ExtraHop decodes the following enterprise protocols with real-time fluency at the application layer. Protocol modules offer varying levels of analysis, starting with L7 classification, and Application Inspection Triggers allow you to create a custom metric.
Of particular interest to SecOps analysts, Reveal(x) analyzes application-layer metadata for databases, Active Directory, web, SSL, and storage systems:
Database: RDBMSs: Oracle, Microsoft SQL Server, MySQL, PostgreSQL, Informix, Sybase, and DB2. NoSQL databases: MongoDB, Memcached, Redis, Riak. Extracted metadata includes transaction timing, table/user access patterns, query errors, SQL queries and responses, and system-level commands.
Identity and Access Management: Active Directory visibility, including monitoring of NTLM, Kerberos, LDAP, MSRPC, WinRM, SMBv3, and DNS for privileged identities and service accounts, improves detection and facilitates audits. Reveal(x) extracts metadata including user/computer account activity, invalid or expired passwords, new privileged access, privileged access errors, DNS SRV lookups, LDAP binds, plain-text HTTP authentications, unknown SPNs, and forged Kerberos ticket detection.
Storage: Metadata extraction for all NAS and SAN transactions (iSCSI, NFS, and CIFS) enables machine learning detections based on actual file details and equips security analysts to track file access patterns and detect ransomware activity by examining file extensions and WRITE operations.
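The storage paragraph describes a detection approach rather than giving one: watch file-level WRITE (and DELETE) operations per client on NAS/SAN shares and flag the burst-plus-suspicious-extension pattern that bulk encryption produces. The following is an added example in plain Python, not ExtraHop code and not the Application Inspection Trigger API; the transaction record format, the extension list, the thresholds and the sample records are all constructed assumptions for illustration.

```python
"""Flag ransomware-like file activity in NAS/SAN transaction records.

Added example, not ExtraHop's code. Assumes each storage transaction is
available as (timestamp, client_ip, protocol, operation, path); the
extension list and thresholds below are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed list of extensions associated with encrypted copies of files.
# In production this would come from threat intelligence and be kept current.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}


def build_sample_records():
    """Constructed sample of CIFS transactions, one tuple per operation."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    records = []
    # Benign workstation: a handful of reads and writes to ordinary documents.
    for i in range(5):
        records.append((t0 + timedelta(seconds=i * 10), "10.0.0.5", "CIFS",
                        "READ", f"/finance/report{i}.xlsx"))
        records.append((t0 + timedelta(seconds=i * 10 + 3), "10.0.0.5", "CIFS",
                        "WRITE", f"/finance/report{i}.xlsx"))
    # Suspicious host: within 30 seconds it reads each document, writes a
    # .locked copy and deletes the original, the classic encryption footprint.
    for i in range(30):
        ts = t0 + timedelta(seconds=i)
        records.append((ts, "10.0.0.77", "CIFS", "READ", f"/shared/doc{i}.docx"))
        records.append((ts, "10.0.0.77", "CIFS", "WRITE", f"/shared/doc{i}.docx.locked"))
        records.append((ts, "10.0.0.77", "CIFS", "DELETE", f"/shared/doc{i}.docx"))
    return sorted(records)


def file_extension(path):
    """Lower-cased final extension of a path ('' if none)."""
    return os.path.splitext(path)[1].lower()


def detect_ransomware(records, window=timedelta(seconds=60),
                      min_writes=20, min_suspicious=5):
    """Return {client_ip: alert} for clients whose WRITEs inside a sliding
    time window look like bulk encryption: many writes, of which at least
    min_suspicious target distinct files carrying a suspicious extension.
    DELETEs are counted as supporting context, not as a trigger on their own."""
    recent_writes = defaultdict(deque)   # client -> deque of (ts, path) in window
    deletes = defaultdict(int)           # client -> DELETE operations seen so far
    alerts = {}
    for ts, client, proto, op, path in sorted(records):
        if op == "DELETE":
            deletes[client] += 1
            continue
        if op != "WRITE":
            continue
        q = recent_writes[client]
        q.append((ts, path))
        # Drop writes older than the window so a slow, steady writer never alerts.
        while q and ts - q[0][0] > window:
            q.popleft()
        suspicious = {p for _, p in q if file_extension(p) in SUSPICIOUS_EXTENSIONS}
        if (client not in alerts and len(q) >= min_writes
                and len(suspicious) >= min_suspicious):
            alerts[client] = {
                "protocol": proto,
                "window_start": q[0][0],
                "triggered_at": ts,
                "writes_in_window": len(q),
                "suspicious_files": len(suspicious),
                "deletes_so_far": deletes[client],
            }
    return alerts


if __name__ == "__main__":
    for client, alert in detect_ransomware(build_sample_records()).items():
        print(client, alert)
```

The thresholds are deliberately two-dimensional: a high write rate alone matches backups and build servers, and a suspicious extension alone matches a single user renaming a file, so the alert requires both within one window. A real deployment would also key on the share or volume, track rename operations, and tune the window and counts against the site's normal WRITE baseline.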