Exabeam SearchSearch Release Notes

Exporting Search Results with or without Null Fields

Search now provides the option to export search results with or without null fields. A new check box has been added to the Export Events dialog box. By default, the check box is not selected, which means that null fields are excluded from export. For more information, see Export Search Results in the Search guide.

New Syntax for Regex and Wildcard

Search has been enhanced by introducing 4 new operators for Regex and wildcard queries, giving you more explicit control.

For more information, see Query Syntax.

Aggregation Enhancements

Search aggregations have been enhanced to allow multiple functions to be used at the same time for a single field and to allow time fields to be aggregated.

IPv6 Support

Search has been enhanced to include support for IPv6-formatted IP addresses. This most recent version of the Internet Protocol offers over 1,000 times the number of unique IP addresses offered by IPv4. Other technical differences make IPv6 more secure and flexible than IPv4.

Search Visualizations

To quickly view and analyze search results, you can now pivot from search results to the Dashboard app to create a visualization.

Pivot support is available from the following areas in the Search app:

Upon pivoting to the Dashboard app, you are presented with the visualization editor view with your information preconfigured.

Improved Search Logic

The Search logic for producing results has been optimized to remove the possibility of running out of memory. This enhancement enables the processing of large logs with a lot of events that produce a large number of results.

Increased Search Capability

New capabilities have been added to Search for customers that have a Security Investigation License.

These include:

Increased Long-term Search Capability

New capabilities have been added to Search for customers that have the Long-term Search add-on:

Log Retention Enforcement

For deployments without a Long-term Search or Storage license, Exabeam will begin enforcing the log retention period (see Exabeam License Entitlements for term details). When this occurs, Exabeam will purge all logs beyond the one month contracted obligation for the Search application.

By default, Exabeam Security Investigation and Exabeam Security Analytics both come with one month of retention for anomalies in the Search application. These licenses are not eligible to add-on the Long-term Search and Long-term Storage license. Therefore, for additional storage, contact your Exabeam representative to upgrade to the Exabeam Fusion license and purchase the desired add-on licenses.

This retention policy will be applied to all deployments that do not have these add-ons, including Exabeam Security Log Management, Exabeam SIEM, and Exabeam Fusion licenses.

Global Log Retention

The June feature release of Global Log Retention has been temporarily postponed to complete UI improvements . The July 31st customer deadline to configure Global Log Retention settings will no longer be enforced. 

There is no customer action required at this time. We will communicate the new release timeline when it becomes available.

Advanced Search Autocomplete Suggestions

Advanced Search has been enhance to provide autocomplete suggestions of possible values for subject, vendor, and products as you are creating your query.

This allows you to more easily reference default Common Information Model fields and values to build search queries faster with fewer mistakes.

Time Range Searches

Advanced Search has been enhanced to support any date/time fields in Search, such as datetime or timestamp.

Previously the only supported time field you could use when building queries was the approxLogTime field.

Exact Match Queries

Advanced Search has been enhanced to support a new specification for full text search and field value search, in order to accommodate every use case.

Previously, searches returned results following a token-match logic. You can now define search queries which will return exact matches, using the newly supported == syntax.

This allows you to narrow down your search results to exact match events only, if desired.

User-Based Context Tables

Search now supports user-based custom context tables and allows you to filter on these tables.

Aggregated Search Enhancements

Search has added several enhancements to aggregated searches:

Faster Narrowed Down Searches

Search has been enhanced to allow you to narrow down searches faster by leveraging any parsed field from the results view without the need to open a full event view. This is done by allowing you to select any parsed field in your search results and include, exclude, or copy it, and add it to your query, to quickly update your search query.

Descriptions of Fields and Subjects

Query Builder has been enhanced by adding descriptions to Common Information Model fields and subjects. This provides you with immediate knowledge of the fields without having to leave the Search application to search for more information, allowing you to make faster decisions while building your query.

The data type of the fields is also provided in the description. Syntax for queries is dependent on the data type of the fields, and this allows you to tailor your query to the data type, assisting you in writing correct queries. This will reduce the number of errors, and instances of queries that produce no results.

Search Within Query Builder

Query Builder has been enhanced to allow you to search across subjects, products and vendors, and fields in order to quickly narrow down your choices. Previously, it could be time consuming to find what you were looking for in the subjects, vendors & products, and fields sections of Query Builder. This allows you to build your query faster.

Aggregated Search Results

Search results have been enhanced to enable you to build aggregated search results, providing a quick way to build fast, high-level search result summaries. This eliminates the need to use Dashboards or third-party tools.

Context Table Size Increase

Search is now enhanced to support searches using context tables up to 100,000 rows. Context tables were previously limited to 10,000 rows.

Regex Support for Free Text Searches

Free text search is now enhanced to support Regex expressions for full text search. Previously, Regex expressions were only allowed for field searches. This provides more flexibility and allows you to filter results with additional granularity.

Context Search with Hexadecimals

Basic and advanced search modes now allow context searches on a hexadecimal type field. Previously, only searches on decimal type fields were supported.

Hidden Internal Fields

To streamline the user interface, Query Builder now hides internal fields. This enables you to concentrate on Common Information Model, metadata, and custom fields.

Interface Improvements

Made several general interface improvements, including the ability to pin the Field Summary panel to the search results page, and, when scrolling through the Event Details panel, the navigation controls remain visible.

Saved Search Field Template

The selected field template is now saved as part of the saved search. This saved field template will be visible in the saved searches list.

Export Parsed Events

When exporting events, you can now choose between exporting raw log data and/or the full event data with all or some of the parsed fields.

Customer Specific Common Fields

The Common Fields list in Query Builder will now only reflect those fields that are specific to your environment. Common fields that are not specific to you, will still be searchable and will still receive autocomplete suggestions in the Search bar.

Searchable MITRE ATT&CK^® Tactics

You can use the mitre_labels field in the Common Fields list to search for MITRE ATT&CK^® tactics when searching for correlation triggers and alerts.

Secured Resources Notification

Exabeam introduces Secured Resources functionality, a new capability to configure restricted log event subsets and limit their visibility based on a role. This provides a powerful mechanism to control data access for specific roles. These restrictions will apply to Search, Dashboards, and Correlation Rule Builder.

Within the Search application, you will be informed when your access to certain events are restricted. This will help to explain why you might be receiving fewer search results than you expected.

Full Support of IP ranges

The IP range support has been expanded to support all octets of IP ranges. For example, src_ip : [0.0.0.0 TO 255.255.255.255]. Previously, only the last two octets were supported.

Public Saved Searches

You can specify whether the search that you created should be saved as private or public. A private search is only able to be viewed or edited by the creator. When viewing your saved searches, you are able to see which are marked as private and public.

Downloads Page

When you receive a notification of a successful export, the link in the notification redirects you to the Downloads Page, so that you can download any or all of the exported files with one click.

Search Query Progress

The Search process was improved by providing additional visibility into the progress of a Search query. This is accomplished by showing key parameters such as scanned bytes, number of rows fetched and timeframe searched.

Context Table Lookup

Search has been enhanced to allow you to select a context table to use with a field. This allows you to manage large IOC lists, and search against these IOC lists, providing a way to leverage your company context for your searches.

Metadata Fields

Query Builder has been enhanced with a new tab, Metadata Fields, that lists the metadata fields that you can incorporate into your search.

Using CIDR Notation with IP Addresses

Search has been enhanced to allow you to query for a range of IP Addresses using CIDR notation.

Expanded Field Summary Results

The field summary results have been expanded to include fields that do not belong to the selected subject. This "General" category of fields includes a predefined list of the most commonly used fields, even if they are not subject fields.