Exabeam Security Operations Platform

This Integration is part of the Exabeam Security Operations Platform Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Exabeam Security Operations Platform offers a centralized and scalable platform for log management. This integration was integrated and tested with version v1.0 of ExabeamSecOpsPlatform.

Configure Exabeam Security Operations Platform in Cortex

| Parameter | Required |
| --- | --- |
| Server URL | True |
| Client ID | True |
| Client Secret | True |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | |
| Maximum Incidents Per Fetch | |
| Fetch query | |
| Fetch incidents | |
| Incident type | |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

exabeam-platform-event-search

Get events from Exabeam Security Operations Platform.

Base Command

exabeam-platform-event-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | The starting date for the search range. | Required |
| end_time | The ending date for the search range. | Required |
| query | Query, using Lucene syntax, filters log data for precise analysis. | Optional |
| fields | Comma-separated list of fields to be returned from the search. | Optional |
| group_by | Comma-separated list of fields by which to group the results. | Optional |
| limit | The maximum number of results to return. Maximum value is 3000. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExabeamPlatform.Event.id | String | The unique identifier associated with the event. |
| ExabeamPlatform.Event.rawLogIds | String | The raw log identifiers associated with the event. |
| ExabeamPlatform.Event.tier | String | The tier associated with the event. |
| ExabeamPlatform.Event.parsed | String | Whether the event has been parsed. |
| ExabeamPlatform.Event.rawLogs | String | The raw logs associated with the event. |

Command example

!exabeam-platform-event-search end_time="today" start_time="7 days ago" limit=2

Context Example

{
  "ExabeamPlatform": {
    "Event": [
      {
        "approxLogTime": 1715694190909000,
        "collector_timestamp": 1715694190909000,
        "customFieldsJSON": "{}",
        "id": "fake",
        "ingest_time": 1715694222815000,
        "metadataFieldsJSON": "{\"m_collector_id\":\"aae1627e-8637-4597-9f43-e49a703a6151\",\"m_collector_name\":\"exa-cribl-logs-sm_exa_ws\",\"m_collector_type\":\"cribl-logs\"}",
        "parsed": false,
        "rawLogIds": [
          "log-fic"
        ],
        "rawLogs": [
          "ANY rawLog"
        ],
        "raw_log_size": 9,
        "tier": "Tier 4"
      },
      {
        "approxLogTime": 1715694915916000,
        "collector_timestamp": 1715694915916000,
        "customFieldsJSON": "{}",
        "id": "fictive-id",
        "ingest_time": 1715694946775000,
        "metadataFieldsJSON": "{\"m_collector_id\":\"aae1627e-8637-4597-9f43-e49a703a6151\",\"m_collector_name\":\"exa-cribl-logs-sm_exa_ws\",\"m_collector_type\":\"cribl-logs\"}",
        "parsed": false,
        "rawLogIds": [
          "rawLogId"
        ],
        "rawLogs": [
          "CONNECT hotmail"
        ],
        "raw_log_size": 59,
        "tier": "Tier 4"
      }
    ]
  }
}

Human Readable Output

Logs

| Id | Is Parsed | Raw Log Ids | Raw Logs | Tier |
| --- | --- | --- | --- | --- |
| fake | false | log-fic | ANY rawLog | Tier 4 |
| fictive-id | false | rawLogId | CONNECT hotmail | Tier 4 |
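The context above is what an automation receives after running the command. The following is an added example, not part of the integration's code: it turns the `ExabeamPlatform.Event` entries into the rows of the Logs table, decodes the `metadataFieldsJSON` string (which arrives as JSON text, not an object), converts the microsecond epoch timestamps to UTC, and computes the log-time-to-ingest lag, which is what bounds how fast a detection built on these events can fire. The sample context is constructed from the values on the page; the column names beyond the Logs table are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the Context Example above; ids, timestamps and the
# metadata string are the page's own values, re-typed here so the block runs offline.
META = json.dumps({"m_collector_id": "aae1627e-8637-4597-9f43-e49a703a6151",
                   "m_collector_name": "exa-cribl-logs-sm_exa_ws",
                   "m_collector_type": "cribl-logs"})
SAMPLE_CONTEXT = {"ExabeamPlatform": {"Event": [
    {"approxLogTime": 1715694190909000, "ingest_time": 1715694222815000, "id": "fake",
     "metadataFieldsJSON": META, "parsed": False, "rawLogIds": ["log-fic"],
     "rawLogs": ["ANY rawLog"], "tier": "Tier 4"},
    {"approxLogTime": 1715694915916000, "ingest_time": 1715694946775000, "id": "fictive-id",
     "metadataFieldsJSON": META, "parsed": False, "rawLogIds": ["rawLogId"],
     "rawLogs": ["CONNECT hotmail"], "tier": "Tier 4"},
]}}

def us_to_utc(micros):
    """Event timestamps in the context are microseconds since the Unix epoch."""
    secs, us = divmod(int(micros), 1_000_000)  # integer split keeps the microseconds exact
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=us)

def flatten_events(context):
    """Rows like the 'Logs' table above, plus the collector name pulled out of the
    metadataFieldsJSON string and the log-time-to-ingest lag in seconds."""
    rows = []
    for ev in context.get("ExabeamPlatform", {}).get("Event", []):
        try:
            meta = json.loads(ev.get("metadataFieldsJSON") or "{}")
        except json.JSONDecodeError:
            meta = {}  # a malformed metadata blob must not discard the whole result set
        rows.append({
            "Id": ev.get("id"),
            "Is Parsed": bool(ev.get("parsed")),
            "Raw Log Ids": ", ".join(ev.get("rawLogIds") or []),
            "Raw Logs": ", ".join(ev.get("rawLogs") or []),
            "Tier": ev.get("tier"),
            "Log Time (UTC)": us_to_utc(ev["approxLogTime"]).isoformat(),
            "Collector": meta.get("m_collector_name"),
            "Ingest Lag (s)": round((ev["ingest_time"] - ev["approxLogTime"]) / 1_000_000, 3),
        })
    return rows

def unparsed_rows(rows):
    """Events with parsed=False reached the platform as raw text only: a parser-coverage gap."""
    return [r for r in rows if not r["Is Parsed"]]
```

Both sample events are unparsed Tier 4 records, so `unparsed_rows` returns both; in a live result set that list is the first place to look when a detection that should have fired did not.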

exabeam-platform-table-record-list

Retrieve the records for a specific context table.

Base Command

exabeam-platform-table-record-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| table_id | ID of the table. Obtain this value by running exabeam-platform-context-table-list. | Required |
| limit | The number of records to return. Default is 50. | Optional |

Context Output

There is no context output for this command.

exabeam-platform-table-record-create

Add one or more context records directly to an existing table.

Base Command

exabeam-platform-table-record-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| table_id | ID of the table. Obtain this value by running exabeam-platform-context-table-list. | Required |
| attributes | A key-value map of record attributes. | Required |
| operation | Options for how data should be uploaded to an existing table. Possible values are: append, replace. Default is append. | Optional |
| interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
| timeout | The timeout in seconds until polling ends. Default is 600. | Optional |
| tracker_id | Specify the tracker ID from an upload request whose progress you want to track. | Optional |
| hide_polling_output | Suppresses the output of polling operations to reduce clutter in logs. | Optional |

Context Output

There is no context output for this command.

exabeam-platform-alert-search

Search for alerts that match one or more search criteria.

Base Command

exabeam-platform-alert-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Unique ID that identifies an alert. | Optional |
| start_time | Timestamp to start the search. Default is 7 days ago. | Optional |
| end_time | Timestamp to end the search. Default is today. | Optional |
| query | Query, using Lucene syntax, filters log data for precise analysis. | Optional |
| fields | List of fields to be returned from the search. | Optional |
| order_by | Order results by a specified field in ASC or DESC order, such as "riskScore ASC" or "riskScore DESC". | Optional |
| limit | Limit the number of results returned from the search request. Default is 50. | Optional |
| all_results | If set to 'True', retrieves all available results, ignoring the limit parameter. Possible values are: True, False. Default is False. | Optional |
| include_related_rules | If set to 'True', filters the context to include the "rules" array related to the cases in the results. Possible values are: True, False. Default is False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExabeamPlatform.Alert.alertDescriptionRt | String | The description of the alert in real-time. |
| ExabeamPlatform.Alert.alertId | String | The unique identifier of the alert. |
| ExabeamPlatform.Alert.alertName | String | The name or title of the alert. |
| ExabeamPlatform.Alert.approxLogTime | Date | The approximate log time of the alert. |
| ExabeamPlatform.Alert.assignee | String | The person assigned to the alert. |
| ExabeamPlatform.Alert.caseCreationTimestamp | Number | The timestamp when the case was created. |
| ExabeamPlatform.Alert.caseId | String | The unique identifier of the case associated with the alert. |
| ExabeamPlatform.Alert.creationBy | String | The user who created the alert. |
| ExabeamPlatform.Alert.creationTimestamp | Date | The timestamp when the alert was created. |
| ExabeamPlatform.Alert.destEndpoints | Unknown | The destination endpoints involved in the alert. |
| ExabeamPlatform.Alert.destHosts | Unknown | The destination hosts involved in the alert. |
| ExabeamPlatform.Alert.destIps | Unknown | The destination IP addresses involved in the alert. |
| ExabeamPlatform.Alert.groupedbyKey | String | The key used for grouping the alert. |
| ExabeamPlatform.Alert.groupedbyValue | String | The value used for grouping the alert. |
| ExabeamPlatform.Alert.groupingRuleId | String | The ID of the rule used for grouping the alert. |
| ExabeamPlatform.Alert.hasAttachments | Boolean | Indicates if the alert has attachments. |
| ExabeamPlatform.Alert.ingestTimestamp | Date | The timestamp when the alert was ingested into the system. |
| ExabeamPlatform.Alert.lastModifiedBy | String | The user who last modified the alert. |
| ExabeamPlatform.Alert.lastModifiedTimestamp | Date | The timestamp when the alert was last modified. |
| ExabeamPlatform.Alert.mitres.tactic | String | The MITRE tactic associated with the alert. |
| ExabeamPlatform.Alert.mitres.tacticKey | String | The MITRE tactic key associated with the alert. |
| ExabeamPlatform.Alert.mitres.technique | String | The MITRE technique associated with the alert. |
| ExabeamPlatform.Alert.mitres.techniqueKey | String | The MITRE technique key associated with the alert. |
| ExabeamPlatform.Alert.priority | String | The priority level of the alert. |
| ExabeamPlatform.Alert.products | String | The products involved in the alert. |
| ExabeamPlatform.Alert.queue | String | The queue in which the alert is placed. |
| ExabeamPlatform.Alert.riskScore | Number | The risk score associated with the alert. |
| ExabeamPlatform.Alert.srcEndpoints.ip | String | The IP addresses of the source endpoints involved in the alert. |
| ExabeamPlatform.Alert.srcHosts | Unknown | The source hosts involved in the alert. |
| ExabeamPlatform.Alert.srcIps | String | The source IP addresses involved in the alert. |
| ExabeamPlatform.Alert.stage | String | The stage of the alert in the investigation process. |
| ExabeamPlatform.Alert.status | String | The status of the alert. |
| ExabeamPlatform.Alert.subscriptionCode | String | The subscription code associated with the alert. |
| ExabeamPlatform.Alert.tags | Unknown | The tags associated with the alert. |
| ExabeamPlatform.Alert.useCases | String | The use cases related to the alert. |
| ExabeamPlatform.Alert.users | Unknown | The users involved in the alert. |
| ExabeamPlatform.Alert.vendors | String | The vendors associated with the alert. |
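An added example, not code from the integration, showing how an automation would work with the alert context above: it validates the documented `order_by` form (`<field> ASC|DESC`), sorts a result set the same way the argument does, and indexes the `mitres` entries by technique key so the analyst sees which techniques the current alert set clusters on. The alerts are constructed; their ids, scores, addresses and MITRE keys are made up, and `mitres` is assumed to be a list of objects with `tacticKey` and `techniqueKey`, as the context paths suggest.

```python
# Constructed alerts shaped like the ExabeamPlatform.Alert context paths above; ids,
# scores, addresses and MITRE keys are made up, and 'mitres' is assumed to be a list.
SAMPLE_ALERTS = [
    {"alertId": "alert-001", "alertName": "Abnormal logon", "riskScore": 45, "priority": "MEDIUM",
     "srcIps": "192.0.2.10", "users": ["alice"],
     "mitres": [{"tacticKey": "TA0001", "techniqueKey": "T1078"}]},
    {"alertId": "alert-002", "alertName": "Credential dumping", "riskScore": 90, "priority": "HIGH",
     "srcIps": "192.0.2.11", "users": ["svc-backup"],
     "mitres": [{"tacticKey": "TA0006", "techniqueKey": "T1003"},
                {"tacticKey": "TA0001", "techniqueKey": "T1078"}]},
    {"alertId": "alert-003", "alertName": "Port scan", "riskScore": 20, "priority": "LOW",
     "srcIps": "192.0.2.12", "users": [], "mitres": []},
]

def parse_order_by(order_by):
    """Validate the documented '<field> ASC|DESC' form, e.g. 'riskScore DESC'; ASC is the default."""
    field, _, direction = order_by.strip().partition(" ")
    direction = (direction.strip() or "ASC").upper()
    if not field or direction not in ("ASC", "DESC"):
        raise ValueError(f"order_by must be '<field> ASC|DESC', got {order_by!r}")
    return field, direction == "DESC"

def sort_alerts(alerts, order_by="riskScore DESC"):
    """Client-side equivalent of the order_by argument; alerts missing the field sort lowest."""
    field, reverse = parse_order_by(order_by)
    return sorted(alerts, key=lambda a: (a.get(field) is not None, a.get(field)), reverse=reverse)

def technique_index(alerts):
    """Map each MITRE technique key to the alert ids that reference it, so an analyst
    can see which techniques the current alert set clusters on."""
    index = {}
    for alert in alerts:
        for m in alert.get("mitres") or []:
            index.setdefault(m.get("techniqueKey"), []).append(alert["alertId"])
    return index

def triage_queue(alerts, min_risk=50):
    """Alerts at or above a risk threshold, highest first, with their technique keys."""
    queue = []
    for alert in sort_alerts(alerts, "riskScore DESC"):
        if (alert.get("riskScore") or 0) >= min_risk:
            techs = sorted({m.get("techniqueKey") for m in alert.get("mitres") or []})
            queue.append((alert["alertId"], alert["riskScore"], techs))
    return queue
```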

exabeam-platform-context-table-delete

Delete a specific context table, including records and attributes.

Base Command

exabeam-platform-context-table-delete

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| table_id | Specify the ID of an existing context table. | Required |
| delete_unused_custom_attributes | Delete any custom attributes in this table that are not used in another context table. Possible values are: True, False. Default is False. | Optional |

Context Output

There is no context output for this command.

exabeam-platform-context-table-list

Retrieve metadata for all existing context tables, including source, operational status, and attribute mapping.

Base Command

exabeam-platform-context-table-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| table_id | Specify the ID of an existing context table. | Optional |
| limit | Limit the number of results returned from the request. Default is 50. | Optional |
| include_attributes | If set to 'True', filters the context to include the "attributes" array related to the cases in the results. Possible values are: True, False. Default is False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExabeamPlatform.ContextTable.attributeMapping | Unknown | The attribute mapping of the context table. |
| ExabeamPlatform.ContextTable.attributes.displayName | String | The display name of the attribute. |
| ExabeamPlatform.ContextTable.attributes.id | String | The unique identifier of the attribute. |
| ExabeamPlatform.ContextTable.attributes.isKey | Boolean | Indicates if the attribute is a key attribute. |
| ExabeamPlatform.ContextTable.attributes.type | String | The type of the attribute. |
| ExabeamPlatform.ContextTable.contextType | String | The type of context the table represents. |
| ExabeamPlatform.ContextTable.id | String | The unique identifier of the context table. |
| ExabeamPlatform.ContextTable.lastUpdated | Number | The timestamp of the last update to the context table. |
| ExabeamPlatform.ContextTable.name | String | The name of the context table. |
| ExabeamPlatform.ContextTable.source | String | The source of the context table data. |
| ExabeamPlatform.ContextTable.status | String | The status of the context table. |
| ExabeamPlatform.ContextTable.totalItems | Number | The total number of items in the context table. |

exabeam-platform-case-search

Search for cases that match one or more search criteria. For example, you can search for cases that are associated with a specific caseId and that reference specific rules.

Base Command

exabeam-platform-case-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | An optional case id parameter to get a specific case. | Optional |
| start_time | Timestamp to start the search. Default is 7 days ago. | Optional |
| end_time | Timestamp to end the search. Default is today. | Optional |
| query | Query, using Lucene syntax, filters log data for precise analysis. | Optional |
| fields | List of fields to be returned from the search. | Optional |
| order_by | Order results by a specified field in ASC or DESC order, such as "riskScore ASC" or "riskScore DESC". | Optional |
| limit | Limit the number of results returned from the search request. Default is 50. | Optional |
| all_results | If set to 'True', retrieves all available results, ignoring the limit parameter. Possible values are: True, False. Default is False. | Optional |
| include_related_rules | If set to 'True', filters the context to include the "rules" array related to the cases in the results. Possible values are: True, False. Default is False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ExabeamPlatform.Case.alertId | String | Unique identifier for the alert associated with the case. |
| ExabeamPlatform.Case.alertName | String | Name of the alert associated with the case. |
| ExabeamPlatform.Case.approxLogTime | Number | Approximate log time of the event that generated the case. |
| ExabeamPlatform.Case.assignee | String | User assigned to the case. |
| ExabeamPlatform.Case.caseCreationTimestamp | Number | Timestamp when the case was created. |
| ExabeamPlatform.Case.caseId | String | Unique identifier for the case. |
| ExabeamPlatform.Case.destHosts | Unknown | Destination hosts involved in the case. |
| ExabeamPlatform.Case.destIps | Unknown | Destination IP addresses involved in the case. |
| ExabeamPlatform.Case.groupedbyKey | String | Key by which the case was grouped. |
| ExabeamPlatform.Case.groupedbyValue | String | Value by which the case was grouped. |
| ExabeamPlatform.Case.hasAttachments | Boolean | Indicates if the case has attachments. |
| ExabeamPlatform.Case.ingestTimestamp | Unknown | Timestamp when the case was ingested. |
| ExabeamPlatform.Case.lastModifiedTimestamp | Unknown | Timestamp when the case was last modified. |
| ExabeamPlatform.Case.mitres | Unknown | MITRE tactics and techniques associated with the case. |
| ExabeamPlatform.Case.priority | String | Priority level of the case. |
| ExabeamPlatform.Case.products | String | Products involved in the case. |
| ExabeamPlatform.Case.queue | String | Queue to which the case is assigned. |
| ExabeamPlatform.Case.riskScore | Number | Risk score of the case. |
| ExabeamPlatform.Case.rules.approxLogTime | Number | Approximate log time of the rule that triggered the case. |
| ExabeamPlatform.Case.rules.ruleId | String | Unique identifier for the rule. |
| ExabeamPlatform.Case.rules.ruleName | String | Name of the rule that triggered the case. |
| ExabeamPlatform.Case.rules.ruleReason | String | Reason for the rule triggering the case. |
| ExabeamPlatform.Case.rules.ruleSeverity | String | Severity level of the rule. |
| ExabeamPlatform.Case.rules.ruleSource | String | Source of the rule. |
| ExabeamPlatform.Case.rules.ruleType | String | Type of the rule. |
| ExabeamPlatform.Case.srcHosts | Unknown | Source hosts involved in the case. |
| ExabeamPlatform.Case.srcIps | Unknown | Source IP addresses involved in the case. |
| ExabeamPlatform.Case.stage | String | Current stage of the case. |
| ExabeamPlatform.Case.subscriptionCode | String | Subscription code associated with the case. |
| ExabeamPlatform.Case.tags | Unknown | Tags associated with the case. |
| ExabeamPlatform.Case.useCases | Unknown | Use cases associated with the case. |
| ExabeamPlatform.Case.users | Unknown | Users involved in the case. |
| ExabeamPlatform.Case.vendors | String | Vendors involved in the case. |
| ExabeamPlatform.Case.alertCreationTimestamp | Date | Timestamp when the alert was created. |
| ExabeamPlatform.Case.alertDescriptionRt | String | Description of the alert. |
| ExabeamPlatform.Case.creationBy | String | User who created the case. |
| ExabeamPlatform.Case.creationTimestamp | Date | Timestamp when the case was created. |
| ExabeamPlatform.Case.destEndpoints | Unknown | Destination endpoints involved in the case. |
| ExabeamPlatform.Case.mitres.tacticKey | String | Key of the MITRE tactic associated with the case. |
| ExabeamPlatform.Case.mitres.technique | String | MITRE technique associated with the case. |
| ExabeamPlatform.Case.mitres.techniqueKey | String | Key of the MITRE technique associated with the case. |