Data Lake Administration Guide

User Management

Exabeam Data Lake Role-based Access Control

Customers are able to control the responsibilities and activities of their SOC team members with Role-based Access Control (RBAC). Local users, LDAP users or SAML authenticated users will be assigned roles within Exabeam.

Each user can be assigned one or more roles, and the responsibilities of those roles are determined by the permissions each role allows. If a user is assigned more than one role, that user receives the permissions of both roles.

In conjunction with RBAC, Data Lake also uses object-based access control which manages the viewing and editing of objects. For more information, see Exabeam Data Lake Object-based Access Control.


If a user is assigned multiple roles with conflicting permissions, Exabeam enforces the role having more permission. For example, if a role with lighter permission and a role with full permission are both assigned to a user, then the user will have full permission.

To access the Roles page, navigate to Settings > User Management > Roles.


Exabeam-created managed users in Web Common appear as native users on the Users tab of Settings > User Management. These accounts are service accounts that are necessary for Exabeam's basic functionality and should not be altered or deleted. These particular accounts are Common Access Card (CAC) accounts. They log in through encryption certificates only, and resetting or changing their passwords is not possible.

Figure 3. Data Lake service accounts

Below is a table listing the CAC service accounts and their functions. These accounts cannot be disabled or deleted.

Account Name



Used for out of the box content.


This account allows log/remote agent collectors to connect to Data Lake. Connecting to Data Lake is necessary for management and collector metrics, and the authentication is based on highly secure TLS authentication using secured certificates.


Reserved user for core Data Lake service.

Table 2. CAC Service Accounts

Out-of-the-Box Access Roles

Exabeam provides pre-configured access roles that restrict a user's tasks, actions, and views. A user may have more than one role. When a task, action, or view has more than one role associated to a user, the role with the greater access is applied.

Administrator: This role is intended for administrative access to Exabeam. Users assigned to this role can perform administrative operations on Exabeam, such as configuring the appliance to fetch logs from the SIEM and connecting to Active Directory to pull in contextual information. The default admin credential belongs to this role. This is a predefined role provided by Exabeam and cannot be deleted.

Default permissions include:



[default Data Lake permissions]

By default, all users of the Data Lake have the following permissions:

Perform Search, View and Edit Saved Searches, View and Edit Saved Visualizations, View and Edit Saved Dashboards.

Manage context tables

Manage users, assets or other objects within Context Tables.

Manage Users and Context Sources

Manage users and roles in the Exabeam Security Intelligence Platform, as well as the context sources used to enhance the logs ingested (e.g. assets, peer groups, service accounts, executives).

Manage Correlation Rules

Create and Edit Correlation Rules.

Manage Collectors

Perform all collector-related operations, such as managing and configuring collectors, changing template assignments, as well as performing start/stop operations.

Manage Exabeam Reports

Update and reload the list of the Exabeam reports.

Manage Data Retention

Modify Data Retention configuration.

Manage Data Access

Create and Edit Data Access Rules.

Manage Indices

Reparse and reindex the logs of one or several indices.

Manage Saved Objects

Create, edit, and share saved objects (such as dashboards, visualizations, searches).

View Saved Objects

View-only access to saved objects (such as dashboards, visualizations, searches).

Auditor: Users assigned to this role have only view privileges within the Exabeam UI. They can view all activities within the Exabeam UI, but cannot make any changes. This is a predefined role provided by Exabeam.

Default permissions include:



Manage Saved Objects

Create and edit saved searches, visualizations, dashboards, and reports.

View Saved Objects

View saved searches, visualizations, dashboards, and reports.

Tier 1 Analyst: Users assigned to this role are junior security analysts or incident desk responders who support the day-to-day enterprise security operation and monitoring. This is a predefined role provided by Exabeam.

Default permissions include:



[default Data Lake permissions]

By default, all users of the Data Lake have the following permissions:

Perform Search, View and Edit Saved Searches, View and Edit Saved Visualizations, View and Edit Saved Dashboards.

Creating Custom Roles

Roles assigned to Exabeam users determine the level of access to tasks and data. Exabeam provides standard out-of-the-box roles that cannot be edited. However, you can create new roles using the same access features and adjust them accordingly.

  1. To create a new role, navigate to

    Settings > User Management > Roles, and then click Create Role.



    Settings > User Management > Users > Add User, and then click Create a new role.

  2. Fill in the fields and enable features in the DATA LAKE tab, as needed.

  3. Click the CORE tab and enable the listed features, as needed.

  4. Click Save to make the role available to add or associate with users.

Exabeam Data Lake View-only Access Control

A role that has View Saved Objects permission does not automatically have the right to Manage Saved Objects (create, edit, and delete). The two permissions are independent of each other and a role must have both permissions in order to manage a saved object. A role with View Saved Object permission but without Manage Saved Objects permission will not be able to manage the object.


However, by default out-of-the-box roles provided by Exabeam have View and Manage Saved Objects permissions, and cannot be edited.



Role-based permissions override Object-based permissions. For example, if Manage Saved Objects is off in all the roles associated with a user, then the user is limited to running searches (without the ability to save, create, etc.). If one role of a collection of roles associated with a user has Manage Saved Objects, then the user has permission to search, save, create, and view objects. (For more information on object-based permissions, see Exabeam Data Lake Object-based Access Control.) Users with view-only privileges will receive a banner message on the Search page:


For more information on configuring access for saved objects, see Data Lake User Guide > Access Restrictions for Saved Objects.

Exabeam Data Lake Object-based Access Control


Object-based access control (OBAC) manages the viewing and editing of tangible output products such as searches, visualizations, dashboards, and reports. Workflow is shared amongst user groups (defined by roles). Exabeam Data Lake Role-based Access Control (RBAC) manages execution (task-based) permissions within the Exabeam platform. Both forms of access control can restrict access depending on roles. OBAC can be implemented in conjunction with RBAC, where objects can be displayed but executing tasks on those objects is managed or limited based on role privileges. OBAC is independent of role management in that objects can allow all actions based on RBAC, but OBAC can limit certain operations to the given role. OBAC manages objects by granting and restricting view and/or edit abilities to roles. OBAC permissions are not inherited from parent objects, nor are they shared with child objects.

Managing Data Migration of Existing Objects

To view saved objects, you must have View Saved Objects permission selected in at least one of the roles assigned to you. Additionally, you must change access permissions for each object by setting configurations in Manage Saved Objects. Access permissions must be changed for each saved object individually.


New objects are by default saved with Private settings (managed and viewed only by the object originator). Only the object originator can change Share settings to Public or Role-based access, where None, View and Edit, and View-only are managed.
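The role and object rules described in the sections above can be checked against a small model. This is an added example, not Exabeam code: the role names, users, and saved objects are constructed, and treating Public as view access for everyone is an assumption.

```python
from dataclasses import dataclass, field

VIEW = "View Saved Objects"
MANAGE = "Manage Saved Objects"

# Object-level access levels named on this page, ordered weakest to strongest.
LEVELS = {"None": 0, "View-only": 1, "View and Edit": 2}


@dataclass
class SavedObject:
    name: str
    owner: str
    share: str = "Private"  # "Private" (default for new objects), "Public" or "Role-based"
    role_access: dict = field(default_factory=dict)  # role name -> level name


def effective_permissions(user_roles, role_permissions):
    """RBAC: a user with several roles receives the union of their permissions."""
    perms = set()
    for role in user_roles:
        perms |= role_permissions.get(role, set())
    return perms


def object_level(user, user_roles, obj):
    """OBAC: the access level this one object grants the user."""
    if user == obj.owner:
        return LEVELS["View and Edit"]  # the originator manages the object
    if obj.share == "Private":
        return LEVELS["None"]
    if obj.share == "Public":
        return LEVELS["View-only"]  # ASSUMPTION: Public means view access for everyone
    # Role-based sharing: with several roles, the most permissive level applies.
    return max((LEVELS[obj.role_access.get(r, "None")] for r in user_roles), default=0)


def can_view(user, user_roles, role_permissions, obj):
    perms = effective_permissions(user_roles, role_permissions)
    return VIEW in perms and object_level(user, user_roles, obj) >= LEVELS["View-only"]


def can_edit(user, user_roles, role_permissions, obj):
    perms = effective_permissions(user_roles, role_permissions)
    # Role-based permissions override object-based ones: both View and Manage
    # must be present in the user's roles before the object's own setting counts.
    if not {VIEW, MANAGE} <= perms:
        return False
    return object_level(user, user_roles, obj) == LEVELS["View and Edit"]


# Constructed custom roles and objects (hypothetical names).
ROLE_PERMISSIONS = {
    "Hunt Team": {VIEW, MANAGE},
    "Read Only": {VIEW},
    "Search Only": set(),
}
DASHBOARD = SavedObject(
    "Executive logins", owner="alice", share="Role-based",
    role_access={"Read Only": "View-only", "Hunt Team": "View and Edit"},
)
DRAFT = SavedObject("Draft search", owner="alice")  # Private by default
OVERSHARED = SavedObject(
    "Shared report", owner="alice", share="Role-based",
    role_access={"Read Only": "View and Edit"},
)

if __name__ == "__main__":
    for user, roles in [("bob", ["Read Only"]), ("carol", ["Read Only", "Hunt Team"]),
                        ("dave", ["Search Only"])]:
        print(user, roles,
              "view:", can_view(user, roles, ROLE_PERMISSIONS, DASHBOARD),
              "edit:", can_edit(user, roles, ROLE_PERMISSIONS, DASHBOARD))
```

The OVERSHARED object shows why a per-object "View and Edit" grant is not enough for review purposes: a role without Manage Saved Objects still cannot edit it.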

Exabeam Data Lake Secured Resources Overview

Secured resources allow you to control access to logs based on a search filter. For example, a secured resource can define logs from sensitive applications, sources, or geographies. Once configured, users are only able to view and utilize specific sets of data for their searches, visualizations, dashboards, scheduled reports, or correlation rules.

For example, restrict data access based on:

  • Log feeds from specific sources (e.g., Application logs from a business sensitive app can only be accessed by the SOC team).

  • Host, source or sourcetype (e.g., Access to logs of a specific database is restricted to a role).

  • Search keywords or fields (e.g., Logs of the executive users can only be accessed by specific roles).

This section walks through adding and managing secured resources within the Data Lake UI.

Configure Exabeam Data Lake Log Access with Secured Resources

Secured resources allow you to control access to logs based on a search filter. Use the Secured Resources page to add, manage, and make additional changes to your secured resources.

The top-right of the page provides helpful management actions, including:

  • Manage Access – Open the Manage Data Access Control page to limit access to roles within your organization.

  • Add – Add a new secured resource.

  • Search – Search for a secured resource.


The secured resources table displays information regarding your secured resources, including:

  • Name – Name of the secured resource.

  • Description – Brief description of the secured resource.

  • Query – Search query matching the log events for the secured resource.

  • Roles – Role(s) allowed to view the secured resource.


Filter the table according to roles by clicking the lined-triangle next to the Roles column header.


Hover over a secured resource in the table to edit (name, description, and query) or delete it.


Additionally, you can delete resources by selecting them in the table and then clicking Delete.


Adding a Secured Resource in Exabeam Data Lake

A secured resource is a role-based search filter that applies restrictions to the data being searched. Before defining which roles have access, you must define the secured resource being filtered.

To add a secured resource:

  1. Navigate to Settings > Secured Resources > Data. This link takes you to the Secured Resources page.

  2. On the secured resources page, click Add.


    If this is your first secured resource, the Add button appears in the middle of the secured resources page. If this is not your first secured resource, the Add button appears at the top-right of the secured resources table.


    (Add button location when adding your first secured resource.)


    (Add button location when adding additional secured resources.)

  3. Enter a name and description for the new secured resource, and then click Next.

  4. Enter the search query that matches the log events you want to secure, and then press enter on your keyboard to run the query.


    Typing "*" prevents access to any logs by anyone unless they are granted permission.

  5. Review the query results. Edit and re-run the query (step 4, above) until you receive the desired results.

  6. Once your query is ready, click Create.


Your new secured resource(s) appear in the secured resource table in the Secured Resources page. Now, you can manage access to the secured resource(s) for users in your organization.

Managing Exabeam Data Lake Data Access to Secured Resources

Secured resources allow you to control access to logs based on a search filter. Access to secured resources is based on a user's role. To grant roles access to secured resources, configure associations on the Secured Resources page:

  1. Navigate to Settings > User Management > Roles.

  2. Select any role from the list of default and custom roles.

  3. Click the Secured Resources link. This link takes you to the Secured Resources page.

  4. On the secured resources page, click Manage Access.

  5. Select a role from the Roles panel, and then select secured resource(s) by clicking the appropriate checkbox(es).

  6. Click Save.


To support data access for specific users, the Limit access to these selections toggle will be turned on so that any user assigned to that role is restricted to access the selected secured resources in this list. They cannot access resources which are not explicitly allowed.
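To review a planned set of secured resources before saving it, the visibility rules above can be modelled offline. This is an added example, not Exabeam code: the events, resource names, and roles are constructed, the `field:value` matcher is a simplified stand-in for Data Lake search queries, and how overlapping resources and multiple roles combine is an assumption stated in the comments.

```python
def matches(query, event):
    """Simplified stand-in for a search query (ASSUMPTION, not Data Lake syntax):
    '*' matches everything; otherwise every space-separated field:value term must match."""
    query = query.strip()
    if query == "*":
        return True
    terms = query.split()
    if not terms:
        return False  # an empty query secures nothing
    for term in terms:
        name, _, value = term.partition(":")
        if str(event.get(name, "")) != value:
            return False
    return True


def can_see(event, user_roles, resources, grants, limited):
    """Decide whether a user holding user_roles may see one log event."""
    granted = set()
    for role in user_roles:
        granted |= grants.get(role, set())
    matching = {name for name, query in resources.items() if matches(query, event)}
    if matching:
        # The log belongs to at least one secured resource.
        # ASSUMPTION: a grant on any one matching resource is enough.
        return bool(matching & granted)
    # Unsecured log: hidden only when every role of the user has
    # "Limit access to these selections" turned on (most permissive role wins).
    return any(not limited.get(role, False) for role in user_roles)


def visible_ids(events, user_roles, resources, grants, limited):
    return [e["id"] for e in events if can_see(e, user_roles, resources, grants, limited)]


def wildcard_resources(resources):
    """Secured resources whose query is '*', which hide every log from ungranted roles."""
    return sorted(name for name, query in resources.items() if query.strip() == "*")


# Constructed sample data (hypothetical hosts, roles and resources).
EVENTS = [
    {"id": 1, "host": "hr-db01", "sourcetype": "db"},
    {"id": 2, "host": "web01", "sourcetype": "apache"},
    {"id": 3, "host": "web02", "sourcetype": "apache", "user": "ceo"},
]
RESOURCES = {"HR database": "host:hr-db01", "Executive users": "user:ceo"}
GRANTS = {"SOC": {"HR database"}, "Exec Protection": {"Executive users"}, "Helpdesk": set()}
LIMITED = {"Exec Protection": True}  # roles with the Limit access toggle on

if __name__ == "__main__":
    for roles in (["Helpdesk"], ["SOC"], ["Exec Protection"], ["SOC", "Exec Protection"]):
        print(roles, "->", visible_ids(EVENTS, roles, RESOURCES, GRANTS, LIMITED))
    with_wildcard = dict(RESOURCES, **{"All logs": "*"})
    print("wildcard resources:", wildcard_resources(with_wildcard))
    print("Helpdesk with '*':", visible_ids(EVENTS, ["Helpdesk"], with_wildcard, GRANTS, LIMITED))
```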


Single Sign-on and Multi-factor Authentication Using SAML

Exabeam users may have a single sign on vendor in their environment, such as Okta, Ping, Duo, Google, or Microsoft Active Directory Federation Services. Exabeam integrates with them, allowing administrators and users to sign on to Exabeam using their existing credentials.

With SAML Authentication enabled, there is no need for users to enter credentials and/or remember/renew a password with Exabeam.

Configure Single Sign-on and Multi-factor Authentication

Exabeam users may have a single sign on vendor in their environment, such as Okta, Ping, Microsoft Active Directory Federated Services (ADFS), or Google. You may also implement a custom or generic identity provider (IdP). Exabeam integrates with them, allowing administrators and users to sign on to Exabeam using their existing credentials. With SAML authentication enabled, there is no need for users to enter credentials and/or remember/renew a password with Exabeam.


If your instance of Exabeam is running in a private network, you must ensure webcommon.service.externalAddress is pointing to the correct external IP address and is the same as <exabeam_master_host>, which was specified in configuration for IdP. The property is pointing to EXABEAM_IP environment variable, which is assigned during Exabeam deployment.

When Exabeam is deployed on AWS, there should not be any issues. When Exabeam is deployed on Google Cloud Platform, you may need to set the property in /opt/exabeam/config/common/web/default/application_default.conf.


For Exabeam SaaS deployments, additional restrictions have been applied to enforce secure cross-origin resource sharing (CORS) practices. Please add the origin of your SSO provider by following the Exabeam Operational Hardening guidelines to ensure SSO works when CORS protection is enabled.

Single sign-on: If your organization uses Okta, Ping Identity, Microsoft Active Directory Federated Services (ADFS), or Google as an IdP, you can configure single sign-on directly within the UI. Once configured, your users are automatically authenticated into the UI and will not be asked to create and/or enter specific login credentials.

Multi-factor authentication: Similarly, Exabeam products automatically support your multi-factor authentication (MFA, including two-factor authentication and/or two-step verification) through Okta, Ping Identity, and Google.

Configure your identity service provider to produce credentials. The following instructions are for identity providers supported by Exabeam.

  1. Log onto Google Admin, then go to Home > SAML apps.

  2. Click the + icon to enable SSO for a SAML application.


  4. Click Next.

  5. Set the Application name, and then click Next.

  6. Set the following properties: ACS URL and Entity ID.

    ACS URL: https://<exabeam_master_host>:8484/api/auth/saml2/google/handle-assertion

    Entity ID: https://<exabeam_master_host>:8484/api/auth/saml2/google/login

    where the <exabeam_master_host> is either an external IP address or hostname of the UI accessible by Google.

  7. Click Attribute Mapping to create a mapping. Fill in the fields. The values in the first column are keys and should correspond to those which will be provided in web-common SAML SP config later. In this example First Name of the user from IdP is used for grouping.

  8. Click Next and then click OK.

  9. Click the vertical ellipsis icon and then click ON for everyone.

  10. Open Service Provider Details > Manage Certificates. Then, select the DOWNLOAD IDP METADATA file. Put the file in an easily accessible location. Hold this file for later configuration. Go to Configure Identity Providers in Exabeam to set up SSO.


The instructions that follow are based on Windows 2019 Server.

  1. Ensure that the identity provider (IdP) initiated SSO is enabled in ADFS. Verify using the PowerShell cmdlets Get-AdfsProperties and Set-AdfsProperties.

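    # Check whether the IdP-initiated sign-on page is enabled
    Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonPage
    # EnableIdpInitiatedSignonPage
    # ----------------------------
    #                        False
    # Enable it if the value above is False
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $True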


    For more information on enabling IdP SSO, see

  2. Configure Microsoft ADFS Relying Party Trust by going to the Server Manager > Tools > AD FS > AD FS Management.

  3. Go to the Relying Party Trusts branch and click Add Relying Party Trust.

  4. Select Claims aware and then click Start.

  5. Select Enter data about the relying party manually and then click Next.

  6. Enter a Display name (for example, Exabeam SAML SSO), and then click Next.

  7. Click Next at the Configure Certificate menu.

  8. Select Enable support for the SAML 2.0 WebSSO protocol.

  9. At Relying party SAML 2.0 SSO service URL, enter the ACS link https://<exabeam master host>:8484/api/auth/saml2/adfs/handle-assertion, and then click Next.

  10. At Relying party trust identifier, enter the Exabeam Entity ID, https://<exabeam master host>:8484/api/auth/saml2/adfs/login. Click Add to enter it into the list of trusted identifiers.

  11. At the Choose Access Control Policy menu, choose an access control policy from the list that adheres to your organization's policies. Then click Next.

  12. Leave Configure claims issuance policy for this application selected. Click Close.

  13. Verify that a new record was created in the Relying Party Trusts list.

  14. Select the new record. Right-click and then select Edit Claim Issuance Policy.

  15. Select Add Rule and choose the template Send LDAP Attributes as Claims.

  16. In the Edit Rule menu, enter a Claim rule name. Choose Active Directory as the Attribute store, and add the following attribute mappings:

    • E-Mail-Addresses > EmailAddress

      Set to user email

    • Display-Name > FirstName

      First name of exabeam user

    • Display-Name > Username

      Username of the Exabeam user, with a prefix added (for example, if the username is Jackyl, it becomes [saml]Jackyl).

    • Surname > LastName

      Last name of exabeam user

    • Display-Name > ExaGroup

      Associated user group for retrieving role and permissions. The display name will be set as the value of the ExaGroup attribute inside the IdP response and must exist among all group mappings on the Exabeam side.

  17. Click Finish to save the configuration. Click Okay to close the menu.

  18. Select the record again. Right-click and then select Edit Claim Issuance Policy.

  19. Click Add Rule and then select the template Transform an Incoming Claim. Click Next.

  20. Set a rule to transform Username to Name ID in an unspecified format. Click View Rule Language to see the resultant rule. Here is an example:

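    c:[Type == "Username"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");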
  21. Download metadata.xml file from IdP (ADFS) at https://<adfs host>/FederationMetadata/2007-06/FederationMetadata.xml.

  22. Go to Configure Identity Providers in Exabeam to set up SSO. In the setup, use the following Exabeam-to-IdP attribute mappings:

    • Email Address > EmailAddress

    • Username > Username

    • First Name > FirstName

    • Last Name > LastName

    • Group > ExaGroup

      Exagroup is used here as an example of a group name.

  1. Log into the Okta console for your organization. The instructions that follow are based on the Okta Classic UI.

  2. Click Admin.

  3. Click Add Applications.

  4. Click Create New App.

  5. Select SAML 2.0.

  6. Enter the App name and then click Next.

  7. Enter the following properties:

    Single sign on URL: https://<exabeam_master_host>:8484/api/auth/saml2/okta/handle-assertion

  8. Click Next to go to the confirmation menu.

  9. Select I'm an Okta customer adding an internal app and the checkbox This is an internal app that we have created.

  10. Press Finish to apply the configuration.

  11. Click on the Assignments section of the Exabeam test application and select Assign to People.

  12. Press Assign.

  13. Leave the username as-is and press Save and Go Back.

  14. Press Done.

  15. Click on the Sign On section of the Exabeam test application and press View Setup Instructions.

  16. In the new page that opens, you can find the SSO URL, certificate file, metadata file content. Hold this information for later configuration. Go to Configure Identity Providers in Exabeam to set up SSO.

  1. Log into the Ping console for your organization.

  2. Go to Applications and press Add Application.

  3. Choose New SAML Application.

  4. Enter Application Name and Application Description, and choose the Other category. Press Continue to Next Step.

  5. Set mandatory properties:

    Assertion Consumer Service (ACS):  https://<exabeam_master_host>:8484/api/auth/saml2/ping/handle-assertion

    Entity ID:  https://<exabeam_master_host>:8484/api/auth/saml2/ping/login

    where the <exabeam_master_host> is either an external IP address or hostname of the UI accessible by Ping.

  6. Press Continue to Next Step.

  7. Specify attribute mapping. Mark each property as Required. The SAML_SUBJECT attribute is required for Ping to function correctly.

  8. For the SAML_SUBJECT attribute, press Advanced.

  9. Set Name ID Format to send to SP to the value shown in the example below, then press Save.

  10. Pay attention to this.

  11. On the Preview settings page, download the Certificate file and Metadata file. Hold these files for later configuration.

  12. The SSO URL is found in the Metadata file, with the tag md:SingleSignOnService, where Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".

  13. Press Finish. Make sure the created application is enabled.

  14. Go to Configure Identity Providers in Exabeam to set up SSO.
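Step 12 above locates the SSO URL by hand. The following added example (not Exabeam or Ping code) reads the same value from a downloaded IdP metadata file and checks it before it is entered into Configure SSO manually. The sample metadata, its host names, and the certificate string are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def read_idp_metadata(xml_text, binding=HTTP_POST):
    """Return the entity ID, the SSO URL for one binding, and the signing certificates."""
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not IdP metadata")

    # md:SingleSignOnService elements differ only by Binding; pick the requested one.
    urls = [el.get("Location") for el in idp.findall("md:SingleSignOnService", NS)
            if el.get("Binding") == binding]
    if len(urls) != 1:
        raise ValueError("expected exactly one SingleSignOnService for %s, found %d"
                         % (binding, len(urls)))
    sso_url = urls[0]
    if urlsplit(sso_url).scheme != "https":
        raise ValueError("SSO URL is not https: %r" % sso_url)

    # A KeyDescriptor without a 'use' attribute is valid for signing as well.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


# Constructed metadata for illustration; the certificate value is a placeholder.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          Q09OU1RSVUNURUQ=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    info = read_idp_metadata(SAMPLE_METADATA)
    print("Entity ID:", info["entity_id"])
    print("SSO URL (HTTP-POST):", info["sso_url"])
    print("Signing certificates found:", len(info["signing_certs"]))
```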

Once you have collected authentication metadata or certificate files from your IdP, you will associate the IdP to your Exabeam product. These instructions assume you have created an identity service provider record. (See Configure SAML Identity Provider.)

  1. Log into your Exabeam product.

  2. Navigate to Settings > Admin Operations > Configure SAML.

  3. Select the IdP in the list and click the Edit icon to open the Edit Identity Provider menu and configure the record.

    1. Click the IdP Enable toggle to activate the service.

    2. Ensure the correct SAML Provider is shown.

    3. If you have a metadata file from your IdP, select Upload the XML file metadata file provided by your IdP and then click CHOOSE FILE to upload the file.

    4. If you have a certificate file and SSO URL, select Configure SSO manually and then click CHOOSE FILE to upload the certificate and enter the SSO URL.

    5. You can optionally specify the Authentication Method, if you are uploading SSO assets.

    6. Configure the Query Attributes mappings.

    7. Click SAVE to apply the configurations.

  4. Go to Map SAML Groups to Exabeam User Roles to associate user roles to your IdP service.

To configure an identity provider in your Exabeam deployment:

  1. Log in to your instance of the UI.

  2. Navigate to Settings.

  3. On the Settings page, go to User Management > Configure SAML.

  4. Click Add Identity Provider.


    This step assumes you have already configured the IdP service provider. If not, configure your IdP service before proceeding.

    • Google

    • Microsoft ADFS

    • Okta

    • Ping

    • Custom or generic SSO IdP are to include: (Please refer to the IdP vendor for additional instructions.)

      • IdP vendor name (15 characters or less)

      • IdP logo (PNG file size of 1Mb or less and in 3:4 or 9:16 aspect ratio)

  5. The IdP is enabled by default upon saving. It can be disabled by toggling the IdP Disabled button.



    You can configure multiple identity providers for your organization, but you can enable only one at a time. For information on configuring your SAML Identity Provider, see Configure SAML Identity Provider.

  6. Select your SAML Identity Provider. All supported IdPs are listed in the drop-down.

  7. Complete the SSO Configuration by choosing one of the two options below. If you have an XML metadata file from your IdP, choose the first option. If you do not, you will need to manually configure SSO.

    • Upload the XML file metadata provided by your IdP – Click the Choose File button to locate and upload the XML file from your computer. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP).

    • Configure SSO manually – Click the Choose File button to locate and upload the IdP certificate from your computer, and then enter the Single Sign-on URL and select either HTTP Post or HTTP Redirect. Optionally, configure the Single Log-Out URL and Redirect to URL after Log-Out.

  8. Select the Authentication Method or leave the field blank to accept the default configuration.

  9. For Custom/Generic IdP, configure the Name of IdP and Upload IdP logo.

  10. For ADFS, configure the encryption. Select the option(s) that applies to your environment.

    • Encryption Enabled -- Users are able to fill data for signature request and decryption response.

    • Signature Enabled -- Adds a signature to the SAML authorization requests. Encryption keys (private key and certificate) are required.

    • Internal Keys -- Use the internal Exabeam encryption key-pair (located in the trust store). To download the internal certificate, click the Download certificate link.

    • Custom Keys -- Use the key-pair from your organization.

  11. Configure the Query Attributes to map your identity provider attributes to Exabeam's attributes.

  12. Click Save. Your identity provider now appears in the Identity Providers table.


You can also continue customizing the configuration by mapping your SAML groups to Exabeam user roles.

Once you have configured a SAML identity provider, the Group Mappings option appears below the Identity Providers table.

To map your existing SAML groups to Exabeam user roles:

  1. Click Add Group.

  2. Select your configured Identity Provider.

  3. Enter a SAML Group Name. The name must match the Group value that comes from the IdP response in the group attribute; meaning, <Attribute name="Group" value="[saml_group_name]">.

  4. Use the checkboxes to select default and custom roles.

  5. Click Save.

Your SAML user groups are now mapped to Exabeam user roles.

You can dictate how SAML authentication is handled within Exabeam products. There are two ways to implement SAML as well as disabling it entirely.

  1. Navigate to Settings > User Management > Configure SAML.

  2. The SAML Status box has the setting your organization is to support. To change the status, click EDIT.

  3. The SAML Status box shows the current condition of how your users are permitted to log in to the UI. Click Edit to configure how your users are permitted to log in, including:

    • Disabled – SAML was configured, but it is not currently enabled. Consequently, users from your organization can only log in with their Exabeam credentials, but they will not be automatically authorized based on their SAML credentials.

    • Allowed – Users can log in with their SAML or Exabeam credentials. If they have Exabeam credentials, they will also be able to use them to log in.

    • Mandatory – Users can log in with their SAML credentials, but they cannot log in with their Exabeam credentials.

    Select Allowed or Mandatory to implement SAML credentialing, and then click SAVE to apply changes.

Audit Log Management in Data Lake

There are a host of reasons to audit user activity. Insider threats show up in the form of unusual queries to sensitive information or unauthorized configuration changes. Perhaps your organization is undergoing an internal audit. Data Lake's audit mechanism centralizes important and useful data for generating reports or helping fill gaps in an investigation.

How Audit Logging Works

Specific activities related to Exabeam product administrators and users are logged, including activities within the UI as well as configuration and server changes. This is especially useful for reviewing activities of departed employees as well as for audits (for example, GDPR).

The following events are logged:

  • Log in and log out

  • Failed log in

  • User addition, update, and removal

  • Role addition, update, and deletion

  • Permission addition and deletion

  • Audit being turned on or off

  • Token create, read, and update

    These audit logs are stored in MongoDB. You can find them at exabeam_audit_db inside the audit_events collection. The collection stores the entire auditing history. You cannot purge audit logs or set retention limits.

    Audit Log Retention
    Hardware and Virtual Deployments Only

    The Exabeam audit logs are activity logs for user and asset activity in your organization. The logs are held for 90 days by default and retention can be extended up to 365 days.

    Retention time is found in /opt/exabeam/config/common/web/custom/application.conf, where webcommon.audit.retentionPeriod determines the number of days logs are held. The range may be 1 to 365 days.

    What Fields Are in the Audit Data Logs

    Audit data in Data Lake contains event logs for user activity committed within the product. In the same manner as other event logs, audit event logs can be forwarded to Exabeam Advanced Analytics via Syslog Forwarding.

    The default retention time for audit data is 90 days.

    The following table lists the fields for each event being stored.




    "Exabeam Data Lake"


    Type categories:

    • dl-search-activity

    • dl-filtered-search-activity

    • dl-correlation-rules-activity

    • dl-secured-resource-activity

    • dl-reports-activity


    "Exabeam Audit Event"


    Time of event


    Currently authenticated user’s IP address


    Currently authenticated user’s username


    Type categories:

    • Search query

    • Visualization query

    • Correlation rule [$ruleId] [$ruleName] create

    • Correlation rule [$ruleId] [$ruleName] update

    • Correlation rule [$ruleId] deletion

    • Correlation rule [${}] error

    • Correlation rule [${}] disabled

    • Correlation rule [${}] disabling failed

    • Correlation rule [${}] timeout

    • Secured resource [$id] was updated

    • Secured resource [$id] was deleted

    • Import reports from file


    Host IP address


    The activity containing the search, query, etc.


    Indicates whether the message has been sent to Syslog

    How to Enable Audit Logging

    Audit logging is not enabled by default. Syslog notification must be configured, with its messages sent to the Data Lake host.

    1. Navigate to Settings > Notifications > Setup Notifications.

    2. Click the add icon (a blue circle with a white plus sign) to expand the menu and then select Syslog notifications.

    3. In the configuration menu, use the IP or FQDN of your Data Lake master host in the IP/Hostname field.

    4. Select DL Audit.

    5. Click ADD NOTIFICATION to create the record.

    Audit event logs will start writing to Data Lake immediately.

    How to Access Audit Data

    You can view audit data, create reports from it, export it, etc., as you would for any event log in Data Lake. Apply queries with the event subtype Exabeam Audit Event as a filter.

    Common Access Card (CAC) Authentication and Limitations

    Exabeam supports Common Access Card (CAC) authentication. CAC is the principal card used to enable access to physical spaces, and it provides access to computer networks and systems. Analysts have CAC readers on their workstations that read their Personal Identity Verification (PIV) and authenticate them to use various network resources.

    Exabeam allows CAC authentication in combination with other authentication mechanisms (Kerberos, Local authentication, etc.).

    Please note the following restrictions:

    • Configure CAC users that are authorized to access Exabeam from the Exabeam User Management page.

    • During the user provisioning, the CAC analysts must be assigned roles. The roles associated with a CAC user will be used for authorization when they log in.

      Figure 4. Add User menu

    Configure a CAC User

    1. Generate the certificate and add it to the cluster by running the shell script below. Fill in the fields pertinent to your organization.

      # Main variables
      # C =  Country Name (2 letter code)
      # ST = State or Province Name (full name)
      # L =  Locality Name (eg, city)
      # O =  Organization Name (eg, company)
      # OU = Organizational Unit Name (eg, section)
      # CN = Common Name (eg, your name or your server's hostname)
      # emailAddress = Email Address
      # Placeholder values: replace them with your organization's details
      SubjString="/C=US/CN=Example CA/emailAddress=ca@example.com/ST=State/L=City/O=Example Org/OU=Security"
      cCountry="US"; cState="State"; cLocality="City"
      cOrganization="Example Org"; cOrganizationalUnit="Security"
      cCommonName="analyst1"; cEmailAddress="analyst1@example.com"
      # Run the following commands on Exabeam server to create Client Certificate
      # ("test" is this script's sample passphrase; substitute your own in every -pass, -passin and -passout option)
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out ca.key -pass pass:test
      openssl req -new -x509 -days 365 -sha256 -key ca.key -out ca.pem -subj "$SubjString" -passin pass:test
      # Create client cert that will be signed by CA
      cSubjString="/C=$cCountry/CN=$cCommonName/emailAddress=$cEmailAddress/ST=$cState/L=$cLocality/O=$cOrganization/OU=$cOrganizationalUnit"
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key
      openssl req -new -key client.key -sha256 -out client.csr -subj "$cSubjString"
      openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key -set_serial "0x$(openssl rand -hex 16)" -sha256 -out client.pem -passin pass:test
      openssl pkcs12 -export -in client.pem -inkey client.key -name "Sub-domain certificate for some name" -out client.p12 -passout pass:test
    2. Upload the generated ca.pem file to the CAC user home directory at the master node.

    3. Execute the following commands at the master node:

      source /opt/exabeam/bin/shell-environment.bash
      docker cp ca.pem exabeam-web-common:/
      docker exec exabeam-web-common keytool -import -trustcacerts -alias cacbundle -file ca.pem -keystore /opt/exabeam/web-common/config/custom/truststore.jks -storepass changeit -noprompt
    4. To associate the credentials to a login, create a CAC user by navigating to Settings > User Management > Users > Add User and select CAC in User type.

    Configuration of Client Certificates

    In /opt/exabeam/config/common/web/custom/application.conf, the sslClientAuth flag must be set to true, as in the example below.

    tequila {
      service {
        interface = ""
        #hostname = "<hostname>"
        port = 8484
        https = true
        sslKeystore = "$EXABEAM_HOME/config/custom/keystore.jks"
        sslKeypass = "password"
        # The following property enables Two-Way Client SSL Authentication
        sslClientAuth = true
      }
    }

    To install client certificates for CAC, add the client certificate bundle to the trust store on the master host. Example below (replace the name of the file with the bundle you are installing):

    # For Exabeam Data Lake
    sudo docker exec exabeam-web-common-host1 /bin/bash -c "cd /opt/exabeam/config/custom; keytool -import -trustcacerts -alias cacbundle -file ca.pem -keystore truststore.jks -storepass changeit -noprompt"
    # For Exabeam Advanced Analytics
    sudo docker exec exabeam-web-common /bin/bash -c "cd /opt/exabeam/config/custom; keytool -import -trustcacerts -alias cacbundle -file ca.pem -keystore truststore.jks -storepass changeit -noprompt"

    To verify the contents of the trust store on the master host, run the following:

    # For Exabeam Data Lake 
    sudo docker exec exabeam-web-common-host1 /bin/bash -c "keytool -list -v -keystore /opt/exabeam/config/custom/truststore.jks -storepass changeit"
    # For Exabeam Advanced Analytics
    sudo docker exec exabeam-web-common /bin/bash -c "keytool -list -v -keystore /opt/exabeam/config/custom/truststore.jks -storepass changeit"

    After configuration changes, restart web-common.

    source /opt/exabeam/bin/shell-environment.bash; web-common-restart
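
    Before ca.pem goes into the trust store and client.p12 is handed out, it is worth confirming that the client certificate really chains to that CA and that neither certificate is close to expiry (the script above issues both for 365 days). The following is an added example, not part of the Exabeam procedure: the helper names check_client_cert and cert_fingerprint, the demo.cnf file and the throwaway certificates it builds are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the Exabeam procedure. File names follow the script
# in "Configure a CAC User"; the throwaway certificates are constructed test data.

# check_client_cert CA_PEM CLIENT_PEM [DAYS]: succeed only if the client cert
# chains to the CA and neither certificate expires within DAYS (default 30).
check_client_cert() {
  local ca=$1 client=$2 secs=$(( ${3:-30} * 86400 ))
  openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1 ||
    { echo "FAIL: $client is not signed by $ca"; return 1; }
  openssl x509 -in "$ca" -noout -checkend "$secs" >/dev/null ||
    { echo "FAIL: $ca expires within the window"; return 1; }
  openssl x509 -in "$client" -noout -checkend "$secs" >/dev/null ||
    { echo "FAIL: $client expires within the window"; return 1; }
  echo "OK: $client chains to $ca"
}

# cert_fingerprint PEM: SHA-256 fingerprint as colon-separated hex, the form
# `keytool -list -v` prints for each trust store entry
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed test material: two unrelated CAs and one client certificate
work=$(mktemp -d) && cd "$work" || exit 1
printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
  'prompt = no' '[dn]' 'CN = Example CAC CA' '[v3_ca]' \
  'basicConstraints = critical,CA:TRUE' > demo.cnf
new_ca() {  # new_ca NAME: self-signed CA with an unencrypted throwaway key
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -config demo.cnf \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
new_ca ca && new_ca other
openssl req -new -newkey rsa:2048 -nodes -sha256 -config demo.cnf \
  -subj "/CN=analyst1" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca.key \
  -set_serial "0x$(openssl rand -hex 16)" -out client.pem 2>/dev/null

check_client_cert ca.pem client.pem        # signed by this CA
check_client_cert other.pem client.pem     # unrelated CA: must fail
check_client_cert ca.pem client.pem 400    # 365-day certs fail a 400-day window
echo "ca.pem SHA-256: $(cert_fingerprint ca.pem)"
```

    Compare the printed fingerprint with the SHA256 value that keytool -list -v reports for the cacbundle alias to confirm the trust store holds the CA you intended to import.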

    Adding a User to Exabeam Data Lake

    Data Lake users must be added in a separate process from your organization's LDAP service. User permissions to view and execute tasks are based on the role(s) a user is assigned. Actions and views where a user has more than one role designation will follow the permission with the greatest access privilege.

    To add a new user in Data Lake:

    1. Log in to your instance of the UI.

    2. Click the settings icon at the top-right corner of any page, and then click Settings.

    3. In the User Management section, click Users.

    4. Click + Add User.

    5. Enter the user details.

    6. Select applicable roles.

    7. Click SAVE.

    The new user now appears on the User Management page.


    Exabeam User Password Policy

    Exabeam users must adhere to security requirements for forming passwords. The Exabeam Security Management Platform (SMP) adheres to the following for user passwords:

    • Passwords must:

      • Be between 8 and 32 characters

      • Contain at least one uppercase, lowercase, numeric, and special character

      • Contain no blank space

    • User must change password every 90 days

    • New passwords cannot match last 5 passwords

    • SHA256 hashing is applied to store passwords

    • Only an administrator user can reset passwords and unblock users who have been locked out due to too many consecutive failed logins

    The management policies that are adjustable:

    • Strong password policy can be changed by editing the webcommon block in /opt/exabeam/config/common/web/custom/application.conf.

      webcommon {
        auth {
          defaultAdmin {
            username = "admin"
            password = "changeme"
          }
          passwordConstraints {
            minLength = 8
            maxLength = 32
            lowerCaseCount = 1
            upperCaseCount = 1
            numericCount = 1
            specialCharCount = 1
            spacesAllowed = false
            passwordHistoryCount = 5 # 0 to disable password history checking
          }
          failedLoginLockout = 0  # 0 to disable loginLockout
          passwordExpirationDays = 90 # 0 to disable password expiration
          passwordHashing = "sha256" # accept either sha256 or bcrypt as options
        }
      }
    • Default idle session timeout is 4 hours. Edit the silhouette.authenticator.cookieIdleTimeout value (in seconds) in /opt/exabeam/config/common/web/custom/application.conf.

      silhouette.authenticator.cookieIdleTimeout = 14400
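
    Several settings in application.conf switch a control off when set to 0 or only accept a documented range, so a copy of the file can be scanned for those values during a review. The script below is an added example, not Exabeam tooling: the key names are the ones shown in this guide (password policy, audit retention and sslClientAuth), while the function names, the line-based parsing (plain key = value lines rather than full HOCON) and the sample file contents are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Exabeam tooling. Key names are the ones shown on this page;
# the parser is an assumption: it reads plain `key = value` lines, not full HOCON.

# conf_get KEY FILE: last value assigned to KEY, with comments and quotes stripped
conf_get() {
  sed -n -E "s/^[[:space:]]*([A-Za-z.]+\.)?$1[[:space:]]*=[[:space:]]*//p" "$2" |
    sed -E 's/[[:space:]]*#.*$//; s/^"//; s/"$//' | tail -n 1
}

# audit_conf FILE: print one finding per line (no output means nothing flagged)
audit_conf() {
  local f=$1 v key
  for key in failedLoginLockout passwordExpirationDays passwordHistoryCount; do
    v=$(conf_get "$key" "$f")
    if [ "$v" = "0" ]; then echo "$key=0: this control is disabled"; fi
  done
  v=$(conf_get password "$f")
  if [ "$v" = "changeme" ]; then echo "defaultAdmin password is still the sample value"; fi
  v=$(conf_get passwordHashing "$f")
  case "$v" in
    bcrypt|"") ;;
    sha256) echo "passwordHashing=sha256: bcrypt is the accepted option built for password storage" ;;
    *) echo "passwordHashing=$v: not one of sha256 or bcrypt" ;;
  esac
  v=$(conf_get retentionPeriod "$f")
  if [ -n "$v" ] && { [ "$v" -lt 1 ] || [ "$v" -gt 365 ]; }; then
    echo "retentionPeriod=$v: outside the 1 to 365 day range"
  fi
  v=$(conf_get sslClientAuth "$f")
  if [ "$v" != "true" ]; then echo "sslClientAuth=${v:-unset}: CAC login needs it set to true"; fi
}

# Constructed sample input modelled on the snippets in this guide (values are made up)
sample=$(mktemp)
cat > "$sample" <<'EOF'
webcommon {
  audit.retentionPeriod = 400
  auth {
    defaultAdmin.password = "changeme"
    passwordConstraints.passwordHistoryCount = 5 # 0 to disable password history checking
    failedLoginLockout = 0  # 0 to disable loginLockout
    passwordExpirationDays = 90 # 0 to disable password expiration
    passwordHashing = "sha256" # accept either sha256 or bcrypt as options
  }
}
tequila.service.sslClientAuth = false
EOF
audit_conf "$sample"
```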

    User Engagement Analytics Policy

    Exabeam uses user engagement analytics to provide in-app walkthroughs and anonymously analyze user behavior, such as page views and clicks in the UI. This data informs user research and improves the overall user experience of the Exabeam Security Management Platform (SMP). Our user engagement analytics sends usage data from the web browser of the user to a cloud-based service called Pendo.

    Our user engagement analytics receives three types of data from the web browser of the user and sends them to Pendo:

    • Metadata – User and account information that is explicitly provided when a user logs in to the Exabeam SMP, such as:

      • User ID or user email

      • Account name

      • IP address

      • Browser name and version

    • Page Load Data – Information on pages as users navigate to various parts of the Exabeam SMP, such as root paths of URLs and page titles.

    • UI Interactions Data – Information on how users interact with the Exabeam SMP, such as:

      • Clicking the Search button

      • Clicking inside a text box

      • Tabbing into a text box

    Opt Out of User Engagement Analytics


    For customers with a Federal license, we disable user engagement analytics by default.

    To prevent Exabeam SMP from sending your data to our user analytics:

    1. Access the config file at

    2. Add the following code snippet to the file:

      webcommon {
          app.tracker {
            appTrackerEnabled = false
            apiKey = ""
          }
      }
    3. Run the following command to restart Web Common and apply the changes:

      . /opt/exabeam/bin/shell-environment.bash
      web-common-restart