Use Cases for Extrahop



So I was asked recently about how I use Extrahop\Revealx. it made me start thinking about all the things we use it for. And the list continued for a long time. I would be interested in hearing use cases that other people are using it for. But here is a list of some that we use it for.

DNS Monitoring
DNS trouble shooting
Application Time out trouble shooting
Vendor Trouble shooting
SMTP Trouble shooting
Change verification
Certificate Expiration management
Brute force detection
Lateral Movement detection
ransomware detection
SMB version detection
SMB version removal
SSL Suite Verification and removal
SSL Version verfication and removal
SQL query performance
Active sync metrics
Active directory trouble shooting
Password failed logon detection and trouble shooting
Web analytics
Web error detection
Web site error detections
File write and read failures
Citrix performance detection
OWA failures
Exchange EWS failures
ICMP port unreachable detection
Working on PMTUD detection
File deletes and renames
FTP Monitoring
DHCP monitoring
VIOP Monitoring and alerting
There are many more things we use this for but this is a start. I want to know what others are doing.


I’m an IT Security Engineer, and in the unique position of being both an employee of ExtraHop and also a heavy user of the product. I visit the ExtraHop community forum to learn how other users are leveraging ExtraHop across both IT and security. It’s a great resource for tips, tricks, and best practices. As a longtime forum lurker, I decided that it’s time to share some of my own experiences.

At ExtraHop, we use the product in much the same way that many of you do. We use Reveal(x) to manage our security posture and hygiene (including managing a TON of SSL certificates and certificate expirations). We’ve “assisted” our VoIP provider by providing metrics that helped them troubleshoot their own system (one of my favorite use cases). I’ve personally used our product to nail down some DNS and database behaviors that really stymied us, as well as an intermittent issue with our internal ticketing and project management software. I was also a member of our Incident Response team looking into our browser plugin issue. Take a look at:

That’s just the tip of the iceberg. We also use it for all kinds of other things, including:

Active directory troubleshooting
Password failed logon detection and troubleshooting
Web analytics
Web site error detections
Atlas Service connection routing and troubleshooting
DNS and DHCP monitoring
Slow internal server response times
Reveal(X) alerting and Detections that create tickets for our team
Public facing traffic inspection and brute force identification
SSL cipher and certificate tracking
CIFS / Ransomware detection
Clear text HTTP authentication

I’ve built a few custom triggers and metrics around remote access auditing and plain text HTTP authentication. I have at least 50 dashboards from bundles and custom metrics.

Any questions for me? Fire away. Any suggestions? Send them my way! As always, I look forward to seeing what you all post.