Exabeam Security Operations
App Vendor: Exabeam Security Operations
App Category: Analytics & SIEM
Connector Version: 1.1.0
API Version: v1 & v2
About App
Exabeam Security Operations Platform revolutionizes threat detection, investigation, and response with its New-Scale SIEM approach. Utilizing a cloud-native architecture, it offers rapid security log management, behavioral analytics, and a Common Information Model for streamlined data preparation and ingestion, empowering organizations to swiftly detect and respond to threats with enhanced efficiency and performance.
The Exabeam Security Operations app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Context Records to an Existing Table | This adds one or more context records directly to an existing table by including them in the request body. |
Create Context Table With Metadata | This action creates a new custom context table (only custom table creation is supported) with attributes that represent the schema of the new table. You can either create new attributes, by providing new names, or reuse existing attributes, by providing their IDs. Attribute IDs can be retrieved using the get attributes API. Use isKey to signify which attribute is the key. There can be only a single key attribute in a table. |
Generic Action | This is a generic action that goes beyond the implemented actions by making a request to any endpoint. |
Get All Context Tables Metadata | This action retrieves metadata for all existing context tables, including source, operational status, and attribute mapping. |
Get Attributes for Specific Table Record | This action retrieves all of the available attributes for a specific type of context table. |
Get Metadata Context Table | This action retrieves metadata for a specific context table, including source, operational status, and attribute mapping. |
Get Table Records by ID | This action retrieves the records for a specific context table. |
Search Audit Events | This action searches for audit events. |
Search for Events | This action searches for events. |
Track Ingestion Progress | This action polls the status of an add records job. |
Configuration Parameters
The following configuration parameters are required for the Exabeam Security Operations app to communicate with the Exabeam Security Operations enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID for authentication with Exabeam Security Operations. | Text | Required | |
Client Secret | Enter the client secret to authenticate with Exabeam Security Operations. | Password | Required | |
Region | Enter the region of the Exabeam Security Operations instance. | Text | Required | Allowed values: |
Verify | Select whether to verify the SSL/TLS certificate of the Exabeam Security Operations instance. | Boolean | Optional | Default value: true |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the Exabeam Security Operations app. | Integer | Optional | Allowed range: 15-120 seconds. Default value: 15 |
Action: Add Context Records to an Existing Table
This action adds one or more context records directly to an existing table by including them in the request body.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Table ID | Enter the ID of an existing context table to which you want to add context records. | Text | Required | |
Operation | Enter the operation that specifies how the data should be uploaded to the existing table. | Text | Required | Allowed values: |
Data | Enter the list of records to add, in JSON format. | List | Optional | |
Action: Create Context Table With Metadata
This action creates a new custom context table (only custom table creation is supported) with attributes that represent the schema of the new table. You can either create new attributes, by providing new names, or reuse existing attributes, by providing their IDs. Attribute IDs can be retrieved using the get attributes API. Use isKey to signify which attribute is the key. There can be only a single key attribute in a table.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Table Name | Enter the table display name. | Text | Required | |
Context Type | Enter the valid context type for creating a table. | Text | Required | Allowed values: |
Source | Enter the vendor from which the table will be sourced. Example: Microsoft, IBM. | Text | Required | |
Attributes | Enter the list of table metadata attributes in JSON format. | List | Optional | |
Action: Generic Action
This is a generic action that goes beyond the implemented actions by making a request to any endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to request. | Text | Required | |
Endpoint | Enter the endpoint to request. | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | |
Action: Get All Context Tables Metadata
This action retrieves metadata for all existing context tables, including source, operational status, and attribute mapping.
Action Input Parameters
This action does not require any input parameter.
Action: Get Attributes for Specific Table Record
This action retrieves all the available attributes for a specific type of context table.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Type | Enter the type of context table for which you want to retrieve the available attributes. | Text | Required | Allowed values: |
Action: Get Metadata Context Table
This action retrieves metadata for a specific context table, including source, operational status, and attribute mapping.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Table ID | Enter the ID of an existing context table. | Text | Required | |
Action: Get Table Records by ID
This action retrieves the records for a specific context table.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Table ID | Enter the ID of the specified table. | Text | Required | |
Limit | Enter the number of records to return per page. | Integer | Optional | |
Offset | Enter the number of rows to skip before beginning to return records. | Integer | Optional | |
Action: Search Audit Events
This action searches for audit events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Fields | Enter the list of fields to be returned from the audit search. | List | Required | |
Start Time | Enter the ISO 8601 UTC timestamp at which to start the audit search. Example: 2023-01-01T00:00:00Z. | Integer | Required | |
End Time | Enter the ISO 8601 UTC timestamp at which to end the audit search. Example: 2023-01-01T00:00:00Z. | Integer | Required | |
Filter | Enter the filter for specific audit events. Example: ID:123 and src_ip:1.1.1.1. | Text | Required | |
Limit | Enter the number of events to return from the audit search request. | Integer | Optional | Default value: 3000 |
Group By | Enter the list of fields to group by. | List | Optional | |
Order By | Enter the list of fields to order by, in ascending or descending order. | List | Optional | |
Distinct | Select whether to apply DISTINCT to the select clause. | Boolean | Optional | Default value: false |
Action: Search for Events
This action searches for events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Fields | Enter the list of fields to be returned from the search. | List | Required | |
Start Time | Enter the timestamp at which to start the search. Example: 2023-01-01T00:00:00Z. | Integer | Required | |
End Time | Enter the timestamp at which to end the search. Example: 2023-01-01T00:00:00Z. | Integer | Required | |
Filter | Enter the filter for specific events. Example: id:123 and src_ip:00.00.000.000 | Text | Required | |
Limit | Enter the number of events to return from the search request. | Integer | Optional | Default value: 3000 |
Group By | Enter the list of fields to group by. | List | Optional | |
Order By | Enter the list of fields to order by, in ascending or descending order. | List | Optional | |
Distinct | Select whether to apply DISTINCT to the select clause. | Boolean | Optional | Default value: false |
Action: Track Ingestion Progress
This action polls the status of an add records job.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tracker ID | Enter the tracker ID from the upload request whose progress you want to track. | Text | Required | |