
Cloud-delivered Advanced Analytics – Exabeam Advanced Analytics Administration Guide

Notifications

You can configure Advanced Analytics to send notifications about system health, notable sessions, anomalies, and other important system information. Notifications can be sent in the following formats:

  • Log repository – Notifications can be sent to a log repository in a structured data format using the Syslog protocol. These notifications are formatted so machines, like your log repository, can easily understand them.

  • Email – Notifications can be sent to an email account in a format that's more human-readable.

Set Up Notifications to a Log Repository, Ticketing System, or SIEM

To configure notifications to a log repository, ticketing system, or SIEM using the Syslog protocol:

  1. In the sidebar, click SETTINGS (the grey gear icon), then select Core.

  2. Under NOTIFICATIONS, select Setup Notifications.

  3. Click add (the blue circle with a white plus sign), then select Syslog Notification.

  4. Configure the following notification settings:

    • IP / Hostname – Enter the IP or hostname of your Syslog server.

    • Port – Enter the port your Syslog server uses.

    • Protocol – Select the network protocol used to deliver messages to your Syslog server: TCP, SSL_TCP, or UDP.

    • Syslog Security Level – Assign a severity level to the notification:

      • Informational – Normal operational events, no action needed.

      • Debug – Useful information for debugging, sent after an error occurs.

      • Error – An error has occurred and must be resolved.

      • Warning – Events that will lead to an error if you don't take action.

      • Emergency – Your system is unavailable and unusable.

      • Alert – Events that should be corrected immediately.

      • Notice – An unusual event has occurred.

      • Critical – Some event, like a hard device error, has occurred and your system is in critical condition.

    • Notifications by Product – Select the events for which you want to be notified:

      • Advanced Analytics:

        • System Health – All system health alerts for Advanced Analytics.

        • Notable Sessions – A user or asset has reached a risk threshold and become notable. This notification describes which rule was triggered and contains any relevant information.

        • Anomalies – A rule has been triggered.

        • AA/CM/OAR Audit – An Exabeam user does something in Advanced Analytics, Case Manager, or Incident Responder that's important to know when auditing their activity history; for example, when someone modifies rule behavior, changes log sources, or changes user roles and permissions.

        • Job Start – Data processing engines have started processing a log.

        • Job End – Data processing engines have stopped processing a log.

        • Job Failure – Data processing engines have failed to process a log.

  5. Click ADD NOTIFICATION.

  6. Restart the Analytics Engine.
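The severity you pick under Syslog Security Level ends up encoded in the `<PRI>` header of each message, and that is what your SIEM or log repository will filter on. The following is an added example, not Exabeam code, that decodes that header using the standard RFC 5424 severity codes (Emergency=0 through Debug=7), flags notifications at or above a chosen severity, and pushes a few constructed sample messages through a loopback receiver over UDP or TCP so you can confirm the port and transport you entered above actually accept traffic before restarting the engine. The sample messages, the hostname `exabeam-aa`, and the body text are constructed for illustration and do not represent real Advanced Analytics output; SSL_TCP is left out because it needs a certificate.

```python
"""Decode syslog severity from Exabeam-style notifications and verify a receiver over loopback.

Added example (not Exabeam code). Assumes each notification starts with the
"<PRI>" header defined by RFC 5424 / RFC 3164; everything else is opaque body.
"""
import re
import socket
from dataclasses import dataclass

# RFC 5424 severity codes; the names match the Syslog Security Level options.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}
SEVERITY_CODES = {name: code for code, name in SEVERITY_NAMES.items()}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed samples (not real product output): PRI 14 = facility 1 / Informational,
# 12 = facility 1 / Warning, 11 = facility 1 / Error.
SAMPLE_MESSAGES = [
    "<14>1 2024-01-01T00:00:00Z exabeam-aa AdvancedAnalytics - - Job Start: log source windows-dc",
    "<12>1 2024-01-01T00:05:00Z exabeam-aa AdvancedAnalytics - - Notable Session: user jdoe hit threshold 90",
    "<11>1 2024-01-01T00:06:00Z exabeam-aa AdvancedAnalytics - - Job Failure: parser error on log source proxy",
]


@dataclass
class SyslogNotification:
    facility: int
    severity: int
    severity_name: str
    body: str


def parse_syslog(line: str) -> SyslogNotification:
    """Split the <PRI> header into facility and severity (PRI = facility * 8 + severity)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return SyslogNotification(facility, severity, SEVERITY_NAMES[severity], m.group(2).strip())


def priority(facility: int, severity_name: str) -> int:
    """Compute the PRI value a sender would emit for a given facility and severity name."""
    return facility * 8 + SEVERITY_CODES[severity_name]


def needs_attention(n: SyslogNotification, threshold: str = "Warning") -> bool:
    """True when the message is at least as severe as threshold (lower code = more severe)."""
    return n.severity <= SEVERITY_CODES[threshold]


def loopback_check(messages, protocol: str = "UDP"):
    """Deliver messages to a receiver on 127.0.0.1 using the chosen transport
    (UDP or TCP, as in the Protocol setting) and return the parsed notifications.
    Stands in for the real Syslog server to prove the transport choice works."""
    if protocol == "UDP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2)
        port = srv.getsockname()[1]
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        for m in messages:  # one datagram per notification
            cli.sendto(m.encode(), ("127.0.0.1", port))
        raw = [srv.recv(65535).decode() for _ in messages]
        cli.close()
        srv.close()
    elif protocol == "TCP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(2)
        port = srv.getsockname()[1]
        cli = socket.create_connection(("127.0.0.1", port), timeout=2)
        cli.sendall("".join(m + "\n" for m in messages).encode())  # newline framing
        cli.close()
        conn, _ = srv.accept()
        conn.settimeout(2)
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        conn.close()
        srv.close()
        raw = buf.decode().splitlines()
    else:
        raise ValueError("unsupported protocol: " + protocol)
    return [parse_syslog(r) for r in raw]


if __name__ == "__main__":
    for n in loopback_check(SAMPLE_MESSAGES, "TCP"):
        flag = "ACT" if needs_attention(n) else "   "
        print(f"{flag} facility={n.facility} {n.severity_name:<13} {n.body}")
```

Point `loopback_check` at a real host by swapping the loopback bind for your receiver's address if you want a pre-restart smoke test; the severity threshold in `needs_attention` mirrors the filter you would set on the SIEM side so that Job Start chatter at Informational does not drown out Job Failure at Error.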

Set Up Notifications to Email

You can configure email notifications for both Advanced Analytics and for some Incident Responder actions. The Incident Responder notifications can include:

  • Notify User By Email Phishing

  • Phishing Summary Report

  • Send Email

  • Send Template Email

  • Send Indicators via Email

When these settings are configured correctly, Incident Responder uses IRNotificationSMTPService to carry out these actions. If they are misconfigured, these actions will fail.

To configure human-readable email notifications:

  1. In the sidebar, click SETTINGS (the grey gear icon), then select Core.

  2. Under NOTIFICATIONS, select Setup Notifications.

  3. Click add (the blue circle with a white plus sign), then select Email Notification.

  4. Configure the following notification settings:

    • IP / Hostname – You must enter cloudrelay1.connect.exabeam.com.

    • Port – Enter the port number for your outgoing mail server.

    • SSL – You must select this box.

    • Username Required – If your mail server requires a username, select the box, then enter the username.

    • Password Required – If your mail server requires a password, select the box, then enter the password.

    • Sender Email Address – Enter <yourinstance>@notify.exabeam.com.

    • Recipients – List the email addresses to receive these email notifications, separated by a comma.

    • E-mail Signature – Enter text that's automatically added to the end of all email notifications.

    • Notifications by Product – Select the events for which you want to be notified.

      • Incident Responder:

        • System Health – All system health alerts for Case Manager and Incident Responder.

      • Advanced Analytics:

        • System Health – All system health alerts for Advanced Analytics.

        • Notable Sessions – A user or asset has reached a risk threshold and become notable. This notification describes which rule was triggered and contains any relevant information.

        • Anomalies – A rule has been triggered.

        • AA/CM/OAR Audit – An Exabeam user does something in Advanced Analytics, Case Manager, or Incident Responder that's important to know when auditing their activity history; for example, when someone modifies rule behavior, changes log sources, or changes user roles and permissions.

        • Job Start – Data processing engines have started processing a log.

        • Job End – Data processing engines have stopped processing a log.

        • Job Failure – Data processing engines have failed to process a log.

  5. Click ADD NOTIFICATION.