Reveal (X) Protocol Datasheet

The document discusses how the ExtraHop Reveal(x) product is fluent in over 50 application layer protocols, allowing it to extract metadata and detect threats. It can understand real-time communications contents and uses that to detect threats, identify critical assets, quantify risk, and enable investigations. Specific protocols supported are listed and the benefits of protocol fluency are explained.

PROTOCOL FLUENCY

FLUENT IN THE APPLICATION PROTOCOLS THAT YOUR BUSINESS RUNS ON

ExtraHop Reveal(x) speaks the same language as the applications that run your business. Reveal(x) can understand the content of
communications as they occur in real time, and use that understanding to detect threats, identify critical assets, quantify risk, and
enable the SOC to execute rapid, effective investigations all the way down to forensic-level data inside application transactions
and decrypted packets.

PROTOCOLS SUPPORTED
AAA: Diameter
AAA: RADIUS
ActiveMQ
AJP
ARP
BitTorrent
CIFS
Citrix ICA*
Cryptocurrency mining protocols
Database: DB2
Database: Informix
Database: Microsoft SQL
Database: MongoDB
Database: MySQL
Database: Oracle
Database: Postgres
Database: Redis
Database: Riak
Database: Sybase
Database: Sybase IQ
DHCP
DICOM*
DNS
DSCP
FIX*
FTP
GRE
HL7 (including FHIR and ICD-9/10)*
HTTP-AMF
HTTP/S
IBM MQ
ICMP
ICMP6
IEEE 802.1X
IKE
IMAP
IPSEC
IPX
IRC
ISAKMP
iSCSI
Kerberos
L2TP
LACP
LDAP
LLDP
Memcache
Modbus
MPLS
MS-RPC
MSMQ
Netbios
NFS
NTLM
NTP
OpenVPN
PCoIP
POP3
PPTP
RDP
RFB (VNC)
Skinny (SCCP)
SMPP*
SMTP
SNMP
SSH
SSL
STP
Syslog
TCP
Telnet
VNC
VoIP: RTCP*
VoIP: RTCP XR*
VoIP: RTP*
VoIP: SIP*
WebSocket
LLMNR
WMI
WSMAN

*Available as add-ons
Reveal(x)
What Protocol Fluency Means for You

Reveal(x) collects application layer metadata, via decoding and full payload analysis of more than 50 Layer 7 protocols, to derive
4,600+ features for user, application, and device activity. Our machine learning and detection models index this metadata for feature
extraction as well as anomaly and other behavioral detections. The richness of this application-layer metadata enables Reveal(x) to
detect malicious activities at each stage of the attack lifecycle that other products – which rely on flow-level information – cannot.

Of particular interest to SecOps analysts, Reveal(x) analyzes application-layer metadata for databases, Active Directory, DNS, web,
SSL, and storage systems:

DATABASE: RDBMSs: Oracle, Microsoft SQL Server, MySQL, PostgreSQL, Informix, Sybase, and DB2. NoSQL databases: MongoDB, Memcached, Redis, Riak. Metadata extracted include transaction timing, table/user access patterns, query errors, SQL queries and responses, and system-level commands.

IDENTITY & ACCESS MANAGEMENT: Active Directory visibility (includes LDAP, Kerberos, and DNS) for monitoring of privileged identities and service accounts to improve detection and facilitate audits. Reveal(x) extracts metadata including user/computer account activity, invalid or expired passwords, new privileged access, privileged access errors, DNS SRV lookups, plain-text LDAP binds, plain-text HTTP authentications, unknown SPNs, and Golden Ticket detection.

WEB TRANSACTIONS: Full HTTP payload analysis of user activity, SOAP/XML, JSON, JavaScript, APIs, etc. Extracted metadata includes URI, query parameters, host headers, and user agent, among others.

STORAGE: Metadata extraction for all NAS and SAN transactions (iSCSI, NFS, and CIFS) enables machine learning detections based on actual file details and equips security analysts to track file access patterns and detect ransomware activity by examining file extensions and WRITE operations.
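As an added illustration of the storage-side detection described above (example code written for this page, not ExtraHop's own; the record fields, thresholds and the extension list are assumptions), this flags a client whose burst of WRITE operations on a file share replaces many files with an encryption-style extension:

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed records modelling per-transaction CIFS/NFS metadata a network
# sensor could expose. Field names are assumptions, not ExtraHop's schema.
@dataclass
class FileOp:
    ts: float     # seconds since capture start
    client: str   # client IP
    op: str       # "READ", "WRITE", ...
    path: str

# Illustrative extensions appended by file-encrypting malware (assumed list).
SUSPECT_EXT = {".locked", ".encrypted", ".crypt", ".enc"}

def extension(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""

def find_ransomware_like(ops, window=60.0, min_files=20, min_ratio=0.5):
    """Return {client: (files_written, suspicious_files)} for clients whose
    WRITEs within any `window`-second span hit at least `min_files` distinct
    files, of which at least `min_ratio` carry a suspicious extension."""
    writes = defaultdict(list)
    for o in sorted(ops, key=lambda o: o.ts):
        if o.op == "WRITE":
            writes[o.client].append(o)
    flagged = {}
    for client, ws in writes.items():
        start = 0
        for end in range(len(ws)):          # sliding time window over WRITEs
            while ws[end].ts - ws[start].ts > window:
                start += 1
            files = {w.path for w in ws[start:end + 1]}
            if len(files) < min_files:
                continue
            bad = sum(1 for p in files if extension(p) in SUSPECT_EXT)
            if bad / len(files) >= min_ratio:
                flagged[client] = max(flagged.get(client, (0, 0)), (len(files), bad))
    return flagged

def sample_ops():
    """Constructed sample: one benign client, one rewriting 40 files in 20 s."""
    ops = [FileOp(i, "10.0.0.5", "READ", f"/share/docs/report{i}.docx") for i in range(30)]
    ops += [FileOp(100 + i, "10.0.0.5", "WRITE", f"/share/docs/report{i}.docx") for i in range(5)]
    ops += [FileOp(200 + i * 0.5, "10.0.0.9", "WRITE", f"/share/docs/report{i}.docx.locked")
            for i in range(40)]
    return ops

if __name__ == "__main__":
    print(find_ransomware_like(sample_ops()))   # {'10.0.0.9': (40, 40)}
```

In a real deployment the thresholds would be tuned per share, and the extension list is only one signal: a high ratio of distinct files rewritten by one client in a short window is the stronger indicator, since renamed extensions vary by malware family.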

info@extrahop.com
© 2020 ExtraHop Networks, Inc. All rights reserved. ExtraHop is a registered trademark of ExtraHop Networks,
Inc. in the United States and/or other countries. All other products are the trademarks of their respective owners.
www.extrahop.com
