Exabeam Advanced Analytics User Guide

Welcome to the Advanced Analytics Homepage

The home page alerts the analysts to items that require investigation.

Some panels are unique to products you've purchased and installed. My Incidents and Incidents in My Queue panels as well as Folder icon in the Notable Users panel are only available when Case Management is deployed. Notable Assets is available when Entity Analytics is deployed.

[Figure: Advanced Analytics homepage (AA-IR-Home-Homepage.jpg)]

The home page presents the following:

  • Search Field for locating information. Users can perform a basic search using a username, an asset name, a specific security alert (by event ID), or an incident (when Case Management has been installed; for more information on Case Management, see chapter Case Management).

  • Threat Hunter is an advanced search function which allows for searches across a variety of dimensions. Clicking on the triangle inside the search box opens the Threat Hunter menu.

    [Figure: Threat Hunter menu (AA-IR-ThreatHunter.jpg)]
  • Proactive Health Checks that will alert administrators when:

    • Any of the core Exabeam services are not running.

    • There is insufficient disk storage space to store the logs or events.

    • Exabeam has not been fetching logs from the SIEM for a configurable amount of time.

  • High-level counters for key metrics that Exabeam monitors.

  • My Incidents – An incident is an unusual event that may indicate a threat to an organization's security and that is or was being investigated. The list consists of active, closed, or newly created incidents. This feature is available when Case Management has been installed. For more information on Case Management, see chapter Case Management.

  • My Queues – A group of users designated to handle assigned incidents is known as a queue. Incidents assigned to the queues you are associated with are listed here. This feature is available when Case Management has been installed. For more information on Case Management, see chapter Case Management.

  • Notable Users – Users whose session score met or exceeded the configured threshold (default is 90).

  • Notable Assets – Assets whose session score met or exceeded the configured threshold (default is 90). This feature is available when Entity Analytics has been installed. For more information on Entity Analytics, see the Advanced Analytics Administration Guide chapter Entity Analytics, or contact your Technical Account Manager.

  • Account Lockouts – A list of users that have an account lockout event in the Session Timeline.

  • Watchlists – Lists of users or assets the analyst wants to keep an eye on.

  • Next to some usernames and risk scores there is a small dot. This indicates that there is a comment from an analyst on that User Page or Timeline (Commenting on a User, Asset, or Session).

  • Within Notable Users and Watchlist Users analysts can click on the username or score. Clicking the username opens the User Page, clicking the score opens that specific session on the user's Timeline Page.

  • Clicking on the username in Account Lockouts opens the User Page, while clicking the lockout symbol opens that specific Lockout Sequence on the user's Timeline Page.

High-Level Counters on the Advanced Analytics Homepage

Along the top of the home page is a row of counters for the environment that Exabeam is monitoring. The counters are for users, assets, sessions, events, and anomalies. Each counter shows totals for the organization and recent counts (during regular operation, recent means the past 30 days). Take the following image, for example:

[Figure: High-level counters on the Advanced Analytics homepage (AA-IR-Home-Homepage.jpg)]

The organization has 7.9K employees and 22 have been active recently. These counters refresh automatically every 5 minutes.

About the Notable Users List

The Notable Users list shows the highest scoring session for users whose highest score is at least 90. Only the highest scoring session for a user is represented in the Notable Users list. Even if a user has many sessions with a score of 90 or above, his or her name appears in this list only once.

Clicking the caret at the top right opens a drop-down list for selecting the timeframe for that list: last day, last 2 days, last 3 days, last week, last 1 month, or last 3 months.

Watchlists

The users on watchlists are users that the analyst may want to keep an eye on for a time. For example, an employee's computer may have been infected with malware and need monitoring to ensure the remediation was effective, or an employee may have been given termination notice. Watchlists provide quick visibility into any sessions started by these sets of users, their latest risk scores, any assets they touched, and abnormal activities of which they were a part.

There are two types of watchlists - those that are created out-of-the-box by Exabeam and those that are created by an analyst. Users cannot be added to or removed from watchlists generated by Exabeam, though the watchlists themselves can be deleted. Analysts can also create their own watchlists (see “Customizing Watchlists”). Users can be added using a search expression or by importing a list of usernames from a CSV file. They can be removed the same way, or deleted automatically after a configurable period of time.

Asset Watchlists

Analysts can create asset watchlists on the homepage.

Similar to user-based watchlists, assets can be added to a watchlist based on any of the following criteria:

  • Asset Name

  • Asset Label

  • CSV

  • IP Address

Analysts can create user watchlists or asset watchlists but not a watchlist composed of both users and assets. Asset watchlists created by analysts can have a maximum of 100 assets, and can be edited and deleted. When creating an asset watchlist, analysts can determine how long a given asset will remain on the list (Figure 1-2). For example, if a 30-day limit is set then every asset added to that watchlist will be automatically removed 30 days after it is added.

Assets can also be added to an existing asset watchlist from the timeline.

Out-of-the-Box Watchlists

By default, Exabeam will create the following Watchlist categories: Executive Users and Service Accounts. These Watchlists are automatically populated by Exabeam and therefore cannot be configured to add or remove individual users. However, the Watchlists themselves can be deleted. When deleted, the users are removed from the Watchlist and the Watchlist is removed from the dashboard.

  • Executive Users: Users that are identified as executives during the setup process are automatically added to the Executive Users Watchlist. When executives are added or deleted, these changes are automatically reflected in the Watchlist.

  • Service Accounts: Users that are identified as service accounts are automatically added to the Service Accounts Watchlist. When service accounts are added or deleted, these changes are automatically reflected in the Watchlist.

Customizable Watchlists

Analysts can create their own watchlists - these can be username-based, CSV-based, user label-based, or peer group-based. To create a custom watchlist, click Add A Watchlist at the bottom of the home page, and then select the type of watchlist you wish to create.

[Figure: Add A Watchlist dialog (AA-IR-Home-AddAWatchlist.jpg)]

The customizable watchlists can be edited by clicking the vertical ellipsis icon in the upper right corner of each watchlist panel. Watchlists can be edited in the following ways:

  • Add User – Add users by username, by uploading a CSV file, by user label, or by peer group. You can also set a timeframe, after which the user(s) will be removed from the watchlist. This timeframe is per user, not per watchlist. Users can also be added individually from the User Page.

  • Add Asset – Add assets by asset name, by uploading a CSV file, or by IP address.

  • Remove User – Remove users either individually or by uploading a CSV file.

  • Remove Asset – Remove assets either individually, by uploading a CSV file, or by IP address.

  • Edit Watchlist – This option allows the analyst to edit the name or description of the watchlist.

  • Delete Watchlist – The watchlist will be permanently deleted.

Configure Role-based Access Control for Watchlists

When you create a new watchlist or edit an existing watchlist, you can configure permissions to view and manage them according to user roles.

Choose from one of the following options:

  • Public – Allow all users in your organization to view the watchlist.

  • Based on Role – Allow specific users to either view or view and edit the watchlist.

  • Only Me – Deny access (view and edit) to all other users in your organization.

Picking Based on Role lets you select the watchlist's permissions, which are based on user roles.

Revise the watchlist permissions at any time by locating a watchlist on the homepage and clicking Edit Watchlist and then clicking the permissions dropdown menu.
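The per-user removal timeframe described under Add User and the three permission options above combine into a small access-control and housekeeping model. The example below is added for this guide and is not Exabeam code: the `Watchlist` class, its method names, the one-username-per-line CSV layout, and the rule that Public watchlists are viewable by everyone but editable only by their owner are all assumptions made for the illustration.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Visibility(Enum):
    """The three permission options offered when creating or editing a watchlist."""
    PUBLIC = "Public"
    BASED_ON_ROLE = "Based on Role"
    ONLY_ME = "Only Me"


@dataclass
class Watchlist:
    name: str
    owner: str
    visibility: Visibility
    view_roles: set = field(default_factory=set)   # roles that may view (Based on Role)
    edit_roles: set = field(default_factory=set)   # roles that may view and edit
    # username -> expiry time, or None when the user stays until removed by hand.
    members: dict = field(default_factory=dict)

    def add_user(self, user, added_at, days=None):
        """Add one user; the timeframe is per user, not per watchlist."""
        self.members[user] = added_at + timedelta(days=days) if days else None

    def add_from_csv(self, csv_text, added_at, days=None):
        """Add users from CSV text (assumed layout: one username per line)."""
        added = []
        for row in csv.reader(io.StringIO(csv_text)):
            if not row or not row[0].strip():
                continue
            self.add_user(row[0].strip(), added_at, days)
            added.append(row[0].strip())
        return added

    def remove_user(self, user):
        return self.members.pop(user, None) is not None

    def expire(self, now):
        """Automatically remove users whose timeframe has elapsed; return them."""
        expired = sorted(u for u, exp in self.members.items() if exp is not None and exp <= now)
        for u in expired:
            del self.members[u]
        return expired

    def can_view(self, actor, roles):
        if actor == self.owner:
            return True
        if self.visibility is Visibility.PUBLIC:
            return True
        if self.visibility is Visibility.BASED_ON_ROLE:
            # Edit permission implies view permission.
            return bool(set(roles) & (self.view_roles | self.edit_roles))
        return False  # Only Me

    def can_edit(self, actor, roles):
        if actor == self.owner:
            return True
        if self.visibility is Visibility.BASED_ON_ROLE:
            return bool(set(roles) & self.edit_roles)
        return False  # Public (assumed owner-only edit) and Only Me


def demo():
    """Constructed scenario: a departing-staff watchlist with mixed expiry times."""
    wl = Watchlist("Departing staff", owner="analyst1",
                   visibility=Visibility.BASED_ON_ROLE,
                   view_roles={"tier1"}, edit_roles={"tier2"})
    t0 = datetime(2024, 5, 1)
    wl.add_user("alice", t0, days=30)
    wl.add_from_csv("bob\ncarol\n\n", t0, days=7)
    after_add = sorted(wl.members)
    expired = wl.expire(datetime(2024, 5, 8))   # exactly 7 days later
    return {
        "after_add": after_add,
        "expired": expired,
        "remaining": sorted(wl.members),
        "tier1_view": wl.can_view("someone", {"tier1"}),
        "tier1_edit": wl.can_edit("someone", {"tier1"}),
        "tier2_edit": wl.can_edit("someone", {"tier2"}),
        "hr_view": wl.can_view("someone", {"hr"}),
        "owner_edit": wl.can_edit("analyst1", set()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The expiry check runs against the timestamp each user was added, so two users on the same watchlist can leave it on different days, which matches the note that the timeframe is per user rather than per watchlist.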

Account Lockouts List on the Advanced Analytics Homepage

Account Lockouts is a list of users who have been locked out of their account within the timeframe selected. Clicking the caret at the top right opens a drop-down list for selecting the timeframe for that list: last day, last 2 days, last 3 days, last week, last 1 month, or last 3 months. The account lockouts that Exabeam has deemed risky are at the top.

Navigate to Other Pages, Sign Out, or Change Password from the Advanced Analytics Homepage

The admin drop-down menu can be found in the upper-right corner of any page. From there you can navigate to the Settings, Data Insights, or System Health pages, and visit Starred Session Users without returning to the homepage. The Admin Panel also offers the option to log out or to change your password. The current Exabeam build number is shown at the bottom right.

The information available in the admin panel is primarily for administrators or Exabeam customer support, but it does give access to models not available elsewhere.

[Figure: Admin Panel submenu (AA-IR-Home-SubmenusStack - AdminPanel.jpg)]

Bookmark Sessions

Starred Sessions is a list of selected sessions that an analyst keeps. The list is a mini-bookmark of sessions that an analyst might want to revisit or show to other analysts. Clicking an employee name in this area opens the same Risk Timeline area.

A starred session remains in this list regardless of time. An analyst can add or remove the session from the list by visiting the Session Timeline Page.

[Figure: Starred Sessions submenu (AA-IR-Home-SubmenusStack2.jpg)]

Use Dark Mode in Advanced Analytics, Case Manager, and Incident Responder

Turn on Dark Mode to make Advanced Analytics, Case Manager, and Incident Responder easier on your eyes in low light environments.

Dark Mode is not available for the Metrics page.

  1. In the navigation bar, select the menu icon (three white lines on a green background).

  2. Select Color Mode.

  3. Select Dark.

Change Language in Advanced Analytics, Case Manager, and Incident Responder

Change the language in which you use Advanced Analytics, Case Manager, and Incident Responder.

Advanced Analytics, Case Manager, and Incident Responder are available in English and Japanese.

Localized text is not available for some administrative tasks including the Metrics page, System Health page, and some settings, all health alerts, all error messages, and the details of Case Manager incidents.

  1. In the navigation bar, select the menu icon (three white lines on a green background).

  2. Select the Select Language option.

  3. From the list, select your preferred language. After the page reloads, you see Advanced Analytics text in the language you selected.