Exabeam Security Operations Platform Architecture
The Exabeam Security Operations Platform ingests logs using Exabeam Cloud Connectors, Site Collectors, and Context Management.
Cloud Collectors – Previously known as Cloud Connectors. These services provide prebuilt, turnkey connectors for over 30 cloud applications and services and facilitate log ingestion into Exabeam Data Lake, Exabeam Advanced Analytics, or any other SIEM. To minimize blind spots within your organization, Cloud Collectors also provide custom connectors for services that are not natively supported. For more information, see the Cloud Collectors Guide.
Site Collectors – Securely and efficiently upload event data from on-premises services such as external servers, systems, data centers, or Exabeam collectors (including Windows, File, and GZip) to Exabeam cloud-delivered services in the Exabeam Security Operations Platform. For more information, see the Site Collector Guide.
Depending on your license, Exabeam can also provide additional capabilities for security management, threat detection, investigation, and response (TDIR), and platform insights. These services can include:
Security Management:
Action Editor – Create your own Incident Responder services and actions using Action Editor. This application is available on the Exabeam Security Operations Platform to all Incident Responder users. It guides you through the process of customizing a prebuilt service and its actions, or of creating your own custom service and actions from scratch. For more information, see the Action Editor documentation.
Auto Parser Generator – Similar to Log Stream, Auto Parser Generator lets you set up custom parsers to ingest logs and events within the original content information model. For the latest Exabeam products, which are developed on the Common Information Model, use Log Stream instead. For more information, see the Auto Parser Generator documentation.
Correlation Rules – Develop fact-based rules that correlate to events matching specific criteria. Create automated outcomes to supplement behavioral analytics. Using the Correlation Rules app, you can easily build rules based on search queries. You can refine those rules with additional conditions and determine what outcomes should occur when the rule is triggered. For more information, see the Correlation Rules documentation.
Log Stream – Enables you to visualize, create, deploy, and monitor parsers within a unified ingestion pipeline for all Exabeam products and features. For more information, see the Log Stream documentation.
Context Management – Provides a single point of access for managing context data, such as data from threat intelligence services or identity providers. Supports the processing of context data from multiple sources and normalizes the data into a standardized schema for use by downstream applications. For more information, see the Context Management Guide.
Threat Detection and Incident Response (TDIR):
Advanced Analytics – An advanced behavioral analytics platform that automatically links and analyzes user and entity activity to better inform security analysts about threats and remediation options. Advanced Analytics provides a powerful analytics layer on top of existing SIEM and log management technologies to detect new attacks, prioritize incidents, and guide you toward a more effective response. For more information, see the Advanced Analytics Administration Guide and the Advanced Analytics User Guide.
Threat Center – A triage and ticketing solution that centralizes all alerts and cases so you address potential threats with a streamlined workflow. Threat Center collects alerts from Exabeam Correlation Rules and third-party alerts in one place and provides case creation capabilities so you move seamlessly from triage to response. For more information, see the Threat Center documentation.
Alert Triage – A cloud-delivered application that categorizes, aggregates, and enriches security alerts so that you can dismiss or escalate them confidently and efficiently. Alert Triage provides visibility into all of the alerts that security tools trigger through a centralized view, reducing the likelihood of missing a security alert. For more information, see the Alert Triage documentation.
Case Manager – Organize, track, and streamline your investigation with Case Manager. Case Manager is a customizable case management solution with ticketing, messaging, and Key Performance Indicator (KPI) dashboards. It organizes and tracks investigations so you are more efficient and productive. For more information, see the Case Manager documentation.
Data Lake – A log management system that provides collection, indexing, search, and visualization across your logs. The goal of Data Lake is to present log data to the user in a clear and consumable manner. For more information, see the Data Lake Administration Guide and the Data Lake User Guide.
Incident Responder – Provides automated, repeatable investigation and response capabilities. To reduce human error and manual investigation effort, Incident Responder also provides semi- and fully automated incident investigation and response actions, with repeatable prebuilt playbooks for common incidents. For more information, see the Incident Responder documentation.
Search – Provides a single interface that enables you to quickly perform advanced search queries across multiple years' worth of events, IoCs, and Exabeam-generated anomalies. For more information, see the Search documentation.
Platform Insights:
Outcomes Navigator – A cloud-delivered application that provides visibility into the efficacy of your environment's configuration to protect against Exabeam use cases. Outcomes Navigator analyzes your environment and suggests configuration changes to align your environment with your goals and improve security posture. For more information, see the Outcomes Navigator documentation.
Service Health and Consumption – Visualize the key metrics for monitoring data ingestion, system health, license consumption, and security budget needs. For more information, see the Service Health and Consumption documentation.