New Features & Capabilities in ExtraHop 7.3 and Reveal(x) | ExtraHop


ExtraHop 7.3 boldly shines a light on potential threats with powerful Reveal(x) Summer 2018 features.

Our 7.3 release notes provide a comprehensive list of new features, enhancements, and fixes for each appliance with links to the most relevant technical documentation, but here are some quick links to information about our most exciting new features.

Security Overview

Previously, we introduced a Security Dashboard to provide easy access to insights about top security metrics. For this release, we've added a Security Overview page that appears when you first log in to your Reveal(x) system. The page dynamically updates in real time as your wire data is collected and analyzed.

In addition, an activity map of your device connections appears and rotates by protocol.

Learn more about the Security Overview page.

Learn more about the Security Dashboard.

Threat Intelligence

Leverage the power of threat intelligence. Integrate with free or commercial feeds from your threat intelligence platforms by loading curated STIX files into Reveal(x) through the Admin UI or REST API. You'll be able to quickly identify any indicators of compromise from suspicious hosts, IP addresses, and URIs found in your wire data.

In addition, you can filter records that match suspicious IP addresses, hosts, and URIs that are in your threat collection and download all associated packets for further analysis.

Learn more about threat intelligence with Reveal(x).

Records + Packets

With the Explore and Trace appliances deployed, you can now download all of the packets associated with the results of a record query.

  • Find all of the packets associated with the records for a VoIP call and play back the call in Wireshark
  • Collect multiple database transactions in a single packet capture
  • Query for all of the packets for an SMB/CIFS resource and reassemble a file in case of a ransomware attack


Detections

Detections (formerly called anomalies) have leveled up in ExtraHop 7.3 and in Reveal(x) with detection markers that appear throughout the ExtraHop Web UI. These markers give you quick access to detailed metric activity that deviates from what is standard, normal, or expected on your network.

Detection markers appear in dashboard charts, protocol pages, and activity maps.

Learn more about Detections.

Session Key Logging for Packets

Traditional packet sniffers struggle to analyze encrypted packets above Layer 4. ExtraHop 7.3 introduces a unique solution for decryption, so you can finally decrypt packets without sharing long-term private keys with analysts.

By storing session keys on your Trace appliance, you can enable privileged users to download both packets and session keys from your packet query results. Then, upload the packets and keylog file into a third-party analyzer such as Wireshark to view the decrypted data.

This solution works for RSA key exchanges as well as ephemeral Diffie-Hellman key exchanges, which provide Perfect Forward Secrecy (PFS).

Learn how to store SSL session keys and download session keys with packet captures.

10G Virtual Trace Appliance for VMware (6150v)

In 7.3, we've expanded our virtual Trace appliance for VMware to 10 Gbps to maintain packet-for-packet parity with our Discover appliance.

Learn how to deploy the new ETA 6150v.

Visit our Customer Portal for upgrade options and let us know if you have any questions!

We upgraded to 7.3 yesterday on both the EDAs we have and the Reveal(x) appliance we have, and so far no issues. Some of the new features are pretty cool.