Security ContentInstall Security Content

Content Installer

Install security content onto your Advanced Analytics and Data Lake systems using Exabeam Content Installer.

Security content are tools, like parsers, event builders, rules, and models, that help ingest, parse, and analyze data. Content Installer directly installs security content onto your Advanced Analytics and Data Lake systems. You install new security content whenever you request the capability to parse or monitor a new activity. You get them in a content pack on the Exabeam Community Content Exchange or a case ticket.

To deploy Content Installer and install security content, you must use a command line environment to carefully manipulate files in the Exabeam product file directory. If you're not familiar with using the command line, it's best if you contact Exabeam Customer Success to help you.

If you have Advanced Analytics i54 or later, you can install security content directly in Advanced Analytics settings, instead of using Content Installer.Manage Security Content in Advanced Analytics

Content Installer takes in a ZIP file that contains the new security content, then adds the content to the corresponding custom configuration file. For example, it adds new parsers to custom/parsers.conf. The new, updated security content overrides old, existing security content. For example, let's look at two scenarios:

  • Content Installer installs parser p10 in a configuration file that already contains a parser named p10. The Content Installer removes the old p10, then replaces it with the updated p10.

  • Content Installer installs parser p10 in a configuration file that contains parsers p1 to p4. The Content Installer reads the config file from top to bottom, so it places parser p10 above parsers p1 to p4.

To control which security content overrides others, open a case to contact your Technical Account Manager.

There is some security content you can't install using Content Installer, including Advanced Analytics dynamic lookup entries, queries from Advanced Analytics to Data Lake, and Data Lake reports.Import a Report

Deploy Content Installer

Before you install new log ingesting security content, you must download and open Content Installer.

If you have Advanced Analytics i48 or Data Lake i31 or earlier, each product has their own version of Content Installer.

If you have Advanced Analytics i50 or Data Lake i32 or later, you use the same Content Installer to install security content for both products.

If you have Advanced Analytics i48.5 and later, your Advanced Analytics deployment already comes with a version of the Content Installer. If there are any bug-fix updates to Content Installer, you may follow these steps to download a newer version.

  1. To verify that Content Installer is compatible with your product version, ensure you have Advanced Analytics i38 or Data Lake i20 and later.

  2. Download the content_installer_v1.0.tar.gz file.

  3. Copy the file to the master node.

  4. Untar the Content Installer:

    tar -Pxvf content_installer_v1.0*.tar.gz

    If you fail to untar Content installer, you see an error message:

    • For Advanced Analytics:

      /opt/exabeam/bin/pit/exa-content-install
      /opt/exabeam/config/custom/Content-install-aa-assembly-0.1.jar
    • For Data Lake:

      /opt/exabeam/bin/lms/exa-content-install
      /opt/exabeam/config/custom/Content-install-dl-assembly-0.1.jar

    Ensure that Content Installer has completely downloaded. If it has completely downloaded and you're still getting an error, contact Exabeam Customer Success.