Start Demo

Products

Solutions

Customers

Resources

Company

Blog

Start the Democaret-right

Contact Uscaret-right
caret-left Back

Products

Security

Cloud

Performance

The ExtraHop Differencecaret-right

Machine Learningcaret-right

Competitive Comparisoncaret-right

Professional Servicescaret-right

Integration and Automationcaret-right
caret-left Back

Solutions

Security Operations

Cloud-Native Security

Application Analytics

Network Performance

caret-left Back

Customers

Community

Partners

Support

Training

caret-left Back

Resources

Customer Stories

Resources

Integrations

Partner Programcaret-right

Protocol Librarycaret-right

Documentationcaret-right

Firmwarecaret-right

Training Videoscaret-right
caret-left Back

Company

About Us

Careers

Newsroom

Eventscaret-right

Leadershipcaret-right

Boardcaret-right

Investorscaret-right

Partnerscaret-right
caret-left Back

Security Operations

Secure your hybrid attack surface with complete visibility, real-time detection, and intelligent response.

Learn More

Threat Detection and Response

Secure Decryption

NOC/SOC Integration

Hygiene and Compliance
caret-left Back

Cloud-Native Security

Manage risk and drive growth in AWS with an agile, cloud-native approach to cybersecurity.

Learn More

Security for AWS

Security for Azure

Security for Google Cloud Platform

Cloud Migration
caret-left Back

Application Analytics

Ensure the availability and performance of your enterprise from the cloud, to the data center, to the customer.

Learn More

Commercial Application Visibility

Customer Experience Monitoring

Application Upgrade & Cloud Migration

Edge Devices & IoT
caret-left Back

Network Performance

Take control of SDN, the cloud, and more with complete visibility, real-time detection, and intelligent response.

Learn More

Remote Site Visibility

Infrastructure Refresh

Triage & Troubleshooting

SDN & Virtualization
caret-left Back

Community

Learn about the innovative ways our customers are succeeding with ExtraHop, plus the latest news from R&D.

Learn More

Customer Stories

Solution Bundles Gallery

Community Forums

Customer Portal
caret-left Back

Partners

Explore the Panorama Partner Program, meet our channel partners, or search for a technology partner.

Learn More

Partner Portal

Channel Partners

Technology Partners
caret-left Back

Support

Compare support packages, check out our Professional Services offerings, or log into the Customer Portal.

Learn More

Support Overview

Professional Services

Documentation

Policies
caret-left Back

Training

Watch free training videos and courses, or schedule a visit from an ExtraHop expert for specialized training.

Learn More

Training Overview

Training Sessions

Back Arrow Bundle Library

ExtraHop Detection SIEM Connector

Supported Bundle

Description

The ExtraHop Detection SIEM Connector supports ExtraHop integrations with security information and event management systems (SIEMs) by formatting and transmitting detection data over syslog. This bundle sends messages in LEEF 2.0 or CEF formats and can be accepted by any SIEM or system that accepts syslog input.

Note that if you install this bundle on a Command appliance, you must configure ODS Syslog targets for each connected Discover appliance and modify the trigger included in the bundle.

This bundle is required for the following third-party applications: * ExtraHop App for QRadar (LEEF) * ExtraHop Data Connector for Azure Sentinel (CEF)

This bundle can optionally send detection information to Splunk through the ExtraHop Add-On for Splunk and the LEEF connector trigger.

Requirements

  • You must have an ExtraHop Discover or Command appliance with firmware version 7.8 or later with a user account that has Unlimited (administrator) privileges
  • You must have access to a SIEM system that accepts syslog input

Installation Instructions

Install the bundle

  1. Download the bundle on this page.
  2. Upload and apply the bundle.

Configure the ExtraHop appliance

  1. Log into the Admin UI on the Discover or Command appliance where you installed the bundle.
  2. Configure an open data stream for syslog with the following parameters:
    • Name: A name to identify the SIEM server.
    • Host: The hostname or IP address of your SIEM server.
    • Port: 514.
    • Protocol: TCP or UDP.
    • The Local Time checkbox should not be selected.

Configure the trigger

  1. In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
  2. In the list of triggers, click ExtraHop Detection SIEM Connector - CEF or ExtraHop Detection SIEM Connector - LEEF.
  3. Click the Editor tab.

  4. Change the default string value in the "ods_syslog_targets" array from "target1" to the name of the ODS target. If there are multiple configured ODS targets for this trigger, you can add them as a comma-delimited list of strings in the "ods_syslog_targets" array, similar to the following example:

    const ods_syslog_targets = ["myTarget", "myTarget2"];

  5. Type the hostname or IP address of the Command or Discover appliance into the "hostname" variable, similar to the following example:

    const hostname = "host.example.com";

  6. Click Save and Close.

  7. Select the checkbox next to the ExtraHop Detection SIEM Connector trigger you modified and then click Enable.

+

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More