Exabeam Advanced Analytics User Guide

Get Started With the Threat Hunter Page

Navigate to the Threat Hunter Page

You can navigate to the Threat Hunter page by entering an advanced search in the Search field at the top of any page. Click the triangle in the search box to open an extensive drop-down menu (shown in the image below) with three tabs along the left that let you move between the Threat Hunter Search Menu, Saved Searches, and the Search Library.

Search in the Threat Hunter Page

Within categories, the search is an ‘or’ function. For example, if you were to select both Symantec Endpoint Protection and FireEye MPS, your results would list all sessions and sequences that contained Symantec Endpoint Protection alerts or FireEye alerts or both. The exception to this is the Activity Types category, where the operation is ‘and’.

Across categories, the search is an ‘and’ function. For example, if you were to enter the dates 07/01/2015 through 07/31/2015 and FireEye MPS as a Security Vendor, you would return a list of sessions that began in the month of July and also included a FireEye alert.

The date field is mandatory; the system returns no results without it. By default the timeframe is Last Day, which searches for matching results in the last 24 hours. There is no limit to the number of criteria that can be entered in each category, with the exception of Dates, Accepted Activities, and Risk Scores. For example, Barbara Salazar, Luis Pruitt, and Keith Cook can all be entered under Users, and the search returns all existing sessions for all three users. Note that User Label and Asset Label searches are case sensitive.

Search results will appear on a new page and can be sorted by

  • Risk Score (beginning with the highest score and the rest following in descending order)

  • Date (beginning with the most recent result first and the rest following in descending order)

  • User (alphabetical by first name)

Results can be further refined with the filters on the left. If multiple containers (session or feeds) match your search, then your results will be shown in tabs. The maximum number of results that will be returned is 10,000 sessions.

Note

If the number of results returned exceeds the maximum limit, then the result counts on the left panel will not be accurate since they do not include the extra results over the maximum limit. You must narrow your results by selecting additional filters for the counts to be accurate.
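The combination rules above (OR within a category, AND across categories, AND for Activity Types, a mandatory date window, the three sort orders, and the 10,000-session cap that makes the left-panel counts inaccurate) can be modelled in a few lines. The following Python is an added example for this guide, not Exabeam code: the session fields, the sample sessions and the fixed "now" are constructed, and the cap is lowered in the test to show the count problem on a handful of sessions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Fixed "now" for the constructed data set, so the Last Day window is deterministic.
NOW = datetime(2015, 7, 31, 12, 0, 0)


@dataclass
class Session:
    """One session as Threat Hunter would index it (constructed fields, hypothetical schema)."""
    session_id: str
    user: str
    start: datetime
    risk_score: int
    vendors: Set[str] = field(default_factory=set)         # security vendors that raised alerts
    activity_types: Set[str] = field(default_factory=set)  # activity types seen in the session


# Constructed sample sessions; not real Exabeam output.
SESSIONS = [
    Session("s1", "Barbara Salazar", NOW - timedelta(hours=3), 95,
            {"FireEye MPS"}, {"Security Alerts", "Remote Access"}),
    Session("s2", "Luis Pruitt", NOW - timedelta(hours=10), 80,
            {"Symantec Endpoint Protection"}, {"Security Alerts"}),
    Session("s3", "Keith Cook", NOW - timedelta(days=3), 120,
            {"FireEye MPS", "Symantec Endpoint Protection"},
            {"Security Alerts", "Account Management"}),
    Session("s4", "Barbara Salazar", NOW - timedelta(hours=20), 40,
            set(), {"Remote Access"}),
]

MAX_RESULTS = 10_000  # Threat Hunter returns at most 10,000 sessions


def matches(session: Session, criteria: Dict, now: datetime = NOW) -> bool:
    """Combine criteria the way the guide describes.

    - Dates is mandatory; it defaults to Last Day (24 hours) and is checked first.
    - Within Security Vendors and Users the selected values are OR'ed.
    - Within Activity Types every selected type must be present (AND).
    - Across categories everything is AND'ed: any failing category rejects the session.
    """
    window = timedelta(days=criteria.get("last_days", 1))
    if session.start < now - window:
        return False

    vendors = criteria.get("security_vendors", set())
    if vendors and not (session.vendors & vendors):       # OR: any selected vendor
        return False

    users = criteria.get("users", set())
    if users and session.user not in users:                # OR: any selected user
        return False

    activities = criteria.get("activity_types", set())
    if activities and not activities <= session.activity_types:  # AND: all selected types
        return False

    return True


def search(criteria: Dict, sessions: List[Session] = SESSIONS, sort_by: str = "risk_score",
           max_results: int = MAX_RESULTS) -> Tuple[List[Session], int]:
    """Return (results page, total matches). Only the page is capped at max_results."""
    hits = [s for s in sessions if matches(s, criteria)]
    if sort_by == "risk_score":
        hits.sort(key=lambda s: s.risk_score, reverse=True)   # highest score first
    elif sort_by == "date":
        hits.sort(key=lambda s: s.start, reverse=True)        # most recent first
    elif sort_by == "user":
        hits.sort(key=lambda s: s.user)                       # alphabetical by first name
    else:
        raise ValueError(f"unknown sort key: {sort_by}")
    return hits[:max_results], len(hits)


def facet_counts(results: List[Session], category: str) -> Dict[str, int]:
    """Left-panel filter counts, computed only over the returned page.

    This is why the counts go wrong once total matches exceed the cap:
    sessions beyond max_results never reach this function.
    """
    counts: Dict[str, int] = {}
    for s in results:
        for value in getattr(s, category):
            counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    page, total = search({"security_vendors": {"FireEye MPS", "Symantec Endpoint Protection"}})
    print([s.session_id for s in page], total)
```

The `facet_counts` call in the test shows the note's point: with the cap lowered to one result, the FireEye MPS count drops from 2 to 1 even though two sessions matched, and the only fix is to narrow the criteria until the total fits under the cap.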

Above the search results, all of the search criteria for the current search are listed. To begin a new search from scratch, click on the triangle in the search box at the top of the page.

Threat Hunter Support for Entity Analytics

Advanced Analytics includes the Asset Sequences in Threat Hunter's search capabilities.

Threat Hunter results encompass both Asset Sessions and User Sessions. For example, if the selected date range is 'Last Day' and the selected Activity Type is 'Security Alerts', then the search results will show all of the User Sessions and Asset Sessions that have had security alerts in the past day.

When search results include both Asset Sequences and User Sessions, the two will be differentiated in separate tabs. By default, the top 100 returned sessions are sorted by risk score.

Under the Reasons drop-down panel we have introduced a new icon to help quickly differentiate between User Sessions and Asset Sessions.

Save Search Criteria

Saved Searches are found in the second tab of the Threat Hunter drop-down menu.

Saved searches can be shared with other security analysts and engineers, so team members do not need to re-create the search independently or from scratch. This allows a threat hunt that your security team deems important to be created once, then shared and executed quickly.

From the search results page, you have the option to select Save, Save As, or Export. Save allows you to save a new search or update an existing saved search. Save As copies an existing saved search so that you can save any updates under a new name (after saving, the search can be found under the Threat Hunter > Saved Searches tab). Export lets you export all of the search results as a CSV file.

Selecting any of the Saved Searches from the Saved Searches or Exabeam Search Library tab will populate Threat Hunter with that criteria and return results.

For more information on how to configure roles and views, see Managing Saved Searches.

Managing Saved Searches

Threat Hunter searches can be shared with other Advanced Analytics users in particular roles. By default, saved searches are Public. This does not mean that all users can view the search; only users whose roles have all of the following search permissions can view saved searches:

  • Manage Search Library

  • Threat Hunting

  • View Search Library

A user who can view and copy a search created by another user will not be able to edit the original saved search. For more information on configuring user view access, see Configure User Roles to View Saved Searches.

Only user roles with all Threat Hunter search permissions can create and save searches that can be shared with other analysts.

  1. Go to Settings > User Management > Roles.

  2. Select the role you want to configure or Create Role.

  3. Go to the Search section and then select Manage Search Library, Manage Threat Hunter Public searches, Threat Hunting, and View Search Library.

  4. Click Save to apply the changes.

User roles, by default, do not have permission to view saved searches. With viewing permission, the user can also create copies of saved searches to make changes to.

  1. Go to Settings > User Management > Roles.

  2. Select the role you want to configure or Create Role.

  3. Go to the Search section and then select Manage Search Library, Threat Hunting, and View Search Library.

  4. Click Save to apply the changes.

When you have created and saved your search, you can set which saved search you want others to view. By default, your saved searches are Public. Users with roles that have all of the following permissions may share saved searches:

  • Manage Search Library

  • Manage Threat Hunter Public searches

  • Threat Hunting

  • View Search Library

Roles with the following permissions may create Private searches and use saved searches made public by others:

  • Manage Search Library

  • Threat Hunting

  • View Search Library

Though your entire saved search collection is shared at first, you can selectively configure which saved search is shared.

  1. Click the Search icon.

  2. Click Threat Hunter to expand the menu.

  3. Go to the Save Searches tab. Two categories are displayed, Public and Only me, which shows the current share type.

  4. Find the saved search you want to configure. Click the vertical ellipsis to expand the menu and then select Edit.

  5. Click to expand the share menu and then select the share type.

  6. Click SAVE to apply the changes.

You cannot edit saved searches created by others or found in the Exabeam Search Library. However, you can make a copy of a saved search to reconfigure.

  1. Click the Search icon.

  2. Click Threat Hunter to expand the menu.

  3. Go to the Save Searches or Library tab.

  4. Find the saved search you want to copy. Click the vertical ellipsis to expand the menu and then select Copy.

  5. Enter a new Title for the copied search.

  6. Click SAVE to apply changes.

  7. The copied search is saved as a Public search. To change the share setting, see Configure Which Saved Search to Share.

Other Advanced Analytics users with view permission to saved searches cannot delete saved searches you created, with the exception of those with administrator privileges and those with all of the following permissions in their roles:

  • Manage Search Library

  • Manage Threat Hunter Public searches

  • Threat Hunting

  • View Search Library

  1. To delete your saved search, click the Search icon.

  2. Click Threat Hunter to expand the menu.

  3. Go to the Save Searches tab.

  4. Find the saved search you want to delete. Click the vertical ellipsis to expand the menu and then select Delete.

  5. Confirm by clicking Delete to remove the search from the library.
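The permission rules spread across Managing Saved Searches (who can view, copy, edit, share, create and delete a saved search) form a small access-control matrix that is easy to get wrong when auditing roles. The following Python is an added reference model for those rules, not Exabeam code: the `Role` and `SavedSearch` records, the `owner` field and the `capabilities` summary are assumptions, and the model treats an "Only me" search as visible to its creator only, which the guide implies but does not state.

```python
from dataclasses import dataclass
from typing import FrozenSet, Set

# Permission names as they appear under Settings > User Management > Roles > Search.
MANAGE_LIBRARY = "Manage Search Library"
MANAGE_PUBLIC = "Manage Threat Hunter Public searches"
THREAT_HUNTING = "Threat Hunting"
VIEW_LIBRARY = "View Search Library"

# Roles with these three can view public saved searches, copy them, and create Private searches.
VIEW_SET: FrozenSet[str] = frozenset({MANAGE_LIBRARY, THREAT_HUNTING, VIEW_LIBRARY})
# Roles with all four can create shareable searches, change share settings, and delete others' searches.
SHARE_SET: FrozenSet[str] = VIEW_SET | {MANAGE_PUBLIC}


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str] = frozenset()
    is_admin: bool = False       # administrator privileges override the delete rule


@dataclass(frozen=True)
class SavedSearch:
    title: str
    owner: str                   # user who created it (hypothetical field)
    share: str = "Public"        # "Public" or "Only me", as shown on the Saved Searches tab
    from_library: bool = False   # Exabeam Search Library entries are read-only


def _has_search_access(role: Role) -> bool:
    """Baseline: without the three view permissions nothing in Threat Hunter is visible."""
    return VIEW_SET <= role.permissions


def can_view(role: Role, search: SavedSearch, user: str) -> bool:
    if not _has_search_access(role):
        return False
    if search.from_library or search.share == "Public":
        return True
    return search.owner == user  # "Only me": creator only (assumption)


def can_copy(role: Role, search: SavedSearch, user: str) -> bool:
    return can_view(role, search, user)  # anyone who can see a search may copy it


def can_edit(role: Role, search: SavedSearch, user: str) -> bool:
    # Library entries and other users' searches are never editable; copy them instead.
    return _has_search_access(role) and not search.from_library and search.owner == user


def can_share(role: Role, search: SavedSearch, user: str) -> bool:
    """Changing the share type needs the full permission set on top of edit rights."""
    return can_edit(role, search, user) and SHARE_SET <= role.permissions


def can_create(role: Role, share: str) -> bool:
    if share == "Public":
        return SHARE_SET <= role.permissions
    return _has_search_access(role)


def can_delete(role: Role, search: SavedSearch, user: str) -> bool:
    if search.from_library:
        return False
    if search.owner == user and _has_search_access(role):
        return True
    return role.is_admin or SHARE_SET <= role.permissions


def capabilities(role: Role) -> Set[str]:
    """Summary for a least-privilege review of a role's Search section."""
    caps: Set[str] = set()
    if role.is_admin:
        caps.add("delete_others")
    if VIEW_SET <= role.permissions:
        caps |= {"view_public", "copy", "create_private"}
    if SHARE_SET <= role.permissions:
        caps |= {"create_public", "share", "delete_others"}
    return caps
```

Running `capabilities` over every configured role is a quick way to spot roles that hold Manage Threat Hunter Public searches, and therefore the ability to delete other analysts' hunts, without needing it.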

View Pre-Configured Searches Using the Exabeam Search Library

The Search Library is the third tab of the Threat Hunter drop-down menu and is a collection of pre-configured Exabeam searches.

These cannot be edited or deleted. However, if you would like to customize the Exabeam searches, you can select Copy from the item menu and then modify the search criteria.

Exabeam ships with the following out-of-the-box searches:

  • Notable Sessions with Security Alerts

    • This search identifies all security alerts that occurred in the previous 24 hours. This search will help an analyst quickly identify third-party security alerts.

  • Notable Sessions with Account Management

    • This search identifies risky account management behavior, typically performed by privileged users. This search identifies the following Risk Reasons that occurred in the previous 24 hours:

      • First account management activity from zone

      • First account management activity from asset

      • First account creation activity for peer group

      • First account group management activity for peer group

      • First account management activity for user from asset

      • First account group management activity for peer group

  • Notable VPN Sessions

    • This search identifies risky VPN behavior from someone connecting from outside the organization. It identifies the following Risk Reasons that occurred in the previous 24 hours:

      • First VPN connection from country

      • Abnormal VPN connection from country for organization and group

      • Abnormal VPN start time

      • First VPN connection from device for organization

      • VPN connection using a disabled account

      • VPN access by privileged user

      • VPN access by service account

  • Notable Sessions Containing Data Exfiltration

    • This search identifies all Data Exfiltration activities that occurred in the previous 24 hours. These events may be an indication that a user is attempting to appropriate sensitive information.

  • Notable Sessions Containing Executive Assets

    • This search identifies risky behavior that may indicate someone is attempting to access privileged resources. It identifies the following Risk Reasons that occurred in the previous 24 hours:

      • First VPN connection for service account

      • First access/logon from an asset for a service account

      • Interactive logon using a service account

  • Notable Failed Logons

    • This search identifies all users who had an abnormal number of failed logon activities in the previous 24 hours. Excessive failed logons can be an indication that credentials have been compromised or that a privilege escalation attempt has taken place.

Search for Assets Associated With an IP Address

Exabeam keeps track of the IPs that are assigned to each asset over time. This allows an analyst to perform searches related to IP-asset associations. For example, if an analyst receives a malware alert with an IP and a timestamp from a security product in the SIEM, he can find the specific asset that has this IP address at that point in time. He can then view the user sessions that connected to this asset and even specify only those sessions where the asset was the source or destination.

From the basic search bar, you can enter the IP address of interest, returning a list of all the assets that have been attributed to that IP in the past.

Selecting View All Assets Associations at the bottom opens a new pop-up window that contains all of the assets associated with the IP Address, as well as the timeframes during which they were assigned.

Clicking the View Sessions icon on the right will take you to the session timeline in which the asset was featured.
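The pivot described in this section (alert IP plus timestamp, to the asset that held the IP at that moment, to the sessions in which that asset was the source or destination) rests on a point-in-time lookup over an IP-assignment history. The Python below is an added example of that lookup, not Exabeam code: the `Assignment` and `UserSession` records, the history, the sessions and the asset names are all constructed, and the overlap check is an addition that a defender would want before trusting an attribution.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    """One interval during which an asset held an IP address (constructed schema)."""
    asset: str
    ip: str
    start: datetime
    end: Optional[datetime]   # None means the assignment is still current


@dataclass(frozen=True)
class UserSession:
    """A user session referencing the assets it connected from and to (constructed schema)."""
    session_id: str
    user: str
    source_asset: str
    dest_asset: str
    start: datetime


# Constructed IP-to-asset history; not real data. 10.20.30.40 changes hands twice.
HISTORY = [
    Assignment("lt-finance-07", "10.20.30.40", datetime(2015, 7, 1, 8), datetime(2015, 7, 10, 18)),
    Assignment("lt-eng-12",     "10.20.30.40", datetime(2015, 7, 11, 9), datetime(2015, 7, 25, 17)),
    Assignment("srv-db-01",     "10.20.30.40", datetime(2015, 7, 26, 0), None),
    Assignment("lt-eng-12",     "10.20.31.5",  datetime(2015, 7, 26, 9), None),
]

# Constructed sessions in which those assets appear.
SESSIONS = [
    UserSession("sess-101", "Barbara Salazar", "lt-eng-12", "srv-db-01", datetime(2015, 7, 28, 10)),
    UserSession("sess-102", "Luis Pruitt", "lt-finance-07", "srv-db-01", datetime(2015, 7, 29, 14)),
    UserSession("sess-103", "Keith Cook", "srv-db-01", "lt-eng-12", datetime(2015, 7, 30, 9)),
]


def _norm(ip: str) -> str:
    """Canonical form so that differently written IPv6 addresses compare equal."""
    return str(ip_address(ip))


def _holds(a: Assignment, when: datetime) -> bool:
    """Start is inclusive, end is exclusive; an open-ended assignment is still current."""
    return a.start <= when and (a.end is None or when < a.end)


def asset_at(ip: str, when: datetime, history: List[Assignment] = HISTORY) -> Optional[str]:
    """Point-in-time attribution: which asset had `ip` at `when`? None if no record covers it."""
    ip = _norm(ip)
    for a in history:
        if _norm(a.ip) == ip and _holds(a, when):
            return a.asset
    return None


def associations(ip: str, history: List[Assignment] = HISTORY) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Everything the View All Asset Associations window lists for an IP, oldest first."""
    ip = _norm(ip)
    rows = sorted((a for a in history if _norm(a.ip) == ip), key=lambda a: a.start)
    return [(a.asset, a.start, a.end) for a in rows]


def conflicting_assignments(history: List[Assignment] = HISTORY) -> List[Tuple[str, str, str]]:
    """Pairs of assets that claim the same IP during overlapping intervals.

    An overlap makes the alert-time lookup ambiguous, so it is worth surfacing
    before acting on an attribution.
    """
    def end_of(a: Assignment) -> datetime:
        return a.end if a.end is not None else datetime.max

    conflicts = []
    for i, a in enumerate(history):
        for b in history[i + 1:]:
            if _norm(a.ip) == _norm(b.ip) and a.start < end_of(b) and b.start < end_of(a):
                conflicts.append((a.ip, a.asset, b.asset))
    return conflicts


def sessions_for_asset(asset: str, role: str = "any", sessions: List[UserSession] = SESSIONS) -> List[str]:
    """Session IDs featuring the asset; role narrows to 'source' or 'destination'."""
    if role not in ("any", "source", "destination"):
        raise ValueError(f"unknown role: {role}")
    out = []
    for s in sessions:
        is_src, is_dst = s.source_asset == asset, s.dest_asset == asset
        if (role == "any" and (is_src or is_dst)) or (role == "source" and is_src) or (role == "destination" and is_dst):
            out.append(s.session_id)
    return out


def investigate(ip: str, when: datetime) -> Tuple[Optional[str], List[str]]:
    """The full pivot: alert IP and time -> asset -> sessions that involved the asset."""
    asset = asset_at(ip, when)
    return (None, []) if asset is None else (asset, sessions_for_asset(asset))
```

The gap between 10 July 18:00 and 11 July 09:00 in the constructed history is deliberate: an alert timestamped inside it resolves to no asset, which is the correct answer and should be reported as such rather than defaulting to the nearest neighbour.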