Start Demo

The Platform

Solutions

Customers

Partners

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

ExtraHop
Reveal(x) 360

Cloud-native visibility, detection, and response
for the hybrid enterprise.

Learn More

How It Works

Competitive Comparison

Integrations and Automations

Cybersecurity Services

What is Network Detection and Response (NDR)?

Cloud-Native Security Solutions

Reveal(x) Enterprise: Self-Managed NDR
caret-left Back

Solutions

Learn More

Security

Cloud

IT Ops

Use Cases

Explore By Industry Vertical
caret-left Back

Customers

Customer resources, training,
case studies, and more.

Learn More

Customer Portal Login

Cybersecurity Services

Training

ExtraHop Support
caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Learn More

Channel Partners

Integrations and Automations

Partners
caret-left Back

Blog

Learn More
caret-left Back

About Us

News & Events

Careers

Resources

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

The ExtraHop Advantage

What Is Cloud-Native?

Contact Us

caret-left Back

News & Events

Get the latest news and information.

Learn More

Take the Hunter Challenge

Upcoming Webinars and Events

caret-left Back

Careers

We believe in what we're doing. Are you ready to join us?

Learn More

Careers at ExtraHop

Search Openings

Connect on LinkedIn

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories

Remote Access Resource Hub

Network Attack Library

Protocol Library

Documentation

Firmware

Training Videos

Back Arrow Bundle Library

ExtraHop Detection SIEM Connector

Supported Bundle

Description

The ExtraHop Detection SIEM Connector supports ExtraHop integrations with security information and event management systems (SIEMs) by formatting and transmitting detection data over syslog. This bundle sends messages in LEEF 2.0 or CEF formats and can be accepted by any SIEM or system that accepts syslog input.

Note that if you install this bundle on a Command appliance, you must configure ODS Syslog targets for each connected Discover appliance and modify the trigger included in the bundle.

This bundle is required for the following third-party applications: * ExtraHop App for QRadar (LEEF) * ExtraHop Data Connector for Azure Sentinel (CEF)

This bundle can optionally send detection information to Splunk through the ExtraHop Add-On for Splunk and the LEEF connector trigger.

Requirements

  • You must have an ExtraHop Discover or Command appliance with firmware version 7.8 or later with a user account that has Unlimited (administrator) privileges
  • You must have access to a SIEM system that accepts syslog input

Installation Instructions

Install the bundle

  1. Download the bundle on this page.
  2. Upload and apply the bundle.

Configure the ExtraHop appliance

  1. Log into the Admin UI on the Discover or Command appliance where you installed the bundle.
  2. Configure an open data stream for syslog with the following parameters:
    • Name: A name to identify the SIEM server.
    • Host: The hostname or IP address of your SIEM server.
    • Port: 514.
    • Protocol: TCP or UDP.
    • The Local Time checkbox should not be selected.

Configure the trigger

  1. In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
  2. In the list of triggers, click ExtraHop Detection SIEM Connector - CEF or ExtraHop Detection SIEM Connector - LEEF.
  3. Click the Editor tab.

  4. Change the default string value in the "ods_syslog_targets" array from "target1" to the name of the ODS target. If there are multiple configured ODS targets for this trigger, you can add them as a comma-delimited list of strings in the "ods_syslog_targets" array, similar to the following example:

    const ods_syslog_targets = ["myTarget", "myTarget2"];

  5. Type the hostname or IP address of the Command or Discover appliance into the "hostname" variable, similar to the following example:

    const hostname = "host.example.com";

  6. Click Save and Close.

  7. Select the checkbox next to the ExtraHop Detection SIEM Connector trigger you modified and then click Enable.

+

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More