Install Security Content Using Content Installer
After you deploy Content Installer, install new security content.
If you have Advanced Analytics i54 or later, you can install security content directly in Advanced Analytics settings, instead of using Content Installer.
There is some security content you can't install using Content Installer, including Advanced Analytics dynamic lookup entries, queries from Advanced Analytics to Data Lake, and Data Lake reports.
Ensure that you deployed Content Installer.
Locate the file that contains the new security content:
To download a general update, navigate to the Exabeam Community Content Exchange. The file is called Exabeam_<product>_ContentPack_DetectionPackage-<version>.tar.gz
To download content that supports other Exabeam products, like Exabeam cloud connectors, navigate to the Exabeam Community Content Exchange.
If you requested specific content, navigate to your case ticket.
Download the file, then save it to the master node host.
For Advanced Analytics, save the file in /opt/exabeam/config/custom. For Data Lake, save the file in /opt/exabeam/config/lms.
Use SSH to log into the master node host, then navigate to the directory in which you downloaded the file.
If you downloaded a tar.gz file, untar it:

tar -C /opt/exabeam -xvf <tarfile.tar.gz>

One or more ZIP files are extracted.
To ensure the security content is compatible with your product version, check the README file.
Note: The Installer won't notify you if the security content is not compatible. You can install incompatible security content, but it won't function correctly.
Ensure that the file contains the security content you want to update.
To install the security content in the ZIP file, run:
exa-content-install -c <filepath>/<zipfile>
If the tar.gz file contains multiple ZIP files, run the exa-content-install command for each one. For example, to update Advanced Analytics with four new security content packages:

exa-content-install -c /opt/exabeam/config/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/Detection_Fixes_1910.zip
# Repeat the installation for the unpacked ZIP files in the New_Detection subfolder.
exa-content-install -c /opt/exabeam/config/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/BloodHound.zip
exa-content-install -c /opt/exabeam/config/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Mimikatz.zip
exa-content-install -c /opt/exabeam/config/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Process_Temp_directory.zip
exa-content-install -c /opt/exabeam/config/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes/New_Detection/Remote_Access_Tools.zip
When security content is successfully installed, a message displays a summary of what's been updated:
***** CONTENT UPDATE SUMMARY *****
------------------------------------------------------------------------
|Component       |Added     |Replaced  |Retained  |
------------------------------------------------------------------------
|Event Enricher  |          |          |          |
------------------------------------------------------------------------
|Models          |          |          |          |
------------------------------------------------------------------------
|Rules           |          |          |          |
------------------------------------------------------------------------
***** RESTART/RELOAD THE FOLLOWING SERVICES MANUALLY *****
To apply the content changes, please restart '<Exabeam engine>'
<command to restart Exabeam engine>
Added – New security content added to your configuration files.
Replaced – New security content that replaced existing content of the same name.
Retained – Security content that already exists in your configuration files and hasn't changed.
The message also details which engines you must restart for the updated security content to start functioning.
If the security content installation fails, an error message is displayed explaining why. The system reverts the configuration files to the versions before the installation attempt. After addressing any issues in the error message, retry the security content installation.
After you successfully install the security content, you must apply the changes. To restart the relevant Advanced Analytics or Data Lake engines, run the commands as directed in the message.
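The procedure above runs exa-content-install once per ZIP and stops to read the error message when an installation fails and is reverted. The following shell helpers, added here as an example and not part of Exabeam's own tooling, do the two repetitive parts of that procedure: listing the README and ZIP entries of the downloaded tar.gz before extracting it (so you can confirm the pack holds the content you expect), and installing every unpacked ZIP in order, halting at the first failure so a reverted install is never silently followed by later ones. The function names, the two-level Detection_Fixes/New_Detection layout, and the ability to pass a stand-in installer command are assumptions of this example; only exa-content-install -c <zip> and the tar.gz packaging come from the page.

```shell
#!/bin/sh
# Added example, not Exabeam's own code. Assumes the content pack layout shown
# in the procedure (ZIPs in Detection_Fixes/ and Detection_Fixes/New_Detection/)
# and that the installer accepts "-c <zip>" as documented.

# list_content_pack TARBALL
# Lists the README and ZIP entries of the downloaded tar.gz without extracting
# it, so the README check and the "contains what you expect" check can be done
# before anything lands in /opt/exabeam.
list_content_pack() {
    tar -tzf "$1" | grep -E '(^|/)(README[^/]*|.*\.zip)$'
}

# install_content_zips DIR [INSTALLER]
# Runs "INSTALLER -c <zip>" for every ZIP in DIR and its immediate subfolders,
# top-level ZIPs first (Detection_Fixes_*.zip before New_Detection/*.zip).
# INSTALLER defaults to exa-content-install; a stand-in can be passed for a
# dry run. Stops at the first failure, since the installer reverts the
# configuration files on failure and the error message should be read before
# continuing. Prints the number of ZIPs installed.
install_content_zips() {
    dir=$1
    installer=${2:-exa-content-install}
    count=0
    # Shell globs rather than find(1) output so file names with spaces survive;
    # "[ -f ]" skips the literal pattern when a glob matches nothing.
    for zip in "$dir"/*.zip "$dir"/*/*.zip; do
        [ -f "$zip" ] || continue
        echo "Installing $zip" >&2
        if ! "$installer" -c "$zip"; then
            echo "Installation of $zip failed; fix the reported problem and re-run. Stopping." >&2
            return 1
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Usage on the master node (paths from the procedure above):
#   . ./content_pack_helpers.sh
#   list_content_pack /opt/exabeam/config/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1.tar.gz
#   install_content_zips /opt/exabeam/config/custom/Exabeam_AA_ContentPack_DetectionPackage-2019_1/Detection_Fixes
```

After install_content_zips returns, each per-ZIP CONTENT UPDATE SUMMARY will have named the engines to restart; those restarts are still done manually, as the procedure states.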