
Exabeam Search Release Notes


Search Features Introduced in 2025

April 2025


Context Searching Using Non-key Columns

Until now, when searching for values in a context table, you could search only in the table's key column. Now you can search in any column of a context table, including non-key columns. This expanded functionality is available in both the Basic and Advanced search modes. You can include up to two tables in a query, and a single column for each table.

To facilitate the selection of non-key columns in Basic search, changes have been made in the UI for adding a context table to the query. When you choose a context table, a preview of the table is displayed. The key column is selected by default, but you can select any other column in the table.

[Image: context-in-search-2.png]

In Advanced search, additional syntax is provided to specify both a context table and a particular column in it. For backward compatibility, you can still add a context table without specifying a column; if no column is indicated, the query searches for values in the key column by default. The new syntax takes the following form: IN "table name"."column name"

For more information about adding context tables to Basic or Advanced search queries, see Context Tables in Search in the Search Guide.

Advanced Search Suggestion Improvements

In the Advanced search mode, automated suggestions have been improved to display a greater variety of possible syntax options and to make those suggestions with greater context-awareness. The automated suggestions can now include keywords, logical operators, fields, field values, and functions. Suggestions are displayed only if they are appropriate for the clause or syntax you are entering. For visual clarity, each type of suggestion is accompanied by an icon that indicates what type of syntax it represents.

For more information about Advanced search suggestions, see Running an Advanced Search in the Search Guide.

Expanded IOC Field Enrichment

You can now search for IOC data from both Exabeam-provided and STIX/TAXII-based threat intelligence sources. This functionality is made possible because the Context Management service now provides threat intelligence data from both prebuilt, curated sources and from external log sources that support the STIX/TAXII framework.

Note

STIX/TAXII context tables are available as part of a Cloud Collector Early Access program. During the early access period, you can access this functionality for STIX/TAXII context tables only if you participate in the program. To participate, see Sign Up for the Early Access Program in the Cloud Collectors Administration Guide.

To facilitate this expanded functionality, a new ioc_sources attribute has been added to the enriched IOC fields you can query in the Search application. Values in this field identify which log source a suspected IOC record was ingested by.

For more information, see Threat Intelligence Enrichment in the Search Guide.

March 2025


Data Insights

Data Insights functionality was previously only available to users with one of the New-Scale licenses. It is now also available to users with any Exabeam Security Operations licenses.

The Insights tab is available in the Event Details panel for any search results that include parsed user or device information. The Insights tab provides a quick, easy way to drill into information related to events in your results. It lets you visualize what else is going on around a selected event, within specific time ranges. For example, if an event shows that a user triggered an alert, you can investigate which other assets the user has accessed in the past few days, which countries the user logged in from, or what files the user accessed.

For more information, see Data Insights in the Search Guide.

Entity Search Enhancements

The Entities tab in the Basic Search mode has been enhanced for more intuitive use and to display an increased level of detail. As part of the Exabeam True Identity functionality, the User Entity search consolidates all of the identifiers associated with a user account in your environment. In this way, you can efficiently search across all the user identifiers with a single query. The process has been improved so that you can search by a user's full name or by any username or email address associated with the user account. Tooltips have been added so that you can view all of the associated names and addresses that will be included in the search results.

[Image: user-entity-selection-tooltip.png]

Options are still available to search by specific user account identifiers, including username or email address. For more information about user entity searching, see Pre-Built Basic Search Lists in the Search Guide.

This feature is currently available only if you have either the New-Scale Analytics license or the New-Scale Fusion license. For more information about these licenses, see New-Scale Security Operations Portfolio Licenses.

For more information about managing and viewing entities in your environment, see the Attack Surface Insights guide.

January 2025


Support for Device Context Tables

You can now include device context tables in both Basic and Advanced search queries, allowing you to search for information about devices in your environment. Specifically, you can now search for results in the following types of device context tables:

  • Active Directory

  • CrowdStrike

  • Microsoft Entra ID

For more information, see Context Tables in Search in the Search Guide.

Relative Time Range Option

A new Relative time range option is now available when building your Search queries. It provides a more precise and flexible approach to searching within a relative time range. The Quick time range options are still available, but with the Relative option you are not limited to fixed choices. You can specify a relative start and end date, such as 1 to 3 months ago. The relative options are translated into specific dates, which are displayed in the time range selector box, as shown below.

[Image: relative-time-range.png]

Guardrails for Pipe Operator Use

New guardrails have been introduced for the use of the pipe operator in the Advanced search mode. They provide warnings to help prevent overuse or misuse of pipe operators in ways that make queries slow and inefficient. When you write a query with a pipe operator that could be written more effectively with an AND operator or a WHERE clause, a warning is displayed below the search bar.

[Image: pipe-warning.png]

For more information, see the Pipe Operator section of Query Using Advanced Query Language Operators in the Search Guide.

Timeline View of Search Results

Exabeam introduces a new Timeline view of search results that brings the investigational timeline experience into the Search application. Analysts and threat hunters can use the Timeline view as a starting point for investigating risky or anomalous events while still leveraging the granular filtering capabilities of the Search application.

The Timeline view is designed specifically with this task in mind. It's visually organized so that detection events are easy to spot and investigate. You can drill into the detections or the associated events to find detailed information and data insights.

For more information, see Timeline View of Search Results in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information, see New-Scale Security Operations Portfolio Licenses.

Rule Details Panel

A new Rule Details panel is available for viewing detailed rule information when search results return detection events. This new panel facilitates interactions with events that may represent a security threat or anomalous behavior. The panel includes a raw log message, a full list of parsed fields, and an expandable list of any rules associated with the detection event.

For more information, see Rule Details in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information, see New-Scale Security Operations Portfolio Licenses.

Data Insights

A new Insights tab is available in the Event Details panel for any search results that include parsed user or device information. The Insights tab provides a quick, easy way to drill into information related to events in your results. It lets you visualize what else is going on around a selected event, within specific time ranges. For example, if an event shows that a user triggered an alert, you can investigate which other assets the user has accessed in the past few days, which countries the user logged in from, or what files the user accessed.

For more information, see Data Insights in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information, see New-Scale Security Operations Portfolio Licenses.

Entity Searching

A new Entities tab has been added to the pre-built search lists in the Basic Search window. From the new tab, you can search user and entity accounts using more of the enriched data than is available when searching with common event fields. For more information, see Pre-Built Basic Search Lists in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information, see New-Scale Security Operations Portfolio Licenses.