- Advanced Analytics
- Understand the Basics of Advanced Analytics
- Deploy Exabeam Products
- Considerations for Installing and Deploying Exabeam Products
- Things You Need to Know About Deploying Advanced Analytics
- Pre-Check Scripts for an On-Premises or Cloud Deployment
- Install Exabeam Software
- Upgrade an Exabeam Product
- Add Ingestion (LIME) Nodes to an Existing Advanced Analytics Cluster
- Apply Pre-approved CentOS Updates
- Configure Advanced Analytics
- Set Up Admin Operations
- Access Exabeam Advanced Analytics
- A. Supported Browsers
- Set Up Log Management
- Set Up Training & Scoring
- Set Up Log Feeds
- Draft/Published Modes for Log Feeds
- Advanced Analytics Transaction Log and Configuration Backup and Restore
- Configure Advanced Analytics System Activity Notifications
- Exabeam Licenses
- Exabeam Cluster Authentication Token
- Set Up Authentication and Access Control
- What Are Accounts & Groups?
- What Are Assets & Networks?
- Common Access Card (CAC) Authentication
- Role-Based Access Control
- Out-of-the-Box Roles
- Set Up User Management
- Manage Users
- Set Up LDAP Server
- Set Up LDAP Authentication
- Third-Party Identity Provider Configuration
- Azure AD Context Enrichment
- Set Up Context Management
- Custom Context Tables
- How Audit Logging Works
- Starting the Analytics Engine
- Additional Configurations
- Configure Static Mappings of Hosts to/from IP Addresses
- Associate Machine Oriented Log Events to User Sessions
- Display a Custom Login Message
- Configure Threat Hunter Maximum Search Result Limit
- Change Date and Time Formats
- Set Up Machine Learning Algorithms (Beta)
- Detect Phishing
- Restart the Analytics Engine
- Restart Log Ingestion and Messaging Engine (LIME)
- Custom Configuration Validation
- Advanced Analytics Transaction Log and Configuration Backup and Restore
- Reprocess Jobs
- Re-Assign to a New IP (Appliance Only)
- Hadoop Distributed File System (HDFS) Namenode Storage Redundancy
- User Engagement Analytics Policy
- Configure Settings to Search for Data Lake Logs in Advanced Analytics
- Enable Settings to Detect Email Sent to Personal Accounts
- Configure Smart Timeline™ to Display More Accurate Times for When Rules Triggered
- Configure Rules
- Exabeam Threat Intelligence Service
- Threat Intelligence Service Prerequisites
- Connect to Threat Intelligence Service through a Proxy
- View Threat Intelligence Feeds
- Threat Intelligence Context Tables
- View Threat Intelligence Context Tables
- Assign a Threat Intelligence Feed to a New Context Table
- Create a New Context Table from a Threat Intelligence Feed
- Check ExaCloud Connector Service Health Status
- Disaster Recovery
- Manage Security Content in Advanced Analytics
- Exabeam Hardening
- Set Up Admin Operations
- Health Status Page
- Troubleshoot Advanced Analytics Data Ingestion Issues
- Generate a Support File
- View Version Information
- Syslog Notifications Key-Value Pair Definitions
Syslog Notifications Key-Value Pair Definitions
The Incident Notifications sent via Syslog to your SIEM use the following parameters in their key-value pairs. The pairs are separated by a space (for example, reasons_count="3" score="135").
The following tables define each extension field key in Syslog messages by Event Type for Advanced Analytics v.i48 and later.
Event Type: System Health
Key Name | Key Value | Description | Syslog Key Value Example |
|---|---|---|---|
service | Service of the system health | The service of the system health. | service="Analytics Log Ingestion" |
status | Status of the system health | The status of the system health, either "running" or "stopped". | status="stopped" |
Event Type: Notable Sessions / Anomalies
Key Name | Key Value | Description | Syslog Key Value Example |
|---|---|---|---|
id | Session, sequence, or asset sequence ID | The ID of the session, sequence, or asset sequence ID. Also the triggered rule containerId of a session or sequence. | id="npage-201905151524" |
url | URL to the session, sequence, or asset sequence | The URL to the session, sequence, or asset sequence in the timeline. | url="https://<ExabeamAA>:8484/uba/ #user/admin/ timeline/admin- 201906241700" |
entity_value | Asset sequence entity value | The asset sequence entity value. | entity_value="dev_kr" |
score | Session, sequence, or asset sequence risk score | The session, sequence, or asset sequence risk score. Also the triggered rule risk score. | score="316" |
sequence_type | Type of sequence | The type of sequence or asset sequence entity name. | sequence_type="lockout" |
start_time | loginTime in UTC format | The loginTime for the session or sequence. Also the day for the asset sequence. | start_time="2019-05- 25T08:05:24-07:00" |
end_time | logoutTime in UTC format | The logoutTime for the session or sequence. Also the start_time + 24 hours for the asset sequence. | end_time="2019-05- 25T18:26:24-07:00" |
status | Status of the session or sequence | The status of the session or sequence, either "open" or "closed". It is closed if logoutTime is != 0, otherwise it is open. | status="closed" |
user | Session or sequence username | The session or sequence user. Also the triggered rule username. | user="admin" |
src_host | Session or sequence loginHost | The session or sequence loginHost. Also the triggered rule src host. (optional) | src_host="dc_464" |
src_ip | Session src_ip | The session src_ip. Also the triggered rule src_ip. (optional) | src_ip="10.55.0.123" |
accounts | Session or sequence accounts | The session or sequence accounts. | accounts="achan, tmiles, dgreen, mbridges" |
labels | Session or sequence labels | The session or sequence labels. | labels="TIME" |
assets_count | Session or sequence assets count | The total number of assets recorded for the session or sequence. | assets_count="23" |
assets | Session or sequence assets | The names of all unique assets for the session or sequence. | assets="srv_123_dev, 10.23.123.56, tks_en_0b_jt" |
zones | Session zones | The session zones. Also the asset sequence zones. (optional) | zones="atlanta office" |
reasons | All unique rule definition descriptions for any triggered rules for the session | By default, only takes the top three by triggered rule risk score. Configurable through exabeam_custom_config ScoreManager. IncidentReasonsLimit. | reasons="It is abnormal for this user to perform account management activities (a user created and added to a group) on this day of the week. Account management events are notable because they can provide a path for an attacker to move laterally through a system." |
reasons_count | Session or sequence reasons count | The total number of reasons recorded for the session or sequence. | reasons_count="8" |
events_count | Session or sequence events count | The total number of events recorded for the session or sequence. | events_count="779" |
alerts_count | Session or sequence alerts count | The total number of security events recorded for the session or sequence. | alerts_count="7" |
asset_labels (optional) | Labels for the asset | The labels for the asset. | asset_labels="SOURCE HOST" |
asset_locations | Locations for the asset | The locations for the asset. | asset_locations="los angeles office" |
top_users | Top users for the asset | The top users for the asset. | top_users="adonald" |
host_name (optional) | Hostnames for the asset | The hostnames for the asset. | host_name="adonald-win7" |
ip_address (optional) | IP addresses for the asset | The IP addresses for the asset. | ip_address="10.0.0.3" |
dest_host (optional) | dest_host of the triggered rule | The dest_host of the triggered rule. | dest_host="It-adonald-123" |
dest_ip (optional) | dest_ip of the triggered rule | The dest_ip of the triggered rule. | dest_ip="10.23.121.87" |
event_time | Time of the event | When the event took place. | event_time="8:26:00" |
event_type | Type of the event | The type of the event. | event_type="remote-access" |
host (optional) | Host for the triggered rule | The host for the triggered rule. | host="atl-file-01" |
domain (optional) | Domain for the triggered rule | The domain for the triggered rule. | domain="kt_cloud" |
raw (optional) | Raw "payload" | The raw "payload" for the triggered rule or event. | raw="http: //exampleurl" |
rule_id | Rule definition ID | The rule definition ID for the triggered rule. | rule_id="WL-HG-F" |
rule_name | Rule definition name | The rule definition name for the triggered rule. | rule_name="Account switch by new user" |
rule_description | Rule definition description | The rule definition description for the triggered rule. | rule_description="User for which we have insufficient data logged onto a Domain Controller" |
Event Type: Advanced Analytics/Case Manager/OAR Audit
Key Name | Key Value | Description | Syslog Key Value Example |
|---|---|---|---|
time | Time in Unix timestamp | When the event took place. | time="1559076154132" |
user | Admin or user’s username | The user performing the activity in Exabeam. | user="admin" |
host | Hostname, and if not available, IP address | The machine logging the event. | host="10.0.0.4" |
src_ip | Client IP address | The IP from which the user connected to Exabeam. | src_ip="10.0.0.6" |
event_type | Event type | The event type, such as “app-activity”, “remote-logon”, and “logout”. | event_type="failed-app-login" |
app | Name of the application | The name of the application that logs the event, such as “Exabeam Advanced Analytics”. If it is not possible to get the app type then “Exabeam” is used. | app="Exabeam" |
event_subtype | Exabeam Audit Event | The Exabeam Audit Event identifier. | event_subtype="Exabeam Audit Event" |
activity | Activity type | The activity type, such as “User added”, “Role updated”, and “LDAP server removed”. | activity="Failed log in" |
additional_info | Activity details | The activity details, such as those pertaining to user, role, and LDAP updates. | additional_info="User 'admin' failed to login" |
Event Type: Job Status
Key Name | Key Value | Description | Syslog Key Value Example |
|---|---|---|---|
job_status | Job status | The job status, either “Started”, “Failed”, or “Completed”. | job_status="Started" |
job_details | Job details | The job details, which includes modified rules and reprocess times. | job_details="Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC)." |
job_id | Job ID | The job ID string. | job_id="5c1ace5c123 b3801207481f" |
created_by | Admin or user’s username | The user who created the job in Exabeam. | created_by="admin" |
timestamp | Timestamp in UTC format | When the event took place. | timestamp="December 19 2018, 11:05PM (UTC)" |
start_time (optional) | Timestamp in UTC format | When the event started. | start_time="March 12 2019, 10:05PM (UTC)" |
end_time (optional) | Timestamp in UTC format | When the event ended. | end_time="March 13 2018, 12:05AM (UTC)" |