Cloud Connectors Release Notes

What's New

Tip

To take advantage of the latest updates and fixes, it is recommended to upgrade Exabeam Cloud Connectors to the latest release.

Cloud Connectors 2.5 Releases

Cloud Connectors 2.5.268 (October 20 2021)

Issue

Description

CC-813

Fixed an issue that was introduced in 2.5.267 for deployments that use multiple SIEMs where any Cloud Connectors configured on a non-default tenant would stop sending logs and display an error.

Cloud Connectors 2.5.267 (October 18 2021)

Cloud Connector or Issue

Description

Duo Security

Simplified the throttling logic of the Duo Security Cloud Connector to adhere to Duo's throttling limits.

ETCD

Added guards to ensure data consistency between ETCD and PostgreSQL.

CC-813

Addressed in Exabeam Cloud Connectors 2.5.268.

Caution

For deployments that use multiple SIEMs, any Cloud Connectors configured on a non-default tenant stop sending logs and display an error. As a result, it is recommended to upgrade to Exabeam Cloud Connectors 2.5.268.

Cloud Connectors 2.5.264 (October 11 2021)

Cloud Connector

Description

SentinelOne

For increased accuracy, the SentinelOne Cloud Connector now uses the time attribute (instead of the createdAt attribute) to track the retrieval of a threat.

In addition, the SentinelOne Cloud Connector now uses API version 2.1 (the latest) which adds more event types and attributes to data collection.

LastPass

The apiuser authentication parameter is now optional with a default value.

Tenable.io

Fixed an issue to allow collection of custom scan folders.

Salesforce

The initialization process is improved to shorten the time the process takes and includes fixes for connection timeouts when testing on remote environments.

Cloud Connectors 2.5.258 (September 22 2021)

Cloud Connector

Description

SentinelOne

The SentinelOne Cloud Connector can now retrieve updates to threat logs. Previously the connector could only retrieve new threat logs.

Cloud Connectors 2.5.257 (September 14 2021)

Cloud Connector

Description

SentinelOne

Added configuration per data source to specify whether to send both update and creation events or only creation events.

Snowflake

Enabled the cloud connector to specify the source of the event per table/view such that downstream parsers can correctly extract information.

Armis

Fixed an issue where Armis event responses with a malformed timestamp caused sync errors.

Cloud Connectors 2.5.254 (September 12 2021)

Cloud Connector

Description

Okta

Fixed an issue with the sync logic to optimize API utilization. With this fix, environments with heavy volume now see a drop of 90% in the number of API calls and maintain no lag in data retrieval.

Cloud Connectors 2.5.253 (August 31 2021)

Cloud Connector

Description

AWS - CloudWatch Logs

Changed the logic for deleting exported report objects from S3 buckets. An object is now deleted only after it has been iterated successfully.

Shared Libraries

Fixed an unclosed iterator in the MultiClosableReadOnlyIterator class.

Cloud Connectors 2.5.252 (August 18 2021)

Cloud Connector

Description

Custom Connector and Crowdstrike FDR

Added support for government cloud backend in AWS.

Armis

Added retry mechanism to overcome frequent API errors.

Tomcat (UI Server service)

Upgraded to Tomcat version 8.5.70 to include the latest bug fixes and CVE fixes.

Cloud Connectors 2.5.246 (August 16 2021)

Cloud Connector

Description

AWS - GuardDuty

Fixed an issue so that, after a sync failure, the connector resumes at the correct position.

Tomcat (UI) container

Fixed an issue so that server details are no longer exposed on port 8445.

Cloud Connectors 2.5.245 (August 12 2021)

Cloud Connector

Description

AWS - All dynamic endpoints

Allow discovery of a subset of regions when the credentials lack permissions for the others.

AWS - GuardDuty

Use alerts' updated time as the event's timestamp.

Armis

Handle undocumented timestamp formats (seen in the wild).

Cloud Connectors 2.5.243 (August 9 2021)

Cloud Connector

Description

Office365 - Graph Directory Audit logs / Graph Sign-In logs

Allow the user to use the beta Graph API rather than the default v1.0.

AWS - CloudWatch Logs

Allow discovery of a subset of regions when the credentials lack permissions for the others.

Cloud Connectors 2.5.236 (July 21 2021)

Cloud Connector

Description

Tenable.io

Fixed the connector's handling of HTTP 429 (Too Many Requests) failures.

Cloud Connectors 2.5.235 (July 19 2021)

Cloud Connector

Description

Cisco Umbrella

Updated to prevent skipping files written in the same 10-minute time window.

Cloud Connectors 2.5.234 (July 15 2021)

Cloud Connector

Description

Netskope

Added two optional filter fields to enable users to filter alerts such that only matching alerts will be ingested. The filter uses Netskope query language and a type. See the Netskope documentation for additional information.

All connectors with dynamic endpoints

Changed to report directly to the SIEM without buffering in local storage. Fixed an issue where connectors with many dynamic endpoints overwhelmed the buffer.

Cloud Connectors 2.5.231 (July 4 2021)

Cloud Connector

Description

All connectors

ETCD: increased the maximum configuration size that can be fetched from the ETCD service to 5 MB, to support large configurations (usually caused by a large number of endpoints).

Cloud Connectors 2.5.230 (July 4 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Log Data Enrichment: SentinelOne Deep Visibility endpoint is now enhanced to include the event metadata and the event itself, and to provide three new fields: Destination Hostname, OS and User Agent. To take advantage of the additional fields in Advanced Analytics and Data Lake, install the following Content Packs:

  • https://community.exabeam.com/s/article/SentinelOne-Cloud-Connector-Parser-Data-Lake-Update

  • https://community.exabeam.com/s/article/SentinelOne-Cloud-Connector-Parser-Advanced-Analytics-Update

Kafka

Fixed a potential resource leakage issue and other bugs.

Cloud Connectors 2.5.228 (June 13 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Reverted the raw data format back to the 'encoded' protobuf (reverts a parsing change introduced in 2.5.216).

Armis

Fixed a potential resource leakage issue.

Cloud Connectors 2.5.225 (June 9 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Fixed an issue with the Kafka record value type, where the Kafka record type was cast to Event rather than Packet.

Tomcat

Upgraded Tomcat (frontend service microservice) version from 8.5.51 to 8.5.66 to resolve some CVEs.

Cloud Connectors 2.5.222 (June 3 2021)

Cloud Connector

Description

SentinelOne Deep Visibility

Fixed an UnsupportedOperationException regression introduced in 2.5.216.

SentinelOne Deep Visibility

Improved performance by sending syslog over multiple concurrent TCP connections in a single sync. This change was made to increase EPS when the syslog receiver could not process high EPS over a single connection.

Cloud Connectors 2.5.219 (May 31 2021)

Cloud Connector

Description

Salesforce

Fixed custom settings serialization and deserialization.

Custom connector - Kafka Datasource

Fixed NullPointerException in the test connection of Custom connector - Kafka datasource.

Cloud Connectors 2.5.216 (May 27 2021)

Cloud Connector

Description

Proofpoint

Log API: fixed the failed status reported when a sync uses its entire allowed sync time, and fixed the CancellationException error message in the endpoint status.

Custom Connector - Kafka Datasource and SentinelOne - Deep Visibility

Performance optimization: switched from sync to async, and now use a single concurrent connector with multiple Kafka consumers rather than multiple concurrent connectors. In SentinelOne, raw data is sent as decoded JSON (with human-readable property names) instead of the encoded protobuf JSON.

In addition, note the following bugs in Custom Connector - Kafka Datasource:

  • Test connection fails with NullPointerException

  • After you create the account in the UI, and before starting the account, go to Advanced Settings and change max-active-connectors from 16 to 1

AWS Connector - CloudTrail

Fixed a parsing issue where the session issuer was put under sessionContext instead of sessionIssuer.

Task Management

Fixed updating the task definition following a sync strategy change. In 2.5.201 the sync strategy of the Office365 exchange-admin-reports-mail-detail-* endpoints was changed. Without this fix, a sync strategy change cannot be applied to already existing definitions.

Cloud Connectors 2.5.209 (May 5 2021)

Cloud Connector

Description

AWS

Fixed missing attributes in the raw CloudTrail event: a regression introduced in 2.5.93 caused some attributes of the raw CloudTrail event to be absent from the cs6 CEF field of the output event.

Armis

New Armis Cloud Connector.

Cloud Connectors 2.5.206 (May 3 2021)

Cloud Connector

Description

Custom connector - Kafka Datasource

Fixed the "missing username" error in the Kafka datasource of the custom connector.

Cybereason

Fixed the request body of GET MALOPS requests (https://nest.cybereason.com/documentation/api-documentation/all-versions/get-malops): templateContext is now set to OVERVIEW instead of FULL, which returned a server error.

UI Client

Improved performance by making the UI client more robust when the list of connectors or endpoints is long (over 200).

Cloud Connectors 2.5.201 (April 27 2021)

Cloud Connector

Description

Office365

exchange-admin-reports-mail-detail-*: changed the sync strategy from time range to cursor. To pull events as soon as they are available, given that the event availability delay on the Office365 side can be up to 24 hours, the sync strategy of the following endpoints has changed from a time range to a cursor: exchange-admin-reports-mail-detail-dlp-policy, exchange-admin-reports-mail-detail-malware, exchange-admin-reports-mail-detail-spam.

GCP Pub/Sub

Fixed an issue where a send was not acked in test connection and in case of failure. With this fix, a failure listener with logging was added, and max-active-connectors was changed from 16 to 1.

Cloud Connectors 2.5.192 (April 24 2021)

Component

Description

Server

Fixed the general code for async event pulls. With this fix, the is-alive check during an async event pull now blocks, preventing thread leakage.

GCP Pub/Sub

Fixed an issue where a send was not acked in test connection and in case of failure. Added a failure listener and logging.

Prometheus

Closed the public port so that the metrics service is not exposed externally. It was previously open on port 9090.

HSTS

Enabled HSTS by default on the client. Applies to new installations only; upgraded deployments need to enable it manually.

Cloud Connectors 2.5.187 (April 13 2021)

Cloud Connector

Description

Azure - EventHub

Isolated EventHub discovery per discovered subscription, so that a discovery failure in one subscription no longer fails EventHub discovery in the other subscriptions.

Cloud Connectors 2.5.186 (April 13 2021)

Cloud Connector

Description

Azure - EventHub

Extended the session timeout to 60 seconds to avoid rebalance errors.

AWS - CloudTrail

Applied an API rate limit of 1 call per second.

Azure - OMS Workspace

Reduced the default max sync period from 10 minutes to 1 minute.

Tenable

Fixed NullPointerException in persona and groups sync.

General

Optimized the number of Kafka topics: Kafka topics are no longer created for internal endpoints that bring no data.

Cloud Connectors 2.5.160 (Mar 19 2021)

Item

Description

Internal regression

Resolved a regression introduced in 2.5.157 that froze accounts and prevented regular syncs.

Resource allocation service

Introduced a system-internal microservice that learns the resource requirements of each connector and automatically balances the system resources between the connectors.

Office 365 - MCAS

Prevented data duplication in data retrieval.

Cloud Connectors 2.5.152 (Mar 9 2021)

Item

Description

GCP

Changed the default state of auto-discovered Stackdriver endpoints from active to inactive. From now on, discovered Stackdriver endpoints are added as inactive endpoints.

GCP Pub/Sub

Enabled you to sync Pub/Sub messages given a project ID, a subscription ID, and a service account JSON key with the proper permissions.

Resource Allocation Micro Service

The service adjusts how threads are allocated among the connectors running on the CC instance. Refer to Resource Allocation Preview for further explanation.

Cloud Connectors 2.5.139 (Feb 24 2021)

Cloud Connector

Description

Cloudflare

Removed deprecated Firewall Events endpoints that are no longer supported by Cloudflare.

GCP

Fixed status for Stackdriver - Sinks Explorer with partial success in discovering project sinks.

AWS CloudWatch Logs

The CloudWatch Logs endpoint has been split into 3 different endpoints. All 3 endpoints must be active in order to pull data. Please refer to the CWL setup guide for further explanation.

Cloud Connectors 2.5.134 (Feb 16 2021)

Cloud Connector

Description

Symantec SEP Mobile

Fixed the API POST call to /organizations/<org-id>/security_events/store_security_events, which in some organizations resulted in a 411 error.

Custom connector - Kafka Datasource

Code42: added support for regions other than the US default. The user can now select one of the following regions: US (console.us), US_CRASHPLAN (crashplan), US_GOVT (console.gov), IRELAND (console.ie).

Egnyte

Added an optional client secret; when a client secret is provided together with the API key, it is required for authentication.

Cloud Connectors 2.5.130 (Feb 13 2021)

Cloud Connector

Description

ETCD Settings

Fixed persistence of CefTransformationSettings. If you customized the content of your CEF events, please upgrade to this or a later version.

Egnyte

Fixed an issue when creating an application key so that you now also receive a client secret. If such a client secret was generated, it is a mandatory parameter for the token request.

Cloud Connectors 2.5.128 (Feb 09 2021)

Cloud Connector

Description

Proofpoint

Fixed API throttling in SIEM endpoint.

CrowdStrike

Fixed streaming endpoints to prevent thread leakage and properly close the CrowdStrike client. In extreme scenarios, when the connector was frequently restarted, thread pools were left open.

AWS

Fixed CloudWatch endpoints to close export tasks on error. If an exception was thrown during an export task, the task must be closed to prevent the next export task from exceeding the limit of a single concurrent export task allowed.

Cloud Connectors 2.5.126 (Feb 03 2021)

Cloud Connector

Description

Custom Application Connector

Fixed a regression in the Azure backend where using the Custom connector to pull data from Azure Storage produced an error; the regression was introduced between 2.5.66 and 2.5.120.

Client

Mitigated XSS: some fields in the account settings used to render HTML content without proper escaping.

Snowflake

Internal enhancements to make the integration more robust. Also prevents data duplication. Users of the Snowflake integration are advised to upgrade.

Cloud Connectors 2.5.120 (Jan 12 2021)

Cloud Connector

Description

Palo Alto Networks SaaS Security (formerly Aperture)

Extended support from the United States region to also include EMEA and APAC.

Proofpoint

Added the Proofpoint on Demand (PoD) LogAPI data source, which provides detailed logs of exchange activity. In preview: parsers/content for this data source are not yet available.

Cloud Connectors 2.5.118 (Jan 6 2021)

Cloud Connector

Description

SIEM Consumer

Updated to use a single group ID for health information queries triggered by Prometheus to avoid failure to fetch metadata by the consumer. For more information, see Recover SIEM Consumer - Kafka Client.

Cloud Connectors 2.5.116 (Dec 28 2020)

Cloud Connector

Description

AWS

Endpoints of type "CloudWatch Events (via SQS)" now run periodically, and poll until the SQS queue is empty or a 10-minute timeout is reached.

GCP

Sinks to pull from are now searched for in all reachable GCP projects (rather than only in the project where the service account is configured). Requires the Cloud Resource Manager API to be enabled; enable it per project via: https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=PROJECT_ID_HERE

Palo Alto Networks SaaS Security (formerly Aperture)

Test connection now reflects any underlying errors (if any).

Workday

When an HTTP proxy is used, the correct port is now used (instead of falling back to 443).

Cloud Connectors 2.5.115 (Dec 14 2020)

Cloud Connector

Description

All connectors using AWS backend

Fixed a dependency collision with the AWS SDK.

Audit logs

The CC audit log (auditlog.log) is now available in the logs directory.

AWS Redshift

Fixed an issue with thread leaks.

Cloud Connectors 2.5.112 (Dec 8 2020)

Component

Description

ETCD client

Fixed bugs in the ETCD client. If you are on version 2.5.106 or 2.5.110, please upgrade to this release (2.5.112) or later.

LDAP integration settings

Removed redundant attributes from UI.

Cloud Connectors 2.5.110 (Dec 6 2020)

Component

Description

ETCD

Introduced the new ETCD client.

Infra

Invalidated caches on credential change so that credential changes take immediate effect.

Cloud Connectors 2.5.107 (Dec 2 2020)

Cloud Connector

Description

ETCD

Fixed bug in ETCD's client retry mechanism.

AWS MT

Fixed an issue to properly ignore and delete S3 test message from SQS.

Cloud Connectors 2.5.106 (Nov 29 2020)

Cloud Connector

Description

Office365 + Azure

Fixed a regression in certificate authentication.

GitHub

Removed basic authentication.

ETCD

Added timeout and retry mechanism for ETCD server requests.

Kafka

Upgraded to 2.6.0.

Zookeeper

Upgraded to 3.5.8.

Cloud Connectors 2.5.98 (Nov 18 2020)

Cloud Connector

Description

GCP

Uses the new SDK, which resolves the DEADLINE_EXCEEDED issue. Critical for GCP users.

Prometheus

(On-prem only) New Prometheus metrics that monitor CPU and disk usage.

Cloud Connectors 2.5.93 (Nov 16 2020)

Cloud Connector

Description

Snowflake augmentation and cloud connector

Introduced the Snowflake augmentation and cloud connector.

Tomcat security enhancements

TLS: only version 1.2 or later is supported. Tomcat information is no longer shown on failure.

LDAP/AD integration for Cloud Connector authentication

  • Configure LDAP authentication

  • Configure Active Directory Authentication

  • See the Advanced > LDAP/AD tab

VMware Carbon Black ThreatHunter

New source, adding Carbon Black data feeds to Exabeam.

Cloud Connectors 2.5.92 (Nov 12 2020)

Cloud Connector

Description

Cloudflare

Added a new endpoint "Firewall Activity Log" which replaces the deprecated "Firewall Events" endpoint. See https://support.skyformation.com/hc/en-us/articles/360017477139 for details.

Cloud Connectors 2.5.86 (Oct 26 2020)

Cloud Connector

Description

Azure

EventHub: fixed event duplication and memory and resource leaks. Requires an EventHub tier of at least "Standard", since the connector uses the capability of accessing EventHub as a Kafka consumer.

Cloud Connector UI

Removed the Console/Audit panel from the CC UI.

Cloud Connectors 2.5.77 (Oct 15 2020)

Cloud Connector

Description

Office365

Endpoints:

  • exchange-admin-reports-mail-detail-spam

  • exchange-admin-reports-mail-detail-malware

  • exchange-admin-reports-mail-detail-dlp-policy

The initial sync time changed from 1 day to 2 days to avoid a possible deadlock.

Mimecast

Better handling of invalid domain names.

Cloud Connectors 2.5.72 (Oct 4 2020)

Cloud Connector

Description

Okta

Updated to always send the "Exabeam" user agent in API calls.

Gsuite

Fixed test connection for the AWS MT connector.

AWS MT

Made performance improvements.

Cloud Connectors 2.5.66 (Sep 23 2020)

Cloud Connector

Description

Code42

Events are now fetched by insertion time so that no event is missed, per the Code42 team's recommendation.

Symantec WSS

Increased the polling interval to make the time delta smaller. Also fixed an edge case that leaked disk space.

Azure - EventHub

Fixed a resource leak occurring when multiple EventHubs run under heavy load.

Cloud Connectors 2.5.60 (Sep 16 2020)

Cloud Connector

Description

Crowdstrike FDR

Properly handle unparsable events coming from CrowdStrike.

Custom connector (Azure backend)

Fixed task deletion logic that prevented new events from being synced.

AWS

Decreased the number of threads and cache threads for large numbers of accounts.

Cloud Connectors 2.5.55 (Sep 8 2020)

Cloud Connector

Description

GCP

Adapted to the new SDK, which fixes the break in Google's API.

The event body is now processed into readable JSON.

Infrastructure

Fixed starvation in task management which caused delays in synchronization of some endpoints.

Cloud Connectors 2.5.50 (Sep 3 2020)

Cloud Connector

Description

Code42

Fixed a 400 Bad Request error that caused the connector to stop working after several hours.

AWS

Fixed resource leak.

Tomcat security enhancements

General: added a safety mechanism to remove stale resources.

Cloud Connectors 2.5.49 (August 27 2020)

Cloud Connector

Description

Custom connector - Azure backend, Cisco Umbrella, CrowdStrike

Fixed a test connection failure with the error "SFRuntimeException: Failed to get task owner for account [dummy-account-id], data management not found".

Office365

Fixed false positive "failed logins" in Sign in logs.

Cloud Connectors 2.5.48 (August 26 2020)

Cloud Connector

Description

Mimecast

Fixed user enrichment. Before this fix, if even one domain was returned incorrectly from Mimecast, all user syncs stopped and reported failures. With this fix, the wrong domain is ignored and the rest continue.

Infrastructure

Health reports are now sent via the NATS messaging service instead of Kafka (no user impact).

Cloud Connectors 2.5.47 (August 10 2020)

Cloud Connector

Description

Slack

Fixed duplicated events.

Cloud Connectors 2.5.46 (August 9 2020)

Cloud Connector

Description

Duo

Added API throttling support.

Code42

Introduced the Code42 Cloud Connector. Refer to Configure the Code42 Incydr Connector and to the Code42_ContentDoc on GitHub for the parsers.

Cloud Connectors 2.5.42 (August 5 2020)

Cloud Connector

Description

AWS

Fixed resource leak in error flow of Cloudwatch alarms. Highly recommended to upgrade to this or a later release if you have multiple AWS accounts.

Gsuite connector (Google Apps) and Gmail Logs

Optimized query processing costs, query only relevant daily tables.

Cloud Connectors 2.5.34 (July 29 2020)

Cloud Connector

Description

CloudFlare

Fixed the issue where cs6 (raw event) was not sent to AA/DL so parsers did not work correctly.

Cloud Connectors 2.5.33 (July 22 2020)

Cloud Connector

Description

Symantec WSS

Performance improvement and other fixes to remove duplicate events.

CloudFlare

Fixed an issue with multiple zones where a failure in one endpoint mistakenly affected other endpoints.

Migration improvements

Introduced a UI button to export/import the account configuration and an automated script to perform the entire procedure automatically.

Cloud Connectors 2.5.30 (July 6 2020)

Cloud Connector

Description

N/A

Critical: Fixed resource leak in task management cache which may cause event duplication and in rare cases also endpoint starvation. The issue was introduced in 2.5.27. If you are on this version, please update.

Cylance

Fixed "400 - bad request" error.

Cloud Connectors 2.5.27 (June 30 2020)

Category

Description

Performance Improvements

  • Introduced Task Management Caching

  • For Multi-Tenant deployments, introduced db per tenant.

Bug Fixes

  • Critical - Fixed a resource leak in health reporting that consumed up to 100% CPU. The issue was introduced in 2.4.264; if you are on that release or higher, please update.

  • Office365 connector - the audit API returned an unexpected new value that caused processing to stop, so events were not received

  • GCP connector - the client used for detecting sinks for dynamic endpoints was prematurely closed, causing an error and no events being received

  • Slack connector - introduced API throttling to adhere to Slack's rate limits

  • Gsuite connector - fixed a GMailLogs null pointer exception

  • Symantec WSS - changed the decompression technology to match the new compression used by WSS

  • SentinelOne Deep Visibility endpoint - tuned consumer parameters and fixed a commit error

Cloud Connectors 2.5.0 (June 9 2020)

Cloud Connector

Description

Infrastructure change

Moved configuration data from ZooKeeper to etcd.

Zoom

Added support for OAuth authentication.

Office365

Management-exchange endpoint: fixed a regression where the message type (mapped to the CEF fileType field) was detected by a full match on the parent folder instead of a prefix match.

Gsuite

Fixed null pointer exception in GMailLogs endpoint connector.

Cylance

Fixed handling of an empty response from Cylance, and added debug information to further diagnose the issue.

Cloud Connectors 2.4 Releases

For Cloud Connectors 2.4 and earlier releases, refer to the SkyFormation documentation.