Exabeam
The Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics, and SOAR.
Configure Exabeam on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Exabeam.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g., https://192.168.0.1:{port})
- Username
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the new instance.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Returns notable users in a period of time: exabeam-get-notable-users
- Returns all watchlist IDs and titles: exabeam-get-watchlists
- Returns all peer groups: exabeam-get-peer-groups
- Returns user information data for the username: exabeam-get-user-info
- Returns all labels of the user: exabeam-get-user-labels
- Returns sessions for the given username and time range: exabeam-get-user-sessions
- Deletes a watchlist: exabeam-delete-watchlist
- Returns asset data: exabeam-get-asset-data
1. exabeam-get-notable-users
Returns notable users in a period of time.
Base Command
exabeam-get-notable-users
Input
Argument Name | Description | Required |
---|---|---|
time_period | The time period for which to fetch notable users, such as 3 months, 2 days, 4 hours, 1 year, and so on. | Required |
limit | The maximum number of returned results. | Required |
Context Output
Path | Type | Description |
---|---|---|
Exabeam.User.RiskScore | Number | The risk score of the notable user. |
Exabeam.User.UserFullName | String | The full name of the user. |
Exabeam.User.AverageRiskScore | Number | The average risk score of the user. |
Exabeam.User.FirstSeen | Date | The date the user was first seen. |
Exabeam.User.NotableSessionIds | String | The ID of the notable session. |
Exabeam.User.AccountsNumber | Number | The number of accounts. |
Exabeam.User.LastSeen | Date | The date the user was last seen. |
Exabeam.User.Location | String | The location of the user. |
Exabeam.User.UserName | String | The name of the user. |
Exabeam.User.Labels | String | The labels of the user. |
Exabeam.User.LastActivityType | String | The last activity type of the user. |
Exabeam.User.NotableUser | Boolean | Whether the user is a notable user. |
Command Example
!exabeam-get-notable-users limit=3 time_period="1 year"
Context Example
{ "Exabeam.User": [ { "Department": "IT", "EmployeeType": "employee", "FirstSeen": "2018-08-01T11:50:16", "HighestRiskSession": { "accounts": [ "account_name" ], "endTime": 1535991695000, "initialRiskScore": 9, "label": "", "loginHost": "login_host", "numOfAccounts": 1, "numOfAssets": 5, "numOfEvents": 6, "numOfReasons": 9, "numOfSecurityEvents": 0, "numOfZones": 0, "riskScore": 265, "sessionId": "session_id", "startTime": 1535973498000, "username": "username", "zones": [] }, "Labels": [ "privileged_user" ], "LastActivity": "Account is active", "LastSeen": "2018-09-09T16:36:13", "Location": "Atlanta", "NotableSessionIds": [ "session_id" ], "NotableUser": true, "RiskScore": null, "Title": "Network Engineer", "UserFullName": "full_name", "UserName": "username" }, { "Department": "HR", "EmployeeType": "employee", "FirstSeen": "2018-07-03T14:26:26", "HighestRiskSession": { "accounts": [ "account_name" ], "endTime": 1538233298000, "initialRiskScore": 14, "label": "vpn-in", "loginHost": "login_host", "numOfAccounts": 2, "numOfAssets": 14, "numOfEvents": 15, "numOfReasons": 9, "numOfSecurityEvents": 1, "numOfZones": 0, "riskScore": 169, "sessionId": "session_id", "startTime": 1538222645000, "username": "username", "zones": [] }, "Labels": [], "LastActivity": "Account is active", "LastSeen": "2018-09-30T16:27:01", "Location": "Chicago", "NotableSessionIds": [ "session_id" ], "NotableUser": true, "RiskScore": null, "Title": "Human Resources Coordinator", "UserFullName": "full name", "UserName": "username" }, { "Department": "Sales", "EmployeeType": "employee", "FirstSeen": "2018-08-10T15:55:25", "HighestRiskSession": { "accounts": [ "hosborne" ], "endTime": 1538281057000, "initialRiskScore": 0, "label": "", "loginHost": "", "numOfAccounts": 1, "numOfAssets": 3, "numOfEvents": 62, "numOfReasons": 8, "numOfSecurityEvents": 1, "numOfZones": 0, "riskScore": 132, "sessionId": "session_id", "startTime": 1538250305000, "username": "username", "zones": [] }, "Labels": [ 
"privileged_user" ], "LastActivity": "Account is active", "LastSeen": "2018-09-30T16:27:01", "Location": "Atlanta", "NotableSessionIds": [ "session_id" ], "NotableUser": true, "RiskScore": null, "Title": "Sales Representative", "UserFullName": "fullname", "UserName": "username" } ] }
Human Readable Output
Exabeam Notable Users:
UserName | UserFullName | Title | Department | Labels | NotableSessionIds | EmployeeType | FirstSeen | LastSeen | LastActivity | Location |
---|---|---|---|---|---|---|---|---|---|---|
username | fullname | Network Engineer | IT | privileged_user | session_id | employee | 2018-08-01T11:50:16 | 2018-09-09T16:36:13 | Account is active | Atlanta |
username | fullname | Human Resources Coordinator | HR | | session_id | employee | 2018-07-03T14:26:26 | 2018-09-30T16:27:01 | Account is active | Chicago |
username | fullname | Sales Representative | Sales | privileged_user | session_id | employee | 2018-08-10T15:55:25 | 2018-09-30T16:27:01 | Account is active | Atlanta |
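In the context example above, the top-level RiskScore is null and the usable score sits in HighestRiskSession.riskScore, with session times given as epoch milliseconds. The following added example (not part of the integration or of the original documentation) shows one way an automation could triage that output; the function names, the `min_score` threshold, the sample usernames and the treatment of the timestamps as UTC are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: trimmed to the fields used here, shaped like the page's
# Context Example (top-level RiskScore is null, score lives in HighestRiskSession).
SAMPLE_CONTEXT = {
    "Exabeam.User": [
        {"UserName": "user_a", "Labels": ["privileged_user"], "RiskScore": None,
         "HighestRiskSession": {"riskScore": 132, "sessionId": "session_a",
                                "startTime": 1538250305000, "numOfSecurityEvents": 1}},
        {"UserName": "user_b", "Labels": [], "RiskScore": None,
         "HighestRiskSession": {"riskScore": 169, "sessionId": "session_b",
                                "startTime": 1538222645000, "numOfSecurityEvents": 1}},
        {"UserName": "user_c", "Labels": None, "RiskScore": None},  # no session data
    ]
}


def effective_score(user):
    """Use RiskScore when present, else the highest-risk session's riskScore, else 0."""
    score = user.get("RiskScore")
    if score is None:
        score = (user.get("HighestRiskSession") or {}).get("riskScore")
    return score if isinstance(score, (int, float)) else 0


def ms_to_iso(ms):
    """Convert an epoch-milliseconds value (assumed UTC) to an ISO 8601 string."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage(context, min_score=100):
    """Return users at or above min_score, privileged accounts first, then by score."""
    rows = []
    for user in context.get("Exabeam.User") or []:
        score = effective_score(user)
        if score < min_score:
            continue
        session = user.get("HighestRiskSession") or {}
        rows.append({
            "user": user.get("UserName"),
            "score": score,
            "privileged": "privileged_user" in (user.get("Labels") or []),
            "session_id": session.get("sessionId"),
            "session_start": ms_to_iso(session.get("startTime")),
        })
    rows.sort(key=lambda r: (not r["privileged"], -r["score"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_CONTEXT):
        print(row)
```

Sorting on the top-level RiskScore alone would treat every user in the example as unscored, which is why the fallback to the session score matters.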
2. exabeam-get-watchlists
Returns all watchlist IDs and titles.
Base Command
exabeam-get-watchlists
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Exabeam.Watchlist.Category | String | The watchlist category. |
Exabeam.Watchlist.Title | String | The watchlist title. |
Exabeam.Watchlist.WatchlistID | String | The watchlist ID. |
Command Example
!exabeam-get-watchlists
Context Example
{ "Exabeam.Watchlist": [ { "Category": "UserLabels", "Title": "Executive Users", "WatchlistID": "5c869ab0315c745d905a26d9" }, { "Category": "UserLabels", "Title": "Service Accounts", "WatchlistID": "5c869ab0315c745d905a26da" }, { "Category": "Users", "Title": "user watchlist", "WatchlistID": "5dbaba2dd4e62a0009dd7ae4" }, { "Category": "PeerGroups", "Title": "VP Operations", "WatchlistID": "5d8751723b72ea000830066a" } ] }
Human Readable Output
Exabeam Watchlists:
WatchlistID | Title | Category |
---|---|---|
5c869ab0315c745d905a26d9 | Executive Users | UserLabels |
5c869ab0315c745d905a26da | Service Accounts | UserLabels |
5dbaba2dd4e62a0009dd7ae4 | user watchlist | Users |
5d8751723b72ea000830066a | VP Operations | PeerGroups |
3. exabeam-get-peer-groups
Returns all peer groups.
Base Command
exabeam-get-peer-groups
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Exabeam.PeerGroup.Name | String | The name of the peer group. |
Command Example
!exabeam-get-peer-groups
Context Example
{ "Exabeam.PeerGroup": [ { "Name": "Marketing" }, { "Name": "usa" }, { "Name": "101" }, { "Name": "Program Manager" }, { "Name": "Channel Administrator" }, { "Name": "Chief Marketing Officer" }, { "Name": "" }, { "Name": "Chief Strategy Officer" }, { "Name": "CN=Andrew Bautista,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "BitLockerUsersComputers" }, { "Name": "trinet" }, { "Name": "Admin Operations" }, { "Name": "118" }, { "Name": "Corp" }, { "Name": "102" }, { "Name": "CN=Emery Santiago,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "105" }, { "Name": "Computer Scientist" }, { "Name": "Electrical Engineer" }, { "Name": "VP Business Development" }, { "Name": "Hardware Engineer" }, { "Name": "Executive Assistant" }, { "Name": "GenCouncil" }, { "Name": "Consulting" }, { "Name": "109" }, { "Name": "Legal Secretary" }, { "Name": "VP Operations" }, { "Name": "106" }, { "Name": "Washington" }, { "Name": "Operations Director" }, { "Name": "Process Engineer" }, { "Name": "104" }, { "Name": "Account Manager" }, { "Name": "Shop Floor Supervisor" }, { "Name": "IT Operations" }, { "Name": "VP Marketing" }, { "Name": "HR" }, { "Name": "design,milling" }, { "Name": "superUsers" }, { "Name": "WIFI IL" }, { "Name": "ProgramMgmt" }, { "Name": "Engagement Manager" }, { "Name": "InfoSec" }, { "Name": "Sales Operations" }, { "Name": "Security Systems Engineer" }, { "Name": "design" }, { "Name": "CN=Tracee Weber,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "sap" }, { "Name": "CN=May Mcconnell,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "jobvite" }, { "Name": "Sales" }, { "Name": "partners" }, { "Name": "CN=Emely Blanchard,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "Corporate Marketing Strategist" }, { "Name": "Web Developer" }, { "Name": "Domain Admins" }, { "Name": "VP Information Systems" }, { "Name": "CN=Raelene Thompson,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "VP Engineering" },
{ "Name": "Marketing Coordinator" }, { "Name": "VP Sales" }, { "Name": "103" }, { "Name": "Product Manager" }, { "Name": "Welder" }, { "Name": "milling" }, { "Name": "VP Human Resources" }, { "Name": "Partner Corrdinator" }, { "Name": "execs" }, { "Name": "117" }, { "Name": "Engineering" }, { "Name": "Seattle" }, { "Name": "107" }, { "Name": "Program Director" }, { "Name": "Chief Council" }, { "Name": "Machinist" }, { "Name": "Software Developer" }, { "Name": "Office365-Users" }, { "Name": "CN=Harris Oliver,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "CN=Tu Petersen,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "ITServiceUsersDomainAdmins" }, { "Name": "root" }, { "Name": "IT" }, { "Name": "Atlanta" }, { "Name": "autocad" }, { "Name": "Building Engineer" }, { "Name": "Dallas" }, { "Name": "Security Security Coordinator" }, { "Name": "salesforce" }, { "Name": "Software Engineer" }, { "Name": "110" }, { "Name": "Saless" }, { "Name": "CN=Marianne Hughes,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "Civil Engineer" }, { "Name": "CN=Vince Andrade,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "Security Analyst" }, { "Name": "Sales Representative" }, { "Name": "Operations" }, { "Name": "Jobvite-users" }, { "Name": "Chicago" }, { "Name": "Los Angeles" }, { "Name": "New York" }, { "Name": "councilApp" }, { "Name": "VP Information Security" }, { "Name": "Direct Support" }, { "Name": "MA/DCG" }, { "Name": "orch_admins" }, { "Name": "Chief Operating Officer" }, { "Name": "ITInfraAdmins" }, { "Name": "Manager, IT Corporate Services" }, { "Name": "VP Council" }, { "Name": "CN=Felipe Pennington,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "CN=May Mcconnell,OU=US,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local" }, { "Name": "Public Relations Officer" }, { "Name": "Human Resources Coordinator" }, { "Name": "Chief Information Secuity Officer" }, { "Name": "Marketing Strategist" }, { "Name": "Front Desk Receptionist" }, { "Name": "CEO" },
{ "Name": "IT Administrator" }, { "Name": "Sales Coordinator" }, { "Name": "Network Engineer" }, { "Name": "108" } ] }
Human Readable Output
Exabeam Peer Groups:
Name |
---|
Marketing |
usa |
101 |
Program Manager |
Channel Administrator |
Chief Marketing Officer |
Chief Strategy Officer |
CN=Andrew Bautista,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
BitLockerUsersComputers |
trinet |
Admin Operations |
118 |
Corp |
102 |
CN=Emery Santiago,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
105 |
Computer Scientist |
Electrical Engineer |
VP Business Development |
Hardware Engineer |
Executive Assistant |
GenCouncil |
Consulting |
109 |
Legal Secretary |
VP Operations |
106 |
Washington |
Operations Director |
Process Engineer |
104 |
Account Manager |
Shop Floor Supervisor |
IT Operations |
VP Marketing |
HR |
design,milling |
superUsers |
WIFI IL |
ProgramMgmt |
Engagement Manager |
InfoSec |
Sales Operations |
Security Systems Engineer |
design |
CN=Tracee Weber,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
sap |
CN=May Mcconnell,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
jobvite |
Sales |
partners |
CN=Emely Blanchard,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
Corporate Marketing Strategist |
Web Developer |
Domain Admins |
VP Information Systems |
CN=Raelene Thompson,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
VP Engineering |
Marketing Coordinator |
VP Sales |
103 |
Product Manager |
Welder |
milling |
VP Human Resources |
Partner Corrdinator |
execs |
117 |
Engineering |
Seattle |
107 |
Program Director |
Chief Council |
Machinist |
Software Developer |
Office365-Users |
CN=Harris Oliver,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
CN=Tu Petersen,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
ITServiceUsersDomainAdmins |
root |
IT |
Atlanta |
autocad |
Building Engineer |
Dallas |
Security Security Coordinator |
salesforce |
Software Engineer |
110 |
Saless |
CN=Marianne Hughes,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
Civil Engineer |
CN=Vince Andrade,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
Security Analyst |
Sales Representative |
Operations |
Jobvite-users |
Chicago |
Los Angeles |
New York |
councilApp |
VP Information Security |
Direct Support |
MA/DCG |
orch_admins |
Chief Operating Officer |
ITInfraAdmins |
Manager, IT Corporate Services |
VP Council |
CN=Felipe Pennington,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
CN=May Mcconnell,OU=US,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local |
Public Relations Officer |
Human Resources Coordinator |
Chief Information Secuity Officer |
Marketing Strategist |
Front Desk Receptionist |
CEO |
IT Administrator |
Sales Coordinator |
Network Engineer |
108 |
4. exabeam-get-user-info
Returns user information data for the username.
Base Command
exabeam-get-user-info
Input
Argument Name | Description | Required |
---|---|---|
username | The username of the user to fetch. | Required |
Context Output
Path | Type | Description |
---|---|---|
Exabeam.User.RiskScore | Number | The risk score of the user. |
Exabeam.User.AverageRiskScore | Number | The average risk score. |
Exabeam.User.PeerGroupFieldName | String | The field name of the peer group. |
Exabeam.User.FirstSeen | Date | The date when the user was first seen. |
Exabeam.User.PeerGroupDisplayName | String | The display name of the peer group. |
Exabeam.User.LastSeen | Date | The date the user was last seen. |
Exabeam.User.PeerGroupFieldValue | String | The field value of the peer group. |
Exabeam.User.Label | String | The labels of the user. |
Exabeam.User.Username | String | The name of the user. |
Exabeam.User.PeerGroupType | String | The type of the peer group. |
Exabeam.User.LastSessionID | String | The last session ID of the user. |
Exabeam.User.LastActivityType | String | The last activity type of the user. |
Exabeam.User.AccountNames | String | The account name of the user. |
Command Example
!exabeam-get-user-info username={username}
Context Example
{ "Exabeam.User": { "AccountNames": [ "account_name" ], "AverageRiskScore": 102.53, "FirstSeen": "2018-08-01T11:50:16", "Label": [ "privileged_user" ], "LastActivityType": "Account is active", "LastSeen": "2018-09-09T16:36:13", "LastSessionID": "session_id", "PeerGroupDisplayName": "root", "PeerGroupFieldName": "Peer Groups", "PeerGroupFieldValue": "root", "PeerGroupType": "Group", "RiskScore": 163, "Username": "username" } }
Human Readable Output
User jmontoya information:
Username | RiskScore | AverageRiskScore | LastSessionID | FirstSeen | LastSeen | LastActivityType | AccountNames | PeerGroupFieldName | PeerGroupFieldValue | PeerGroupDisplayName | PeerGroupType |
---|---|---|---|---|---|---|---|---|---|---|---|
{username} | 163 | 102.53 | {session_id} | 2018-08-01T11:50:16 | 2018-09-09T16:36:13 | Account is active | {account_name} | Peer Groups | root | root | Group |
5. exabeam-get-user-labels
Returns all labels of the user.
Base Command
exabeam-get-user-labels
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Exabeam.UserLabel.Label | String | The label of the user. |
Command Example
!exabeam-get-user-labels
Context Example
{ "Exabeam.UserLabel": [ { "Label": "privileged_user" }, { "Label": "service_account" } ] }
Human Readable Output
Exabeam User Labels:
Label |
---|
privileged_user |
service_account |
6. exabeam-get-user-sessions
Returns sessions for the given username and time range.
Base Command
exabeam-get-user-sessions
Input
Argument Name | Description | Required |
---|---|---|
username | The username for which to fetch data. | Required |
start_time | The start time of the time range. For example, 2018-08-01T11:50:16. | Optional |
end_time | The end time of the time range. For example, 2018-08-01T11:50:16. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Exabeam.User.Session.EndTime | Date | The end time of the session. |
Exabeam.User.Session.InitialRiskScore | Number | The initial risk score of the session. |
Exabeam.User.Session.Label | String | The label of the session. |
Exabeam.User.Session.LoginHost | String | The login host. |
Exabeam.User.Session.RiskScore | Number | The risk score of the session. |
Exabeam.User.Session.SessionID | String | The ID of the session. |
Exabeam.User.Session.StartTime | Date | The start time of the session. |
Exabeam.User.Username | String | The username of the session. |
Command Example
!exabeam-get-user-sessions username={username} start_time=2018-08-01T11:50:16
Context Example
{ "Exabeam.User": { "Session": [ { "EndTime": "2018-08-01T20:00:17", "InitialRiskScore": 0, "Label": "", "LoginHost": "login_host", "RiskScore": 0, "SessionID": "session_id", "StartTime": "2018-08-01T14:05:46" }, { "EndTime": "2018-08-02T02:37:51", "InitialRiskScore": 0, "Label": "vpn-in", "LoginHost": "login_host", "RiskScore": 0, "SessionID": "session_id", "StartTime": "2018-08-01T23:17:00" } ], "Username": "username" } }
Human Readable Output
User {username} sessions information:
SessionID | RiskScore | InitialRiskScore | StartTime | EndTime | LoginHost | Label |
---|---|---|---|---|---|---|
session_id | 0 | 0 | 2018-08-01T14:05:46 | 2018-08-01T20:00:17 | login_host | |
session_id | 0 | 0 | 2018-08-01T23:17:00 | 2018-08-02T02:37:51 | login_host | vpn-in |
7. exabeam-delete-watchlist
Deletes a watchlist.
Base Command
exabeam-delete-watchlist
Input
Argument Name | Description | Required |
---|---|---|
watchlist_id | The watchlist ID. | Required |
Context Output
There is no context output for this command.
Command Example
!exabeam-delete-watchlist watchlist_id=5de50f82088c6a000865408d
Context Example
{}
Human Readable Output
The watchlist 5de50f82088c6a000865408d was deleted successfully.
8. exabeam-get-asset-data
Returns asset data.
Base Command
exabeam-get-asset-data
Input
Argument Name | Description | Required |
---|---|---|
asset_name | The name of the asset. | Required |
Context Output
Path | Type | Description |
---|---|---|
Exabeam.Asset.HostName | String | The host name of the asset. |
Exabeam.Asset.IPAddress | String | The IP address of the asset. |
Exabeam.Asset.AssetType | String | The type of the asset. |
Exabeam.Asset.FirstSeen | Date | The date the asset was first seen. |
Exabeam.Asset.LastSeen | String | The date the asset was last seen. |
Command Example
!exabeam-get-asset-data asset_name={host_name}
Context Example
{ "Exabeam.Asset": { "AssetType": "Windows", "FirstSeen": "2018-07-03T14:21:00", "HostName": "host_name", "IPAddress": "ip_address", "Labels": null, "LastSeen": "2018-09-30T16:23:17" } }
Human Readable Output
Exabeam Asset Data:
AssetType | FirstSeen | HostName | IPAddress | LastSeen |
---|---|---|---|---|
Windows | 2018-07-03T14:21:00 | host_name | ip_address | 2018-09-30T16:23:17 |