Outgoing feed - Exabeam Outgoing Feed#
Note
This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.
Specifications |
|
|---|---|
Transport type |
Exabeam Outgoing Feed |
Content type |
Exabeam JSON model |
Published data |
Create a context table on your Exabeam instance, and push observable data to it. |
Requirements#
Exabeam instance URL
Exabeam user account with permissions to access:
Context Table API
For that user account:
Exabeam client key/ID
Exabeam client secret
Configure the outgoing feed#
Create or edit an outgoing feed.
Set a name for this outgoing feed in Outgoing feed name. This determines the Exabeam context table name used. See Context table names.
Under Transport and content, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field
Description
Datasets*
Select one or more existing datasets from the drop-down menu. The menu only displays datasets that contain observables supported by the Transport type you’ve selected.
See
Supported observable types_ for more information.Update strategy*
Select an update strategy.
See Update strategies for more information.
Transport type*
Select Exabeam Outgoing Feed from the drop-down menu.
Content type*
Select Exabeam JSON model from the drop-down menu.
API URL*
Default:
https://api.us-east.exabeam.cloud/Set this to the URL for your Exabeam instance.
Client ID*
Enter the
client_idfor your service application.See
Set up service application on Azure_ for more information.Client Secret*
Enter the
client_secretfor your service application.See
Set up service application on Azure_ for more information.Store your changes by selecting Save.
Update strategies#
Select an update strategy to determine how this outgoing feed updates Exabeam context tables.
Important
Update strategies behave slightly differently in this outgoing feed. Read the descriptions below carefully.
Append |
Each time this feed runs, new and updated observables are sent to the context table. |
|---|---|
Diff |
Each time this feed runs:
|
Replace |
(Not recommended) The REPLACE update strategy packs all entities available in selected datasets and pushes them to an Exabeam context table. Each time the feed runs, it re-packs all data from these datasets, and sends them to the context table. Limitations:
|
Appendix#
Context table names#
Each Exabeam Outgoing Feed per EclecticIQ Intelligence Center instance creates its own context table on the target Exabeam instance when it runs.
The context table is named as follows: EIQ <this outgoing feed's name> #<feed ID>
For example: EIQ Exabeam Outgoing Feed Test #8
Note
This context table naming convention is to make sure that each outgoing feed consistently writes to a context table that it owns.
Known issues:
You cannot change the name of the context table a given Exabeam Outgoing Feed writes to.
One Exabeam Outgoing Feed writes to one Exabeam context table. However, it is possible for a different EclecticIQ Intelligence Center instance with an outgoing feed with the same name and same feed ID to write to the same context table if you connect it to the same Exabeam instance.
Data is not removed from context tables#
This integration cannot remove data from context tables.
Instead, it provides an active field for context table records,
which is set to true by default.
When an observable is removed from the datasets for this outgoing feed,
its corresponding record in the context table has its active field set to false.
To remove a context table, do it through the Exabeam UI.
Context tables can become large#
Because Data is not removed from context tables, context tables can become large over time.
To remove a context table, do it through the Exabeam UI.