Search Features Introduced in 2024

October 2024

Feature

Description

Structured Fields Available in Basic Search Mode

Certain structured fields, represented by dot notation, can now be selected from the Common Event Fields list in the Basic Search mode. Support for these fields in Basic search makes adding them to a query simple and fast. For example, you can now easily select field names such as geo_dest_ip.country, rules.rule_source, or rules.mitre_labels_technique.

For more information and syntax examples, see Building a Basic Search in the Search Guide

August 2024

Feature	Description
New Null Check Box in Basic Search	It is now easier to build a Basic Search query that will look for fields that either do or do not contain an empty value. A new Empty (null) check box has been added to the field selection dialog box in the Basic Search panel. Using the check box automatically generates the correct syntax to search for a field with a null value. For more information and syntax examples, see Building a Basic Search in the Search Guide

Feature

Description

New Null Check Box in Basic Search

It is now easier to build a Basic Search query that will look for fields that either do or do not contain an empty value. A new Empty (null) check box has been added to the field selection dialog box in the Basic Search panel. Using the check box automatically generates the correct syntax to search for a field with a null value.

For more information and syntax examples, see Building a Basic Search in the Search Guide

July 2024

Feature	Description
Additional Advanced Query Language Expansion	Exabeam Query Language (EQL) capabilities have been enhanced to include the use of the following operators: Pipe (\|) – Can be used to separate clauses in a query statement. The pipe operator feeds the result set from an initial clause into the next clause, allowing for the creation of more complex search queries. FOREACH – Can be used to run a search function on every row of a results set returned by a previous query or by an earlier clause in a complex, pipe-separated (\|) query. For more information and syntax examples, see Query Using Advanced Query Language Operators in the Search Guide
Support for Multiple Context Tables in Search	You can now reference multiple context tables in a single search query, enhancing search efficiency and depth. This update supports adding up to two context tables simultaneously, to either a Basic Search or an Advanced Search query. The date range that can support querying with a context table has also been expanded from a 31 day sliding window to a 90 day sliding window. For more information, see the following topics in the Search Guide: Context Tables in Search Advanced Search - Query by Context Table Building a Basic Search

Feature

Description

Additional Advanced Query Language Expansion

Exabeam Query Language (EQL) capabilities have been enhanced to include the use of the following operators:

Pipe (|) – Can be used to separate clauses in a query statement. The pipe operator feeds the result set from an initial clause into the next clause, allowing for the creation of more complex search queries.
FOREACH – Can be used to run a search function on every row of a results set returned by a previous query or by an earlier clause in a complex, pipe-separated (|) query.

For more information and syntax examples, see Query Using Advanced Query Language Operators in the Search Guide

Support for Multiple Context Tables in Search

You can now reference multiple context tables in a single search query, enhancing search efficiency and depth. This update supports adding up to two context tables simultaneously, to either a Basic Search or an Advanced Search query.

The date range that can support querying with a context table has also been expanded from a 31 day sliding window to a 90 day sliding window.

For more information, see the following topics in the Search Guide:

May 2024

Feature	Description
New UI Indicators for Enriched Fields	You can now easily identify enriched fields in the Event Details panel of search results, thanks to new indicator icons and tooltips. Enriched fields provide additional information that can be useful for threat detection and analysis. Each enriched field displays an icon, signaling that it contains data enhanced by a specific type of enrichment data. Hover over these icons to view a tooltip that describes the enrichment source. For more information, see Event Details in the Search Guide.

Feature

Description

New UI Indicators for Enriched Fields

You can now easily identify enriched fields in the Event Details panel of search results, thanks to new indicator icons and tooltips. Enriched fields provide additional information that can be useful for threat detection and analysis. Each enriched field displays an icon, signaling that it contains data enhanced by a specific type of enrichment data. Hover over these icons to view a tooltip that describes the enrichment source.

For more information, see Event Details in the Search Guide.

April 2024

Feature

Description

Search Bar Improved Redesign

The search bar on the Search home page has been redesigned for additional flexibility and ease of use. You can now select the method of search from a Search Mode drop down menu directly under the search bar. Options include Basic, Advanced, and Natural Language search modes. The search bar display changes to accommodate each search mode. In addition, the Run Search and time range selector have both been moved inside the search bar.

For Advanced search, the search bar has been specifically enhanced for improved readability. It now supports the following:

White space characters (such as spaces, tabs, and line breaks) can be used between query syntax terms.
Line numbering is displayed for queries that are formatted on multiple lines.
Warnings and syntax validation errors that are displayed per line.
Color-coding to make syntax elements recognizable.

For more information, see Advanced Search in the Search Guide.

March 2024

Feature	Description
Advanced Query Language Expansion	Exabeam Advanced Search Language capabilities have been enhanced to include the following: Advanced Query Language Operators – Exabeam introduces a number of operators that can be used to create complex queries in Search. You can leverage these operators to build multi-clause queries, where one clause can provide results or filtering to subsequent clauses. For more information and syntax examples, see Query Using Advanced Query Language in the Search Guide Aggregation Functions – Exabeam introduces aggregation functions that can be used when creating complex queries in Search. Available functions include `COUNT`, `MAX`, `MIN`, `SUM`, and `AVG`. For more information and syntax examples, see Query Using Aggregation Functions in the Search Guide. Dynamic Parsed Fields – Search has been enhanced to enable dynamic extraction of unparsed fields from a Search query. This dynamic field extraction capability allows you to parse fields without first defining a new parser. To perform a dynamic field extraction, use an advanced EQL function (`RGX_EXTRACT(<field_expr>)`) to parse, at run-time, fields that might have been missed at the parsing stage. In this way, you can immediately address your search needs directly from the query. For more information, see Dynamic Field Extraction in the Search Guide. Geolocation IP Fields – Search now provides the capability to query geolocation IP data that is enriched by Log Stream to produce new geo-named fields (such as `geo_src_ip`). These new geo fields can then be leveraged to filter log data. For more information, see Query Geolocation IP Fields in the Search Guide.

Feature

Description

Advanced Query Language Expansion

Exabeam Advanced Search Language capabilities have been enhanced to include the following:

Advanced Query Language Operators – Exabeam introduces a number of operators that can be used to create complex queries in Search. You can leverage these operators to build multi-clause queries, where one clause can provide results or filtering to subsequent clauses.
For more information and syntax examples, see Query Using Advanced Query Language in the Search Guide
Aggregation Functions – Exabeam introduces aggregation functions that can be used when creating complex queries in Search. Available functions include COUNT, MAX, MIN, SUM, and AVG.
For more information and syntax examples, see Query Using Aggregation Functions in the Search Guide.
Dynamic Parsed Fields – Search has been enhanced to enable dynamic extraction of unparsed fields from a Search query. This dynamic field extraction capability allows you to parse fields without first defining a new parser.
To perform a dynamic field extraction, use an advanced EQL function (RGX_EXTRACT(<field_expr>)) to parse, at run-time, fields that might have been missed at the parsing stage. In this way, you can immediately address your search needs directly from the query.
For more information, see Dynamic Field Extraction in the Search Guide.
Geolocation IP Fields – Search now provides the capability to query geolocation IP data that is enriched by Log Stream to produce new geo-named fields (such as geo_src_ip). These new geo fields can then be leveraged to filter log data.
For more information, see Query Geolocation IP Fields in the Search Guide.

February 2024

Feature	Description
Introducing Global Log Retention	Exabeam introduces global log retention, providing the capability to configure specific log retention periods. By configuring your system's global log retention, you can optimize your long-term search and storage capacities to ensure that you store logs only while they add value, or are required to be stored according to regulatory requirements. You can access this functionality if your license has a subscription for Long-term Search or Long-term Storage add-ons, and your account has admin access. With global log retention you can: Define a global retention period for all log data based on their age, so storage space is not wasted on logs that are no longer valuable. View your current long term storage capacity and license usage, so that you can plan your usage and costs. Understand when your long term storage capacity usage is reaching the contracted capacity limit, allowing you to extend your long term storage capacity on time. Purge logs that have a data age greater than the global log retention period you have defined, ensuring that accidental retention changes won’t affect your regulatory requirements. For more information, see Global Log Retention in the Search Guide
Natural Language Search	Search now supports a new natural language query mode. This feature is part of Exabeam Copilot and its set of AI-driven capabilities.. When you click the Natural Language icon () in the search bar, you can enter a query prompt using natural language. The prompt is translated automatically into Exabeam Query Language, which is displayed on screen and can be edited. For example, the following natural language prompt can be translated into the following Exabeam Query Language: Natural Language Prompt: top 50 users in the last 24 hours filtered by vendor Microsoft Exabeam Query Language: `SELECT user, count() AS user_count WHERE vendor:"Microsoft" GROUP-BY user ORDER-BY user_count desc LIMIT 50` With natural language queries you can: Build complex queries without the need for expert knowledge of complicated query syntax. Build day-to-day queries quickly in order to focus efficiently on potential threats. Modify queries either by editing the natural language prompt or by editing the generated query syntax. Modify queries to easily zero in on specific aspects of the results. For more information, see Natural Language Search in the Search Guide*.
Natural Language Event Titles in Search Results	When Search results are returned, the events list now displays easy-to-read event titles. Each event title includes a representative icon and provides a natural language description of the event. These improvements provide understanding at a glance that helps to accelerate investigations and decision making. For more information, see List View of Search Results in the Search Guide.

Feature

Description

Introducing Global Log Retention

Exabeam introduces global log retention, providing the capability to configure specific log retention periods. By configuring your system's global log retention, you can optimize your long-term search and storage capacities to ensure that you store logs only while they add value, or are required to be stored according to regulatory requirements.

You can access this functionality if your license has a subscription for Long-term Search or Long-term Storage add-ons, and your account has admin access.

With global log retention you can:

Define a global retention period for all log data based on their age, so storage space is not wasted on logs that are no longer valuable.
View your current long term storage capacity and license usage, so that you can plan your usage and costs.
Understand when your long term storage capacity usage is reaching the contracted capacity limit, allowing you to extend your long term storage capacity on time.
Purge logs that have a data age greater than the global log retention period you have defined, ensuring that accidental retention changes won’t affect your regulatory requirements.

For more information, see Global Log Retention in the Search Guide

Natural Language Search

Search now supports a new natural language query mode. This feature is part of Exabeam Copilot and its set of AI-driven capabilities..

When you click the Natural Language icon () in the search bar, you can enter a query prompt using natural language. The prompt is translated automatically into Exabeam Query Language, which is displayed on screen and can be edited.

For example, the following natural language prompt can be translated into the following Exabeam Query Language:

Natural Language Prompt: top 50 users in the last 24 hours filtered by vendor Microsoft
Exabeam Query Language: SELECT user, count(*) AS user_count WHERE vendor:"Microsoft" GROUP-BY user ORDER-BY user_count desc LIMIT 50

With natural language queries you can:

Build complex queries without the need for expert knowledge of complicated query syntax.
Build day-to-day queries quickly in order to focus efficiently on potential threats.
Modify queries either by editing the natural language prompt or by editing the generated query syntax.
Modify queries to easily zero in on specific aspects of the results.

For more information, see Natural Language Search in the Search Guide.

Natural Language Event Titles in Search Results

When Search results are returned, the events list now displays easy-to-read event titles. Each event title includes a representative icon and provides a natural language description of the event. These improvements provide understanding at a glance that helps to accelerate investigations and decision making.

For more information, see List View of Search Results in the Search Guide.

January 2024

Feature	Description
Add Search to Event Details Panel	To quickly locate specific fields in your search results, you can now use a Search field at the top of the Event Details panel. The new search will find fields in both the raw message text and in the list of fields that have been parsed by an event. For more information, see Event Details.

Exabeam SearchSearch Release Notes

Table of ContentsTable of Contents