What’s New in Exabeam Product Development – May 2022

Here we are, poised on the edge of May moving into June, and it’s time to catch up on all the activity and innovation from the Exabeam Engineering, UI, and Product Management teams over the last few months. Our team has been innovating and launching new products, releasing upgrades to improve the user experience. Here’s a short summary of six cool new updates:

Alert triage — dynamic alert prioritization

Last year, Exabeam rolled out Exabeam Alert Triage to help categorize, aggregate, and enrich third-party and data lake security alerts. This year, we further refined our customer triage capability with Dynamic Alert Prioritization to allow analysts to more confidently and efficiently dismiss or escalate third-party vendor events from a single screen. 

Security vendors apply their own categories (usually something like low to critical) to their alerts, indicating the gravity of the detected vulnerability. Exabeam applies behavioral analytics and context to these alerts to better understand the rarity and threat potential of each, while automating their prioritization and classification. With this feature, Exabeam now categorizes alerts across your log repository, SIEM, or data lake as high priority, low priority, or observational, to make the triage experience faster and more precise. Analysts can filter their view to display alerts by priority.

Classifying repetitive alerts as observational reduces the volume of alerts that need to be reviewed, filtering out informational events from actionable signals. Classifying alerts as high priority identifies which alerts are most critical to your organization and need to be reviewed first, providing a starting point for the triage process. The Exabeam analytics engine does the manual and repetitive work, so analysts can focus on alerts with high severity, while ignoring alerts with little security significance.

Universal role-based access

Also available for Exabeam Fusion SIEM and Exabeam Fusion XDR customers is simplified access to all Exabeam applications.

From the Exabeam SOC Platform homepage, Exabeam Fusion customers can quickly access all of their Exabeam applications. A single access point for all Exabeam applications enables analysts to easily navigate between Exabeam products, simplifying their TDIR workflows.

Once again, Exabeam is refining the security operations workflow, this time with a simple and unified login experience. 

With universal role-based access, all Exabeam functions can be reached from a single navigation page. This improved navigation between products helps simplify Threat Detection, Investigation, and Response (TDIR) workflows. 

In addition to the analyst workflow enhancements, administrators now can add users, assign roles, manage their IdPs, and handle user permissions across all Exabeam capabilities. Standardizing permissions and entitlements from a single identity store helps prevent credential misuse from a departed employee whose credentials have not been revoked, or a malicious insider accessing information that should be restricted.

Improved monitoring for cloud connectors

In the past, Cloud Connector monitoring was limited to alerts on a system level — but an individual connector issue could go undetected. Troubleshooting and mitigating connector errors required in-depth knowledge, sometimes even calls to Exabeam Support.

With this update, Exabeam has enhanced our Cloud Connectors’ monitoring, tracking individual connector health aspects including:

• Sizing issues
• Data lag
• Unexpected volume drop
• Data sync stopped
• Downstream ingestion issue (Advanced Analytics or Data Lake)

New metrics are monitored on a system (environment) level, including constrained CPU and syslog failures to forward events. Alerts are triggered after a grace period (2-8 hours depending on the alert), in order to reduce false positives due to normal activity level differences and Cloud Connectors’ ability to self-heal in many scenarios. The alerts are surfaced via the status page, which is accessible within the customer Community > My Account section.

Threat Intelligence Service enhancement

This year, we have further enhanced our Threat Intelligence capabilities to include four important Threat Intelligence feeds from ZeroFox. Categories of the indicator of compromise (IoC) threat feeds available via the Threat Intelligence Service include: 

1. IP addresses associated with ransomware or malware attacks
2. Domain names associated with sites that often contain malware, drive-by compromises, etc.
3. URLs associated with sites that often contain malware, drive-by compromises, and more
4. Domain names associated with phishing or ransomware

This enhancement aids Advanced Analytics to offer more accurate risk ratings with improved IoC information. Data Lake customers also will find improvements into their context tables. Read more about the Exabeam Threat Intelligence Service. 

Data Lake i40.4 is live

Highlights: 

• Scheduled reports can be exported as a CSV with all the search results, which supports up to 10,000 line entries. This improves visibility and export capabilities.
• The Data Lake application now offers a more convenient user interface for upgrading site collectors.
• Fixes: DL i40.3 GUI font issue was fixed. 
• Fixes: The context menu was not properly displaying for all fields — now it is.

Stay tuned and watch this space! We have an exciting set of June upgrades and improvements we’re looking forward to sharing with you!

Visit the Exabeam Community for webinars and announcements.