Exabeam

The Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics, and SOAR. This integration was integrated and tested with version xx of Exabeam11

Configure Exabeam on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Exabeam.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1:{port})
    • Username
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Returns notable users in a period of time: exabeam-get-notable-users
  2. Returns all watchlist IDs and titles: exabeam-get-watchlists
  3. Returns all peer groups: exabeam-get-peer-groups
  4. Returns user information data for the username: exabeam-get-user-info
  5. Returns all labels of the user: exabeam-get-user-labels
  6. Returns sessions for the given username and time range: exabeam-get-user-sessions
  7. Deletes a watchlist: exabeam-delete-watchlist
  8. Returns asset data: exabeam-get-asset-data

1. exabeam-get-notable-users


Returns notable users in a period of time.

Base Command

exabeam-get-notable-users

Input
Argument Name | Description | Required
time_period | The time period for which to fetch notable users, such as 3 months, 2 days, 4 hours, 1 year, and so on. | Required
limit | The maximum number of returned results. | Required

Context Output
Path | Type | Description
Exabeam.User.RiskScore | Number | The risk score of the notable user.
Exabeam.User.UserFullName | String | The full name of the user.
Exabeam.User.AverageRiskScore | Number | The average risk score of the user.
Exabeam.User.FirstSeen | Date | The date the user was first seen.
Exabeam.User.NotableSessionIds | String | The ID of the notable session.
Exabeam.User.AccountsNumber | Number | The number of accounts.
Exabeam.User.LastSeen | Date | The date the user was last seen.
Exabeam.User.Location | String | The location of the user.
Exabeam.User.UserName | String | The name of the user.
Exabeam.User.Labels | String | The labels of the user.
Exabeam.User.LastActivityType | String | The last activity type of the user.
Exabeam.User.NotableUser | Boolean | Whether the user is a notable user.

Command Example

!exabeam-get-notable-users limit=3 time_period="1 year"

Context Example
{
    "Exabeam.User": [
        {
            "Department": "IT",
            "EmployeeType": "employee",
            "FirstSeen": "2018-08-01T11:50:16",
            "HighestRiskSession": {
                "accounts": [
                    "account_name"
                ],
                "endTime": 1535991695000,
                "initialRiskScore": 9,
                "label": "",
                "loginHost": "login_host",
                "numOfAccounts": 1,
                "numOfAssets": 5,
                "numOfEvents": 6,
                "numOfReasons": 9,
                "numOfSecurityEvents": 0,
                "numOfZones": 0,
                "riskScore": 265,
                "sessionId": "session_id",
                "startTime": 1535973498000,
                "username": "username",
                "zones": []
            },
            "Labels": [
                "privileged_user"
            ],
            "LastActivity": "Account is active",
            "LastSeen": "2018-09-09T16:36:13",
            "Location": "Atlanta",
            "NotableSessionIds": [
                "session_id"
            ],
            "NotableUser": true,
            "RiskScore": null,
            "Title": "Network Engineer",
            "UserFullName": "full_name",
            "UserName": "username"
        },
        {
            "Department": "HR",
            "EmployeeType": "employee",
            "FirstSeen": "2018-07-03T14:26:26",
            "HighestRiskSession": {
                "accounts": [
                    "account_name"
                ],
                "endTime": 1538233298000,
                "initialRiskScore": 14,
                "label": "vpn-in",
                "loginHost": "login_host",
                "numOfAccounts": 2,
                "numOfAssets": 14,
                "numOfEvents": 15,
                "numOfReasons": 9,
                "numOfSecurityEvents": 1,
                "numOfZones": 0,
                "riskScore": 169,
                "sessionId": "session_id",
                "startTime": 1538222645000,
                "username": "username",
                "zones": []
            },
            "Labels": [],
            "LastActivity": "Account is active",
            "LastSeen": "2018-09-30T16:27:01",
            "Location": "Chicago",
            "NotableSessionIds": [
                "session_id"
            ],
            "NotableUser": true,
            "RiskScore": null,
            "Title": "Human Resources Coordinator",
            "UserFullName": "full name",
            "UserName": "username"
        },
        {
            "Department": "Sales",
            "EmployeeType": "employee",
            "FirstSeen": "2018-08-10T15:55:25",
            "HighestRiskSession": {
                "accounts": [
                    "hosborne"
                ],
                "endTime": 1538281057000,
                "initialRiskScore": 0,
                "label": "",
                "loginHost": "",
                "numOfAccounts": 1,
                "numOfAssets": 3,
                "numOfEvents": 62,
                "numOfReasons": 8,
                "numOfSecurityEvents": 1,
                "numOfZones": 0,
                "riskScore": 132,
                "sessionId": "session_id",
                "startTime": 1538250305000,
                "username": "username",
                "zones": []
            },
            "Labels": [
                "privileged_user"
            ],
            "LastActivity": "Account is active",
            "LastSeen": "2018-09-30T16:27:01",
            "Location": "Atlanta",
            "NotableSessionIds": [
                "session_id"
            ],
            "NotableUser": true,
            "RiskScore": null,
            "Title": "Sales Representative",
            "UserFullName": "fullname",
            "UserName": "username"
        }
    ]
}
Human Readable Output

Exabeam Notable Users:

UserName | UserFullName | Title | Department | Labels | NotableSessionIds | EmployeeType | FirstSeen | LastSeen | LastActivity | Location
username | fullname | Network Engineer | IT | privileged_user | session_id | employee | 2018-08-01T11:50:16 | 2018-09-09T16:36:13 | Account is active | Atlanta
username | fullname | Human Resources Coordinator | HR | | session_id | employee | 2018-07-03T14:26:26 | 2018-09-30T16:27:01 | Account is active | Chicago
username | fullname | Sales Representative | Sales | privileged_user | session_id | employee | 2018-08-10T15:55:25 | 2018-09-30T16:27:01 | Account is active | Atlanta
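
An added example (not part of the Exabeam integration or its documentation): a Python helper that post-processes the Exabeam.User context shown above. It falls back to HighestRiskSession.riskScore because RiskScore is null in the example, converts the epoch-millisecond session times, and accepts the single-object shape with Username/Label keys that exabeam-get-user-info produces. The usernames, session IDs and both thresholds are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the page's Context Example trimmed to the fields used here.
# Usernames and session IDs are constructed stand-ins for the page's placeholders.
SAMPLE_CONTEXT = json.loads("""
{"Exabeam.User": [
  {"UserName": "user_a", "RiskScore": null, "Labels": ["privileged_user"],
   "HighestRiskSession": {"riskScore": 265, "sessionId": "session_a",
                          "startTime": 1535973498000, "endTime": 1535991695000}},
  {"UserName": "user_b", "RiskScore": null, "Labels": [],
   "HighestRiskSession": {"riskScore": 169, "sessionId": "session_b",
                          "startTime": 1538222645000, "endTime": 1538233298000}},
  {"UserName": "user_c", "RiskScore": null, "Labels": ["privileged_user"],
   "HighestRiskSession": {"riskScore": 132, "sessionId": "session_c",
                          "startTime": 1538250305000, "endTime": 1538281057000}}
]}
""")


def ms_to_iso(ms):
    """HighestRiskSession times are epoch milliseconds; render them as UTC ISO 8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def effective_risk(user):
    """Use RiskScore when set; otherwise fall back to HighestRiskSession.riskScore."""
    score = user.get("RiskScore")
    if score is None:
        score = (user.get("HighestRiskSession") or {}).get("riskScore")
    return score or 0


def triage(context, threshold=200, privileged_threshold=100):
    """Rank users by risk and mark which ones to escalate.

    Both thresholds are assumptions chosen for this example, not Exabeam defaults.
    """
    users = context.get("Exabeam.User") or []
    if isinstance(users, dict):  # exabeam-get-user-info stores a single object here
        users = [users]
    rows = []
    for user in users:
        session = user.get("HighestRiskSession") or {}
        risk = effective_risk(user)
        # get-notable-users uses UserName/Labels; get-user-info uses Username/Label.
        labels = user.get("Labels") or user.get("Label") or []
        privileged = "privileged_user" in labels
        rows.append({
            "user": user.get("UserName") or user.get("Username"),
            "risk": risk,
            "privileged": privileged,
            "escalate": risk >= threshold or (privileged and risk >= privileged_threshold),
            "session": session.get("sessionId"),
            "start": ms_to_iso(session["startTime"]) if "startTime" in session else None,
            "end": ms_to_iso(session["endTime"]) if "endTime" in session else None,
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_CONTEXT):
        print(row)
```

With these thresholds the privileged_user label lowers the escalation bar, so the 132-score privileged account is escalated while the 169-score unlabelled account is not.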

2. exabeam-get-watchlists


Returns all watchlist IDs and titles.

Base Command

exabeam-get-watchlists

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
There are no input arguments for this command.

Context Output
Path | Type | Description
Exabeam.Watchlist.Category | String | The watchlist category.
Exabeam.Watchlist.Title | String | The watchlist title.
Exabeam.Watchlist.WatchlistID | String | The watchlist ID.

Command Example

!exabeam-get-watchlists

Context Example
{
    "Exabeam.Watchlist": [
        {
            "Category": "UserLabels",
            "Title": "Executive Users",
            "WatchlistID": "5c869ab0315c745d905a26d9"
        },
        {
            "Category": "UserLabels",
            "Title": "Service Accounts",
            "WatchlistID": "5c869ab0315c745d905a26da"
        },
        {
            "Category": "Users",
            "Title": "user watchlist",
            "WatchlistID": "5dbaba2dd4e62a0009dd7ae4"
        },
        {
            "Category": "PeerGroups",
            "Title": "VP Operations",
            "WatchlistID": "5d8751723b72ea000830066a"
        }
    ]
}
Human Readable Output

Exabeam Watchlists:

WatchlistID | Title | Category
5c869ab0315c745d905a26d9 | Executive Users | UserLabels
5c869ab0315c745d905a26da | Service Accounts | UserLabels
5dbaba2dd4e62a0009dd7ae4 | user watchlist | Users
5d8751723b72ea000830066a | VP Operations | PeerGroups

3. exabeam-get-peer-groups


Returns all peer groups.

Base Command

exabeam-get-peer-groups

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
There are no input arguments for this command.

Context Output
Path | Type | Description
Exabeam.PeerGroup.Name | String | The name of the peer group.

Command Example

!exabeam-get-peer-groups

Context Example
{
    "Exabeam.PeerGroup": [
        {
            "Name": "Marketing"
        },
        {
            "Name": "usa"
        },
        {
            "Name": "101"
        },
        {
            "Name": "Program Manager"
        },
        {
            "Name": "Channel Administrator"
        },
        {
            "Name": "Chief Marketing Officer"
        },
        {
            "Name": ""
        },
        {
            "Name": "Chief Strategy Officer"
        },
        {
            "Name": "CN=Andrew Bautista,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "BitLockerUsersComputers"
        },
        {
            "Name": "trinet"
        },
        {
            "Name": "Admin Operations"
        },
        {
            "Name": "118"
        },
        {
            "Name": "Corp"
        },
        {
            "Name": "102"
        },
        {
            "Name": "CN=Emery Santiago,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "105"
        },
        {
            "Name": "Computer Scientist"
        },
        {
            "Name": "Electrical Engineer"
        },
        {
            "Name": "VP Business Development"
        },
        {
            "Name": "Hardware Engineer"
        },
        {
            "Name": "Executive Assistant"
        },
        {
            "Name": "GenCouncil"
        },
        {
            "Name": "Consulting"
        },
        {
            "Name": "109"
        },
        {
            "Name": "Legal Secretary"
        },
        {
            "Name": "VP Operations"
        },
        {
            "Name": "106"
        },
        {
            "Name": "Washington"
        },
        {
            "Name": "Operations Director"
        },
        {
            "Name": "Process Engineer"
        },
        {
            "Name": "104"
        },
        {
            "Name": "Account Manager"
        },
        {
            "Name": "Shop Floor Supervisor"
        },
        {
            "Name": "IT Operations"
        },
        {
            "Name": "VP Marketing"
        },
        {
            "Name": "HR"
        },
        {
            "Name": "design,milling"
        },
        {
            "Name": "superUsers"
        },
        {
            "Name": "WIFI IL"
        },
        {
            "Name": "ProgramMgmt"
        },
        {
            "Name": "Engagement Manager"
        },
        {
            "Name": "InfoSec"
        },
        {
            "Name": "Sales Operations"
        },
        {
            "Name": "Security Systems Engineer"
        },
        {
            "Name": "design"
        },
        {
            "Name": "CN=Tracee Weber,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "sap"
        },
        {
            "Name": "CN=May Mcconnell,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "jobvite"
        },
        {
            "Name": "Sales"
        },
        {
            "Name": "partners"
        },
        {
            "Name": "CN=Emely Blanchard,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "Corporate Marketing Strategist"
        },
        {
            "Name": "Web Developer"
        },
        {
            "Name": "Domain Admins"
        },
        {
            "Name": "VP Information Systems"
        },
        {
            "Name": "CN=Raelene Thompson,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "VP Engineering"
        },
        {
            "Name": "Marketing Coordinator"
        },
        {
            "Name": "VP Sales"
        },
        {
            "Name": "103"
        },
        {
            "Name": "Product Manager"
        },
        {
            "Name": "Welder"
        },
        {
            "Name": "milling"
        },
        {
            "Name": "VP Human Resources"
        },
        {
            "Name": "Partner Corrdinator"
        },
        {
            "Name": "execs"
        },
        {
            "Name": "117"
        },
        {
            "Name": "Engineering"
        },
        {
            "Name": "Seattle"
        },
        {
            "Name": "107"
        },
        {
            "Name": "Program Director"
        },
        {
            "Name": "Chief Council"
        },
        {
            "Name": "Machinist"
        },
        {
            "Name": "Software Developer"
        },
        {
            "Name": "Office365-Users"
        },
        {
            "Name": "CN=Harris Oliver,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "CN=Tu Petersen,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "ITServiceUsersDomainAdmins"
        },
        {
            "Name": "root"
        },
        {
            "Name": "IT"
        },
        {
            "Name": "Atlanta"
        },
        {
            "Name": "autocad"
        },
        {
            "Name": "Building Engineer"
        },
        {
            "Name": "Dallas"
        },
        {
            "Name": "Security Security Coordinator"
        },
        {
            "Name": "salesforce"
        },
        {
            "Name": "Software Engineer"
        },
        {
            "Name": "110"
        },
        {
            "Name": "Saless"
        },
        {
            "Name": "CN=Marianne Hughes,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "Civil Engineer"
        },
        {
            "Name": "CN=Vince Andrade,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "Security Analyst"
        },
        {
            "Name": "Sales Representative"
        },
        {
            "Name": "Operations"
        },
        {
            "Name": "Jobvite-users"
        },
        {
            "Name": "Chicago"
        },
        {
            "Name": "Los Angeles"
        },
        {
            "Name": "New York"
        },
        {
            "Name": "councilApp"
        },
        {
            "Name": "VP Information Security"
        },
        {
            "Name": "Direct Support"
        },
        {
            "Name": "MA/DCG"
        },
        {
            "Name": "orch_admins"
        },
        {
            "Name": "Chief Operating Officer"
        },
        {
            "Name": "ITInfraAdmins"
        },
        {
            "Name": "Manager, IT Corporate Services"
        },
        {
            "Name": "VP Council"
        },
        {
            "Name": "CN=Felipe Pennington,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "CN=May Mcconnell,OU=US,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local"
        },
        {
            "Name": "Public Relations Officer"
        },
        {
            "Name": "Human Resources Coordinator"
        },
        {
            "Name": "Chief Information Secuity Officer"
        },
        {
            "Name": "Marketing Strategist"
        },
        {
            "Name": "Front Desk Receptionist"
        },
        {
            "Name": "CEO"
        },
        {
            "Name": "IT Administrator"
        },
        {
            "Name": "Sales Coordinator"
        },
        {
            "Name": "Network Engineer"
        },
        {
            "Name": "108"
        }
    ]
}
Human Readable Output

Exabeam Peer Groups:

Name
Marketing
usa
101
Program Manager
Channel Administrator
Chief Marketing Officer
Chief Strategy Officer
CN=Andrew Bautista,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
BitLockerUsersComputers
trinet
Admin Operations
118
Corp
102
CN=Emery Santiago,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
105
Computer Scientist
Electrical Engineer
VP Business Development
Hardware Engineer
Executive Assistant
GenCouncil
Consulting
109
Legal Secretary
VP Operations
106
Washington
Operations Director
Process Engineer
104
Account Manager
Shop Floor Supervisor
IT Operations
VP Marketing
HR
design,milling
superUsers
WIFI IL
ProgramMgmt
Engagement Manager
InfoSec
Sales Operations
Security Systems Engineer
design
CN=Tracee Weber,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
sap
CN=May Mcconnell,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
jobvite
Sales
partners
CN=Emely Blanchard,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
Corporate Marketing Strategist
Web Developer
Domain Admins
VP Information Systems
CN=Raelene Thompson,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
VP Engineering
Marketing Coordinator
VP Sales
103
Product Manager
Welder
milling
VP Human Resources
Partner Corrdinator
execs
117
Engineering
Seattle
107
Program Director
Chief Council
Machinist
Software Developer
Office365-Users
CN=Harris Oliver,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
CN=Tu Petersen,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
ITServiceUsersDomainAdmins
root
IT
Atlanta
autocad
Building Engineer
Dallas
Security Security Coordinator
salesforce
Software Engineer
110
Saless
CN=Marianne Hughes,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
Civil Engineer
CN=Vince Andrade,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
Security Analyst
Sales Representative
Operations
Jobvite-users
Chicago
Los Angeles
New York
councilApp
VP Information Security
Direct Support
MA/DCG
orch_admins
Chief Operating Officer
ITInfraAdmins
Manager, IT Corporate Services
VP Council
CN=Felipe Pennington,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
CN=May Mcconnell,OU=US,OU=Users,OU=Ktenergy,DC=ktenergy,DC=local
Public Relations Officer
Human Resources Coordinator
Chief Information Secuity Officer
Marketing Strategist
Front Desk Receptionist
CEO
IT Administrator
Sales Coordinator
Network Engineer
108

4. exabeam-get-user-info


Returns user information data for the username.

Base Command

exabeam-get-user-info

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name | Description | Required
username | The username of the user to fetch. | Required

Context Output
Path | Type | Description
Exabeam.User.RiskScore | Number | The risk score of the user.
Exabeam.User.AverageRiskScore | Number | The average risk score.
Exabeam.User.PeerGroupFieldName | String | The field name of the peer group.
Exabeam.User.FirstSeen | Date | The date when the user was first seen.
Exabeam.User.PeerGroupDisplayName | String | The display name of the peer group.
Exabeam.User.LastSeen | Date | The date the user was last seen.
Exabeam.User.PeerGroupFieldValue | String | The field value of the peer group.
Exabeam.User.Label | String | The labels of the user.
Exabeam.User.Username | String | The name of the user.
Exabeam.User.PeerGroupType | String | The type of the peer group.
Exabeam.User.LastSessionID | String | The last session ID of the user.
Exabeam.User.LastActivityType | String | The last activity type of the user.
Exabeam.User.AccountNames | String | The account name of the user.

Command Example

!exabeam-get-user-info username={username}

Context Example
{
    "Exabeam.User": {
        "AccountNames": [
            "account_name"
        ],
        "AverageRiskScore": 102.53,
        "FirstSeen": "2018-08-01T11:50:16",
        "Label": [
            "privileged_user"
        ],
        "LastActivityType": "Account is active",
        "LastSeen": "2018-09-09T16:36:13",
        "LastSessionID": "session_id",
        "PeerGroupDisplayName": "root",
        "PeerGroupFieldName": "Peer Groups",
        "PeerGroupFieldValue": "root",
        "PeerGroupType": "Group",
        "RiskScore": 163,
        "Username": "username"
    }
}
Human Readable Output

User jmontoya information:

Username | RiskScore | AverageRiskScore | LastSessionID | FirstSeen | LastSeen | LastActivityType | AccountNames | PeerGroupFieldName | PeerGroupFieldValue | PeerGroupDisplayName | PeerGroupType
{username} | 163 | 102.53 | {session_id} | 2018-08-01T11:50:16 | 2018-09-09T16:36:13 | Account is active | {account_name} | Peer Groups | root | root | Group

5. exabeam-get-user-labels


Returns all labels of the user.

Base Command

exabeam-get-user-labels

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
There are no input arguments for this command.

Context Output
Path | Type | Description
Exabeam.UserLabel.Label | String | The label of the user.

Command Example

!exabeam-get-user-labels

Context Example
{
    "Exabeam.UserLabel": [
        {
            "Label": "privileged_user"
        },
        {
            "Label": "service_account"
        }
    ]
}
Human Readable Output

Exabeam User Labels:

Label
privileged_user
service_account

6. exabeam-get-user-sessions


Returns sessions for the given username and time range.

Base Command

exabeam-get-user-sessions

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name | Description | Required
username | The username for which to fetch data. | Required
start_time | The start time of the time range. For example, 2018-08-01T11:50:16. | Optional
end_time | The end time of the time range. For example, 2018-08-01T11:50:16. | Optional

Context Output
Path | Type | Description
Exabeam.User.Session.EndTime | Date | The end time of the session.
Exabeam.User.Session.InitialRiskScore | Number | The initial risk score of the session.
Exabeam.User.Session.Label | String | The label of the session.
Exabeam.User.Session.LoginHost | String | The login host.
Exabeam.User.Session.RiskScore | Number | The risk score of the session.
Exabeam.User.Session.SessionID | String | The ID of the session.
Exabeam.User.Session.StartTime | Date | The start time of the session.
Exabeam.User.Username | String | The username of the session.

Command Example

!exabeam-get-user-sessions username={username} start_time=2018-08-01T11:50:16

Context Example
{
    "Exabeam.User": {
        "Session": [
            {
                "EndTime": "2018-08-01T20:00:17",
                "InitialRiskScore": 0,
                "Label": "",
                "LoginHost": "login_host",
                "RiskScore": 0,
                "SessionID": "session_id",
                "StartTime": "2018-08-01T14:05:46"
            },
            {
                "EndTime": "2018-08-02T02:37:51",
                "InitialRiskScore": 0,
                "Label": "vpn-in",
                "LoginHost": "login_host",
                "RiskScore": 0,
                "SessionID": "session_id",
                "StartTime": "2018-08-01T23:17:00"
            }
        ],
        "Username": "username"
    }
}
Human Readable Output

User {username} sessions information:

SessionID | RiskScore | InitialRiskScore | StartTime | EndTime | LoginHost | Label
session_id | 0 | 0 | 2018-08-01T14:05:46 | 2018-08-01T20:00:17 | login_host |
session_id | 0 | 0 | 2018-08-01T23:17:00 | 2018-08-02T02:37:51 | login_host | vpn-in

7. exabeam-delete-watchlist


Deletes a watchlist.

Base Command

exabeam-delete-watchlist

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name | Description | Required
watchlist_id | The watchlist ID. | Required

Context Output
There is no context output for this command.

Command Example

!exabeam-delete-watchlist watchlist_id=5de50f82088c6a000865408d

Context Example
{}
Human Readable Output

The watchlist 5de50f82088c6a000865408d was deleted successfully.

8. exabeam-get-asset-data


Returns asset data.

Base Command

exabeam-get-asset-data

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
asset_name The name of the asset. Required

Context Output
Path | Type | Description
Exabeam.Asset.HostName | String | The host name of the asset.
Exabeam.Asset.IPAddress | String | The IP address of the asset.
Exabeam.Asset.AssetType | String | The type of the asset.
Exabeam.Asset.FirstSeen | Date | The date the asset was first seen.
Exabeam.Asset.LastSeen | String | The date the asset was last seen.

Command Example

!exabeam-get-asset-data asset_name={host_name}

Context Example
{
    "Exabeam.Asset": {
        "AssetType": "Windows",
        "FirstSeen": "2018-07-03T14:21:00",
        "HostName": "host_name",
        "IPAddress": "ip_address",
        "Labels": null,
        "LastSeen": "2018-09-30T16:23:17"
    }
}
Human Readable Output

Exabeam Asset Data:

AssetType | FirstSeen | HostName | IPAddress | LastSeen
Windows | 2018-07-03T14:21:00 | host_name | ip_address | 2018-09-30T16:23:17