What’s New in Exabeam Product Development – May 2024
- Jun 05, 2024
- Jeannie Warner
Our May product release introduces three new major features: Threat Center API (read), Self-service CrowdStrike collector migration, and Proofpoint Targeted Attack Protection (TAP) support.
Threat Center API (Read) for third-party integrations
This frequently requested feature provides connectivity into Threat Center via API for the reading of data. Writing to the API will be coming in the near future.
With this feature, users can query Threat Center and receive a list of threats that match specific criteria, such as threats that contain a specific rule, MITRE ATT&CK® tactics, or risk scores. Additionally, you can access comprehensive details of an alert or case, including all relevant fields and identification markers. If you haven’t seen Threat Center in action yet, here’s a handy video.
This new capability adds value to our customers and MSSPs looking to integrate Exabeam into third-party security workflows such as external security orchestration, automation, and response (SOAR) and ticketing systems. Threat Center data is now available outside of the Exabeam Security Operations Platform, eliminating the need to switch into the platform to look something up.
Need some additional support for API integrations with Exabeam? We’ve got you covered. Visit developers.exabeam.com.

Improved threat overview layout for rapid investigations
The May update enhances the Threat Overview experience in Threat Center, offering a full-page dashboard with detailed threat summaries, timelines, risk scores, and collaborative tools for comprehensive case management.
- Full-page threat overview: Analysts can now access a comprehensive dashboard displaying all key information relevant to each case.
- Exabeam Copilot GenAI threat summary: Provides a detailed summary of the case, explains each potential threat, and recommends next steps for a consistent response.
- Threat Timeline tab: Allows rapid pivot to a complete Threat Timeline.
- Risk score: Includes a detailed explanation and calculation of the risk score.
- Timeframe: Displays timestamps for first detection and case creation.
- Rules triggered: Lists all rules triggered within the case.
- Detection groupings: Shows associated rules and detection groupings.
- Users and device listing: Identifies all users and devices linked to the case.
- Latest notes: Facilitates easy collaboration and note-taking within the case.

The newly redesigned Threat Overview for each case allows analysts to view key information of the case in a single pane, resulting in rapid investigations and optimized threat hunting.
Self-service migration to updated Exabeam platform collector(s)
When updating Exabeam collectors to the cloud-native Exabeam platform, it’s important to ensure there is no data loss or data duplication. Previously, Exabeam technical services would work closely with the customer for a smooth transition.
With the May release, Exabeam now provides customers with a self-service experience for API collector migration to the cloud platform. Self-service migration will initially support both Microsoft 365 and CrowdStrike alerts ingestion, with support for all collectors coming soon.
Microsoft 365 Collectors have also been simplified and grouped, reducing the number of endpoints from 14 to 4. On the Exabeam platform, Microsoft 365 Collectors are grouped by Microsoft 365 Management Activity, Azure Active Directory, Microsoft 365 Exchange Admin Reports, and Microsoft Defender XDR.

Self-service collector migration allows Exabeam customers to take advantage of the ease of use and scalability benefits of the cloud-native Exabeam platform with a simplified migration process that does not require scheduling or assistance from Exabeam technical services. Additionally, collector migration status is shown in the management UI, and a migration can easily be rolled back to the legacy collector by simply deleting the new collector.
Proofpoint Targeted Attack Protection (TAP) support (Early Access)
Proofpoint Targeted Attack Protection (TAP) can detect, analyze, summarize, and block advanced threats targeting organization email users. It’s been estimated that the majority of cyberattacks start with email. For this reason, it’s no surprise that Proofpoint TAP has been one of the most popular Exabeam data sources over time.
For the May release, a prebuilt Proofpoint TAP Collector is now available on the Exabeam Security Operations Platform for Early Access. With the Proofpoint TAP Collector, Exabeam can ingest email log data including messages delivered, messages blocked, clicks permitted, and clicks blocked. This Proofpoint log data is then normalized into the Exabeam Common Information Model (CIM) and used to strengthen machine-learned user behavioral analytics, threat investigations, and threat hunting.
Coming soon, we will be adding support for Proofpoint On-Demand, an additional Proofpoint data source focused on data loss prevention (DLP), data exfiltration, and detailed email activity.

If you’re an existing Exabeam customer and would like early access to the new collector, use the established Collector Early Access process.
For a detailed list and descriptions of the features introduced in the Exabeam May release, please refer to the Exabeam Security Operations Platform Release Notes.
Stay up to date with Exabeam Community
Dig into the new release in the Exabeam Community. Engage in live ExaExpert Q&A sessions every other week, or join technical discussions at your convenience. Your curiosity and questions are always welcome.
Jeannie Warner
Director, Product Marketing | Exabeam | Jeannie Warner, CISSP, is the Director of Product Marketing at Exabeam. Jeannie is an information security professional with over twenty years in infrastructure operations/security starting her career in the trenches working in various Unix help desk and network operations centers. She started in Security Operations for IBM MSS and quickly rose through the ranks to technical product and security program manager for a variety of software companies such as Symantec, Fortinet, and Synopsis (formerly WhiteHat) Security. She served as the Global SOC Manager for Dimension Data, building out their multi-SOC “follow the sun” approach to security. Jeannie was trained in computer forensics and practices, and plays a lot of ice hockey.
