Incoming feed - Exabeam Event Feed#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport type: Exabeam Event Feed

Content type: Exabeam Event JSON

Description: Uses the Exabeam Event Search API to retrieve Exabeam events that match a given search query and ingests them as Sighting entities.

Overview#

Requirements#

  • Exabeam instance URL

  • Exabeam user account with permissions to access:

    • Event search API

  • For that user account:

    • Exabeam client key/ID

    • Exabeam client secret

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. (Recommended) Exclude unstructured data. Select Advanced options > Skip extraction of observables from unstructured text.

  3. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Exabeam Event Feed from the drop-down menu.

    Content type*

    Select Exabeam Event JSON from the drop-down menu.

    API URL*

    Default: https://api.us-east.exabeam.cloud/

    Set this to the URL for your Exabeam instance.

    Client ID*

    Enter your Exabeam client key/ID.

    Client Secret*

    Enter your Exabeam client secret.

    Filter value*

    Enter an Exabeam search query.

    See the Exabeam documentation.

    Event limit*

    Default: 3000

    Enter the maximum number of events this feed retrieves from Exabeam each time it runs.

    Note

    Limitation: Each time this feed runs, it retrieves the most recent events since Start ingestion from, up to the Event limit. If more than Event limit events exist for a given Start ingestion from date and time, running the feed again with the same Event limit will not retrieve the “next” chunk of events.

    For example, if Start ingestion from is 2023-11-01T00:00:00, the feed runs now (2023-11-25T00:00:00), and Event limit is 3000, running the feed repeatedly ingests (and deduplicates) the same 3000 events for the same Filter value (search query).

    In this example, new events are ingested only in three cases (provided matching Exabeam events exist):

    • New events have been triggered since the last time the feed was run (2023-11-25T00:00:00).

    • The Start ingestion from is changed to an earlier timestamp.

    • Event limit is increased.

  4. Store your changes by selecting Save.
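The Event limit behaviour described in step 3 can be modelled to see why re-running the feed never pages past the first chunk, and which changes do bring in new Sightings. This is an added example, not EclecticIQ or Exabeam code: it models a feed run as "newest N events since the start timestamp" with deduplication on the Sighting title, and the event field names and sample timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


# Constructed model of the feed behaviour documented above (added example,
# not EclecticIQ or Exabeam code): each run returns the newest `limit`
# events timestamped at or after `start_from`; runs never page onward.
@dataclass(frozen=True)
class ExabeamEvent:
    id: str          # event.id, used for the Sighting title
    time: datetime   # event timestamp (illustrative field name)


def search_events(events, start_from, limit):
    """One feed run: the newest `limit` events since `start_from`."""
    window = [e for e in events if e.time >= start_from]
    window.sort(key=lambda e: e.time, reverse=True)
    return window[:limit]


def sighting_title(event):
    return f"Exabeam Event #{event.id}"


def ingest(store, fetched):
    """Deduplicate on the Sighting title; return the titles that were new."""
    new = [sighting_title(e) for e in fetched if sighting_title(e) not in store]
    store.update(new)
    return new


def may_have_missed_events(fetched, limit):
    """A run that fills the limit may have left older events in the window
    that re-running with the same settings will never retrieve."""
    return len(fetched) >= limit


def demo():
    # Constructed sample: one event per day, 2023-11-01 to 2023-11-05.
    events = [ExabeamEvent(f"ev-{d:02d}", datetime(2023, 11, d)) for d in range(1, 6)]
    store, start = set(), datetime(2023, 11, 1)
    first = len(ingest(store, search_events(events, start, 3)))    # 3 new
    repeat = len(ingest(store, search_events(events, start, 3)))   # 0: same chunk
    events.append(ExabeamEvent("ev-06", datetime(2023, 11, 6)))    # newer event
    newer = len(ingest(store, search_events(events, start, 3)))    # 1 new
    raised = len(ingest(store, search_events(events, start, 10)))  # 2 new: limit up
    return first, repeat, newer, raised  # -> (3, 0, 1, 2)
```

A run that returns exactly Event limit events is the signal to raise the limit or tighten the Filter value, since repeating the run will not recover the older events in the window.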

Ingested data#

Exabeam events are ingested as Sighting entities with:

  • Titles formatted as Exabeam event #<event.id>. Example: Exabeam Event #75d4c995-39f4-4cd8-bfba-9f72f141c625.

  • IoCs identified in the event are ingested as related observables.