Data Lake User Guide

Exabeam Data Lake Reports

Repetitive summaries and queries for known data of interest can be stored in reports.

The Reports page has two tabs:

  • The My Reports tab lists only the Reports that you have created.

  • The All tab lists all available Reports including those you have created as well as any Reports shared with you.

From here you can Edit or Delete reports by selecting the pencil icon or the trash icon that appears when you hover your mouse over individual reports.

In Data Lake, a Report can be created from the enhanced view of a search's results, the table view of a search's results, a dashboard (which can contain multiple search results), or a brand new Search.

Note

Reports cannot be created from Visualizations alone. If you would like to create a Report with only a Visualization, save a Dashboard that includes the Visualization and create a Report from the Dashboard.

Reports have the following attributes:

  • Report Name

  • Report Description

  • Type: What the Report is created from (Enhanced View, Table View, or Dashboard).

  • Creator: Administrator who created the report.

  • Date: When the report was last generated in the system.

  • Time Range:

    • When Reports are scheduled, this parameter reflects a variable time range.

    • When Reports are unscheduled, this parameter reflects whether queries in the report have a fixed or a variable time range.

Create an Exabeam Data Lake Report

You can create a Report from a Saved Search or Dashboard, or from a brand new Search.

A few notes about the time frame of reports:

  • If a report is created from an enhanced view search, table view search, or dashboard of a newly saved search, the time frame in the report will be the same as the time frame of the saved search or dashboard. Note that the time frame applies to all searches and visualizations within the dashboard.

  • Modification of the time frame must be performed in the Saved Search or Saved Dashboard.

Select the Reports tab at the top right, which brings you to the Reports page, then click the blue Add button at the bottom right. From here you can choose whether to create a Report from a Saved Search or Saved Dashboard, or from a new search.

Create a New Exabeam Data Lake Report from a Saved Search/Dashboard

If you choose to create a Report from a Saved Search or Dashboard, your Saved Library will be opened. Select the Saved Search or Saved Dashboard from which you would like to create a Report by selecting the Report.

The drop-down card gives you more information regarding the Dashboard or Search you have selected. Click Add to Report.

A preview of your report will appear on the next page. If you are satisfied with the preview, click Add to Report at the top right.

You will be taken to the Report Details page and asked to give the Report a name and description.

From here you can:

  • Select Save Report, which saves the report to your Report Library without sending.

  • Tick the Send Now box and then click Save Report, which immediately runs the report and saves the Report to your Reports library.

  • Schedule your report by ticking the Schedule a Report box and entering the frequency with which you would like the report sent as well as all of the recipients who should receive it.

    Warning

    Scheduled reports with 3 billion or more logs can cause data outage in the PDF output.

  • Select Save Report. You will be returned to your Reports Page.

Create an Exabeam Data Lake Report from New Search

If you choose to create a Report from a New Search, the Search landing page will be opened. Data Lake accepts searches in the Lucene query language. Input the search terms that you would like your Report to be based on.

Click the blue Add to Report button.

Your search will be run and the results displayed on the next page. This is a preview of what your Report would look like with those search terms.

If you are pleased with the Report preview, click Add to Report. If not, return to the previous screen and edit your search terms.

You will be taken to the Report Details page and asked to give the Report a name and description.

From here you can:

  • Select Save Report, which saves the report to your Report Library without sending.

  • Tick the Send Now box and then click Save Report, which immediately runs the report and saves the Report to your Reports library.

  • Schedule your report by ticking the Schedule a Report box and entering the frequency with which you would like the report sent as well as all of the recipients who should receive it.

    Warning

    Scheduled reports with 3 billion or more logs can cause data outage in the PDF output.

  • Select Save Report. You will be returned to your Reports Page.

Multi-select Exabeam Data Lake Reports

Reports can be multi-selected in order for the user to perform mass operations on them. The following changes can be made:

  • Scheduled - Reports can be scheduled. When multiple reports are selected and scheduled, they will be put on the same schedule and delivered to the same list of email recipients.

  • Export Template - Reports can be exported. When multiple reports are selected, and the export button is clicked, all the reports (along with the underlying search, visualization, and schedule) are downloaded as a zip archive of JSON files.

  • Delete - Reports can be deleted. When multiple reports are selected and the delete button is clicked, all reports will be deleted. This action cannot be undone.

Compliance Reports in Exabeam Data Lake

Exabeam offers compliance report templates for both U.S. and international regulations. Data Lake supports the following compliance reports out-of-the-box:

Note

Please contact your Data Lake administrator to enable/disable any out-of-the-box compliance reports listed below.

  • GDPR – Protects the data and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.

  • GPG – Protects U.K. citizens by ensuring protective monitoring of business processes and technology. It provides visibility and understanding of who is accessing an organization’s sensitive data.

  • HIPAA – Protects sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

  • NIST – Protects U.S.-based organizations in the science and technology industry by producing standards and guidelines to help these federal agencies meet the requirements of the Federal Information Security Management Act (FISMA).

  • PCI DSS – A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

  • SOX – Protects shareholders and the general public from accounting errors and fraudulent practices in enterprises, and improves the accuracy of corporate disclosures.

Administrators have access to Exabeam-provided reports in Settings > Security Content > Exabeam Reports. Permission to access these reports must be granted by a user assigned the Administrator role.

Out-of-the-box Reports:

  • Access Granted/Revoked Activity

  • Account Management Activity

  • Successful Database Logon Activity

  • Failed Database Logon Activity

  • Audit Log Change Activity

  • File Alert Activity

  • Physical Access Activity

  • Default Credential Usage/Change Activity

  • Denied Web Access Activity

  • Privileged Access

  • Remote Session Overview

  • Failed VPN Logons and Remote Session Timeouts

  • Overall Log Monitor

  • Protocols by Network Traffic

  • Database Deletions

  • Top Attackers

  • Exabeam AA - Top Suspicious Users

  • Windows User Privilege Elevation

  • Unix User Privilege Elevation

  • Vendor Authentication Activity

  • Signature Update

  • Successful Application Logon Activity

  • Failed Application Logon Activity

  • User Account Lockout Activity

  • Disabled User Account Summary

  • Deleted User Account Summary

  • User Account Creation Summary

  • Data Loss Prevention Activity Summary

  • Object Access Summary

  • Account Logout Summary

  • System Startup and Shutdown Summary

  • Security Alert Summary - Users

  • Security Alert Summary - Impacted Hosts

  • Security Alert Summary - Origin Hosts

  • Windows Audit Failure Summary by Users

  • Windows Audit Failure Summary by Hosts

  • Vulnerabilities Detected

  • System Critical and Error Activity Summary

  • Policy Activity Summary

Only users with administrator privileges can view these reports unless they are shared amongst various roles. 

These reports cannot be edited. However, you can make a copy of a report, which can then be edited by you or by roles you have shared the copy with.

Tags

Data Lake Analysts are able to see which report is mapped to which regulation, sort and search by tag. Tags provide the ability to group different types of objects together. They can also be used in searching and filtering. Within Data Lake there are hundreds of out-of-the-box reports that could map to multiple regulations. Analysts can edit tags that Exabeam has added to a report as well as add tags to reports that they have created. When reports are exported, the tags will be included as part of the export.

Data Lake Event Categorization

Data Lake supports multiple categorization attributes for each log or event type defined in the product. Different vendors use different fields and terms in their logs.

Categorizing events provides a consistent taxonomy for queries, reports, visualization, dashboard, search, and correlation rules. Our out-of-the-box compliance reports leverage this nomenclature.

For example, a log has the following value:

exa_activity_type: authentication/local_logon

This log will also be returned in the query:

exa_activity_type=authentication

Current categories are:

exa_category

exa_device_type

exa_activity_type

exa_outcome

Examples:

exa_activity_type = account-management/user/create

exa_device_type = operating-system/network/firewall

exa_outcome = success/allow
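
The parent-level matching described above, as an added Python example (not Exabeam code and not the product's query engine): a query on a parent level such as authentication returns every event whose value sits beneath it, and the same hierarchy can be rolled up for a summary. The whole-segment matching rule, the function names, and the sample values other than those shown on this page are assumptions, and the events are constructed.

```python
from collections import Counter

# The four category fields listed on this page.
CATEGORY_FIELDS = ("exa_category", "exa_device_type", "exa_activity_type", "exa_outcome")

# Constructed sample events. Only authentication/local_logon,
# account-management/user/create and success/allow appear on the page;
# the other values are made up for illustration.
SAMPLE_EVENTS = [
    {"exa_activity_type": "authentication/local_logon", "exa_outcome": "success/allow"},
    {"exa_activity_type": "authentication/remote_logon", "exa_outcome": "failure/deny"},
    {"exa_activity_type": "account-management/user/create", "exa_outcome": "success/allow"},
    {"exa_activity_type": "authentication-policy/change", "exa_outcome": "success/allow"},
]


def category_matches(value, query):
    """True when query equals value or names one of its parent levels.

    Assumption: levels are compared as whole '/'-separated segments, so
    'authentication' does not match 'authentication-policy/change'.
    """
    if not value or not query:
        return False
    value_levels = value.strip("/").split("/")
    query_levels = query.strip("/").split("/")
    return value_levels[:len(query_levels)] == query_levels


def search(events, **criteria):
    """Return events whose category fields match every criterion."""
    unknown = set(criteria) - set(CATEGORY_FIELDS)
    if unknown:
        raise ValueError(f"not a category field: {sorted(unknown)}")
    return [e for e in events
            if all(category_matches(e.get(f), q) for f, q in criteria.items())]


def rollup(events, field, depth=1):
    """Count events per category, truncated to the first `depth` levels."""
    counts = Counter()
    for event in events:
        value = event.get(field)
        if value:
            counts["/".join(value.split("/")[:depth])] += 1
    return dict(counts)
```

Calling `search(SAMPLE_EVENTS, exa_activity_type="authentication", exa_outcome="success")` narrows on two fields at once, which is how a report such as a successful-logon summary would be scoped under these assumptions.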

Import a Report

Import a report you manually created to move it between POC, UAT, and production clusters; or a report from a content pack to get data and dashboards about external partners and vendors.

If you move from a proof-of-concept (POC) or User Acceptance Testing (UAT) cluster to a production cluster, and you also want to move any reports you manually created using searches or visualizations, you must export and import them to the new cluster. You can import the report only if the clusters are of the same version or adjacent versions.

  1. If you're moving between a POC, UAT, or production cluster, ensure that you exported the report(s) you're moving. If you downloaded a content pack in a tar.gz format, ensure that you untar it:

    tar -C /opt/exabeam -xvf <tarfile.tar.gz>
  2. Navigate to the REPORTS page.

  3. Click IMPORT REPORT.

  4. Select and upload the JSON file from your file system. You can only import a Data Lake report exported from another cluster, or JSON files provided in a security content package. The reports are sorted alphabetically.

    Data Lake automatically creates dashboards from these reports. To view these dashboards, navigate to the DASHBOARDS page, click Open Library, then click the Saved Dashboards tab.

How to Suppress Empty Exabeam Data Lake Reports

You can optimize Data Lake’s output by suppressing reports that have empty content.

  1. To prevent empty reports from generating, navigate to Reports.

  2. Find the report for which you want to suppress empty outputs and click the Edit icon.

  3. In Report Details, click Schedule Report to expand the menu.

  4. Click Suppress empty reports and then click SAVE REPORT.
