- What is Exabeam?
- Welcome to the Advanced Analytics Homepage
- High-Level Counters on the Advanced Analytics Homepage
- About the Notable Users List
- Watchlists
- Account Lockouts List on the Advanced Analytics Homepage
- Navigate to Other Pages, Sign Out, or Change Password from the Advanced Analytics Homepage
- Use Dark Mode in Advanced Analytics , Case Manager, and Incident Responder
- Change Language in Advanced Analytics, Case Manager, and Incident Responder
- Get to Know a User Profile
- 1 General Information
- 2 Data Insights
- 3 Active Incident(s)
- 4 User Risk Trend
- 5 Risk Reasons
- Get to Know the User Timeline Page
- Examine Events by Category with the User Session Summary
- About the User Session Timeline
- Filter User Timelines
- View Activity Summary on a Specific Day
- Get to Know the Daily Timeline
- View and Understand an Account Lockout Sequence
- Get to Know the Account Lockout Sequence Timeline
- Accepting a Session or Sequence
- Search for a Data Lake Log from an Advanced Analytics Smart Timelines™ Event
- View a Data Lake Log from an Advanced Analytics Smart Timelines™ Event
- Download a Data Lake Log from an Advanced Analytics Smart Timelines™ Event
- Copy Advanced Analytics Event Data to Your Clipboard
- Search Splunk Logs from an Advanced Analytics Smart Timeline™ Session
- Add Advanced Analytics Evidence to a Case Manager Incident
- Entity Analytics
- Get Started with the Asset Page
- Get Started With the Threat Hunter Page
- Search Histograms Using the Data Insights Page
- Monitor Exabeam Processes Using the System Health Page
- Contact Technical Support
Entity Analytics
Entity Analytics offers analytics capabilities for entities beyond users such as hosts and IP addresses within an environment. For our purposes, the words asset and entity are used interchangeably.
Entity Analytics assigns risk scores on any anomalous activities on Assets in an organization's environment by using machine learning and expert rules. In a single Asset Session, Entity Analytics may report risks related to a machine accessing many new hosts, a malware security alert received from a 3rd party system, and an entity connecting to a host in a new country. Notable Assets (assets that had an Asset Session score of at least 90) will appear on the homepage next to Notable Users.
Entity Analytics creates an Asset Session in cases where logs indicate activities on assets. These can be logs such as Windows authentication, VPN or security alerts that contain events related to users and assets. In addition, asset sessions can be built from logs indicating device to device communication that do not have a user name attached to them, such as firewall, DNS, Netflow or IoT logs. An Asset Session is similar to a User Session in that it is a logical container of events logs. However, unlike User Sessions (which begin when a user logs on and ends when a user logs off) an Asset Session represents a 24-hour window of all activities performed on an asset. Some logs have both asset and user fields and Advanced Analytics creates both a session event and an asset session event out of these.
For example, when a machine is a source of attack and uses multiple identities (user names) in a short amount of time to perform brute force attacks or move laterally within an environment. This type of risk is not elevated by Advanced Analytics as these activities belong to multiple user sessions and a single user did not accumulate enough risk to be identified as anomalous. With Entity Analytics enabled, the entity itself will now have a risk score associated with it. The Asset Session Timeline page displays all the events in chronological order during the session, so the analyst can see all events before and after a security, anomalous, or lockout event. Seeing the whole timeline helps the analyst see, for example, whether a hacker started the sequence from outside the network or a legitimate user started the sequence on-site.
Entity Analytics is available as a licensable option and can be added to an existing Advanced Analytics deployment. Please talk to your Technical Account Manager for more information.