Skip to main content

Cloud-delivered Advanced AnalyticsExabeam Advanced Analytics Administration Guide

Manage Users

Understand the difference between Roles and Users. Configure the analysts that have access to the Exabeam User Interface, add the analyst's information, assign them roles, and set up user permissions and access based on your organization's needs.

Users

Users are the analysts that have access to the Exabeam UI to review and investigate activity. These analysts have specific roles, permissions, and can be assigned Exabeam objects within the platform. They also have the ability to accept sessions. Exabeam supports local authentication or authentication against an LDAP server.

Default Roles

Advanced Analytics includes preconfigured default roles with standard permission sets for common user types, such as analysts, administrators, and auditors.

Note

Default roles cannot be edited or deleted.

This role is intended for administrative access to Exabeam. Users assigned to this role can perform administrative operations on Exabeam, such as configuring the appliance to fetch logs from the SIEM, connecting to Active Directory to pull in contextual information, and restarting the analytics engine. The default admin credential belongs to this role. This is a predefined role provided by Exabeam and cannot be deleted.

Default permissions include:

Permission

Description

Manage Users and Context Sources

Manage users and roles in the Exabeam Security Intelligence Platform, as well as the context sources used to enhanced the logs ingested (e.g. assets, peer groups, service accounts, executives).

Manage context tables

Manage users, assets or other objects within Context Tables.

Manage Content Packages

Users add/remove/configure content packages for automatic installation.

View Metrics

View the IR Metrics page.

Manage Data Ingest

Configure log sources and feeds and email-based ingest.

Add IR comments

Add IR comments.

Upload Custom Services

Upload custom actions or services.

Create incidents

Create incidents.

Delete incidents

Delete incidents.

Manage Custom Services and Packages

User can manage custom services and related packages

Manage Data Ingest

Configure log sources and feeds and email-based ingest.

Manage ingest rules

Add, edit, or delete rules for how incidents are assigned, restricted, and prioritized on ingest.

Manage Queues

Create, edit, delete, and assign membership to queues

Manage Templates

Create, edit, or delete playbook templates.

Manage Triggers

Create, update, or delete playbook triggers.

Run Actions

Launch individual actions from the user interface.

Manage Bi-directional Communication

Configure inbound and outbound settings for Bi-Directional Communications.

Manage Incident Configuration

Users can manage the Incident Configurations including Incident Types, Fields, Layouts, and Checklists.

Manage Playbooks

Create, update, or delete playbooks.

Manage Services

Configure, edit, or delete services (3rd party integrations).

Run Playbooks

Run a playbook manually from the workbench.

Reset Incident Workbench

User can reset incident workbench

All Admin Ops

Perform all Exabeam administrative operations such as configuring the appliance, connecting to the log repository and Active Directory, setting up log feeds, managing users and roles that access the Exabeam UI, and performing system health checks.

View comments

View comments.

View health

View health.

View Raw Logs

View the raw logs that are used to built the events on AA timeline

View Rules

View configured rules that determine how security events are handled

View API

View API.

View incidents

View incidents.

View Metrics

View the IR Metrics page.

Edit incidents

Edit an incident's fields, edit tasks, entities & artifacts.

Manage Rules

Create/Edit/Reload rules that determine how security events are handled

Bulk edit

Users can edit multiple incidents at the same time.

Search Incidents

Can search keywords in IR via the search bar.

Basic Search

Perform basic search on the Exabeam homepage. Basic search allows you to search for a specific user, asset, session, or a security alert.

View Restricted Incidents

View incidents restricted to other users or groups.

Users assigned to this role have only view privileges within the Exabeam UI. They can view all activities within the Exabeam UI, but cannot make any changes such as add comments or approve sessions. This is a predefined role provided by Exabeam.

Default permissions include:

Permission

Description

View Comments

View comments

View Activities

View all notable users, assets, sessions, and related risk reasons in the organization.

View Global Insights

View the organizational models built by Exabeam. The histograms that show the normal behavior for all entities in the organization can be viewed.

View Executive Info

View the risk reasons and the timeline of the executive users in the organization. You will be able to see the activities performed by executive users along with the associated anomalies.

View Incidents

View incidents.

View Infographics

View all the infographics built by Exabeam. You will be able to see the overall trends for the organization.

View Insights

View the normal behaviors for specific entities within the organization. The histograms for specific users and assets can be viewed.

Search Incidents

Can search keywords in Incident Responder via the search bar.

Basic Search

Perform basic search on the Exabeam homepage. Basic search allows you to search for a specific user, asset, session, or a security alert.

View Search Library

View the Search Library provided by Exabeam and the corresponding search results associated with the filters.

Threat Hunting

Perform threat hunting on Exabeam. Threat hunting allows you to query the platform across a variety of dimension such as find all users whose sessions contain data exfiltration activities or a malware on their asset.

View Restricted Incidents

View incidents restricted to other users or groups.

Users assigned to this role are junior security analysts or incident desk responders who supports the day-to-day enterprise security operation and monitoring. This type of role will not be authorized to make any changes to Exabeam system except for making user, session and lockout comments. Users in this role cannot approve sessions or lockout activities. This is a predefined role provided by Exabeam.

Default permissions include:

Permission

Description

Add Advanced Analytics Comments

Add comments for the various entities (users, assets and sessions) within Exabeam.

Add Incident Responder Comments

Add Incident Responder comments.

Create Incidents

Create incidents.

Run Playbooks

Run a playbook manually from the workbench.

Run Actions

Launch individual actions from the user interface.

View comments

View comments.

View Global Insights

View the organizational models built by Exabeam. The histograms that show the normal behavior for all entities in the organization can be viewed.

View incidents

View incidents.

View Infographics

View all the infographics built by Exabeam. You will be able to see the overall trends for the organization.

View Activities

View all notable users, assets, sessions and related risk reasons in the organization.

View Executive Info

View the risk reasons and the timeline of the executive users in the organization. You will be able to see the activities performed by executive users along with the associated anomalies.

View Insights

View the normal behaviors for specific entities within the organization. The histograms for specific users and assets can be viewed.

Users assigned to this role will be performing more complex investigations and remediation plans. They can review user sessions, account lockouts, add comments, approve activities and perform threat hunting. This is a predefined role provided by Exabeam and cannot be deleted.

Default permissions include:

Permission

Description

Add Advanced Analytics Comments

Add comments for the various entities (users, assets and sessions) within Exabeam.

Add Incident Responder Comments

Add Incident Responder comments.

Upload Custom Services

Upload custom actions or services.

Create incidents

Create incidents.

Delete incidents

Delete incidents.

Manage Playbooks

Create, update, or delete playbooks.

Manage Queues

Create, edit, delete, and assign membership to queues

Manage Services

Configure, edit, or delete services (3rd party integrations).

Manage Triggers

Create, update, or delete playbook triggers.

Run Actions

Launch individual actions from the user interface.

Manage Bi-directional Communication

Configure inbound and outbound settings for Bi-Directional Communications.

Manage Data Ingest

Configure log sources and feeds and email-based ingest.

Manage ingest rules

Add, edit, or delete rules for how incidents are assigned, restricted, and prioritized on ingest.

Manage Templates

Create, edit, or delete playbook templates.

Run Playbooks

Run a playbook manually from the workbench.

View Activities

View all notable users, assets, sessions and related risk reasons in the organization.

View Comments

View comments.

View Executive Info

View the risk reasons and the timeline of the executive users in the organization. You will be able to see the activities performed by executive users along with the associated anomalies.

View Global Insights

View the organizational models built by Exabeam. The histograms that show the normal behavior for all entities in the organization can be viewed.

View Infographics

View all the infographics built by Exabeam. You will be able to see the overall trends for the organization.

View Rules

View configured rules that determine how security events are handled.

View Insights

View the normal behaviors for specific entities within the organization. The histograms for specific users and assets can be viewed.

Bulk Edit

Users can edit multiple incidents at the same time.

Delete entities and artifacts

Users can delete entities and artifacts.

Manage Watchlist

Add or remove users from the Watchlist. Users that have been added to the Watchlist are always listed on the Exabeam homepage, allowing them to be scrutinized closely.

Approve Lockouts

Accept account lockout activities for users. Accepting lockouts indicates to Exabeam that the specific set of behaviors for that lockout activity sequence are whitelisted and are deemed normal for that user.

Accept Sessions

Accept sessions for users. Accepting sessions indicates to Exabeam that the specific set of behaviors for that session are whitelisted and are deemed normal for that user.

Warning

This permission should be given only sparingly, if at all. Accepting sessions is not recommended. The best practice for eliminating unwanted alerts is through tuning the rules and/or models.

Edit incidents

Edit an incident's fields, edit entities & artifacts.

Sending incidents to Incident Responder

Send incidents to Incident Responder.

Basic Search

Perform basic search on the Exabeam homepage. Basic search allows you to search for a specific user, asset, session, or a security alert.

Search Incidents

Can search keywords in IR via the search bar.

Threat Hunting

Perform threat hunting on Exabeam. Threat hunting allows you to query the platform across a variety of dimensions such as find all users whose sessions contain data exfiltration activities or a malware on their asset.

Manage Search Library

Create saved searches as well as edit them.

View Search Library

View the Search Library provided by Exabeam and the corresponding search results associated with the filters.

This role is needed only when the data masking feature is turned on within Exabeam. Users assigned to this role are the only users that can view personally identifiable information (PII) in an unmasked form. They can review user sessions, account lockouts, add comments, approve activities and perform threat hunting. This is a predefined role provided by Exabeam.

See Mask Data Within the Advanced Analytics UI for more information on this feature.

Default permissions include:

Permission

Description

Add Advanced Analytics Comments

Add comments for the various entities (users, assets and sessions) within Exabeam.

View comments

View comments.

View Global Insights

View the organizational models built by Exabeam. The histograms that show the normal behavior for all entities in the organization can be viewed.

View incidents

View incidents.

View Infographics

View all the infographics built by Exabeam. You will be able to see the overall trends for the organization.

View Activities

View all notable users, assets, sessions and related risk reasons in the organization.

View Executive Info

View the risk reasons and the timeline of the executive users in the organization. You will be able to see the activities performed by executive users along with the associated anomalies.

View Insights

View the normal behaviors for specific entities within the organization. The histograms for specific users and assets can be viewed.

Manage Watchlist

Add or remove users from the Watchlist. Users that have been added to the Watchlist are always listed on the Exabeam homepage, allowing them to be scrutinized closely.

Sending incidents to Incident Responder

Sending incidents to Incident Responder.

Accept Sessions

Accept sessions for users. Accepting sessions indicates to Exabeam that the specific set of behaviors for that session are whitelisted and are deemed normal for that user.

Basic Search

Perform basic search on the Exabeam homepage. Basic search allows you to search for a specific user, asset, session, or a security alert.

Threat Hunting

Perform threat hunting on Exabeam. Threat hunting allows you to query the platform across a variety of dimensions such as find all users whose sessions contain data exfiltration activities or a malware on their asset.

Manage Search Library

Create saved searches as well as edit them

View Search Library

View the Search Library provided by Exabeam and the corresponding search results associated with the filters.

View Unmasked Data (PII)

Show all personally identifiable information (PII) in a clear text form. When data masking is enabled within Exabeam, this permission should be enabled only for select users that need to see PII in a clear text form.

View Restricted Incidents

View incidents restricted to other users or groups.

Create a Custom User Role

If the preconfigured default roles do not meet all your needs, you can create your own roles.

To add a new role:

  1. Click Settings SOC-Platform-Settings-Icon.png, and then click Analytics > Exabeam User Management > Roles.

    The User Management page opens with the Roles tab selected.

  2. Click Create Role.

    User-Manage-Page.png
  3. In the Create a new role dialog box, enter a Role name and ensure that the Advanced Analytics tab is selected.

    Create-A-New-Role-Dialog.png
  4. Select the permissions that you want to assign to the role.

    To quickly find specific permissions, use the search bar. Otherwise, scroll down to view the available permissions.

    Create-A-New-Role-Select-Perms.png
  5. When you are finished, click Save.

    The new role appears in the list of Custom Roles on the Roles tab of the User Management page. From the Users tab, you can assign the role to both new and existing users.

Add an Exabeam User

  1. Navigate to Settings > Exabeam User Management > Users.

  2. Click Add User.

  3. Fill the new user fields and select role(s), and then click SAVE.

Your newly created user should appear in the Users UI.

User Password Policies

Exabeam users must adhere to the following default password security requirements:

  • Passwords must:

    • Be between 8 to 32 characters

    • Contain at least one uppercase, lowercase, numeric, and special character

    • Contain no blank space

  • User must change password every 90 days

  • New passwords cannot match last 5 passwords

  • SHA256 hashing is applied to store passwords

  • Only administrators can reset passwords and unblock users who have been locked out due to too many consecutive failed logins

If you need to modify the default password policies, contact Exabeam Customer Support.