What’s New in Exabeam Product Development – June 2024

  • Jul 01, 2024
  • Jeannie Warner
  • 3 minutes to read

    Our June product release introduces three new major features: Proofpoint Targeted Attack Protection (TAP) support, GeoIP field support for visualizations, correlation rule definitions within Threat Center, and more!

    Proofpoint Targeted Attack Protection (TAP) Collector

    Proofpoint Targeted Attack Protection (TAP) can detect, analyze, summarize, and block advanced threats targeting organization email users. It’s been estimated that the majority of cyberattacks start with email. For this reason, it’s no surprise that Proofpoint TAP has been one of the most popular Exabeam data sources over time.

    For the June release, a prebuilt Proofpoint TAP Collector is now generally available on the Exabeam Security Operations Platform. With the Proofpoint TAP Collector, Exabeam can ingest email log data including messages delivered, messages blocked, clicks permitted, and clicks blocked. This Proofpoint log is then normalized into the Exabeam Common Information Model (CIM) and used to strengthen machine-learned user and entity behavior analytics (UEBA), threat investigations, and threat hunting.

    Security teams face the constant challenge of detecting email-based threats. The Proofpoint TAP Collector integrates seamlessly with Exabeam, providing a richer dataset that includes message details, user clicks, and blocking information. This empowers Exabeam machine learning-based AI to identify suspicious user behavior, ultimately improving threat investigations and threat hunting. Additionally, the prebuilt collector streamlines data collection, saving security personnel time and resources.

    GeoIP field support for Dashboards

    You can now add geoIP location fields to your visualizations, allowing for the display of detailed geoIP source and geoIP destination information in your dashboards. The geoIP fields you can visualize include city, country, latitude, longitude, and ISP.

    When creating a new visualization for a dashboard, the geoIP location fields are available for selection in the lists of measures and dimensions, as shown below.

    You can also leverage these fields from the Search application by clicking on a geoIP location field and using the Visualize Field option.

    GeoIP data is crucial for threat hunters as it helps identify the geographic source of attacks, correlate them with known threat actors, and detect suspicious behavior based on location. It aids in incident response through geographical blocking, enhances threat intelligence with contextual information, and supports compliance with regulatory requirements. Additionally, it assists in attack attribution, anomaly detection, and policy enforcement, making it an invaluable tool for improving defenses and effectively mitigating cyberthreats.

    For more information about creating visualizations, see Create a Visualization in the Dashboards Guide.

    Correlation rule definitions within Threat Center

    In a highly requested Threat Center enhancement, analysts can now view correlation rule definitions directly from the Threat Timeline while investigating alerts and cases. Previously, there was no capability for analysts to interact with correlation rule triggers within Threat Timelines, leaving them without insights into how a rule worked or why it was triggered. This improvement allows analysts to better understand threats and expedite their investigations, eliminating the need to leave Threat Center to reference rule definitions. This streamlined access enhances threat hunting efficiency and ensures that analysts can conduct thorough investigations without interrupting their workflows.

    SSL interception

    SSL interception, also known as HTTPS interception, allows Exabeam customers to decrypt, inspect, and re-encrypt SSL/TLS encrypted traffic between the on-premises Site Collector and the Exabeam Security Operations Platform. This process enables users to monitor and secure data that would otherwise be hidden from traditional security measures.

    Why is SSL interception valuable?

    1. Enhanced security: Detect and block hidden threats within encrypted traffic, providing an additional layer of defense against cyberattacks.
    2. Data loss prevention (DLP): Prevent unauthorized exfiltration of sensitive information, ensuring your critical data stays protected.
    3. Regulatory compliance: Meet industry standards and regulatory requirements by ensuring encrypted traffic is inspected and logged.
    4. Complete visibility: Gain full visibility across all log sources, enabling better monitoring and anomaly detection.
    5. Optimized performance: Identify and mitigate performance bottlenecks, ensuring efficient and secure data transmission.

    Enterprise specifications for Windows Event Log Collection

    A WELC (Windows Event Log Collection) agent is a software component that runs on Windows systems to collect and forward event log data to a centralized system, such as the Exabeam Security Operations Platform, for analysis and monitoring. Scalable support for Windows Event Log Collection (WELC) agents from an on-prem site ensures comprehensive, scalable security monitoring by collecting detailed logs from numerous endpoints at scale, enhancing threat detection and providing early warning of potential incidents.

    For June, Exabeam has increased enterprise-level WELC support from 100 agents up to 500 agents. This allows organizations to easily accommodate growth and increased data volumes without significant infrastructure changes. Supporting an increased number of WELC agents also aids regulatory compliance by providing complete audit trails and detailed reports, crucial for meeting security standards. Operational efficiency is improved with centralized management, simplifying administration and offering a unified view of security events. Scaling up to 500 WELC agents (17K events per second) not only enhances security posture but also optimizes resource utilization, reducing operational costs and overhead.

    For a detailed list and descriptions of the features introduced in the Exabeam June release, please refer to the Exabeam Security Operations Platform Release Notes.

    Stay up to date with Exabeam Community

    Dig into the new release in the Exabeam Community. Engage in live ExaExpert Q&A sessions every other week, or join technical discussions at your convenience. Your curiosity and questions are always welcome.

    Jeannie Warner

    Director, Product Marketing | Exabeam | Jeannie Warner, CISSP, is the Director of Product Marketing at Exabeam. Jeannie is an information security professional with over twenty years in infrastructure operations/security, starting her career in the trenches working in various Unix help desk and network operations centers. She started in Security Operations for IBM MSS and quickly rose through the ranks to technical product and security program manager for a variety of software companies such as Symantec, Fortinet, and Synopsys (formerly WhiteHat) Security. She served as the Global SOC Manager for Dimension Data, building out their multi-SOC “follow the sun” approach to security. Jeannie was trained in computer forensics and practices, and plays a lot of ice hockey.