Exabeam Advanced Analytics
Integration version: 5.0
Use Cases
- Perform active actions - create/delete watchlists, add entities to watchlists, add comments to entities.
- Perform enrichment - enrich information about entities using information from Exabeam.
Configure Exabeam Advanced Analytics integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Generate Cluster Authentication Token
- In Exabeam, select Settings > Core > Admin Operations > Cluster Authentication Token. The Cluster Authorization Token page is displayed.
- Click the add symbol. The Setup Token dialog is displayed.
- Enter the Token Name and Expiry Date in the relevant fields.
- In the Permission Level section, select Default Roles for the token.
- Click Add Token. Use the generated file to allow your APIs to authenticate by token.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | https://{api root} | Yes | API root of the Exabeam Advanced Analytics instance. |
API Token | Secret | N/A | Yes | API token of the Exabeam Advanced Analytics instance. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Exabeam Advanced Analytics server is valid. |
Actions
Ping
Description
Test connectivity to Exabeam Advanced Analytics using the parameters provided on the integration configuration page in the Google Security Operations Marketplace tab.
Run On
This action doesn't run on entities and has no mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: | General |
Enrich Entities
Description
Enrich entities using the information from Exabeam Advanced Analytics. Supported entities: Hostname, IP and User. The Event Time Frame parameter is specified in hours.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Return Entity Timeline | Checkbox | True | Yes | If enabled, action will return the timeline for the entity. |
Event Time Frame | Integer | 24 | No | Specify the time frame for the events that you want to see in hours. |
Only Anomaly Events | Checkbox | True | No | If enabled, action will only return events that are considered to be anomalies. |
Lowest Event Risk Score To Fetch | Integer | N/A | No | Specify the lowest risk score an event must have in order to be ingested. If nothing is specified, the action does no risk score filtering. |
Return Comments | Checkbox | True | No | If enabled, action will return comments related to the entity. |
Create Insight | Checkbox | True | No | If enabled, action will create an insight per entity. |
Max Events To Return | Integer | N/A | No | Specify how many events should be returned. If nothing is specified, action will return all of the events. |
Max Comments To Return | Integer | 10 | No | Specify how many comments to return. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- User
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result For User
```json
{
  "username": "root",
  "userInfo": {
    "username": "root",
    "riskScore": 0.0,
    "averageRiskScore": 0.0,
    "pastScores": [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],
    "lastSessionId": "root-20201010000111",
    "firstSeen": 1601510468890,
    "lastSeen": 1602298872682,
    "lastActivityType": "Account deleted",
    "lastActivityTime": 1602288071248,
    "info": {},
    "labels": ["service_account"],
    "pendingRiskTransfers": []
  },
  "isExecutive": false,
  "accountNames": [],
  "peerGroupFieldName": "Peer Groups",
  "peerGroupType": "",
  "isMultiPeerGroup": true,
  "commentCount": 0,
  "isOnWatchlist": false,
  "hasDisabledModel": false,
  "hasDisabledEventType": false,
  "comments": [
    {
      "commentId": "6002d31b130b3800072d1c1d",
      "commentType": "user",
      "commentObjectId": "sysadmin",
      "text": "asd",
      "exaUser": "admin",
      "createTime": 1610797851298,
      "updateTime": 1610797851298,
      "edited": false
    }
  ],
  "events": [
    {
      "risk_score": "{value if available}",
      "source": "systemd",
      "session_id": "root-20201009000110",
      "rawlog_time": 1602201670967,
      "host": "centos-002",
      "session_order": 1,
      "hash": 1013256238,
      "event_type": "local-logon",
      "account": "root",
      "time": 1602201670967,
      "event_id": "4602@m",
      "user": "root",
      "event_code": "Started Session",
      "nonmachine_user": "root",
      "is_session_first": true
    }
  ]
}
```
JSON Result For Asset
```json
{
  "username": "root",
  "userInfo": {
    "username": "root",
    "riskScore": 0.0,
    "averageRiskScore": 0.0,
    "pastScores": [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],
    "lastSessionId": "root-20201010000111",
    "firstSeen": 1601510468890,
    "lastSeen": 1602298872682,
    "lastActivityType": "Account deleted",
    "lastActivityTime": 1602288071248,
    "info": {},
    "labels": ["service_account"],
    "pendingRiskTransfers": []
  },
  "isExecutive": false,
  "accountNames": [],
  "peerGroupFieldName": "Peer Groups",
  "peerGroupType": "",
  "isMultiPeerGroup": true,
  "commentCount": 0,
  "isOnWatchlist": false,
  "hasDisabledModel": false,
  "hasDisabledEventType": false,
  "comments": [
    {
      "commentId": "6002d31b130b3800072d1c1d",
      "commentType": "user",
      "commentObjectId": "sysadmin",
      "text": "asd",
      "exaUser": "admin",
      "createTime": 1610797851298,
      "updateTime": 1610797851298,
      "edited": false
    }
  ],
  "events": [
    {
      "risk_score": "{value if available}",
      "event_category": ["user-events", "asset-events"],
      "source": "UNIX",
      "session_id": "sysadmin-20201009125727",
      "rawlog_time": 1602248247376,
      "host": "centos-002",
      "src_ip": "172.30.202.187",
      "session_order": 1,
      "getvalue('zone_info', src)": "siemplify",
      "dest_host": "centos-002",
      "hash": 1236616962,
      "event_type": "remote-logon",
      "src_network_type": "LAN",
      "account": "sysadmin",
      "time": 1602248247376,
      "event_id": "4619@m",
      "user": "sysadmin",
      "event_code": "ssh",
      "nonmachine_user": "sysadmin",
      "is_session_first": true,
      "entity_asset_id": "asset@centos-002-20201009"
    }
  ]
}
```
Entity Enrichment For User
Enrichment Field Name | Logic - When to apply |
---|---|
EXBAA_riskScore | When available in JSON |
EXBAA_pastScores | When available in JSON |
EXBAA_lastSessionId | When available in JSON |
EXBAA_firstSeen | When available in JSON |
EXBAA_lastSeen | When available in JSON |
EXBAA_lastActivityType | When available in JSON |
EXBAA_lastActivityTime | When available in JSON |
EXBAA_labels | When available in JSON |
EXBAA_isExecutive | When available in JSON |
EXBAA_commentCount | When available in JSON |
EXBAA_accountNames | When available in JSON |
EXBAA_isNotable | When available in JSON |
Entity Enrichment For Asset
Enrichment Field Name | Logic - When to apply |
---|---|
EXBAA_riskScore | When available in JSON |
EXBAA_hostname | When available in JSON |
EXBAA_ipAddress | When available in JSON |
EXBAA_assetType | When available in JSON |
EXBAA_lastSessionId | When available in JSON |
EXBAA_firstSeen | When available in JSON |
EXBAA_lastSeen | When available in JSON |
EXBAA_labels | When available in JSON |
EXBAA_commentCount | When available in JSON |
EXBAA_accountNames | When available in JSON |
EXBAA_isNotable | When available in JSON |
Entity Insight for User
Entity Insight for Asset
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if unsuccessful for some (is_success = true): "Action wasn't able to return information about the following entities from Exabeam Advanced Analytics:\n {0}".format(entity.identifier). If not successful for all (is_success = false): "No entities were enriched using information from Exabeam". The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) | General |
Case Wall Table | Case Wall table based on the enrichment table, but without prefixes: one column called "Key" and a second column called "Value". | Entity |
Case Wall Table For User Events (if available) | Table Name: "{entity.identifier} Events". Columns: Time, Risk Score, Type, Host, Source | General |
Case Wall Table For Asset Events (if available) | Table Name: "{entity.identifier} Events". Columns: Time, Type, User, Risk Score, Source | General |
Case Wall Table For Comments | Table Name: "{entity.identifier} Comments". Columns: User, Comment | General |
Case Wall Link | {link} | |
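The following Python is an added example and not code from the Google Security Operations SOAR integration itself. It takes a user JSON result in the shape shown above and applies the Enrich Entities parameters and enrichment rules to it: the Event Time Frame, Only Anomaly Events, Lowest Event Risk Score To Fetch and Max Events To Return filters, the `EXBAA_`-prefixed enrichment fields that are emitted only "when available in JSON", and the Key/Value case wall table without prefixes. The sample result is constructed from the page's example with two extra events added to exercise the filters. Two rules are assumptions, because the page does not define them: an event counts as an anomaly when its numeric risk score is above 0, and an event whose `risk_score` is missing or non-numeric (the page's sample shows the placeholder `{value if available}`) is dropped whenever a risk score threshold is set.

```python
import json

# Constructed sample, trimmed from the page's "JSON Result For User" example;
# the second and third events are invented to exercise the filters.
SAMPLE_USER_RESULT = json.loads("""
{
  "username": "root",
  "userInfo": {
    "username": "root",
    "riskScore": 0.0,
    "pastScores": [0.0, 0.0, 0.0],
    "lastSessionId": "root-20201010000111",
    "firstSeen": 1601510468890,
    "lastSeen": 1602298872682,
    "lastActivityType": "Account deleted",
    "lastActivityTime": 1602288071248,
    "labels": ["service_account"]
  },
  "isExecutive": false,
  "accountNames": [],
  "commentCount": 1,
  "comments": [{"exaUser": "admin", "text": "asd", "createTime": 1610797851298}],
  "events": [
    {"risk_score": 40, "time": 1602201670967, "host": "centos-002",
     "source": "systemd", "event_type": "local-logon"},
    {"risk_score": 0, "time": 1602205270967, "host": "centos-002",
     "source": "systemd", "event_type": "process-created"},
    {"risk_score": "{value if available}", "time": 1602115270967,
     "host": "centos-001", "source": "sshd", "event_type": "remote-logon"}
  ]
}
""")

PREFIX = "EXBAA_"
# Enrichment fields the page lists for a user entity; each is read from
# "userInfo" first, then from the top level, and emitted only when present.
USER_ENRICHMENT_FIELDS = [
    "riskScore", "pastScores", "lastSessionId", "firstSeen", "lastSeen",
    "lastActivityType", "lastActivityTime", "labels", "isExecutive",
    "commentCount", "accountNames", "isNotable",
]


def numeric_risk_score(event):
    """Risk score as a float, or None when it is unset or non-numeric."""
    try:
        return float(event.get("risk_score"))
    except (TypeError, ValueError):
        return None


def filter_events(events, now_ms, time_frame_hours=24, only_anomalies=True,
                  lowest_risk_score=None, max_events=None):
    """Apply the action's event parameters. Assumed rules: anomaly means a
    numeric score above 0; a score-less event is dropped when a threshold is set."""
    cutoff = now_ms - time_frame_hours * 3600 * 1000   # event times are epoch ms
    kept = []
    for event in events:
        if event.get("time", 0) < cutoff:
            continue
        score = numeric_risk_score(event)
        if only_anomalies and (score is None or score <= 0):
            continue
        if lowest_risk_score is not None and (score is None or score < lowest_risk_score):
            continue
        kept.append(event)
    return kept if max_events is None else kept[:max_events]


def build_enrichment(result, fields=USER_ENRICHMENT_FIELDS):
    """EXBAA_-prefixed enrichment; a field the response lacks (isNotable here) is absent."""
    info = result.get("userInfo", {})
    enrichment = {}
    for name in fields:
        if name in info:
            enrichment[PREFIX + name] = info[name]
        elif name in result:
            enrichment[PREFIX + name] = result[name]
    return enrichment


def case_wall_rows(enrichment):
    """Key/Value rows for the case wall table: the enrichment without prefixes."""
    return [{"Key": key[len(PREFIX):], "Value": value} for key, value in enrichment.items()]


def enrich_user(result, now_ms, **event_params):
    """Everything the action puts on the case wall for one user entity:
    enrichment, Key/Value table, "<entity> Events" and "<entity> Comments" tables."""
    entity_id = result["username"]
    enrichment = build_enrichment(result)
    events = filter_events(result.get("events", []), now_ms, **event_params)
    return {
        "enrichment": enrichment,
        "case_wall": case_wall_rows(enrichment),
        "events_table": (f"{entity_id} Events", [
            {"Time": e.get("time"), "Risk Score": e.get("risk_score"), "Type": e.get("event_type"),
             "Host": e.get("host"), "Source": e.get("source")} for e in events]),
        "comments_table": (f"{entity_id} Comments", [
            {"User": c.get("exaUser"), "Comment": c.get("text")} for c in result.get("comments", [])]),
    }
```

`now_ms` is passed in rather than read from the clock so that the time frame window is reproducible; in a playbook the current time would be used. Calling `enrich_user(SAMPLE_USER_RESULT, now_ms=1602288000000)` with the defaults keeps only the single event that is both inside the last 24 hours and carries a risk score above 0, and the enrichment contains eleven `EXBAA_` keys because `isNotable` is not in the sample response.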
List Watchlists
Description
List available watchlists in Exabeam Advanced Analytics.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Max Watchlists To Return | Integer | 100 | No | Specify how many watchlists should be returned. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
```json
[
  {
    "watchlistId": "5e66f85c8fe56e9a122ccb45",
    "title": "Service Accounts",
    "category": "UserLabels"
  },
  {
    "watchlistId": "5e66f85c8fe56e9a122ccb44",
    "title": "Executive Users",
    "category": "UserLabels"
  },
  {
    "watchlistId": "5ffd9686130b3800072d1bef",
    "title": "user watchlist",
    "category": "Users"
  },
  {
    "watchlistId": "5ffb0fc0130b3800072d1bd3",
    "title": "testdan",
    "category": "Assets"
  },
  {
    "watchlistId": "5f7c37a2130b38000701691f",
    "title": "linux",
    "category": "Assets"
  },
  {
    "watchlistId": "5f7adc46130b38000701690d",
    "title": "Test-UBA",
    "category": "AssetLabels"
  },
  {
    "watchlistId": "5f22851d130b3800070168ff",
    "title": "DM Test",
    "category": "Users"
  },
  {
    "watchlistId": "5eb27c20130b3800077954e2",
    "title": "PrivilegedUsers-SailPoint",
    "category": "Users"
  },
  {
    "watchlistId": "5eb27ab6130b3800077954df",
    "title": "DisabledUsers-SailPoint",
    "category": "Users"
  },
  {
    "watchlistId": "5eb27a92130b3800077954dc",
    "title": "ServiceAccountsList-SailPoint",
    "category": "Users"
  },
  {
    "watchlistId": "5e9495d8130b380007795476",
    "title": "DANOTEST",
    "category": "Assets"
  }
]
```
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if 200 and data is not available: "No watchlists were found in Exabeam Advanced Analytics". The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Watchlist Items". Reason: {0}''.format(error.Stacktrace) | General |
Case Wall Table | Table Name: "Available Watchlists". Columns: Watchlist ID, Title, Category | General |
List Watchlist Items
Description
List available items in watchlists from Exabeam Advanced Analytics.
Parameters
Parameter Display Name | Type | Default Value | Is mandatory | Description |
---|---|---|---|---|
Watchlist Titles | CSV | N/A | Yes | Specify a comma-separated list of watchlist titles for which you want to return items. |
Max Days Backwards | Integer | 1 | No | Specify how many days backwards to list watchlists. Default: 1. |
Max Items To Return | Integer | 100 | No | Specify how many watchlist items should be returned. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
```json
{
  "title": "Test-UBA",
  "creator": "admin",
  "accessControl": "public",
  "category": "AssetLabels",
  "description": "Testing for dev purpose",
  "isOutOfBox": false,
  "items": [],
  "criteria": [
    "Server",
    "Workstation",
    "LdifFile",
    "Domain Controller",
    "TopTalker",
    "EducatedGuess"
  ],
  "totalNumberOfItems": 3,
  "accessControlRoles": [],
  "numberOfNotableItems": 0
}
```
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if data is not available for some (is_success = true): "Action wasn't able to retrieve available items for the following watchlists in Exabeam Advanced Analytics:\n{0}".format(list of watchlist titles). If data is not available for all: "No items were found for the provided watchlists in Exabeam Advanced Analytics". The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Watchlists". Reason: {0}''.format(error.Stacktrace) | General |
Case Wall Table | Table Name: "Watchlists {0} Items".format(watchlist title). Columns: Username, Risk Score | General |
Case Wall Table | Table Name: "Watchlists {0} Items".format(watchlist title). Columns: Type, Endpoint, Risk Score | General |
Add Entity To Watchlist
Description
Add entities to the watchlist in Exabeam Advanced Analytics.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Watchlist Title | String | N/A | Yes | Specify the title of the watchlist to which you want to add entities. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- User
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if data is available (is_success = true): "Successfully added the following entities to the watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(watchlist title, entity identifier). If some were not added (is_success = true): "Action wasn't able to add the following entities to the watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(watchlist title, entity identifier). If none were added: "No entities were added to the watchlist {0} in Exabeam Advanced Analytics".format(watchlist title). The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Add Entity To Watchlist". Reason: {0}''.format(error.Stacktrace). If watchlist not found: "Error executing action "Add Entity To Watchlist". Reason: Watchlist {0} was not found in Exabeam Advanced Analytics''.format(watchlist title). If watchlist category == "AssetLabels" or "UserLabels": "Error executing action "Add Entity To Watchlist". Reason: Watchlists with category 'AssetLabels' and 'UserLabels' are not supported in this action.'' |
General |
Remove Entity From Watchlist
Description
Remove entities from the watchlist in Exabeam Advanced Analytics.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Watchlist Title | String | N/A | Yes | Specify the title of the watchlist from which you want to remove entities. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- User
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if removed (is_success = true): "Successfully removed the following entities from the watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(title, entity identifier). If some were not removed (is_success = true): "Action wasn't able to remove the following entities from watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(title, entity identifier). If none were removed: "No entities were removed from the watchlist {0} in Exabeam Advanced Analytics".format(watchlist title). The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Remove Entity From Watchlist". Reason: {0}''.format(error.Stacktrace). If watchlist not found: "Error executing action "Remove Entity From Watchlist". Reason: Watchlist {0} was not found in Exabeam Advanced Analytics''.format(watchlist title). If watchlist category == "AssetLabels" or "UserLabels": "Error executing action "Remove Entity From Watchlist". Reason: Watchlists with category 'AssetLabels' and 'UserLabels' are not supported in this action.'' |
General |
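The Add Entity To Watchlist and Remove Entity From Watchlist actions share the same outcome rules: a missing watchlist or a label-category watchlist stops the playbook, while a partly or wholly rejected entity list does not. The following Python is an added example, not the integration's own code, that models those rules so a playbook author can see which outcomes surface as `is_success` plus an output message and which surface as an error. The Exabeam API call is a hypothetical callback `api_call(watchlist_id, entity)` injected by the caller, so the flow runs offline; the watchlist list is constructed from the page's List Watchlists sample. The page does not state `is_success` for the "none were added/removed" case; treating it as `False`, as the Enrich Entities action does for its all-failed case, is an assumption.

```python
# Watchlist categories the page says these two actions refuse.
UNSUPPORTED_CATEGORIES = {"AssetLabels", "UserLabels"}

# Constructed from the page's "List Watchlists" sample output.
WATCHLISTS = [
    {"watchlistId": "5e66f85c8fe56e9a122ccb45", "title": "Service Accounts", "category": "UserLabels"},
    {"watchlistId": "5ffd9686130b3800072d1bef", "title": "user watchlist", "category": "Users"},
    {"watchlistId": "5f7c37a2130b38000701691f", "title": "linux", "category": "Assets"},
]


class ActionError(Exception):
    """The 'should fail and stop a playbook execution' outcome."""


def update_watchlist(title, entities, api_call, verb="add", watchlists=WATCHLISTS):
    """Run the add/remove flow for one watchlist title and a list of entity identifiers.

    api_call(watchlist_id, entity) is a hypothetical callback standing in for the
    Exabeam request: it returns True when the change was accepted, False when the
    entity was rejected, and may raise ConnectionError for a transport failure.
    Returns the 'should not fail' result dict; raises ActionError for the
    'should fail' cases listed on the page.
    """
    action = "Add Entity To Watchlist" if verb == "add" else "Remove Entity From Watchlist"
    watchlist = next((w for w in watchlists if w["title"] == title), None)
    if watchlist is None:
        raise ActionError(f'Error executing action "{action}". Reason: Watchlist {title} '
                          "was not found in Exabeam Advanced Analytics")
    if watchlist["category"] in UNSUPPORTED_CATEGORIES:
        raise ActionError(f'Error executing action "{action}". Reason: Watchlists with '
                          "category 'AssetLabels' and 'UserLabels' are not supported in this action.")

    processed, failed = [], []
    for entity in entities:
        try:
            accepted = api_call(watchlist["watchlistId"], entity)
        except ConnectionError as exc:   # fatal error: no connection to server
            raise ActionError(f'Error executing action "{action}". Reason: {exc}') from exc
        (processed if accepted else failed).append(entity)

    done, verb_word, prep = ("added", "add", "to") if verb == "add" else ("removed", "remove", "from")
    if not processed:
        lines = [f"No entities were {done} {prep} the watchlist {title} in Exabeam Advanced Analytics"]
    else:
        lines = [f"Successfully {done} the following entities {prep} the watchlist {title} "
                 "in Exabeam Advanced Analytics:\n" + "\n".join(processed)]
        if failed:
            lines.append(f"Action wasn't able to {verb_word} the following entities {prep} the "
                         f"watchlist {title} in Exabeam Advanced Analytics:\n" + "\n".join(failed))
    # Assumption: is_success is False only when nothing was processed.
    return {"is_success": bool(processed), "output_message": "\n".join(lines),
            "processed": processed, "failed": failed}
```

A partial rejection returns `is_success=True` with both the success and the "wasn't able to" message in `output_message`, so a playbook that must act only on fully applied changes has to inspect `failed` (or the message) rather than `is_success` alone; only the missing-watchlist, label-category and transport-failure cases raise and stop the playbook.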
Add Comments To Entity
Description
Add comments to entities in Exabeam Advanced Analytics. Supported entities: Hostname, IP and User.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Comment | String | N/A | Yes | Specify the comment that needs to be added to the entity. |
Run On
This action runs on the following entities:
- Hostname
- IP Address
- User
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
```json
{
  "newComment": {
    "commentId": "6003e6e8130b3800072d1c35",
    "commentType": "asset",
    "commentObjectId": "centos-002",
    "text": "qwe",
    "exaUser": "admin",
    "createTime": 1610868456906,
    "updateTime": 1610868456906,
    "edited": false
  }
}
```
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if status code 200 for some (is_success = true): "Successfully added comment to the following entities {0} in Exabeam Advanced Analytics:\n{1}".format(entity identifier). If entity is not found: "Action wasn't able to add comment to the following entities {0} in Exabeam Advanced Analytics:\n{1}".format(entity identifier). If no entities: "No comments were added to the provided entities." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Add Comments To Entity". Reason: {0}''.format(error.Stacktrace) |
General |
Create Watchlist
Description
Create a watchlist in Exabeam Advanced Analytics.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Title | String | N/A | Yes | Specify the title for the watchlist. |
Category | DDL | User. Possible values: User, Asset | Yes | Specify the category for the watchlist. |
Access Control | DDL | Private. Possible values: Private, Public | Yes | Specify the access control for the watchlist. |
Description | String | N/A | No | Specify description for the watchlist. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
```json
{
  "watchlistId": "6003ed61130b3800072d1c37",
  "title": "Keke",
  "category": "Users"
}
```
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if status code 200 (is_success = true): "Successfully created watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(title). If response contains "_apiErrorCode" (is_success = false): "Action wasn't able to create a watchlist in Exabeam Advanced Analytics. Reason: {0}".format(internalError). The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Create Watchlist". Reason: {0}''.format(error.Stacktrace) |
General |
Delete Watchlist
Description
Delete a watchlist in Exabeam Advanced Analytics.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Watchlist Title | String | N/A | Yes | Specify the title of the watchlist that needs to be deleted. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: if status code 200 (is_success = true): "Successfully deleted watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(title). The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Delete Watchlist". Reason: {0}''.format(error.Stacktrace) |
General |