Exabeam Security Operations
Connector Category: Security Information and Event Management System (SIEM) Tool
About Integration
Exabeam Security Operations is a cloud-native SIEM and security log management platform for threat detection, investigation, and response (TDIR). Exabeam Security Operations seamlessly integrates with Intel Exchange (CTIX) to retrieve indicators of compromise (IOCs) that are ingested and analyzed on Intel Exchange. The retrieved IOCs are added to the context tables for further processing in the Exabeam Security Operations platform.
The Exabeam Security Operations internal application in Intel Exchange supports the following actions:
| Action Name | Description |
|---|---|
| Update Context Table New Scale | This action updates the context tables on the Exabeam Security Operations platform with the IOCs retrieved from Intel Exchange. |
Note
This integration updates context tables on the Exabeam Security Operations platform only, not on the Exabeam Advanced Analytics platform. For more information on the Exabeam Advanced Analytics integration, see Exabeam.
To integrate Exabeam Security Operations as an internal application in Intel Exchange, follow these steps:
Configure Exabeam Security Operations App in Intel Exchange
Configure the Exabeam Security Operations internal application in Intel Exchange to establish seamless connectivity with the Exabeam Security Operations platform.
Before you Start
You must have the View Tool Integrations and Update Tool Integrations permissions in Intel Exchange.
You must have the API credentials of the Exabeam Security Operations platform, such as the base URL, API ID, and API key.
Note
Ensure that the API credentials have permission to update context tables on the Exabeam Security Operations platform.
Steps
To configure an Exabeam Security Operations internal application instance in Intel Exchange, follow these steps:
Go to Administration > Integration Management, and select Internal Applications under Tool Integrations.
Select Security Information and Event Management, and then select the Exabeam Security Operations application.
Click Add Instance and enter the following details:
Instance Name: Enter a unique instance name. For example, Prod_Exabeam.
Base URL: Enter the base URL of your Exabeam Security Operations platform. For example, https://api.yourregion.exabeam.cloud.
API ID: Enter the client ID of your Exabeam Security Operations account.
API Key: Enter the client secret key of your Exabeam Security Operations account to authenticate communication between Intel Exchange and Exabeam Security Operations servers.
Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and Exabeam Security Operations servers. Verify SSL is enabled by default.
Note
We recommend that you keep the Verify SSL option enabled. If you disable it, Intel Exchange may configure an instance against a platform that presents an expired SSL certificate. This can lead to an improper connection, and you may not receive a notification when the connectivity breaks.
Click Save.
The Exabeam Security Operations instance is configured and you can view the list of actions available for the integration. You can configure multiple instances of this integration by clicking Manage > Add More.
Enable App Actions
Enable the action of the Exabeam Security Operations internal application to update context tables of the Exabeam Security Operations platform.
Steps
To enable the Update Context Table New Scale action, follow these steps:
Go to Administration > Integration Management and select Internal Applications under Tool Integrations.
Select Security Information and Event Management, and then select the Exabeam Security Operations application.
On the upper-right corner, click the vertical ellipsis and click Manage.
Click Manage Actions and select the Update Context Table New Scale action.
Turn on the toggle to enable the action and click Save.
The action is enabled. You can use the action in rules to update context tables of the Exabeam Security Operations platform.
Create a Rule to Update the Context Table
Create a rule on Intel Exchange to define the IOC sources and the context table of the Exabeam Security Operations platform to be updated.
Before you Start
Ensure that you have created at least one context table on the Exabeam Security Operations platform. The context table must include the following column names so that each IOC detail is written to the expected column.
| Column Name | IOC Parameter |
|---|---|
| Value | IOC value |
| Type | IOC Type |
| TLP | Traffic Light Protocol (TLP) |
| Score | CTIX Confidence Score |
| Risk_severity | Risk severity |
If you use any other column names, the IOC details may not be written to the expected columns.
Note
The IOC value is mapped to the primary key of a context table. Ensure that you set the Value column as the primary key.
Steps
To create a rule to update a context table on the Exabeam Security Operations platform, follow these steps:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a rule name within 100 characters and click Submit.
In Source, select the sources and collections from which you want to retrieve IOCs.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator to retrieve a list of IOCs.
Rule Type: Select a rule type to apply specific conditions.
Select Object for Actioning: Select this option to perform the action of a rule on the selected object. This option ensures that the action is performed only on the selected object when you define multiple conditions with multiple objects.
In Actions, enter the following details:
Actions: Select the Update Context Table New Scale action.
Application: Select the Exabeam Security Operations application.
Account: Select an instance you have configured for the Exabeam Security Operations internal application.
Context Tables: Select a context table of the Exabeam Security Operations platform to be updated.
Operation: Select one of the following operations:
Append: Appends IOCs to the existing rows of a context table.
Replace: Replaces the entire context table with the retrieved IOCs list when you run the rule.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
When you run the rule, IOCs will be retrieved based on the configured sources and conditions, and the selected context table will be updated in the Exabeam Security Operations platform.
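The column mapping and the Append/Replace operations described above, as an added example that is not Cyware's or Exabeam's own code: it maps constructed CTIX-style indicator records onto the five required column names, treats Value as the primary key, and models how an Append or Replace run changes an in-memory context table. The indicator field names (`value`, `type`, `tlp`, `confidence`, `risk_severity`), the helper names, and the assumption that Append updates a row whose Value already exists are all constructed for this example; the real mapping happens inside Intel Exchange when the rule runs.

```python
"""Added example, not the integration's own code. Models the IOC -> context
table mapping and the Append / Replace operations against an in-memory table
keyed on the Value column. Indicator field names and helper names are assumed."""
from typing import Dict, List

# Column names the context table must contain (from the integration guide).
CONTEXT_TABLE_COLUMNS = ["Value", "Type", "TLP", "Score", "Risk_severity"]
PRIMARY_KEY = "Value"  # the IOC value is mapped to the table's primary key

# Constructed sample of indicator records; the field names are an assumption
# for this example and are not the CTIX export schema.
SAMPLE_IOCS: List[dict] = [
    {"value": "198.51.100.23", "type": "ipv4-addr", "tlp": "AMBER",
     "confidence": 85, "risk_severity": "HIGH"},
    {"value": "malicious.example", "type": "domain-name", "tlp": "GREEN",
     "confidence": 60, "risk_severity": "MEDIUM"},
    # Same Value as the first record with newer data: collapses onto one row.
    {"value": "198.51.100.23", "type": "ipv4-addr", "tlp": "RED",
     "confidence": 95, "risk_severity": "CRITICAL"},
]


def to_context_row(ioc: dict) -> Dict[str, str]:
    """Map one indicator record onto exactly the required column names.
    Extra indicator fields are dropped so nothing lands in an unexpected
    column; a missing value is an error because Value is the primary key."""
    row = {
        "Value": str(ioc.get("value", "")),
        "Type": str(ioc.get("type", "")),
        "TLP": str(ioc.get("tlp", "")),
        "Score": str(ioc.get("confidence", "")),
        "Risk_severity": str(ioc.get("risk_severity", "")),
    }
    if not row[PRIMARY_KEY]:
        raise ValueError("IOC value is required: it is the context table primary key")
    return row


def build_rows(iocs: List[dict]) -> Dict[str, Dict[str, str]]:
    """Return rows keyed on the primary key. A later record with the same
    Value overwrites an earlier one, mirroring primary-key semantics."""
    rows: Dict[str, Dict[str, str]] = {}
    for ioc in iocs:
        row = to_context_row(ioc)
        rows[row[PRIMARY_KEY]] = row
    return rows


def apply_operation(table: Dict[str, Dict[str, str]],
                    new_rows: Dict[str, Dict[str, str]],
                    operation: str) -> Dict[str, Dict[str, str]]:
    """Append keeps the existing rows and adds the new ones (a matching Value
    is updated in this model, an assumption); Replace discards the existing
    contents and keeps only the retrieved IOCs."""
    if operation == "Replace":
        return dict(new_rows)
    if operation == "Append":
        merged = dict(table)
        merged.update(new_rows)
        return merged
    raise ValueError(f"unknown operation: {operation}")


if __name__ == "__main__":
    # Constructed pre-existing table contents with one row.
    existing = {"203.0.113.9": {"Value": "203.0.113.9", "Type": "ipv4-addr",
                                "TLP": "GREEN", "Score": "40",
                                "Risk_severity": "LOW"}}
    retrieved = build_rows(SAMPLE_IOCS)
    print("Append  ->", sorted(apply_operation(existing, retrieved, "Append")))
    print("Replace ->", sorted(apply_operation(existing, retrieved, "Replace")))
```

Running the script shows the duplicate Value collapsing onto one row, Append growing the table to three rows, and Replace leaving only the two retrieved rows, which is the difference to keep in mind before choosing Replace for a table that other rules or analysts also populate.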