Exabeam SOC Platform Administration Guide

Universal Role-Based Access

Universal role-based access centralizes identity and access management for every application on the Exabeam SOC Platform. Users reach all of their Exabeam applications through a single login account, and administrators manage user accounts and permissions for the whole platform through a single interface. This streamlines the threat detection and incident response (TDIR) workflow by removing access gaps and making it easier to move between products, and it narrows the opportunity for credential misuse: each person has exactly one identity to provision, review and, when they leave, revoke.

Universal role-based access supports local user accounts created in Exabeam as well as account integration with SAML 2.0 compliant third-party identity providers.

Considerations for Adopting Universal Role-Based Access

You are encouraged to migrate to universal role-based access as soon as your organization is ready.

Before migrating to universal role-based access, note the following:

  • Customers can continue to use legacy authentication until they are prepared to migrate.

  • Migration to universal role-based access is permanent; there is no path back to legacy authentication.

  • Universal role-based access supports concurrent local authentication and SAML 2.0 compliant third-party IdP authentication.

  • Universal role-based access does not support direct authentication against services such as LDAP, Microsoft Active Directory, common access card (CAC), and personal identity verification (PIV). Users held in such a directory can sign in only through a SAML 2.0 compliant IdP that authenticates against it.

  • Advanced Analytics and Data Lake are migrated separately.

  • User email addresses are required for migration. Each email address designates exactly one identity, so two accounts cannot share an address.

  • Customers using third-party IdPs need to update their IdP configuration to complete the migration process.

  • Legacy Advanced Analytics identities are still needed to authenticate into Cloud Connectors.

    Note

    When universal role-based access becomes available for Cloud Connectors, Cloud Connectors will automatically migrate to it.

  • Universal role-based access is not available for on-premises applications.

User Roles

Exabeam uses role-based access control to manage user permissions. The Exabeam SOC Platform includes a variety of preconfigured default roles for its different products, designed for common user types such as analysts, administrators, and auditors. If the default roles do not fit a job, create your own role with only the permissions that job needs: default roles cannot be modified or deleted, so a custom role is also the way to grant a narrower set of permissions than a default role carries.

Create Custom User Roles

  1. On the lower-left side of the page, click Settings, and then click Roles.

    The Roles page opens.

  2. On the upper-right side of the page, click New Role.

    The New Role dialog box appears.

  3. In the Display Name field, enter a name for the role.

  4. In the Description field, enter a description of the role.

  5. From the Permissions drop-down menu, select the permissions that you want to assign to the role.

  6. When you have selected all the permissions that you want to include, click outside the drop-down menu, and then click Create.

    The new role is added to the list on the Roles page.

Edit or Delete Custom Roles

Note

Default roles cannot be modified or deleted.

  1. On the lower-left side of the page, click Settings, and then click Roles.

    The Roles page opens.

  2. Click the vertical ellipsis icon for the custom role that you want to edit or delete, and then do either of the following:

    • To edit the role, click Edit, and then modify the role's properties as needed. When you are done, click Update.

    • To delete the role, click Delete, and then confirm that you want to delete the role.

Local Users

Local user accounts are created and managed within the Exabeam SOC Platform. Each local account requires its own unique email address. When a new account is created, the user receives an email to activate the account and create a login password.

Add Local Users

  1. On the lower-left side of the page, click Settings, and then click Users.

    The Users page opens.

  2. Click + New User.

    The Invite User dialog box appears.

  3. In the appropriate boxes, enter the user's first name, last name, and email address, and then select the appropriate roles for the user from the drop-down list.

  4. Click Invite.

    An email is sent to the user with a link to confirm the account and create a login password. The account status is listed as "Pending" until the user confirms the account, at which time the status changes to "Active."

Manage Local Users

From the Users page in the Exabeam SOC Platform, you can edit local user names, email addresses, and roles. You can also activate and deactivate accounts, delete accounts, and send users links for resetting their passwords.

  • On the lower-left side of the page, click Settings, and then click Users.

    Do any of the following as needed:

    • To edit local users:

      1. For the user that you want to edit, click the vertical ellipsis icon on the right, and then click Edit.

        The Edit User dialog box appears.

      2. Edit the user names, email address, and/or roles as needed, and then click Update.

    • To activate or deactivate a user account:

      1. For the user whose account you want to activate or deactivate, click the vertical ellipsis icon on the right, and then click Edit.

        The Edit User dialog box appears.

      2. Click the Active toggle to activate or deactivate the user's account.

        A blue toggle indicates an active account; a gray toggle indicates a deactivated account.

    • To send a password reset email:

      1. For the user whose password you want to reset, click the vertical ellipsis icon on the right, and then click Reset Password.

        The Reset Password confirmation box appears.

      2. Click Send.

        An email containing a password reset link is sent to the user.

Third-Party Identity Providers

The Exabeam SOC Platform supports integration with SAML 2.0 compliant third-party identity providers (IdPs) for single sign-on (SSO), multi-factor authentication, and access control. You can integrate more than one IdP, provided that the IdPs do not share any email domains: a user's email domain is what ties the user to one IdP (or to local accounts), so no domain can belong to two of them.

Add a Third-Party Identity Provider

Note

To complete this procedure, you need administrative access to both Exabeam and your identity provider (IdP).

  1. Log in to your IdP and do the following:

    a. Begin the procedure to add a new application in your IdP for Exabeam (if needed, refer to your IdP's user guide for instructions).

    b. In the attribute mapping section, enter descriptive values for the IdP user attributes. These values become the attribute names that the IdP sends to Exabeam in its SAML assertions.

      You need to provide values for the following user attributes:

      • Email address

      • First name

      • Last name

      • Group

      • Username (this attribute is optional)

      For example, if Primary email is the user email attribute in your IdP, you could enter EmailAddress as the descriptive value. The following is an example of an attribute map in Google IdP:

      (Figure: Google IdP attribute map, with Primary email mapped to the descriptive value EmailAddress.)

      Important

      In step 2g, you need to use the same descriptive values to map the Exabeam query attributes with corresponding IdP user attributes.

    c. Do one of the following:

      • Download the IdP metadata file. (Preferred)

      • Copy the Entity ID and Login URL (sometimes referred to as the "SSO URL"), and then download the SAML signing certificate (the exact names of these items vary between IdPs). Exabeam uses this certificate to verify the signatures on the assertions your IdP sends, so whenever the IdP rotates its signing certificate, the copy held in Exabeam must be updated too.

      Note

      The information obtained in this step needs to be entered into Exabeam.

  2. Log in to the Exabeam SOC Platform and do the following:

    a. On the lower-left side of the page, click Settings, and then click Single sign-on.

      The Single Sign-On (SSO) page opens.

    b. On the upper-right side of the page, click Add new provider.

    c. In the Identity provider name box, enter a name for the IdP.

    d. In the Email domains box, enter the email domains of the users who will sign in through this IdP (example: exabeam.com).

      Important

      The email domains must be unique. They cannot be the same as the domains used in another IdP or by local user accounts.

    e. Do one of the following:

      • Click Upload XML metadata file, navigate to the IdP metadata file that you downloaded in step 1c, and click to upload it.

        The uploaded metadata file populates the required configuration fields.

      • Click Manual Configuration, and then use the information that you obtained in step 1c to do the following:

        1. Enter values for the SAML Entity ID and Login URL.

        2. Click Upload IdP Certificate, navigate to the certificate and click to upload it.

    f. (Optional) Enter values for the Logout URL and Logout redirect URL.

    g. In the Query Attributes table, map each Exabeam query attribute to the corresponding IdP user attribute by entering the same descriptive value that you used in step 1b, as demonstrated in the following example. The values must match exactly: if a value differs from the one configured in the IdP, Exabeam will not find that attribute in the assertion.

      (Figure: Query Attributes table with each Exabeam attribute mapped to the descriptive value entered in the IdP.)
    h. Click Add Identity Provider.

      A box titled with the identity provider name that you entered in step 2c appears; it holds the values that your IdP needs.

    i. Do one of the following:

      • Download the Metadata URL file by moving your pointer over the URL and clicking the download icon on the right.

      • Copy the Entity ID and Assertion Consumer URL values.

      Note

      The information obtained in this step needs to be added into your IdP.

  3. Log in to your IdP to complete the Exabeam application configuration:

    a. From the information obtained in step 2i, enter the Entity ID and Assertion Consumer Service (ACS) URL values into their appropriate fields. You can also input these values by uploading the Metadata URL file if your IdP provides the option.

    b. Complete any additional steps in your IdP that are necessary to finish the configuration. Refer to your IdP user guide for details.

  4. Log in to the Exabeam SOC Platform, click Settings, and then click Single sign-on.

    The IdP is listed on the Single Sign-On page.

  5. To enable the IdP, click the Enabled toggle.

    The Enabled toggle turns blue.

  6. Click Group Mapping and then do the following:

    Note

    The purpose of group mapping is to map the user groups in your IdP to the appropriate user roles in Exabeam. For example, if your IdP includes an "Advanced Analyst" user group that needs the permissions included in the Tier 3 Analyst (Advanced Analytics) role, you can map the group to that role. Each group can be mapped to one or more roles as needed.

    a. Click Add new mapping.

      The Add Group Mapping dialog box appears.

    b. In the Group name box, enter the name of an IdP group, exactly as the IdP sends it in the Group attribute.

    c. Click the Roles drop-down list, and then select the Exabeam roles that you want to assign to the group.

    d. After you have selected all the roles that you want assigned to the group, click Add Mapping.

    e. Repeat steps a–d as needed to map your other IdP groups.

    Users from your third-party IdP and their assigned roles are displayed on the Users page.
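As a worked illustration of what the attribute mapping (steps 1b and 2g), the email-domain rule (step 2d) and the group mapping (step 6) amount to once the IdP starts sending assertions, here is a small pre-flight script. It is an added example, not Exabeam code: it parses a constructed IdP metadata file to pull out the Entity ID, Login URL and signing certificate that Manual Configuration asks for, flags email domains claimed by more than one IdP or by local accounts, and applies an attribute map and a group map to a constructed assertion to show which roles a login would receive. The descriptive attribute values (EmailAddress, FirstName and so on), the domains and URLs, the group names, and every role name except Tier 3 Analyst (Advanced Analytics) are assumptions made for the example.

```python
"""Pre-flight check for the SAML IdP setup above (added example, not Exabeam code).
The metadata, assertion, attribute names, domains and role names are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Step 1c: a constructed IdP metadata file of the kind uploaded in step 2e.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-constructed-not-a-real-certificate</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Steps 1b and 2g: Exabeam query attribute -> descriptive value chosen in the IdP.
# The right-hand names are assumptions; the page fixes only which attributes exist.
QUERY_ATTRIBUTES = {"email": "EmailAddress", "first_name": "FirstName",
                    "last_name": "LastName", "groups": "Groups", "username": "UserName"}

# Step 6: IdP group -> Exabeam roles. Only the Tier 3 Analyst role name is from the
# page; "Auditor (custom)" stands for a custom role created on the Roles page.
GROUP_MAPPING = {"Advanced Analyst": ["Tier 3 Analyst (Advanced Analytics)"],
                 "Compliance": ["Auditor (custom)"]}

# A constructed assertion as the IdP would emit it once step 1b is configured.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="EmailAddress">
   <saml:AttributeValue>ada@exabeam.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Groups"><saml:AttributeValue>Advanced Analyst</saml:AttributeValue>
   <saml:AttributeValue>Interns</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return what Manual Configuration (step 2e) asks for: Entity ID, Login URL and
    the signing certificate(s) Exabeam will use to verify assertion signatures."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    if sso is None or not certs:
        raise ValueError("metadata lacks an SSO endpoint or a signing certificate")
    return {"entity_id": root.get("entityID"), "login_url": sso.get("Location"),
            "signing_certs": certs}


def find_domain_conflicts(idp_domains, local_domains):
    """Step 2d: each email domain may belong to one IdP or to local accounts, never both.
    Returns {domain: [owners]} for every domain claimed more than once (empty means OK)."""
    owners = {}
    for name, domains in list(idp_domains.items()) + [("local accounts", local_domains)]:
        for d in domains:
            owners.setdefault(d.lower(), []).append(name)
    return {d: o for d, o in owners.items() if len(o) > 1}


def read_attributes(assertion_xml):
    """Collect attribute name -> list of values from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}


def resolve_user(attrs, idp_domains, query=QUERY_ATTRIBUTES, groups_to_roles=GROUP_MAPPING):
    """Apply the step 2g attribute map and the step 6 group map to one login.
    Returns (user, problems); any problem means the login should not be accepted."""
    problems = []

    def single(key):  # the required attributes must each carry exactly one value
        vals = attrs.get(query[key], [])
        if len(vals) != 1:
            problems.append(f"{key}: expected one '{query[key]}' value, got {len(vals)}")
        return vals[0] if vals else None

    email, first, last = single("email"), single("first_name"), single("last_name")
    if email and email.rsplit("@", 1)[-1].lower() not in {d.lower() for d in idp_domains}:
        problems.append(f"{email}: domain is not registered for this IdP")
    groups = attrs.get(query["groups"], [])
    roles = sorted({r for g in groups for r in groups_to_roles.get(g, [])})
    if not roles:
        problems.append("no IdP group maps to an Exabeam role; user would get no permissions")
    user = {"email": email, "first_name": first, "last_name": last, "groups": groups,
            "username": attrs.get(query["username"], [None])[0],  # optional attribute
            "roles": roles, "unmapped_groups": [g for g in groups if g not in groups_to_roles]}
    return user, problems


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print(resolve_user(read_attributes(ASSERTION), ["exabeam.com"]))
```

Two points the script makes visible: the descriptive values are compared exactly, so a typo between step 1b and step 2g surfaces as a missing attribute rather than a login with wrong data; and a user whose groups map to no role would receive no permissions, which the script reports instead of silently accepting.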

Manage Third-Party IdPs

You can edit IdP group mappings, enable or disable IdPs, edit IdP details and attributes, and delete IdPs from the Exabeam SOC Platform.

  • On the lower-left side of the page, click Settings, and then click Identity Providers.

    Do any of the following as needed:

    • To edit group mappings:

      1. Click Group Mapping for the IdP that you want to modify.

        The Group Mapping dialog box appears.

      2. Do either of the following as needed:

        • To add a new group mapping, click Add new mapping to open the Add Group Mapping dialog box. In the Group name box, enter the group name, and then select the roles that you want to assign to it from the Roles drop-down list. When you are done, click Add Mapping.

        • To edit an existing mapping, click the corresponding vertical ellipsis icon and then edit the group name and/or user roles as needed. When you are done, click Update Mapping.

    • To enable or disable an IdP, click the corresponding Enabled toggle.

      When the toggle is blue, the IdP is enabled; when the toggle is gray, the IdP is disabled. While an IdP is disabled, the users who sign in through it cannot log in, so disabling is the safer choice when you may need to restore access later.

    • To edit an IdP's details and/or attributes (for example, to load a new certificate after your IdP rotates its signing key), click the corresponding edit icon and then edit the information as needed. When you are done, click Update Identity Provider.

    • To delete an IdP from the SOC Platform, click the corresponding delete icon.