OVERVIEW

The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any devices, device groups, applications, and networks from an ExtraHop Discover or Command appliance.
The ExtraHop Add-On for Splunk collects metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop source type.

• Author - ExtraHop Networks
• Version - 2.2.0
• Vendor Products - ExtraHop Discover Appliance, ExtraHop Command Appliance
• Creates Index - False
• Prerequisites - You must have an account on the ExtraHop system with the appropriate privileges. For details refer to Configuration > Add Account section.
• Compatible with:
  • Splunk Enterprise version: 8.2.x and 8.1.x, and Splunk Cloud
  • ExtraHop firmware version: 8.8 or later
  • OS: Linux and Windows
  • Browser: Safari, Chrome, and Firefox

RELEASE NOTES

VERSION 2.2.0

• Converted to a polled-mode integration to collect detections.
• Deprecated the ExtraHop Detection SIEM Connector configuration and bundle.
• Added UI for detections input.
• Removed Activity and Activity Groups object types for metrics input.
• Made general usability and performance improvements.

VERSION 2.1.0

• Added support for Extrahop Cloud. Users can now configure on-prem instances as well as cloud instances from a single TA.
• Moved Hostname and API field from the Inputs tab to the Configuration tab.
• Removed the "Validate SSL Certificate" field for TA cloud compatibility. The default value for this field is set to True. To change the default value, navigate to $SPLUNK_HOME/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf and add validate_ssl_certificates = 0 under the additional_parameters stanza.
• Restored functionality to sending network calls through the proxy.
• Other minor changes to improve compatibility with TA Splunk cloud.

VERSION 2.0.0

• Code migrated to Python 3
• Removed deprecated oidsearch command.
• Resolved an issue with the extrahop-detections transform
• Added support for custom "cyclesize", which now allows 5 min or 1 hr metric rollups
• Added support for network metrics
• Added support for summary metrics for activity groups and device groups; metrics are summed for the group for each metric cycle, instead of per-device for group members
• Added settings for custom Splunk Management API hostname and port

VERSION 1.2.2

• Added support for ExtraHop timestamp metrics.

VERSION 1.2.1

• Resolved an issue with retrieving device group metrics from Command appliances

VERSION 1.2.0

• Added support for ExtraHop detections

VERSION 1.1.1

• Object IDs are now correct in 'extrahop' events (since 1.1.0)
• Data for ExtraHop devices and applications are now retrieved at ingest time.

(NOTE: This version changes how device data is indexed in Splunk's KV Store.
It may be useful to clean the "TA_extrahop_oiddev" collection,
but it is not necessary. This can be done by running the following command:
$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev
)

VERSION 1.1.0

• Added the ability to specify device objects in data input definitions
• Metric names are no longer incorrectly converted to lowercase
• Fixed overflow error on Windows systems when calculating time intervals

VERSION 1.0.9

• Added support for topn_tset metrics

VERSION 1.0.8

• Fixed issue in 'extrahop' modular input schema

VERSION 1.0.7

• Fixed issue in ExtraHop App setup handler

VERSION 1.0.6

• Fixed issue in Retrieve Device Information saved search command 'extrahopoid'

VERSION 1.0.5

• Added option for SSL certificate validation on data inputs
• Added proxy support for extrahopoid command

VERSION 1.0.2

• Added Eventgen sample files

VERSION 1.0.1

• Fixed issue with API key retrieval

VERSION 1.0.0

• Initial release

RECOMMENDED SYSTEM CONFIGURATION

• Standard Splunk configuration which can be found here: https://docs.splunk.com/Documentation/Splunk/latest/Capacity/Referencehardware
• The ExtraHop Add-On for Splunk requires the ExtraHop firmware version 8.8.0 or later

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

This app can be set up in two ways:

1. Standalone Mode:
   • Install the ExtraHop Add-On for Splunk.
2. Distributed Environment:
   • Install the ExtraHop Add-On for Splunk on the search head. User does not need to configure an account or create an input in ExtraHop Add-On for Splunk on search head.
   • Install only ExtraHop Add-On for Splunk on the heavy forwarder. User needs to configure account and needs to create data input to collect data from ExtraHop platform.
   • User needs to manually create an index on the indexer (No need to install ExtraHop Add-On for Splunk on indexer).

INSTALLATION

ExtraHop Add-On for Splunk can be installed through UI using "Manage Apps" > "Install app from file" or by extracting tarball directly into $SPLUNK_HOME/etc/apps/ folder.

CONFIGURATION

Configure Account

To configure ExtraHop account, navigate to ExtraHop Add-On for Splunk, click on "Configuration", go to "Accounts" tab, click on "Add" button and fill in the details asked and click "Add". Field descriptions are as below:

Configure proxy settings

Navigate to ExtraHop Add-On for Splunk, click on "Configuration", go to the "Proxy" tab, fill in the details asked and click "Save". Field descriptions are as below:

Note: * denotes required fields

Create metric inputs for the ExtraHop Add-On for Splunk

You must create data inputs that collect information from an ExtraHop appliance to retrieve wire data metrics.

1. On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
2. Click Inputs.
3. Click Create New Input.
4. Click Metrics.
5. In the Add ExtraHop Add-On for Splunk window, specify settings for the input
   Note: Each input can only collect metrics for a single metric category. If you want to collect metrics for multiple categories, you must create multiple inputs.
6. Click Add.

Create detection inputs for the ExtraHop Add-On for Splunk

You must create data inputs that collect information from an ExtraHop appliance to retrieve detections.

1. On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
2. Click Inputs.
3. Click Create New Input.
4. Select Detections.
5. In the Add ExtraHop Add-On for Splunk window, specify settings for the input
6. Click Add.

UPGRADE TO V2.2.0

Follow the steps mentioned below in order to upgrade your ExtraHop Add-On for Splunk v2.2.0:

• Install the ExtraHop Add-On for Splunk v2.2.0.
• Restart the Splunk if prompted.

USER GUIDE

Data types

This add-on provides the index-time and search-time knowledge for the following types of data from the ExtraHop system:

ExtraHop wire data metrics

All ExtraHop wire data metrics have a sourcetype of extrahop.

ExtraHop detections

All Extrahop detections have a sourcetype of extrahop:detection.

Lookups

The ExtraHop Add-On for Splunk contains a KV store lookup: the extrahop_deviceoid_lookup

The extrahop_deviceoid_lookup adds display names, MAC addresses, and IP addresses to ExtraHop events to Splunk.

• File location: App KV Store
• Lookup fields: oid,discovery_id,display_name,macaddr,ipaddr4,ipaddr6,otype,hostname
• Lookup contents: Generated from data

Splunk Event Generator

You can configure the Splunk Event Generator to create sample ExtraHop events through the ExtraHop Add-On for Splunk . Sample event generation is configured through the eventgen.conf file. Sample events retrieve data from the samples directory of the Splunk Event Generator package. For more information about the Splunk Event Generator, see see the Eventgen GitHub page.

OPEN SOURCE COMPONENTS AND LICENSES

Some of the components included in "ExtraHop Add-On for Splunk" are licensed under free or open source licenses. We wish to thank the contributors to those projects. Version 2.1.0 of the ExtraHop Add-On for Splunk incorporates the following third-party software or libraries:

• Splunk Add-On Builder 3.3.0 (https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/Overview)
• Python requests 2.18.4 (http://docs.python-requests.org/en/master/)

TROUBLESHOOTING

• Ensure that the KV store is enabled. You can check that by visiting: https://localhost:8089/servicesNS/nobody/TA-extrahop_addon/storage/collections/data/TA_extrahop_addon_checkpointer
• For any other unknown failure, please check the $SPLUNK_HOME/var/log/ta_extrahop_addon_*.log files to get more details on the issue. Same logs can be viewed in Search using index=_internal sourcetype="taextrahop:log"
• You can find answers to questions about the ExtraHop App for Splunk at https://forums.extrahop.com/.

Note: $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk

UNINSTALL & CLEANUP STEPS

• Remove $SPLUNK_HOME/etc/apps/TA-extrahop_addon/
• Remove $SPLUNK_HOME/var/log/ta_extrahop_addon_*.log
• To reflect the cleanup changes in UI, restart Splunk instance. Refer https://docs.splunk.com/Documentation/Splunk/latest/Admin/StartSplunk documentation to get information on how to restart Splunk.

Note: $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk

SUPPORT

Contact ExtraHop Support for assistance with this app at https://www.extrahop.com/support/

COPYRIGHT

Copyright ExtraHop Networks 2022