
Install Security Content Using Content Installer

After you deploy Content Installer, install new security content.

If you have Advanced Analytics i54 or later, you can install security content directly in Advanced Analytics settings instead of using Content Installer. See Manage Security Content in Advanced Analytics.

There is some security content you can't install using Content Installer, including Advanced Analytics dynamic lookup entries, queries from Advanced Analytics to Data Lake, and Data Lake reports. See Import a Report.

  1. Ensure that you deployed Content Installer.

  2. Locate the file that contains the new security content:

    • To download a general update, navigate to the Exabeam Community Content Exchange. The file is named Exabeam_<product>_ContentPack_DetectionPackage-<version>.tar.gz.

    • To download content that supports other Exabeam products, like Exabeam cloud connectors, navigate to the Exabeam Community Content Exchange.

    • If you requested specific content, navigate to your case ticket.

  3. Download the file, then save it to the master node host.

    • For Advanced Analytics, save the file in /opt/exabeam/config/custom.

    • For Data Lake, save the file in /opt/exabeam/config/lms.

  4. Use SSH to log into the master node host, then navigate to the directory in which you downloaded the file.

  5. If you downloaded a tar.gz file, untar it:

    tar -C /opt/exabeam -xvf <tarfile.tar.gz>

    One or more ZIP files are extracted.

  6. To ensure the security content is compatible with your product version, check the README file.

    Note

    The Installer won't notify you if the security content is not compatible. You can install incompatible security content, but it won't function correctly.

  7. Ensure that the file contains the security content you want to update:

    • Possible Advanced Analytics security content:

      • Parsers

      • Event Builder

      • Rules

      • Models

      • Enrichers

      • Persistence

      • Event Templates

      • EDS entries / lookup files

    • Possible Data Lake security content:

      • Parsers

      • Parser Categories

      • Parser Categorizations

  8. To install the security content in the ZIP file, run:

    exa-content-install -c <filepath>/<zipfile>

    If the tar.gz file contains multiple ZIP files, run the exa-content-install command for each one. For example, to update Advanced Analytics with four new security content packages:

    exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/Detection_Fixes_1910.zip

    # Repeat the installation for the unpacked ZIP files in the New_Detection subfolder.

    exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/BloodHound.zip

    exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Mimikatz.zip

    exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Process_Temp_directory.zip

    exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Remote_Access_Tools.zip

    If you successfully install the security content, you see a message that summarizes what's been updated:

    • Added – New security content added to your configuration files.

    • Replaced – New security content that replaced existing content of the same name.

    • Retained – Security content that already exists in your configuration files and hasn't changed.

    The message also details which engines you must restart for the updated security content to take effect.

    If you fail to install the security content, you see an error message that explains why. The system reverts the configuration files to how they were originally, before you attempted to install new files. After you address the issue in the error message, try installing the security content again.

  9. After you successfully install the security content, you must apply the changes. To restart the relevant Advanced Analytics or Data Lake engines, run the commands as directed in the message.
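The extract-then-install loop from steps 5 and 8, as an added POSIX shell helper that is not part of Exabeam's tooling: it lists the ZIP members of a content pack without extracting, extracts the pack under the chosen root, and runs exa-content-install once per ZIP, stopping at the first failure so the error message can be addressed before the remaining packages are installed. It assumes the pack is a .tar.gz laid out as described above and that exa-content-install is on PATH (the INSTALL_CMD variable is a hypothetical override for testing with a stub).

```shell
#!/bin/sh
# Added helper (hypothetical, not Exabeam's own code): install every ZIP in a content pack.
# Assumes exa-content-install is on PATH; INSTALL_CMD can point at a stub for a dry run.
INSTALL_CMD="${INSTALL_CMD:-exa-content-install}"

# list_pack_zips <tarfile>
# Print the ZIP members inside the tarball, one per line, without extracting anything.
# Useful for checking what the pack will install before touching the master node config.
list_pack_zips() {
    tar -tzf "$1" | grep '\.zip$'
}

# install_pack <tarfile> <root>
# Extract the pack under <root> (e.g. /opt/exabeam), then install each ZIP it contained.
# Returns 0 if every install succeeded, otherwise the exit status of the failing install.
install_pack() {
    tarfile="$1"; root="$2"
    # Same extraction as the manual step (tar -C /opt/exabeam -xvf <tarfile>).
    tar -C "$root" -xzf "$tarfile" || return $?

    # Fail fast: a failed install has already reverted its own files, so stop and report
    # rather than piling further packages on top of an unresolved error.
    list_pack_zips "$tarfile" | while read -r member; do
        echo "installing $member"
        "$INSTALL_CMD" -c "$root/$member" || exit $?
    done
}
```

After a successful run, restart the engines named in the installer's summary message as in step 9; the helper does not restart anything itself.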