Outgoing feed - Exabeam Outgoing Feed

Note

This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

Specifications

  • Transport type: Exabeam Outgoing Feed

  • Content type: Exabeam JSON model

  • Published data: Creates a context table on your Exabeam instance and pushes observable data to it.

Requirements

  • Exabeam instance URL

  • Exabeam user account with permissions to access:

    • Context Table API

  • For that user account:

    • Exabeam client key/ID

    • Exabeam client secret

Configure the outgoing feed

  1. Create or edit an outgoing feed.

  2. Set a name for this outgoing feed in Outgoing feed name. This determines the Exabeam context table name used. See Context table names.

  3. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    • Datasets*: Select one or more existing datasets from the drop-down menu. The menu only displays datasets that contain observables supported by the Transport type you’ve selected. See Supported observable types for more information.

    • Update strategy*: Select an update strategy. See Update strategies for more information.

    • Transport type*: Select Exabeam Outgoing Feed from the drop-down menu.

    • Content type*: Select Exabeam JSON model from the drop-down menu.

    • API URL*: Set this to the URL for your Exabeam instance. Default: https://api.us-east.exabeam.cloud/

    • Client ID*: Enter the client_id for your service application. See Set up service application on Azure for more information.

    • Client Secret*: Enter the client_secret for your service application. See Set up service application on Azure for more information.

  4. Store your changes by selecting Save.

Update strategies

Select an update strategy to determine how this outgoing feed updates Exabeam context tables.

Important

Update strategies behave slightly differently in this outgoing feed. Read the descriptions below carefully.

Note: Starting from release version 3.5.1, the Replace strategy has been removed, and the Diff strategy now supports deleting observables from the Exabeam context table.

Append

Each time this feed runs, new and updated observables are sent to the context table.

Diff

Each time this feed runs:

  • New and updated observables are sent to the context table.

  • Observables that were removed/deleted from the dataset/EIQ Platform are deleted from the context table.
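
The two strategies differ only when an observable leaves the dataset. The following Python model is an added illustration, not EclecticIQ or Exabeam code: it replays two consecutive feed runs under each strategy and lists what is left behind in the context table. The dictionary shape, the attribute names and the sample values are constructed assumptions.

```python
"""Model of the Append and Diff update strategies (added illustration)."""

STRATEGIES = ("append", "diff")

def plan_run(strategy, table, dataset):
    """Return the changes one feed run makes to the context table.

    table and dataset map observable value -> attributes (assumed shape).
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown update strategy: {strategy!r}")
    # Both strategies send observables that are new or whose attributes changed.
    upserts = {v: a for v, a in dataset.items() if table.get(v) != a}
    # Only Diff deletes observables that are no longer in the dataset.
    deletes = sorted(set(table) - set(dataset)) if strategy == "diff" else []
    return {"upserts": upserts, "deletes": deletes}

def apply_run(strategy, table, dataset):
    """Apply one run and return the new context table contents."""
    plan = plan_run(strategy, table, dataset)
    result = {v: a for v, a in table.items() if v not in plan["deletes"]}
    result.update(plan["upserts"])
    return result

def replay(strategy, dataset_states):
    """Run the feed once per dataset state, starting from an empty table."""
    table = {}
    for dataset in dataset_states:
        table = apply_run(strategy, table, dataset)
    return table

def stale_entries(table, dataset):
    """Observables still in the context table but gone from the dataset."""
    return sorted(set(table) - set(dataset))

# Constructed sample data: two consecutive states of one dataset.
RUN_1 = {"198.51.100.7": {"type": "ipv4", "maliciousness": "high"},
         "bad.example": {"type": "domain", "maliciousness": "medium"}}
RUN_2 = {"bad.example": {"type": "domain", "maliciousness": "high"},  # updated
         "203.0.113.9": {"type": "ipv4", "maliciousness": "low"}}     # new

if __name__ == "__main__":
    for strategy in STRATEGIES:
        table = replay(strategy, [RUN_1, RUN_2])
        print(strategy, sorted(table), "stale:", stale_entries(table, RUN_2))
```

Under Append, 198.51.100.7 stays in the context table after it has left the dataset; under Diff, the same run deletes it.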

Appendix

Context table names

When it runs, each Exabeam Outgoing Feed on an EclecticIQ Intelligence Center instance creates its own context table on the target Exabeam instance.

The context table is named as follows: EIQ <this outgoing feed's name> #<feed ID>

For example: EIQ Exabeam Outgoing Feed Test #8

Note

This naming convention ensures that each outgoing feed consistently writes to a context table that it owns.