New in RevealX: Packet Viewer, Detection Tuning Enhancements and Preview, and CrowdStrike Detection Integration

August 5, 2025

This quarter, we are excited to bring you the latest developments and capabilities focused on enhancing investigations within the ExtraHop RevealX platform.

This release introduces integrated packet analysis, detection tuning, and further integration with CrowdStrike, streamlining investigation workflows. These enhancements empower SOC teams by providing deeper forensic visibility into network packets for faster root cause analysis. They also enable precise detection tuning to reduce noise and focus on critical threats, while integrating with CrowdStrike to unify endpoint and network insights for a more comprehensive and efficient timeline view.

End-to-End Packet Analysis with New Packet Viewer

The new in-product packet viewer simplifies investigations by allowing analysts to view and analyze PCAPs directly within the platform. This reduces the need for third-party tools and manual downloads, streamlining workflows for faster, more efficient investigations and incident response.

This enhancement benefits both network and security analysts, particularly those familiar with Wireshark, and is designed to offer a seamless and intuitive transition so that they can apply their existing expertise to troubleshoot network issues and potential threats faster. With the viewer, you can pinpoint the problem and respond swiftly to avoid downtime and address malicious behaviors, all without ever having to leave the ExtraHop platform.

The viewer empowers analysts to move adeptly from high-level metadata analysis to granular examination, allowing them to drill down directly into packets in only a few clicks. Precision L7 analysis provides a comprehensive understanding of network behavior, enabling quicker identification and resolution of complex problems. By keeping all necessary functionalities within a single, unified environment, the ExtraHop platform significantly enhances productivity and streamlines the entire investigative process.

The new packet viewer allows you to analyze and dissect packet data without leaving RevealX.

Better Detection Efficacy with Tuning Preview

With the Tuning Preview feature, analysts can now test the impact of a tuning rule before it goes live, helping teams to improve detection efficacy and reduce false positives.

Detection tuning preview in ExtraHop

When creating or modifying a tuning rule to improve a detection, analysts simply click the “Preview” button to see the effect it will have in production and receive instant feedback confirming whether the tuning has achieved the desired results, without creating tuning rules that cause additional work for the SOC team or that suppress valuable detections.

The feature also adds notifications for the expiration of tuning rules, increasing transparency and eliminating the surprise of an expired tuning rule that could lead to a sudden increase in detections.

We’ve rolled out a new detector to further strengthen your defense against AD attacks: the Certsync Attack Tool Activity detection. This detection is designed to identify when an attacker is using certsync to steal NTLM hashes from an AD environment.

Finally, ExtraHop customers will start to see less noise for Ransomware Activity due to improvements in those detectors. What used to be three separate detectors (Ransomware File Extension Activity, Ransomware Note, and Ransomware Activity) is now combined into a single Ransomware Activity detector with improved tuning capabilities and better annotations.

Correlated NDR and EDR Insights with the Detection Timeline

Expanding upon the long-time ExtraHop and CrowdStrike partnership, customers can now pull EDR-based detections from CrowdStrike into the ExtraHop platform for a correlated detection timeline view that drives more informed detections.

Device detail window in RevealX showing endpoint metadata from CrowdStrike Falcon

Not only does this provide critical context to accelerate an investigation; it can also fill visibility gaps in situations where device information is unclear or unavailable from network telemetry alone.

Visit us at Black Hat 2025

ExtraHop will be at Black Hat USA in Las Vegas from August 6 to August 7. We invite you to come see us at booth #4346 in the expo hall to ask questions and demo the new features in person!

Current customers can always reach out to their account managers for personalized walk-throughs of the latest release, check out the release notes for more granular details, or join the customer community to discuss with peers.

Get a demo today to discover how these new capabilities can transform your network and security operations.

ExtraHop is on a mission to arm security teams to confront active threats and stop breaches. Our RevealX™ 360 platform, powered by cloud-scale AI, covertly decrypts and analyzes all cloud and network traffic in real time to eliminate blind spots and detect threats that other tools miss. Sophisticated machine learning models are applied to petabytes of telemetry collected continuously, helping ExtraHop customers to identify suspicious behavior and secure over 15 million IT assets, 2 million POS systems, and 50 million patient records. ExtraHop is a market share leader in network detection and response with 30 recent industry awards including Forbes AI 50, Cybercrime Ransomware 25, and SC Media Security Innovator.

Learn more at our About Us page.
