The ExtraHop Detection SIEM Connector supports ExtraHop integrations with security information and event management systems (SIEMs) by formatting and transmitting detection data over syslog. Messages are sent in LEEF 2.0 format and can be accepted by any SIEM or system that accepts syslog input. This bundle can be installed on either a Command appliance or Discover appliance.
Note that if you install this bundle on a Command appliance, you must configure ODS targets for each connected Discover appliance and modify the trigger included in the bundle.
- You must have an ExtraHop Discover or Command appliance with firmware version 7.5 or later and a user account that has Unlimited (administrator) privileges.
- You must have access to a SIEM system that accepts syslog input.
Install the bundle
- Download the bundle on this page.
- Upload and apply the bundle.
Configure the ExtraHop appliance
- Log into the Admin UI on the Discover or Command appliance where you installed the bundle.
- Configure an open data stream for syslog with the following parameters:
  a. Name: A name to identify the SIEM server.
  b. Host: The hostname or IP address of your SIEM server.
  c. Port: 514.
  d. Protocol: TCP or UDP.
  e. Local Time: Leave this checkbox unselected.
Configure the trigger
- In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
- In the list of triggers, click ExtraHop Detection SIEM Connector.
- Click the Editor tab.
- Change the default string value in the "ods_syslog_targets" array from "target1" to the name of the ODS target you configured. If multiple ODS targets are configured for this trigger, add them as a comma-delimited list of strings in the "ods_syslog_targets" array, similar to the following example:
const ods_syslog_targets = ["myTarget", "myTarget2"];
- Type the hostname or IP address of the Command or Discover appliance into the "hostname" variable, similar to the following example:
const hostname = "host.example.com";
- Click Save and Close.
- Select the checkbox next to the ExtraHop Detection SIEM Connector trigger and then click Enable.
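As an added illustration, not the bundle's own trigger code, the following Node.js snippet shows what a LEEF 2.0 detection message looks like and how one message is fanned out to every entry in "ods_syslog_targets". The detection field names, the Vendor/Product/Version header values and the send() callback are assumptions standing in for the ExtraHop trigger API.

```javascript
// Added example: builds a LEEF 2.0 syslog payload from a detection record and
// sends one copy per configured ODS target. The fields on `detection`, the
// vendor/product/version header values and send() are assumptions; the real
// bundle calls the ExtraHop trigger API instead.
const ods_syslog_targets = ["myTarget", "myTarget2"];
const hostname = "host.example.com";

// LEEF header fields may not contain the '|' separator, so escape it.
function escapeHeader(value) {
  return String(value).replace(/\|/g, "\\|");
}

// LEEF 2.0 layout: LEEF:2.0|Vendor|Product|Version|EventID|delim|key=value<delim>...
// Tab (0x09) is the default attribute delimiter; it is declared explicitly as
// "x09" so the SIEM parser does not have to guess.
function buildLeefMessage(appliance, detection) {
  const header = ["LEEF:2.0", "ExtraHop", "Detection SIEM Connector", "1.0", detection.type, "x09"]
    .map(escapeHeader)
    .join("|");
  const attrs = {
    devTime: detection.startTime,                 // ISO-8601 timestamp
    devTimeFormat: "yyyy-MM-dd'T'HH:mm:ss'Z'",
    sev: Math.min(10, Math.ceil(detection.riskScore / 10)), // LEEF sev is 1..10
    src: detection.offender,
    dst: detection.victim,
    title: detection.title,
    sensor: appliance,                            // the "hostname" variable
  };
  const body = Object.entries(attrs)
    .map(([k, v]) => `${k}=${String(v).replace(/\t/g, " ")}`) // keep values delimiter-free
    .join("\t");
  return `${header}|${body}`;
}

// Fan the same message out to every configured target. send(target, msg) is a
// stand-in for the trigger call that writes to a named open data stream.
function forwardDetection(detection, targets, send) {
  const msg = buildLeefMessage(hostname, detection);
  for (const target of targets) send(target, msg);
  return msg;
}

// Constructed sample detection (not real data).
const sampleDetection = {
  id: 42, type: "port_scan", title: "Port Scan", riskScore: 63,
  startTime: "2024-01-02T03:04:05Z", offender: "10.0.0.5", victim: "10.0.0.9",
};
```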