SHA256 checksum (extrahop-add-on-for-splunk_210.tgz): 47c7e739d25629208e6d9b9416e5447947186b397999afef5a995b61fdf6d348
ExtraHop Add-On for Splunk

The ExtraHop Add-On for Splunk enables you to export ExtraHop Reveal(x) network detection and response metrics and detections as Splunk events. You can export metrics about any activity group, device group, or application from Reveal(x). After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations.

OVERVIEW

The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any activity group, device group, or application from an ExtraHop Discover or Command appliance. After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations.

The ExtraHop Add-On for Splunk collects 30-second metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop source type.

  • Author - ExtraHop Networks
  • Version - 2.1.0
  • Vendor Products - ExtraHop Discover Appliance, ExtraHop Command Appliance
  • Creates Index - False
  • Prerequisites - This add-on requires valid ExtraHop credentials (an API key for an on-premises appliance, or a client ID and secret for ExtraHop Cloud). For details, refer to the Configuration > Configure Account section.
  • Compatible with:
    • Splunk Enterprise version: 8.2.x, 8.1.x, and 8.0.x
    • OS: Linux and Windows
    • Browser: Safari, Chrome, and Firefox

RELEASE NOTES

VERSION 2.1.0

  • Added support for ExtraHop Cloud. You can now configure both an on-premises instance and a Cloud instance from a single TA.
  • Moved the Hostname and API Key fields from the Inputs tab to the Configuration tab.
  • Removed the "Validate SSL Certificate" field from the UI to make the TA Splunk Cloud compatible. The default value for this field is True (certificates are validated). To change it, navigate to $SPLUNK_HOME/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf and add validate_ssl_certificates = 0 under the additional_parameters stanza.
  • Fixed an issue where the configured proxy was not used when making network calls.
  • Other minor changes to make the TA Splunk Cloud compatible.

VERSION 2.0.0

  • Code migrated to Python 3
  • Removed deprecated oidsearch command.
  • Fixed a bug in extrahop-detections transform
  • Added support for custom "cyclesize", allowing 5min or 1hr metric rollups
  • Added support for network metrics
  • Added support for summary metrics for activity groups and device groups; metrics are summed for the group for each metric cycle, instead of per-device for group members
  • Added settings for custom Splunk Management API hostname and port

VERSION 1.2.2

  • Added support for ExtraHop timestamp metrics.

VERSION 1.2.1

  • Fixed issue retrieving device group metrics from Command appliances

VERSION 1.2.0

  • Added support for ExtraHop detections

VERSION 1.1.1

  • Object IDs no longer incorrect in 'extrahop' events (since 1.1.0)
  • Data for ExtraHop devices and applications now retrieved at ingest time.

(NOTE: This version changes how device data is indexed in Splunk's KV Store.
It may be useful to clean the "TA_extrahop_oiddev" collection,
but it is not necessary. This can be done by running the following command:
$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev
)

VERSION 1.1.0

  • Added the ability to specify device objects in data input definitions
  • Metric names are no longer incorrectly converted to lowercase
  • Fixed overflow error on Windows systems when calculating time intervals

VERSION 1.0.9

  • Added support for topn_tset metrics

VERSION 1.0.8

  • Fixed issue in 'extrahop' modular input schema

VERSION 1.0.7

  • Fixed issue in ExtraHop App setup handler

VERSION 1.0.6

  • Fixed issue in Retrieve Device Information saved search command 'extrahopoid'

VERSION 1.0.5

  • Added option for SSL certificate validation on data inputs
  • Added proxy support for extrahopoid command

VERSION 1.0.2

  • Added Eventgen sample files

VERSION 1.0.1

  • Fixed issue with API key retrieval

VERSION 1.0.0

  • Initial release

RECOMMENDED SYSTEM CONFIGURATION

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

This app can be set up in two ways:

  1. Standalone Mode:
    • Install the ExtraHop Add-On for Splunk.
  2. Distributed Environment:
    • Install the ExtraHop Add-On for Splunk on the search head. You do not need to configure an account or create an input in the add-on on the search head.
    • Install only the ExtraHop Add-On for Splunk on the heavy forwarder. Configure the account and create the data inputs there; the heavy forwarder is what collects data from the ExtraHop platform.
    • Create an index manually on the indexer (the ExtraHop Add-On for Splunk does not need to be installed on the indexer).

INSTALLATION

ExtraHop Add-On for Splunk can be installed through UI using "Manage Apps" > "Install app from file" or by extracting tarball directly into $SPLUNK_HOME/etc/apps/ folder.

CONFIGURATION

Configure Account

To configure an ExtraHop account, navigate to the ExtraHop Add-On for Splunk, click "Configuration", go to the "Accounts" tab, click the "Add" button, fill in the requested details, and click "Add". Field descriptions are as below:

  • Account Name* - Unique name for your account
  • Instance Type* - Instance type for data collection (On-Prem or Cloud)
  • Hostname* - Hostname of your ExtraHop instance
  • API Key - API key corresponding to your ExtraHop On-Prem account
  • Client ID - Client ID corresponding to your ExtraHop Cloud account
  • Client Secret - Client secret corresponding to your ExtraHop Cloud account

Configure proxy settings

Navigate to the ExtraHop Add-On for Splunk, click "Configuration", go to the "Proxy" tab, fill in the requested details, and click "Save". Field descriptions are as below:

  • Enable - Enable/disable the proxy
  • Proxy Type* - Type of proxy
  • Host* - Hostname/IP address of the proxy
  • Port* - Port of the proxy
  • Username - Username for proxy authentication (Username and Password must be provided together)
  • Password - Password for proxy authentication (Username and Password must be provided together)
  • Remote DNS resolution - Check this box if you want DNS names resolved by the proxy rather than locally

Note: * denotes required fields

Install the ExtraHop App for Splunk

After you install the ExtraHop Add-On for Splunk, we recommend that you install the ExtraHop App for Splunk to help you configure the ExtraHop Add-On. The ExtraHop App creates default inputs to collect metrics about HTTP, DNS, and storage activity and builds dashboards to display that information.

For more information about the ExtraHop App for Splunk, see https://splunkbase.splunk.com/app/3939/.

Create metric inputs for the ExtraHop Add-On for Splunk

You must create data inputs that collect information from an ExtraHop appliance to retrieve wire data metrics.

  1. On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
  2. Click Inputs.
  3. Click Create New Input.
  4. In the Add ExtraHop Add-On for Splunk window, specify the settings for the input.
    Note: Each input can only collect metrics for a single metric category. If you want to collect metrics for multiple categories, you must create multiple inputs.
  5. Click Add.

Create a data input for detections

The ExtraHop Add-On for Splunk contains a sourcetype for ExtraHop detections. In order to receive detections in Splunk, you must configure a data input for ExtraHop detections and configure the ExtraHop Detection SIEM Connector on your ExtraHop Command or Discover appliance.

Configure a data input in Splunk

Detection data can be sent from a Command or Discover appliance to Splunk through the syslog protocol. Complete the procedure in the Splunk documentation for getting data from a TCP or UDP port. You must set the source type value of that input to extrahop-detection.
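Two of the settings described on this page live in plain Splunk .conf files: the validate_ssl_certificates key under additional_parameters in ta_extrahop_addon_settings.conf (see the 2.1.0 release notes), and the TCP/UDP input that carries detections with sourcetype extrahop-detection. The following audit helpers are an added example, not part of the add-on; the sample .conf text is constructed, and the acceptFrom check assumes the standard Splunk inputs.conf setting of that name.

```python
"""Audit two ExtraHop Add-On settings from .conf text (offline, no Splunk needed)."""
import configparser

# Path named on this page; the file is read by the caller and passed as text.
SETTINGS_CONF = "$SPLUNK_HOME/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf"
FALSEY = {"0", "false", "f", "no", "n", "off"}

# Constructed samples: validation switched off, and two detection inputs.
SAMPLE_SETTINGS_OFF = "[additional_parameters]\nvalidate_ssl_certificates = 0\n"
SAMPLE_INPUTS = """[tcp://9514]
sourcetype = extrahop-detection
acceptFrom = 10.0.0.5
connection_host = ip

[udp://514]
sourcetype = extrahop-detection
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-style; no interpolation so '%' in values is safe.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (e.g. acceptFrom)
    cp.read_string(conf_text)
    return cp


def ssl_validation_disabled(settings_conf_text: str) -> bool:
    """True if the local conf turns off certificate validation for ExtraHop API calls.

    The add-on validates by default, so a missing stanza or key means 'on';
    only an explicit falsey value disables it (and with it, protection of the
    API key / client secret against a spoofed ExtraHop endpoint).
    """
    cp = _parse(settings_conf_text)
    value = cp.get("additional_parameters", "validate_ssl_certificates", fallback="1")
    return value.strip().lower() in FALSEY


def detection_inputs(inputs_conf_text: str) -> list:
    """Return (stanza, transport, restricted) for inputs tagged extrahop-detection.

    'restricted' is True when the stanza has an acceptFrom list, i.e. only the
    listed appliances may deliver detections on that port. UDP stanzas are
    worth a second look: UDP syslog has no handshake, so sources are spoofable.
    """
    cp = _parse(inputs_conf_text)
    found = []
    for section in cp.sections():
        if cp.get(section, "sourcetype", fallback="") != "extrahop-detection":
            continue
        transport = section.split(":", 1)[0]  # "tcp", "tcp-ssl", "udp"
        found.append((section, transport, cp.has_option(section, "acceptFrom")))
    return found
```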

Configure the ExtraHop Detection SIEM Connector

Follow the instructions on the ExtraHop Detection SIEM Connector bundle page to configure your ExtraHop appliance to send detections data to Splunk.

UPGRADE TO V2.1.0

Follow the steps below to upgrade your ExtraHop Add-On for Splunk to v2.1.0:

  • Disable all existing inputs.
  • Install the ExtraHop Add-On for Splunk v2.1.0.
  • Restart Splunk if prompted.
  • Navigate to the ExtraHop Add-On for Splunk and configure the ExtraHop account as described in the Configure Account section.
  • Edit all inputs and select the configured account in the Global Account dropdown.
  • Enable the inputs.

USER GUIDE

Data types

This add-on provides the index-time and search-time knowledge for the following types of data from the ExtraHop system:

Extrahop wire data metrics

All ExtraHop wire data metrics have a sourcetype of extrahop.

ExtraHop detections

All ExtraHop detections have a sourcetype of extrahop-detection.

Lookups

The ExtraHop Add-On for Splunk contains 2 KV store lookups: the extrahop_deviceoid_lookup and the extrahop_appuuid_lookup.

The extrahop_deviceoid_lookup adds display names, MAC addresses, and IP addresses to ExtraHop events in Splunk.

  • File location: App KV Store
  • Lookup fields: oid,discovery_id,display_name,macaddr,ipaddr4,ipaddr6,otype,hostname
  • Lookup contents: Generated from data

The extrahop_appuuid_lookup saves ExtraHop appliance UUIDs for the ExtraHop App for Splunk.

  • File location: App KV Store
  • Lookup fields: _key,uuid
  • Lookup contents: Generated from data

Splunk Event Generator

You can configure the Splunk Event Generator to create sample ExtraHop events through the ExtraHop Add-On for Splunk. Sample event generation is configured through the eventgen.conf file. Sample events retrieve data from the samples directory of the Splunk Event Generator package. For more information about the Splunk Event Generator, see the Eventgen GitHub page.

OPEN SOURCE COMPONENTS AND LICENSES

Some of the components included in "ExtraHop Add-On for Splunk" are licensed under free or open source licenses. We wish to thank the contributors to those projects. Version 2.1.0 of the ExtraHop Add-On for Splunk incorporates the following third-party software or libraries:

TROUBLESHOOTING

Note: $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk

UNINSTALL & CLEANUP STEPS

Note: $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk

SUPPORT

Contact ExtraHop Support for assistance with this app at https://www.extrahop.com/support/

COPYRIGHT

Copyright ExtraHop Networks 2021

Release Notes

Version 2.1.0
July 16, 2021