Get Notified About Threat Center
Get automatically notified about important Threat Center activity.
You can get automatically notified about important case and alert changes using global notifications or Automation Management playbooks.
Threat Center Global Notifications
Global notifications automatically send messages about Threat Center to third-party applications, like Microsoft Teams or Slack, in real time whenever specific events occur, including when:
A case has been assigned to someone
A case has been assigned to a queue
A case has been closed
A previously closed case has been reopened
A new case has been created
By default, global notifications for Threat Center are disabled. To enable them, first add a webhook connection for the application you want to notify (for example, Microsoft Teams or Slack), then select which of the events above should send a notification.
Threat Center Notifications Using Automation Management Playbooks
To get notified about situations and conditions you specify, configure Automation Management playbooks so they send relevant case or alert information to an email address or webhook when they're triggered.
The email contains:
The person or playbook that sent the email
Vendor – The vendor who sent the email notification, Exabeam
ID – The case or alert UUID
Case Number – The case ID
Last update time – The date and time the case or alert was last updated
Grouped By – The field by which related detections are grouped
URL – The case or alert URL
A summary of the case or alert, including the number of related detections, triggered rules, MITRE ATT&CK® tactics and techniques, users, endpoints; and the case or alert risk score[12]
A more detailed summary of the case or alert, including a list of related users, endpoints, tags, ATT&CK tactics and techniques, Exabeam use cases; the case or alert severity; and, for cases, the case stage, the case closed reason if the case stage is Closed, queue, and assignee.
The entire threat timeline.
To configure a playbook so it automatically sends case or alert information to an email address when triggered, use the Send all threat details via email action.
The webhook message contains case or alert attributes in a key-value JSON format. Case or alert attributes sent include:
last_update_time – The date and time the case or alert was last updated
case_id or alert_id – Case or alert ID
case_number – The case number
alert_name – The alert name
threat_summary – A summary of the case or alert, including the number of related detections, triggered rules, MITRE ATT&CK® tactics and techniques, users, endpoints; the case or alert risk score; and the attribute by which related detections are grouped
tags – Associated tags
mitres – Associated ATT&CK tactics and techniques
use_cases – Associated Exabeam use cases
users – Associated users
endpoints – Associated endpoints
priority – Case or alert severity
stage – Case stage
queue – The queue assigned to respond to the case
assignee – The assignee assigned to respond to the case
detections – Details for every related detection, including the detection type, associated Exabeam use case, associated triggered rules, approx_log_time, description, detection ID, associated source and destination users, associated source and destination IP addresses, and associated source and destination host names
case_closed_reason – If the case is closed, the selected pre-defined case closed reason
case_close_supporting_reason – If the case is closed, the comment added to the pre-defined case closed reason
alert_created_time – The date and time the alert was created
case_created_time – The date and time the case was created
case_closed_time – The date and time the case stage was changed to Closed
To configure a playbook so it automatically sends case or alert information to a webhook when triggered, use the Send all threat details via webhook action.
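The receiving side of the webhook is yours to build. The following is an added example, not Exabeam code, of a receiver that decodes the JSON body, decides whether it describes a case or an alert from the case_id / alert_id attribute, and records inconsistencies a downstream automation should not act on blindly (a case in the Closed stage with no case_closed_reason, an alert that carries case-only attributes). The attribute names come from the list above; the exact JSON layout (one flat object; users, endpoints, tags and mitres as lists of strings; detections as a list of objects) and every value in the sample payload are assumptions constructed for this example.

```python
"""Parse and sanity-check a Threat Center webhook notification.

Added example, not Exabeam code. The attribute names are those listed for the
"Send all threat details via webhook" action; the concrete JSON layout (one
flat object; users, endpoints, tags and mitres as lists of strings; detections
as a list of objects) and all values in the constructed sample payload are
assumptions made for this example.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Attributes every case or alert payload is expected to carry (assumption).
REQUIRED_COMMON = ("last_update_time", "threat_summary", "priority")
# Attributes the documented list only defines for cases.
CASE_ONLY = ("case_number", "stage", "queue", "assignee", "case_created_time",
             "case_closed_time", "case_closed_reason", "case_close_supporting_reason")


@dataclass
class ThreatNotice:
    kind: str                  # "case" or "alert"
    ident: str                 # value of case_id or alert_id
    priority: str              # case or alert severity, kept as an opaque string
    stage: Optional[str]       # case stage; None for alerts
    users: List[str] = field(default_factory=list)
    endpoints: List[str] = field(default_factory=list)
    techniques: List[str] = field(default_factory=list)   # from "mitres"
    detection_count: int = 0
    problems: List[str] = field(default_factory=list)      # inconsistencies found


def _as_str_list(value) -> List[str]:
    """Coerce a list-valued attribute to strings; a missing value is an empty list."""
    if value is None:
        return []
    if not isinstance(value, list):
        raise ValueError(f"expected a list, got {type(value).__name__}")
    return [str(v) for v in value]


def parse_threat_webhook(body: str) -> ThreatNotice:
    """Decode the JSON body into a ThreatNotice.

    Raises ValueError when the body cannot be a Threat Center notification at
    all. Softer inconsistencies (a Closed case with no closed reason, an alert
    carrying case-only attributes) are recorded in ThreatNotice.problems so the
    receiver can decide whether to act on the message or quarantine it.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("webhook body must be a JSON object")
    missing = [k for k in REQUIRED_COMMON if k not in data]
    if missing:
        raise ValueError(f"payload is missing required attributes: {missing}")

    # A payload describes either a case (case_id) or an alert (alert_id);
    # carrying both or neither is rejected outright.
    has_case, has_alert = "case_id" in data, "alert_id" in data
    if has_case == has_alert:
        raise ValueError("payload must carry exactly one of case_id or alert_id")
    kind = "case" if has_case else "alert"
    ident = str(data["case_id"] if has_case else data["alert_id"])

    notice = ThreatNotice(kind=kind, ident=ident, priority=str(data["priority"]),
                          stage=data.get("stage") if has_case else None)
    notice.users = _as_str_list(data.get("users"))
    notice.endpoints = _as_str_list(data.get("endpoints"))
    notice.techniques = _as_str_list(data.get("mitres"))

    detections = data.get("detections", [])
    if not isinstance(detections, list):
        notice.problems.append("detections is not a list")
        detections = []
    notice.detection_count = len(detections)
    if any(not isinstance(d, dict) for d in detections):
        notice.problems.append("detections contains a non-object entry")

    if kind == "alert":
        leaked = [k for k in CASE_ONLY if k in data]
        if leaked:
            notice.problems.append(f"alert payload carries case-only attributes: {leaked}")
    elif notice.stage == "Closed":
        for key in ("case_closed_reason", "case_closed_time"):
            if not data.get(key):
                notice.problems.append(f"stage is Closed but {key} is missing")
    elif data.get("case_closed_reason") or data.get("case_closed_time"):
        notice.problems.append("case is not Closed but carries close attributes")
    return notice


# Constructed sample payload for a closed case (every value is invented).
SAMPLE_CASE_PAYLOAD = json.dumps({
    "last_update_time": "2024-05-01T10:15:00Z",
    "case_id": "00000000-0000-4000-8000-000000000001",
    "case_number": 42,
    "threat_summary": "2 detections, 2 triggered rules, 1 user, 2 endpoints; risk score 85",
    "tags": ["example"],
    "mitres": ["TA0006", "T1110"],
    "use_cases": ["example-use-case"],
    "users": ["alice"],
    "endpoints": ["ws-01", "dc-01"],
    "priority": "High",
    "stage": "Closed",
    "queue": "Tier 1",
    "assignee": "bob",
    "detections": [
        {"approx_log_time": "2024-05-01T09:58:00Z", "description": "first detection"},
        {"approx_log_time": "2024-05-01T10:02:00Z", "description": "second detection"},
    ],
    "case_closed_reason": "False positive",
    "case_close_supporting_reason": "Scheduled password rotation",
    "case_created_time": "2024-05-01T10:00:00Z",
    "case_closed_time": "2024-05-01T10:15:00Z",
})

if __name__ == "__main__":
    print(parse_threat_webhook(SAMPLE_CASE_PAYLOAD))
```

Hard rejections (not a JSON object, missing common attributes, both or neither of case_id and alert_id) raise, while the softer checks are collected in problems so a playbook-driven receiver can still log the notification and route it for manual review instead of closing a ticket on a malformed message.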
[12] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.