back caretBlog

Who's Within Your Firewall?

Use ExtraHop Reveal(x) with Palo Alto Networks to detect and contain late stage attacks

While opportunistic attacks are easily blocked, targeted and advanced attacks need multiple indicators to contain and disposition confidently. Identifying activities across systems, segments, applications, and users takes skill and time, usually more time than the attack's own successful execution.

This week at Palo Alto Ignite, we're excited to demonstrate a new integration that shows the power of network prevention, detection, and response working together in an integrated workflow. As part of the Palo Alto Networks Application Framework, ExtraHop's forthcoming Palo Alto integration takes advantage of Palo Alto's cloud-based Application Framework to capture firewall and threat events with a high risk score and hand off for contextual analysis in ExtraHop Reveal(x). This integration will provide a short-cut for investigations and short-circuit attacks throughout the attack chain.

With ExtraHop metrics and records correlated with firewall and threat data, users have access to rich and real-time data about activities within the network during the later stages of an attack. Unlike the limitations of the L2-L4 connection logs that the Security Operations Center (SOC) would typically get from a firewall, Reveal(x) captures, decodes, reassembles, structures, and indexes L2-L7 data for more than 50 protocols, showing an entire session with its component transactions within one record. This context of interactions – methods used, files accessed, systems involved – provides unique visibility to support live investigation and threat hunting:

Palo Alto High Severity Events in ExtraHop Click image to zoom

For example, a device making calls to known bad websites or communicating on unusual ports might be quarantined by the Palo firewall. A log for the event is passed to ExtraHop Reveal(x) to spark an analyst to explore East-West activities, such as connections to databases, application interactions, port scans, and lateral movement. By identifying the host's other actions, the analyst can scope out the progress and intent of the attack and identify other systems that may have also been compromised:

Palo Alto Events by Device/Group in ExtraHop Click image to zoom

Response activities can feed directly back to Palo Alto systems, to ticketing and case management systems, or into an orchestration. At Palo Alto Ignite, ExtraHop is also demonstrating integration and containment using Phantom and the Palo Alto Phantom app.

Here's ExtraHop's Chase Snyder talking about the power of Palo Alto and ExtraHop Reveal(x):


For more information, visit ExtraHop in the Palo Alto Ignite Innovation Sandbox at the Anaheim Convention Center, or contact your sales engineer.

With unprecedented visibility at scale, high-fidelity machine learning, and an automated investigation workflow, ExtraHop is already in use by many of the world's leading enterprises to intelligently secure their businesses and customer data. Our open approach facilitates integrations with leaders such as Palo Alto Networks, Splunk, ServiceNow, and Phantom, as well as customized integrations to adapt to each enterprise infrastructure.

The Open Data Stream allows organizations to easily export wire data from ExtraHop into other analytics platforms, and our Open Data Context API, which pulls data from third-party sources into the ExtraHop platform, supports contextual, 360 degree visibility across the hybrid enterprise environment.

You can learn about more options for integration at

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed