Exabeam Security Management Platform: Exabeam Operational Hardening

How to Enable Cross-Site Request Forgery Protection

Cross-Site Request Forgery (CSRF) is a web vulnerability in which an attacker tricks the browser of an authenticated user into sending requests the user did not intend, so that the request is executed with that user's trusted credentials (typically the session cookie). Because the attacker cannot read the response, CSRF attacks aim to change state on the target rather than to steal data; typical examples are changing an account's email address or password.

CSRF protection is available for Exabeam Advanced Analytics and Data Lake but was disabled by default in earlier releases. Older versions of Advanced Analytics and Data Lake can either be hardened manually, as described below, or upgraded to a hardened supported version (Advanced Analytics i53.6 or later and Data Lake i34.6 or later) in which the setting is enabled by default.

For the versions in which CSRF protection is enabled by default, see Exabeam Hardening.

Enabling these protections may break API calls to the Exabeam SMP. Review the custom scripts and API integrations your organization uses against Exabeam, and follow the instructions in Step 1c to make them conform.

To enable CSRF protection, apply the following:

  1. For all deployments, configure /opt/exabeam/config/common/web/custom/application.conf on each master host so that CSRF protection is enabled when the web service starts.

    1. Set the following parameters in the CONF file. csrf.cookie.secure=true marks the CSRF token cookie as Secure, so browsers send it only over HTTPS; csrf.cookie.name sets the name of that cookie:

      csrf.enabled=true
      csrf.cookie.secure=true
      csrf.cookie.name="CSRF_TOKEN"
    2. Restart web-common to enable CSRF protection.

      . /opt/exabeam/bin/shell-environment.bash
      web-common-restart

      Note

      Log ingestion will not be interrupted during the restart. web-common can take up to 1 minute to resume services.

    3. API calls to Exabeam that send POST requests with Content-Type application/x-www-form-urlencoded, multipart/form-data or text/plain are subject to the CSRF check. These are the content types a browser can submit cross-site (for example from an HTML form) without a CORS preflight, which is why a CSRF filter inspects them; POSTs with other content types, such as application/json, are not affected by this check. Ensure that affected API clients send a Csrf-Token header with the value nocheck. This header exempts the request from the check, and it is safe to honour for non-browser clients because a cross-site browser request cannot add a custom header without a preflight.

      Continue with the next step.

  2. For Advanced Analytics deployments that use Case Manager or Incident Responder, edit /opt/exabeam/code/soar-python-action-engine/soar/integrations/exabeamaa/connector.py.

    1. Find the entry self._session = SoarSession(base_url=apiurl, timeout=timeout, verify=False) and replace it with the line below. Only the headers argument is added; the existing verify=False, which disables TLS certificate verification for this session, is not changed by this step:

      self._session = SoarSession(base_url=apiurl, timeout=timeout, verify=False, headers={'Csrf-Token': 'nocheck'})
    2. Restart the action engine services:

      sudo systemctl restart exabeam-soar-python-action-engine-web-server
      sudo systemctl restart exabeam-soar-python-action-engine
  3. If SAML is configured, the IdP’s domain must be added explicitly to the allowed CORS origins and the new configuration applied. A SAML response arrives as a browser form POST (application/x-www-form-urlencoded) from the IdP’s origin, which is exactly the kind of request the CSRF check inspects. Follow the steps in How to Enable Cross-Origin Resource Sharing Protection.
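The following is an added example, not Exabeam's own code, showing how a custom API script can be checked and adapted to the rule in Step 1c (the same Csrf-Token: nocheck header that Step 2 passes to SoarSession). It models the server behaviour only as the page describes it: POST requests with one of the three listed content types are checked unless the Csrf-Token header is nocheck. The host name, the request path and the sample request list are constructed placeholders, not real Exabeam endpoints.

```python
"""Added example (not Exabeam's code): audit a script's planned requests
against the CSRF rule from Step 1c and build requests that carry the
Csrf-Token: nocheck exemption. Uses only the Python standard library.

Assumptions: the server checks exactly POST + one of CSRF_CHECKED_TYPES,
and exempts requests whose Csrf-Token header equals 'nocheck', as the
page states. EXABEAM_URL and the request path are placeholders.
"""
import urllib.request
from urllib.parse import urlencode

# Content types the CSRF filter inspects (from Step 1c). A browser can
# send these cross-site without a CORS preflight, so these are the ones
# a CSRF filter must care about.
CSRF_CHECKED_TYPES = (
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
)

# Header/value pair that exempts a non-browser client from the check.
CSRF_BYPASS_HEADER = ("Csrf-Token", "nocheck")


def _content_type(headers):
    """Return the media type (without parameters) from a headers dict."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def is_csrf_checked(method, headers):
    """True if a request with this method/headers is subject to the check."""
    return method.upper() == "POST" and _content_type(headers) in CSRF_CHECKED_TYPES


def has_bypass_header(headers):
    """True if the request already carries Csrf-Token: nocheck."""
    name, value = CSRF_BYPASS_HEADER
    return any(k.lower() == name.lower() and v == value for k, v in headers.items())


def audit_requests(planned):
    """Given (method, headers) pairs a script intends to send, return the
    indexes of those the CSRF filter would reject: checked requests that
    lack the exemption header."""
    return [
        i for i, (method, headers) in enumerate(planned)
        if is_csrf_checked(method, headers) and not has_bypass_header(headers)
    ]


def build_request(url, data=None, headers=None):
    """Build a urllib Request that always carries Csrf-Token: nocheck.
    The header is harmless on GET and on unchecked content types, so
    adding it unconditionally is the simplest way to keep a script working.
    If `data` is given it is sent form-urlencoded, i.e. as a checked type."""
    hdrs = dict(headers or {})
    hdrs.setdefault(*CSRF_BYPASS_HEADER)
    body = None
    if data is not None:
        body = urlencode(data).encode()
        hdrs.setdefault("Content-Type", "application/x-www-form-urlencoded")
    return urllib.request.Request(url, data=body, headers=hdrs)


# Constructed sample: requests an existing automation script might send.
EXABEAM_URL = "https://exabeam.example.internal"  # placeholder host

SAMPLE_REQUESTS = [
    ("GET", {"Accept": "application/json"}),                               # never checked
    ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),       # would be rejected
    ("POST", {"Content-Type": "application/json"}),                        # not a checked type
    ("POST", {"Content-Type": "multipart/form-data; boundary=xyz",
              "Csrf-Token": "nocheck"}),                                   # checked but exempted
]

if __name__ == "__main__":
    print("Requests the CSRF filter would reject:", audit_requests(SAMPLE_REQUESTS))
    # "/example/path" is a placeholder, not a real Exabeam API endpoint.
    req = build_request(EXABEAM_URL + "/example/path", data={"field": "value"})
    print(req.get_method(), dict(req.header_items()))
```

Run the audit over the request list your script actually issues before enabling csrf.enabled=true; anything it reports is a call that will start failing after the web-common restart. Note that urllib normalises header names, so the added header appears as Csrf-token in the built request; the server-side comparison described on the page is on the header's value, and HTTP header names are case-insensitive.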