Exabeam Advanced Analytics

This Integration is part of the Exabeam Advanced Analytics Pack.#

The Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics and SOAR. This integration was integrated and tested with version 53.5 of Exabeam.

Authentication Methods#

There are two supported authentication methods, plus one deprecated method:

  • API Token - Enter the API token in the “API Token” parameter. To use the “Fetch Incident” functionality of this integration, the username must also be provided in the “Username” parameter.
  • Basic Authentication - Provide the username and password in the corresponding configuration parameters. This method also allows fetching incidents.
  • Deprecated: API Key entered in the “password” parameter and __token in the “username” parameter. This method does not allow fetching incidents.

Generate a Cluster Authentication Token#

  1. Navigate to Settings > Admin Operations > Cluster Authentication Token.

  2. At the Cluster Authentication Token menu, click the blue + button.

  3. In the Setup Token menu, fill in the Token Name, Expiry Date, and select the Permission Level(s).

  4. Click ADD TOKEN to apply the configuration.

For additional information, refer to the Exabeam Administration Guide.

Configure Exabeam on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Exabeam.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL (e.g. https://100.24.16.156:8484) | | True |
    | Username | | False |
    | Password | | False |
    | API Token | Cluster Authentication Token | False |
    | Exabeam Incident Type | Incident type to filter in Exabeam. Possible values are: generic, abnormalAuth, accountManipulation, accountTampering, ueba, bruteForce, compromisedCredentials, cryptomining, dataAccessAbuse, dataExfiltration, dlp, departedEmployee, dataDestruction, evasion, lateralMovement, alertTriage, malware, phishing, privilegeAbuse, physicalSecurity, privilegeEscalation, privilegedActivity, ransomware, workforceProtection. | False |
    | Priority | Incident priority to filter in Exabeam. Possible values are: low, medium, high, critical. | False |
    | Status | Incident status to filter in Exabeam. Possible values are: closed, closedFalsePositive, inprogress, new, pending, resolved. | False |
    | Fetch incidents | | False |
    | Max incidents per fetch | | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
    | Advanced: Minutes to look back when fetching | How many minutes before the last run time to extend the search, so that incidents created before the last run that did not match the query at creation time are still picked up. Default is 1. | False |
    | Incident type | | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
  4. Click Test to validate the URLs, token, and connection.

Fetch#

Exabeam Incident#

  • Description: Information about incidents collected from the Exabeam system.
  • Details: The incidents include details about events and actions identified in the Exabeam system, intended for monitoring and response.

Exabeam Notable User#

  • Description: Information about notable users collected from the Exabeam system.
  • Details: Notable users are identified by the Exabeam system based on suspicious or abnormal behavior, and the information includes details about their actions in the system.
  • Important: Duplicate notable users are never fetched unless the "Reset the 'last run' timestamp" button is pressed.

Note#

The "Reset the 'last run' timestamp" button resets both the regular fetch and the Exabeam Notable User fetch.
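The look-back window and duplicate suppression described above, as an added illustration that is not the integration's own code: a simplified fetch cycle that widens the search by the configured number of minutes and drops incident IDs already returned by the previous run. `search_incidents`, the incident dictionaries and the `visible_from` field are constructed stand-ins for the Exabeam API, not real data.

```python
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


# Constructed sample (not real Exabeam data). "visible_from" simulates when the
# incident started matching the configured filter: SOC-2 was created before
# SOC-1 but only matched the filter (e.g. its priority changed) minutes later.
SAMPLE_INCIDENTS = [
    {"incidentId": "SOC-1", "createdAt": "2024-01-10T10:00:00Z", "visible_from": "2024-01-10T10:00:00Z"},
    {"incidentId": "SOC-2", "createdAt": "2024-01-10T09:59:30Z", "visible_from": "2024-01-10T10:06:00Z"},
    {"incidentId": "SOC-3", "createdAt": "2024-01-10T10:05:00Z", "visible_from": "2024-01-10T10:05:00Z"},
]


def search_incidents(start, now):
    """Hypothetical stand-in for the incident search API call: returns sample
    incidents created between `start` and `now` that match the filter at `now`."""
    return [
        inc for inc in SAMPLE_INCIDENTS
        if start <= parse_ts(inc["createdAt"]) <= now and parse_ts(inc["visible_from"]) <= now
    ]


def fetch_incidents(last_run, now, look_back_minutes=1, max_fetch=50, first_fetch=timedelta(days=7)):
    """One fetch cycle. `last_run` is the state persisted between runs:
    {"time": <creation time of the newest incident fetched>, "found_ids": [...]}.
    Returns (new incidents, next_run state)."""
    last_time = parse_ts(last_run["time"]) if last_run.get("time") else now - first_fetch
    look_back = timedelta(minutes=look_back_minutes)
    # Search from (last time - look-back) so incidents that began matching late are still caught.
    start = last_time - look_back
    candidates = search_incidents(start, now)
    already_found = set(last_run.get("found_ids", []))
    fresh = sorted(
        (inc for inc in candidates if inc["incidentId"] not in already_found),
        key=lambda inc: parse_ts(inc["createdAt"]),
    )[:max_fetch]
    new_time = max((parse_ts(inc["createdAt"]) for inc in fresh), default=last_time)
    # Remember only IDs that were actually returned and that the next run's
    # look-back window could return again; older ones cannot reappear.
    window_start = new_time - look_back
    returned = already_found | {inc["incidentId"] for inc in fresh}
    keep = {
        inc["incidentId"] for inc in candidates
        if inc["incidentId"] in returned and parse_ts(inc["createdAt"]) >= window_start
    }
    next_run = {"time": new_time.strftime(TS_FORMAT), "found_ids": sorted(keep)}
    return fresh, next_run


if __name__ == "__main__":
    state = {}
    for now in ("2024-01-10T10:03:00Z", "2024-01-10T10:10:00Z"):
        fetched, state = fetch_incidents(state, parse_ts(now))
        print(now, [inc["incidentId"] for inc in fetched], state)
```

With the look-back set to 0 the second run misses SOC-2, which is the case the "Minutes to look back" parameter exists for.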

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

exabeam-get-notable-users#


Returns notable users in a period of time.

Base Command#

exabeam-get-notable-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| time_period | The time period for which to fetch notable users, such as 3 months, 2 days, 4 hours, 1 year, and so on. | Required |
| limit | The maximum number of returned results. Default is 10. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.User.RiskScore | Number | The risk score of the notable user. |
| Exabeam.User.UserFullName | String | The full name of the user. |
| Exabeam.User.AverageRiskScore | Number | The average risk score of the user. |
| Exabeam.User.FirstSeen | Date | The date the user was first seen. |
| Exabeam.User.NotableSessionIds | String | The ID of the notable session. |
| Exabeam.User.AccountsNumber | Number | The number of accounts. |
| Exabeam.User.LastSeen | Date | The date the user was last seen. |
| Exabeam.User.Location | String | The location of the user. |
| Exabeam.User.UserName | String | The name of the user. |
| Exabeam.User.Labels | String | The labels of the user. |
| Exabeam.User.LastActivityType | String | The last activity type of the user. |
| Exabeam.User.NotableUser | Boolean | Whether the user is a notable user. |

Command Example#

!exabeam-get-notable-users limit=3 time_period="1 year"

Human Readable Output#

Exabeam Notable Users:#

| UserName | UserFullName | Title | Department | Labels | NotableSessionIds | EmployeeType | FirstSeen | LastSeen | LastActivity | Location |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| username | fullname | Network Engineer | IT | privileged_user | session_id | employee | 2018-08-01T11:50:16 | 2018-09-09T16:36:13 | Account is active | Atlanta |
| username | fullname | Human Resources Coordinator | HR | | session_id | employee | 2018-07-03T14:26:26 | 2018-09-30T16:27:01 | Account is active | Chicago |
| username | fullname | Sales Representative | Sales | privileged_user | session_id | employee | 2018-08-10T15:55:25 | 2018-09-30T16:27:01 | Account is active | Atlanta |

exabeam-get-watchlists#


Returns all watchlist IDs and titles.

Base Command#

exabeam-get-watchlists

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.Watchlist.Category | String | The watchlist category. |
| Exabeam.Watchlist.Title | String | The watchlist title. |
| Exabeam.Watchlist.WatchlistID | String | The watchlist ID. |

Command Example#

!exabeam-get-watchlists

Human Readable Output#

Exabeam Watchlists:#

| WatchlistID | Title | Category |
| --- | --- | --- |
| 5c869ab0315c745d905a26d9 | Executive Users | UserLabels |
| 5c869ab0315c745d905a26da | Service Accounts | UserLabels |
| 5dbaba2dd4e62a0009dd7ae4 | user watchlist | Users |
| 5d8751723b72ea000830066a | VP Operations | PeerGroups |

exabeam-get-peer-groups#


Returns all peer groups.

Base Command#

exabeam-get-peer-groups

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.PeerGroup.Name | String | The name of the peer group. |

Command Example#

!exabeam-get-peer-groups

Human Readable Output#

Exabeam Peer Groups:#

| Name |
| --- |
| Marketing |
| usa |
| 101 |
| Program Manager |
| Channel Administrator |
| Chief Marketing Officer |
| Chief Strategy Officer |

exabeam-get-user-info#


Returns user information data for the username.

Base Command#

exabeam-get-user-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username of the user to fetch. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.User.RiskScore | Number | The risk score of the user. |
| Exabeam.User.AverageRiskScore | Number | The average risk score. |
| Exabeam.User.PeerGroupFieldName | String | The field name of the peer group. |
| Exabeam.User.FirstSeen | Date | The date when the user was first seen. |
| Exabeam.User.PeerGroupDisplayName | String | The display name of the peer group. |
| Exabeam.User.LastSeen | Date | The date the user was last seen. |
| Exabeam.User.PeerGroupFieldValue | String | The field value of the peer group. |
| Exabeam.User.Label | String | The labels of the user. |
| Exabeam.User.Username | String | The name of the user. |
| Exabeam.User.PeerGroupType | String | The type of the peer group. |
| Exabeam.User.LastSessionID | String | The last session ID of the user. |
| Exabeam.User.LastActivityType | String | The last activity type of the user. |
| Exabeam.User.AccountNames | String | The account name of the user. |

Command Example#

!exabeam-get-user-info username={username}

Human Readable Output#

User {username} information:#

| Username | RiskScore | AverageRiskScore | LastSessionID | FirstSeen | LastSeen | LastActivityType | AccountNames | PeerGroupFieldName | PeerGroupFieldValue | PeerGroupDisplayName | PeerGroupType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {username} | 163 | 102.53 | {session_id} | 2018-08-01T11:50:16 | 2018-09-09T16:36:13 | Account is active | {account_name} | Peer Groups | root | root | Group |

exabeam-get-user-labels#


Returns all labels of the user.

Base Command#

exabeam-get-user-labels

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.UserLabel.Label | String | The label of the user. |

Command Example#

!exabeam-get-user-labels

Human Readable Output#

Exabeam User Labels:#

| Label |
| --- |
| privileged_user |
| service_account |

exabeam-get-user-sessions#


Returns sessions for the given username and time range.

Base Command#

exabeam-get-user-sessions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username for which to fetch data. | Required |
| start_time | The start time of the time range. For example, 2018-08-01T11:50:16 or "30 days ago". | Optional |
| end_time | The end time of the time range. For example, 2018-08-01T11:50:16 or "1 week ago". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.User.Session.EndTime | Date | The end time of the session. |
| Exabeam.User.Session.InitialRiskScore | Number | The initial risk score of the session. |
| Exabeam.User.Session.Label | String | The label of the session. |
| Exabeam.User.Session.LoginHost | String | The login host. |
| Exabeam.User.Session.RiskScore | Number | The risk score of the session. |
| Exabeam.User.Session.SessionID | String | The ID of the session. |
| Exabeam.User.Session.StartTime | Date | The start time of the session. |
| Exabeam.User.Username | String | The username of the session. |

Command Example#

!exabeam-get-user-sessions username={username} start_time=2018-08-01T11:50:16

Human Readable Output#

User {username} sessions information:#

| SessionID | RiskScore | InitialRiskScore | StartTime | EndTime | LoginHost | Label |
| --- | --- | --- | --- | --- | --- | --- |
| session_id | 0 | 0 | 2018-08-01T14:05:46 | 2018-08-01T20:00:17 | login_host | |
| session_id | 0 | 0 | 2018-08-01T23:17:00 | 2018-08-02T02:37:51 | login_host | vpn-in |

exabeam-delete-watchlist#


Deletes a watchlist.

Base Command#

exabeam-delete-watchlist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_id | The watchlist ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!exabeam-delete-watchlist watchlist_id=5de50f82088c6a000865408d

Human Readable Output#

The watchlist 5de50f82088c6a000865408d was deleted successfully.

exabeam-get-asset-data#


Returns asset data.

Base Command#

exabeam-get-asset-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_name | The name of the asset. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.Asset.HostName | String | The host name of the asset. |
| Exabeam.Asset.IPAddress | String | The IP address of the asset. |
| Exabeam.Asset.AssetType | String | The type of the asset. |
| Exabeam.Asset.FirstSeen | Date | The date the asset was first seen. |
| Exabeam.Asset.LastSeen | String | The date the asset was last seen. |

Command Example#

!exabeam-get-asset-data asset_name={host_name}

Human Readable Output#

Exabeam Asset Data:#

| AssetType | FirstSeen | HostName | IPAddress | LastSeen |
| --- | --- | --- | --- | --- |
| Windows | 2018-07-03T14:21:00 | host_name | ip_address | 2018-09-30T16:23:17 |

exabeam-get-session-info-by-id#


Returns session info data for the given ID.

Base Command#

exabeam-get-session-info-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| session_id | ID of the session to fetch data for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.SessionInfo.sessionId | String | ID of the session. |
| Exabeam.SessionInfo.username | String | Username of the session. |
| Exabeam.SessionInfo.startTime | Date | Start time of the session. |
| Exabeam.SessionInfo.endTime | Date | End time of the session. |
| Exabeam.SessionInfo.initialRiskScore | Number | Initial risk score of the session. |
| Exabeam.SessionInfo.riskScore | Number | Risk score of the session. |
| Exabeam.SessionInfo.numOfReasons | Number | Number of rules in the session. |
| Exabeam.SessionInfo.loginHost | String | The host from which the user was logged in. |
| Exabeam.SessionInfo.label | String | Label of the session. |
| Exabeam.SessionInfo.accounts | String | Accounts in the session. |
| Exabeam.SessionInfo.numOfAccounts | Number | Number of accounts in the session. |
| Exabeam.SessionInfo.numOfZones | Number | Number of zones in the session. |
| Exabeam.SessionInfo.numOfAssets | Number | Number of assets in the session. |
| Exabeam.SessionInfo.numOfEvents | Number | Number of events in the session. |
| Exabeam.SessionInfo.numOfSecurityEvents | Number | Number of alerts in the session. |
| Exabeam.SessionInfo.zones | Unknown | Zones information of the session. |

Command Example#

!exabeam-get-session-info-by-id session_id=test-20200630233800

Human Readable Output#

Session test-20200630233800 Information#

AccountsEnd TimeInitial Risk ScoreLogin HostNum Of AccountsNum Of AssetsNum Of EventsNum Of ReasonsNum Of Security EventsNum Of ZonesRisk ScoreSession IdStart TimeUsernameZones
test2020-07-01T04:38:000test14260221test-202006302338002020-06-30T23:38:00testlos angeles office,
chicago office

exabeam-list-top-domains#


Lists the top domains of a sequence.

Base Command#

exabeam-list-top-domains

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sequence_id | ID of the sequence. | Required |
| sequence_type | Type of the sequence. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.DataFeed.topDomains | Unknown | Top domains information. |
| Exabeam.DataFeed.sequenceId | String | ID of the sequence. |
| Exabeam.DataFeed.sequenceType | String | Type of the sequence. |

Command Example#

!exabeam-list-top-domains sequence_id=test-20200630233800 sequence_type=session

Human Readable Output#

Sequence test-20200630233800 Top Domains#

No entries.

exabeam-list-triggered-rules#


Gets all the triggered rules of a sequence.

Base Command#

exabeam-list-triggered-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sequence_id | ID of the sequence to fetch data for. | Required |
| sequence_type | Type of the sequence to fetch data for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.TriggeredRule._Id | String | UUID of the rule. |
| Exabeam.TriggeredRule.ruleId | String | ID of the rule. |
| Exabeam.TriggeredRule.ruleType | String | Type of the rule. |
| Exabeam.TriggeredRule.eventId | String | Event ID of the rule. |
| Exabeam.TriggeredRule.sessionId | String | Session ID of the rule. |
| Exabeam.TriggeredRule.lockoutId | String | Lockout ID of the rule. |
| Exabeam.TriggeredRule.sequenceId | String | Sequence ID of the rule. |
| Exabeam.TriggeredRule.username | String | Username of the rule. |
| Exabeam.TriggeredRule.eType | String | Event type of the rule. |
| Exabeam.TriggeredRule.triggeringTime | Date | Time when the rule was triggered. |
| Exabeam.TriggeredRule.riskScore | Number | Risk score of the rule. |
| Exabeam.TriggeredRule.anchorScore | Number | Anchor score of the rule. |
| Exabeam.TriggeredRule.anomalyFactor | Number | Anomaly factor of the rule. |
| Exabeam.TriggeredRule.ruleData | Unknown | Data insight of the rule. |
| Exabeam.TriggeredRule.createdTime | Date | Time when the rule was created. |
| Exabeam.TriggeredRule.scoreData | Unknown | Score data of the rule. |
| Exabeam.TriggeredRule.multiPeerGroupData | Unknown | Multi-peer group data of the triggered rule. |

Command Example#

!exabeam-list-triggered-rules sequence_id=test-20200630233800 sequence_type=session

Human Readable Output#

Sequence test-20200630233800 Triggered Rules#

| _Id | anchorScore | anomalyFactor | createdTime | eType | eventId | riskScore | ruleData | ruleId | ruleType | scoreData | sessionId | triggeringTime | username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 60072e97131b380006eb2208 | 15.0 | 1.0 | 2021-01-19T19:10:15.330000 | local-logon | 2311678@m | 15.0 | featureValue: tks_en_dd7_kt, scopeValue: test, modelName: LL-UH | LL-UH-F | session | histScoreData: {"weight": 1.0, "rawScore": 1.0585832492943268} | test-20200630233800 | 2020-06-30T23:38:00 | test |
| 60072e97131b380006eb220b | 15.0 | 0.28 | 2021-01-19T19:10:15.330000 | local-logon | 2311678@m | 4.27 | featureValue: tks_en_dd7_kt, scopeValue: it administrator, modelName: LL-GH | LL-GH-F | session | histScoreData: {"weight": 1.0, "rawScore": 0.6133293162851026} | test-20200630233800 | 2020-06-30T23:38:00 | test |
| 60072e97131b380006eb220d | 7.0 | 0.27 | 2021-01-19T19:10:15.330000 | local-logon | 2311678@m | 1.9 | featureValue: tks_en_dd7_kt, scopeValue: salesforce, modelName: LL-GH | LL-GH-A | session | histScoreData: {"weight": 1.0, "rawScore": 3.5486919149585874} | test-20200630233800 | 2020-06-30T23:38:00 | test |

exabeam-get-asset-info#


Returns asset information for a given asset ID (hostname or IP address).

Base Command#

exabeam-get-asset-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the asset to fetch info for. | Required |
| max_users_number | The maximal number of users. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.AssetInfo.assetId | String | ID of the asset. |
| Exabeam.AssetInfo.hostName | String | Host of the asset. |
| Exabeam.AssetInfo.ipAddress | String | IP address of the asset. |
| Exabeam.AssetInfo.assetType | String | Type of the asset. |
| Exabeam.AssetInfo.firstSeen | Date | Time when the asset was first seen. |
| Exabeam.AssetInfo.lastSeen | Date | Time when the asset was last seen. |
| Exabeam.AssetInfo.riskScore | Number | Risk score of the asset. |
| Exabeam.AssetInfo.riskState | String | Risk state of the asset. |
| Exabeam.AssetInfo.zone | String | Zone of the asset. |
| Exabeam.AssetInfo.assetGroup | String | Group of the asset. |
| Exabeam.AssetInfo.latestSequenceId | String | ID of the latest sequence of the asset. |

Command Example#

!exabeam-get-asset-info asset_id=test_asset

Human Readable Output#

Asset test_asset Information#

| Asset Id | Asset Type | First Seen | Host Name | Ip Address | Last Seen | Latest Sequence Id | Risk Score | Zone |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| test_asset | Windows | 2020-06-01T14:41:00 | test_asset | 8.8.8.8 | 2020-07-02T19:58:00 | asset@test_asset-20200630 | 0.0 | new york office |

exabeam-list-asset-timeline-next-events#


Gets next events for a given asset.

Base Command#

exabeam-list-asset-timeline-next-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the asset. | Required |
| event_time | The event time, e.g. "2 years ago" or "2019-02-27". | Required |
| number_of_events | Preferred number of events. Default is 50. | Optional |
| anomaly_only | Whether to return only anomaly events. Possible values are: true, false. Default is false. | Optional |
| event_types | A comma-separated list of event types. | Optional |
| event_types_operator | Whether or not to include the specified event types. Possible values are: include, exclude. Default is exclude. | Optional |
| sequence_types | A comma-separated list of sequence types. | Required |
| event_categories | A comma-separated list of event categories. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.AssetEvent.event_id | String | Event ID of the asset. |
| Exabeam.AssetEvent.event_type | String | Type of the event. |
| Exabeam.AssetEvent.event_category | String | Category of the event. |
| Exabeam.AssetEvent.time | Date | Time when the event occurred. |
| Exabeam.AssetEvent.rawlog_time | Date | Raw log time of the event. |
| Exabeam.AssetEvent.session_id | String | Session ID of the event. |
| Exabeam.AssetEvent.session_order | String | Session order of the event. |
| Exabeam.AssetEvent.src_host | String | Source host of the event. |
| Exabeam.AssetEvent.src_ip | String | Source IP of the event. |
| Exabeam.AssetEvent.src_zone | String | Source zone of the event. |
| Exabeam.AssetEvent.dest_host | String | Destination host of the event. |
| Exabeam.AssetEvent.dest_ip | String | Destination IP of the event. |
| Exabeam.AssetEvent.dest_zone | String | Destination zone of the event. |
| Exabeam.AssetEvent.user | String | User of the event. |
| Exabeam.AssetEvent.host | String | Host of the event. |
| Exabeam.AssetEvent.domain | String | Domain of the event. |
| Exabeam.AssetEvent.account | String | Account of the event. |
| Exabeam.AssetEvent.hash | String | Hash of the event. |
| Exabeam.AssetEvent.entity_asset_id | String | Entity asset ID of the event. |
| Exabeam.AssetEvent.source | String | Source of the event. |

Command Example#

!exabeam-list-asset-timeline-next-events asset_id=test_asset event_time="2 years ago" sequence_types=session

Human Readable Output#

Asset test_asset Next Events#

1 local-logon event(s) between 2020-06-01 15:29:00 and 2020-06-01 15:29:00#

| Account | AuthPackage | AuthProcess | DestHost | DestIp | Domain | EntityAssetId | EventCategory | EventCode | EventId | EventType | Getvalue('ZoneInfo', Dest) | Hash | Host | IsSessionFirst | LogonTypeText | NonmachineUser | RawlogTime | SessionId | SessionOrder | Source | SrcHost | SrcIp | SrcZone | Time | User | UserSid |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| test_account1 | ntlm | Kerberos | tks_en_360_kt | 8.8.8.8 | kt_cloud | asset@test_asset-20200601 | user-events, asset-events | 4624 | 279@m | local-logon | zone55 | 1421552590 | dc_486 | true | 2 - Interactive | blozano | 2020-06-01T15:29:00 | blozano-20200601152900 | 1 | Windows | test_asset | 8.8.8.8 | los angeles office | 2020-06-01T15:29:00 | blozano | test_drive\blozano |

2 remote-access event(s) between 2020-06-01 16:00:00 and 2020-06-01 16:03:00#

| Account | AssetFeature | AuthPackage | AuthProcess | DestHost | DestIp | Domain | EntityAssetId | EventCategory | EventCode | EventId | EventType | Getvalue('ZoneInfo', Dest) | Hash | Host | LogonTypeText | NtlmHost | RawlogTime | SessionId | SessionOrder | Source | SrcHost | SrcHostWindows | SrcIp | SrcZone | Time | User | UserSid | ZoneFeature |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| test_account1 | test_asset:test_asset2 | ntlm | Negotiate | test_asset2 | 8.8.8.8 | dev_kt | asset@test_asset-20200601 | user-events, asset-events | 4624 | 562@m | remote-access | chicago office | 1895168631 | dc_887 | 3 - Network | test_asset | 2020-06-01T16:00:00 | test_account1-20200601160000 | 2 | Windows | test_asset | test_asset | 8.8.8.8 | zone55 | 2020-06-01T16:00:00 | test_account1 | test_drive\test_account1 | zone55:chicago office |
| test_account2 | test_asset:test_asset3 | ntlm | Kerberos | test_asset3 | 8.8.8.8 | dev_kt | asset@test_asset-20200601 | user-events, asset-events | 4624 | 873@m | remote-access | zone55 | 1665078914 | dc_879 | 3 - Network | test_asset | 2020-06-01T16:02:00 | test_account2-20200601140600 | 3 | Windows | test_asset | test_asset | 8.8.8.8 | los angeles office | 2020-06-01T16:02:00 | test_account2 | test_drive\test_account2 | zone55:los angeles office |

exabeam-list-security-alerts-by-asset#


Gets security alerts for a given asset.

Base Command#

exabeam-list-security-alerts-by-asset

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the asset to fetch info for. | Required |
| sort_by | The key to sort results by. Possible values are: date, riskScore. Default is date. | Optional |
| sort_order | The results order (ascending or descending). Possible values are: asc, desc. Default is desc. | Optional |
| limit | Maximal number of results. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.AssetSecurityAlert.process | String | Process of the security alert. |
| Exabeam.AssetSecurityAlert.process_name | String | Process name of the security alert. |
| Exabeam.AssetSecurityAlert.alert_name | String | Name of the security alert. |
| Exabeam.AssetSecurityAlert.alert_type | String | Type of the security alert. |
| Exabeam.AssetSecurityAlert.alert_severity | String | Severity of the security alert. |
| Exabeam.AssetSecurityAlert.malware_url | String | Malware URL of the security alert. |
| Exabeam.AssetSecurityAlert.event_id | String | Event ID of the asset. |
| Exabeam.AssetSecurityAlert.event_type | String | Type of the event. |
| Exabeam.AssetSecurityAlert.time | Date | Time when the event occurred. |
| Exabeam.AssetSecurityAlert.rawlog_time | Date | Raw log time of the security alert. |
| Exabeam.AssetSecurityAlert.session_id | String | Session ID of the security alert. |
| Exabeam.AssetSecurityAlert.session_order | String | Session order of the security alert. |
| Exabeam.AssetSecurityAlert.src_host | String | Source host of the security alert. |
| Exabeam.AssetSecurityAlert.src_ip | String | Source IP of the security alert. |
| Exabeam.AssetSecurityAlert.src_port | String | Source port of the security alert. |
| Exabeam.AssetSecurityAlert.dest_host | String | Destination host of the security alert. |
| Exabeam.AssetSecurityAlert.dest_ip | String | Destination IP of the security alert. |
| Exabeam.AssetSecurityAlert.dest_port | String | Destination port of the security alert. |
| Exabeam.AssetSecurityAlert.user | String | User of the security alert. |
| Exabeam.AssetSecurityAlert.host | String | Host of the security alert. |
| Exabeam.AssetSecurityAlert.domain | String | Domain of the security alert. |
| Exabeam.AssetSecurityAlert.account | String | Account of the security alert. |
| Exabeam.AssetSecurityAlert.hash | String | Hash of the security alert. |
| Exabeam.AssetSecurityAlert.MD5 | String | MD5 of the security alert. |
| Exabeam.AssetSecurityAlert.entity_asset_id | String | Entity asset ID of the security alert. |
| Exabeam.AssetSecurityAlert.source | String | Source of the security alert. |
| Exabeam.AssetSecurityAlert.vendor | String | Vendor of the security alert. |
| Exabeam.AssetSecurityAlert.sensor_id | Boolean | Sensor ID of the alert. |
| Exabeam.AssetSecurityAlert.local_asset | String | Local asset of the security alert. |
| Exabeam.AssetSecurityAlert.additional_info | String | Additional information about the security alert. |

Command Example#

!exabeam-list-security-alerts-by-asset asset_id=lt-test_asset-888

Human Readable Output#

Asset lt-test_asset-888 Security Alerts#

AccountAdditional _ InfoAlert _ IdAlert _ NameAlert _ SeverityAlert _ TypeDest _ HostDest _ IpDest _ PortEntity Asset IdEvent _ IdEvent _ TypeHashHostLocal _ AssetMalware _ UrlMd 5ProcessProcess _ NameRawlog _ TimeSensor _ IdSession _ IdSession _ OrderSourceSrc Dest AlertSrc _ HostSrc _ IpSrc _ PortTimeUserVendor
test_accountdefault_taxes:1956test14Export-ReportView-Contacttks_en_eff_kt8.8.8.81117asset@lt-test_asset-888-20200613,
asset@tks_en_eff_kt-20200613,
asset@10.37.0.17-20200613,
asset@192.168.16.137-20200613
968178@msecurity-alert781895093dc_936lt-test_asset-888test.come62ef0ed95b79d4c6327d410cb8100348ctest.exetest.exe2020-06-13T17:25:000xun6ftest_asset-2020061315480022Palo Alto Networks WildFireBackdoor-FFBM:lt-test_asset-888:tks_en_eff_ktlt-test_asset-8888.8.8.812042020-06-13T17:25:00test_assetPalo Alto Networks WildFire
test_account* Pull Request: []3770test2LOWExport-Reporttks_en_0b3_kt8.8.8.8105asset@lt-test_asset-888-20200613,
asset@tks_en_0b3_kt-20200613,
asset@10.37.0.17-20200613,
asset@10.136.0.55-20200613
954176@msecurity-alert1734360022dc_936lt-test_asset-888http://test.com/1c30fae6dadda43962e2444445d3f87f70test.exetest.exe2020-06-13T16:16:000x6m5wtest_asset-202006131548006Palo Alto Networks WildFireExploit/CVE-2015-1539:lt-test_asset-888:tks_en_0b3_ktlt-test_asset-8888.8.8.812042020-06-13T16:16:00test_assetPalo Alto Networks WildFire

exabeam-search-rules#


Searches for rules by a keyword.

Base Command#

exabeam-search-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| keyword | The search keyword. | Required |
| filter | The search filter. | Optional |
| limit | Maximal number of rules to retrieve. Default is 50. | Optional |
| page | Results page number. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.Rule.categoryId | String | Category ID of the rule. |
| Exabeam.Rule.categoryDisplayName | String | Category display name of the rule. |
| Exabeam.Rule.ruleId | String | ID of the rule. |
| Exabeam.Rule.ruleDef.ruleName | String | Name of the rule. |
| Exabeam.Rule.ruleDef.ruleDescription | String | Description of the rule. |
| Exabeam.Rule.ruleDef.reasonTemplate | String | Reason template of the rule. |
| Exabeam.Rule.ruleDef.aggregateReasonTemplate | String | Aggregate reason template of the rule. |
| Exabeam.Rule.ruleDef.ruleType | String | Type of the rule. |
| Exabeam.Rule.ruleDef.classifyIf | String | Classification definition of the rule. |
| Exabeam.Rule.ruleDef.ruleEventTypes | String | Event types of the rule. |
| Exabeam.Rule.ruleDef.disabled | Boolean | Whether or not the rule is disabled. |
| Exabeam.Rule.ruleDef.modelName | String | Model name of the rule. |
| Exabeam.Rule.ruleDef.factFeatureName | String | Fact feature name of the rule. |
| Exabeam.Rule.ruleDef.hasDynamicScore | Boolean | Whether or not the rule has a dynamic score. |
| Exabeam.Rule.ruleDef.score | Number | Score of the rule. |
| Exabeam.Rule.ruleDef.percentileThreshold | String | Percentile threshold of the rule. |
| Exabeam.Rule.ruleDef.ruleExpression | String | The rule expression. |
| Exabeam.Rule.ruleDef.dependencyExpression | String | The rule dependency expression. |
| Exabeam.Rule.ruleDef.ruleCategory | String | The category of the rule. |
| Exabeam.Rule.disabled | Boolean | Whether or not the rule is disabled. |
| Exabeam.Rule.effective | Boolean | True if the rule is effective, false otherwise. |
| Exabeam.Rule.state | String | State of the rule (DefaultExabeam, ModifiedExabeam or CustomerCreated). |
| Exabeam.Rule.canSimpleEdit | Boolean | Whether or not it is possible to use the simple editor on this rule. |

Command Example#

!exabeam-search-rules limit=1 keyword=account

Human Readable Output#

Rule Search Results#

| Can Simple Edit | Category Display Name | Category Id | Disabled | Effective | Rule Id | State |
| --- | --- | --- | --- | --- | --- | --- |
| false | Account Creation and Management | Account Creation and Management | false | true | AM-GOU-A | ModifiedExabeam |

Rule Def:

    ruleId: AM-GOU-A
    ruleName: Abnormal account OU addition to this group
    ruleDescription: OU means Organizational Unit - a container within a Microsoft Active Directory domain which can hold users, groups, and computers. Account management events are notable because they can provide a path for an attacker to move laterally through a system.
    reasonTemplate: Abnormal account OU {default|event.account_ou} addition to group {default|event.group_name}
    aggregateReasonTemplate: Abnormal account OU addition to this group: {default|featureValue|histogram}
    ruleType: session
    classifyIf: (count(account_ou, 'member-added') = 1)
    ruleEventTypes: member-added
    disabled: false
    modelName: AM-GOU
    factFeatureName: account_ou
    hasDynamicScore: false
    score: 7.0
    percentileThreshold: 0.1
    ruleExpression: ((confidence_factor >= 0.8) && ((num_observations > 0) && (num_observations < percentile_threshold_count)))
    dependencyExpression: NA
    ruleCategory: Account Creation and Management
    ruleLabels:

exabeam-get-rule-string#


Gets a rule's information as a string.

Base Command#

exabeam-get-rule-string

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The ID of the rule. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.Rule.ruleId | String | The ID of the rule. |
| Exabeam.Rule.ruleString | String | The rule string. |

Command Example#

!exabeam-get-rule-string rule_id=AM-GOU-A

Human Readable Output#

Rule AM-GOU-A String#

Rule Id: AM-GOU-A

Rule String:

    AM-GOU-A {
    RuleName = "Abnormal account OU addition to this group"
    RuleDescription = "OU means Organizational Unit - a container within a Microsoft Active Directory domain which can hold users, groups, and computers. Account management events are notable because they can provide a path for an attacker to move laterally through a system."
    ReasonTemplate = "Abnormal account OU {default|event.account_ou} addition to group {default|event.group_name}"
    AggregateReasonTemplate = "Abnormal account OU addition to this group: {default|featureValue|histogram}"
    RuleType = "session"
    RuleCategory = "Account Creation and Management"
    ClassifyIf = "count(account_ou,'member-added')=1"
    RuleEventTypes = ["member-added"]
    Disabled = "FALSE"
    Model = "AM-GOU"
    FactFeatureName = "account_ou"
    Score = "7"
    HistShapeScoring {
    Enabled = true
    }
    PercentileThreshold = "0.1"
    RuleExpression = "confidence_factor>=0.8 && num_observations>0 && num_observations <percentile_threshold_count"
    DependencyExpression = "NA"
    RuleLabels {
    mitre = ["T1078"]
    }
    }
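To work with the rule string programmatically (for example, auditing which rules are disabled or which MITRE techniques they are labelled with), here is an added parser that is not part of the integration or of Exabeam's tooling. The grammar is inferred from the single sample above, so it assumes one statement per line, `"`-quoted strings, JSON-style lists, bare booleans and nested `Name { ... }` blocks; `SAMPLE_RULE_STRING` is the page's AM-GOU-A rule trimmed to the keys the parser exercises.

```python
import json

# Copied from the page's exabeam-get-rule-string output for AM-GOU-A (trimmed).
SAMPLE_RULE_STRING = """AM-GOU-A {
RuleName = "Abnormal account OU addition to this group"
ReasonTemplate = "Abnormal account OU {default|event.account_ou} addition to group {default|event.group_name}"
RuleType = "session"
ClassifyIf = "count(account_ou,'member-added')=1"
RuleEventTypes = ["member-added"]
Disabled = "FALSE"
Model = "AM-GOU"
Score = "7"
HistShapeScoring {
Enabled = true
}
RuleExpression = "confidence_factor>=0.8 && num_observations>0 && num_observations <percentile_threshold_count"
RuleLabels {
mitre = ["T1078"]
}
}"""


def _parse_value(raw):
    """Convert one right-hand side: quoted string, JSON-style list, bare boolean or number."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("["):
        return json.loads(raw)  # list syntax in the sample is JSON-compatible (assumption)
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return float(raw) if "." in raw else int(raw)
    except ValueError:
        return raw


def parse_rule_string(text):
    """Parse the block syntax into nested dicts: {"AM-GOU-A": {"RuleName": ..., "RuleLabels": {...}}}.
    A line ending in '{' with no '=' opens a block; a bare '}' closes the innermost one."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in rule string")
            stack.pop()
        elif line.endswith("{") and "=" not in line:
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif "=" in line:
            # Split on the first '=' only: values such as RuleExpression contain '>=' themselves.
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = _parse_value(value)
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unterminated block in rule string")
    return root


def rule_summary(text):
    """Pull the fields a rule audit usually wants out of a parsed rule string."""
    parsed = parse_rule_string(text)
    rule_id, body = next(iter(parsed.items()))
    return {
        "rule_id": rule_id,
        "name": body.get("RuleName"),
        "enabled": str(body.get("Disabled", "FALSE")).upper() != "TRUE",
        "score": float(body.get("Score", 0)),
        "event_types": body.get("RuleEventTypes", []),
        "mitre": body.get("RuleLabels", {}).get("mitre", []),
        "hist_shape_scoring": bool(body.get("HistShapeScoring", {}).get("Enabled", False)),
    }


if __name__ == "__main__":
    print(rule_summary(SAMPLE_RULE_STRING))
```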

exabeam-fetch-rules#


Gets all rules.

Base Command#

exabeam-fetch-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_by | The type of the rules to retrieve. Possible values are: all, custom, default. Default is all. | Optional |
| page | Which page of results to return. Default is 0. | Optional |
| limit | Maximal number of results. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.Rule.categoryId | String | Category ID of the rule. |
| Exabeam.Rule.categoryDisplayName | String | Category display name of the rule. |
| Exabeam.Rule.ruleId | String | ID of the rule. |
| Exabeam.Rule.ruleDef.ruleName | String | Name of the rule. |
| Exabeam.Rule.ruleDef.ruleDescription | String | Description of the rule. |
| Exabeam.Rule.ruleDef.reasonTemplate | String | Reason template of the rule. |
| Exabeam.Rule.ruleDef.aggregateReasonTemplate | String | Aggregate reason template of the rule. |
| Exabeam.Rule.ruleDef.ruleType | String | Type of the rule. |
| Exabeam.Rule.ruleDef.classifyIf | String | Classification expression definition of the rule. |
| Exabeam.Rule.ruleDef.ruleEventTypes | String | Event types of the rule. |
| Exabeam.Rule.ruleDef.disabled | Boolean | Whether or not the rule is disabled. |
| Exabeam.Rule.ruleDef.modelName | String | Model name that the rule references. |
| Exabeam.Rule.ruleDef.factFeatureName | String | The name of a feature used for fact based rules. |
| Exabeam.Rule.ruleDef.hasDynamicScore | Boolean | Whether or not the rule has a dynamic score. |
| Exabeam.Rule.ruleDef.score | Number | Score of the rule. |
| Exabeam.Rule.ruleDef.percentileThreshold | String | Indicates which observations are considered anomalous based on the histogram. |
| Exabeam.Rule.ruleDef.ruleExpression | String | A boolean expression that the rule engine uses to determine if a particular rule will trigger. |
| Exabeam.Rule.ruleDef.dependencyExpression | String | The rule dependency expression. |
| Exabeam.Rule.ruleDef.ruleCategory | String | The category of the rule. |
| Exabeam.Rule.disabled | Boolean | Whether or not the rule is disabled. |
| Exabeam.Rule.effective | Boolean | True if the rule is effective, false otherwise. |
| Exabeam.Rule.state | String | State of the rule (DefaultExabeam, ModifiedExabeam or CustomerCreated). |
| Exabeam.Rule.canSimpleEdit | Boolean | Whether or not it is possible to use the simple editor on this rule. |

Command Example#

!exabeam-fetch-rules limit=1

Human Readable Output#

Rule Search Results#

| Can Simple Edit | Category Display Name | Category Id | Disabled | Effective | Rule Def | Rule Id | State |
| --- | --- | --- | --- | --- | --- | --- | --- |
| false | Account Creation and Management | Account Creation and Management | false | true | ruleId: AM-GOU-A<br>ruleName: Abnormal account OU addition to this group<br>ruleDescription: OU means Organizational Unit - a container within a Microsoft Active Directory domain which can hold users, groups, and computers. Account management events are notable because they can provide a path for an attacker to move laterally through a system.<br>reasonTemplate: Abnormal account OU {default\|event.account_ou} addition to group {default\|event.group_name}<br>aggregateReasonTemplate: Abnormal account OU addition to this group: {default\|featureValue\|histogram}<br>ruleType: session<br>classifyIf: (count(account_ou, 'member-added') = 1)<br>ruleEventTypes: member-added<br>disabled: false<br>modelName: AM-GOU<br>factFeatureName: account_ou<br>hasDynamicScore: false<br>score: 7.0<br>percentileThreshold: 0.1<br>ruleExpression: ((confidence_factor >= 0.8) && ((num_observations > 0) && (num_observations < percentile_threshold_count)))<br>dependencyExpression: NA<br>ruleCategory: Account Creation and Management<br>ruleLabels: | AM-GOU-A | ModifiedExabeam |

exabeam-get-rules-model-definition#


Gets a rule model definition by name.

Base Command#

exabeam-get-rules-model-definition

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| model_name | The name of the model. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.Model.alpha | String | Alpha value of the model. |
| Exabeam.Model.name | String | Name of the model. |
| Exabeam.Model.feature | String | Feature of the model. |
| Exabeam.Model.cutOff | String | Cut off value of the model. |
| Exabeam.Model.histogramEventTypes | String | Histogram event types of the model. |
| Exabeam.Model.featureName | String | Feature name of the model. |
| Exabeam.Model.description | String | Description of the model. |
| Exabeam.Model.trainIf | String | Train if expression definition of the model. |
| Exabeam.Model.featureType | String | Feature type of the model. |
| Exabeam.Model.modelTemplate | String | The model template. |
| Exabeam.Model.convergenceFilter | String | Convergence filter of the model. |
| Exabeam.Model.iconName | String | Icon name of the model. |
| Exabeam.Model.modelType | String | Type of the model. |
| Exabeam.Model.binWidth | String | The bin width. |
| Exabeam.Model.maxNumberOfBins | String | The maximal number of bins. |
| Exabeam.Model.scopeType | String | The scope type of the model. |
| Exabeam.Model.agingWindow | String | Aging window of the model. |
| Exabeam.Model.category | String | The model category. |
| Exabeam.Model.disabled | String | TRUE if the model is disabled, FALSE otherwise. |
| Exabeam.Model.scopeValue | String | The scope value of the model. |

Command Example#

!exabeam-get-rules-model-definition model_name=AM-AG

Human Readable Output#

Model AM-AG Definition#

| Field | Value |
| --- | --- |
| Aging Window | 32 |
| Alpha | 0.8 |
| Category | Other |
| Convergence Filter | confidence_factor>=0.8 |
| Cut Off | 5 |
| Description | Models which security groups users are being added to in the organization |
| Disabled | FALSE |
| Feature | group_name |
| Feature Name | group_name |
| Feature Type | group_name |
| Histogram Event Types | member-added |
| Max Number Of Bins | 1000000 |
| Model Template | Account management, groups which users are being added to |
| Model Type | CATEGORICAL |
| Name | AM-AG |
| Scope Type | ORG |
| Scope Value | org |
| Train If | TRUE |

exabeam-watchlist-add-items#


Add watchlist items by their names or from a CSV file.

Base Command#

exabeam-watchlist-add-items

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_id | The watchlist ID. | Required |
| items | A comma-separated list of the items to add. | Optional |
| csv_entry_id | The entry ID of the CSV file. | Optional |
| watch_until_days | Number of days until asset is automatically removed from the watchlist. Default is 50. | Optional |
| category | The item category. Possible values are: Anomalies, Assets, Events, Sessions, Users. | Required |

Context Output#

There is no context output for this command.

Command Example#

!exabeam-watchlist-add-items category=Assets watchlist_id=60249dfb130b3800075b8e36 items=asset1,asset2

Human Readable Output#

Successfully added 2 items to watchlist 60249dfb130b3800075b8e36.

exabeam-watchlist-asset-search#


Gets the assets of a specified watchlist according to a keyword.

Base Command#

exabeam-watchlist-asset-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| keyword | A keyword to search. | Required |
| watchlist_id | The watchlist ID. | Required |
| limit | Maximum number of results to retrieve. Default is 30. | Optional |
| is_exclusive | Whether or not the item is exclusive on watchlist. Possible values are: true, false. Default is false. | Optional |
| search_by_ip | Whether or not to search the item by its IP. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.AssetInfo.hostName | String | Host of the asset. |
| Exabeam.AssetInfo.ipAddress | String | IP address of the asset. |
| Exabeam.AssetInfo.assetType | String | Type of the asset. |
| Exabeam.AssetInfo.firstSeen | Date | Time when the asset was first seen. |
| Exabeam.AssetInfo.lastSeen | Date | Time when the asset was last seen. |
| Exabeam.AssetInfo.riskScore | Number | Risk score of the asset. |
| Exabeam.AssetInfo.riskState | String | Risk state of the asset. |
| Exabeam.AssetInfo.zone | String | Zone of the asset. |

Command Example#

!exabeam-watchlist-asset-search watchlist_id=60249dfb130b3800075b8e36 keyword=s

Human Readable Output#

Watchlist 60249dfb130b3800075b8e36 Assets Search Results#

| Asset Type | First Seen | Host Name | Ip Address | Last Seen | Risk Score | Risk State | Zone |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Windows | 2020-06-01T15:01:00 | asset1 | 8.8.8.8 | 2020-07-03T23:16:00 | 0.0 | compromised | atlanta office |
| Windows | 2020-06-01T14:17:00 | asset2 | | 2020-07-03T23:45:00 | 140.0 | compromised | |

exabeam-watchlist-remove-items#


Removes items from a watchlist.

Base Command#

exabeam-watchlist-remove-items

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_id | The watchlist ID. | Required |
| items | A comma-separated list of the items to remove. | Required |
| category | The category of the items to remove. Possible values are: Anomalies, Assets, Events, Sessions, Users. | Required |

Context Output#

There is no context output for this command.

Command Example#

!exabeam-watchlist-remove-items category=Assets watchlist_id=60249dfb130b3800075b8e36 items=asset1,asset2

Human Readable Output#

Successfully removed 2 items from watchlist 60249dfb130b3800075b8e36.

exabeam-list-context-table-records#


Returns a list of a context table records.

Base Command#

exabeam-list-context-table-records

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| context_table_name | The name of the context table. | Required |
| limit | Maximum number of results to return. Default is 50. | Optional |
| offset | The offset number to begin (starts from 1). Default is 1. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.ContextTable.Name | String | Name of the context table. |
| Exabeam.ContextTable.Record.key | String | The key of the record. |
| Exabeam.ContextTable.Record.id | String | The ID of the record. |
| Exabeam.ContextTable.Record.sourceType | String | The source type of the record. |
| Exabeam.ContextTable.Record.position | Number | The position of the record. |
| Exabeam.ContextTable.Record.value | String | Value of the record. |

Command Example#

!exabeam-list-context-table-records context_table_name=test_table

Human Readable Output#

Context Table test_table Records#

| Id | Position | Source Type | Key | Value |
| --- | --- | --- | --- | --- |
| 0-0 | 0 | Manual | ktest2 | v3 |
| 0-1 | 1 | Manual | ktest3 | |
| 0-2 | 2 | Manual | ktest4 | v4 |
| 0-3 | 3 | Manual | k1 | v1,<br>v2,<br>v3 |

exabeam-add-context-table-records#


Add records to the context table.

Base Command#

exabeam-add-context-table-records

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| context_table_name | The name of the context table. | Required |
| records | A comma-separated list of records to add, for example: k1,k2. If context_table_type argument is set to key_value, every record should be in "key:values" format, where "values" is a semi-colon separated list of values. For example: k1:v1;v2,k2:v3,k3:,k4:v4. | Required |
| session_id | The ID of update session. If not specified, a new session is created. | Optional |
| context_table_type | The context table type. Possible values are: key_only, key_value. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.ContextTableUpdate.contextTableName | String | The context table name. |
| Exabeam.ContextTableUpdate.sessionId | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.changeType | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.changeId | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.record.key | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.record.value | Unknown | The raw data of the context table update. |

Command Example#

!exabeam-add-context-table-records context_table_name=test_table context_table_type=key_value records=testk1:v1,testv2:,testv3:v31;v32

Human Readable Output#

Context Table test_do_not_remove Update Details#

createdSize: 3, updatedSize: 0, removedSize: 0, duplicates: []

| Change Id | Change Type | Context Table Name | Record | Session Id |
| --- | --- | --- | --- | --- |
| 45dc28dc-28be-426c-9293-d7f477f85408 | created | test_table | key: testk1<br>value: v1 | f0283c9c-7317-457b-b9de-43888960b4cb |
| 1c96f414-dc0e-4106-a972-05dbbb77dd63 | created | test_table | key: testv2<br>value: | f0283c9c-7317-457b-b9de-43888960b4cb |
| 0a2ca93c-e5da-442c-adcd-5c7af2df9b13 | created | test_table | key: testv3<br>value: v31,<br>v32 | f0283c9c-7317-457b-b9de-43888960b4cb |

exabeam-update-context-table-records#


Updates records of a context table.

Base Command#

exabeam-update-context-table-records

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| context_table_name | The name of the context table. | Required |
| session_id | The ID of update session. If not specified, a new session is created. | Optional |
| records | A comma-separated list of records to update. If context_table_type argument is set to key_only, each record should be in the following format: id:key. Otherwise it's a key_value type and then the format of a record is id:key:values, where the values are separated by semi-colons. | Required |
| context_table_type | Type of the context table. Possible values are: key_only, key_value. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.ContextTableUpdate.contextTableName | String | The context table name. |
| Exabeam.ContextTableUpdate.sessionId | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.changeType | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.changeId | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.record.key | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.record.value | Unknown | The raw data of the context table update. |

Command Example#

!exabeam-update-context-table-records context_table_name=test_key_only context_table_type=key_only records=0-0:test,0-1:test1

Human Readable Output#

Context Table test_key_only Update Details#

createdSize: 0, updatedSize: 2, removedSize: 0, duplicates: []

| Change Id | Change Type | Context Table Name | Record | Session Id |
| --- | --- | --- | --- | --- |
| 9be31efc-0aac-4c56-98e1-dedec68f32dd | updated | test_key_only | key: test<br>id: 0-0 | fdf0fd02-bf87-4c03-ad09-cc53e4c8aaee |
| 744b59ee-0f53-4e1f-8bfc-fcdcc9a8c568 | updated | test_key_only | key: test1<br>id: 0-1 | fdf0fd02-bf87-4c03-ad09-cc53e4c8aaee |
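The `records` argument of exabeam-add-context-table-records and exabeam-update-context-table-records packs several separators into one string (`,` between records, `:` between id, key and values, `;` between values), and a malformed record is easy to produce by hand, for instance a value list with commas, which would be read as extra records. The helper below is an added example, not code from the Exabeam integration; it assumes only the four record formats stated in the two commands' argument tables (key_only and key_value, with or without a leading record id for updates). It parses an argument string into records, rejects entries that do not fit the declared table type, rebuilds the string from structured data, and reports duplicate keys, which the server echoes back in the update details as `duplicates`. The sample inputs are the page's own command examples.

```python
"""Compose and validate the ``records`` argument of the Exabeam context table
add/update commands. Added example; assumes only the documented formats:

  add,    key_only  : "k1,k2"
  add,    key_value : "k1:v1;v2,k2:v3,k3:,k4:v4"
  update, key_only  : "0-0:test,0-1:test1"
  update, key_value : "0-0:k1:v1;v2"
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Record:
    key: str
    values: List[str] = field(default_factory=list)   # always empty for key_only tables
    record_id: Optional[str] = None                    # set only for update records


def parse_records(records: str, table_type: str, update: bool = False) -> List[Record]:
    """Split a records argument into Record objects, rejecting malformed entries.

    Because ':' and ',' are structural, keys or values containing them cannot be
    expressed in this format; such input is reported as an error instead of being
    silently split into the wrong records.
    """
    if table_type not in ("key_only", "key_value"):
        raise ValueError(f"unknown context_table_type: {table_type!r}")
    expected = 1 if table_type == "key_only" else 2   # key, or key + values
    if update:
        expected += 1                                  # leading record id
    parsed: List[Record] = []
    for raw in records.split(","):
        raw = raw.strip()
        if not raw:
            raise ValueError("empty record in records argument")
        parts = raw.split(":")
        if len(parts) != expected:
            raise ValueError(f"record {raw!r} does not match the {table_type} format")
        record_id = parts.pop(0) if update else None
        key = parts[0]
        if not key:
            raise ValueError(f"record {raw!r} has an empty key")
        # "k3:" is a valid key_value record with no values, so drop empty items.
        values = [v for v in parts[1].split(";") if v] if table_type == "key_value" else []
        parsed.append(Record(key=key, values=values, record_id=record_id))
    return parsed


def format_records(records: List[Record], table_type: str, update: bool = False) -> str:
    """Inverse of parse_records: build the argument string from Record objects."""
    out = []
    for r in records:
        text = r.key
        if table_type == "key_value":
            text += ":" + ";".join(r.values)
        if update:
            if r.record_id is None:
                raise ValueError(f"update record {r.key!r} needs a record_id")
            text = f"{r.record_id}:{text}"
        out.append(text)
    return ",".join(out)


def find_duplicates(records: List[Record]) -> List[str]:
    """Keys that occur more than once, in first-seen order."""
    seen, dupes = set(), []
    for r in records:
        if r.key in seen and r.key not in dupes:
            dupes.append(r.key)
        seen.add(r.key)
    return dupes


if __name__ == "__main__":
    # The page's add example, parsed and printed as structured records.
    for rec in parse_records("testk1:v1,testv2:,testv3:v31;v32", "key_value"):
        print(rec.record_id, rec.key, rec.values)
```

Run `parse_records(...)` on the string before handing it to the command; a `ValueError` means the string would not have meant what the caller intended (for example a key_only table given `key:value` entries). `format_records` is the safer way to produce the string in the first place when the records come from structured data such as a CSV already loaded in a playbook.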

exabeam-get-context-table-in-csv#


Export a context table to CSV.

Base Command#

exabeam-get-context-table-in-csv

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| context_table_name | Name of the context table. | Required |

Context Output#

There is no context output for this command.

Command Example#

!exabeam-get-context-table-in-csv context_table_name=test_table

exabeam-add-context-table-records-from-csv#


Add context table records from CSV file in a specific modification session.

Base Command#

exabeam-add-context-table-records-from-csv

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| context_table_name | Name of the context table. | Required |
| session_id | The ID of context table session. If not specified, a new session is created. | Optional |
| has_header | Indicates whether the file has a header. Possible values are: true, false. | Required |
| file_entry_id | The entry ID of the CSV file from which records will be added. | Required |
| append_or_replace | Whether to replace or append the records from the CSV file. Possible values are: append, replace. Default is append. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!exabeam-add-context-table-records-from-csv context_table_name=test_table file_entry_id=2034d0d-86ad-04bc3dfa1272 has_header=true append_or_replace=append

Human Readable Output#

Context Table test_table Update Details#

createdSize: 2, updatedSize: 0, removedSize: 0, duplicates: []

| Change Id | Change Type | Context Table Name | Record | Session Id |
| --- | --- | --- | --- | --- |
| 4a376a74-7f02-49cc-ac37-d73f37ba7809 | created | test_table | key: k33<br>value: 1 | 15b2499c-8506-48ed-9431-7dce94de33a2 |
| 37733fb6-e947-4b07-b240-9c5602317d55 | created | test_table | key: k44<br>value: 2,3 | 15b2499c-8506-48ed-9431-7dce94de33a2 |

exabeam-delete-context-table-records#


Delete records from a context table.

Base Command#

exabeam-delete-context-table-records

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| context_table_name | Name of the context table. | Required |
| records | A comma-separated list of the records' keys to delete. | Required |
| session_id | The ID of update session. If not specified, a new session is created. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.ContextTableUpdate.contextTableName | String | The context table name. |
| Exabeam.ContextTableUpdate.sessionId | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.changeType | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.changeId | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.record.key | Unknown | The raw data of the context table update. |
| Exabeam.ContextTableUpdate.record.value | Unknown | The raw data of the context table update. |

Command Example#

!exabeam-delete-context-table-records context_table_name=test_table context_table_type=key_value records=testk11,testv2

Human Readable Output#

Context Table test_table Update Details#

createdSize: 0, updatedSize: 0, removedSize: 2, duplicates: []

| Change Id | Change Type | Context Table Name | Record | Session Id |
| --- | --- | --- | --- | --- |
| e4469b52-ac45-4c97-91af-16c31b8fbb49 | removed | test_table | key:<br>id: testk11 | 64e660b7-5f70-40df-adf7-3e8a4bf25462 |
| 5137afa2-36d4-4818-93ec-f3fd0e244c38 | removed | test_table | key:<br>id: testv2 | 64e660b7-5f70-40df-adf7-3e8a4bf25462 |

exabeam-get-notable-assets#

Base Command#

exabeam-get-notable-assets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of returned results. | Required |
| time_period | The time period for which to fetch notable users, such as 3 months, 2 days, 4 hours, 1 year, and so on. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.NotableAsset.HostName | String | The notable asset host name. |
| Exabeam.NotableAsset.IPAddress | String | The notable asset IP address. |
| Exabeam.NotableAsset.AssetType | String | The notable asset type. |
| Exabeam.NotableAsset.FirstSeen | Date | Time when the asset was first seen. |
| Exabeam.NotableAsset.LastSeen | Date | Time when the asset was last seen. |
| Exabeam.NotableAsset.highestRiskScore | Number | The highest risk score of the asset. |
| Exabeam.NotableAsset.id | String | The notable asset ID. |
| Exabeam.NotableAsset.entityName | String | The entity name of the asset. |
| Exabeam.NotableAsset.entityValue | String | The entity value of the asset. |
| Exabeam.NotableAsset.day | Date | The notable asset date. |
| Exabeam.NotableAsset.triggeredRuleCountOpt | Number | The number that asset triggered rule count opt. |
| Exabeam.NotableAsset.riskScoreOpt | Number | Risk score opt of the asset. |
| Exabeam.NotableAsset.incidentIds | Unknown | The incident IDs of the notable asset. |
| Exabeam.NotableAsset.commentId | String | The comment ID of the notable asset. |
| Exabeam.NotableAsset.commentType | String | The comment type of the notable asset. |
| Exabeam.NotableAsset.commentObjectId | String | The comment object ID of the notable asset. |
| Exabeam.NotableAsset.text | String | The notable asset text. |
| Exabeam.NotableAsset.exaUser | String | The notable asset exaUser. |
| Exabeam.NotableAsset.exaUserFullname | String | The notable asset exaUser fullname. |
| Exabeam.NotableAsset.createTime | Date | Time when the asset was created. |
| Exabeam.NotableAsset.updateTime | Date | Time when the asset was updated. |
| Exabeam.NotableAsset.edited | Boolean | Whether or not the notable asset is edited. |
| Exabeam.NotableAsset.zone | String | The number that asset triggered rule count opt. |

Command Example#

!exabeam-get-notable-assets limit=1 time_period="1 day"

exabeam-get-notable-session-details#


Returns notable session details.

Base Command#

exabeam-get-notable-session-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the asset to fetch info for. | Required |
| sort_by | The key to sort results by. Possible values are: date, riskScore. Default is date. | Optional |
| sort_order | The order of the results (ascending or descending). Possible values are: asc, desc. Default is desc. | Optional |
| limit | Maximum number of results. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.NotableSession.users.UserName | String | The notable session user name. |
| Exabeam.NotableSession.users.RiskScore | Number | The notable session risk score. |
| Exabeam.NotableSession.users.AverageRiskScore | Number | The average risk score of the notable session. |
| Exabeam.NotableSession.users.FirstSeen | Date | Time when the notable session was first seen. |
| Exabeam.NotableSession.users.LastSeen | Date | Time when the notable session was last seen. |
| Exabeam.NotableSession.users.lastActivityType | String | The last activity type of the user. |
| Exabeam.NotableSession.users.Labels | Unknown | The labels of the user. |
| Exabeam.NotableSession.users.LastSessionID | String | The last session ID of the user. |
| Exabeam.NotableSession.users.EmployeeType | String | The employee type of the user. |
| Exabeam.NotableSession.users.Department | String | The department of the user. |
| Exabeam.NotableSession.users.Title | String | The role of the user. |
| Exabeam.NotableSession.users.Location | String | The location of the user. |
| Exabeam.NotableSession.users.Email | String | The email of the user. |
| Exabeam.NotableSession.sessions.SessionID | String | The Session ID. |
| Exabeam.NotableSession.sessions.InitialRiskScore | Number | Initial risk score of the session. |
| Exabeam.NotableSession.sessions.LoginHost | String | The host from which the user was logged in. |
| Exabeam.NotableSession.sessions.Accounts | String | Accounts in the session. |
| Exabeam.NotableSession.executiveUserFlags | Unknown | Whether the user is an executive user. |

Command Example#

!exabeam-get-notable-session-details asset_id=asset_id sort_by=date sort_order=asc limit=1

exabeam-get-notable-sequence-details#


Returns sequence details for the given asset ID and time range.

Base Command#

exabeam-get-notable-sequence-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | The asset ID for which to fetch data. | Required |
| start_time | The start time of the time range. For example, 2018-08-01T11:50:16. | Optional |
| end_time | The end time of the time range. For example, 2018-08-01T11:50:16. | Optional |
| limit | Maximum number of rules to retrieve. Default is 50. | Optional |
| page | Results page number. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.Sequence.sequenceId | String | The ID of the sequence. |
| Exabeam.Sequence.isWhitelisted | Boolean | Whether or not the sequence is on the allow list. |
| Exabeam.Sequence.areAllTriggeredRulesWhiteListed | Boolean | Whether or not all of the sequence's triggered rules are allow listed. |
| Exabeam.Sequence.hasBeenPartiallyWhiteListed | Boolean | Whether or not the sequence has been partially allow listed. |
| Exabeam.Sequence.riskScore | Number | The sequence risk score. |
| Exabeam.Sequence.startTime | Date | Start time of the sequence. |
| Exabeam.Sequence.endTime | Date | End time of the sequence. |
| Exabeam.Sequence.numOfReasons | Number | Number of reasons in the sequence. |
| Exabeam.Sequence.numOfEvents | Number | Number of events in the sequence. |
| Exabeam.Sequence.numOfUsers | Number | Number of users in the sequence. |
| Exabeam.Sequence.numOfSecurityEvents | Number | Number of security events in the sequence. |
| Exabeam.Sequence.numOfZones | Number | Number of zones in the sequence. |
| Exabeam.Sequence.numOfAssets | Number | Number of assets in the sequence. |
| Exabeam.Sequence.assetId | String | The asset ID of the sequence. |

Command Example#

!exabeam-get-notable-sequence-details asset_id=asset_id start_time="30 days"

exabeam-get-sequence-eventtypes#


Returns sequence event types for the given asset sequence ID and time range.

Base Command#

exabeam-get-sequence-eventtypes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_sequence_id | The asset sequence ID. | Required |
| search_str | String to search for inside display name. | Optional |
| limit | Maximum number of rules to retrieve. Default is 50. | Optional |
| page | Results page number. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.SequenceEventTypes.eventType | String | The sequence event type. |
| Exabeam.SequenceEventTypes.displayName | String | The sequence display name. |
| Exabeam.SequenceEventTypes.count | Number | The number of the sequences. |
| Exabeam.SequenceEventTypes.sequenceId | String | The sequence ID. |

Command Example#

!exabeam-get-sequence-eventtypes asset_sequence_id=asset_sequence_id search_str="search_str"

exabeam-list-incident#


Returns incidents from Exabeam.

Base Command#

exabeam-list-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Optional |
| query | Query string which is a combination of incident type, priority and status. | Optional |
| incident_type | Incident type to filter in Exabeam. | Optional |
| priority | Incident priority to filter in Exabeam. | Optional |
| status | Incident status to filter in Exabeam. | Optional |
| limit | Maximum number of rules to retrieve. Default is 50. | Optional |
| page_size | Number of total results in each page. Default is 25. | Optional |
| page_number | Specific page to query. | Optional |
| username | When the instance is configured by an API key, it must be used with the username argument. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Exabeam.incidents.incidentId | String | The ID of the incident. |
| Exabeam.incidents.name | String | The name of the incident. |
| Exabeam.incidents.fields.startedDate | Date | The starting date of the incident. |
| Exabeam.incidents.fields.closedDate | Date | The ending date of the incident. |
| Exabeam.incidents.fields.createdAt | Date | The creation date of the incident. |
| Exabeam.incidents.fields.owner | String | The incident owner. |
| Exabeam.incidents.fields.status | String | The incident status. |
| Exabeam.incidents.fields.incidentType | String | The incident type. |
| Exabeam.incidents.fields.source | String | The incident source. |
| Exabeam.incidents.fields.priority | String | The incident priority. |
| Exabeam.incidents.fields.queue | String | The incident queue. |
| Exabeam.incidents.fields.description | String | The incident description. |

Command Example#

!exabeam-list-incident priority=high