Integration: Splunk SIEM

Optimizing Your Splunk Enterprise Security With ExtraHop

Take your Splunk Enterprise Security Information and Event Management (SIEM) threat detection to the next level. Get more from your logs by adding rich context and previously inaccessible information from wire data streaming analytics provided by ExtraHop.

Splunk And Wire Data

SIEM Needs Wire Data, But Not All Wire Data Solutions Are Created Equal

Wire data enriches your Splunk Enterprise Security with deeper, more comprehensive insight—but how you capture and forward wire data to Splunk determines whether it adds value or piles on stress.

ExtraHop ensures that only high-quality, actionable data gets indexed into Splunk, and that no data is lost. It also minimizes the delay before data is searchable without complicating your Splunk environment and maintenance requirements. With ExtraHop, you can:

  • Stream wire data to Splunk Enterprise Security in a matter of minutes
  • Gain rich visibility into black boxes like BYOD and IoT devices
  • Access communication volume metrics and baselines that'll warn you of potential threats early on

ExtraHop lets you see and parse every packet first, then control precisely what gets sent to Splunk, with fully customizable triggers that also let you automate simultaneous actions—such as firing an alert or immediately blocking a firewall port via an external network access control platform.

Use Cases

DNS Exfiltration


Use ExtraHop to detect and capture the specific DNS packets that exhibit possible tunnelling behavior, then forward them to Splunk Enterprise Security for further analysis.

Shadow IT


Use ExtraHop to capture data from unreported public SaaS or on-premises applications and forward to Splunk Enterprise Security for analysis.

Incident Response & Forensics


Forward a minimum required subset of data to Splunk Enterprise Security for analysis while preserving complete records on ExtraHop for incident response and forensics if needed.

Automated Security Investigation


Use ExtraHop triggers to initiate security response (e.g. quarantining malware infected devices via a workflow orchestration platform.

SIEM Optimization


Optimize Splunk Enterprise Security license and resource utilization by using ExtraHop to filter out low quality data in real time before it is sent to Splunk.

How It Works

ExtraHop requires no agents and integrates with Splunk Enterprise Security out of the box. Built for speed and scale, ExtraHop passively analyzes every packet that flows across your enterprise at a sustained 40 Gbps, decrypting, reassembling, filtering, and extracting actionable insights before streaming that information to Splunk. Extensive support for the most commonly used enterprise applications and protocols gives you maximum visibility and choice over what wire data you can send to Splunk Enterprise Security.

How Splunk SIEM Works

 

Why Wire Data

Wire data provides an unbiased, complete, immutable, and detailed record of all communication in your environment in a way that log data cannot. Applications without logging enabled can still be monitored, and even where logging is configured, ExtraHop captures critical details not included in the logs. By supplementing your existing data sources with wire data, your SIEM can get complete visibility into everything communicating in your enterprise, enabling it to detect more threats and empowering your incident responders to discover root cause faster.

See The Power

Ready to See for Yourself?

Push to Start