How does the ECM portray data?



My company is thinking about getting an ECM for our deployment of ExtraHop for a new client. The reason for my question is that the old and the new clients have completely different data that needs to be analyzed. It would be great if we could have a centralized ExtraHop view where it would show both clients’ ExtraHop results at the same time. My question is, does it take all of the data and just place it in the metrics like a Discovery addition would? Or does it take both clients’ data and separate it so you can see Client 1 on one half of the screen and Client 2 on the other half of the screen? I understand that customizing your dashboards would help in this regard, but I mean the actual data itself being recorded. Is this separated by the ECM? For example, if I wanted to look at TCP traffic, would it show the combined traffic of both clients? Or would it have results saying “TCP traffic for client 1:” and “TCP traffic for client 2:”?


This is a great question, @pdaubman. The ECA (as it is now called), or the “Command Appliance,” doesn’t actually store any metrics. As soon as you load a dashboard, device, or other page, the ECA executes API calls to the EDA nodes (Discover Appliances) and then displays the data holistically.

Now, that’s not to say you can’t separate the data. Each device is tagged with the node ID that discovered it, so you can somewhat separate your data. But it can be tedious, and for those who are not familiar enough with it, it could cause some confusion. The ECA isn’t meant to manage multi-tenancy, but rather to aggregate the data between multiple EDAs. Because of this, it may not work 100% the way you want it to.

But, if you want to manage multiple clients, and the clients are not going to have access to it, here are some pointers:

1). Enable Tunnel mode to the EDAs. This will allow your technicians who may not have direct access to the client box to tunnel to it from your ECA, as if they were local. This would be the recommended way to manage the remote box.

2). You can build dynamic groups based on the Node ID. So, if you want to see ALL DEVICES from client 1, you can create a group with the criterion “node” and enter the node ID. This will group/aggregate all the devices from that node into a single group.

3). If you do build specific dashboards, keep in mind that duplicate devices can exist. A device called Exchange1 at client 1 and a device called Exchange1 at client 2 can happen. This is because they are separated by node IDs. As you select devices, make sure you are selecting the device from the correct node.

Does this answer your question or help with your understanding?
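The answer above describes the ECA as a pass-through aggregator: it pulls device records from each EDA node, tags each record with the node ID that discovered it, and presents the union, which is why the same device name can appear once per node and why a node-based dynamic group is the way to see one client at a time. The following Python model, added here as an illustration and not ExtraHop's own code or REST API, simulates that behaviour on constructed data: two nodes, a name collision on Exchange1, a node-scoped group, per-node versus combined TCP totals, and a lookup that refuses an ambiguous device name unless it is qualified with a node ID. All node IDs, device names, addresses and byte counts are invented for the example.

```python
from collections import defaultdict

# Constructed sample data: what each Discover appliance (EDA) would report for
# its own devices. Node IDs, names, addresses and byte counts are invented.
NODE_DEVICES = {
    1: [  # client 1's EDA
        {"name": "Exchange1", "ipaddr": "10.1.0.10", "tcp_bytes": 120_000},
        {"name": "web01", "ipaddr": "10.1.0.20", "tcp_bytes": 45_000},
    ],
    2: [  # client 2's EDA
        {"name": "Exchange1", "ipaddr": "10.2.0.10", "tcp_bytes": 80_000},
        {"name": "db01", "ipaddr": "10.2.0.30", "tcp_bytes": 10_000},
    ],
}


def fetch_devices(node_id):
    """Stand-in for the per-node API call the ECA makes (hypothetical, offline)."""
    return [dict(d) for d in NODE_DEVICES[node_id]]


def aggregate(node_ids):
    """The holistic view: every device from every node, tagged with node_id.

    Nothing is merged or deduplicated; records from different nodes stay distinct.
    """
    devices = []
    for node_id in node_ids:
        for d in fetch_devices(node_id):
            d["node_id"] = node_id
            devices.append(d)
    return devices


def dynamic_group(devices, node_id):
    """Equivalent of a dynamic group whose only criterion is node == node_id."""
    return [d for d in devices if d["node_id"] == node_id]


def tcp_bytes_total(devices):
    """A metric over whatever set of devices you hand it: combined if you pass
    the full aggregate, per-client if you pass a node-scoped group."""
    return sum(d["tcp_bytes"] for d in devices)


def duplicate_names(devices):
    """Device names that exist on more than one node, mapped to those nodes."""
    nodes_by_name = defaultdict(set)
    for d in devices:
        nodes_by_name[d["name"]].add(d["node_id"])
    return {n: sorted(nodes) for n, nodes in nodes_by_name.items() if len(nodes) > 1}


def select_device(devices, name, node_id=None):
    """Pick one device by name; refuse if the name is ambiguous across nodes.

    Mirrors the advice to select the device from the correct node when a
    dashboard references a name that exists at more than one client.
    """
    matches = [
        d for d in devices
        if d["name"] == name and (node_id is None or d["node_id"] == node_id)
    ]
    if len(matches) != 1:
        raise LookupError(
            f"{name!r} matches {len(matches)} devices; qualify it with node_id"
        )
    return matches[0]


if __name__ == "__main__":
    view = aggregate([1, 2])
    print("devices in ECA view:", len(view))
    print("combined TCP bytes:", tcp_bytes_total(view))
    for node in (1, 2):
        print(f"TCP bytes for node {node}:", tcp_bytes_total(dynamic_group(view, node)))
    print("names on more than one node:", duplicate_names(view))
    print("Exchange1 at node 2:", select_device(view, "Exchange1", node_id=2)["ipaddr"])
```

The point the model makes concrete: `tcp_bytes_total(view)` is the only number the plain aggregate gives you; the per-client split the question asks for exists only when you scope to a node-based group first, and any dashboard widget that picks devices by name alone will hit the `LookupError` case for names shared across clients.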