Select to control whether all users with limited write privileges can create and edit device groups. When this policy is selected, all limited write users can create device groups and add other limited write users as editors to their device groups.
    Default Dashboard Specify the dashboard that users see when they log in to the system. Only dashboards shared with all users can be set as a global default. Users can override this default setting from the command menu of any dashboard.
  3. Click Save Changes.

Configure an allow list

Configure a list of IPv4 addresses and CIDR blocks that are allowed to access Reveal(x) 360.

  1. From the Overview page, click System Settings and then click User Access.
  2. In the Allow List section click, Enable Allow List.
  3. Type a comma-separated list of the IPv4 addresses or CIDR blocks that are allowed to access the system. IPv6 addresses are not supported.
  4. Click Save. It can take several minutes for the allow list to become active.

Configure the system time

The System Time page displays the default system time settings and the default display time configured for your ExtraHop system.

Here are some considerations about system time settings in Reveal(x) 360:

  • You must have System Administrator privileges or better to make changes.
  • The default system time is a global time zone applied to your ExtraHop system.
  • The default display time for users is the time zone that all users see in the ExtraHop system unless a user manually changes their displayed time zone.
  1. From the Overview page, click System Settings and then click System Time.
  2. From the Default System Time drop-down list, select the time zone you want.
  3. From the Default Display Time for Users section, select one of the following options:
    • Browser time
    • System time
    • UTC
  4. Click Save Changes.

Device name precedence

Discovered devices are automatically named based on multiple sources of network data. When multiple names are found for a device, a default order of precedence is applied. You can change the order of precedence.

  1. Click the System Settings icon and then click All Administration.
  2. In the Console Settings section, click Device Name Precedence.
  3. Click and drag device names to create a new order of precedence.
  4. Click Save.
    Click Revert to Default to undo your changes.

Connect sensors

Add sensors to Reveal(x) 360 to monitor your network traffic.

ExtraHop-managed Reveal(x) sensors for AWS can be selected and deployed from within the Reveal(x) 360 console.

Self-managed sensors and packetstores can also be connected from within the Reveal(x) 360 console. Note that if you have an existing console, you must disconnect the console before connecting your self-managed sensors to Reveal(x) 360.

Multi-factor authentication

Multi-factor Authentication (MFA) is a security enhancement that requires you to provide two forms of credentials when you log in to your account. In addition to your ExtraHop credentials, you must supply credentials from a 3rd-party authenticator app.

Select and download an authentication application to your device and generate secure, six-digit codes when you log in to your Reveal(x) 360 system.

There are many authenticator apps to select from. The following steps are a general guideline, but you should also review the help documentation for the app you select.

  1. Choose a device, such as a computer or mobile device (phone or tablet), on which you can install apps.
  2. Download and install an authentication app on the device. Here are some popular options:
    • Android and iOS: Google Authenticator, Authy
    • Windows and macOS: 1Password, OTP Manager
    • Chrome extensions: Authenticator
  3. Open a new browser and sign in to your ExtraHop Reveal(x) 360 system.
  4. Follow the instructions to scan or enter the code that appears on the ExtraHop Multi-Factor Authentication setup screen, and then enter the credentials provided by your authenticator app.

Upgrade connected sensors in Reveal(x) 360

Administrators can upgrade sensors that are connected to Reveal(x) 360.

Before you begin

  • Your user account must have privileges on Reveal(x) 360 for System and Access Administration or System Administration.
Here are some considerations about upgrading sensors:
  • Sensors must be connected to ExtraHop Cloud Services
  • Notifications appear when a new firmware version is available
  • You can upgrade multiple sensors at the same time
  1. Log in to Reveal(x) 360.
  2. Click the System Settings icon and then click Sensors.
    Sensors that are eligible for upgrade display an up arrow in the Sensor Version field.
  3. Select the checkbox next to each sensor that you want to upgrade.
  4. In the Sensor Details pane, select the firmware version from the Available Firmware drop-down list.

    The drop-down list only displays versions that are compatible with the selected sensors.

    Only the selected sensors that have a firmware upgrade available appear in the Sensor Details pane.

  5. Click Install Firmware.

    When the upgrade completes, the Sensor Version field is updated with the new firmware version.

Active device count and limit

The Active Device Count and Limit chart on the main Administration page enables you to monitor whether your active device count has exceeded the licensed limit. For example, an ExtraHop system with a 20,000-50,000 devices band is allowed up to 50,000 devices.

Click System Settings and then click All Administration to view the chart.

The Active Device Count and Limit chart displays the following metrics:

  • The dashed red line represents the licensed device limit.
  • The solid black line represents the 95th percentile of active devices observed each day for the last 30 days.
  • The blue bars represent the maximum number of active devices observed each day for the last 30 days.

This page also displays the following metrics:

  • The licensed device limit for the previous day and for the last 30 days.
  • The number of active devices observed the previous day.
  • The 95th percentile of active devices observed over the last 30 days.
  • The utilization percentage of the licensed device limit for the previous day and for the last 30 days. Utilization is the active device count divided by the licensed limit.

You can create a system notification rule to warn you if utilization is near (exceeds 80%) or over (exceeds 100%) your licensed device limit. If you find that you are consistently approaching or over your licensed limit, we recommend that you work with your sales team to move to the next available capacity band.

Record ingest and capacity

The Record Ingest and Capacity chart on the main Administration page enables you to monitor the record ingest and capacity levels and confirm that the capacity limit is optimal for your environment.

The dashed red line on the chart represents the record capacity of your subscription, and the blue bars represent the amount of ingest each day up to the last 60 days.

You can create a system notification rule to warn you if recordstore ingest is near (exceeds 80%) or over (exceeds 100%) your daily record ingest capacity.

If you find that you are consistently over your allotted capacity, contact your ExtraHop sales representative.



Last modified 2024-01-26