Improve threat detection, enhance ability to investigate, reduce incident response times and enhance cloud security

Security leaders are tasked with building world-class security programs capable of defending against both today’s threats and tomorrow’s attacks — all on a fixed budget.  

Elastic’s SIEM (Elastic Security) offers powerful data centralization capabilities. It is built on the Elastic Stack to visualize, search and filter security data. Elastic’s SIEM provides a platform to centralize all log data and annotate relevant events to help analysts to search and alert on threats. Elastic’s SIEM provides a library of visualizations and dashboards in Kibana, and the  SIEM app provides key metrics regarding host and network-related security events. 

The platform requires extensive customization and maintenance to be usable. Customers who deploy Elastic’s SIEM, must be prepared to do some groundwork in terms of identifying all the necessary log sources, ingesting them into the system, and setting up, tuning, and maintaining all of the required correlation rules. Also, analysts often require knowledge of what data to query and filter. And exhaustive analyst cycles are needed to perform triage and investigation directly in Elastic’s SIEM. 

Exabeam overcomes these challenges by adding intelligence to Elastic’s SIEM. With the addition of advanced analytics, security teams can make the most out of their Elastic SIEM investment. Exabeam accomplishes this by deploying alongside Elastic SIEM without needing to make architectural changes to their Elastic deployment. Exabeam ingests data from Elastic’s SIEM to provide organizations with:

  • Improved threat detection 
  • An enhanced ability to investigate
  • Visibility into activity in cloud applications, and
  • Faster incident response

Elastic SIEM and Exabeam
Figure 1: Benefits of adding intelligence to Elastic’s SIEM with Exabeam

Improve threat detection

Elastic SIEM’s threat detection relies on the use of correlation rules to help analysts identify any known indicators of compromise (IoCs). IoCs are artifacts observed on your network that indicate an intrusion — or predefined conditions which may be indicative of threats. Many SOC analysts use IoCs for alerting and guidance. However, they do suffer from a major limitation, they are only alerted on known threat indicators not unknown threats. 

Furthermore, identifying an IoC doesn’t allow an analyst to see the whole picture or to understand the intent of the attacker. For example, if an IoC pertains to a potentially rogue IP, security analysts need to know: 

  • Who is behind the IP? 
  • Is the IP still malicious?
  • Does it represent a threat targeting my organization? 
  • Are there other attack vectors at play? 
  • And various other questions…

Acquiring context around the potentially malicious  artifact is crucial for effective security management. In Elastic SIEM, it’s also a lot of work. To address this, analysts  try to enrich IoCs with available tools like HRM or Directory systems to achieve reliable correlation. But, this also requires ample manual effort, often with inconclusive results. 

In contrast, Exabeam Advanced Analytics provides advanced threat detection with user and entity behavior analytics (UEBA). Exabeam enhances your Elastic deployment by prioritizing alerts and by enriching data so that your analysts can be more efficient in protecting your network. 

Exabeam enhances security logs including Windows servers, VPNs, firewalls, endpoint devices, DNS servers and more. Logs tell you what users and entities are doing. The additional context informs you who the users and entities are — it gives them their identity. Exabeam’s patented technology is able to map the IP-to-host-to-user. For example, if you know the source IP address of a user’s workstation from the logs, and the user then VPNs from a different location, you will be able to map the IP address of the user to the hostname on record. Exabeam is also able to identify user peer groups, service accounts, and all IDs and emails related to a user.  

One of the key pieces that help in detecting threats is behavior models. Behavior models detect any deviation from normal behavior. Risk scores  are then assigned to events depending on the severity of the risk, deviation and other factors. Here is one example (see Figure 2) that models the behavior of all the assets the user can access remotely. This model detected anomalous access to an asset, atl-addc-002. 

Drive-by Compromise Technique
Figure 2: A behavior model showing all assets accessed by the user remotely.
Exabeam puts all behavior and other user events in chronological order in Exabeam Smart Timelines to make it easy to see the full attack chain. Smart Timelines (see Figure 3) contain both normal and abnormal behavior to allow analysts to follow attacks that move laterally. These timelines are automatically presented in order of highest risk to help focus analyst cycles where they matter most.

Smart Timelines are also a big time saver. A study by the Exabeam research team found that each machine-built Smart Timeline can replace as many as 700 manual queries which would otherwise be required to obtain similar visibility. 

Drive-by Compromise Technique
Figure 3: A sample Smart Timeline showing all normal and anomalous events along with the context collected for the user and assets.

Enhance your ability to investigate

Elastic’s SIEM offers KQL (Kibana Query Language) to retrieve data. The queries help to get relevant events as long as analysts know what to query. Success depends on analysts’ skill level to query and hunt for any suspicious indicator or behavior. They must also stitch together all relevant events to investigate if there is a threat to an organization. This takes a lot of effort. Exabeam automates a lot of that manual work.

Smart Timelines eliminate the need for analysts to build their own incident timelines, and reduce their need to “query and pivot” between IT and security applications to collect event details. Because the timelines are automatically created for all users and devices, analysts can review the activities of a user or device anytime, whether there is an identified incident or not. Since the dots have already been connected, threat hunting becomes very easy for analysts. 

Another important threat hunting tool is Exabeam Threat Hunter. Threat Hunter includes a simple point-and-click interface to let your analysts proactively search for incoming threats without performing any complex queries. Threat Hunter allows analysts to easily search for abnormal behaviors in their environment, which may be indicative of a threat. Unlike Elastic SIEM that returns event logs as results, Threat Hunter returns entire Smart Timelines to help analysts speed up their investigation efforts. Analysts are able to string together many conditions (see Figure 4) with drop-down menus that are pre-populated with reasons for risk, activity types, usernames, assets, and MITRE ATT&CK tactics and techniques to make it easy for analysts to hunt for relevant events. 

Drive-by Compromise Technique
Figure 4: Exabeam Threat Hunter – analysts can string together any conditions using drop-down menus to hunt for anomalous events.

Gain visibility into activity in cloud applications

Elastic’s SIEM provides cloud monitoring by sourcing logs from cloud applications and cloud infrastructure services like Google, Azure and AWS. But analysts still need to enable detection rules and enrich the data to effectively detect and investigate threats, as mentioned above. 

Exabeam extends security to the cloud via Exabeam Cloud Connectors to help organizations monitor activity in cloud services and cloud infrastructure. Cloud Connectors are pre-built connectors that enable security teams to easily collect logs from over 40 popular cloud services such as AWS, GitHub, Google, Microsoft Office 365, Salesforce and others. They allow enterprises to detect threats using behavior analytics in their cloud applications. They also extend any compliance-based security requirements to the cloud. 

All the events from cloud applications are automatically enriched with out-of-the-box behavior models and context, and are shown in timelines along with other activities. In addition, Cloud Connectors automatically adapt to any API changes, so you can rest assured that the connector is always operating as intended. 

Achieve faster response times

Elastic’s SIEM does not include security orchestration, automation and response (SOAR) capabilities. However, third-party SOAR solutions can be added directly via APIs.

In contrast to third-party integration for SOAR solutions — Exabeam Incident Responder is natively integrated with Exabeam Advanced Analytics to ensure analysts have full visibility of the attack. Seeing the whole picture is crucial for proper incident response because the ability to detect an attack is a prerequisite to its resolution; automated or otherwise. Tight integration between Exabeam’s behavior analytics and SOAR capabilities ensure that attacks aren’t overlooked. No matter how complex or sprawling their nature; and that automated response can be effective.

In conclusion

Each business environment is different. Contact us to see how you can add intelligence to your Elastic SIEM deployment with Exabeam. Visit to request a demo.

Further reading

Comparing DIY ELK vs Exabeam SIEM  

Rules vs Models 

Benefits of Detection and Investigation with Smart Timelines 

Technical Marketing

Pramod is the lead technical product marketer at Exabeam responsible for technical sales enablement. A seasoned, cross-functional product leader, Pramod has enterprise product experience across product design, technical marketing, go-to-market strategy, product launch and positioning.

Follow on Linkedin

More like this

If you’d like to see more content like this, subscribe to the Exabeam Blog