Security ContentInstall Security Content

Table of Contents

Install a Dynamic Lookup Entry

Manually install a dynamic lookup entry provided on the Exabeam Community Content Exchange or a case ticket. You can't use the Content Installer to install dynamic lookup entries.

  1. Ensure that you downloaded security content from the Exabeam Community Content Exchange or your case ticket, saved it to the right location, and navigated to the directory where you downloaded the file.

  2. If you downloaded a tar.gz file, untar it:

    tar -C /opt/exabeam -xvf <tarfile.tar.gz>

    One or more ZIP files are extracted.

  3. Add the dynamic lookup entries to the /opt/exabeam/config/custom/custom_exabeam_config.conf file:

    • If you have a DynamicLookup section in the custom_exabeam_config.conf file, copy and paste the content in [vendor]_DynamicLookup.txt starting from "0"=. Ensure that you change this key to the next serial number. For example:

      DynamicLookup {
          MaxSize = 2000000
          Entries {
              "0" = { //existing Dynamic Lookup entry
                  //remote-access mapping set for account-creation
                  Expression = "event_types='remote-access' and InList(event_code, '4624','540') and exists(user) and exists(host) and exists(logon_id) and logon_types='3'"
                  Key = ["user","logon_id","host"]
                  Values = ["src_ip","src_host"]
              },
              "1" = { //existing Dynamic Lookup entry
                  //sid mapping for account detail extraction (for member-added/member-removed events)
                  Expression = "(event-type='account-creation' or InList(event_code,'4624','4768','672')) and exists(account_id)"
                  Key = ["account_id"]
                  Values = ["account_name","account_domain"]
              },
              "2" = { //new Dynamic Lookup entry, keyed with the next serial number
                  Expression="vendors='Zoom'" and InList(event_type, 'web-meetin-created','webmeeting-updated') and exists(user_email) and exists(meeting_host_id)"
                  Values = ["user_email"]
                  Key = ["meeting_host_id"]
              }
          }
      }
    • If you don't have a DynamicLookup section in the custom_exabeam_config.conf file, at the end of the file, copy and paste all content in [vendor]_DynamicLookup.txt starting from DynamicLookup {.

  4. To apply these changes, you must restart the Analytics Engine. To avoid restarting the same engine several times, it's best that you install all security content, including those you install using the Content Installer, then restart the relevant engines as directed in the message.