Exabeam Data Lake
ExabeamDataLake Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
Exabeam Data Lake provides a searchable log management system. Data Lake is used for log collection, storage, processing, and presentation. This integration was integrated and tested with version LMS-i40.3 of Exabeam Data Lake.
#
Configure Exabeam Data Lake in CortexParameter | Description | Required |
---|---|---|
Server URL | True | |
User Name | True | |
Password | True | |
Cluster Name | The default value is usually 'local', suitable for standard setups. For custom cluster deployments, consult Exabeam Support Team. | True |
Trust any certificate (not secure) | ||
Use system proxy settings |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
exabeam-data-lake-searchGet events from Exabeam Data Lake.
#
Base Commandexabeam-data-lake-search
#
InputArgument Name | Description | Required |
---|---|---|
query | The search query string to filter the events by. Examples can be found in the syntax documentation section of the integration description. | Required |
start_time | The starting date for the search range. The search range should be at least one day long and can extend up to a maximum of 10 days. | Required |
end_time | The ending date for the search range. This defines the end of the search range, which should be within one to ten days after the start_time. | Required |
limit | The maximal number of results to return. Maximum value is 3000. | Optional |
page | The page number for pagination. | Optional |
page_size | The maximal number of results to return per page. Maximum value is 3000. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
ExabeamDataLake.Event._id | str | The event ID. |
ExabeamDataLake.Event._source.Vendor | str | Vendor of the event. |
ExabeamDataLake.Event._source.Product | str | Product of the event. |
ExabeamDataLake.Event._source.@timestamp | str | The time of the event. |
ExabeamDataLake.Event._source.message | str | The message of the event. |
#
Command example!exabeam-data-lake-search query="risk_score:3" start_time="2024.02.27" end_time="2024.02.28" limit=2
#
Context Example#
Human Readable Output#
Logs
Created_at Id Message Product Vendor 2024-02-28T16:15:50.614Z some_id <86>1 2024-02-28T16:15:50.609Z exabeam-analytics-master Exabeam - - - timestamp="2024-02-28T16:15:29.192Z" id="ghardin-20240228143533" score="3" user="ghardin" event_time="2024-02-28 14:35:35" event_type="dlp-alert" domain="kenergy" time="1709130935833" source="ObserveIT" vendor="ObserveIT" lockout_id="NA" session_id="ghardin-20240228143533" session_order="2" account="ghardin" getvalue('zone_info', src)="new york office" alert_name=" rule violation" local_asset="lt-ghardin-888" alert_type="DATA EXFILTRATION" os="Win" rule_name="Abnormal DLP alert name for user" rule_description="Exabeam noted that this alert name has been triggered for this user in the past yet it is still considered abnormal activity. This activity may be an early indication of compromise of a user by malware or other malicious actors." rule_reason="Abnormal DLP alert with name rule violation for user" Exabeam AA Exabeam 2024-02-27T16:21:45.721Z another_id <86>1 2024-02-27T16:21:45.539Z exabeam-analytics-master Exabeam - - - timestamp="2024-02-24T16:16:29.975Z" id="ghardin-20240224140716" score="3" user="ghardin" event_time="2024-02-24 14:34:42" event_type="kerberos-logon" host="exabeamdemodc1" domain="ktenergy" time="1708785282052" source="DC" lockout_id="NA" session_id="ghardin-20240224140716" session_order="4" account="ghardin" ticket_options_encryption="0x40810010:0x12" nonmachine_user="ghardin" event_code="4768" ticket_encryption_type="0x12" ticket_options="0x40810010" rule_name="IT presence without badge access" rule_description="This user is logged on to the company network but did not use their badge to access a physical location. It is unusual to have IT access without badge access." rule_reason="IT presence without badge access" Exabeam AA Exabeam