Cloud Connectors Release Notes

What's New

Tip

To take advantage of the latest updates and fixes, it is recommended to upgrade Exabeam Cloud Connectors to the latest release.

Cloud Connectors 2.5 Releases

Cloud Connectors 2.5.508 (October 28, 2024)

Cloud Connector

Description

Symantec WSS Cloud Connector

(CC-1973)

The Symantec WSS Cloud Connector now collects data for the following three fields in addition to the default fields.

  • x-symc-dei-app – Application name that is set in the Cloud SWG policy

  • x-symc-dei-via – Identifier for the Dedicated IP NAT proxy as rewritten by policy from the X-SYMC-DEI-Via header

  • x-client-agent-ip – Internal IP address of the agent

Upgrade to Exabeam Cloud Connectors 2.5.508 to ensure that the cloud connector collects data regarding the new fields along with the default fields.

Cloud Connectors 2.5.506 (September 16, 2024)

Cloud Connector

Description

Rapid 7 Insight Cloud Connectors

(CC-1945)

Fixed an issue in which the Rapid7 Insight API generated fragmented reports instead of a complete large report in a compressed GZIP format.

Upgrade to Exabeam Cloud Connectors 2.5.506 to ensure that the cloud connector collects the complete report data correctly.

Cloud Connectors 2.5.500 (July 29, 2024)

Cloud Connector

Description

All Cloud Connectors

(CC-1978)

Enhanced user experience by adding a pop-up notification for the Cloud Connector instances which do not have the minimum supported cloud connector version required for migration to the new scale platform.

Upgrade to Exabeam Cloud Connectors 2.5.500 to view notification about the minimum supported cloud connector version appropriate for migration.

Cloud Connectors 2.5.498 (July 09, 2024)

Cloud Connector

Description

Snowflake Cloud Connector

(CC-1970)

Updated the JDBC driver version for the Snowflake cloud connector to the latest version 3.16.1 to ensure security and compatibility.

Upgrade to Exabeam Cloud Connectors 2.5.498 to get the latest JDBC driver support for the Snowflake cloud connector.

Cloud Connectors 2.5.495 (June 24, 2024)

Cloud Connector

Description

Custom Cloud Connector

(CC-1950)

Enhanced the Custom Cloud Connector, which can consume data stored in Azure Storage Accounts to retrieve Azure data sources: Azure Storage Account's Blob store and clear-text files. Cloud Connectors 2.5.495 now supports zip formats in addition to the .log or .txt format in clear-text files.

Upgrade to Exabeam Cloud Connectors 2.5.495 for the Custom cloud connector to collect data in zip formats stored in Azure Storage Accounts.

Cloud Connectors 2.5.494 (June 18, 2024)

Cloud Connector

Description

Dropbox Cloud Connector

(CC-1929)

Fixed an issue for the Dropbox Cloud Connector in which the cloud connector did not collect logs from Dropbox due to API call conditions.

Impact – The Dropbox Cloud Connector pulled logs intermittently and showed no logs collected from Dropbox. To resolve the issues, follow the remediation steps.

Remediation – Upgrade to Exabeam Cloud Connectors 2.5.494 to ensure that the Dropbox cloud connector instance collects events from Dropbox.

Cloud Connectors 2.5.492 (May 27, 2024)

Cloud Connector

Description

AWS Cloud Connector

(CC-1887)

Fixed an issue for the AWS Cloud Connector in which there was a delay in ingesting GuardDuty logs from AWS accounts.

Impact – The AWS Cloud Connector pulled logs intermittently and showed a delay in collecting GuardDuty logs from AWS accounts. To resolve the issues, follow the remediation steps.

Remediation – Upgrade to Exabeam Cloud Connectors 2.5.492 and ensure that you monitor logs for delay after updating the cloud connector instance.

Mimecast Cloud Connector

(CC-1893)

Fixed an issue for the Mimecast Cloud Connector in which the region United States of America (USB) was not enabled.

Impact – The Mimecast Cloud Connector did not show the regions USB and USPCOM while configuring the cloud connector. To resolve the issues, follow the remediation steps.

Remediation – Upgrade to Exabeam Cloud Connectors 2.5.492 to select the newly added regions USB and USPCOM for the Mimecast Cloud Connector.

Armis Cloud Connector

(CC-1871)

Fixed an issue for the Armis Cloud Connector in which context tables were incorrectly presented.

Remediation – Upgrade to Exabeam Cloud Connectors 2.5.492 to ensure that context tables are collected in the correct format by the Armis Cloud connector.

Salesforce Cloud Connector

(CC-1860)

Fixed an issue for the Salesforce Cloud Connector in which the cloud connector did not pull all the events from the EventLogFile endpoint.

Remediation – Upgrade to Exabeam Cloud Connectors 2.5.492 to enable the Salesforce Cloud Connector to collect events from the EventLogFile endpoint.

Cloud Connectors 2.5.483 (May 06, 2024)

Cloud Connector

Description

Netskope Cloud Connector

(CC-1842)

Exabeam Cloud Connectors version 2.5.483 includes a fix for the Netskope Cloud Connector in which duplication of events occurred.

  • Impact – If you receive duplicate logs pulled by the Netskope cloud connector, proceed to follow the steps to remediate.

  • Remediation – Upgrade to Exabeam Cloud Connectors 2.5.483.

    • If you use SaaS Cloud Connectors, your cloud instance is automatically upgraded based on the planned maintenance window schedule. For urgent upgrades, create a support ticket.

    • If you are using on-premise Cloud Connectors, to eliminate event duplication and missing events, upgrade to Exabeam Cloud Connectors 2.5.483 or a later release.

Self Service Migration for CrowdStrike Cloud Connector

Exabeam Cloud Connectors version 2.5.483 introduces the Migrate functionality on the SaaS Cloud Connectors platform, using which you can now migrate the CrowdStrike Cloud Connector to Cloud Collectors service on the Exabeam Security Operations Platform.

If you use SaaS Cloud Connectors, your cloud instance is automatically upgraded based on the planned maintenance window schedule. For urgent upgrades, create a support ticket.

To migrate the CrowdStrike Cloud Connector, use the following steps.

  1. On the SaaS Cloud Connectors platform, navigate to Settings > Accounts.

  2. Click Migrate for the CrowdStrike account that you want to migrate to the Cloud Collectors service.

  3. Click Migrate for the endpoints: streaming-api or fdr for CrowdStrike.

  4. To view the migrated connector, click View Migrated Collector.

    The migrated CrowdStrike Cloud Collectors are ready to ingest data on the Exabeam Security Operations Platform.

Self Service Migration for Office 365 Cloud Connector

Exabeam Cloud Connectors version 2.5.483 includes the Migrate functionality with enhancements on the SaaS Cloud Connectors platform, using which you can now migrate the Office 365 Cloud Connector to Cloud Collectors service on the Exabeam Security Operations Platform.

If you use SaaS Cloud Connectors, your cloud instance is automatically upgraded based on the planned maintenance window schedule. For urgent upgrades, create a support ticket.

To migrate the Office 365 Cloud Connector, use the following steps.

  1. On the SaaS Cloud Connectors platform, navigate to Settings > Accounts.

  2. Click Migrate for the Office 365 account that you want to migrate to the Cloud Collectors service.

  3. Click Migrate for the endpoints: graph, exchange-admin-reports, and management.

  4. To view the migrated connector, click View Migrated Collector.

    The following migrated Cloud Collectors are ready to ingest data on the Exabeam Security Operations Platform.

Cloud Connectors 2.5.478 (April 08, 2024)

Cloud Connector

Description

SentinelOne Cloud Connector

(CC-1864) (CC-1866)

Exabeam Cloud Connectors version 2.5.478 includes a fix for the SentinelOne Cloud Connector in which a newly generated SentinelOne API token did not work for the SentinelOne Cloud Connector.

  • Impact – If test connection fails after you apply the new API token, proceed to follow the steps to remediate.

  • Remediation

    • Upgrade to Exabeam Cloud Connectors 2.5.478.

      • If you are using SaaS Cloud Connectors, your cloud instance is automatically upgraded.

      • If you are using on-premise Cloud Connectors, to eliminate SentinelOne API token issues, upgrade to Exabeam Cloud Connectors 2.5.478 or a later release.

    • SentinelOne API Token Generation

      • Change the console user token every 30 days if test connection fails. For the steps to generate a token, refer to the Obtain the API Token for Console Users section.

      • Alternatively, you can use a service user token for which you can customize the token validity and set the expiration date. For the steps to generate a token, refer to the Obtain the API Token for Service Users section.

Cloud Connectors 2.5.475 (March 05, 2024)

Cloud Connector

Description

Netskope Cloud Connector

(CC-1842)

Fixed an issue in which Netskope cloud connector pulled duplicate logs. To eliminate duplication of events, upgrade to Exabeam Cloud Connectors 2.5.475 or a later release.

Code42 Cloud Connector

(CC-1856)

Fixed an issue in which the endpoint for the Code42 Cloud Connector did not pull events. To eliminate event ingestion issues, upgrade to Exabeam Cloud Connectors 2.5.475 or a later release.

Cloud Connectors 2.5.462 (January 29, 2024)

Cloud Connector

Description

All Cloud Connectors

(CC-1704)

Introduced a Single Logout feature for Cloud Connectors. In a Unified Login or SSO-enabled environment, logging out from either the Exabeam Security Operations Platform or the Cloud Connectors service now logs you out of both. To use the Single Logout feature, upgrade to Exabeam Cloud Connectors 2.5.462 or a later release.

Cloud Connectors 2.5.461 (January 22, 2024)

Cloud Connector

Description

CrowdStrike Falcon Cloud Connector

(CC-1817)

Fixed an issue in which duplication of logs and tasks occurred for the endpoint named ENDPOINT-FDR when the number of open tasks reached the maximum limit. To prevent data duplication and FDR Item Explorer sync issues while processing large volumes of data, upgrade to Exabeam Cloud Connectors 2.5.461 or a later release.

Cloud Connectors 2.5.459 (November 27, 2023)

Cloud Connector

Description

Code42 Incydr Cloud Connector

(CC-1557)

The Code42 Incydr Cloud Connector now supports File Events API V2 to search for file activity, which is also called Forensic Search. To select API version v2 for the cloud connector to pull file events, upgrade to Exabeam Cloud Connectors 2.5.459 or a later release.

Cloud Connectors 2.5.457 (November 06, 2023)

Cloud Connector

Description

Sophos Central Cloud Connector

(CC-1475)

Added support for the OAuth2 authentication method for configuring the Sophos Central Cloud Connector. To use the API credential-based OAuth2 authentication method, upgrade to Exabeam Cloud Connectors 2.5.457 or a later release.

Cloud Connectors 2.5.454 (September 25, 2023)

Cloud Connector

Description

Azure Cloud Connector

(CC-1670)

Fixed an issue in which the Event Hub endpoint could not be added for the Azure Cloud Connector. To eliminate the endpoint discovery errors, upgrade to Exabeam Cloud Connectors 2.5.454 or a later release.

Cisco Umbrella Cloud Connector

(CC-1730)

Fixed an issue in which the Cisco Umbrella Cloud Connector could not convert the logs captured in V8 format in the S3 bucket to JSON format to be sent to Advanced Analytics and Data Lake. To eliminate the log format related errors, upgrade to Exabeam Cloud Connectors 2.5.454 or a later release.

Google Workspaces Cloud Connector

(CC-1713)

Fixed an issue in which Google Workspaces Cloud Connector did not ingest Gmail logs at a specific time interval (9 - 16 JST) every day. To eliminate the log ingestion errors, upgrade to Exabeam Cloud Connectors 2.5.454 or a later release.

Cloud Connectors 2.5.435 (June 12, 2023)

Cloud Connector

Description

CrowdStrike Cloud Connector

Fixed an issue in which the CrowdStrike Cloud Connector pulled historical events irrespective of the Ingest From date that is set to ingest logs for the current date. To eliminate the ingestion errors caused by the incorrect date format after service restart, upgrade to Exabeam Cloud Connectors 2.5.435 or a later release.

Cloud Connectors 2.5.433 (May 15, 2023)

Cloud Connector

Description

Google Workspaces Cloud Connector

(CC-1549)

Fixed an issue in which performing a full table scan increased the cost of running the query to fetch Gmail logs for the Google Workspace Cloud Connector. To reduce the cost associated with running queries, upgrade to Exabeam Cloud Connectors 2.5.433 or a later release.

Azure Cloud Connector

(CC-1554)

Fixed an issue related to telemetry monitoring for calculating account lag for Azure Graph Security Alert API endpoint. To view the correct account lag for Azure Graph Security Alert API endpoint, upgrade to Exabeam Cloud Connectors 2.5.433 or a later release.

Netskope Cloud Connector

(CC-1572)

As part of the API requests, the Exabeam Cloud Connectors 2.5.433 platform now sends the user agent v1 for Exabeam-CloudConnectors-v1.0 and user agent v2 for Exabeam-CloudConnectors-v2.0 with every API request for Netskope for ingesting events.

CrowdStrike Falcon Cloud Connector

(CC-1582)

Fixed an issue in which CrowdStrike Falcon Cloud Connector ingested CrowdStrike FDR logs once and created duplicate events to be pushed to Data Lake (DL). To eliminate data duplication issues, upgrade to Exabeam Cloud Connectors 2.5.433 or a later release.

Cloud Connectors 2.5.430 (April 04, 2023)

Cloud Connector

Description

Google Workspaces Cloud Connector

(CC-1436)

Fixed an issue in which Google Workspace Cloud Connector did not ingest Gmail logs. To eliminate Gmail log ingestion issues, upgrade to Exabeam Cloud Connectors 2.5.430 or a later release.

Office 365 Cloud Connector

(CC-1446)

Fixed an issue in which Office 365 Exchange Reports Endpoints for GCC High US Government plan were in an error state. To eliminate endpoint sync issues, upgrade to Exabeam Cloud Connectors 2.5.430 or a later release.

Cloud Connectors (March 31, 2023)

Cloud Connector

Description

Required SentinelOne Cloud Connector Migration

Due to SentinelOne changes to the integration, you must migrate your Deep Visibility endpoint by April 15, 2023.

SentinelOne is changing the way external vendors like Exabeam integrate with their full telemetry feed, formerly known as Deep Visibility and Cloud Funnel 1.0 and now called Cloud Funnel 2.0.

The integration is shifting from using Kafka to ingest events, to a customer-managed AWS S3 bucket. In addition, the event format is changing to JSON and additional event categories are supported.

SentinelOne currently supports both versions, and Cloud Funnel 2.0 is planned to go EOL on March 31, 2023.

To address these changes, Exabeam has introduced support for both SaaS and on-premises deployments.

SaaS deployments

The SentinelOne Cloud Funnel Cloud Collector is now available from the Cloud Collectors app on the Exabeam Security Operations Platform. If you currently use SentinelOne Cloud Connector with Deep Visibility, you must migrate to this new collector by April 15, 2023.

On-premises deployments

If you currently use SentinelOne Cloud Connector with Deep Visibility, you must Set up a Custom Cloud Connector with an AWS Data Source by April 15, 2023.

Cloud Connectors 2.5.422 (March 13, 2023)

Cloud Connector

Description

Slack Classic App Cloud Connector

(CC-1276)

Renamed the Slack Enterprise Grid Cloud Connector as Slack Classic App Cloud Connector. If you are using the old Slack apps, namely Slack Classic apps, you can continue using the Slack Classic App Cloud Connector to fetch audit logs. If you have created a new Slack app with V2 OAuth 2.0 workflow, you must upgrade to Exabeam Cloud Connectors 2.5.422 or a later release and configure the Slack App Cloud Connector.

Slack App Cloud Connector

(CC-1276)

Created a new Slack App Cloud Connector that users can configure to fetch audit logs from Slack apps that are created with V2 OAuth 2.0 workflow. To configure Slack App Cloud Connector that supports new Slack authorization URL for V2 OAuth 2.0 apps, upgrade to Exabeam Cloud Connectors 2.5.422 or a later release.

Cloud Connectors 2.5.420 (February 23, 2023)

Cloud Connector

Description

Exabeam Security Operations Platform

(CC-1336)

Fixed an issue because of which users were not able to log in to legacy Cloud Connector after migration to Universal Role-Based Access. To eliminate the access and authentication issues from the Exabeam Security Operations Platform, you must upgrade to Exabeam Cloud Connectors 2.5.420 or a later release.

Cloud Connectors 2.5.418 (February 20, 2023)

Cloud Connector

Description

CrowdStrike Falcon

(CC-1317)

Fixed an issue for the endpoint endpoint-streaming-api of the CrowdStrike Falcon Cloud Connector by decreasing the number of threads and making the field thread-pool-size configurable via Advanced Configuration. The fix prevents unresponsiveness of the user interface and the Cloud Connector. To eliminate the log ingestion and user interface issues related to the CrowdStrike Falcon Cloud Connector, you must upgrade to Exabeam Cloud Connectors 2.5.418 or a later release.

Rapid7

(CC-1373)

Fixed data ingestion issues for the Cloud Connector Rapid7, which prevented all the endpoints' unintended transition to the paused state. With this fix, the automatic closure of endpoints and log ingestion issues are eliminated. To eliminate the endpoint sync issues related to the Rapid7 Cloud Connector, you must upgrade to Exabeam Cloud Connectors 2.5.418 or a later release.

Office 365

(CC-1446)

Added support for the Azure cloud service that includes Azure AD for High US Government and Azure AD for DoD US Government, which provided users with an option to select the cloud service while configuring Office 365 on the Exabeam Cloud Connectors platform, based on the region on which their Azure AD is deployed. To see new Azure cloud service options, you must upgrade to Exabeam Cloud Connectors 2.5.418 or a later release.

Cloud Connectors 2.5.410 (February 06, 2023)

Cloud Connector

Description

LastPass

(CC-1408)

Fixed the timestamp parsing issue that caused event ingestion delay for the LastPass Cloud Connector. Some API time zones were not getting parsed for the cloud connector. To prevent the event ingestion delays, upgrade to Exabeam Cloud Connectors 2.5.410 or a later release.

Proofpoint

(CC-1450)

Fixed the timestamp parsing issue in which the Proofpoint Cloud Connector showed a time lag in ingesting events. To prevent the event ingestion errors related to the timestamp issue that caused time lag, upgrade to Exabeam Cloud Connectors 2.5.410 or a later release.

Cloud Connectors 2.5.408 (January 30, 2023)

Cloud Connector

Description

Snowflake

(CC-1327)

Introduced a new Key Pair authentication method because Snowflake is going to deprecate the JWT authentication method by April 1, 2023. If you are using the JWT method, to eliminate connection failure errors use the following steps before deprecation:

Netskope

(CC-1247)

Added support for Netskope's API version 2 to comply with Netskope’s new API version. Netskope is going to deprecate API version 1 soon. To migrate the connector to use API version 2, perform the following steps:

  • Upgrade to Exabeam Cloud Connectors 2.5.408 or a later release.

  • Create a new REST API token on the Netskope portal by following the instructions in the Netskope documentation.

  • Record the token to use while configuring the cloud connector.

  • Reconfigure the Netskope Cloud Connector.

  • Enter the token that you created on the Netskope portal in the Token field while configuring the Netskope Cloud Connector.

  • Change the API Version to V2 while configuring the Netskope Cloud Connector.

  • Restart the Netskope Cloud Connector.

Cloud Connectors 2.5.406 (January 16, 2023)

Cloud Connector

Description

Duo Security

(CC-1397)

You can now edit the values for the fields time-period and max-api-calls in the API configuration for the connector using the Configuration Editor in Advanced Settings. To eliminate the HTTP 429 Too Many Requests error related to the Cloud Connector Duo Security by setting the required values for these fields, you must upgrade to Exabeam Cloud Connectors 2.5.406 or a later release.

Cloud Connectors 2.5.405 (January 09, 2023)

Cloud Connector

Description

Tenable

(CC-1296)

Fixed data ingestion issues for the Cloud Connector Tenable, which prevented all the endpoints' unintended transition to the paused state. With this fix, the automatic closure of endpoints and log ingestion issues are eliminated. To eliminate the endpoint sync issues related to the Tenable Cloud Connector, you must upgrade to Exabeam Cloud Connectors 2.5.405 or a later release.

GCP

(CC-1398)

Fixed an issue for the GCP Cloud Connector which prevented unresponsiveness of the user interface and the Cloud Connector. To eliminate the log ingestion and user interface issues related to the GCP Cloud Connector, you must upgrade to Exabeam Cloud Connectors 2.5.405 or a later release.

Cloud Connectors 2.5.403 (December 28, 2022)

Cloud Connector

Description

Okta, Mimecast

(CC-1386, 1392)

Fixed endpoint sync issues for the Okta and Mimecast Cloud Connector. With this fix, endpoints for Okta and Mimecast Cloud Connectors started syncing and logs are being ingested without errors. To eliminate the endpoint sync issues related to the Okta and Mimecast Cloud Connectors, you must upgrade to Exabeam Cloud Connectors 2.5.403 or a later release.

Google Workspace

(CC-1324)

Added support for the new Gmail logs location for Google Workspace Cloud Connector, because Google has merged Gmail logs in BigQuery with Workspace logs and reports in BigQuery. Introduced a new configuration field Gmail Logs Source to support the new logs location for new deployments. The existing deployments now display Gmail Logs in BigQuery (deprecated) by default.

To migrate from Gmail logs in BigQuery to Workspace logs in BigQuery you must perform the following steps in order:

  1. Upgrade to Exabeam Cloud Connectors 2.5.403 or a later release.

  2. Follow the migration steps listed in the Google documentation.

  3. Update Gmail Logs Source to Workspace logs and reports in BigQuery in Endpoint Gmail Logs configuration.

  4. Update BigQuery Dataset Name to the new BigQuery dataset that you configured in Endpoint Gmail Logs configuration while performing the migration steps.

    Note

    Account or endpoint restart is not required. This change does not impact parsing.

Office 365

(CC-1205)

Fixed issues associated with Task Timed Out errors that occurred because of a metadata storage limitation of the PostgreSQL database. With this fix, the cursor tracking metadata is compressed so that it does not cross the threshold level of storage in the PostgreSQL database. There are no visible changes. To eliminate the Task Timed Out issues related to Exchange-admin-reports-mail-detail-ATP endpoint for the Office 365 Cloud Connector, you must upgrade to Exabeam Cloud Connectors 2.5.403 or a later release.

Cloud Connectors 2.5.396 (December 12, 2022)

Cloud Connector

Description

Salesforce

(CC-1149)

Fixed an issue which prevented the unintended exclusion of events while pulling events from the endpoint EventLogFile/Search. With this fix, the ArrayIndexOutOfBoundsException error is eliminated. The Salesforce Cloud Connector stops excluding events and pulls all the events from the endpoints now. To eliminate ingestion issues, you must upgrade to Exabeam Cloud Connectors 2.5.396 or a later release.

GCP

(CC-1344)

Fixed an issue which prevented the ingestion errors associated with memory utilization and pulling logs. With this fix, GCP Cloud Connector pulls the logs consistently without a time lag. To eliminate issues pertaining to memory utilization and ingestion, you must upgrade to Exabeam Cloud Connectors 2.5.396 or a later release.

Cloud Connectors 2.5.375 (November 07, 2022)

Cloud Connector

Description

Salesforce

(CC-1214)

Fixed an issue which prevented ingestion of duplicate events and unintended exclusion of events while pulling events from the endpoint EventLogFile. With this fix, the Salesforce Cloud Connector stops ingesting duplicate events and pulls all the events from the endpoint EventLogFile. To eliminate ingestion issues, you must upgrade to Exabeam Cloud Connectors 2.5.375 or a later release.

Cloud Connectors 2.5.373 (September 26, 2022)

Cloud Connector

Description

Okta

(CC-1229)

Removed the deprecated endpoint Events from the user interface. This endpoint was previously replaced with the endpoint Logs. To eliminate the log ingestion errors associated with the endpoint Events, you must upgrade to Exabeam Cloud Connectors 2.5.373 or a later release.

Cloud Connectors 2.5.372 (September 06, 2022)

Cloud Connector

Description

Office 365

(CC-1072)

Removed the deprecated basic authentication method for Endpoints Exchange Admin Reports that is no longer supported by Microsoft Office 365. To migrate from the basic authentication method to OAuth2 or Certificate based on your existing configuration, you must perform the following steps in order:

  1. Add permissions to access the Reporting Web Service for the exchange admin reports. See Add Permissions for the Azure App to Access the Reporting Web Service.

  2. View and assign required roles in Azure Active Directory.

  3. Upgrade to Exabeam Cloud Connectors 2.5.372 or a later release.

Dropbox

(CC-1121)

Added support for the authentication method OAuth2. To use the authentication method OAuth2, you must upgrade to Exabeam Cloud Connectors 2.5.372 or a later release. See Configure the Dropbox Business Cloud Connector.

Cloud Connectors 2.5.368 (August 18, 2022)

Cloud Connector

Description

All Connectors

(CC-960)

You can now use Universal Role-Based Access (URBA) to centralize user identity and access management, streamline SOC workflows, and enhance security for your Cloud Connectors platform. To use URBA, you must upgrade related services to the following versions:

  • Advanced Analytics i61.2 or a later release

  • Data Lake 40.3

All Connectors

(CC-901)

Fixed an issue related to Open APIs which enabled access to Exabeam Security Operations Platform for the users who have specific roles defined on the dashboard. With this fix, the users who do not have administrator permissions can access Exabeam Security Operations Platform using a direct URL.

Cloud Connectors 2.5.364 (August 08, 2022)

Cloud Connector

Description

Cisco Meraki

(CC-1150)

Upgraded the dashboard API version 0 (v0) to version 1 (v1) and migrated all the endpoints to v1 to provide a consistent user experience with reduced support cases. The dashboard API v0 is deprecated; upgrade your Cisco Meraki service to use dashboard API v1 to prevent data loss. There is no visible change.

Cloud Connectors 2.5.359 (August 01, 2022)

Cloud Connector

Description

Office 365

(CC-933)

Replaced the deprecated endpoints exchange-admin-reports-mail-detail-spam and exchange-admin-reports-mail-detail-malware with exchange-admin-reports-mail-detail-atp to ingest data from Office defender data sources. The MailDetailATP report is the data source for the new endpoint exchange-admin-reports-mail-detail-atp. With this enhancement, the resourceNotFound errors associated with the deprecated endpoint are resolved. The Office 365 cloud connector now ingests spam and malware data to Advanced Analytics and Data Lake.

Cloud Connectors 2.5.358 (July 25, 2022)

Cloud Connector

Description

Azure Storage Analytics, AWS CloudWatch, GitHub

(CC-1158)

Enhanced the performance of the data sources Azure Storage Analytics, GitHub repo, and AWS CloudWatch Logs group that used to send events to local Kafka and flood Kafka’s metadata. With this enhancement, the data sources now send events directly to SIEM.

Cloud Connectors 2.5.357 (July 18, 2022)

Cloud Connector

Description

Cisco AMP

(CC-1146)

Added support for the regions apjc and consumer which provided users with an option to select the region apjc or consumer while configuring Cisco AMP on the Exabeam Cloud Connectors platform.

Custom Cloud Connector

(CC-1127)

Fixed an issue that prevented ingestion of Azure Blob Storage using Custom Application connector. With this fix, the Custom Application connector now sends its Azure Storage data directly to SIEM.

Cloud Connectors 2.5.352 (June 13, 2022)

Cloud Connector

Description

Mimecast Email Security

(CC-1098)

Added support for the region Canada (CA) which provided users with an option to select the region CA while configuring Mimecast Email Security on the Exabeam Cloud Connectors platform. With this enhancement, Mimecast Email Security server for the region CA can communicate with the Exabeam Cloud Connectors platform to send and collect data.

Cloud Connectors 2.5.350 (May 23, 2022)

Cloud Connector

Description

Code42

(CC-1055)

Fixed an issue which provided users with an option to select the region US2 while configuring Code42 on the Exabeam Cloud Connectors platform. With this enhancement, Code42 server for the region US2 to which users migrated, can communicate with the Exabeam Cloud Connectors platform to send and collect data.

Snowflake

(CC-1028)

Fixed an issue where the Snowflake Cloud Connector timed out when trying to pull events from a view, due to slow Snowflake query performance. There is no visible change.

Cloud Connectors 2.5.346 (April 18, 2022)

Cloud Connector

Description

Telemetry

Added a new metric cc.endpoint_eps to improve accuracy for volume drop and Kafka lag monitoring. This release does not include any visible changes.

Snowflake

Added troubleshooting information in the internal logs. This release does not include any visible changes.

Cloud Connectors 2.5.343 (April 04, 2022)

Cloud Connector

Description

All Cloud Connectors

(CC-986)

Fixed an issue which prevented alerts for the stopped endpoints. With this fix, DataDog does not monitor the inactive endpoints.

Citrix ShareFile

(CC-1011)

Fixed an issue which extended the maximum time for report completion and made the report configurable. With this fix, the Citrix ShareFile integration errors are eliminated.

Cloud Connectors 2.5.340 (March 28, 2022)

Cloud Connector

Description

Duo Security

(CC-991)

Fixed an issue which prevented ingestion of duplicate events for Duo for each AD sync. However, because of Duo Security’s API limitation, Duo administrator log contains numerous events that cause data loss.

All Connectors

(CC-1003)

The default behavior for all the discovered endpoints is now set to be disabled upon discovery. The Storage Analytics, OMS Workspace (Log Analytics), and Activity Log now do not start automatically when discovered.

All Connectors

(CC-1004)

The default behavior for all the dynamic endpoints is now set to be inactive upon discovery. The endpoints for Cloudflare: CDN Logs, AWS: CloudTrail, CloudWatch Alerts, GuardDuty, RedShift Events, RedShift Audit Logs, Shield, Inspector, Cisco Meraki: Security Events, Rapid7: Sites, and Tenable.io: Scans are now inactive after their discovery.

Cloud Connectors 2.5.339 (March 21, 2022)

Cloud Connector

Description

All Connectors

(CC-993)

The previous default behavior for all the connectors is now set to persist data in Kafka before forwarding the data to the configured forwarding destination.

Carbon Black Cloud

(CC-941)

For the new Carbon Black Cloud Connector, only auditlog endpoint is available. All the other endpoints have been removed.

Carbon Black Cloud

(CC-940)

Carbon Black Defense is now renamed as Carbon Black Cloud.

Cloud Connectors 2.5.330 (March 7, 2022)

Cloud Connector

Description

Exabeam Cloud Connectors platform

Sync Status Visibility

To help you monitor the status of an endpoint, you can now view the number of in-progress sync activities. To view additional details for in-progress jobs, you can select the endpoint and view details such as start time, max timeout, and unique job ID in the summary pane.

CC-968

To mitigate potential vulnerabilities related to log4j 1.2.x versions for the on-premises Exabeam Cloud Connectors platform, the JMSAppender class file is now removed.

CC-965

Fixed an issue where the Azure Cloud Connector did not retrieve events from Azure Storage Blob when the blob file name did not match the expected filename structure. With this fix, the Azure Cloud Connector now supports filenames that have additional characters in the name following the duration and allows plaintext files (previously only JSON).

CC-958

Fixed an issue with thread leakage in GAX (Google API Extensions) which interfered with the operation of the Exabeam Cloud Connectors platform. With this fix, the Google Java libraries have been updated.

Cloud Connectors 2.5.323 (February 15, 2022)

Cloud Connector

Description

CrowdStrike

(CC-915)

CrowdStrike Historical Logs Filtering

Exabeam Cloud Connectors now enable you to apply filtering for historical logs. This can be useful if you are only interested in receiving new logs or want to receive only logs that occur after a specific time threshold.

By default, the CrowdStrike Cloud Connector uses the timestamp associated with the saved cloud connector configuration as the threshold for which it should receive logs. As a result, the connector receives only new events. Alternatively, if you want to receive logs from a specific historical point in time, you can set the Ingest-From threshold when you Configure the CrowdStrike Falcon Connector.

Cloud Connectors 2.5.321 (February 7, 2022)

Cloud Connector

Description

Exabeam Cloud Connectors platform

(CC-914)

Fixed a vulnerability that affected slf4j against CVE-2021-4104 in Exabeam Cloud Connectors.

To take advantage of the fix, it is recommended to upgrade to this or a later version.

Cloud Connectors 2.5.319 (January 31, 2022)

Cloud Connector

Description

All Cloud Connectors

Introduced support for telemetry to proactively collect v2 metrics including the status, lag, and EPS for each cloud connector in your deployment. Notifications related to these metrics are not yet available on the Exabeam status page.

Cloud Connectors 2.5.307 (January 17, 2022)

Cloud Connector

Description

GitHub Cloud Connector

(CC-896)

Fixed an issue where the GitHub Cloud Connector displayed an excessive list of projects and folders.

All Cloud Connectors

(CC-916)

Fixed an issue for LDAP/Active Directory configurations where the client-shiro.ini file used improper quote syntax for Group names containing whitespace.

Cloud Connectors 2.5.302 (December 29, 2021)

Cloud Connector

Description

Custom Cloud Connectors

(CC-881)

For Custom Cloud Connectors, you can now use JSON arrays to process events instead of reading one event per line. You can configure the new File Processing option when you configure the Custom Cloud Connector.

All Cloud Connectors

Fixed an issue where Cloud Connectors excluded ELK from metrics reporting.

Cloud Connectors 2.5.298 (December 20, 2021)

Note

This release is now deprecated. Please upgrade to Cloud Connectors 2.5.302 or a later release.

Cloud Connector

Description

Bitglass

(CC-875)

Fixed throttling handling issues with the Bitglass Cloud Connector such that the cloud connector collects the same data every sync and collects the data for the previous 24 hours or until it reaches a throttling error.

Cloudflare Cloud Connector

(CC-870)

Fixed an issue where the CDN endpoint reported HTTP 400 Bad Request errors due to time reporting violations. Now, task management for this cloud connector can evaluate and synchronize the time to avoid the reported errors.

All Cloud Connectors

(CC-867)

Fixed an issue where the cloud connector cleared authentication data on token expiration.

All Cloud Connectors

Fixed an issue with time range task endpoints where pulling a timespan could result in a timeout of the task.

All Cloud Connectors

Known Issue: Cloud Connectors exclude ELK from metrics reporting.

Note

This issue is resolved in Cloud Connectors release 2.5.302.

Cloud Connectors 2.5.293 (December 6, 2021)

Cloud Connector

Description

Azure Cloud Connector

(CC-582)

Optimized ETCD usage with the Azure Cloud Connector to prevent timeouts in ETCD queries.

Ping Identity Cloud Connector

(CC-855)

Fixed an issue with the Ping Identity Cloud Connector, where the connector did not send raw events.

Cloud Connectors 2.5.283 (November 22, 2021)

Cloud Connector

Description

Salesforce

(CC-761)

Reduced the test connection scope to validate authentication and reachability to LoginHistory such that it completes in regions where Sales Cloud APIs respond slower.

Symantec WSS

(CC-806)

Introduced a new configuration option to allow the Symantec WSS Cloud Connector to filter events. By default, filtering is disabled such that the connector sends all events.

Cloud Connectors 2.5.279 (November 8, 2021)

Issue ID

Description

Egnyte

CC-837

Fixed an issue with the Egnyte Cloud Connector to reduce call frequency such that the connector now passes the Egnyte throttling response and automatically suspends API calls for the requested time period.

Cloud Connectors 2.5.275 (November 1, 2021)

Issue ID

Description

CC-764

Fixed an issue in which AD authentication could not be configured if a group name contained whitespace.

CC-785

Fixed an issue where reset password was erroneously prompted when logging in to the UI via Advanced Analytics authentication.

Cloud Connectors 2.5.268 (October 20 2021)

Issue

Description

CC-813

Fixed an issue that was introduced in 2.5.267 for deployments that use multiple SIEMs where any Cloud Connectors configured on a non-default tenant would stop sending logs and display an error.

Cloud Connectors 2.5.267 (October 18 2021)

Cloud Connector or Issue

Description

Duo Security

Simplified the throttling logic of the Duo Security Cloud Connector to adhere to Duo's throttling limits.

ETCD

Added guards to ensure data consistency between ETCD and PostgreSQL.

CC-813

Addressed in Exabeam Cloud Connectors 2.5.268.

Caution

For deployments that use multiple SIEMs, any Cloud Connectors configured on a non-default tenant stop sending logs and display an error. As a result, it is recommended to upgrade to Exabeam Cloud Connectors 2.5.268 or a later release.

Cloud Connectors 2.5.264 (October 11 2021)

Cloud Connector

Description

SentinelOne

For increased accuracy, the SentinelOne Cloud Connector now uses the time attribute (instead of the createdAt attribute) to track the retrieval of a threat.

In addition, the SentinelOne Cloud Connector now uses API version 2.1 (the latest) which adds more event types and attributes to data collection.

LastPass

The apiuser authentication parameter is now optional with a default value.

Tenable.io

Fixed an issue to allow collection of custom scan folders.

Salesforce

The initialization process is improved to shorten the time the process takes and includes fixes for connection timeouts when testing on remote environments.

Cloud Connectors 2.5.258 (September 22 2021)

Cloud Connector

Description

SentinelOne

The SentinelOne Cloud Connector can now retrieve updates to threat logs. Previously the connector could only retrieve new threat logs.

Cloud Connectors 2.5.257 (September 14 2021)

Cloud Connector

Description

SentinelOne

Added configuration per data source to specify whether to send both update and creation events or only creation events.

Snowflake

Enabled the cloud connector to specify the source of the event per table/view such that downstream parsers can correctly extract information.

Armis

Fixed an issue where event responses from Armis with malformed timestamps caused sync errors.

Cloud Connectors 2.5.254 (September 12 2021)

Cloud Connector

Description

Okta

Fixed an issue with the sync logic to optimize API utilization. With this fix, environments with heavy volume now see a drop of 90% in the number of API calls and maintain no lag in data retrieval.

Cloud Connectors 2.5.253 (August 31 2021)

Cloud Connector

Description

AWS - CloudWatch Logs

Changed the logic for deleting exported report objects from S3 buckets. Now an object is deleted after it has been iterated successfully.

Shared Libraries

Fixed an unclosed iterator in the MultiClosableReadOnlyIterator class.

Cloud Connectors 2.5.252 (August 18 2021)

Cloud Connector

Description

Custom Connector and Crowdstrike FDR

Added support for government cloud backend in AWS.

Armis

Added retry mechanism to overcome frequent API errors.

Tomcat (UI Server service)

Upgraded to Tomcat version 8.5.70 to include all the latest fixes and CVE fixes.

Cloud Connectors 2.5.246 (August 16 2021)

Cloud Connector

Description

AWS - GuardDuty

Fixed an issue so that syncs resume at the correct position after a failure.

Tomcat (UI) container

Fixed an issue so that server details are no longer exposed on port 8445.

Cloud Connectors 2.5.245 (August 12 2021)

Cloud Connector

Description

AWS - All dynamic endpoints

Allow discovery of only a subset of the regions (when permissions are missing for the others).

AWS - GuardDuty

Use alerts' updated time as the event's timestamp.

Armis

Handle undocumented timestamp formats (seen in the wild).

Cloud Connectors 2.5.243 (August 9 2021)

Cloud Connector

Description

Office365 - Graph Directory Audit logs / Graph Sign-In logs

Allow the user to use the beta graph API rather than the default v1.0.

AWS - CloudWatch Logs

Allow discovery of only a subset of the regions (when permissions are missing for the others).

Cloud Connectors 2.5.236 (July 21 2021)

Cloud Connector

Description

Tenable.io

Fixed connector response to failure due to 429 (Too Many Requests).

Cloud Connectors 2.5.235 (July 19 2021)

Cloud Connector

Description

Cisco Umbrella

Updated to prevent skipping files written in the same 10min time window.

Cloud Connectors 2.5.234 (July 15 2021)

Cloud Connector

Description

Netskope

Added two optional filter fields to enable users to filter alerts such that only matching alerts will be ingested. The filter uses Netskope query language and a type. See the Netskope Cloud Connector documentation for additional information.

All connectors with dynamic endpoints

Changed to report directly to SIEM without buffering in local storage. Fixed an issue where connectors with many dynamic endpoints overwhelmed the buffer.

Cloud Connectors 2.5.231 (July 4 2021)

Cloud Connector

Description

All connectors

ETCD: Increased the maximum configuration size that can be fetched from the ETCD service to 5MB to support large configuration sizes (usually attributed to a large number of endpoints).

Cloud Connectors 2.5.230 (July 4 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Log Data Enrichment: SentinelOne Deep Visibility endpoint is now enhanced to include the event metadata and the event itself, and to provide three new fields: Destination Hostname, OS and User Agent. To take advantage of the additional fields in Advanced Analytics and Data Lake, install the following Content Packs:

  • https://community.exabeam.com/s/article/SentinelOne-Cloud-Connector-Parser-Data-Lake-Update

  • https://community.exabeam.com/s/article/SentinelOne-Cloud-Connector-Parser-Advanced-Analytics-Update

Kafka

Fixed a potential resource leakage issue and other bugs.

Cloud Connectors 2.5.228 (June 13 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Reverted the raw data format back to the 'encoded' protobuf (reverts a parsing change introduced in 2.5.216).

Armis

Fixed a potential resource leakage issue.

Cloud Connectors 2.5.225 (June 9 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Fixed an issue with the Kafka record value type where the Kafka record type was cast to Event rather than Packet.

Tomcat

Upgraded Tomcat (frontend service microservice) version from 8.5.51 to 8.5.66 to resolve some CVEs.

Cloud Connectors 2.5.222 (June 3 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Fixed an UnsupportedOperationException regression introduced in 2.5.216.

SentinelOne Deep Visibility

Improved performance to send SYSLOG over multiple concurrent TCP connections in a single sync. This change was made to increase EPS when the SYSLOG receiver could not process high EPS in a single connection.

Cloud Connectors 2.5.219 (May 31 2021)

Cloud Connector

Description

Salesforce

Fixed custom settings serialization and deserialization.

Custom connector - Kafka Datasource

Fixed NullPointerException in the test connection of Custom connector - Kafka datasource.

Cloud Connectors 2.5.216 (May 27 2021)

Cloud Connector

Description

Proofpoint

Log API - Fixed failed status when a sync 'uses' its entire allowed sync time. Fixed the CancellationException error message in the endpoint status.

Custom Connector - Kafka Datasource and SentinelOne - Deep Visibility

Performance optimization. Switched from sync to async; use a single concurrent connector with multiple Kafka consumers rather than multiple concurrent connectors. In SentinelOne, send raw data as decoded JSON (with human-readable property names) instead of sending the encoded protobuf JSON.

In addition, note the following bugs in Custom Connector - Kafka Datasource:

  • Test connection fails with NullPointerException

  • After you create the account in the UI, before starting the account, go to advanced setting and change max-active-connectors from 16 to 1

AWS Connector - CloudTrail

Fixed a parsing issue where the session issuer was put under sessionContext instead of sessionIssuer.

Task Management

Fixed updating task definition following a sync strategy change. In 2.5.201 a sync strategy change of Office365 - exchange-admin-reports-mail-detail-* endpoints was applied. Without this fix, sync strategy change can't be applied to already existing definitions.

Cloud Connectors 2.5.209 (May 5 2021)

Cloud Connector

Description

AWS

Fixed missing attributes in the raw event of CloudTrail. A regression introduced in v2.5.93 caused some attributes of the raw CloudTrail event to be absent from the output event's cs6 CEF field.

Armis

New Armis Cloud Connector.

Cloud Connectors 2.5.206 (May 3 2021)

Cloud Connector

Description

Custom connector - Kafka Datasource

Fixed "missing username" error. Fixed the Kafka datasource as part of the custom connector.

Cybereason

Fixed the request body. Requests to GET MALOPS (https://nest.cybereason.com/documentation/api-documentation/all-versions/get-malops) now set templateContext to OVERVIEW instead of FULL (which returned a server error).

UI Client

Improved performance by making the UI client more robust when the list of connectors or endpoints is long (over 200).

Cloud Connectors 2.5.201 (April 27 2021)

Cloud Connector

Description

Office365

Exchange-admin-reports-mail-detail-* - changed sync strategy from time range to cursor. To pull events as soon as they are available, and given that the event availability delay on the Office365 side can be up to 24 hrs, the sync strategy of the following endpoints has changed from a time range to a cursor: exchange-admin-reports-mail-detail-dlp-policy, exchange-admin-reports-mail-detail-malware, exchange-admin-reports-mail-detail-spam.

GCP Pub/Sub

Fixed an issue where send was not acked in test connection and in case of failure. With this fix, a listener was added for failures and logging, and max-active-connectors was changed from 16 to 1.

Cloud Connectors 2.5.192 (April 24 2021)

Component

Description

Server

Fixed general code for async events pull. With this fix, changed is-alive check during async events pull to block and prevent thread leakage.

GCP Pub/Sub

Fixed an issue where send was not acked in test connection and in case of failure. Added a listener for failures and logging.

Prometheus

Public port closed so that the metrics service app is not exposed externally. Previously open on port 9090.

HSTS

Enabled HSTS by default on the client. Applies to new installations only; upgraded installations need to enable it manually.

Cloud Connectors 2.5.187 (April 13 2021)

Cloud Connector

Description

Azure - EventHub

Isolated EventHub discovery for each discovered subscription. A failure in EventHubs discovery for one subscription no longer causes EventHubs discovery to fail in other subscriptions.

Cloud Connectors 2.5.186 (April 13 2021)

Cloud Connector

Description

Azure - EventHub

Extended session timeout to 60 sec to avoid rebalance errors.

AWS - CloudTrail

Applied an API rate limit of 1 call per second.

Azure - OMS Workspace

Reduced the default max sync period from 10 to 1 min.

Tenable

Fixed NullPointerException in persona and groups sync.

General

Optimized the number of Kafka topics. Avoids creating Kafka topics for internal endpoints which bring no data.

Cloud Connectors 2.5.160 (Mar 19 2021)

Item

Description

Internal regression

A regression introduced in 2.5.157 froze accounts and prevented regular syncs; this is now resolved.

Resource allocation service

Introduced a system-internal microservice that learns the resource requirements of each connector and automatically balances the system resources between the connectors.

Office 365 - MCAS

Prevented data duplication in data retrieval.

Cloud Connectors 2.5.152 (Mar 9 2021)

Item

Description

GCP

Changed the default state of auto-discovered Stackdriver endpoints from active to non-active. With this change, a discovered Stackdriver endpoint is added from now on as a non-active endpoint.

GCP Pub/Sub

Enabled you to sync Pub/Sub messages given a project ID, a subscription ID, and a service account JSON key with the proper permissions.

Resource Allocation Micro Service

The objective of the service is to adjust how threads are allocated amongst the connectors running on the cloud connectors instance.

Cloud Connectors 2.5.139 (Feb 24 2021)

Cloud Connector

Description

Cloudflare

Removed deprecated Firewall Events endpoints that are no longer supported by Cloudflare.

GCP

Fixed status for Stackdriver - Sinks Explorer with partial success in discovering project sinks.

AWS CloudWatch Logs

The CloudWatch Logs endpoint has been split into 3 different endpoints. All 3 endpoints must be active in order to pull data. Please refer to the CWL setup guide for further explanation.

Cloud Connectors 2.5.134 (Feb 16 2021)

Cloud Connector

Description

Symantec SEP Mobile

Fixed an API POST. Fixed the API call to /organizations/<org-id>/security_events/store_security_events that in some organizations resulted in a 411 error.

Custom connector - Kafka Datasource

Code42 - Fix - added support for regions other than the US default. Allows the user to select one of the following regions: US (console.us), US_CRASHPLAN (crashplan), US_GOVT (console.gov), IRELAND (console.ie).

Egnyte

Added an optional client-secret such that when a client secret is provided with the API key it is required for authentication.

Cloud Connectors 2.5.130 (Feb 13 2021)

Cloud Connector

Description

ETCD Settings

Fixed persistence of CefTransformationSettings. If you customized the content of your CEF events, please upgrade to this or a later version.

Egnyte

Fixed an issue when creating an application key so that you now also get a client-secret. If such a client secret was generated, it is a mandatory parameter for the token request.

Cloud Connectors 2.5.128 (Feb 09 2021)

Cloud Connector

Description

Proofpoint

Fixed API throttling in SIEM endpoint.

CrowdStrike

Fixed streaming endpoints to prevent thread leakage and properly close the CrowdStrike client. In extreme scenarios when the connector was frequently restarted, thread pools were left open.

AWS

Fixed CloudWatch endpoints to close export tasks on error. If an exception was thrown during an export task, the task must be closed to prevent the next export task from exceeding the limit of a single concurrent export task allowed.

Cloud Connectors 2.5.126 (Feb 03 2021)

Cloud Connector

Description

Custom Application Connector

Fixed regression in Azure backend such that when Custom connector was used to pull data from Azure Storage it produced an error; regression was introduced between 2.5.66 - 2.5.120.

Client

Mitigated XSS. Some fields in the account settings used to render HTML content without proper escaping.

Snowflake

Internal enhancements to make the integration more robust. Also prevents data duplication. Users of the Snowflake integration are advised to upgrade.

Cloud Connectors 2.5.120 (Jan 12 2021)

Cloud Connector

Description

Palo Alto Networks SaaS Security (formerly Aperture)

Extended support from the United States region to also include EMEA and APAC.

Proofpoint

Added the Proofpoint on Demand (PoD) LogAPI data source, which provides detailed logs of exchange activity. In Preview - parsers/content for this data source are not yet available.

Cloud Connectors 2.5.118 (Jan 6 2021)

Cloud Connector

Description

SIEM Consumer

Updated to use a single group ID for health information queries triggered by Prometheus to avoid failure to fetch metadata by the consumer. For more information, see Recover SIEM Consumer - Kafka Client.

Cloud Connectors 2.5.116 (Dec 28 2020)

Cloud Connector

Description

AWS

Endpoints of type "CloudWatch Events (via SQS)" now run periodically, and poll until the SQS queue is empty or the 10 min. timeout is reached.

GCP

Search for sinks to pull from in all reachable GCP projects (vs. only in the project where the service account is configured). Requires CloudResource Manager to be enabled; enable per project via: https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=PROJECT_ID_HERE

Palo Alto Networks SaaS Security (formerly Aperture)

Test connection now reflects underlying errors (if any). Workday - when an HTTP proxy is used, the correct port is used (i.e. no fallback to 443).

Cloud Connectors 2.5.115 (Dec 14 2020)

Cloud Connector

Description

All connectors using AWS backend

Fixed a dependency collision with the AWS SDK.

Audit logs

The CC audit log (auditlog.log) is now available in the logs directory.

AWS redshift

Fixed an issue with thread leaks.

Cloud Connectors 2.5.112 (Dec 8 2020)

Component

Description

ETCD client

Fixed bugs in the ETCD client. If you are on version 2.5.106 or 2.5.110, please upgrade to this release or later (2.5.112).

LDAP integration settings

Removed redundant attributes from UI.

Cloud Connectors 2.5.110 (Dec 6 2020)

Component

Description

ETCD

Introduced the new ETCD client.

Infra

Invalidated caches on credentials change so that credential changes take immediate effect.

Cloud Connectors 2.5.107 (Dec 2 2020)

Cloud Connector

Description

ETCD

Fixed a bug in the ETCD client's retry mechanism.

AWS MT

Fixed an issue to properly ignore and delete S3 test message from SQS.

Cloud Connectors 2.5.106 (Nov 29 2020)

Cloud Connector

Description

Office365 + Azure

Fixed a regression in certificate authentication.

Github

Removed basic authentication.

ETCD

Added timeout and retry mechanism for ETCD server requests.

Kafka

Upgraded to 2.6.0.

Zookeeper

Upgraded to 3.5.8.

Cloud Connectors 2.5.98 (Nov 18 2020)

Cloud Connector

Description

GCP

Used new SDK; resolves issue of DEADLINE_EXCEEDED. Critical for GCP users.

Prometheus

(On-prem only) New Prometheus metrics that monitor CPU and disk usage.

Cloud Connectors 2.5.93 (Nov 16 2020)

Cloud Connector

Description

Snowflake augmentation and cloud connector

Introduced the Snowflake augmentation and cloud connector.

Tomcat security enhancements

SSL - support version 1.2 or later. Do not show Tomcat information on failure.

LDAP/AD integration for Cloud Connector authentication

  • Configure LDAP authentication

  • Configure Active Directory Authentication

  • See advanced > LDAP/AD tab

VMware Carbon Black Threat Hunter

New source. Adds Carbon Black data feeds to Exabeam.

Cloud Connectors 2.5.92 (Nov 12 2020)

Cloud Connector

Description

Cloudflare

Added a new endpoint "Firewall Activity Log" which replaces the deprecated "Firewall Events" endpoint. See https://support.skyformation.com/hc/en-us/articles/360017477139 for details.

Cloud Connectors 2.5.86 (Oct 26 2020)

Cloud Connector

Description

Azure

Eventhub - fixed event duplication, memory and resource leaks; requires a minimum Eventhub level of "Standard", as we use the capability of accessing EH as Kafka consumers.

Cloud Connector UI

Removed the Console/Audit panel from the CC UI.

Cloud Connectors 2.5.77 (Oct 15 2020)

Cloud Connector

Description

Office365

Endpoints:

  • exchange-admin-reports-mail-detail-spam

  • exchange-admin-reports-mail-detail-malware

  • exchange-admin-reports-mail-detail-dlp-policy

Initial sync time changed from 1 day to 2 days to avoid possible deadlock.

Mimecast

Better handling of invalid domain names.

Cloud Connectors 2.5.72 (Oct 4 2020)

Cloud Connector

Description

Okta

Updated to always send the "Exabeam" user agent in API calls.

Gsuite

Fixed test connection AWS MT connector.

AWS MT

Made performance improvements.

Cloud Connectors 2.5.66 (Sep 23 2020)

Cloud Connector

Description

Code42

Fetch events by insertion time in order not to miss any event per Code42 team recommendation.

Symantec WSS

Increased polling interval to make the time delta smaller. Also fixed edge case of disk space leak.

Azure - EventHub

Fixed resources leak occurring when multiple EHs are run in heavy load.

Cloud Connectors 2.5.60 (Sep 16 2020)

Cloud Connector

Description

Crowdstrike FDR

Properly handle unparsable events coming from CrowdStrike.

Custom connector (Azure backend)

Fixed task deletion logic which prevented new events from being synced.

AWS

Decreased the number of threads and cache threads for large numbers of accounts.

Cloud Connectors 2.5.55 (Sep 8 2020)

Cloud Connector

Description

GCP

Adapted to the new SDK which fixed Google's API break.

Processed the event body to be readable JSON.

Infrastructure

Fixed starvation in task management which caused delays in synchronization of some endpoints.

Cloud Connectors 2.5.50 (Sep 3 2020)

Cloud Connector

Description

Code42

Fixed 400 Bad Request error - connector stops working after several hours.

AWS

Fixed resource leak.

Tomcat security enhancements

General: added a safety mechanism to remove stale resources.

Cloud Connectors 2.5.49 (August 27 2020)

Cloud Connector

Description

Custom connector - Azure backend, Cisco Umbrella, CrowdStrike

Fixed a test connection failure with the error SFRuntimeException: Failed to get task owner for account [dummy-account-id], data management not found.

Office365

Fixed false positive "failed logins" in Sign in logs.

Cloud Connectors 2.5.48 (August 26 2020)

Cloud Connector

Description

Mimecast

Fixed user enrichment. Before this fix, even if one domain was returned incorrectly from Mimecast, all user syncs stopped and reported failures. With this fix, the wrong domain is ignored and the rest continue.

Infrastructure

Health reports are now sent via the NATS messaging service and not Kafka (no impact).

Cloud Connectors 2.5.47 (August 10 2020)

Cloud Connector

Description

Slack

Fixed duplicated events.

Cloud Connectors 2.5.46 (August 9 2020)

Cloud Connector

Description

Duo

Added API throttling support.

Code42

Introduced the Code42 Cloud Connector. Refer to the Code42 Incydr Connector documentation and the Code42_ContentDoc for the parser information on GitHub.

Cloud Connectors 2.5.42 (August 5 2020)

Cloud Connector

Description

AWS

Fixed a resource leak in the error flow of CloudWatch alarms. Highly recommended to upgrade to this or a later release if you have multiple AWS accounts.

Gsuite connector (Google Apps) and Gmail Logs

Optimized query processing costs, query only relevant daily tables.

Cloud Connectors 2.5.34 (July 29 2020)

Cloud Connector

Description

CloudFlare

Fixed the issue where cs6 (raw event) was not sent to AA/DL so parsers did not work correctly.

Cloud Connectors 2.5.33 (July 22 2020)

Cloud Connector

Description

Symantec WSS

Performance improvement and other fixes to remove duplicate events.

CloudFlare

Fixed an issue with multiple zones where a failure in one endpoint mistakenly affected other endpoints.

Migration improvements

Introduced a UI button to export/import the account configuration and an automated script to perform the entire procedure automatically.

Cloud Connectors 2.5.30 (July 6 2020)

Cloud Connector

Description

N/A

Critical: Fixed resource leak in task management cache which may cause event duplication and in rare cases also endpoint starvation. The issue was introduced in 2.5.27. If you are on this version, please update.

Cylance

Fixed "400 - bad request" error.

Cloud Connectors 2.5.27 (June 30 2020)

Category

Description

Performance Improvements

  • Introduced Task Management Caching

  • For Multi-Tenant deployments, introduced db per tenant.

Bug Fixes

  • Critical - Fixed a resource leak in health reporting which consumes CPU resources up to 100%. The issue was introduced in 2.4.264. If you are on this release or higher, please update.

  • Office365 connector - the audit API returned an unexpected new value that caused processing to stop, and events were not received.

  • GCP connector - the client used for detecting sinks for dynamic endpoints was prematurely closed, causing an error, and no events were received.

  • Slack connector - introduced API throttling to adhere to rate limitation by Slack.

  • Gsuite connector - fixed GMailLogs null pointer exception.

  • Symantec WSS - changed decompression technology to adjust to new compression by WSS.

  • SentinelOne deep visibility endpoint - tuned consumer parameters and fixed commit error.

Cloud Connectors 2.5.0 (June 9 2020)

Cloud Connector

Description

Infrastructure change

Moved configuration data from zookeeper to etcd.

Zoom

Added support for oauth type authentication.

Office365

Management-exchange endpoint. Fixed regression where message type (mapped to CEF fileType field) was detected by parent folder full match, instead of prefix connector.

G Suite

Fixed null pointer exception in GMailLogs endpoint connector.

Cylance

Fixed handling of empty responses from Cylance and added debug information to further debug the issue.