Exabeam
Connector Category: Security Information and Event Management System (SIEM) Tool
About Integration
CTIX can ingest threat data from a multitude of sources in different formats. The Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics, and SOAR capabilities. The integration between CTIX and the Exabeam applications enables the analysts to gain more context into the threat data.
You can add IoCs that have been detected and analyzed within the CTIX platform to Exabeam Context Tables of type Threat Intelligence Services (TIS) and Custom. Your analysts can use these Context Tables in Exabeam to view and analyze lists of resources such as assets, users, IP addresses, or Internet domains.
The Exabeam internal application in Intel Exchange supports the following action:

| Action Name | Description |
|---|---|
| Update Context Table | Updates the Threat Intelligence Services (TIS) and Custom context tables in Exabeam with the IoCs retrieved from Intel Exchange. |
Configure Exabeam as an Internal Application
Exabeam is available as an out-of-the-box integration in the CTIX application.
To configure Exabeam integration with CTIX, do the following:
Create a Minimum Privilege Role in Exabeam
Create a custom role with only the minimum permissions required to update context tables. Alternatively, you can use an Exabeam default role with elevated privileges, such as Tier 3 Analyst or Administrator; if you choose a default role, skip this procedure.
Steps
Sign in to the Exabeam application with administrator credentials.
Click Settings on the bottom left corner and select Core.
Click Roles under User Management.
Click Create Role on the right side of the screen and enter a name.
Under Manage, add Manage context table permissions to your role.
Click Save.
Generate Cluster Authentication Credentials in Exabeam
To enable the integration between Exabeam and CTIX, you must generate a cluster authentication token in Exabeam.
Steps
In Exabeam, click Settings on the bottom left corner of the screen and select Cluster Authentication Token from Admin Operations.
Click + on the right side of the screen.
Enter a name for your token and set up an expiry date.
From the Permission Level, choose the custom role you created or one of the default roles.
Click Add Token.
Copy the created token value and retain it; you will enter it in the CTIX application.
Configure Exabeam App in CTIX
You must have the base URL and access token of your Exabeam account to configure the Exabeam app in CTIX.
Before you Start
Ensure that you have the View and Update Tool Integration permission.
Steps
Sign in to the CTIX application.
From Administration, open Integration Management, and select Internal Applications from the Tool Integrations section.
Select Security Information and Event Management system.
Look for Exabeam and click on the app.
Click Add Instance to add an Exabeam instance.
Enter the Instance name, Base URL, and Access ID (the cluster authentication token generated in Exabeam).
To secure the connection between CTIX and the Exabeam server, select Verify SSL so that the server's TLS certificate is validated.
Click Save.
Enable Update Context Table Action
After configuring the Exabeam application on CTIX, enable the actions to update context tables in Exabeam. CTIX can update the tables of the type TIS and Custom in the Exabeam application.
Steps
From Administration, open Integration Management, and select Internal Applications under Tool Integrations.
Select Security Information and Event Management System.
Select Exabeam and click the vertical ellipsis on the top right corner of the screen, and click Manage.
Click Manage Action(s).
Select the Update Context Table action to enable.
Enable the toggle to update the context tables.
Click Save.
Create a Rule in CTIX to Update the Context Tables
In CTIX, rules are automated tasks that execute one or more actions when a trigger fires. Create a rule in the CTIX application to update the context tables in Exabeam.
Steps
Sign in to the CTIX application.
From the main menu, select Actions and then choose Rules.
Click New Rule.
Enter a rule name and a description.
Optionally, add tags to help identify and categorize components in the CTIX application.
Click Submit.
Set the following optional Basic Details for a rule:
Allow all Conditions: Applies all available conditions to the selected threat data object. When selected, the system warns that the previously selected conditions will be removed, and the Conditions entry under Components on the left side of the screen disappears.
Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.
Triggers on Manual Update: Triggers the rule to run for any manual update made to the existing threat data object by an analyst. It will not execute the rule for any new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm to allow all sources and collections for the trigger to update the threat data object.
Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected and no false positives are included. This option ignores any conditions configured in the rule to remove false positive threat data objects.
Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.
Define the Sources and Collections, Conditions, and Actions for this rule.
In Actions, choose the following:
Actions - Update Context Table
Application - Exabeam
Account - Choose the default account.
Choose the context table from Exabeam.
Click Save.
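As an added illustration (not CTIX's or Exabeam's own code) of how the Basic Details options above interact when a rule decides which IoCs reach the Update Context Table action: the two Exclude options drop objects before any rule condition is consulted, and the trigger options gate which objects the rule sees at all. The Ioc and Rule classes, their field names, and the sample values are assumptions made up for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Ioc:
    """Constructed stand-in for a CTIX threat data object (hypothetical model)."""
    value: str
    confidence: int
    false_positive: bool = False
    allowed: bool = False        # on the allow list ("Indicators Allowed")
    enriched: bool = False       # enrichment and confidence scoring finished
    manual_update: bool = False  # an analyst edited an existing object

@dataclass
class Rule:
    """The Basic Details options documented for a CTIX rule (hypothetical model)."""
    run_after_enrichment: bool = False
    triggers_on_manual_update: bool = False
    exclude_false_positive: bool = True      # selected by default, per the page
    exclude_indicators_allowed: bool = True  # selected by default, per the page
    conditions: list = field(default_factory=list)  # callables Ioc -> bool

def select_for_context_table(rule: Rule, iocs: list[Ioc]) -> list[str]:
    """Return the IoC values the Update Context Table action would push.

    The two Exclude options drop objects regardless of any configured
    condition, so they are checked before the conditions are evaluated.
    """
    selected = []
    for ioc in iocs:
        if rule.triggers_on_manual_update and not ioc.manual_update:
            continue  # only manual updates fire the rule, never new objects
        if rule.run_after_enrichment and not ioc.enriched:
            continue  # wait for enrichment and confidence score evaluation
        if rule.exclude_false_positive and ioc.false_positive:
            continue  # excluded even if every condition would match
        if rule.exclude_indicators_allowed and ioc.allowed:
            continue
        if all(cond(ioc) for cond in rule.conditions):
            selected.append(ioc.value)
    return selected

# Constructed sample objects (documentation IP ranges, not real indicators).
SAMPLE_IOCS = [
    Ioc("198.51.100.7", 85, enriched=True),
    Ioc("203.0.113.9", 90, enriched=True, false_positive=True),
    Ioc("example.org", 95, enriched=True, allowed=True),
    Ioc("198.51.100.22", 40, enriched=True),
    Ioc("198.51.100.30", 88),  # not yet enriched
    Ioc("192.0.2.5", 75, enriched=True, manual_update=True),
]
```

With the default exclusions on and a confidence condition, only the enriched, non-allowed, non-false-positive objects that satisfy the condition are sent to the context table.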