
Exabeam Search Release Notes


Search Features Introduced in 2025

June 2025

Feature

Description

Expanded Access to Timeline View of Search Results

Exabeam has expanded access to the Timeline view of search results. Previously, this view of results was available only to those with one of the New-Scale licenses. Access is now available with any license in the Exabeam portfolio of licenses.

The Timeline view brings the investigational timeline experience into the Search application. Analysts and threat hunters can use the Timeline view as a starting point for investigating risky or anomalous events while still leveraging the granular filtering capabilities of the Search application.

The Timeline view is designed specifically with this task in mind. It's visually organized so that detection events are easy to spot and investigate. You can drill into the detections or the associated events to find detailed information and data insights.

For more information, see Timeline View of Search Results in the Search Guide.

Support for Sort Order Selection of Search Results

A configurable sort order option is now available for search results. The new sort order selector is located in the search bar for Basic, Advanced, and Natural Language modes. It includes options to sort chronologically to show the most recent or the oldest results first. The sort happens on the server side when you run your search, so the newest or oldest results from the entire result set are displayed, not just the newest or oldest within the page that was returned.

For more information, see Search Bar in the Search Guide.

Updates to the Display of Detections in the Timeline View of Results

To enhance the chronological aspect of the Timeline view in Search, detections listed on the right-hand side of the view are now shown only on the row of the latest associated event. Detections can be triggered by multiple events and, previously, they were displayed in association with each triggering event. This led to a confusing view of the chronology of detections. To resolve this confusion and simplify the view, a detection is now displayed only on the chronologically latest associated event.

For more information about the Timeline view, see Timeline View of Search Results in the Search Guide.
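The two Timeline changes above (server-side chronological sort, and a detection anchored only to its latest triggering event) are easy to get wrong when you build or reproduce a timeline from raw search output. The following added Python example models that placement logic; it is illustrative code written for these notes, not Exabeam code, and the events, detection records and rule names are constructed. One behaviour is an assumption, not something the notes state: when a detection references events that are outside the current result set, the example anchors it to the latest triggering event that is present.

```python
"""Timeline placement of detections (added example, not Exabeam code).

Models the June 2025 Timeline behaviour described in the release notes:
rows are sorted chronologically on the full result set, and each detection
is shown once, on the row of its chronologically latest associated event.
legacy=True reproduces the earlier behaviour (detection repeated on every
triggering event) for comparison.
"""
from datetime import datetime, timezone

# Constructed sample search results (not real Exabeam events).
EVENTS = [
    {"id": "e1", "time": "2025-06-01T09:00:00Z", "user": "jsmith", "activity": "logon"},
    {"id": "e2", "time": "2025-06-01T09:05:00Z", "user": "jsmith", "activity": "file-access"},
    {"id": "e3", "time": "2025-06-01T09:20:00Z", "user": "jsmith", "activity": "logon"},
    {"id": "e4", "time": "2025-06-01T09:02:00Z", "user": "akim", "activity": "logon"},
]

# Constructed detections; a detection may be triggered by several events.
# "e0" in d3 is deliberately not in EVENTS (e.g. filtered out of the results).
DETECTIONS = [
    {"id": "d1", "rule": "Multiple logons in short window", "events": ["e1", "e3"]},
    {"id": "d2", "rule": "First access to sensitive share", "events": ["e2"]},
    {"id": "d3", "rule": "Logon from new device", "events": ["e0", "e4"]},
]


def parse_ts(value):
    """Parse the UTC ISO-8601 timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timeline_rows(events, detections, newest_first=True, legacy=False):
    """Return [(event_id, [detection_ids])] in display order.

    newest_first selects the sort direction applied to the whole result set.
    legacy=True attaches a detection to every triggering event (old view);
    legacy=False attaches it only to the latest one (current view).
    """
    by_id = {e["id"]: e for e in events}
    attached = {}
    for det in detections:
        # Assumption: ignore triggering events that are not in the result set
        # and anchor to the latest one that is.
        present = [i for i in det["events"] if i in by_id]
        if not present:
            continue  # nothing in this result set to anchor the detection to
        if legacy:
            targets = present
        else:
            targets = [max(present, key=lambda i: parse_ts(by_id[i]["time"]))]
        for event_id in targets:
            attached.setdefault(event_id, []).append(det["id"])

    ordered = sorted(events, key=lambda e: parse_ts(e["time"]), reverse=newest_first)
    return [(e["id"], attached.get(e["id"], [])) for e in ordered]


if __name__ == "__main__":
    for row in timeline_rows(EVENTS, DETECTIONS):
        print(row)
    # Compare with the pre-June layout, where d1 appears on both e1 and e3:
    for row in timeline_rows(EVENTS, DETECTIONS, legacy=True):
        print("legacy", row)
```

With the sample data, d1 (triggered by e1 and e3) appears only on the e3 row in the current layout, whereas the legacy layout repeats it on e1 as well; d3 lands on e4 because its other triggering event is not in the result set.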

Improved Visibility for Site Tags in Search Results

Site tags are now more easily visible in both the Timeline View and the List View of search results. If you use unique site names to manage access to data from specific collector sources in your environment, tags with site names are now clearly visible on each event ingested by a tagged cloud or site collector. You can also toggle the display of the tags on or off in the search results.

For more information, see either Timeline View of Search Results or List View of Search Results in the Search Guide.

Context Searching Using Any Table Type

When searching context values, you can now add any type of context table to a search query. You can search for data in collector-based context tables, in custom or filtered context tables, or in pre-built context tables.

For more information about adding context tables to Basic or Advanced search queries, see Context Tables in Search in the Search Guide.

April 2025


Context Searching Using Non-key Columns

Previously, when searching for values in a context table, you could search only in the table's key column. Context tables in search now support searching in any column of the table, including non-key columns. This expanded functionality is available in both the Basic and Advanced search modes. You can include up to two tables in a query, and a single column for each table.

To facilitate the selection of non-key columns in Basic search, changes have been made in the UI for adding a context table to the query. When you choose a context table, a preview of the table is displayed. The key column is selected by default, but you can select any other column in the table.

[Figure: context-in-search-2.png]

In Advanced search, additional syntax is provided to select both a context table and a specific column. For backwards compatibility, you can still add a context table without specifying a column; if no column is indicated, the query searches the key column by default. The new syntax takes the following form: IN "table name"."column name"

For more information about adding context tables to Basic or Advanced search queries, see Context Tables in Search in the Search Guide.
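To make the column-selection semantics concrete, the following added Python example models a clause of the form described above (`field IN "table"` or `field IN "table"."column"`) and evaluates it against a small context table. This is illustrative code written for these notes, not Exabeam code: the clause parser covers only that clause shape, not the rest of the Advanced query grammar, and the table name, column names, event fields and events are constructed. It also enforces the documented limits of at most two tables per query and one column per table.

```python
"""Context-table membership clauses (added example, not Exabeam code).

Models  field IN "Table"  and  field IN "Table"."Column"  as described in the
April 2025 notes: with no column given, the table's key column is searched.
Table, column, field and event values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Only the context clause itself is parsed; the surrounding query is not modelled.
CLAUSE_RE = re.compile(r'^\s*(\w+)\s+IN\s+"([^"]+)"(?:\."([^"]+)")?\s*$')


@dataclass(frozen=True)
class ContextClause:
    field: str
    table: str
    column: Optional[str]  # None means "use the key column" (backwards-compatible default)


def parse_context_clause(text):
    """Parse 'field IN "Table"' or 'field IN "Table"."Column"'."""
    match = CLAUSE_RE.match(text)
    if not match:
        raise ValueError(f"not a context-table clause: {text!r}")
    return ContextClause(*match.groups())


class ContextTable:
    def __init__(self, name, key_column, rows):
        self.name, self.key_column, self.rows = name, key_column, rows
        self.columns = {col for row in rows for col in row}

    def values(self, column=None):
        """Distinct values in the requested column (key column if None)."""
        col = column or self.key_column
        if col not in self.columns:
            raise KeyError(f"context table {self.name!r} has no column {col!r}")
        return {row[col] for row in self.rows if row.get(col) is not None}


def validate_query(clauses, tables):
    """Enforce the documented limits: at most two tables, one column per table."""
    used = {}
    for c in clauses:
        col = c.column or tables[c.table].key_column  # normalise the default
        used.setdefault(c.table, set()).add(col)
    if len(used) > 2:
        raise ValueError("a query may reference at most two context tables")
    for name, cols in used.items():
        if len(cols) > 1:
            raise ValueError(f"only one column of {name!r} may be used per query")


def filter_events(events, clauses, tables):
    """Return the events for which every context clause matches."""
    validate_query(clauses, tables)
    wanted = [(c.field, tables[c.table].values(c.column)) for c in clauses]
    return [ev for ev in events if all(ev.get(f) in vals for f, vals in wanted)]


# Constructed context table: key column is "username".
PRIVILEGED = ContextTable("Privileged Accounts", "username", [
    {"username": "jsmith", "email": "jsmith@example.com", "department": "Finance"},
    {"username": "akim", "email": "akim@example.com", "department": "IT"},
])
TABLES = {PRIVILEGED.name: PRIVILEGED}

# Constructed events. Event 2 is sent from a privileged user's address but
# under a different login name, which only the "email" column search catches.
EVENTS = [
    {"id": 1, "user": "jsmith", "sender_email": "jsmith@example.com"},
    {"id": 2, "user": "bob", "sender_email": "akim@example.com"},
    {"id": 3, "user": "carol", "sender_email": "carol@example.com"},
]


def run(query):
    """Evaluate a single context clause against EVENTS; returns matching ids."""
    clause = parse_context_clause(query)
    return [ev["id"] for ev in filter_events(EVENTS, [clause], TABLES)]


if __name__ == "__main__":
    print(run('user IN "Privileged Accounts"'))                  # key column: [1]
    print(run('sender_email IN "Privileged Accounts"."email"'))  # non-key column: [1, 2]
```

The point to take from the sample data is that the column you search against changes the result set: matching `user` against the key column finds only event 1, while matching `sender_email` against the `email` column also surfaces event 2, where the sending address belongs to a privileged account but the login name does not.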

Advanced Search Suggestion Improvements

In the Advanced search mode, automated suggestions have been improved to display a greater variety of possible syntax options and to make those suggestions with greater context-awareness. The automated suggestions can now include keywords, logical operators, fields, field values, and functions. Suggestions are displayed only if they are appropriate for the clause or syntax you are entering. For visual clarity, each type of suggestion is accompanied by an icon that indicates what type of syntax it represents.

For more information about Advanced search suggestions, see Running an Advanced Search in the Search Guide.

Expanded IOC Field Enrichment

You can now search for IOC data from both Exabeam-provided and STIX/TAXII-based threat intelligence sources. This functionality is made possible because the Context Management service now provides threat intelligence data from both prebuilt, curated sources and from external log sources that support the STIX/TAXII framework.

Note

STIX/TAXII context tables are available as part of a Cloud Collector Early Access program. During the early access period, you can access this functionality for STIX/TAXII context tables only if you participate in the program. To participate, see Sign Up for the Early Access Program, in the Cloud Collectors Administration Guide.

To facilitate this expanded functionality, a new ioc_sources attribute has been added to the enriched IOC fields you can query in the Search application. Values in this field identify which log source a suspected IOC record was ingested from.

For more information, see Threat Intelligence Enrichment in the Search Guide.

March 2025


Data Insights

Data Insights functionality was previously available only to users with one of the New-Scale licenses. It is now also available to users with any Exabeam Security Operations license.

The Insights tab is available in the Event Details panel for any search results that include parsed user or device information. The Insights tab provides a quick, easy way to drill into information related to events in your results. It lets you visualize what else is going on around a selected event, within specific time ranges. For example, if an event shows that a user triggered an alert, you can investigate which other assets the user has accessed in the past few days, which countries the user logged in from, or what files the user accessed.

For more information, see Data Insights in the Search Guide.

Entity Search Enhancements

The Entities tab in the Basic Search mode has been enhanced for more intuitive use and to display an increased level of detail. As part of the Exabeam True Identity functionality, the User Entity search consolidates all of the identifiers associated with a user account in your environment. In this way you can efficiently search across all the user identifiers with a single query. The process has been improved so that you can search by a user's full name or by any username or email address associated with the user account. Tooltips have been added so that you can view all of the associated names and addresses that will be included in the search results.

[Figure: user-entity-selection-tooltip.png]

Options are still available to search by specific user account identifiers, including username or email address. For more information about user entity searching, see Pre-Built Basic Search Lists in the Search Guide.

This feature is currently available only if you have either the New-Scale Analytics license or the New-Scale Fusion license. For more information about these licenses, see New-Scale Security Operations Portfolio Licenses.

For more information about managing and viewing entities in your environment, see the Attack Surface Insights guide.

January 2025


Support for Device Context Tables

You can now include device context tables in both Basic and Advanced search queries, allowing you to search for information about devices in your environment. Specifically, you can now search for results in the following types of device context tables:

  • Active Directory

  • CrowdStrike

  • Microsoft Entra ID

For more information, see Context Tables in Search in the Search Guide.

Relative Time Range Option

A new Relative time range option is now available when building your Search queries. It provides a more precise and flexible approach to searching within a relative time range. The Quick time range options are still available, but with the Relative option you are not limited to fixed choices. You can specify a relative start and end date, such as 1 to 3 months ago. The relative options are translated into specific dates, which are displayed in the time range selector box, as shown below.

[Figure: relative-time-range.png]

Guardrails for Pipe Operator Use

New guardrails have been introduced for the use of the pipe operator in the Advanced search mode. They provide warnings to help prevent overuse or misuse of pipe operators in ways that can be slow and inefficient. When you write a query with a pipe operator that could more effectively be written with an AND operator or a WHERE clause, a warning is displayed below the search bar.

[Figure: pipe-warning.png]

For more information, see the Pipe Operator section of Query Using Advanced Query Language Operators in the Search Guide.

Timeline View of Search Results

Exabeam introduces a new Timeline view of search results that brings the investigational timeline experience into the Search application. Analysts and threat hunters can use the Timeline view as a starting point for investigating risky or anomalous events while still leveraging the granular filtering capabilities of the Search application.

The Timeline view is designed specifically with this task in mind. It's visually organized so that detection events are easy to spot and investigate. You can drill into the detections or the associated events to find detailed information and data insights.

For more information, see Timeline View of Search Results in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information see New-Scale Security Operations Portfolio Licenses.

Rule Details Panel

A new Rule Details panel is available for viewing detailed rule information when search results return detection events. This new panel facilitates interactions with events that may represent a security threat or anomalous behavior. The panel includes a raw log message, a full list of parsed fields, and an expandable list of any rules associated with the detection event.

For more information see Rule Details in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information see New-Scale Security Operations Portfolio Licenses.

Data Insights

A new Insights tab is available in the Event Details panel for any search results that include parsed user or device information. The Insights tab provides a quick, easy way to drill into information related to events in your results. It lets you visualize what else is going on around a selected event, within specific time ranges. For example, if an event shows that a user triggered an alert, you can investigate which other assets the user has accessed in the past few days, which countries the user logged in from, or what files the user accessed.

For more information, see Data Insights in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information see New-Scale Security Operations Portfolio Licenses.

Entity Searching

A new Entities tab has been added to the pre-built search lists in the Basic Search window. From the new tab you can search user and entity accounts using more of the enriched data than is available by searching with common event fields. For more information, see Pre-Built Basic Search Lists in the Search Guide.

This feature is currently available only if you have one of the New-Scale licenses. For more information see New-Scale Security Operations Portfolio Licenses.