Send ExtraHop ML Security Detections To Splunk

ExtraHop Reveal(x) is great at Security Detections. I recommend running Firmware v7.8.2+. In Reveal(x) currently you cannot create new custom dashboards because the ML Detections are not available metrics. There are also no available trending dashboards out of the box. If you are interested in this capability you can you use a custom trigger and send ML Detections to your SIEM. :fire:

I have attached my EH ML Detections To Splunk Bundle. It includes a simple Trigger to send ML events to Splunk. I have also attached my Splunk custom dashboard for the ML detections.

You must make sure that you configure Splunk as a Syslog target in your Reveal(x) appliance.

@canalesjj

www.linkedin.com/in/canalesj

EH ML Detections To Splunk v1.txt (2.4 KB)
EH ML Detections To Splunk Dashboard V1.txt (12.1 KB)

  • I liked this post
  • I didn’t like this post

0 voters

2 Likes

To use the attached Splunk dashboard you must create an “ExtraHop“ index feed. I use Syslog from ExtraHop to Splunk. Create a new Splunk dashboard, name it something cool like “ExtraHop ML Detections Dashboard V1”. Hit edit source and paste the XML from my attached sample dashboard file. Hit save and your done.:fire:

All

I recommend you also review my article on how to display real-time ExtraHop ML Detections to a mobile Device. :fire:

ExtraHop ML Detections On Mobile

This is awesome-- I set this up in my lab and put together a walk through video. Nice Work!

1 Like

Really cool video rattmaul! One correction is that ExtraHop API documentation states that the ML Security Detection Events fire on every ML detection regardless of device assignment. Note however that if you create detection rules to hide detections on devices it will not trigger. I have some ideas on how to fix this but in some cases this may be the desired outcome if you want to reduce the noise in Splunk. Stay tune for the next version. :fire: