Showing the Value of Exabeam - Exabeam

Showing the Value of Exabeam

December 09, 2022


Reading time
4 mins

An important job of the security engineer is to understand the following:

  • Where is the data being sent to Exabeam coming from?
  • How much volume and how many events are coming from each data source?
  • Which vendors and products comprise that total ingested data?
  • Is the customer getting value from that data?

“What?” is a more important question than “How much?”

It is a common pitfall for security directors or architects to want to log and send their security information and event management (SIEM) solution as much data as possible until the licensed capacity is reached. This can give a false sense of security and “coverage”, but what is being logged and analyzed is far more important than how much. It can be challenging to answer the “what” question — particularly if you are trying to add a new data source and are at or beyond your current license storage limits.

As part of the new Exabeam Security Operations Platform, we are introducing simple, self-service dashboards to answer the “what” question. The dashboards start with high-level overviews of license capacity and actual consumption, and allow for quick filtering to understand specific use cases. This allows you to quickly answer questions like:

  • What is my top data source?
  • Why is this vendor contributing so many gigabytes and which products make up that volume?
  • Do I have enough capacity to add more data sources?
Showing the Value of Exabeam
Figure 1. Sankey diagram with an example of filtering by vendor

Understand the value of the data

The next step is to understand the value of what is being sent. This means verifying those logs are being ingested and parsed successfully, and understanding how they map directly to business risk and use case coverage. When SIEMs were introduced years ago, most of what they analyzed were firewall logs and Intrusion Detection System (IDS) logs, along with the occasional host-based IDS log. Today, many organizations focus myopically on only endpoint solutions, and ignore Active Directory (AD) or VPN traffic entirely. The truth is that, for most use cases, you need to see a variety of logs from many different security systems — but not every field of every log contributes equally to seeing the complete attack picture.

Exabeam Outcomes Navigator is a new feature that first provides a high-level view of how the data you are sending to Exabeam enables coverage for use cases and maps to the MITRE ATT&CK framework. The use cases are organized into three main categories: Compromised Insiders, Malicious insiders, and External Threats.

Showing the Value of Exabeam
Figure 2. Outcomes Navigator example showing the Ransomware category 

For each use case, you can get a detailed view that shows:

  • Which other use cases are in the same category
  • What is your current log coverage for each category (None, Good, Better, Best)
  • Which data sources support each use case, and which data sources you are currently bringing in and parsing
  • How well those data sources are being parsed in support of that use case

Outcomes Navigator will provide recommendations for improving your coverage of each use case, including:

  • Which additional data sources would add to your visibility and coverage
  • Which data sources would benefit from improved field parsing
  • Verifying that your data sources are not being inadvertently excluded by filtering


Traditional SIEM and XDR solutions require complicated searching and reports to answer these basic questions. Exabeam has a new approach to greatly simplify this process: New-Scale SIEMTM.

This new approach allows you to quickly understand where your data is coming from, how much room you have for growth, and how much value you’re getting from that data — all with 100% self-service tools provided by Exabeam.

Using both the Service and Consumption Dashboard and Outcomes Navigator, security leaders are able to show they are getting value immediately from Exabeam. They can quickly answer both questions:

  1. Am I sending enough data?
  2. Am I sending the right data?

All of this is completely self-service, allowing our customers to independently and confidently prove the value of the Exabeam platform and their configurations.

Similar Posts

Exabeam Survey: Prevention Prioritized Over Detection While Breaches Rise

Fourth-gen SIEM is New-Scale SIEM: Cloud-native SIEM at Hyperscale

Introducing Exabeam SIEM: A Hyperscale Cloud-native SIEM

Recent Posts

Exabeam News Wrap-up – February 1, 2023

What’s New in Exabeam Product Development – January 2023

Exabeam Survey: Prevention Prioritized Over Detection While Breaches Rise

See a world-class SIEM solution in action

Most reported breaches involved lost or stolen credentials. How can you keep pace?

Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.

Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.

Get a demo today!