Cloud-delivered Advanced Analytics > Exabeam Advanced Analytics Administration Guide

Exabeam Threat Intelligence Service

The Exabeam Threat Intelligence Service delivers up-to-date threat indicators to Advanced Analytics deployments on a daily basis. The indicators from each feed are stored in a context table associated with that feed, and the detection rules listed below look up event fields (source hosts, peer IP addresses, queried domains) against those tables. The indicators themselves come from curated threat intelligence.

The table below lists the categories of threat indicators provided by each threat intelligence feed and the rules that leverage each feed. For detailed tables mapping use cases and rules for each corresponding context table, see the Exabeam Community article: TIS-populated Context Tables Mapped to Rules.

Note

All of the threat intelligence feeds, except the TOR network category, provide curated threat intelligence from ZeroFox. The TOR network feed is an open source data feed.

IoC Category | Description | Rules

Ransomware IP
Description: IP addresses associated with ransomware attacks
Rules:
  • Auth-Ransomware-Shost
  • Auth-Ransomware-Shost-Failed
  • A-NET-Ransomware-IP
  • A-NETF-Ransomware-IP
  • WEB-UI-Ransomware

Threat IP
Description: IP addresses associated with ransomware or malware attacks
Rules:
  • VPN02
  • Auth-Blacklist-Shost
  • Auth-Blacklist-Shost-Failed
  • EPA-PI-ThreatIp
  • A-NET-TI-IP-Outbound
  • A-NETF-TI-IP-Outbound
  • A-NET-TI-IP-Inbound
  • A-WEB-Reputation-IP
  • WEB-UI-Reputation

Reputation Domain
Description: Domain names and URLs associated with sites that often host malware, drive-by compromises, and similar threats
Rules:
  • WEB-UD-Reputation
  • A-WEB-Reputation-Domain
  • A-NET-TI-H-Outbound
  • A-NETF-TI-H-Outbound
  • A-NET-TI-H-Inbound
  • A-DNS-MALDOM-QUERY
  • A-DNS-MALDOM-RESPONSE

Web Phishing
Description: Domain names associated with phishing or ransomware
Rules:
  • WEB-UD-Phishing

TOR IP
Description: IP addresses associated with the TOR network
Rules:
  • Auth-Tor-Shost-Failed
  • Auth-Tor-Shost
  • EPA-PI-TorIp
  • WEB-UI-Tor
  • A-NET-TOR-Outbound
  • A-NETF-TOR-Outbound
  • A-NET-TOR-Inbound
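The following is an added illustration of the kind of context-table lookup the rule families above perform; it is not Exabeam code, and the page does not show the real rule syntax or context-table schema. The table names, event field names, internal address ranges, staleness threshold and sample records are constructed assumptions. The rule names are the ones from the table above, but the condition attached to each one here is only an approximation of what the name implies (failed versus successful logon, inbound versus outbound peer, domain versus IP indicator).

```python
"""Context-table lookups of the kind the rules in the table above perform.

Added illustration, not Exabeam's rule engine or context-table schema:
table names, event field names, internal ranges, staleness threshold and
sample records are constructed assumptions. Rule names are the page's;
the conditions attached to them are an approximation of what each implies.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed indicator sets, one per feed category on the page.
CONTEXT_TABLES = {
    "ransomware_ip": {"203.0.113.10"},
    "threat_ip": {"198.51.100.7", "203.0.113.10"},
    "reputation_domain": {"bad.example", "drive-by.example"},
    "web_phishing": {"login-update.example"},
    "tor_ip": {"192.0.2.55"},
}

# Assumed internal ranges. An explicit list is safer than ipaddress.is_private,
# which also treats the documentation ranges used here as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src_ip, dest_ip):
    """Outbound: internal source to external peer. Inbound: the reverse."""
    src_in, dst_in = is_internal(src_ip), is_internal(dest_ip)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "other"


def normalize_domain(name):
    """Lower-case and drop the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")


def domain_hit(name, table):
    """True if the name or any parent domain of it is an indicator.

    cdn.bad.example must match an indicator for bad.example; an exact
    lookup on the full hostname would miss it. The bare TLD is never tried.
    """
    labels = normalize_domain(name).split(".")
    return any(".".join(labels[i:]) in table for i in range(len(labels) - 1))


def evaluate(event, tables=CONTEXT_TABLES):
    """Return the page's rule names that this event would trip."""
    hits = []
    kind = event["type"]
    if kind == "auth":
        host, failed = event["src_ip"], event.get("outcome") == "failure"
        for table, stem in (("tor_ip", "Auth-Tor-Shost"),
                            ("ransomware_ip", "Auth-Ransomware-Shost"),
                            ("threat_ip", "Auth-Blacklist-Shost")):
            if host in tables[table]:
                hits.append(stem + "-Failed" if failed else stem)
    elif kind == "net":
        d = direction(event["src_ip"], event["dest_ip"])
        if d == "other":
            return hits  # no external peer to check
        peer = event["dest_ip"] if d == "outbound" else event["src_ip"]
        suffix = "Outbound" if d == "outbound" else "Inbound"
        if peer in tables["threat_ip"]:
            hits.append("A-NET-TI-IP-" + suffix)
        if peer in tables["tor_ip"]:
            hits.append("A-NET-TOR-" + suffix)
        if peer in tables["ransomware_ip"]:
            hits.append("A-NET-Ransomware-IP")
    elif kind == "dns":
        if domain_hit(event["query"], tables["reputation_domain"]):
            hits.append("A-DNS-MALDOM-QUERY")
    elif kind == "web":
        if domain_hit(event["host"], tables["web_phishing"]):
            hits.append("WEB-UD-Phishing")
        if domain_hit(event["host"], tables["reputation_domain"]):
            hits.append("WEB-UD-Reputation")
    return hits


def feed_is_stale(last_refresh_iso, now_iso, max_age=timedelta(days=2)):
    """The feeds refresh daily; a table older than two days (assumed threshold)
    means the connector or download is silently failing."""
    last = datetime.fromisoformat(last_refresh_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last > max_age


# Constructed sample records, one per rule family on the page.
SAMPLE_EVENTS = [
    {"type": "auth", "src_ip": "192.0.2.55", "outcome": "failure", "user": "jdoe"},
    {"type": "net", "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10"},
    {"type": "net", "src_ip": "198.51.100.7", "dest_ip": "10.1.2.3"},
    {"type": "dns", "query": "cdn.bad.example."},
    {"type": "web", "host": "LOGIN-UPDATE.example"},
    {"type": "net", "src_ip": "10.1.2.3", "dest_ip": "10.1.2.4"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every sample record; returns one list of rule names per record."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run()):
        print(event, "->", hits or "no match")
```

Two points in the code are worth carrying into whatever tooling you use around these feeds: domain indicators should be matched on parent domains as well as the exact hostname, or a subdomain of a listed site slips past, and because the tables are refreshed only once a day, check their age so that a failed connector run or download does not leave the rules matching silently against stale indicators.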

Cloud-delivered deployments of Advanced Analytics and Data Lake connect to the Threat Intelligence Service (TIS) through an Exabeam Data Service (EDS) cloud connector, as shown in the image below. The cloud connector service provides authentication and establishes a secure connection to the Threat Intelligence Service. The cloud connector service collects updated threat indicators from the Threat Intelligence Service and makes them available within Advanced Analytics and Data Lake on a daily basis.

[Diagram: the Threat Intelligence Source feeds the Threat Intelligence Service, which connects to the EDS Cloud Connector.]

The Threat Intelligence Service does not require a separate license. It is bundled with Advanced Analytics deployments. Additional installation is not required.

For on-premises deployments of Advanced Analytics and Data Lake, threat indicators are downloaded directly from the Threat Intelligence Service on a daily basis, without an EDS cloud connector.

For more information about the Threat Intelligence Service, contact your technical account manager.