Install Security Content Using Content Installer
After you deploy Content Installer, install new security content.
If you have Advanced Analytics i54 or later, you can install security content directly in Advanced Analytics settings, instead of using Content Installer.
Ensure that you deployed Content Installer.
Locate the file that contains the new security content:
To download a general update, navigate to the Exabeam Community Content Exchange. The file is called
To download content that supports other Exabeam products, like Exabeam cloud connectors, navigate to the Exabeam Community Content Exchange.
If you requested specific content, navigate to your case ticket.
Download the file, then save it to the master node host.
For Advanced Analytics, save the file in
For Data Lake, save the file in
Use SSH to log into the master node host, then navigate to the directory in which you downloaded the file.
If you downloaded a tar.gz file, untar it:
tar -C /opt/exabeam -xvf <tarfile.tar.gz>
One or more ZIP files are extracted.
To ensure the security content is compatible with your product version, check the
The Installer won't notify you if the security content is not compatible. You can install incompatible security content, but it won't function correctly.
Ensure that the file contains the security content you want to update:
Possible Advanced Analytics security content:
EDS entries / lookup files
Possible Data Lake security content:
To install the security content in the ZIP file, run:
exa-content-install -c <filepath>/<zipfile>
If the tar.gz file contains multiple ZIP files, run the exa-content-install command for each one. For example, to update Advanced Analytics with four new pieces of security content:
exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/Detection_Fixes_1910.zip
# Repeat the installation for the unpacked ZIP files in the New_Detection subfolder.
exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/BloodHound.zip
exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Mimikatz.zip
exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Process_Temp_directory.zip
exa-content-install -c /opt/exabeam/conf/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Remote_Access_Tools.zip
If you successfully install the security content, you see a message that summarizes what's been updated:
Added – New security content added to your configuration files.
Replaced – New security content that replaced existing content of the same name.
Retained – Security content that already exists in your configuration files and hasn't changed.
The message also details which engines you must restart for the updated security content to take effect.
If you fail to install the security content, you see an error message that explains why. The system reverts the configuration files to how they were originally, before you attempted to install new files. After you address the issue in the error message, try installing the security content again.
After you successfully install the security content, you must apply the changes. To restart the relevant Advanced Analytics or Data Lake engines, run the commands as directed in the message.
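The extract-and-install steps above as one script, added here as an example (it is not Exabeam's tooling): it lists the tar.gz members, refuses names that are absolute or contain `..` before extracting into /opt/exabeam, then runs exa-content-install -c on each extracted ZIP and stops at the first failure. It assumes exa-content-install exits non-zero when an installation fails, which this page does not state; the function names and the INSTALLER and DEST variables are hypothetical.

```sh
#!/bin/sh
# Added example, not Exabeam tooling. Assumption: exa-content-install exits
# non-zero when an installation fails (the page only says it prints an error).
INSTALLER="${INSTALLER:-exa-content-install}"  # override to rehearse with a stub
DEST="${DEST:-/opt/exabeam}"                   # extraction root used in the tar step

# Reads a member listing on stdin; succeeds if any path is absolute or has a
# ".." component, i.e. would be written outside DEST on extraction.
has_unsafe_member() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Filters a listing on stdin down to ZIP members in a fixed, byte-sorted order.
# An archive with no ZIPs yields an empty list rather than an error.
zip_members() {
    { grep -E '\.zip$' || true; } | LC_ALL=C sort
}

# Check, extract, then install every ZIP from one tar.gz; stop at first failure.
install_pack() {
    pack_tarball="$1"
    pack_members=$(tar -tzf "$pack_tarball") || return 1
    if printf '%s\n' "$pack_members" | has_unsafe_member; then
        echo "refusing $pack_tarball: a member path escapes $DEST" >&2
        return 1
    fi
    tar -C "$DEST" -xzf "$pack_tarball" || return 1
    pack_zips=$(printf '%s\n' "$pack_members" | zip_members)
    while IFS= read -r pack_zip; do
        [ -n "$pack_zip" ] || continue
        echo "installing $DEST/$pack_zip"
        # stdin is detached so the installer cannot consume the ZIP list
        if ! "$INSTALLER" -c "$DEST/$pack_zip" </dev/null; then
            echo "install failed for $pack_zip; fix the reported error first" >&2
            return 1
        fi
    done <<EOF
$pack_zips
EOF
    return 0
}

# Usage: sh install_pack.sh <tarfile.tar.gz>
[ "$#" -eq 0 ] || install_pack "$1"
```

The compatibility check and the engine restarts named in the installer's summary remain manual steps, since the Installer does not report incompatible content.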