Install Security Content

Add an Advanced Analytics to Data Lake Query from a Security Content Update

If your new security content includes an Advanced Analytics query in a text file, use it to create a log feed and start ingesting logs from Data Lake.

  1. Ensure that you have downloaded the security content from the Exabeam Community Content Exchange or from your case ticket, saved it in the correct location, and changed to the directory that contains the downloaded file.

  2. If you downloaded a tar.gz file, untar it:

    tar -C /opt/exabeam -xvf <tarfile.tar.gz>

    One or more ZIP files are extracted under /opt/exabeam.

  3. In Advanced Analytics, navigate to Settings > Log Management > Log Feeds.

  4. Add a log feed:

    • If you have version i48 or earlier, click ADD.

    • If you have version i50 or later, click + Add New Query.

  5. Enter the information:

    • Log servers – Select Data Lake.

    • Log type – Select Custom.

    • Query short name – Enter a name that identifies the query.

    • Search query – Copy and paste a query from [vendor]_Queries.txt.

    • Retrieve and process logs from – Select the date from which to start retrieving and processing logs.

  6. Click NEXT.

  7. To verify that the query works, click Test Query, then click NEXT.

  8. Click PUBLISH.
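The following shell script is an added example and is not Exabeam's own tooling. It wraps the tar step above: it lists the archive's member names first and refuses to extract an archive that contains absolute paths or ".." components (a tarball you received by ticket or download should not be able to write outside /opt/exabeam), then extracts into the destination and prints the ZIP files and the [vendor]_Queries.txt file you will need in the log-feed step. The function names (paths_are_safe, check_tar_paths, extract_content) and the destination default are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Exabeam documentation or product.
# Usage: extract_content <tarfile.tar.gz> [destination]
#   destination defaults to /opt/exabeam, as in the documented tar command.

# Read tar member names on stdin; exit 1 if any is absolute or
# contains a ".." path component (classic archive path traversal).
paths_are_safe() {
  awk '/^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 } END { exit bad }'
}

# List the archive without extracting and run the path check on it.
check_tar_paths() {
  tar -tzf "$1" | paths_are_safe
}

# Check the archive, extract it into the destination, then print the
# ZIP files and *_Queries.txt files it produced so you know what to
# upload and which file to copy the Advanced Analytics query from.
extract_content() {
  tarball="$1"
  dest="${2:-/opt/exabeam}"   # assumption: same default as the docs' -C argument

  if [ ! -f "$tarball" ]; then
    echo "no such file: $tarball" >&2
    return 1
  fi
  if ! check_tar_paths "$tarball"; then
    echo "refusing $tarball: archive contains absolute or '..' member paths" >&2
    return 1
  fi

  mkdir -p "$dest" || return 1
  tar -C "$dest" -xzf "$tarball" || return 1

  # Show the extracted ZIPs and the query file for the next steps.
  find "$dest" -name '*.zip' -o -name '*_Queries.txt'
}
```

Run the check on every content archive before extracting it as root into /opt/exabeam; the listing it prints is also a convenient record of which ZIP files belong to a given content update.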