Integration: Phantom

Automate and orchestrate rapid security investigation, response, and remediation workflows.

Rich Wire Data Insights Meet Simple, Powerful Automation

ExtraHop Reveal(x) provides a uniquely rich, real-time data source by turning unstructured packets into structured wire data and analyzing it in real time. Based on this data, you can use Phantom to confidently automate security workflows and investigations and orchestrate precise, rapid responses to security threats more effectively than ever before.

Automate Investigations. Orchestrate Responses. Stop Threats Faster.

ExtraHop Reveal(x) automatically discovers and classifies all devices and their interactions in your environment, and uses machine learning to develop a baseline of what's normal in your environment. This data can be an asset to enrich your existing security platforms and enhance your overall operational intelligence, and can enable new, more effective automated response workflows.

In Phantom, Reveal(x) can provide unique data and insights because of the breadth of visibility afforded by wire data, combined with ExtraHop's uniquely deep visibility into application layer (L7) communications. Phantom can use these insights to kick off workflows that quarantine infected clients, increase the level of monitoring on suspicious endpoints, or automatically investigate potential data breaches.

Use Cases

Automate Investigations

Reveal(x) detects anomalies, conducts real-time analytics, and captures full packets in a single workflow. With Phantom, you can kick off automated response workflows with the confidence that full forensic evidence is available at any time.

Encryption Compliance Enforcement

Detect systems using weak encryption like SSLv3 or TLSv1.0 in your environment and automatically cut off their communications until encryption is upgraded to a secure ciphersuite.
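The decision step of such a playbook, as an added example that is not ExtraHop's or Phantom's code: it screens TLS session records for the weak protocol versions named above plus known-weak cipher suites and plans one isolation action per offending server. The record fields, sample sessions and action name are constructed for this example, not Reveal(x)'s real schema or Phantom's real action names.

```python
"""Added example: compliance screening of TLS sessions for a playbook."""

# Protocol versions the use case above treats as non-compliant.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
# Substrings that identify cipher suites no compliant server should offer.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")

# Constructed sample of wire-data session records (hypothetical field names).
SESSIONS = [
    {"client": "10.0.1.15", "server": "10.0.2.40", "protocol": "TLSv1.2",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    {"client": "10.0.1.22", "server": "10.0.2.40", "protocol": "TLSv1.0",
     "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA"},
    {"client": "10.0.1.9", "server": "10.0.2.51", "protocol": "TLSv1.2",
     "cipher": "TLS_RSA_WITH_RC4_128_SHA"},
    {"client": "10.0.1.30", "server": "10.0.2.77", "protocol": "SSLv3",
     "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
]


def weak_reasons(session):
    """Return the compliance findings for one session (empty list if clean)."""
    reasons = []
    if session["protocol"] in WEAK_PROTOCOLS:
        reasons.append(f"weak protocol {session['protocol']}")
    cipher = session["cipher"]
    hits = [m for m in WEAK_CIPHER_MARKERS if m in cipher]
    if hits:
        reasons.append(f"weak cipher {cipher} ({', '.join(hits)})")
    return reasons


def plan_actions(sessions):
    """Group findings per server so the playbook acts on each host once.

    Returns {server: {"action": ..., "reasons": [...]}}; compliant servers
    are omitted. The action name is a constructed placeholder."""
    plan = {}
    for s in sessions:
        reasons = weak_reasons(s)
        if not reasons:
            continue
        entry = plan.setdefault(
            s["server"], {"action": "isolate_until_upgraded", "reasons": []})
        for r in reasons:
            if r not in entry["reasons"]:
                entry["reasons"].append(r)
    return plan


if __name__ == "__main__":
    for server, entry in plan_actions(SESSIONS).items():
        print(server, entry["action"], "; ".join(entry["reasons"]))
```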

Monitor Critical Assets

Reveal(x) already monitors all your assets and focuses extra scrutiny on the most critical ones, but criticality of an asset can change. Via Phantom, you can automatically maintain visibility and respond to actions against your most critical assets.

What Reveal(x) Does

ExtraHop Reveal(x) analyzes wire data to discover and classify every asset communicating in your environment, and uses machine learning to develop a running baseline for what normal behavior looks like. Reveal(x) provides rich data about every asset, and can do even deeper analysis on assets defined as critical: databases, file servers, and anywhere sensitive data is stored or communicated. Reveal(x) sees who's acting on your critical assets, and what they're doing, right down to the DB queries or file manipulation commands they're executing.

When something abnormal happens that indicates a security threat, an anomaly is recorded and mapped to a step of the attack chain. These anomalies are easily accessible in the user interface, or can be delivered as alerts through the user's preferred channel. Every relevant transaction and even full packets related to any anomaly are captured and accessible with a click.

Reveal(x) Workflow

What Phantom Does

Phantom provides a simple, drag-and-drop (really!) interface for automating workflows across hundreds of services and thousands of systems. Reveal(x) provides wire data insights about your critical assets and potential attacks in progress in your environment. This data can be used to accelerate your current investigation processes, automate away slow, tedious steps, and automate rapid responses so that attacks can be stopped in action, or investigated soon enough to prevent further damage.

ExtraHop and Phantom connect through simple, powerful REST APIs, making it simple to build and iterate new use cases to get the most value for the least effort, a vital capability for stretched-thin enterprise security teams.

Why Wire Data

Wire data provides an unbiased, complete, immutable, and detailed record of all communication in your environment in a way that log data cannot. Applications without logging enabled can still be monitored, and even where logging is configured, ExtraHop captures critical details not included in the logs. By supplementing your existing data sources with wire data, your SIEM can get complete visibility into everything communicating in your enterprise, enabling it to detect more threats and empowering your incident responders to discover root cause faster.
