Advanced AnalyticsExabeam Advanced Analytics User Guide

This section defines the counters that make up the session summary. The counters are for categories that an analyst might want to examine in detail. These are interactive and all-inclusive: they represent all events whether the events are benign, anomalous, or threatening.

The session summary expedites research. A session can have many thousands of events, but instead of scrolling through many screens to locate the risk-associated events, the analyst can click a counter to see a popup with all the events for that category. Clicking on an item in the popup shifts the timeline to that specific event. The choice of which count to click first can depend on previous steps, but analysts frequently start with a security event.

Details of the counters are as follows:

Near the bottom of the session summary in is a tag icon. This icon is a label for the nature of the VPN that started the session (if applicable). In the current release, this label is informational only. The possible labels are:

At the bottom right is the option to query Splunk Logs, Export Events, and Accept Session. Before accepting a session be sure to read Accepting a Session on page 1.

If your SIEM is Splunk, then clicking Splunk Logs opens a new window where you can search for events within Splunk, with the appropriate query parameters set. This is helpful if an analyst wants to gather additional details regarding the user by looking within the SIEM during investigations.

Clicking the Export Events link exports all the events in a user session to a CSV file that the user can save locally; default file name is Exabeam_<username>_<sessionid>_<riskscore>. The CSV contains a list of all events and key details. Columns titled time, session_id, Event_id, event type, host source, user, and account are populated for every file. The columns following those are dependent on the information available (i.e. dest_host, domain, etc.). Under risk_reason the rules that were triggered are listed; if more than one rule was triggered then semicolons separate them.

This section describes the information elements in the User Session Timeline.

Details for an event are on the left side of the timeline regardless of whether the event was an anomaly or a security risk. If an event also has a risk score, the details of the risk are on the right side of the timeline.

The risk from Sequences and Daily Feeds can be transferred to the session. For example, Exabeam could have found that the user’s web activities included going to a malicious domain, which resulted in a risk score. This score will be transferred to the user’s session. If the malicious web activity happened outside of a session (i.e. during a time period where there was not an open session) the score will be transferred to the user’s next session.

When the session timeline is opened, by default the events that earned points are expanded. We collapse events of the same type that have no score, in which case the page displays something like, “3x Remote access,” as in the center of the image above.

The image also shows a session started about 5:45PM, with three risk transfers from web activities (clicking on any of those highlighted web activities links will take you to the relevant Daily Summary where they occurred) and ten points added to the session because of the abnormal session start time.

The drop-down Filter panel can be accessed to the left of the timeline. An analyst can choose to see all events, or only those with anomalies. They can also choose to see any combination of session and feeds. When loading the timeline page from the homepage the default selections are All Events and Session Activity turned on; Web Activity and Account Lockout are off.

The calendar at the bottom makes it easy to jump to a different day. The days are color coded to signpost when there was a high-risk session - red indicates a high-risk session, green indicates a low-risk session.

The Daily Summary and Timeline only appear when at least one of the feeds filters are turned on.

A Feed here refers to events that happen outside of the logical container of a session. They are often high volume feeds and processed in parallel to session and lockout sequences. These can be application logs, web access logs, DHCP, etc. Feeds are measured in a different timeframe to sessions - they are 24 hours. If a feed begins at 5pm on 01/10/16 then it will end at 5pm on 01/11/16. Anomalies within daily feeds will be assigned a risk score and that score is transferred to the nearest session that begins after the feed. You will also notice the Feed Score Breakdown at the bottom of the Daily Summary. This is an at-a-glance bar graph that breaks down what percentage of each feed comprises the Daily Summary. This is color-coded to match the color of each feed in the timeline.

The Daily Summary provides a look at what happened in a 24-hour period. This is different from the session view because sessions are bound by the time a user logs in, to when the user logs out. The Daily Summary is a way to look only at what happened on a specific day.

At the top of the Daily summary heading are tabs on the right which allow you to select if you want to see a summary of the day’s feeds or a summary of the day’s session and lockout events that also occurred in that same day. In the image above, the Feed tab is selected. This informs the analyst of all the feed activity that happened during the day; in this case the user had 2 feeds, one with 160 web activity events for which there was 0 risk reasons, and one with 273 DHCP events for which there was 1 risk reason. Clicking on the reason will open a pop-up window that explains what the event was and how many points were added to the session because of it.

If the analyst were to select the Session & Lockout tab, as in the above image, she would see that there was 1 Lockout Event and one Session that began during that day. Because there is no logout event the session did not end during that same day, however. You can jump to the lockout or session header by clicking Go to Lockout or Go to Session.

This section describes the information elements present in the Daily Timeline.

The Daily Summary and Daily Timeline only appear when one or more of the feeds filters are turned on; the Daily Timeline will show all of the feeds that are selected in the filter. For example, in the image above, the Web Access filter is turned on, and so all of the Web Access events are present in the Daily Timeline.

The event itself is on the left side of the timeline, and if the event was assigned a risk score then the details of the rule(s) triggered are to the right. We collapse events of the same type that have no risk score. Clicking a caret will open further details. In the image above, six rules were triggered by the Web Access to scores.espn.go.com event, five of those rules were assigned a risk score of 5 points and one a score of 3 points, totaling 28 risk scores for that one event.

Analysts can access an Account Lockout Sequence by clicking the warning symbol on the homepage or clicking View Activity on the User page. By default, the Show Lockouts filter will be turned on and the Show Sessions filter will be off.

The image above shows the summary for an account lockout sequence in the timeline. To the left of the Logon Failures and Lockouts title is a warning icon – orange means Exabeam deems this sequence risky, green means Exabeam sees it as normal. The summary counters at the top give detailed information about the lockout related activities, including:

This section describes the information elements in an account lockout sequence timeline.

Details for the event itself are on the left side of the timeline and details of the risk – including the rule triggered and how Exabeam has evaluated the event – are on the right side of the timeline. Events of the same type and reason are aggregated, in which case the page displays something like “15 x Account lockout” as in the image below.

Exabeam views account lockout events slightly differently from standard session events. For one, they are not given a score, but a binary rank of either Risky or Normal. In addition, certain lockout related activities increase the risk of the event and some reduce it. For example, if a user fails to logon from an abnormal location, that is a risk increasing activity. Alternatively, if a user has changed their password recently and they are failing to logon to their workstation, that is a risk reducing activity. In the image below, the orange up arrow indicates this is a risk increasing event, while the green down arrow indicates a risk reducing event.

The sum of these scores determines whether Exabeam sees the sequence as risky or normal – if risky the sequence will show an orange warning symbol and appear on the homepage. In addition, if a sequence is risky, 50 points are added to the overall session score.

Experienced analysts, such as Tier 3 Analysts, can accept behaviors for users and assets so that the behaviors no longer trigger alerts. Accepted behaviors are effectively whitelisted. This action applies only to the particular user or asset associated with the session or sequence, and it is only applied to future events. Sessions and sequences that occurred prior to the date of acceptance are not affected. This feature requires extreme caution because once a behavior is accepted, the action cannot be undone.

Behaviors can be accepted from the User, User Timeline, Asset, and Asset Timeline pages.