Get Notified About Threat Center
Get automatically notified about important Threat Center activity.
You can get automatically notified about important case and alert changes using global notifications or Automation Management playbooks.
Threat Center Global Notifications
Global notifications automatically send messages about Threat Center to third-party applications, like Microsoft Teams or Slack, in real time whenever specific events occur, including when:
- A case has been assigned to someone
- A case has been assigned to a queue
- A case has been closed
- A previously closed case has been reopened
- A new case has been created
By default, global notifications for Threat Center are disabled. To enable them, first add the webhook connection you want to use, then select your notification options.
Threat Center Notifications Using Automation Management Playbooks
To get notified about situations and conditions you specify, configure Automation Management playbooks so they send relevant case or alert information to an email address or webhook when they're triggered.
The email contains:
- The person or playbook that sent the email
- The case or alert ID
- The date and time the case or alert was last updated
- The field by which related detections are grouped
- The case or alert URL
- A summary of the case or alert, including the number of related detections, triggered rules, MITRE ATT&CK® tactics and techniques, users, endpoints; and the case or alert risk score[11]
- A more detailed summary of the case or alert, including a list of related users, endpoints, tags, ATT&CK tactics and techniques, Exabeam use cases; the case or alert severity; and, for cases, the case stage, the case closed reason if the case stage is Closed, queue, and assignee
- The entire threat timeline
To configure a playbook so it automatically sends case or alert information to an email address when triggered, use the Send all threat details via email action.
The webhook message contains case or alert attributes in a key-value JSON format. Case or alert attributes sent include:
- When the case or alert was last updated
- Case or alert ID
- A summary of the case or alert, including the number of related detections, triggered rules, MITRE ATT&CK® tactics and techniques, users, endpoints; the case or alert risk score; and the attribute by which related detections are grouped
- Associated tags
- Associated ATT&CK tactics and techniques
- Associated Exabeam use cases
- Associated users
- Associated endpoints
- Case or alert severity
- Case stage; and, if the case is closed, the case closed reason
- Queue
- Assignee
- Details for every related detection, including the detection type, associated Exabeam use case, associated triggered rules, approx_log_time, description, detection ID, associated source and destination users, associated source and destination IP addresses, and associated source and destination host names
To configure a playbook so it automatically sends case or alert information to a webhook when triggered, use the Send all threat details via webhook action.
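As an added example that is not part of Exabeam's documentation, the following Python handler shows how a receiving service might validate a webhook message shaped like the attribute list above, discard repeated deliveries of the same case update, and pull out the entities to triage first. Every JSON key name except approx_log_time is an assumed placeholder, not Exabeam's documented schema, and the sample payload is constructed for this example.

```python
import json

# Constructed sample payload for this example. Key names are ASSUMED for
# illustration; apart from approx_log_time they are not Exabeam's documented schema.
SAMPLE_WEBHOOK = json.dumps({
    "id": "CASE-0001", "lastUpdated": "2024-05-01T12:00:00Z",
    "severity": "high", "stage": "Open", "queue": "Tier 1", "assignee": None,
    "detections": [
        {"detectionId": "d-1", "approx_log_time": "2024-05-01T11:58:00Z",
         "srcUser": "alice", "destHost": "db01"},
        {"detectionId": "d-2", "approx_log_time": "2024-05-01T11:59:00Z",
         "srcUser": "alice", "destHost": "db02"},
    ],
})
REQUIRED = ("id", "lastUpdated", "severity", "stage", "detections")

def parse_notification(raw: str) -> dict:
    """Parse the JSON body; reject payloads lacking the attributes the handler relies on."""
    msg = json.loads(raw)
    missing = [k for k in REQUIRED if k not in msg]
    if missing:
        raise ValueError(f"payload missing attributes: {missing}")
    if not isinstance(msg["detections"], list):
        raise ValueError("detections must be a list")
    return msg

def is_duplicate(msg: dict, seen: set) -> bool:
    """A playbook can fire on every update of one case; key on (id, lastUpdated)
    so each distinct change is handled exactly once."""
    key = (msg["id"], msg["lastUpdated"])
    if key in seen:
        return True
    seen.add(key)
    return False

def needs_escalation(msg: dict) -> bool:
    """Escalate open, unassigned cases of high or critical severity."""
    return (msg["severity"].lower() in ("high", "critical")
            and msg["stage"] != "Closed" and not msg.get("assignee"))

def summarize(msg: dict) -> dict:
    """Collapse per-detection details into the entities an analyst triages first."""
    dets = msg["detections"]
    return {
        "id": msg["id"], "detections": len(dets),
        "users": sorted({d["srcUser"] for d in dets if d.get("srcUser")}),
        "hosts": sorted({d["destHost"] for d in dets if d.get("destHost")}),
        "first_seen": min(d["approx_log_time"] for d in dets) if dets else None,
    }
```

Map the placeholder keys to the field names your Threat Center webhook actually emits before using this against live deliveries.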
[11] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.