Cloud-delivered Data Lake Administration Guide

User Management

Universal Role-Based Access

Universal role-based access centralizes user identity and access management (IAM) for applications across the entire Exabeam SOC Platform. If you are a new Data Lake customer, you should set up IAM exclusively with universal role-based access. For information on configuring universal role-based access, refer to Universal Role-Based Access in the Exabeam SOC Platform Administration Guide.

For information on migrating from legacy authentication to universal role-based access, see Migrate to Universal Role-Based Access.

Note

Existing customers can continue to use legacy role-based access control until they are prepared to migrate to universal role-based access. For information, see Legacy Role-Based Access Control.

Migrate to Universal Role-Based Access

If you are an existing Exabeam SOC Platform customer, you are encouraged to migrate from the individualized identity and access management (IAM) of your Exabeam products to universal role-based access. You can continue to use legacy authentication until your organization is prepared to migrate.

Warning

Migration to universal role-based access cannot be reversed.

Prerequisites

  • Unlike the legacy IAM, universal role-based access requires a unique email address for each user account. If your legacy account configurations do not include email addresses, you need to be prepared to add email addresses to the accounts to complete their migration.

  • For customers using a third-party identity provider (IdP), you need to have an IdP administrator available to modify the IdP configuration for it to authenticate with universal role-based access.

  • Universal role-based access does not support migration from LDAP directories. If LDAP is enabled, it needs to be disabled.

  • You should see a notification about centralizing identity management in the upper-left area of the home page, along with a button to add missing emails. If you do not see this notification, try clearing your cookies or logging in with your browser in incognito/private mode. If the notification still does not appear, contact customer support.


To migrate to universal role-based access:

  1. In the centralized identity management notification banner, click Add missing emails.

    The Add Missing Emails page opens. The page lists any accounts that do not have email addresses attached to them.

  2. Click the name of each of the listed users to either add their unique email addresses or delete their accounts.

    Important

    You should delete the accounts of former employees and/or inactive users.

  3. Click Next and repeat step 2 if needed.

    When all of the accounts are ready for migration, the Enable Unified Login page appears.

  4. To proceed with the migration, click Enable.

    An email is sent to the migrated users to welcome them to the Exabeam SOC Platform. The email includes a link for them to confirm their accounts and set their passwords.


Legacy Role-Based Access Control

With its introduction in Data Lake i40.3, universal role-based access is the recommended method for identity and access management (IAM). If you are a new Data Lake customer, you should set up IAM exclusively with universal role-based access. Existing customers can continue to use legacy role-based access control until they are prepared to migrate to universal role-based access. For information on migrating, see Migrate to Universal Role-Based Access.

Role-Based Access Overview

Customers control the responsibilities and activities of their SOC team members with role-based access. Local users, LDAP users, and SAML-authenticated users are all assigned roles within Exabeam.

Each user can be assigned one or more roles, and the responsibilities of those roles are determined by the permissions each role allows. A user assigned more than one role receives the union of the permissions of all of those roles.

In conjunction with role-based access, Data Lake also uses object-based access control which manages the viewing and editing of objects. For more information, see Exabeam Data Lake Object-based Access Control.

Note

If a user is assigned multiple roles with conflicting permissions, Exabeam enforces the role having more permission. For example, if a role with lighter permission and a role with full permission are both assigned to a user, then the user will have full permission.

To access the Roles page, navigate to Settings > User Management > Roles.

Caution

The Exabeam-created managed users in Web Common appear as native users on the Users tab of Settings > User Management. These accounts are service accounts that are necessary for Exabeam's basic functionality and should not be altered or deleted. They are Common Access Card (CAC) accounts: they authenticate with certificates only, so resetting or changing their passwords is not possible.

Data Lake service accounts
Figure 2. Data Lake service accounts


Below is a list of the CAC service accounts and their functions. These accounts cannot be disabled or deleted.

  • exabeam – Used for out-of-the-box content.

  • lm-collector-api-user – Allows log collectors and remote agent collectors to connect to Data Lake. The connection is needed for collector management and collector metrics, and authentication is certificate-based TLS: the collector presents a certificate rather than a password.

  • lms-server – Reserved user for the core Data Lake service.

Table 2. CAC Service Accounts


Out-of-the-Box Access Roles

Exabeam provides pre-configured access roles that restrict a user's tasks, actions, and views. A user may have more than one role. When a task, action, or view is governed by more than one of a user's roles, the role with the greater access is applied.

Administrator: This role is intended for administrative access to Exabeam. Users assigned to this role can perform administrative operations on Exabeam, such as configuring the appliance to fetch logs from the SIEM and connecting to Active Directory to pull in contextual information. The default admin credential belongs to this role. This is a predefined role provided by Exabeam and cannot be deleted.

Default permissions include:

  • [default Data Lake permissions] – By default, all users of Data Lake have the following permissions: Perform Search, View and Edit Saved Searches, View and Edit Saved Visualizations, View and Edit Saved Dashboards.

  • Manage context tables – Manage users, assets, or other objects within Context Tables.

  • Manage Users and Context Sources – Manage users and roles in the Exabeam Security Intelligence Platform, as well as the context sources used to enrich the ingested logs (for example, assets, peer groups, service accounts, executives).

  • Manage Correlation Rules – Create and edit correlation rules.

  • Manage Collectors – Perform all collector-related operations, such as managing and configuring collectors, changing template assignments, and starting or stopping collectors.

  • Manage Exabeam Reports – Update and reload the list of Exabeam reports.

  • Manage Data Retention – Modify the data retention configuration.

  • Manage Data Access – Create and edit data access rules.

  • Manage Indices – Reparse and reindex the logs of one or more indices.

  • Manage Saved Objects – Create, edit, and share saved objects (such as dashboards, visualizations, and searches).

  • View Saved Objects – View saved objects (such as dashboards, visualizations, and searches) without editing them.

Auditor: Users assigned to this role have view privileges only within the Exabeam UI. They can view all activities within the Exabeam UI but cannot make any changes. This is a predefined role provided by Exabeam.

Default permissions include:

  • Manage Saved Objects – Create and edit saved searches, visualizations, dashboards, and reports.

  • View Saved Objects – View saved searches, visualizations, dashboards, and reports.

Tier 1 Analyst: Users assigned to this role are junior security analysts or incident desk responders who support day-to-day enterprise security operations and monitoring. This is a predefined role provided by Exabeam.

Default permissions include:

  • [default Data Lake permissions] – By default, all users of Data Lake have the following permissions: Perform Search, View and Edit Saved Searches, View and Edit Saved Visualizations, View and Edit Saved Dashboards.

Creating Custom Roles

Roles assigned to Exabeam users determine their level of access to tasks and data. Exabeam provides standard out-of-the-box roles that cannot be edited; however, you can create new roles from the same set of access features and adjust them as needed.

  1. To create a new role, navigate to Settings > User Management > Roles and click Create Role, or navigate to Settings > User Management > Users > Add User and click Create a new role.

  2. Fill in the fields and enable features in the DATA LAKE tab, as needed.

  3. Click the CORE tab and enable the listed features, as needed.

  4. Click Save to make the role available to add or associate with users.

Adding a User to Exabeam Data Lake

Data Lake users are added in a process separate from your organization's LDAP service. User permissions to view and execute tasks are based on the role(s) a user is assigned. For actions and views where a user has more than one role designation, the permission with the greatest access privilege applies.

To add a new user in Data Lake:

  1. Log in to your instance of the UI.

  2. Click the settings icon at the top-right corner of any page, and then click Settings.

  3. In the User Management section, click Users.

  4. Click + Add User.

  5. Enter the user details.

  6. Select applicable roles.

  7. Click SAVE.

The new user now appears on the User Management page.


Third-Party Identity Provider Configuration

Exabeam supports integration with SAML 2.0 compliant third-party identity providers (IdPs) for single sign-on (SSO), multi-factor authentication, and access control. Once an IdP is added to your product, you can make IdP authentication mandatory for users to log in to the product, or you can allow users to log in through either the IdP or local authentication.

Note

You can add multiple IdPs to your Exabeam product, but only one IdP can be enabled at a time.

Add Exabeam to Your SAML Identity Provider

This section provides instructions for adding Exabeam to your SAML 2.0 compliant identity provider (IdP). For detailed instructions, refer to your IdP's user guide.

The exact procedures for configuring IdPs to integrate with Exabeam vary between vendors, but the general tasks that need to be completed include the following (not necessarily in the same order):

  1. Begin the procedure to add a new application in your IdP for Exabeam (if needed, refer to your IdP's user guide for instructions).

  2. In the appropriate configuration fields, enter the Exabeam Entity ID and the Assertion Consumer Service (ACS) URL as shown in the following:

    Entity ID:

    https://<exabeam_primary_host>:443/api/auth/saml2/<identity_provider>/login

    ACS URL:

    https://<exabeam_primary_host>:443/api/auth/saml2/<identity_provider>/handle-assertion

    Important

    Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host. The only acceptable values for <identity_provider> are the following:

    • adfs

    • google

    • ping

    • okta

    • others

    If you are using Microsoft AD FS, Google IdP, Ping Identity, or Okta, enter the corresponding value from the preceding list. For all other IdPs, enter others. All of the values are case sensitive.

  3. In the attribute mapping section, enter descriptive values for the IdP user attributes.

    You need to provide values for the following user attributes:

    • Email address

    • First name

    • Last name

    • Group

    • Username (this attribute is optional)

    For example, if Primary email is the user email attribute in your IdP, you could enter EmailAddress as the descriptive value. The following is an example of a completed attribute map in Google IdP:


    Important

    When you Configure Exabeam for Your SAML Identity Provider, you need to use the same descriptive values to map the Exabeam query attributes with the corresponding IdP user attributes.

  4. Complete any additional steps in your IdP that are necessary to finish the configuration. Refer to your IdP user guide for details.

  5. Copy the IdP's connection details and download the IdP certificate or, if available, download the SAML metadata file.

    Note

    You need either the connection details and the IdP certificate or the SAML metadata file to complete the integration in Exabeam.

Example: Google IdP

The following steps show how these tasks are completed in a Google IdP.

  1. From the main menu on the left, select Apps and then click Web and mobile apps.

  2. From the Add app drop-down menu, click Add custom SAML app.


    The App Details section opens.

  3. In the App name field, enter a name.

  4. Under App icon, click the blue circle, navigate to an image file that can be used as an icon and click to upload it.

  5. Click Continue.

    The Google Identity Provider Details section opens.

  6. Click Download IdP Metadata.

    Note

    The IdP metadata file needs to be uploaded to Exabeam when you Configure Exabeam for Your SAML Identity Provider.

  7. Click Continue.

    The Service Provider Details section opens.

  8. Enter the ACS URL and Entity ID as shown in the following:

    ACS URL:

    https://<exabeam_primary_host>:443/api/auth/saml2/google/handle-assertion

    Entity ID:

    https://<exabeam_primary_host>:443/api/auth/saml2/google/login

    Note

    Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host.

  9. Click Continue.

    The Attribute Mapping section opens.

  10. Click Add Mapping, and then from the Select field drop-down menu, select Primary email.

  11. Repeat the previous step for each of the following attributes:

    • First name

    • Last name

    • Group

  12. In the App attributes fields, enter descriptive values for the attributes.

    For example, for the Primary email attribute, you could enter EmailAddress for the descriptive value. The following is an example of a completed attribute map:


    Important

    When you Configure Exabeam for Your SAML Identity Provider, you need to use the same descriptive values to map the Exabeam query attributes with the corresponding IdP user attributes.

  13. Click Continue.

    The details page opens for your Exabeam app.

  14. In the User Access panel, click the Expand panel icon to begin assigning the appropriate organizational units and groups to your Exabeam app and manage its service status.


    You are now ready to Configure Exabeam for Your SAML Identity Provider.

Example: Azure AD IdP

Note

The following instructions include procedural information for configuring both Azure AD and Exabeam to complete the IdP setup.

  1. Log in to Microsoft Azure and navigate to Enterprise Applications.

  2. Create an Exabeam enterprise application by doing the following:

    1. Click New application, and then click Create your own application.

      The Create your own application dialog box appears.

    2. In the What's the name of your app field, type a name for the app (for example, "Exabeam-SAML").

    3. Select Integrate any other application you don't find in the gallery (Non-gallery).

    4. Click Create.

  3. On the Enterprise Application page, locate and click the application that you added in step 2.

  4. In the Manage section, click Single sign-on.

  5. Click the SAML tile.

  6. In the Basic SAML Configuration box (1.png), click Edit, and then do the following:

    1. In the Identifier (Entity ID) field, enter the following: https://<exabeam_primary_host>:443/api/auth/saml2/others/login

      Note

      Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host.

    2. In the Reply URL (Assertion Consumer Service URL) field, enter the following: https://<exabeam_primary_host>:443/api/auth/saml2/others/handle-assertion

      Note

      Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host.

    3. Click Save.

  7. In the User Attributes & Claims box (2.png), click Edit, and then map the Azure objects to your Exabeam field attributes.

    1. Click the row for the user.mail claim.

      The Manage claim dialog box appears.

    2. In the Name field, type the name of the appropriate Exabeam field attribute.

    3. If needed, clear the value in the Namespace field to leave it empty.

    4. Click Save.

    5. Repeat the preceding four substeps as needed for the following claims:

      • user.givenname

      • user.userprincipalname

      • user.surname

    6. Click Add a group claim.

    7. In the Group Claims dialog box, select All groups.

    8. From the Source attribute drop-down list, select Group ID.

    9. In the Advanced Options section, select the checkbox for Customize the name of the group claim.

    10. In the Name (required) field, type Group.

    11. Click Save.

      The Group claim is added to the User Attributes & Claims box.

  8. In the SAML Signing Certificate box (3.png), download the Federation Metadata XML certificate to upload to Exabeam.

  9. In Exabeam, navigate to Settings > User Management > Configure SAML, and then click Add Identity Provider.

    The New Identity Provider dialog box appears.

  10. From the SAML Provider drop-down list, select Custom/Generic IdP.

  11. Under SSO Configuration, select Upload the XML metadata file provided by your IdP, and then choose the Federation Metadata XML file that you downloaded in step 8.

  12. In the Name of IdP field, type a name (for example, "Azure").

  13. In the Upload IdP logo field, click Choose File, and then select a PNG file of the logo that you want to use.

    Note

    The PNG logo file size cannot exceed 1 MB.

  14. In the Query Attributes section, enter the appropriate IdP attribute values for each field that you defined in step 7.

    Important

    The IdP attribute values must match the values that you defined in step 7.

    The Exabeam query attributes are Email Address, Username, First Name, Last Name, and Group.
  15. Click Save.

    Azure now appears as an identity provider in the Configure SAML tab of the User Management page, and a Group Mappings section also appears.

  16. To map a SAML group to Exabeam user roles, do the following:

    1. On the home page of Azure, click Groups.

    2. From the Object Id column, copy the ID for the Azure group that you want to map.

    3. In Exabeam, on the Configure SAML tab of the User Management page, click Add Group.

      The Edit Group Mapping dialog box appears.

    4. From the Identity Provider drop-down menu, select Others.

    5. In the Group Name field, paste the object ID that you copied in step b.

    6. Select the Exabeam User Roles that you want to assign to the group.

    7. Click Save.

    8. Repeat the preceding substeps for each Azure group that you want mapped to user roles.

  17. To verify that Azure has been successfully configured, log out of Exabeam and look for the Azure Active Directory option on the sign-on screen.

Configure Exabeam for Your SAML Identity Provider

Important

Before you begin this procedure, you need to Add Exabeam to Your SAML Identity Provider.

  1. Log in to your Exabeam product.

  2. Navigate to Settings A grey gear icon > User Management > Configure SAML.

  3. Click Add Identity Provider.

  4. From the SAML Provider drop-down menu, select your IdP.

    Note

    If your IdP is not listed, select Custom/Generic IdP.

  5. With the information that you collected in step 5 of Add Exabeam to Your SAML Identity Provider, do one of the following:

    • If you have an XML metadata file from your IdP, select Upload the XML metadata provided by your IdP, and then click Choose File to locate and upload the file from your computer.

    • If you do not have a metadata file, select Configure SSO manually and then do the following:

      1. Click Choose File to locate and upload the IdP certificate from your computer.

      2. In the Single Sign-on URL field, enter the appropriate URL, and then select either HTTP Post or HTTP Redirect as needed from the drop-down menu.

      3. (Optional) In the Single Log-Out URL and Redirect to URL after Log-Out fields, enter the appropriate URLs.

  6. If you selected Custom/Generic IdP in the previous step, do the following:

    1. In the Name of IdP field, enter a name.

    2. Under Upload IdP Logo, click Choose File to locate and upload an IdP logo image in PNG format.

  7. (Optional) From the Authentication Method drop-down menu, select an authentication method.

    Note

    Leave the field blank to accept the IdP's default method.

  8. If you are using AD FS and want to enable encryption, click the Encryption Disabled toggle to enable it (the toggle turns blue when enabled), and then configure the encryption options that apply to your environment.
  9. In the Query Attributes table, map the Exabeam query attributes (Email Address, Username, First Name, Last Name, and Group) to the corresponding IdP user attributes by entering the same descriptive values that you used in Add Exabeam to Your SAML Identity Provider.
  10. (Optional) If you are ready to enable the IdP, click the IdP Disabled toggle. When the IdP is enabled, the toggle turns blue.

    Note

    You can add multiple IdPs to your Exabeam product, but only one IdP can be enabled at a time.

  11. Click Save. Your identity provider now appears in the Identity Providers table.

  12. To complete the configuration, you need to map your SAML groups to Exabeam user roles. For instructions, see Map SAML Groups to Exabeam User Roles.

Map SAML Groups to Exabeam User Roles

After adding a third-party identity provider (IdP) to your Exabeam product, you need to map the IdP user groups to the appropriate user roles in Exabeam. For example, if in your IdP you have an "Advanced Analyst" user group that needs the permissions included in the Tier 3 Analyst (Advanced Analytics) role, you can map the group to that role. Each group can be mapped to one or more roles as needed.

  1. Navigate to Settings A grey gear icon > User Management > Configure SAML.

  2. In the Group Mappings section (which appears below the Identity Providers table), click Add Group.


    The New Group Mapping dialog box appears.

  3. From the Identity Provider drop-down menu, select the IdP that you want to map.

  4. In the Group Name/ID field, enter the group name or ID as it is listed in the IdP.

    Important

    Group names are case sensitive.

  5. In the Exabeam User Roles list, select the checkboxes for the role(s) that you want to assign to the group.

  6. Click Save.
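The SAML pieces described in Add Exabeam to Your SAML Identity Provider, Configure Exabeam for Your SAML Identity Provider and this section all have to agree: the Entity ID and ACS URL built from <exabeam_primary_host> and <identity_provider>, the descriptive attribute names used on both the IdP and the Exabeam side, and the case-sensitive group-to-role map. The following is an added example, not Exabeam's code, showing the service-provider side of that contract: it builds the endpoints, checks a constructed SAML Response's Destination and Audience against them, extracts the attributes by their descriptive names and resolves roles from the group values. The host name, attribute names, group IDs and the sample Response are assumptions made for the example. Signature verification against the IdP certificate is left out here and must never be skipped in a real deployment.

```python
"""SAML consumption on the Exabeam side, as an added example (not Exabeam code).

It ties together three things the guide says must agree: the Entity ID and
ACS URL derived from <exabeam_primary_host> and <identity_provider>, the
descriptive attribute names shared by the IdP attribute map and the Query
Attributes table, and the case-sensitive group -> role mapping. Signature
verification against the IdP certificate is deliberately omitted; never
accept a real assertion without it. Host, attribute names, group IDs and
the sample Response are all constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_PROVIDERS = {"adfs", "google", "ping", "okta", "others"}  # case sensitive

# Descriptive attribute names (assumed): the IdP app attribute map and the
# Exabeam Query Attributes table must both use exactly these strings.
QUERY_ATTRIBUTES = {"email": "EmailAddress", "first_name": "FirstName",
                    "last_name": "LastName", "group": "Group",
                    "username": "UserName"}          # username is optional

# Group Name/ID -> Exabeam roles (constructed). Azure groups map by object ID.
GROUP_ROLE_MAP = {
    "SOC-Admins": ["Administrator"],
    "7f3c1e2a-0000-4b1b-9c9a-aaaaaaaaaaaa": ["Tier 1 Analyst"],
}


def sp_endpoints(primary_host, identity_provider):
    """Build the Entity ID and ACS URL exactly as the guide spells them."""
    if identity_provider not in ALLOWED_PROVIDERS:
        raise ValueError(f"unsupported <identity_provider>: {identity_provider!r}")
    base = f"https://{primary_host}:443/api/auth/saml2/{identity_provider}"
    return {"entity_id": f"{base}/login", "acs_url": f"{base}/handle-assertion"}


def roles_for(groups):
    """Exact, case-sensitive match, like the Group Name/ID field."""
    roles = []
    for g in groups:
        for r in GROUP_ROLE_MAP.get(g, []):
            if r not in roles:
                roles.append(r)
    return roles


def login_decision(response_xml, primary_host, identity_provider):
    """Validate Destination/Audience, map attributes, resolve roles."""
    expected = sp_endpoints(primary_host, identity_provider)
    root = ET.fromstring(response_xml)
    if root.get("Destination") != expected["acs_url"]:
        return {"ok": False, "error": "Destination is not our ACS URL"}
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != expected["entity_id"]:
        return {"ok": False, "error": "Audience is not our Entity ID"}
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    user = {}
    for field_name, idp_name in QUERY_ATTRIBUTES.items():
        values = attrs.get(idp_name, [])
        if field_name == "group":
            user["group"] = values
        elif values:
            user[field_name] = values[0]
        elif field_name != "username":
            return {"ok": False, "error": f"missing required attribute {idp_name}"}
    roles = roles_for(user["group"])
    if not roles:
        return {"ok": False, "error": "no mapped role for the user's groups"}
    return {"ok": True, "user": user, "roles": roles}


# Constructed sample Response; "soc-admins" shows the case-sensitive miss.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://dl.example.internal:443/api/auth/saml2/others/handle-assertion">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://dl.example.internal:443/api/auth/saml2/others/login</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>ana@example.internal</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Ruiz</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Group">
        <saml:AttributeValue>7f3c1e2a-0000-4b1b-9c9a-aaaaaaaaaaaa</saml:AttributeValue>
        <saml:AttributeValue>soc-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(login_decision(SAMPLE_RESPONSE, "dl.example.internal", "others"))
```

Because "soc-admins" does not equal "SOC-Admins", the sample user receives only Tier 1 Analyst; the same Response presented to an Exabeam configured with <identity_provider> set to okta is rejected on the Destination check.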

Manage SAML Login Status

You can make authentication through your selected identity provider (IdP) mandatory for users to log in, or you can allow users to log in through either the IdP or local authentication. You can also disable your selected IdP so that users can only log in through local authentication.

  1. Navigate to Settings A grey gear icon > Core > User Management > Configure SAML.

  2. In the SAML Status box, select a login status for your IdP.

  3. Click Save.

Enable or Disable Identity Providers

Note

You can add multiple identity providers (IdPs) to your Exabeam product, but only one IdP can be enabled at a time.

  1. Navigate to Settings > Core > User Management > Configure SAML.

  2. Move your pointer over the IdP that you want to enable or disable, and click the edit icon.


    The Edit Identity Provider dialog box opens.

  3. Click the IdP Enabled/Disabled toggle to enable or disable the IdP as needed.

    The toggle is blue when the IdP is enabled and gray when it is disabled.


Exabeam Data Lake View-only Access Control

A role that has the View Saved Objects permission does not automatically have the Manage Saved Objects permission (create, edit, and delete). The two permissions are independent, and a role must hold both in order to manage a saved object; a role with View Saved Objects but without Manage Saved Objects is limited to viewing.


However, by default out-of-the-box roles provided by Exabeam have View and Manage Saved Objects permissions, and cannot be edited.


Note

Role-based permissions override Object-based permissions. For example, if Manage Saved Objects is off in all the roles associated with a user, then the user is limited to running searches (without the ability to save, create, etc.). If one role of a collection of roles associated with a user has Manage Saved Objects, then the user has permission to search, save, create, and view objects. (For more information on object-based permissions, see Exabeam Data Lake Object-based Access Control.) Users with view-only privileges will receive a banner message on the Search page:


For more information on configuring access for saved objects, see Data Lake User Guide > Access Restrictions for Saved Objects.

Exabeam Data Lake Object-based Access Control

OBAC vs RBAC

Object-based access control (OBAC) manages the viewing and editing of tangible output products such as searches, visualizations, dashboards, and reports; workflow is shared among user groups defined by roles. Role-based access control (RBAC) manages execution (task-based) permissions within the Exabeam platform. Both forms of access control restrict access according to roles. OBAC can be implemented in conjunction with RBAC: objects can be displayed while the tasks that can be executed on them are limited by role privileges. OBAC is independent from role management in that RBAC may allow all actions on a type of object while OBAC limits certain operations on a given object to specific roles. OBAC grants or restricts view and/or edit abilities on an object to roles. OBAC permissions are not inherited from parent objects, nor are they shared with child objects.

Managing Data Migration of Existing Objects

To view saved objects, you must have the View Saved Objects permission selected in at least one of the roles assigned to you. Additionally, access permissions are set per object through Manage Saved Objects, and they must be changed for each saved object individually.

Note

New objects are by default saved with Private settings (managed and viewed only by the object originator). Only the object originator can change Share settings to Public or Role-based access, where None, View and Edit, and View-only are managed.
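The rules stated in this section and in Role-Based Access Overview (a user holds the union of its roles' permissions, View Saved Objects and Manage Saved Objects are independent, role permissions override object shares, and new objects are Private until their owner shares them as Public or Role-based) can be put together as a small permission resolver. The following is an added example, not Exabeam's code; the role table, the ViewOnly-Custom role, the users and the saved objects are constructed for illustration, and the out-of-the-box roles are modelled only as far as the text describes them.

```python
"""Effective permissions under legacy Data Lake RBAC and OBAC (added example,
not Exabeam code). It models the rules the guide states:
  * a user holds the union of the permissions of all assigned roles;
  * View Saved Objects and Manage Saved Objects are independent, and
    managing an object needs both;
  * role permissions override object shares: with Manage Saved Objects off
    in every role, a user can only run searches, whatever the share says;
  * new objects are Private (owner only); the owner can share them as Public
    or Role-based with None / View-only / View and Edit per role.
The role table, users and objects below are constructed.
"""
from dataclasses import dataclass, field

MANAGE = "Manage Saved Objects"
VIEW = "View Saved Objects"
RANK = {"None": 0, "View-only": 1, "View and Edit": 2}

# Constructed role table. The out-of-the-box roles carry both saved-object
# permissions; ViewOnly-Custom is a custom role with Manage turned off.
ROLES = {
    "Administrator": {MANAGE, VIEW, "Perform Search", "Manage Data Access"},
    "Auditor": {MANAGE, VIEW, "Perform Search"},
    "ViewOnly-Custom": {VIEW, "Perform Search"},
}


def effective_permissions(user_roles):
    """Union across roles: the role with more permission always wins."""
    perms = set()
    for role in user_roles:
        perms |= ROLES[role]
    return perms


@dataclass
class SavedObject:
    name: str
    owner: str
    share: str = "Private"                      # Private | Public | Role-based
    role_access: dict = field(default_factory=dict)  # role -> key of RANK


def object_grant(obj, user, user_roles):
    """What the object's own share settings give this user (OBAC only)."""
    if user == obj.owner or obj.share == "Public":
        return "View and Edit"
    if obj.share == "Private":
        return "None"
    # Role-based share: most permissive grant among the user's roles
    return max((obj.role_access.get(r, "None") for r in user_roles),
               key=RANK.__getitem__, default="None")


def can_view(obj, user, user_roles):
    return (VIEW in effective_permissions(user_roles)
            and object_grant(obj, user, user_roles) != "None")


def can_manage(obj, user, user_roles):
    """Editing needs both role permissions AND an Edit-capable object grant."""
    perms = effective_permissions(user_roles)
    if not (MANAGE in perms and VIEW in perms):
        return False                             # RBAC overrides the share
    return object_grant(obj, user, user_roles) == "View and Edit"


if __name__ == "__main__":
    dash = SavedObject("exec-dash", "alice", "Role-based",
                       {"ViewOnly-Custom": "View and Edit", "Auditor": "View-only"})
    for user, roles in [("bob", ["ViewOnly-Custom"]),
                        ("carol", ["ViewOnly-Custom", "Auditor"])]:
        print(user, can_view(dash, user, roles), can_manage(dash, user, roles))
```

In the sample, bob's only role lacks Manage Saved Objects, so even an object shared to him as View and Edit stays view-only for him, while carol, who also holds Auditor, gets the union of both roles and can edit the same object.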

Exabeam Data Lake Secured Resources Overview

Secured resources allow you to control access to logs based on a search filter. For example, a secured resource can define logs from sensitive applications, sources, or geographies. Once configured, users are only able to view and utilize specific sets of data for their searches, visualizations, dashboards, scheduled reports, or correlation rules.

For example, restrict data access based on:

  • Log feeds from specific sources (e.g., Application logs from a business sensitive app can only be accessed by the SOC team).

  • Host, source or sourcetype (e.g., Access to logs of a specific database is restricted to a role).

  • Search keywords or fields (e.g., Logs of the executive users can only be accessed by specific roles).

This section walks through adding and managing secured resources within the Data Lake UI.

Configure Exabeam Data Lake Log Access with Secured Resources

Secured resources allow you to control access to logs based on a search filter. Use the Secured Resources page to add, manage, and make additional changes to your secured resources.

The top-right of the page provides helpful management actions, including:

  • Manage Access – Open the Manage Data Access Control page to limit access to roles within your organization.

  • Add – Add a new secured resource.

  • Search – Search for a secured resource.


The secured resources table displays information regarding your secured resources, including:

  • Name – Name of the secured resource.

  • Description – Brief description of the secured resource.

  • Query – Search query matching the log events for the secured resource.

  • Roles – Role(s) allowed to view the secured resource.


Filter the table according to roles by clicking the lined-triangle next to the Roles column header.


Hover over a secured resource in the table to edit (name, description, and query) or delete it.


Additionally, you can delete resources by selecting them in the table and then clicking Delete.


Adding a Secured Resource in Exabeam Data Lake

A secured resource is a role-based search filter that restricts the data being searched. Before assigning which roles have access, you must define the secured resource being filtered.

To add a secured resource:

  1. Navigate to Settings > Secured Resources > Data. This link takes you to the Secured Resources page.

  2. On the secured resources page, click Add.

    Note

    If this is your first secured resource, the Add button appears in the middle of the secured resources page. If this is not your first secured resource, the Add button appears at the top-right of the secured resources table.


  3. Enter a name and description for the new secured resource, and then click Next.

  4. Enter the search query that matches the log events you want to secure, and then press enter on your keyboard to run the query.

    Warning

    Typing "*" prevents access to any logs by anyone unless they are granted permission.

    Creating Secured Resource - Query, Next.png
  5. Review the query results. Edit and re-run the query (step 4, above) until you receive the desired results.

    Creating Secured Resource - Review Query.png
  6. Once your query is ready, click Create.

    Creating Secured Resource - Create.png

Your new secured resource(s) appear in the secured resource table in the Secured Resources page. Now, you can manage access to the secured resource(s) for users in your organization.

Managing Exabeam Data Lake Data Access to Secured Resources

Secured resources let you control access to logs based on a search filter. Access to a secured resource is granted by role. To grant roles access to secured resources, configure the associations on the Secured Resources page:

  1. Navigate to Settings > User Management > Roles.

  2. Select any role from the list of default and custom roles.

  3. Click the Secured Resources link. This link takes you to the Secured Resources page.

  4. On the Secured Resources page, click Manage Access.

  5. Select a role from the Roles panel, and then select the secured resource(s) it may access by clicking the appropriate checkbox(es).

  6. Click Save.

Important

When the Limit access to these selections toggle is turned on for a role, users assigned to that role can access only the secured resources selected in this list. Resources that are not explicitly allowed are inaccessible to them.
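The following is an added illustration of the access model described in the two procedures above; it is not Exabeam code. The log records and the predicate functions that stand in for saved search queries are constructed, and the visibility semantics are assumed from the page: a log matched by a secured resource is visible to a role only if that role is allowed on the resource, and a log matched by no secured resource stays visible to every role. It also shows the check a practitioner wants before saving a query: whether any resource matches every sampled log, which is the "*" mistake the warning describes.

```python
"""Toy model of Data Lake secured-resource filtering, added here as an
illustration; it is not Exabeam code. The log records and the predicate
functions standing in for saved search queries are constructed, and the
visibility semantics are assumed from the page: a log matched by a secured
resource is visible to a role only if that role is allowed on the resource,
and a log matched by no secured resource stays visible to every role."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Event = Dict[str, str]
Predicate = Callable[[Event], bool]


@dataclass
class SecuredResource:
    name: str
    matches: Predicate                                    # stands in for the saved query
    allowed_roles: Set[str] = field(default_factory=set)  # roles selected under Manage Access


def match_all(_: Event) -> bool:
    """What saving the query "*" does: every log becomes a secured log."""
    return True


def field_equals(key: str, value: str) -> Predicate:
    """Predicate for a simple key:value query."""
    return lambda ev: ev.get(key) == value


def visible_events(role: str, resources: List[SecuredResource],
                   events: List[Event]) -> List[Event]:
    """Logs a user holding `role` may see under the assumed semantics."""
    seen = []
    for ev in events:
        covering = [r for r in resources if r.matches(ev)]
        if not covering or any(role in r.allowed_roles for r in covering):
            seen.append(ev)
    return seen


def resources_hiding_everything(resources: List[SecuredResource],
                                sample: List[Event]) -> List[str]:
    """Resources whose query matches every sampled log: the "*" mistake the
    page warns about, which hides all logs from roles not granted the resource."""
    return [r.name for r in resources if all(r.matches(ev) for ev in sample)]


def visibility_report(roles: List[str], resources: List[SecuredResource],
                      events: List[Event]) -> Dict[str, int]:
    """Logs visible per role; rerun after every Manage Access change to confirm
    a restricted role did not gain (or lose) visibility unexpectedly."""
    return {role: len(visible_events(role, resources, events)) for role in roles}


# Constructed sample logs (not real Data Lake output).
EVENTS: List[Event] = [
    {"id": "1", "vendor": "Cisco", "category": "firewall"},
    {"id": "2", "vendor": "Epic", "category": "ehr"},
    {"id": "3", "vendor": "Workday", "category": "hr"},
    {"id": "4", "vendor": "Epic", "category": "ehr"},
]

RESOURCES: List[SecuredResource] = [
    SecuredResource("PHI logs", field_equals("category", "ehr"), {"Clinical Analyst"}),
    SecuredResource("HR logs", field_equals("category", "hr"), {"HR Auditor"}),
]

if __name__ == "__main__":
    for role in ("Tier 1 Analyst", "Clinical Analyst", "HR Auditor"):
        print(role, "sees", [ev["id"] for ev in visible_events(role, RESOURCES, EVENTS)])
    # Add a "*" resource to see why the page warns against it.
    with_star = RESOURCES + [SecuredResource("Everything", match_all)]
    print("over-broad:", resources_hiding_everything(with_star, EVENTS))
    print(visibility_report(["Tier 1 Analyst", "Clinical Analyst"], with_star, EVENTS))
```

Running it shows the Tier 1 role seeing only the firewall log, each restricted role seeing its own secured logs plus the unsecured ones, and, once the "Everything" resource is added, the Tier 1 role seeing nothing at all.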

Audit Log Management in Data Lake

There are many reasons to audit user activity. Insider threats show up as unusual queries against sensitive information or as unauthorized configuration changes, and your organization may be undergoing an internal audit. Data Lake's audit mechanism centralizes this data so you can generate reports or fill gaps in an investigation.

How Audit Logging Works

Specific activities related to Exabeam product administrators and users are logged, including activities within the UI as well as configuration and server changes. This is especially useful for reviewing activities of departed employees as well as for audits (for example, GDPR).

The following events are logged:

  • Log in and log out

  • Failed log in

  • User addition, update, and removal

  • Role addition, update, and deletion

  • Permission addition and deletion

  • Audit being turned on or off

  • Token create, read, and update

  • Reindex job create and initiate

  • Troubled/failed queries

    When you enable audit logging and configure the Syslog notification to feed the messages back into Data Lake, you can query the audit logs through the Data Lake UI as you would any other logs, filtering on the event_subtype Exabeam Audit Event.

    What Fields Are in the Audit Data Logs

    Audit data in Data Lake contains event logs for user activity within the product. Like other event logs, audit event logs can be forwarded to Exabeam Advanced Analytics via Syslog Forwarding.

    The default retention time for audit data is 90 days.

    Each stored audit event carries the following fields:

    • app – Exabeam Data Lake

    • event_type – One of: dl-search-activity, dl-filtered-search-activity, dl-correlation-rules-activity, dl-secured-resource-activity, dl-reports-activity, dl-reindex-activity, Search

    • event_subtype – Exabeam Audit Event

    • time – Time of the event

    • src_ip – IP address of the currently authenticated user

    • user – Username of the currently authenticated user

    • activity – One of the following; bracketed values are filled in from the object acted on:

      • Search query

      • Visualization query

      • Correlation rule [$ruleId] [$ruleName] create

      • Correlation rule [$ruleId] [$ruleName] update

      • Correlation rule [$ruleId] deletion

      • Correlation rule [${rule.name}] error

      • Correlation rule [${rule.name}] disabled

      • Correlation rule [${rule.name}] disabling failed

      • Correlation rule [${rule.name}] timeout

      • Secured resource [$id] was updated

      • Secured resource [$id] was deleted

      • Import reports from file

      • Create reindex job

      • Reindex job

      • Troubled_Query

    • host – Host IP address

    • additional_info – The content of the activity, such as the search or query text

    • sent_to_syslog – Whether the message has been sent to Syslog

    How to Enable Audit Logging

    Audit logging is not enabled by default. To enable it, configure a Syslog notification that sends the audit messages to the Data Lake host:

    1. Navigate to Settings > Notifications > Setup Notifications.

    2. Click the plus (+) icon to expand the menu, and then select Syslog notifications.

    3. In the configuration menu, enter the IP address or FQDN of your Data Lake master host in the IP/Hostname field.

    4. Select DL Audit.

    5. Click ADD NOTIFICATION to create the record.

    Audit event logs start writing to Data Lake immediately.

    How to Access Audit Data

    You can view, report on, and export audit data as you would any other event log in Data Lake. Filter your queries on the event subtype Exabeam Audit Event.
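The following is an added example of the kind of review a security team runs over the audit events described in this section; it is not Exabeam code. The records are constructed to follow the field list above (event_subtype "Exabeam Audit Event", user, src_ip, activity, additional_info, sent_to_syslog), the activity strings are parsed with the patterns from the field table, and the burst threshold is illustrative. It pulls out who changed secured resources or correlation rules, which users ran an unusual number of searches in a short window, and which audit events have not yet been forwarded to Syslog.

```python
"""Detection checks over Data Lake audit events, added here as an example.
This is not Exabeam code: the records below are constructed to follow the
audit field list on this page, and the thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

AUDIT_SUBTYPE = "Exabeam Audit Event"

# The activity strings from the audit field table, as regular expressions.
# Bracketed placeholders ($id, $ruleId) are captured as the target.
ACTIVITY_PATTERNS = [
    ("secured_resource_update", re.compile(r"^Secured resource \[(?P<target>[^\]]+)\] was updated$")),
    ("secured_resource_delete", re.compile(r"^Secured resource \[(?P<target>[^\]]+)\] was deleted$")),
    ("rule_create", re.compile(r"^Correlation rule \[(?P<target>[^\]]+)\] \[[^\]]*\] create$")),
    ("rule_update", re.compile(r"^Correlation rule \[(?P<target>[^\]]+)\] \[[^\]]*\] update$")),
    ("rule_delete", re.compile(r"^Correlation rule \[(?P<target>[^\]]+)\] deletion$")),
    ("reindex_create", re.compile(r"^Create reindex job$")),
    ("search", re.compile(r"^Search query$")),
    ("troubled_query", re.compile(r"^Troubled_Query$")),
]
CONFIG_KINDS = {"secured_resource_update", "secured_resource_delete",
                "rule_create", "rule_update", "rule_delete", "reindex_create"}


def parse_activity(activity: str) -> Tuple[str, Optional[str]]:
    """Map an activity string to (kind, target); unknown strings become 'other'."""
    for kind, pattern in ACTIVITY_PATTERNS:
        m = pattern.match(activity)
        if m:
            return kind, m.groupdict().get("target")
    return "other", None


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_only(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The same filter the UI query applies: event_subtype Exabeam Audit Event."""
    return [r for r in records if r.get("event_subtype") == AUDIT_SUBTYPE]


def config_changes(records: List[Dict[str, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """(time, user, kind, target) for each configuration change: who deleted a
    secured resource or correlation rule, who created a reindex job."""
    out = []
    for r in audit_only(records):
        kind, target = parse_activity(r["activity"])
        if kind in CONFIG_KINDS:
            out.append((r["time"], r["user"], kind, target))
    return out


def search_bursts(records: List[Dict[str, str]], threshold: int = 3,
                  window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Users who ran at least `threshold` searches inside any `window`: the
    'unusual queries' signal from the insider-threat use case above."""
    times = defaultdict(list)
    for r in audit_only(records):
        if parse_activity(r["activity"])[0] == "search":
            times[r["user"]].append(parse_time(r["time"]))
    bursts = {}
    for user, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def forwarding_gaps(records: List[Dict[str, str]]) -> List[str]:
    """Times of audit events not yet sent to Syslog, i.e. not yet forwarded to
    Advanced Analytics; check these before relying on the forwarded copy."""
    return [r["time"] for r in audit_only(records) if r.get("sent_to_syslog") != "true"]


def _rec(time, user, activity, event_type, info="", sent="true"):
    # Builds a constructed audit record with the fields from the page's table.
    return {"app": "Exabeam Data Lake", "event_type": event_type,
            "event_subtype": AUDIT_SUBTYPE, "time": time, "src_ip": "10.0.0.5",
            "user": user, "activity": activity, "host": "10.1.1.10",
            "additional_info": info, "sent_to_syslog": sent}


# Constructed sample records (not real Data Lake output).
SAMPLE = [
    _rec("2024-05-01T09:00:00Z", "alice", "Secured resource [42] was deleted", "dl-secured-resource-activity"),
    _rec("2024-05-01T09:01:00Z", "bob", "Search query", "dl-search-activity", 'category:"ehr"'),
    _rec("2024-05-01T09:02:30Z", "bob", "Search query", "dl-search-activity", "user:ceo*"),
    _rec("2024-05-01T09:04:00Z", "bob", "Search query", "dl-search-activity", "vendor:Workday"),
    _rec("2024-05-01T09:05:00Z", "alice", "Correlation rule [r-7] deletion", "dl-correlation-rules-activity", sent="false"),
    _rec("2024-05-01T09:06:00Z", "carol", "Search query", "dl-search-activity", "src_ip:10.0.0.0/8"),
    {"app": "Exabeam Data Lake", "event_subtype": "Not an audit event", "time": "2024-05-01T09:07:00Z",
     "user": "dave", "activity": "Search query", "sent_to_syslog": "false"},   # must be ignored
]

if __name__ == "__main__":
    for change in config_changes(SAMPLE):
        print("config change:", change)
    print("search bursts:", search_bursts(SAMPLE))
    print("not forwarded:", forwarding_gaps(SAMPLE))
```

The same three functions work unchanged on audit events exported from a Data Lake search, since they key only on the fields listed in the table; the record that lacks the audit event_subtype is dropped by audit_only before any rule looks at it.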

    Set Up LDAP Server

    If you are adding an LDAP server for the first time, the Add LDAP Server page displays when you reach the Import LDAP page. If you have already added an LDAP server, click Add LDAP Server to add another.

    The add/edit LDAP Server page displays the fields needed to query and pull context information from your LDAP server(s):

    • Server Type – Select either Microsoft Active Directory (default) or NetIQ eDirectory.

    • Primary IP Address or Hostname – Enter the IP address or hostname of the primary LDAP server of the selected type.

    Note

    For context retrieval in Microsoft Active Directory environments, we recommend pointing to a Global Catalog server. To list the Global Catalog servers for a forest, enter the following command in a Windows command prompt: nslookup -querytype=srv _gc._tcp.acme.local

    Replace acme.local with your company's domain name.

    • I have a secondary server – Select this checkbox to display a Secondary IP Address or Hostname field. If the primary LDAP server is unavailable, Exabeam falls back to the secondary server.

    • TCP Port – Enter the TCP port of the LDAP server. Optionally, select Enable SSL (LDAPS) and/or Global Catalog to auto-populate the standard port (389 for LDAP, 636 for LDAPS, 3268 for the Global Catalog, 3269 for the Global Catalog over SSL). Prefer LDAPS so that the bind credentials and directory data are not sent in clear text.

    • Bind DN – Enter the distinguished name of the account used to bind to the directory, or leave blank for an anonymous bind. Use a dedicated read-only account rather than a privileged one.

    • Bind Password – Enter the bind account's password, if applicable.

    • Base DN – Enter the distinguished name of the subtree to search, for example DC=acme,DC=local.

    For Microsoft Active Directory:

    • LDAP attribute for Account Name – This field is auto-populated with sAMAccountName. Change it if your AD deployment uses a different attribute for account names.

    For NetIQ eDirectory:

    • LDAP Attributes – The list of attributes that the Exabeam Directory Service (EDS) component queries. When you test the connection to the eDirectory server, EDS collects the available attributes from the server and presents them in a drop-down list. Select attribute names from that list or enter your own; you only need to list the attributes you want EDS to poll, not the full set. EDS does not support other attribute types, so you cannot add new attributes beyond those listed.

    Click Validate Connection to test the LDAP settings.

    If you selected Global Catalog, this button displays as Connect & Get Domains.

    Azure AD Context Enrichment

    Important

    For the Azure AD context enrichment feature to function, your organization must have a hybrid Active Directory deployment that uses Azure AD together with on-premises Active Directory Domain Services (AD DS).

    Organizations using Azure Active Directory (AD) can enrich their event logs by adding user context. This feature automatically pulls user attribute information from Azure AD on a daily basis and enriches logs in real time. Pulled attributes include the following:

    • ID

    • userType

    • userPrincipalName

    • mailNickname

    • onPremisesSamAccountName

    • displayName

    • mail

    Note

    While context information from Azure AD is pulled daily, you can also perform manual pulls from Azure AD to immediately update information after changes to user accounts.

    The following events can be enriched with context from Azure AD. The original table groups them under the sources Office 365, Azure, Windows Defender, and Windows; names repeated below appear under more than one source:

    • Failed Sign in Alert

    • Failed App Login

    • App Login

    • Sign in Alert

    • Account Unlocked

    • Account Password Changed

    • Account Disabled

    • Security Alert 1

    • Security Alert 3

    • Member Added

    • Member Removed

    • PowerBI Activity

    • Hub Network Connection

    • App Activity

    • App Activity

    • App Login

    • Core Directory

    • EventHubs Login

    • PIM Activity

    • Security Alert

    • Auth Events

    • App Login

    • Activity

    Set Up Azure AD Context Enrichment

    1. From the Settings menu, select Core.

    2. In the Context Management section, click Add Context Source.

      The Context Management page opens.

    3. From the Server Type drop-down menu, select Microsoft Azure Active Directory.

    4. Provide values for the following fields:

      • Application Client ID

      • Application Client Secret

      • Tenant ID

      To generate these values, register an application in Azure:

      1. Log in to Microsoft Azure.

      2. Under Azure services, click App registrations.

      3. Click New registration.

      4. In the Name field, type a name for the app.

      5. Under Supported account types, ensure that Accounts in this organizational directory only (Your Directory only - Single tenant) is selected.

      6. At the bottom of the page, click Register.

        The Overview page for your new app appears.

      7. Copy the Application (client) ID and paste it into the Application Client ID field in Exabeam; copy the Directory (tenant) ID and paste it into the Tenant ID field.

      8. In the Manage menu, click API permissions.

        The API permissions page opens.

      9. Click Add a permission.

        The Request API permissions panel opens on the right.

      10. Click the Microsoft Graph box.

      11. Click the Application permissions box.

      12. In the Select permissions text filter, type directory.

      13. Expand Directory, and then select Directory.Read.All.

      14. At the bottom of the panel, click Add permissions.

        The panel closes and the added permission appears under Configured permissions.

      15. Click Grant admin consent for <your directory name>, and then confirm when prompted. Application permissions such as Directory.Read.All take effect only after an administrator with a role allowed to grant tenant-wide consent has done so.

      16. In the Manage menu on the left, click Certificates & secrets.

        The Certificates & secrets page opens.

      17. Click New client secret.

        The Add a client secret panel opens on the right.

      18. In the Description field, describe what the secret is used for.

      19. From the Expires drop-down menu, select when the secret should expire. Record the expiry date: once the secret expires, the daily context pull fails until you create a new secret and update it in Exabeam.

      20. At the bottom of the panel, click Add.

        The panel closes and the added secret appears in the Client secrets list.

      21. Click the copy-to-clipboard icon for the secret Value, and then paste the value into the Application Client Secret field in Exabeam. The value is shown only once; if you leave the page without copying it, create a new secret.

    5. To test the connection with Azure AD, click Validate Connection.

      A message indicates whether the connection was successful.

    6. If the connection is successful, click Save to complete the setup.

      Azure AD is added to the list of data sources on the Context Management page.
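The following is an added example for checking, independently of Exabeam, that the app registration created above actually works; it is not Exabeam's implementation of the context pull. It performs the same OAuth 2.0 client credentials flow the registration enables (tenant ID, application client ID, client secret, the Directory.Read.All application permission) and requests from Microsoft Graph exactly the user attributes listed above, following paging links until the directory is exhausted. The tenant, client ID, secret and the responses returned by offline_fetch are constructed so the script runs without network access; pass fetch=http_json to run it against a real tenant.

```python
"""Stand-alone check of an Azure AD app registration for context enrichment,
added here as an example; not Exabeam code. Tenant, client ID, secret and
the responses served by offline_fetch are constructed."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, Optional, Tuple

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"
# The user attributes the page says the context pull collects.
SELECT = ["id", "userType", "userPrincipalName", "mailNickname",
          "onPremisesSamAccountName", "displayName", "mail"]
Fetch = Callable[..., Dict]


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """URL and form body for the OAuth 2.0 client credentials grant."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # the app permissions granted by admin consent
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def users_url(page_size: int = 999) -> str:
    """First page of /users, restricted to the attributes the enrichment needs."""
    return f"{GRAPH}/users?" + urllib.parse.urlencode({"$select": ",".join(SELECT), "$top": page_size})


def http_json(url: str, data: Optional[bytes] = None, headers: Optional[Dict[str, str]] = None) -> Dict:
    """Real fetcher: POST when data is given, otherwise GET; parses the JSON reply."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id: str, client_id: str, client_secret: str, fetch: Fetch = http_json) -> str:
    url, body = token_request(tenant_id, client_id, client_secret)
    resp = fetch(url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    return resp["access_token"]


def iter_users(token: str, fetch: Fetch = http_json) -> Iterator[Dict]:
    """Follow @odata.nextLink until the directory is exhausted."""
    url: Optional[str] = users_url()
    headers = {"Authorization": f"Bearer {token}"}
    while url:
        page = fetch(url, headers=headers)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def validate(tenant_id: str, client_id: str, client_secret: str, fetch: Fetch = http_json) -> Dict[str, int]:
    """Summarise what the enrichment would see. Accounts without
    onPremisesSamAccountName are cloud-only and cannot be matched to
    on-premises Windows events, which is why the page requires a hybrid AD."""
    token = get_token(tenant_id, client_id, client_secret, fetch)
    total = cloud_only = 0
    for user in iter_users(token, fetch):
        total += 1
        if not user.get("onPremisesSamAccountName"):
            cloud_only += 1
    return {"users": total, "cloud_only": cloud_only}


# Constructed responses standing in for Azure AD (not real tenant data).
_PAGE2 = f"{GRAPH}/users?$skiptoken=page2"
_RESPONSES = {
    "token": {"access_token": "constructed-token", "expires_in": 3599},
    "page1": {"value": [
        {"id": "1", "userType": "Member", "userPrincipalName": "alice@acme.local", "mailNickname": "alice",
         "onPremisesSamAccountName": "alice", "displayName": "Alice", "mail": "alice@acme.local"},
        {"id": "2", "userType": "Guest", "userPrincipalName": "bob_partner.example#EXT#@acme.local",
         "mailNickname": "bob", "onPremisesSamAccountName": None, "displayName": "Bob", "mail": "bob@partner.example"},
    ], "@odata.nextLink": _PAGE2},
    "page2": {"value": [
        {"id": "3", "userType": "Member", "userPrincipalName": "carol@acme.local", "mailNickname": "carol",
         "onPremisesSamAccountName": "carol", "displayName": "Carol", "mail": "carol@acme.local"},
    ]},
}


def offline_fetch(url: str, data: Optional[bytes] = None, headers: Optional[Dict[str, str]] = None) -> Dict:
    """Serves the constructed responses; rejects Graph calls without a bearer token."""
    if url.endswith("/oauth2/v2.0/token"):
        return _RESPONSES["token"]
    if not (headers or {}).get("Authorization", "").startswith("Bearer "):
        raise PermissionError("Graph request without bearer token")
    return _RESPONSES["page2" if url == _PAGE2 else "page1"]


if __name__ == "__main__":
    print(validate("00000000-0000-0000-0000-000000000000", "constructed-client-id",
                   "constructed-secret", fetch=offline_fetch))
```

A failing token request here usually means the secret was mistyped or has expired; a 403 on /users means admin consent for Directory.Read.All has not been granted yet. The fetch function is injected so that the same code can be exercised offline and then pointed at the real endpoints.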

    Set Up LDAP Authentication

    In addition to local authentication, Exabeam can authenticate users against an external LDAP server.

    When you open this page, Enable LDAP Authentication is selected by default and the LDAP attribute name is pre-populated. To change the LDAP attribute, enter the new account-name attribute and click Save. To add an LDAP group, click Add LDAP Group and enter the DN of the group. Test Settings reports how many analysts Exabeam found in the group. From there you can select the role(s) to assign. Roles are assigned to the group, not to individual analysts: if an analyst moves to a different group, their roles automatically change to those associated with the new group, so review directory group membership as carefully as the role mapping itself.

    User Password Policies

    Exabeam users must adhere to the following default password security requirements:

    • Passwords must:

      • Be between 8 and 32 characters long

      • Contain at least one uppercase letter, one lowercase letter, one digit, and one special character

      • Contain no blank space

    • User must change password every 90 days

    • New passwords cannot match last 5 passwords

    • SHA256 hashing is applied to store passwords

    • Only administrators can reset passwords and unblock users who have been locked out due to too many consecutive failed logins

    If you need to modify the default password policies, contact Exabeam Customer Support.

    User Engagement Analytics Policy

    Exabeam uses user engagement analytics to provide in-app walkthroughs and to anonymously analyze user behavior, such as page views and clicks in the UI. This data informs user research and improves the overall user experience of the Exabeam Security Management Platform (SMP). The analytics send usage data from the user's web browser to a cloud-based service called Pendo.

    Three types of data are sent to Pendo from the user's web browser:

    • Metadata – User and account information that is explicitly provided when a user logs in to the Exabeam SMP, such as:

      • User ID or user email

      • Account name

      • IP address

      • Browser name and version

    • Page Load Data – Information on pages as users navigate to various parts of the Exabeam SMP, such as root paths of URLs and page titles.

    • UI Interactions Data – Information on how users interact with the Exabeam SMP, such as:

      • Clicking the Search button

      • Clicking inside a text box

      • Tabbing into a text box