Optimizing Your Splunk Enterprise Security With ExtraHop
Take your Splunk Enterprise Security Information and Event Management (SIEM) threat detection to the next level. Get more from your logs by adding rich context and previously inaccessible information from wire data streaming analytics provided by ExtraHop.
SIEM Needs Wire Data, But Not All Wire Data Solutions Are Created Equal
Wire data enriches your Splunk Enterprise Security with deeper, more comprehensive insight—but how you capture and forward wire data to Splunk determines whether it adds value or piles on stress.
ExtraHop ensures that only high-quality, actionable data gets indexed into Splunk, and that no data is lost. It also minimizes the delay before data is searchable without complicating your Splunk environment and maintenance requirements. With ExtraHop, you can:
- Stream wire data to Splunk Enterprise Security in a matter of minutes
- Gain rich visibility into black boxes like BYOD and IoT devices
- Access communication volume metrics and baselines that give early warning of potential threats
ExtraHop lets you see and parse every packet first, then control precisely what gets sent to Splunk, with fully customizable triggers that also let you automate simultaneous actions—such as firing an alert or immediately blocking a firewall port via an external network access control platform.
Use ExtraHop to detect and capture the specific DNS packets that exhibit possible tunnelling behavior, then forward them to Splunk Enterprise Security for further analysis.
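As an added illustration of the detect-then-forward pattern described above (not ExtraHop's trigger code or any Splunk tooling), the Python below scores constructed DNS query names with length and entropy heuristics and shapes only the suspicious ones as Splunk HTTP Event Collector events; the thresholds, sample records and index name are assumptions.

```python
import json
import math
from collections import Counter

# Constructed sample DNS query records (not captured traffic): two ordinary lookups,
# then two whose long, high-entropy labels look like data smuggled inside query names.
SAMPLE_QUERIES = [
    {"client": "10.0.0.5", "qname": "www.example.com", "qtype": "A"},
    {"client": "10.0.0.5", "qname": "mail.example.com", "qtype": "MX"},
    {"client": "10.0.0.9", "qtype": "TXT",
     "qname": "zq7x3k9bw2vn4tp8yr5cm1hg6lj0sdfeauoi.1k3m5p7r9t.tun.example.net"},
    {"client": "10.0.0.9", "qtype": "NULL",
     "qname": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
              ".a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.x.example.org"},
]

def shannon_entropy(text):
    """Bits of entropy per character; random-looking payloads score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def tunnelling_indicators(qname, max_label=40, max_name=100, min_entropy=3.5):
    """Return the heuristics a query name trips; an empty list means it looks benign."""
    labels = qname.rstrip(".").split(".")
    # Assumption: the last two labels are the registered domain and TLD, so only
    # the labels in front of them are scored for entropy.
    hostpart = "".join(labels[:-2])
    reasons = []
    if max(len(label) for label in labels) > max_label:
        reasons.append("long_label")
    if len(qname) > max_name:
        reasons.append("long_name")
    if len(hostpart) >= 16 and shannon_entropy(hostpart) > min_entropy:
        reasons.append("high_entropy")
    return reasons

def to_hec_events(queries, index="network", sourcetype="dns:suspicious"):
    """Keep only suspicious queries, shaped as Splunk HTTP Event Collector events."""
    events = []
    for query in queries:
        reasons = tunnelling_indicators(query["qname"])
        if reasons:  # benign lookups are dropped before they cost license or index space
            events.append({"index": index, "sourcetype": sourcetype,
                           "event": {**query, "indicators": reasons}})
    return events

if __name__ == "__main__":
    for event in to_hec_events(SAMPLE_QUERIES):
        print(json.dumps(event))  # one JSON object per line, ready for /services/collector/event
```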
Use ExtraHop to capture data from unreported public SaaS or on-premises applications and forward to Splunk Enterprise Security for analysis.
Incident Response & Forensics
Forward a minimum required subset of data to Splunk Enterprise Security for analysis while preserving complete records on ExtraHop for incident response and forensics if needed.
Automated Security Investigation
Use ExtraHop triggers to initiate security response (e.g. quarantining malware-infected devices via a workflow orchestration platform).
Optimize Splunk Enterprise Security license and resource utilization by using ExtraHop to filter out low quality data in real time before it is sent to Splunk.
How It Works
ExtraHop requires no agents and integrates with Splunk Enterprise Security out of the box. Built for speed and scale, ExtraHop passively analyzes every packet that flows across your enterprise at a sustained 100 Gbps, decrypting, reassembling, filtering, and extracting actionable insights before streaming that information to Splunk. Extensive support for the most commonly used enterprise applications and protocols gives you maximum visibility and choice over what wire data you can send to Splunk Enterprise Security.