ExtraHop Add-On for Splunk

SHA256 checksum (extrahop-add-on-for-splunk_220.tgz): 7f89a67ecb375e9e2bf9805b7889dca568e5bd1e993653c454e6f0b3ae5071bb
SHA256 checksum (extrahop-add-on-for-splunk_210.tgz): 47c7e739d25629208e6d9b9416e5447947186b397999afef5a995b61fdf6d348

The ExtraHop Add-On for Splunk enables you to export ExtraHop Reveal(x) network detection and response metrics and detections as Splunk events. You can export metrics about any devices, device groups, applications, and networks from Reveal(x).

OVERVIEW

The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any devices, device groups, applications, and networks from an ExtraHop Discover or Command appliance.
The ExtraHop Add-On for Splunk collects metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop source type.

  • Author - ExtraHop Networks
  • Version - 2.2.0
  • Vendor Products - ExtraHop Discover Appliance, ExtraHop Command Appliance
  • Creates Index - False
  • Prerequisites - You must have an account on the ExtraHop system with the appropriate privileges. For details, refer to the Configuration > Configure Account section below.
  • Compatible with:
    • Splunk Enterprise version: 8.2.x and 8.1.x, and Splunk Cloud
    • ExtraHop firmware version: 8.8 or later
    • OS: Linux and Windows
    • Browser: Safari, Chrome, and Firefox

RELEASE NOTES

VERSION 2.2.0

  • Converted to a polled-mode integration to collect detections.
  • Deprecated the ExtraHop Detection SIEM Connector configuration and bundle.
  • Added UI for detections input.
  • Removed Activity and Activity Groups object types for metrics input.
  • Made general usability and performance improvements.

VERSION 2.1.0

  • Added support for ExtraHop Cloud. Users can now configure on-prem instances as well as cloud instances from a single TA.
  • Moved the Hostname and API fields from the Inputs tab to the Configuration tab.
  • Removed the "Validate SSL Certificate" field for TA cloud compatibility. The default value for this field is True. To change the default value, navigate to $SPLUNK_HOME/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf and add validate_ssl_certificates = 0 under the additional_parameters stanza.
  • Restored sending of network calls through the configured proxy.
  • Other minor changes to improve the Splunk Cloud compatibility of the TA.

VERSION 2.0.0

  • Code migrated to Python 3
  • Removed deprecated oidsearch command.
  • Resolved an issue with the extrahop-detections transform
  • Added support for custom "cyclesize", which now allows 5 min or 1 hr metric rollups
  • Added support for network metrics
  • Added support for summary metrics for activity groups and device groups; metrics are summed for the group for each metric cycle, instead of per-device for group members
  • Added settings for custom Splunk Management API hostname and port

VERSION 1.2.2

  • Added support for ExtraHop timestamp metrics.

VERSION 1.2.1

  • Resolved an issue with retrieving device group metrics from Command appliances

VERSION 1.2.0

  • Added support for ExtraHop detections

VERSION 1.1.1

  • Object IDs are now correct in 'extrahop' events (since 1.1.0)
  • Data for ExtraHop devices and applications are now retrieved at ingest time.

Note: This version changes how device data is indexed in Splunk's KV Store. It may be useful, but is not necessary, to clean the "TA_extrahop_oiddev" collection. This can be done by running the following command:

$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev

VERSION 1.1.0

  • Added the ability to specify device objects in data input definitions
  • Metric names are no longer incorrectly converted to lowercase
  • Fixed overflow error on Windows systems when calculating time intervals

VERSION 1.0.9

  • Added support for topn_tset metrics

VERSION 1.0.8

  • Fixed issue in 'extrahop' modular input schema

VERSION 1.0.7

  • Fixed issue in ExtraHop App setup handler

VERSION 1.0.6

  • Fixed issue in Retrieve Device Information saved search command 'extrahopoid'

VERSION 1.0.5

  • Added option for SSL certificate validation on data inputs
  • Added proxy support for extrahopoid command

VERSION 1.0.2

  • Added Eventgen sample files

VERSION 1.0.1

  • Fixed issue with API key retrieval

VERSION 1.0.0

  • Initial release

RECOMMENDED SYSTEM CONFIGURATION

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

This app can be set up in two ways:

  1. Standalone Mode:
    • Install the ExtraHop Add-On for Splunk.
  2. Distributed Environment:
    • Install the ExtraHop Add-On for Splunk on the search head. No account or data input needs to be configured on the search head.
    • Install only the ExtraHop Add-On for Splunk on the heavy forwarder. Configure the account and create the data inputs there to collect data from the ExtraHop platform.
    • Create the index manually on the indexer. The ExtraHop Add-On for Splunk does not need to be installed on the indexer.

INSTALLATION

ExtraHop Add-On for Splunk can be installed through UI using "Manage Apps" > "Install app from file" or by extracting tarball directly into $SPLUNK_HOME/etc/apps/ folder.
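Before extracting the tarball into $SPLUNK_HOME/etc/apps/, verify the downloaded package against the SHA256 checksums published on this Splunkbase listing, so that a corrupted or substituted download is caught before it runs inside Splunk. The following shell function is an added example, not part of the add-on or of the listing; it assumes that either sha256sum or shasum is available on the host, and the two digest constants are the ones shown at the top of this page.

```shell
#!/bin/sh
# Added example: verify a downloaded add-on package against the SHA256
# checksum published on the Splunkbase listing before installing it.
# Usage: verify_addon_checksum <file> <expected-sha256>

# Published checksums, copied from the listing for the two packages it offers.
EXTRAHOP_220_SHA256=7f89a67ecb375e9e2bf9805b7889dca568e5bd1e993653c454e6f0b3ae5071bb
EXTRAHOP_210_SHA256=47c7e739d25629208e6d9b9416e5447947186b397999afef5a995b61fdf6d348

# Print the SHA256 hex digest of a file with whichever tool the host provides
# (sha256sum on most Linux hosts, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected value, 1 otherwise.
# The expected value is lower-cased first because hex digests are often
# pasted in upper case.
verify_addon_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Example invocation for the 2.2.0 package: only extract it when the digest matches.
# verify_addon_checksum extrahop-add-on-for-splunk_220.tgz "$EXTRAHOP_220_SHA256" && \
#     tar -xzf extrahop-add-on-for-splunk_220.tgz -C "$SPLUNK_HOME/etc/apps/"
```

Chaining the extraction to the verification with && means a mismatch leaves $SPLUNK_HOME/etc/apps/ untouched; the same check applies to the 2.1.0 package with EXTRAHOP_210_SHA256.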

CONFIGURATION

Configure Account

To configure an ExtraHop account, navigate to the ExtraHop Add-On for Splunk, click "Configuration", go to the "Accounts" tab, click "Add", fill in the fields and click "Add". The fields are described below:

Field Name       Field Description
Account Name*    Unique name for your account
Instance Type*   Instance type for data collection
Hostname*        Hostname of your ExtraHop instance
API Key          API key for your ExtraHop on-prem account
Client ID        Client ID for your ExtraHop Cloud account
Client Secret    Client secret for your ExtraHop Cloud account

Configure proxy settings

Navigate to the ExtraHop Add-On for Splunk, click "Configuration", go to the "Proxy" tab, fill in the fields and click "Save". The fields are described below:

Field Name              Field Description
Enable                  Enable or disable the proxy
Proxy Type*             Type of proxy
Host*                   Hostname or IP address of the proxy
Port*                   Port of the proxy
Username                Username for proxy authentication (must be set together with Password)
Password                Password for proxy authentication (must be set together with Username)
Remote DNS resolution   Check this box to have the proxy resolve hostnames (remote DNS resolution)

Note: * denotes required fields

Create metric inputs for the ExtraHop Add-On for Splunk

You must create data inputs that collect information from an ExtraHop appliance to retrieve wire data metrics.

  1. On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
  2. Click Inputs.
  3. Click Create New Input.
  4. Click Metrics.
  5. In the Add ExtraHop Add-On for Splunk window, specify settings for the input.
    Note: Each input can only collect metrics for a single metric category. If you want to collect metrics for multiple categories, you must create multiple inputs.
  6. Click Add.

Create detection inputs for the ExtraHop Add-On for Splunk

You must create data inputs that collect information from an ExtraHop appliance to retrieve detections.

  1. On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
  2. Click Inputs.
  3. Click Create New Input.
  4. Select Detections.
  5. In the Add ExtraHop Add-On for Splunk window, specify settings for the input.
  6. Click Add.

UPGRADE TO V2.2.0

Follow the steps below to upgrade your ExtraHop Add-On for Splunk to v2.2.0:

  • Install the ExtraHop Add-On for Splunk v2.2.0.
  • Restart Splunk if prompted.

USER GUIDE

Data types

This add-on provides the index-time and search-time knowledge for the following types of data from the ExtraHop system:

ExtraHop wire data metrics

All ExtraHop wire data metrics have a sourcetype of extrahop.

ExtraHop detections

All ExtraHop detections have a sourcetype of extrahop:detection.

Lookups

The ExtraHop Add-On for Splunk contains one KV store lookup: extrahop_deviceoid_lookup.

The extrahop_deviceoid_lookup adds display names, MAC addresses, and IP addresses to ExtraHop events in Splunk.

  • File location: App KV Store
  • Lookup fields: oid, discovery_id, display_name, macaddr, ipaddr4, ipaddr6, otype, hostname
  • Lookup contents: Generated from data

Splunk Event Generator

You can configure the Splunk Event Generator to create sample ExtraHop events through the ExtraHop Add-On for Splunk. Sample event generation is configured through the eventgen.conf file. Sample events retrieve data from the samples directory of the Splunk Event Generator package. For more information about the Splunk Event Generator, see the Eventgen GitHub page.

OPEN SOURCE COMPONENTS AND LICENSES

Some of the components included in "ExtraHop Add-On for Splunk" are licensed under free or open source licenses. We wish to thank the contributors to those projects. Version 2.1.0 of the ExtraHop Add-On for Splunk incorporates the following third-party software or libraries:

TROUBLESHOOTING

Note: $SPLUNK_HOME denotes the path where Splunk is installed, for example /opt/splunk.

UNINSTALL & CLEANUP STEPS

Note: $SPLUNK_HOME denotes the path where Splunk is installed, for example /opt/splunk.

SUPPORT

Contact ExtraHop Support for assistance with this app at https://www.extrahop.com/support/

COPYRIGHT

Copyright ExtraHop Networks 2022

Release Notes

Version 2.2.0
March 21, 2022
  • Converted to a polled-mode integration to collect detections.
  • Deprecated the ExtraHop Detection SIEM Connector configuration and bundle.
  • Added UI for detections input.
  • Removed Activity and Activity Groups object types for metrics input.
  • Made general usability and performance improvements.
Version 2.1.0
July 16, 2021
  • Added support for ExtraHop Cloud. Users can now configure on-prem instances as well as cloud instances from a single TA.
  • Moved the Hostname and API fields from the Inputs tab to the Configuration tab.
  • Removed the "Validate SSL Certificate" field from the UI to make the TA Splunk Cloud compatible. The default value for this field is True. To change it, navigate to $SPLUNK_HOME/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf and add validate_ssl_certificates = 0 under the additional_parameters stanza.
  • Fixed a proxy issue: the configured proxy was not being used for network calls.
  • Other minor changes to make the TA Splunk Cloud compatible.
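The 2.1.0 notes in both release-note sections above describe the only way to turn off TLS certificate validation for this add-on: a validate_ssl_certificates = 0 line under the additional_parameters stanza of the local ta_extrahop_addon_settings.conf. Because that setting no longer appears in the UI, a reviewer auditing a Splunk host can miss it. The following shell snippet is an added example, not part of the add-on, that parses that file and reports whether validation has been disabled; it assumes a POSIX awk and defaults $SPLUNK_HOME to /opt/splunk when the variable is unset. The stanza and key names come from the release notes; treating "false" as equivalent to 0 is an assumption about Splunk's boolean parsing.

```shell
#!/bin/sh
# Added example: report whether the add-on's local settings file has turned
# off TLS certificate validation. The release notes document the override as
#
#   [additional_parameters]
#   validate_ssl_certificates = 0
#
# Leaving the key absent, or setting it to 1, keeps validation enabled, which
# is the default the add-on ships with.

# Location of the local override file; /opt/splunk is the example path the
# documentation gives for $SPLUNK_HOME.
SETTINGS_CONF="${SPLUNK_HOME:-/opt/splunk}/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf"

# Print the value of validate_ssl_certificates found under the
# [additional_parameters] stanza of a .conf file, or nothing if it is unset.
# The same key under any other stanza is ignored.
validate_ssl_setting() {
    awk '
        /^\[/ { stanza = substr($0, 2, index($0, "]") - 2); next }
        stanza == "additional_parameters" && /^validate_ssl_certificates[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Return 0 when certificate validation is enabled for this add-on,
# 1 when the local file disables it.
ssl_validation_enabled() {
    conf=${1:-$SETTINGS_CONF}
    # No local override file means the shipped default (validation on) applies.
    [ -f "$conf" ] || return 0
    value=$(validate_ssl_setting "$conf")
    case "$value" in
        # 0 is the documented value; the false spellings are an assumption
        # about Splunk's .conf boolean parsing.
        0|false|False|FALSE)
            echo "WARNING: TLS certificate validation is disabled in $conf" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Usage: run with no argument to check the live add-on settings.
# ssl_validation_enabled && echo "certificate validation is on"
```

Restoring validation is a matter of deleting the line or setting it to 1 and restarting Splunk; the check above is meant for a periodic configuration audit rather than for changing the file.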
