- Get Started with Threat Center
- Group Detections
- Work on Cases
- Triage Alerts in Threat Center
- Edit and Collaborate in Threat Center
- Find Cases or Alerts
- Build a Search in Threat Center
- Enter a Search Using Exabeam Query Language in Threat Center
- Enter a Search Using Natural Language in Threat Center
- Run a Recent Search in Threat Center
- Create a New Saved Search in Threat Center
- Run a Saved Search in Threat Center
- Edit a Saved Search in Threat Center
- Delete a Saved Search in Threat Center
- Sort Cases or Alerts
- View Case and Alert Metrics
- Get Notified About Threat Center
Threat Center Detections
A detection represents an indicator of a potential threat.
A detection is a record of risky activity symptomatic of a threat. A detection contains attributes from related events that define the property of the risky activity.
Detections are created when events trigger correlation rules or Advanced Analytics rules. After detections are created, they're automatically grouped into cases and alerts according to detection grouping rules.
View detections and their attributes in an alert or case Threat Timeline, where they're organized in chronological order from oldest to latest.
Correlation Rules Detections
Correlation rules create detections when the rule triggers and a Threat Center alert or case is the outcome.
For a correlation rule detection, you can:
1 View the date and time the detection was created.
2 Navigate to the event in Search.
3 View all detection details, including the assigned risk score, MITRE ATT&CK® tactics and techniques, Exabeam use cases, tags, and event fields associated with the detection.[3]
4 View the detection risk score.
5 View the number of correlation rules associated with the detection.
6 View the Exabeam use case the detection best describes.
7 View the ATT&CK tactics and techniques the detection best describes.
8 View the parsed event fields associated with the detection.
9 View all event fields associated with the detection.
10 View the name and description of the correlation rule that created the detection.
11 View information about the triggered correlation rule:
1 Whether the rule is enabled or disabled.
2 How many times the rule has triggered.
3 The date and time the rule was last triggered.
4 The rule sequences, including the search query that defines which events the events trigger the correlation rule and the conditions that must be satisfied for the rule to trigger.
5 What happens when the correlation rule triggers.
6 Other information about the rule, including:
Name – The correlation rule name.
Author – Who created the correlation rule.
Severity – The rule severity: None, Low, Medium, High or Critical.
Use Case – The Exabeam use case most relevant to the rule.
MITRE Properties – The ATT&CK techniques most relevant to the rule.
Tags – Tags associated with the rule.
Repeating Triggers – The field values by which the rule is suppressed if the rule is over-triggered.
Advanced Analytics Detections
Advanced Analytics detections are created when an event triggers one or more Advanced Analytics fact-based or model-based rules.
For an Advanced Analytics detection, you can:
1 View the date and time the detection was created.
2 Navigate to the event in Search.
3 View all detection details, including the assigned risk score, MITRE ATT&CK® tactics and techniques, Exabeam use cases, tags, and event fields associated with the detection.[4]
4 View the detection risk score.
5 View the number of Advanced Analytics rules associated with the detection.
6 View the Exabeam use case the detection best describes.
7 View the ATT&CK tactics and techniques the detection best describes.
8 View the parsed event fields associated with the detection.
9 View all event fields associated with the detection.
10 Navigate to the Advanced Analytics Smart Timeline™ to view all user or asset events.
11 View a triggered Advanced Analytics rule associated with the event.
12 View the triggered rule risk score.
13 For model-based Advanced Analytics rules, view information about the model associated with the triggered rule:
1 The triggered Advanced Analytics rule name.
2 The triggered Advanced Analytics rule risk score.
3 Name and description of the behavior modeled and the date and time the model was last updated.
4 The percentage confidence Exabeam has in the model's accuracy.
5 The number of events the model has evaluated.
6 The number of unique feature values the model has evaluated; for example, the number of unique hosts the Account creation hosts in organization model has evaluated.
7 Find a specific feature value the model has evaluated.
8 All unique feature values the model has evaluated, the number of times the model evaluated the feature value, and how often the feature value in events appears as a percentage of all events. The percentage is calculated by:
Equation 1.where P is the percentage, C is the number of number of times the model evaluated the feature value, and E is the number of event the model has evaluated.
When you restart the Advanced Analytics Analytics Engine, Threat Center automatically reprocesses Advanced Analytics detections and ensures Threat Center stays in sync with Advanced Analytics. When Threat Center starts reprocessing Advanced Analytics detections, you receive a notification. During reprocessing, Threat Center may remove obsolete Advanced Analytics detections from open cases and alerts or close cases that contain only obsolete Advanced Analytics detections. After Threat Center reprocesses Advanced Analytics detections, it groups them according to your detection grouping rules.
[3] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.
[4] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.