Respond to Security Incidents
Use Incident Responder to respond to security incidents. Run pre-configured turnkey playbooks that are ready out of the box, or create your own custom playbook that fits your specific needs, using templates to get started quickly. Run playbooks automatically using triggers, or manually from an incident's workbench.
Fully pre-configured turnkey playbooks are ready to run out of the box.
Create a playbook to automate your workflow, and respond more quickly and efficiently to attacks.
If you don't want to create a playbook from scratch, use a template. These templates come out-of-the-box or you can import your own from an existing playbook.
For a playbook to run automatically, define which circumstances and conditions trigger the playbook. You define a playbook trigger from the PLAYBOOKS page, or when you create or edit a playbook.
Instead of automating an action using a playbook, run an action manually on an incident from its workbench.
Instead of triggering a playbook with a certain scenario, run a playbook manually on a specific incident from its workbench.
Clear an Incident's Playbook and Action Outputs
In the workbench, the outputs of all the playbook and actions you've ever run accumulate so it's hard to tell what's most recent. Clean up your workbench and only display the latest results.
Turnkey Playbooks
Fully pre-configured turnkey playbooks are ready to run out of the box.
Turnkey playbooks are pre-configured playbooks that are ready for you to run, without having to purchase additional services to get the actions you need. If you have a Fusion license, you can run all turnkey playbooks, even without an Incident Responder add-on.
Turnkey playbooks are listed alongside the playbooks you created on the PLAYBOOKS page. Like a playbook you created yourself, you can run them manually or automatically with a playbook trigger. If you have a Fusion license, you must have an Incident Responder add-on to add triggers to turnkey playbooks.
Turnkey playbooks use out-of-the-box services that are free to use, including Exabeam Case Manager, Exabeam AA Default, Exabeam Actions, and Yara.
There are five turnkey playbooks: Threat Intelligence Reputation Lookup, Phishing, Malware, Automated Incident Classification, and Automated Incident Enrichment.
You can modify turnkey playbooks to customize them to your needs. If you have a Fusion license, you must have an Incident Responder add-on to modify turnkey playbooks.
Threat Intelligence Reputation Lookup Turnkey Playbook
Analyze and triage suspicious emails and change an incident's priority with the Threat Intelligence Reputation Lookup turnkey playbook.
The Threat Intelligence Reputation Lookup turnkey playbook helps you analyze and triage suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of an email entity and its artifacts.
First, the playbook assesses the reputation of the incident's entities, including:
Files attached to the email
IP addresses
Domains of any URLs in the email body
Domain of the sender's email address
If the playbook finds any IP addresses with a malicious reputation, it searches for other incidents that have the same IP address entity or artifact. View the output in the incident's workbench, under IR INCIDENTS WITH IOC.
If any entity or artifact has a malicious reputation, the playbook escalates the incident's priority to Critical. If none of the artifacts have a malicious reputation, the playbook de-escalates the incident's priority to Low.
The Threat Intelligence Reputation Lookup turnkey playbook is similar to the Phishing turnkey playbook, but only analyzes entity and artifact reputations and changes an incident's priority and status. To get even more information for your investigation and automate your response to a phishing incident, use the Phishing turnkey playbook instead.
Phishing Turnkey Playbook
Analyze suspicious emails, detonate malicious email attachments, and change an incident's priority and status with the Phishing turnkey playbook.
The Phishing turnkey playbook helps you analyze, triage, and respond to suspicious emails, like potential spam and phishing emails. It changes a Case Manager incident's priority based on the reputation of the evidence. It also gathers information about the email recipient from Advanced Analytics and detonates any malicious files in a sandbox.
First, the playbook assesses the reputation of the incident's entities and other evidence, including:
Files attached to the email
IP addresses
Domains of any URLs in the email body
Domain of the sender's email address
If the playbook finds any entity with a malicious reputation, it searches for other incidents with the same entity. View the output in the incident's workbench, under IR INCIDENTS WITH IOC. Then, it escalates the incident's priority to Critical. If the playbook doesn't find any entity with a malicious reputation, it changes the incident's priority to Low.
From Advanced Analytics, the playbook retrieves the email recipient's risk score, top device, and other additional contextual information about the recipient. View the output in the incident's workbench, under GET USER RISK SCORES – EXABEAM AA DEFAULT, GET TOP DEVICE FOR USER - EXABEAM AA DEFAULT, and GET USER INFORMATION – EXABEAM AA DEFAULT.
If the playbook finds any files with malicious reputation, it detonates the file in a sandbox.
Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to Exabeam Action's Sandbox by Detonate action per day, up to Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.
The Phishing turnkey playbook is similar to the Threat Intelligence Reputation Lookup turnkey playbook, but also includes additional actions for gathering Advanced Analytics data and detonating malicious files. To quickly assess and view the reputation of an incident's entities and artifacts, run the Threat Intelligence Reputation Lookup turnkey playbook instead.
Malware Turnkey Playbook
Analyze suspicious files and detonate potential malware with the Malware turnkey playbook.
The Malware turnkey playbook helps you analyze, triage, and detonate suspicious files that may be potential malware. Depending on the reputation of the file entities and their related hashes, it changes the incident's priority and comments on the incident.
First, the playbook gathers the file entities and artifacts from an incident. Then, it scans and assesses the reputation of the files, and detonates them in a sandbox. It also assesses the reputation of any associated MD5, SHA1, and SHA256 hashes. View the output in the workbench under SCAN FILE – YARA.
If any file entities, artifacts, or hashes have a malicious reputation, it changes the incident's priority to Critical and comments on the incident: "Exabeam Actions detected at least one malicious file on this incident. As a result, the priority has been raised to critical." If none of the files, entities, and hashes have a malicious reputation, it changes the incident's priority to Low and comments on the incident: "Exabeam Actions didn't detect malicious files on this incident. As a result, the priority has been changed to low."
If the associated hashes have a malicious reputation, the playbook searches for other incidents with the same hashes. View the output in the workbench, under IR INCIDENTS WITH IOC.
If you configured any third-party services, you can customize the Malware turnkey playbook and make it more robust. For example, if your incident doesn't have a file entity or artifact, you can use a Get File action to retrieve a file from another data source. You can also take further action on the malware; for example, using Okta's Suspend User action, CarbonBlack Response's or FireEye's Isolate (Contain) Host action, CiscoAMP's Isolate Host action, or Quarantine Host action from various services.
Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to Exabeam Action's Sandbox by Detonate action per day, up to Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.
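The Threat Intelligence Reputation Lookup, Phishing, and Malware playbooks above share one triage rule: look up the reputation of every entity and artifact (sender domain, URL domains, IP addresses, attachment hashes), escalate the incident to Critical if any is malicious and de-escalate it to Low otherwise, and pivot on the malicious indicators to find other incidents with the same IOC. The following Python is an added example that implements that rule over constructed incidents; it is not Exabeam's code. The incident layout, the REPUTATION table standing in for the threat-intelligence and sandbox services, and all sample values are assumptions.

```python
import hashlib
import ipaddress
from urllib.parse import urlparse

# Constructed sample attachment and reputation feed (assumption: a dict lookup
# replaces the threat-intelligence services). Only "malicious" changes priority.
SAMPLE_MALWARE = b"MZ\x90\x00 constructed sample, not real malware"
REPUTATION = {
    "domain": {"login-micros0ft.example": "malicious", "example.org": "clean"},
    "ip": {"203.0.113.7": "malicious"},
    "hash": {hashlib.sha256(SAMPLE_MALWARE).hexdigest(): "malicious"},
}


def file_hashes(data):
    """MD5, SHA1 and SHA256 of an attachment, the hashes the Malware playbook assesses."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def url_domain(url):
    """Domain of a URL found in the email body; unparsable input yields ''."""
    return (urlparse(url).hostname or "").lower()


def sender_domain(address):
    """Domain of the sender's email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookup(kind, value):
    return REPUTATION[kind].get(value, "unknown")


def assess(incident):
    """Reputation verdicts, as (kind, value, verdict), for every entity and artifact."""
    verdicts = []
    dom = sender_domain(incident["sender"])
    verdicts.append(("domain", dom, lookup("domain", dom)))
    for url in incident.get("urls", []):
        dom = url_domain(url)
        if dom:
            verdicts.append(("domain", dom, lookup("domain", dom)))
    for ip in incident.get("ips", []):
        try:
            ip = str(ipaddress.ip_address(ip))  # normalise; skip values that are not IPs
        except ValueError:
            continue
        verdicts.append(("ip", ip, lookup("ip", ip)))
    for data in incident.get("attachments", {}).values():
        for digest in file_hashes(data).values():
            verdicts.append(("hash", digest, lookup("hash", digest)))
    return verdicts


def incidents_with_ioc(iocs, incidents, exclude_id):
    """Other incidents sharing any IOC value (the IR INCIDENTS WITH IOC step)."""
    hits = []
    for inc in incidents:
        if inc["id"] == exclude_id:
            continue
        values = set(inc.get("ips", [])) | {url_domain(u) for u in inc.get("urls", [])}
        values.add(sender_domain(inc["sender"]))
        for data in inc.get("attachments", {}).values():
            values |= set(file_hashes(data).values())
        if values & iocs:
            hits.append(inc["id"])
    return hits


def triage(incident, incidents):
    """Set the priority the way the turnkey playbooks do and pivot on malicious IOCs."""
    verdicts = assess(incident)
    malicious = {value for _, value, verdict in verdicts if verdict == "malicious"}
    return {
        "priority": "Critical" if malicious else "Low",
        "malicious": sorted(malicious),
        "malicious_files": [v for k, v, verdict in verdicts if k == "hash" and verdict == "malicious"],
        "related_incidents": incidents_with_ioc(malicious, incidents, incident["id"]) if malicious else [],
    }


# Constructed incidents: IR-1 is a phish with a malicious attachment, IR-2 shares its IP.
INCIDENTS = [
    {"id": "IR-1", "sender": "billing@login-micros0ft.example",
     "urls": ["https://login-micros0ft.example/reset"], "ips": ["203.0.113.7"],
     "attachments": {"invoice.exe": SAMPLE_MALWARE}},
    {"id": "IR-2", "sender": "hr@example.org", "urls": [], "ips": ["203.0.113.7"], "attachments": {}},
    {"id": "IR-3", "sender": "news@example.org", "urls": ["https://example.org/x"],
     "ips": ["198.51.100.9"], "attachments": {}},
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["id"], triage(inc, INCIDENTS))
```

Files with a malicious hash (the malicious_files list) are the ones the Phishing and Malware playbooks would hand to the Sandbox by Detonate action, so the throttling caveat above applies to exactly that subset.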
Automated Incident Classification Turnkey Playbook
Classify Behavior Analytics incidents into the correct incident type with the Automated Incident Classification turnkey playbook.
When an Advanced Analytics user or asset session becomes notable, Case Manager automatically creates an incident with the Behavior Analytics incident type. The Automated Incident Classification turnkey playbook analyzes the session and changes the incident's type to the one that fits, helping you make sense of all the evidence in Advanced Analytics and quickly diagnose what threat you're investigating. It's important that incidents have the correct incident type so you standardize the evidence you collect and define tasks for investigating, containing, and remediating the incident.
First, the playbook retrieves the Exabeam Threat Detection, Investigation, and Response (TDIR) Use Case Packages rule tags associated with the session's triggered rules. View the output in the workbench, under GET RULE LABELS – EXABEAM AA DEFAULT.
Depending on the rule tag, the playbook adds an incident type.
| If the session is associated with any of these rule tags: | The playbook adds this incident type to the incident: |
|---|---|
| Audit Log Manipulation | |
| Data Deletion | |
| Access to Physical Space | |
| Abnormal User Activity | |
| Brute Force Attack | |
| Cryptomining | |
| Malware | |
| Phishing | |
| Ransomware | |
View which incident type was added in the workbench, under MODIFY INCIDENT TYPE – INTERNAL or under the Incident Type incident field.
Automated Incident Enrichment Turnkey Playbook
Gather evidence from an Advanced Analytics session and add them to the corresponding Case Manager incident with the Automated Incident Enrichment turnkey playbook.
When an Advanced Analytics Smart Timeline™ user or asset session becomes notable, Case Manager automatically creates an incident with the Behavior Analytics incident type. The Automated Incident Enrichment turnkey playbook gathers additional contextual or supporting information from the Advanced Analytics session and populates the Case Manager incident so you have everything you need to investigate the incident.
First, the playbook returns the session's anomalous activity, and gathers evidence to add to the Case Manager incident:
The playbook returns the MITRE ATT&CK® tactics and techniques rule tags associated with the session. View the output in the workbench under GET RULE LABELS – EXABEAM AA DEFAULT.
The playbook gathers all the rules triggered during the notable session and other related details, like the rule description, rule category, and associated model name. View the output in the workbench under GET TRIGGERED RULES – EXABEAM AA DEFAULT.
The playbook gathers other relevant evidence about the event, including event type, event ID, raw log time, and details about any processes, files, domains, hosts, URLs, or email addresses involved. View the output in the workbench under GET EVENT INFO – EXABEAM AA DEFAULT.
Then, it adds this evidence to the incident in incident fields, or as entities or artifacts. For example, it adds the destination IP to the incident as an IP artifact. In the workbench, view the information and whether an entity or artifact was created under ADD TO INCIDENT – INTERNAL.
If the incident involves a notable user, the playbook returns the user's past anomalous behavior, including the user's risk score for every session in the past 14 days and all the rules triggered in the user's sessions in the past 14 days. Then, it collects any additional contextual information about the user and searches for other Case Manager incidents involving the user. View the output in the workbench, including:
Risk score for each session in the past 14 days, under GET USER RISK SCORE – EXABEAM AA DEFAULT.
All rules triggered in the user's sessions in the past 14 days, under GET TRIGGERED RULES – EXABEAM AA DEFAULT.
Additional contextual information about the user, under GET USER INFORMATION – EXABEAM AA DEFAULT.
Other Case Manager incidents involving the notable user in the past 14 days, under SEARCH IR INCIDENTS WITH IOC.
If the incident involves a notable asset, the playbook returns the asset's past anomalous behavior, including the asset's risk score for every session in the past 14 days and all the rules triggered in the asset's sessions in the past 14 days. Then, it collects any additional contextual information about the asset and searches for other Case Manager incidents involving the asset. View the output in the workbench, including:
Risk score for each session in the past 14 days, under GET ASSET RISK SCORE – EXABEAM AA DEFAULT.
All rules triggered in the asset's sessions in the past 14 days, under GET ASSET TRIGGERED RULES – EXABEAM AA DEFAULT.
Additional contextual information about the asset, under GET ASSET INFORMATION – EXABEAM AA DEFAULT.
Other Case Manager incidents involving the same notable asset in the past 14 days, under SEARCH IR INCIDENTS WITH IOC.
Create a Playbook
Create a playbook to automate your workflow, and respond more quickly and efficiently to attacks.
You can create your own playbook only if you're assigned an Incident Responder seat. If you aren't assigned an Incident Responder seat, you can only use turnkey playbooks.
Ensure you're familiar with the logic of compound, relational, and conditional operators.
In the sidebar, click PLAYBOOKS.
Click Add a new playbook.
Enter information about the playbook:
Playbook template – Choose a template from the list. To create an empty playbook, select New Playbook.
Name – Give your playbook a unique name.
(Optional) Description – Describe your playbook, what it does, and when it should be used.
Click Create. The playbook contains a start node and end node. If you selected a template, the playbook contains other nodes based on the template.
Define the logic of your playbook: add a node, and configure action, decision, or filter nodes. As you design your playbook, keep in mind:
All nodes must be linked in some way to the start and end node; otherwise, you can't run the playbook.
You can only use the output from the previous node as an input for the next node.
You can use the output of one node in another only if the latter node takes in data of the same type. For example, if one node outputs a list of URLs, you can't link it to a node that takes in a list of IP addresses.
You must configure all necessary input fields for a given node. If you haven't configured one or more necessary fields, the node is outlined in red.
Click Save. You may save your playbook at any time, but if it contains an error, it won't run and is disabled by default. Your playbook appears in the list on the PLAYBOOKS page.
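The three design rules above (every node linked to both the start and end node, a node may only consume the output type of the node feeding it, and every necessary input configured) are exactly what makes a saved playbook runnable rather than disabled. The following Python is an added example, not Exabeam's code or its export format, that lints a playbook graph for those three rules so you can see how each violation surfaces; the JSON-like layout (nodes with consumes/produces types, required fields, and a config dict; edges as [from, to] pairs) and the service and action names in the samples are assumptions.

```python
from collections import deque

START, END = "start", "end"


def reachable(adjacency, source):
    """Breadth-first set of node ids reachable from source."""
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def lint_playbook(playbook):
    """Return a list of errors; an empty list means the playbook can run."""
    errors = []
    nodes = {n["id"]: n for n in playbook["nodes"]}
    starts = [i for i, n in nodes.items() if n["type"] == START]
    ends = [i for i, n in nodes.items() if n["type"] == END]
    if len(starts) != 1 or len(ends) != 1:
        return ["playbook needs exactly one start and one end node"]
    start, end = starts[0], ends[0]

    forward, backward = {}, {}
    for src, dst in playbook["edges"]:
        if src not in nodes or dst not in nodes:
            errors.append(f"edge {src}->{dst} references an unknown node")
            continue
        forward.setdefault(src, []).append(dst)
        backward.setdefault(dst, []).append(src)
        # Rule: the next node only accepts the previous node's output type.
        produced, consumed = nodes[src].get("produces"), nodes[dst].get("consumes")
        if produced and consumed and produced != consumed:
            errors.append(f"{dst} expects {consumed} but {src} outputs {produced}")

    from_start, to_end = reachable(forward, start), reachable(backward, end)
    for nid, node in nodes.items():
        # Rule: every node must be linked to both the start and the end node.
        if nid not in from_start or nid not in to_end:
            errors.append(f"{nid} is not linked to both start and end")
        # Rule: all necessary inputs configured (the red outline in the editor).
        config = node.get("config", {})
        missing = [f for f in node.get("required", []) if not config.get(f)]
        if missing:
            errors.append(f"{nid} is missing required input(s): {', '.join(missing)}")
    return errors


# Constructed playbooks. GOOD: start -> extract URLs -> filter -> block -> end.
GOOD = {
    "nodes": [
        {"id": "start", "type": START},
        {"id": "extract", "type": "action", "produces": "url_list",
         "required": ["service", "action"], "config": {"service": "Exabeam Actions", "action": "Extract URLs"}},
        {"id": "keep_bad", "type": "filter", "consumes": "url_list", "produces": "url_list",
         "required": ["operator"], "config": {"operator": "Not In", "value": "allow_list"}},
        {"id": "block", "type": "action", "consumes": "url_list",
         "required": ["service", "action"], "config": {"service": "Zscaler", "action": "Block URL"}},
        {"id": "end", "type": END},
    ],
    "edges": [["start", "extract"], ["extract", "keep_bad"], ["keep_bad", "block"], ["block", "end"]],
}

# BAD: a URL list fed to an IP-list node, an orphan node, and an unconfigured service.
BAD = {
    "nodes": [
        {"id": "start", "type": START},
        {"id": "extract", "type": "action", "produces": "url_list",
         "required": ["service"], "config": {"service": "Exabeam Actions"}},
        {"id": "isolate", "type": "action", "consumes": "ip_list", "required": ["service"], "config": {}},
        {"id": "notify", "type": "action", "required": [], "config": {}},
        {"id": "end", "type": END},
    ],
    "edges": [["start", "extract"], ["extract", "isolate"], ["isolate", "end"]],
}

if __name__ == "__main__":
    print("GOOD:", lint_playbook(GOOD) or "ok")
    print("BAD:", lint_playbook(BAD))
```

Decision and filter nodes fit the same model: a filter node produces the same type it consumes (a subset of the input), and a decision node produces no new type, so it places no constraint on what follows it.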
Add a Node
When you create or edit a playbook, add nodes to define or change its logic.
From a node, add another node, then select ACTION.
Select a Service. These services are available for you to use; they either come out-of-the-box or have been configured by your organization. You might find the descriptions helpful in choosing the appropriate service to use.
Select the action type the node performs.
Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.
To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.
A decision node evaluates a condition on its input and returns true or false. Depending on the result, the playbook continues to the node linked to the true port or the node linked to the false port.
From the node you wish to make a decision on, add a node and select DECISION. If you add the node straight from the start node, it operates on all the fields and raw data in the incident.
Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.
Select an operator:
Equals – Checks if values are equal.
Not Equal To – Checks if values are not equal.
Contains – Checks if a value contains the specified value (a partial match).
Not Contains – Checks if a value does not contain the specified value.
Is Empty – Checks if incident field doesn't have an assigned value.
Exists – Checks if incident field has an assigned value.
Starts With – Checks if string data type starts with a specified value.
Not Starts With – Checks if string data type doesn't start with a specified value.
Ends With – Checks if string data type ends with a specified value.
Not Ends With – Checks if string value doesn't end with a specified value.
In – Checks if value is in a specified list.
Not In – Checks if value is not in a specified list.
Matches – Checks if values match exactly.
Not Matches – Checks if values don't match exactly.
Greater Than – Checks if value is greater than a specified value.
(Optional) If relevant, enter or select a value.
Click SAVE.
(Optional) Add additional conditions to the decision node.
To add an or condition, select +OR.
To add an and condition, select +AND.
From the decision node's outbound ports, add a node that executes depending on how the input was evaluated:
To execute a node if the input is evaluated as true, add a node from the outbound port on the side.
To execute a node if the input is evaluated as false, add a node from the top or bottom outbound ports.
To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.
You use a filter node to filter out a subset of the input source, based on conditions you specify when you configure the node. The filter node outputs the remaining subset and passes it on to the next node. The next node only evaluates this remaining subset. For example, you can use a filter node to remove:
Normal domains, so the next node evaluates malicious domains only.
Allow listed URLs, so the next node evaluates block listed URLs only.
Email attachments with a risk score below 90, so the next node evaluates attachments with a risk score of 90 or above only.
IP addresses from other countries, so the next node evaluates IP addresses from a specific country only.
To evaluate a single value, add a decision node.
From one node, add another node, then select FILTER.
Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.
Select an operator:
Equals – Checks if values are equal.
Not Equal To – Checks if values are not equal.
Contains – Checks if a value contains the specified value (a partial match).
Not Contains – Checks if a value does not contain the specified value.
Is Empty – Checks if incident field doesn't have an assigned value.
Exists – Checks if incident field has an assigned value.
Starts With – Checks if string data type starts with a specified value.
Not Starts With – Checks if string data type doesn't start with a specified value.
Ends With – Checks if string data type ends with a specified value.
Not Ends With – Checks if string value doesn't end with a specified value.
In – Checks if value is in a specified list.
Not In – Checks if value is not in a specified list.
Matches – Checks if values match exactly.
Not Matches – Checks if values don't match exactly.
Greater Than – Checks if value is greater than a specified value.
(Optional) If relevant, enter or select a value.
Click SAVE.
(Optional) Add additional conditions to the filter node. A filter node's conditions are either all and conditions or all or conditions; you can't mix the two in one filter node.
To add an or condition, select +OR.
To add an and condition, select +AND.
To change a condition from one to the other, select the down arrow next to it, then select the appropriate condition.
To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.
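The difference between the two node types is in what they return: a decision node turns one input and a set of conditions into a single true or false, while a filter node applies the same conditions to each item of a list and passes on only the items that satisfy them. The following Python is an added example, not Exabeam's code, that models the operator list above and runs it as both a decision and a filter over constructed data (the URL allow list and attachment risk scores are made up). The operator semantics are assumptions where the page is not explicit: Matches is treated as an exact, case-sensitive string comparison, Equals compares the raw values, and string operators coerce non-string values with str().

```python
EMPTY = (None, "", [], {})


def _s(value):
    """String operators work on the string form of the value."""
    return value if isinstance(value, str) else str(value)


OPERATORS = {
    "Equals": lambda v, x: v == x,
    "Not Equal To": lambda v, x: v != x,
    "Contains": lambda v, x: x in _s(v),
    "Not Contains": lambda v, x: x not in _s(v),
    "Is Empty": lambda v, x: v in EMPTY,
    "Exists": lambda v, x: v not in EMPTY,
    "Starts With": lambda v, x: _s(v).startswith(x),
    "Not Starts With": lambda v, x: not _s(v).startswith(x),
    "Ends With": lambda v, x: _s(v).endswith(x),
    "Not Ends With": lambda v, x: not _s(v).endswith(x),
    "In": lambda v, x: v in x,
    "Not In": lambda v, x: v not in x,
    "Matches": lambda v, x: _s(v) == _s(x),
    "Not Matches": lambda v, x: _s(v) != _s(x),
    "Greater Than": lambda v, x: float(v) > float(x),
}


def field_of(item, field):
    """Input source: the item itself (field None) or one field of a dict-shaped item."""
    return item if field is None else item.get(field)


def decide(item, conditions, combine="AND"):
    """Decision node: conditions are (field, operator, expected); AND needs all, OR needs any."""
    results = [OPERATORS[op](field_of(item, field), expected) for field, op, expected in conditions]
    return all(results) if combine == "AND" else any(results)


def filter_node(items, conditions, combine="AND"):
    """Filter node: keep the subset that satisfies the conditions; the next node sees only these."""
    return [item for item in items if decide(item, conditions, combine)]


# Constructed inputs: URLs extracted from an email, a corporate allow list,
# and attachments scored by a hypothetical upstream node.
ALLOW_LIST = ["https://intranet.example.com/", "https://mail.example.com/"]
URLS = [
    "https://intranet.example.com/",
    "http://login-micros0ft.example/reset",
    "https://mail.example.com/",
    "http://203.0.113.7/x.php",
]
ATTACHMENTS = [
    {"name": "invoice.pdf", "risk_score": 12},
    {"name": "invoice.exe", "risk_score": 95},
    {"name": "macro.docm", "risk_score": 90},
]


def not_allow_listed(urls):
    """Filter: drop allow-listed URLs so the next node only sees the rest."""
    return filter_node(urls, [(None, "Not In", ALLOW_LIST)])


def risky_attachments(attachments):
    """Filter: drop attachments scoring below 90 (Greater Than 89 keeps 90 and up)."""
    return filter_node(attachments, [("risk_score", "Greater Than", 89)])


def unassigned_critical(incident):
    """Decision: Critical AND no assignee, the kind of check that gates an escalation branch."""
    return decide(incident, [("priority", "Equals", "Critical"), ("assignee", "Is Empty", None)])


if __name__ == "__main__":
    print(not_allow_listed(URLS))
    print([a["name"] for a in risky_attachments(ATTACHMENTS)])
    print(unassigned_critical({"priority": "Critical", "assignee": None}))
```

Note that Greater Than is the only numeric operator on the list, so "90 or above" has to be expressed as greater than 89, and a threshold on non-integer scores needs the filter chained with a second node rather than one condition.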
Playbook Templates
If you don't want to create a playbook from scratch, use a template. These templates come out-of-the-box or you can import your own from an existing playbook.
Playbook templates are frameworks that are already designed and ready for you to use; you just indicate the service you want to use. You can use playbook templates only if you're assigned an Incident Responder seat.
There are 16 templates available out of the box, including ones for malware and phishing. You can also use turnkey playbooks as templates.
You can't delete these out-of-the-box templates.
To modify a template, export an existing playbook, then import it back into the system as a template. You can also create a new playbook from scratch.
Import a Playbook Template
After you export a playbook, you can import it into the same system or another system, where it becomes a template. An exported playbook can only be imported as a template, not directly as a playbook.
You can import playbook templates only if you're assigned an Incident Responder seat.
Ensure your template file is in a valid JSON format. If you created and exported the playbook from Incident Responder, it is already in a valid format.
In the sidebar, click PLAYBOOKS.
Click Import template.
Click CHOOSE TEMPLATE FILE, then select a valid JSON file to upload.
The playbook is imported as a template. To use the playbook, create a new playbook using the template.
Phishing Playbook Template
Break down the logic flow of the out-of-the-box phishing playbook template.
Phishing emails imitate reputable senders to fool recipients into installing malicious software or revealing personal information.
The phishing playbook sources emails ingested into Case Manager. It checks the reputation of the domain that sent the email; extracts any files, URLs, or links; and checks the reputation of these entities. Then, the playbook checks if the email recipient has any web activity related to the URL.
Based on the sender's email address, the playbook searches for other recipients. If it finds other recipients, the playbook alerts you.
Create a Playbook Trigger
For a playbook to run automatically, define which circumstances and conditions trigger the playbook. You define a playbook trigger from the PLAYBOOKS page, or when you create or edit a playbook.
You can create a playbook trigger only if you're assigned an Incident Responder seat.
If you manually create an incident, playbooks aren't triggered.
In the sidebar, click PLAYBOOKS, or create or edit a playbook.
Click Add trigger to playbook:
On the PLAYBOOKS page, select the clock for an existing playbook in the list.
If you're creating or editing a playbook, select the clock.
Click + Trigger.
Select the situation that triggers the playbook:
Incident Created – When an incident is created automatically. Manually created incidents don't trigger playbooks.
Status Changed – When someone changes an incident's status.
Priority Changed – When someone changes an incident's priority.
Queue Changed – When an incident is moved to another queue.
Assignee Changed – When someone changes who's assigned to an incident.
Incident Type Changed – When an incident's type changes, manually or automatically.
To add a condition to the situation, select + Condition. If the situation occurs and the condition is met, the playbook runs. These conditions are based on incident fields, default or custom.
(Optional) To add another condition, click + ADD.
Click SAVE.
Manually Run an Action
Instead of automating an action using a playbook, run an action manually on an incident from its workbench.
If you aren't assigned an Incident Responder seat, you can only run out-of-the-box actions; you can't run custom actions.
In an incident's workbench, click RUN ACTION.
Select an action from the list and enter the relevant information.
Click LAUNCH.
If the action runs successfully, it appears in the workbench ACTIONS tab with a check mark, and you see its output in the workbench.
Manually Run a Playbook
Instead of triggering a playbook with a certain scenario, run a playbook manually on a specific incident from its workbench.
If you aren't assigned an Incident Responder seat, you can only run turnkey playbooks; you can't run custom playbooks.
In an incident's workbench, click RUN PLAYBOOK.
Select a playbook from the list.
Click LAUNCH.
If the actions in your playbook run successfully, they appear in the workbench ACTIONS tab with a check mark, and you see their outputs in the workbench.
If your playbook runs successfully, it appears in the workbench PLAYBOOKS tab with a check mark.
Clear an Incident's Playbook and Action Outputs
In the workbench, the outputs of all the playbook and actions you've ever run accumulate so it's hard to tell what's most recent. Clean up your workbench and only display the latest results.
Ensure that you have Reset Incident Workbench permissions. To request Reset Incident Workbench permissions, contact your Exabeam administrator.
In an incident's workbench, click RESET CARDS. In the workbench and the incident, the playbook and action results clear.