Exabeam Analytics
App Vendor: Exabeam
App Category: Data Enrichment and Threat Intelligence
Connector Version: 1.6.0
API Version: API V1
About App
Exabeam Analytics enhances threat detection by applying user and entity behavior analytics (UEBA) to user and asset activity. This app allows security teams to connect to Exabeam Analytics.
The Exabeam Analytics app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Get Notable Users | This action retrieves a list of notable users. |
Get Notable Assets | This action retrieves a list of notable assets. |
Get All Watchlists and Titles | This action retrieves the watchlists and titles. |
Search Asset in Watchlist | This action searches for an asset in a watchlist. |
Get Security Alerts For Asset | This action retrieves the security alerts for an asset. |
Get Asset Enrichment Info | This action retrieves a list of watchlists and alerts related to an asset. |
Get User Sequences | This action retrieves the user sequences. |
Get Asset Sequences | This action retrieves the asset sequences. |
Get Notable Sessions For Asset | This action retrieves a list of notable sessions for an asset. |
Add Asset To Watchlist | This action adds an asset to a watchlist. |
Get Asset Information | This action retrieves information about an asset. |
Get User Information | This action retrieves information about a user. |
Add Single Context Table Record | This action adds a record to a context table. If the table is a key-value table, then the context table key must be provided. |
Bulk Add Context Table Records | This action adds a list of records to a context table. |
Get Context Table Records | This action retrieves the records from a context table. |
List Context Tables | This action lists the context tables. |
Generic Action | This is a generic action to perform any additional use case on Exabeam Analytics. |
Delete Context Table Records | This action deletes records from a context table. |
Configuration Parameters
The following configuration parameters are required for the Exabeam Analytics app to communicate with the Exabeam Analytics enterprise application. The parameters can be configured by creating instances in the Exabeam Analytics app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL for your Exabeam instance. Example: "https://tbd2-int-e2e.aa.exabeam.com/" | Text | Required | |
Username | Enter the username used to connect to Exabeam. Example: "john.doe@org.com" | Text | Required | |
Password | Enter the password used to connect to Exabeam. | Password | Required | |
Verify | Choose to perform or skip the SSL certificate verification. | Boolean | Optional | Default value: false. Allowed values: |
Timeout | Enter the timeout value in seconds for the actions. Example: 15 seconds | Integer | Optional | Allowed range: 15-120 seconds. Default value: 15 seconds |
Action: Get Notable Users
This action retrieves a list of notable users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Unit | Enter a unit for the time range to filter the notable users. Example: "h" | Text | Required | Allowed values: |
Number | Enter an integer value for the time range to filter the notable users. Example: 30 | Integer | Required | |
Number of Results | Enter the maximum number of results to be displayed. Example: 50 | Integer | Optional | Default value: 100 |
Example Request
[ { "unit": "h", "number": 30, "number_of_results": 50 } ]
Action: Get Notable Assets
This action retrieves a list of notable assets.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Unit | Enter a unit for the time range to filter the notable assets. Example: "h" | Text | Required | Allowed values: |
Number | Enter an integer value for the time range to filter the notable assets. Example: 30 | Integer | Required | |
Number of Results | Enter the maximum number of results to be displayed. Example: 50 | Integer | Optional | Default value: 100 |
Example Request
[ { "unit": "h", "number": 30, "number_of_results": 50 } ]
Action: Get All Watchlists And Titles
This action retrieves the watchlists and titles.
Action Input Parameters
Note: This action does not have input parameters.
Action: Search Asset in Watchlist
This action searches for an asset in a watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset | Enter the asset ID. Example: "win10-server" | Text | Required | You can retrieve the asset ID using the get notable assets action. |
Watchlist ID | Enter the watchlist ID. Example: "1234" | Text | Optional | You can retrieve the watchlist ID using the Get All Watchlists and Titles action. |
Number of Results | Enter the maximum number of results to be displayed. Example: 50 | Integer | Optional | Default value: 100 |
Is Exclusive | Choose to display the exclusive asset if the list ID is provided. Example: True | Boolean | Optional | Default value: False. Allowed values: |
Search by IP | Choose to search the list by IP address. Example: True | Boolean | Optional | Default value: False |
Example Request
[ { "asset": "Windows-10 Server", "watchlist_id": "1234", "number_of_results": 50, "is_exclusive": true, "search_by_ip": true } ]
Action: Get Security Alerts For Asset
This action retrieves the security alerts for an asset.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset ID | Enter the asset ID. Example: "win10-server" | Text | Required | You can retrieve the asset ID using the get notable assets action. |
Num Results | Enter the number of results to be displayed. Example: 200 | Integer | Optional | Default value: 500 |
Example Request
[ { "asset_id": "Win-10 server", "num_results": 200 } ]
Action: Get Asset Enrichment Info
This action retrieves a list of watchlists and alerts related to an asset.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset ID | Enter the asset ID to retrieve the asset enrichment information. Example: "win10-server" | Text | Required | You can retrieve the asset ID using the get notable assets action. |
Example Request
[ { "asset_id": "Win-10 server" } ]
Action: Get User Sequences
This action retrieves the user sequences.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Username | Enter the username. Example: "john.doe" | Text | Required | |
Start Epoch | Enter the start epoch date in seconds. Example: 1633369512 | Integer | Required | |
End Epoch | Enter the end epoch date in seconds. Example: 1633369599 | Integer | Required | |
Example Request
[ { "username": "john.doe", "start_epoch": 1633369512, "end_epoch": 1633369599 } ]
Action: Get Asset Sequences
This action retrieves the asset sequences.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset ID | Enter the asset ID. Example: "win10-sampleorg" | Text | Required | You can retrieve the asset ID using the get notable assets action. |
Start Epoch | Enter the start epoch date in seconds. Example: 1633369512 | Integer | Required | |
End Epoch | Enter the end epoch date in seconds. Example: 1633369599 | Integer | Required | |
Example Request
[ { "asset_id": "win10-sampleorg", "start_epoch": 1633369512, "end_epoch": 1633369599 } ]
Action: Get Notable Sessions For Asset
This action retrieves a list of notable sessions for an asset.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset ID | Enter the asset ID. Example: "win10-server" | Text | Required | |
Sort by | Enter the field name to sort by. Example: riskscore | Text | Optional | Default value: riskscore |
Sort Order | Enter the sorting order. Example: 1 | Integer | Optional | Allowed values:
Default value: 1 |
Num Results | Enter the number of results to be displayed. Example: 200 | Integer | Optional | Default value: 500 |
Example Request
[ { "asset_id": "Windows-10 Server", "sort_by": "riskscore", "sort_order": 1, "num_results": 200 } ]
Action: Add Asset to Watchlist
This action adds an asset to a watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the watchlist ID. Example: "5fd908f50e4985f35c539e93" | Text | Required | You can retrieve the watchlist ID using the Get All Watchlists and Titles action. |
Asset ID | Enter the asset ID. Example: "win10-server" | Text | Required | You can retrieve the asset ID using the get notable assets action. |
Watch Until Days | Enter the number of days to monitor the added asset. Example: 30 | Integer | Required | |
Example Request
[ { "watchlist_id": "5fd908f50e4985f35c539e93", "asset_id": "Windows-10 Server", "watch_until_days": 30 } ]
Action: Get Asset Information
This action retrieves information about an asset.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Asset ID | Enter the asset ID to retrieve the asset information. Example: "win10-server" | Text | Required | You can retrieve the asset ID using the get notable assets action. |
Max number of users | Enter the maximum number of users related to the asset to be displayed. Example: 50 | Integer | Optional | Default value: 100 |
Example Request
[ { "asset_id": "Windows-10 Server", "max_number_of_users": 50 } ]
Action: Get User Information
This action retrieves information about a user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID. Example: "john.doe" | Text | Required | |
Example Request
[ { "user_id": "john.doe" } ]
Action: Add Single Context Table Record
This action adds a record to a context table. If the context table is a key-value table, then the context table key must be provided.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Table Name | Enter the name of a context table. Example: "users_privileged" | Text | Required | |
Context Table Key | Enter the context key to add to the context table. Example: "email_address" | Text | Required | |
Context Table Value | If the context table is a key-value table, enter the value for the key to be added. Example: "testuser@sampledomain.com" | Text | Optional | |
Example Request
[ { "context_table_key": "email_address", "context_table_name": "user_privileged" } ]
Action: Bulk Add Context Table Records
This action adds a list of records to a context table.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Table Name | Enter the name of a context table to add records. Example: "user_priviledged" | Text | Required | |
Context Table Keys | Enter a list of keys to add to a context table. Example: $LIST[email_address, username, domain, last_reset] | List | Required | |
Context Table Values | Enter an ordered list of values to add to the context table. The list of values must be the same size as the list of context table keys and in the same order. Example: $LIST[user@domain.corp, user, domain.corp, 10-23-22] | List | Optional | |
Example Request
[ { "context_table_keys": ["email_address", "username", "domain", "last_reset"], "context_table_name": "user_priviledged", "context_table_values": ["user@domain.corp", "user", "domain.corp", "10-23-22"] } ]
Action: Get Context Table Records
This action retrieves the records from a context table.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Table Name | Enter the name of the context table. Example: "user_priviledged" | Text | Required | |
Page Size | Enter the number of results to be displayed per page. Example: 100 | Integer | Optional | Default value: 100 |
Example Request
[ { "context_table_name": "user_privileged", "page_size": 100 } ]
Action: List Context Tables
This action lists the context tables.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Size | Enter the number of results to be displayed per page. Example: 100 | Integer | Optional | Default value: 100 |
Example Request
[ { "page_size": 100 } ]
Action: Generic Action
This is a generic action to perform any additional use case on Exabeam Analytics.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method. Example: | Text | Required | |
Endpoint | Enter the endpoint to initiate the call. Example: "uba/api/watchlist/assets/search" | Text | Required | |
JSON Payload | Enter the JSON payload to pass to the API. Example: $JSON[{'category':'Assets'}] | Any | Optional | |
Data Payload | Enter the payload data to pass to the API. Example: {'category':'Assets'} | Any | Optional | |
Query Params | Enter the query parameters to pass to the API. Example: {'sort_by':'risk_score'} | Key Value | Optional | |
Example Request
[ { "method":"GET", "endpoint":"uba/api/watchlist/assets/search", "payload":[ { "category":"Assets" } ], "payload_data":{ "category":"Assets" }, "query_params":{ "sort_by":"risk_score" } } ]
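The Generic Action forwards an operator-supplied method, endpoint and payloads to the Exabeam API, so the endpoint has to stay under the configured Base URL and the instance's Verify and Timeout settings have to be applied to every call. The following added example (not the connector's or Exabeam's own code) validates those inputs and assembles the request without sending it; the config dictionary keys, the allowed-method set and the shape of the returned dict are assumptions.

```python
# Added example (not connector/Exabeam code); config keys and dict shape are assumed.
from urllib.parse import quote, urlsplit, urlunsplit

ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}  # assumed set
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15    # Timeout parameter


def join_endpoint(base_url, endpoint):
    """Append a relative endpoint to the Base URL, rejecting anything urljoin
    would let replace the base (scheme, host, '//') or walk out of it ('..')."""
    base = urlsplit(base_url)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("Base URL must be an absolute https:// URL")
    ep = urlsplit(endpoint)
    if ep.scheme or ep.netloc or endpoint.startswith("//"):
        raise ValueError("Endpoint must be a path relative to the Base URL")
    if ep.query or ep.fragment:
        raise ValueError("Pass query parameters via Query Params, not Endpoint")
    if ".." in ep.path.split("/"):
        raise ValueError("Endpoint must not contain '..' segments")
    # quote() also escapes stray '%', so encoded traversal cannot slip through
    path = base.path.rstrip("/") + "/" + quote(ep.path.lstrip("/"), safe="/")
    return urlunsplit((base.scheme, base.netloc, path, "", ""))


def endpoint_is_allowed(base_url, endpoint):  # boolean wrapper for callers/tests
    try:
        join_endpoint(base_url, endpoint)
        return True
    except ValueError:
        return False


def build_generic_request(config, method, endpoint, json_payload=None,
                          data_payload=None, query_params=None):
    """Validate the Generic Action inputs and return the request as a dict
    whose keys mirror the keyword arguments of requests.request."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"Unsupported HTTP method: {method}")
    timeout = int(config.get("timeout", TIMEOUT_DEFAULT))
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
    verify = bool(config.get("verify", False))  # connector default is false
    warnings = [] if verify else ["SSL certificate verification is disabled: "
                                  "credentials and results are exposed on path"]
    return {"method": method, "url": join_endpoint(config["base_url"], endpoint),
            "json": json_payload, "data": data_payload, "params": query_params,
            "timeout": timeout, "verify": verify, "warnings": warnings}
```

Any warnings returned for an instance with Verify left at false are worth surfacing in the playbook output before the call is made.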
Action: Delete Context Table Records
This action deletes records from a context table.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Table Name | Enter the name of the context table to delete records. Example: "Incidents" | Text | Required | You can retrieve a context table name using the action List Context Tables. |
Records | Enter the list of records to delete. Example: $LIST[ransomware, phishing] | List | Required | You can retrieve the records of a context table using the action Get Context Table Records. |
Example Request
[ { "context_table_name":"Incidents", "records":["phishing","ransomware"] } ]