ExtraHop Reveal(x)

Audience: Security Operations and Network Engineering teams.

Purpose: Network detection and response (NDR) for monitoring and analyzing network traffic.

---

Service Overview

ExtraHop Reveal(x) is a set of appliances that performs network detection and response. The system consists of:

• EDA/Sensor — Analyzes and visualizes network data
• ETA/Packetstore — Stores packets for deeper analysis
• Connected storage array
• Google BigQuery — Records storage

Service Ownership

Role	Contact
Service Owner	William Deigaard (soren@tamu.edu)
Stakeholders	William Deigaard, Christopher Wiley

---

Appliances

EDA (Sensor)

Passively collects wire data from the network and transforms unstructured data into structured, actionable insights.

ETA (Packetstore)

Stores full packets for forensic analysis and investigation.

---

User Interfaces

URI	Port	Purpose
eda.extrahop.cloud.tamu.edu	443	EDA console
eta.extrahop.cloud.tamu.edu	443	ETA console
10.55.144.233	80	EDA iDRAC
10.55.144.234	80	ETA iDRAC

---

System Dependencies

Service	Purpose
Azure AD	Identity provider for EDA access
Google BigQuery	Records storage

---

Maintenance

Certificate Updates

Certificate	Frequency
HTTPS SSL	Annually
SAML (Azure AD)	Every 3 years

Update HTTPS SSL Certificate

1. Install Certbot:

   # macOS
   brew install certbot
   
   # Ubuntu
   sudo apt-get install certbot

2. Create config at /etc/letsencrypt/cli.ini:

   non-interactive = true
   standalone = true
   server = https://acme.enterprise.sectigo.com
   email = {your email}
   authenticator = standalone
   agree-tos = true
   key-type = rsa
   eab-kid = {key id from Sectigo}
   eab-hmac-key = {hmac key from Sectigo}

3. Generate certificates:

   sudo certbot certonly -d eda.extrahop.cloud.tamu.edu --force-renew -c /etc/letsencrypt/cli.ini
   sudo certbot certonly -d eta.extrahop.cloud.tamu.edu --force-renew -c /etc/letsencrypt/cli.ini

4. Create combined PEM files:

   sudo cat /etc/letsencrypt/live/eda.extrahop.cloud.tamu.edu/fullchain.pem \
            /etc/letsencrypt/live/eda.extrahop.cloud.tamu.edu/privkey.pem > eda.pem
   sudo cat /etc/letsencrypt/live/eta.extrahop.cloud.tamu.edu/fullchain.pem \
            /etc/letsencrypt/live/eta.extrahop.cloud.tamu.edu/privkey.pem > eta.pem

5. Upload via WebUI to respective appliances

6. Delete local PEM files:

   rm eda.pem eta.pem

Update SAML Certificate

1. Navigate to Azure Portal → Enterprise Applications → TAMU-SSO-Extrahop-Technology Services
2. Go to Single sign-on → SAML Certificates → Edit
3. Click New Certificate
4. Set as active and download
5. Upload to EDA WebUI → Settings → SAML settings
6. Save changes

---

User Management

Access is controlled via Entra ID group membership with SAML authentication.

Enterprise Application

Property	Value
Display Name	TAMU-SSO-Extrahop-Technology Services
Application ID	ca12ca19-c67d-456d-88b8-98eee6142879
Object ID	b77f5174-a052-43e9-a482-dbbacd04b445

Entra ID Groups

Group	Purpose
extrahop_security	Security team access
extrahop_packetslevel_full	Full packet access
extrahop_writelevel_full_readonly	Read-only full access
extrahop_writelevel_unlimited	Unlimited write access
extrahop_ioc	IOC access

---

Recovery Procedures

Data Recovery

Due to data size, backups rely on Google BigQuery durability. See BigQuery Reliability.

System Recovery

See ExtraHop Backup Documentation.

Hardware Support

Vendor provides next-day shipping on hardware replacement.

---

Vendor Support

Contact	Email
Support	support@extrahop.com
Jason Jones (Solutions Engineer)	jasonj@extrahop.com
Rachel Guliano (Customer Success)	rachelg@extrahop.com
Tom Roeh (Sales Engineering Director)	tomr@extrahop.com
Steve Moerbe (Regional Sales)	stevemo@extrahop.com

---

Resources

Resource	Link
ExtraHop Learning	learn.extrahop.com
SAML Configuration	ExtraHop Docs
User Management	ExtraHop Docs
Credentials	1Password (tamu.1password.com)