Professional Services Highlights

On-site Advanced Training utilizes live customer data. It provides a deep dive into relevant ExtraHop protocol metrics, including TCP, and covers hands-on creation of multi-tiered application dashboards. It focuses on customizations that extend the platform such as alternative device discovery, trend alerts and multi-criteria triggers (including integrating ExtraHop data with external sources) and demonstrates how to utilize and create solution bundles. Advanced Training includes an overview of best configuration practices, administration and maintenance of the ExtraHop ecosystem.

This session provides an in-depth look at one protocol relevant to your environment. Different pivots on the metrics (apps vs Groups). We review the metrics ExtraHop collects and what they mean in the context of your environment. We discuss correlation between metrics and how to diagnose a problem or identify an improvement opportunity based on the data. We pivot on different views into the protocol (groups vs application containers) and create dashboards to show how best to visualize the health and performance of that protocol in your environment.

ExtraHop automatically discovers and classifies devices it sees communicating on the wire. In this session we explain ExtraHop's default device discovery process and the properties associated with a device. We explore which peers a device is communicating with, what protocols are in use, when a device acts as a client or a server and whether the device activity is normal or not. We demonstrate how to interpret the L2-L7 metrics and charts to help you determine if a device is having an issue, or if it is an application or network problem. We view the default device groups ExtraHop creates based on role or L7 protocol, and we create custom device groups based on a narrower scope, such devices that support one business application. We extend the discussion to customizing devices, such as changing device properties, creating custom devices and remote networks, and explain device limits and whitelisting.

Records are structured information about transaction, message, and network flows. This training provides a comprehensive review of accessing and searching records. We demonstrate how to view records, change record types, sort and group information and switch views. We show how to utilize the Visual Query Language to easily scope and filter results.

Application Inspection Triggers are the primary way of extending the ExtraHop platform. This session will cover the basics of planning and creating triggers. We will discuss when to write a trigger, view trigger resources and create a basic trigger. We will gradually build on that trigger to illustrate how to build application containers, add multiple criteria and events to the trigger and optimize the performance of the trigger. We will also discuss how to generate a packet capture, populate EXA records and how to use Open Data Stream (ODS) to integrate with third-party systems.

Overview pages enable you to quickly evaluate the scope of suspicious activity on your network, learn about protocol activity and device connections, and investigate inbound and outbound traffic on your network. In this training session we focus on high-level visibility into the security detections that have fired in your environment in order to determine which detections or devices to investigate first, and review any relevant threat briefings about industry-wide security events. We explore common network health and security hygiene metrics which might signal weaknesses or issues in network performance or potentially suspicious activity. We view total active devices and common protocols in use, and traffic entering and leaving your network through connections with external endpoints.

Detection tuning enables you to better control which detections are visible or generated for your network. In this session we focus on the use cases and prerequisites for creating detection rules to hide detections based on the specific victim or offender or both, after the behavior has been investigated. We discuss how to manage detection rules and view hidden detections. We review the use of configuration settings and custom parameters- such as network localites, trusted domains, approved DNS and HTTP communications and more- to further scope and refine the detections that get generated. In addition we illustrate the use of the acknowledgement feature as part of detection investigation workflows. (NOTE: full write permission is required for this session).

The System Health page provides a large collection of charts that enable you to make sure that your system is running as expected, to troubleshoot issues, and to assess areas that are affecting performance. We will discuss data for ingest rate, device count observations, monitor Trigger load and exceptions, follow Open Data Stream and Recordstore transmissions, view historical lookback estimates and any indicators of a sub-optimal feed. We will review system health features on the administration page and demonstrate how to alert on system health data and monitor specific metrics of interest in custom dashboards (NOTE: system admin permission is required for portions of this training).