New in RevealX: Identity-Based Threat Hunting, Detection Tuning Optimization, Deeper Integration with CrowdStrike, and High-Capacity NetFlow sensor

Every quarter, we have the pleasure of bringing you the latest and greatest developments in the ExtraHop RevealX platform. With the updates in this release, customers can fine-tune detections with a built-in optimization guide, gain extended device context by importing endpoint data from Crowdstrike Falcon, and enhance threat hunting with the ability to search records by user identity.

User Table for Search and Threat Hunting

New searchable user table within RevealX

The past several releases have included features that elevate the role of users and identities. Continuing these efforts, we're excited to announce a new User Table for search and threat hunting workflows. With the User Table, analysts can quickly gather detailed information regarding user activity on the network, derived from packet data.

Following the same intuitive design of other search functions in RevealX, the new table automatically surfaces multiple dimensions of information regarding user activity, like the number of detections associated with a given user, devices associated with users over time, the ability to pivot by records, and much more.

More Tuning Options and a Detection Optimization Guide

We've also been hard at work to enhance capabilities and user experience relating to detection tuning with two new features in this release.

First, analysts can tune database detections by table name or SQL method, and SMB detections by file name. These options allow customers to better accommodate their specific environment, cutting down on alert noise and driving more relevant detections.

In an effort to help customers better contextualize their existing tuning parameters and understand what further optimizations may be available, we’ve also launched our Detection Optimization Guide. This in-product, step-by-step guide explains advanced configuration options for improving security detections, helping both new and long-time customers understand the nuances of custom tuning with detailed recommendations.

Detection tuning and optimization guide within RevealX

Import Endpoint Metadata from CrowdStrike Falcon

We're also excited about new functionality for our widely-used integration with CrowdStrike Falcon. Customers who use both solutions tell us how much they appreciate the insights and context that endpoint and network data can provide when paired together, especially when performing confirmation and initial investigation.

This new release streamlines those workflows, giving users the ability to enhance device details in RevealX with endpoint metadata pulled from the Falcon agent.

Device detail window in RevealX showing endpoint metadata from CrowdStrike Falcon

Not only does this provide critical information in context during an investigation; it can also fill visibility gaps for situations where device information is unclear or unavailable using network telemetry alone. Administrators will need to opt-in to use the new ingest feature, which can be done using the integration tile under System Settings.

High-Capacity NetFlow Sensor

Along with this latest firmware release, we're also expanding our enterprise sensor portfolio. For scenarios where full packet capture is not feasible, customers can now deploy a high-capacity virtual NetFlow sensor—capable of handling a sustained 100,000 flows per second, with support for NetFlow v5, NetFlow v9, and IPFIX. This helps customers maintain visibility across disparate networks while still consolidating monitoring and management into a single console.

Designed for use with the Network Performance Monitoring (NPM) module, the sensor will collect and automatically summarize important flow data like response times, packet loss rates, protocol details, class of service, and more.

Visit us at RSAC 2025

ExtraHop will be at the 2025 RSAC Conference in San Francisco from April 28 to May 1. We invite you to come see us in booth N-6170 in the North expo hall to ask questions and discuss the new features in person!

Current customers can always reach out to their account managers for personalized walk-throughs of the latest release, check out release notes for more granular details, or join the customer community to discuss with peers.

And anyone who isn't a customer yet can get a demo today to discover how these new capabilities can transform your network and security operations.