Exabeam Search Quick Reference Guide
Exabeam Search Quick Reference Guide
Exabeam Management Platform - Version SMP 2021.1 (DL I36)
Publication date March 12, 2021
Exabeam, 1051 E. Hillsdale Blvd. 4th Floor, Foster City, CA 944042, 1.844.392.2326
Have feedback on this guide? We'd love to hear from you! Email us at docs@exabeam.com
Disclaimer: Please ensure you are viewing the most up-to-date version of this guide by visiting the Exabeam Documentation Portal.
Copyright All content in this document, including text, graphics, logos, icons, images, and video clips, is the exclusive property of Exabeam or its content suppliers and is protected by U.S. and international copyright laws. The compilation (meaning the collection, arrangement, and assembly) of all content in this document is the exclusive property of Exabeam and is also protected by U.S. and international copyright laws. The content in this document may be used as a resource. Any other use, including the reproduction, modification, distribution, transmission, republication, display, or performance, of the content in this document is strictly prohibited. Copyright ©2021 Exabeam, Inc. All Rights Reserved. Trademarks Exabeam, the Exabeam logo, Threat Hunter, Smarter SIEM, Smart Timelines and Security Management Platform are service marks, trademarks or registered marks of Exabeam, Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. The marks and logos displayed in this document may not be used without the prior written consent of Exabeam or their respective owners. Patents Exabeam owns, and reserves all rights for, patents for Exabeam products and services, which may be protected under registered patents as well as patents pending. Other Policies For information regarding Exabeam’s treatment of personally identifiable information, please review Exabeam’s current privacy policy at www.exabeam.com/privacy.
Table of Contents
1. Exabeam Data Lake Search Quick Reference Overview
2. How To Run Query Searches In Exabeam Data Lake
  2.1. Syntax
  2.2. Time Parameters
  2.3. Field Explorer
    2.3.1. Searches Using Exabeam Exa_category
    2.3.2. Searches Using Exabeam Fields
3. Results Views In Exabeam Data Lake
  3.1. Timeline View
  3.2. Enhanced View
  3.3. Table View
  3.4. Raw View
4. Time Picker In Exabeam Data Lake
Exabeam Search Quick Reference Guide - Version SMP 2021.1 (DL I36) Published Mar 12, 2021
1. Exabeam Data Lake Search Quick Reference Overview
Search in Data Lake offers visual and contextual options for filtering, extracting, and honing your data analysis. A Timeline, out-of-the-box filters, and detailed queries are available.
2. How to Run Query Searches in Exabeam Data Lake
Data Lake searches can be customized to find variations and combinations in the captured data to suit your needs and circumstances. The Search UI offers an input box in which you apply your own criteria. Complex or heavily used queries can be saved to the local library for re-use.

NOTE
Additional methods to consider when handling large data volumes:
• Filtered Searches: narrow the amount of data to search by applying filters built from context tables, which optimizes your queries.
• Cross-cluster Searches: in a multi-cluster deployment, you can search all log-ingesting clusters simultaneously.

2.1. Syntax
The following table shows the accepted syntax for querying in Data Lake. Data Lake query semantics apply a limited subset of Lucene.

NOTE
AND, TO, NOT, and OR are case-sensitive operators (upper-case only). A lower-case "and" or "or" is not an operator and is treated as an ordinary search term.

Type: Terms
  Description: Alpha-numeric text to search for.
  Example: "error"
    Looks for records containing the string error.

Type: Fields
  Description: Data type or category name (the key within a [key, value] pair of structured data). Search any field by its field name, followed by a colon ":" and the string to search for.
  Example: status:"error"
    Looks for records with the string error in the field status.

Type: Operators (join two or more criteria)
  AND (or +): both terms must exist.
    Example: user:"joe" AND host:"201.45.34.24"
    Looks for records with both joe and 201.45.34.24 in their respective fields.
  OR: either term may exist.
    Example: user:"joe" OR user:"jane"
    Looks for records with either joe or jane in the field user.
  NOT (or -): the term must not exist.
    Example: user:"joe" NOT country:"US"
    Looks for records with joe but without US in their respective fields.
    NOTE The NOT operator cannot be used with just one term; it must have a core search to apply the NOT condition against. The example above could not run as just NOT country:"US".
  TO, >, <, >=: a range of values with lower and/or upper limits, expressed as numeric or date values. An asterisk leaves that end of the range open.
    field_name:[low TO high]   Examples: num_hits:[10 TO 50], logon_date:[2018-10-31 TO 2018-12-31]
    field_name:>low            Example: num_hits:>50
    field_name:[* TO high]     Example: date:[* TO 2012-01-01]

Type: Tokenized Fields
  Description: System field names invoke parsing when standardized delimiters are encountered. A tokenized field such as user is split on the delimiters @, ., and - for full-text search; for example, user-engineering@domain.com is indexed as the separate tokens user, engineering, domain, and com. The .keyword form of the same field is non-tokenized and holds the whole value.
  Example: searching for "user@domain.com"
    user.keyword:*string  (where *string contains @, ., or -)  Yields results, because user.keyword is non-tokenized.
    user:*string          (where *string contains @, ., or -)  No results, because user is tokenized for full-text search and no single token contains the delimiter.

Type: _exists_ and !_exists_
  Description: Determine whether a field exists (has a value) or not.
  Examples:
    _exists_:user    Yields logs where the user field is populated.
    !_exists_:user   Yields logs where the user field is empty.

Type: .keyword:"-"
  Description: Search string qualifier for when a keyword-type field cannot be parsed. Use the .keyword form even though the field also exists as a text type; searching the text type (host:"-") returns no results.
  Example: host.keyword:"-"
    Returns data whose host field is non-parsable.

NOTE
The default operator between search terms is OR unless you explicitly form your query so that it does not apply (for example by writing AND between the terms).

2.2. Time Parameters
Correctly searching and synchronizing time between log messages is critical to forming a timeline of the events you are analyzing. Time information is stored in log messages in several ways; it is important to distinguish between them and use them accordingly.

Parameter: @timestamp
  A search value. The default time field; it reflects the time the log message was received at the Data Lake ingestion layer. Because it is the default, a time-range search selects by arrival time: a log that arrives late falls outside the window even when its event time is inside it.
Parameter: indexTime
  A search value. The time the Data Lake parser/enricher processed the log message for indexing.
Parameter: exa_adjustedEventTime
  A message log field. The time value derived from the event itself, with adjustments such as time zone applied when the time zone is present in the log message and parsed out.
Parameter: exa_rawEventTime
  A message log field. The non-adjusted time value derived from the log message itself.
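The rules in the syntax table above are easiest to see in action. The following is an added example, not Exabeam code and not a reimplementation of the Data Lake engine: a small evaluator for the Lucene subset the table describes, run over constructed sample events (field names follow this guide, values are made up). It models case-sensitive operators, OR as the default operator, NOT needing a core search, the - shorthand, ranges with TO and >, tokenized fields against their .keyword form, _exists_ / !_exists_, and the exa_category:"..." AND field:"..." form used in 2.3.1 below. Operators are applied left to right, which is a simplification of Lucene's precedence rules.

```python
"""Added example (not Exabeam code): evaluator for the Data Lake query subset of section 2.1."""
import operator
import re
from fnmatch import fnmatchcase

# Constructed sample events. Field names follow the guide; the values are made up.
EVENTS = [
    {"id": 1, "user": "user-engineering@domain.com", "host": "201.45.34.24", "status": "error",
     "num_hits": 75, "country": "US", "exa_category": "Failed Logons and Lockouts"},
    {"id": 2, "user": "joe", "host": "201.45.34.24", "status": "ok",
     "num_hits": 12, "country": "DE", "exa_category": "Windows Authentication"},
    {"id": 3, "user": "jane", "status": "error",                      # no host field at all
     "num_hits": 40, "country": "FR", "exa_category": "Failed Logons and Lockouts"},
    {"id": 4, "user": "joe", "host": "-", "status": "error",          # unparsable host
     "num_hits": 3, "country": "US", "exa_category": "Failed Logons and Lockouts"},
]

DELIMS = re.compile(r"[@.\-\s]+")                   # a tokenized field splits on @ . - and blanks
TOKEN_RE = re.compile(r'(?:[-!]?[\w.]+:)?(?:\[[^\]]*\]|"[^"]*"|\S+)')   # field:[range] | field:"x" | word
OPS = {"AND", "OR", "NOT"}                          # upper-case only; "and" / "or" are plain terms
CMP = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def tokens(value):
    """user-engineering@domain.com -> ['user', 'engineering', 'domain', 'com']"""
    return [t.lower() for t in DELIMS.split(str(value)) if t]


def lex(query):
    """Turn a query into a list of operators and (field, value) clauses."""
    raw, out, i = TOKEN_RE.findall(query), [], 0
    while i < len(raw):
        tok = raw[i]
        if tok in OPS:
            out.append(tok)
        else:
            if tok.startswith("-") and len(tok) > 1:   # "-field:x" is shorthand for NOT field:x
                out.append("NOT")
                tok = tok[1:]
            field, value = None, tok
            if ":" in tok and tok[0] not in '"[':
                field, value = tok.split(":", 1)
                if value == "":                         # written as "field: value" with a space
                    i += 1
                    value = raw[i]
            out.append((field, value.strip('"')))
        i += 1
    return out


def _pair(a, b):
    """Compare numerically when both sides parse as numbers, else as strings (ISO dates sort lexically)."""
    try:
        return float(a), float(b)
    except (TypeError, ValueError):
        return str(a), str(b)


def clause_matches(event, field, value):
    if field is None:                                   # bare term: any field, tokenized
        return any(value.lower() in tokens(v) for v in event.values())
    if field in ("_exists_", "!_exists_"):
        present = event.get(value) not in (None, "")
        return present if field == "_exists_" else not present
    if field.endswith(".keyword"):                      # whole value, case-sensitive, wildcards allowed
        base = field[: -len(".keyword")]
        return base in event and fnmatchcase(str(event[base]), value)
    if field not in event:
        return False
    actual = event[field]
    rng = re.fullmatch(r"\[(\S+) TO (\S+)\]", value)    # field:[low TO high], * leaves an end open
    if rng:
        lo, hi = rng.groups()
        return ((lo == "*" or CMP[">="](*_pair(actual, lo)))
                and (hi == "*" or CMP["<="](*_pair(actual, hi))))
    cmp = re.fullmatch(r"([<>]=?)(.+)", value)          # field:>50
    if cmp:
        return CMP[cmp.group(1)](*_pair(actual, cmp.group(2)))
    toks = tokens(actual)                               # tokenized text field
    if "*" in value or "?" in value:
        # a wildcard is matched against single tokens, which never contain @ . or -
        return any(fnmatchcase(t, value.lower()) for t in toks)
    want = tokens(value)                                # a value with no tokens ("-") cannot match
    return bool(want) and all(t in toks for t in want)


def evaluate(query, event):
    """Left-to-right evaluation with OR as the default operator."""
    items = lex(query)
    if not items or items[0] == "NOT":
        raise ValueError("NOT needs a core search to apply against: " + query)
    result, op = None, "OR"
    for item in items:
        if item in OPS:
            op = item
            continue
        hit = clause_matches(event, *item)
        if result is None:
            result = hit
        elif op == "AND":
            result = result and hit
        elif op == "NOT":
            result = result and not hit
        else:
            result = result or hit
        op = "OR"                                       # back to the default operator
    return bool(result)


def search(query, events=EVENTS):
    """Ids of the constructed events that the query matches."""
    return [e["id"] for e in events if evaluate(query, e)]


def rejects(query):
    """True when the query is refused for lacking a core search (NOT on its own)."""
    try:
        evaluate(query, EVENTS[0])
    except ValueError:
        return True
    return False
```

Two results are worth running yourself: user:*@domain.com returns nothing while user.keyword:*@domain.com returns event 1, and user:"joe" and status:"error" (lower-case and) matches every event, because the lower-case word became a third term joined by the default OR.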
NOTE
If the log message does not have a time field, exa_rawEventTime defaults to approximately indexTime.

2.3. Field Explorer
In addition to manually created search strings, you can filter data using the out-of-the-box filters available in the Search UI.
The Field Explorer is the quick-pick tool for viewing captured data in known categories (both out-of-the-box and custom filters). Click the hyperlink for a given sub-category and a menu of known values is listed to filter further. View field visualization can be selected to organize the data from the shown list visually.

2.3.1. Searches Using Exabeam Exa_category
Out-of-the-box filters are available in the Search UI. Once data has been gathered using preliminary parameters (e.g. a time range), a categorized Field Explorer appears below the Timeline. Information is separated by areas of focus such as Account Management, Failed Logon and Lockout, Windows Authentication, and Default. Select links under each area to further filter data by sub-selection or field query. Event counts are listed in each linked category. Each activated filter is reflected in query syntax in the Search input field.

These categories are part of the "exa_category" set, and there are subcategories to narrow searches with. The queries take the form (placeholders in angle brackets):
exa_category:"<category>" AND <field>:"<value>"

Categories (values of exa_category), with their description and the fields available for the second clause:

Account Management
  Events relating to creation, deletion, and modification of an entity's computer accounts.
  Fields: account_name, dest_host, domain, event_code, host, target_user, user
Account Switch
  Events indicating that user A is operating as user B (e.g. runas, sudo).
  Fields: account, dest_host, event_code, host, user
Active Directory
  Events related to Microsoft Active Directory.
  Fields: user, object, activity_type, attribute, object_class, event_name, event_code, dest_host, domain, host
Application
  Events relating to applications (e.g. pull/sync from a code repository).
  Fields: activity, app, host, src_ip, user
Audit Change
  Changes to the audit policy of a computer.
  Fields: event_code, event_name, host, policy, subcategory, user
Authentication
  Events related to connection credentials.
  Fields: user, event_code, auth_method, failure_reason, src_ip, dest_ip, dest_host, domain, host
Badge
  Physical access log events.
  Fields: badge_id, location_building, location_door, outcome, user
Configuration Change
  Events indicating that a system setting has changed.
  Fields: event_code, event_name, host, log_type, src_type, user
DHCP
  Events from a DHCP service.
  Fields: user, dest_ip, dest_host, host
DLP
  Events from a data leak protection system.
  Fields: alert_name, external_domain, host, protocol, src_ip, user
DNS
  Events from a DNS system.
  Fields: dest_ip, dest_port, query_id, query_type, src_ip, src_port
Database
  Change events for database endpoints.
  Fields: database_name, db_operation, dest_host, dest_ip, src_host, src_ip, user
Endpoint
  Actions of interest at endpoints.
  Fields: command_line, dest_host, host, process_name, user
Failed Logons and Lockouts
  Login failure events.
  Fields: dest_host, dest_ip, domain, event_code, host, user
File
  File access events.
  Fields: accesses, dest_host, file_name, host, user
Logout
  Logout events.
  Fields: user, event_code, logon_type, dest_host, host, domain
Network
  Network traffic events.
  Fields: bytes_in, bytes_out, dest_ip, dest_port, host, protocol, rule, src_ip, src_port
Network Alert
  Network access events.
  Fields: dest_ip, dest_port, host, protocol, src_ip, src_port
Print Activity
  Printing/printer action events.
  Fields: event_code, host, outcome, printer_name, user
Privileged Access
  Action events connected to highly restricted assets.
  Fields: dest_host, event_code, host, privileges, process_name, user
Security Alerts
  Actions for known malicious payloads.
  Fields: alert_name, alert_type, host, malware_url, src_host, src_ip, user
System Event
  System-level events.
  Fields: event_name, log_source, host, dest_host
VPN
  VPN login events.
  Fields: failure_reason, host, src_ip, src_translated_ip, user
Web
  Web-based access events of interest.
  Fields: user, protocol, action, category, web domain, bytes out, bytes in, src_ip, dest_ip, method, result code, host
Windows Authentication
  Microsoft Windows login-based events.
  Fields: dest_host, dest_ip, event_code, host, logon_type, src_ip, user

2.3.2. Searches Using Exabeam Fields
Exabeam parses and categorizes different values for fast searching, using the query format (placeholders in angle brackets):
<field>:"<value>"
Field: exa_activity_type
  Description: Actions that are considered behaviors of concern in general practice.
  Values: authentication, account-management, account-management/user, object-access, alert, account-management/user/enable, authentication/remote-logon, audit-log-change, authentication/remote-access, password-management, object-access/read, cve-notice, netflow, object-access/write, account-management/user/create, account-management/user/disable, web-access, password-management/change, network-traffic, process-creation, audit-log-change/delete, authentication/logout, account-management/user/delete, alert/dlp, authentication/service-logon, print, password-management/reset, config-change, alert/file, object-access/delete, authentication/batch-logon, authentication/local-logon, email, email/inbound
Field: exa_addRiskToAsset
  Description: Incremental risk score changes marking milestone triggers.
  Values: true, false
Field: exa_adjustedEventTime
  Description: Time offset for the event of interest. It is the time value derived from the event itself, with adjustments such as time zone applied when present in the log message and parsed out.
  Value: milliseconds
Field: exa_category
  Description: Exabeam core categories of interest in threat detection.
  Value: see section 2.3.1, "Searches Using Exabeam Exa_category"
Field: exa_device_type
  Description: Device category.
  Values: operating-system, operating-system/file-system
Field: exa_outcome
  Description: Milestone marker for event result triggers.
  Values: success, failed
Field: exa_parser_name
  Description: Filter by parser name.
  Value: parser name
Field: exa_rawEventTime
  Description: Event time window of interest (UTC). It is the non-adjusted time value derived from the log message itself. If the message does not have a time field, it defaults to approximately indexTime.
  Value: @timestamp
Field: exa_rule_category*
  Description: Filter by defined rule category.
  Value: category name (see section 2.3.1)
Field: exa_rule_config_cardinality_field*
  Value: @timestamp
Field: exa_rule_config_is_enabled*
  Description: Events when the rule is enforced or disabled.
  Values: true, false
Field: exa_rule_config_max_cardinality*
  Value: max value
Field: exa_rule_config_num_events*
  Description: Threshold count for events of interest.
  Value: count value
Field: exa_rule_config_query_key*
  Value: user.keyword
Field: exa_rule_config_realert*
  Description: Threshold for re-alerting on recurring events.
  Value: minutes:[integer]
Field: exa_rule_config_terms_size*
  Value: minutes:[integer]
Field: exa_rule_config_timeframe*
  Description: Time range for events of interest.
  Value: minutes:[integer]
Field: exa_rule_config_top_count_key*
  Value: @timestamp,user.keyword
Field: exa_rule_description*
  Value: cardinality description
Field: exa_rule_id*
  Description: Filter for events that trigger a specified rule, identified by rule ID.
  Value: ID value
Field: exa_rule_name*
  Description: Filter for events that trigger a specified rule, identified by rule name.
  Value: rule name
Field: exa_rule_search_query*
  Description: The rule's query; see the query syntax in section 2.1.
Field: exa_rule_severity*
  Description: Threshold trigger based on severity level.
  Values: HighAlertSeverity, MediumAlertSeverity, LowAlertSeverity
Field: exa_rule_type*
  Values: CardinalityRuleType, FrequencyRuleType, Aggregation
Field: exa_security_alerts
  Values (sub-fields): alert_type, alert_name, alert_severity, alert_id, src_ip, dest_ip, src_host, dest_host, host, user, malware_url, additional_info (a field for event-specific information that cannot be mapped directly to any other field, applying primarily to alert events)

* "exa_rule_" fields are parsed out of correlation rules triggered by Data Lake.
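The four time values (@timestamp, indexTime, exa_rawEventTime, exa_adjustedEventTime) described in section 2.2 and in the table above are easy to confuse when building a timeline. The following is an added example, not Exabeam code and not how the Data Lake enricher is implemented: a simulated enrichment step that derives the four values for three constructed log lines, then shows why a window on the default @timestamp misses late-arriving events that a window on exa_adjustedEventTime catches, and how a message with no time at all falls back to indexTime. Assumptions: zone-less timestamps are taken to be in a site zone of UTC-8 (SITE_TZ), exa_rawEventTime is represented as the written clock value read as if it were UTC, and the sample lines and arrival times are made up.

```python
"""Added example (not Exabeam code): deriving the section 2.2 time fields for constructed messages."""
import re
from datetime import datetime, timedelta, timezone

# Assumption for the example: messages without a zone are written in a UTC-8 site zone.
SITE_TZ = timezone(timedelta(hours=-8))
# Timestamp at the start of a line, with an optional zone (Z or +HH:MM / -HH:MM).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:\d{2})?")


def to_ms(dt):
    """Epoch milliseconds, the unit the guide gives for exa_adjustedEventTime."""
    return int(dt.timestamp() * 1000)


def enrich(line, received_at, indexed_at):
    """Attach the four time fields to one raw message; received_at / indexed_at are aware datetimes."""
    event = {
        "message": line,
        "@timestamp": to_ms(received_at),   # arrival at the ingestion layer (the search default)
        "indexTime": to_ms(indexed_at),     # when the parser/enricher processed the message
    }
    m = TS_RE.match(line)
    if not m:
        # No time field in the message: the event times default to ~indexTime.
        event["exa_rawEventTime"] = event["indexTime"]
        event["exa_adjustedEventTime"] = event["indexTime"]
        return event
    wall_clock = datetime.fromisoformat(m.group(1).replace(" ", "T"))
    zone = m.group(2)
    if zone is None:
        tz = SITE_TZ                        # assumed zone for zone-less logs (example assumption)
    elif zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    # raw: the clock value exactly as written, with no zone adjustment (read as UTC here)
    event["exa_rawEventTime"] = to_ms(wall_clock.replace(tzinfo=timezone.utc))
    # adjusted: the same instant after applying the parsed (or assumed) zone
    event["exa_adjustedEventTime"] = to_ms(wall_clock.replace(tzinfo=tz))
    return event


def in_window(event, field, start, end):
    """True when event[field] falls in [start, end), the way a time-range search selects."""
    return to_ms(start) <= event[field] < to_ms(end)


def late_arrivals(events, start, end):
    """Indexes of events inside the event-time window but outside the @timestamp window."""
    return [i for i, e in enumerate(events)
            if in_window(e, "exa_adjustedEventTime", start, end)
            and not in_window(e, "@timestamp", start, end)]


# Constructed pipeline run: every message arrives at 18:00:00 UTC and is indexed five seconds later.
RECEIVED = datetime(2021, 3, 1, 18, 0, 0, tzinfo=timezone.utc)
INDEXED = RECEIVED + timedelta(seconds=5)
LINES = [
    "2021-03-01T08:15:00-08:00 sshd[4242]: Failed password for joe from 203.0.113.9",  # zoned, late
    "2021-03-01 08:30:00 sshd[4242]: Accepted password for jane from 203.0.113.9",     # no zone, late
    "kernel: usb 1-1: new high-speed USB device number 4",                             # no time at all
]
EVENTS = [enrich(line, RECEIVED, INDEXED) for line in LINES]
# Analyst window: 16:00 to 17:00 UTC on the day of the events.
WINDOW = (datetime(2021, 3, 1, 16, 0, tzinfo=timezone.utc),
          datetime(2021, 3, 1, 17, 0, tzinfo=timezone.utc))


def demo():
    """Events the 16:00-17:00 UTC window finds by event time but not by arrival time."""
    return late_arrivals(EVENTS, *WINDOW)


if __name__ == "__main__":
    for e in EVENTS:
        print({k: v for k, v in e.items() if k != "message"})
    print("late arrivals:", demo())
```

Both SSH lines describe 16:15 and 16:30 UTC events, so a search for that hour on exa_adjustedEventTime returns them, while the same hour on @timestamp returns nothing because they only reached the ingestion layer at 18:00. The kernel line has no timestamp, so its exa_rawEventTime and exa_adjustedEventTime are simply its indexTime.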
3. Results Views in Exabeam Data Lake
Data is presented in panels below the banner menu. There are four ways to view the data. Results can be shared or exported (PDF or CSV format) by selecting the icons at the upper right of the primary pane.

NOTE
Data Lake can export up to 1 million results of a local search query. The results are batched in files of 10,000 log events per file and zipped together. For cross-cluster searches, up to 10,000 query results can be exported.

3.1. Timeline View
The Timeline graphically displays the volume of activity for a given timeframe. You can collapse and expand the Timeline by selecting the Collapse/Expand icon. You can refresh the Timeline at a set pace by selecting an update interval in Time View.

3.2. Enhanced View
In Enhanced view, the raw log and the data from matching fields are displayed. Click Show more or View All to expand the view, and Show less or Collapse to contract it.

3.3. Table View
The Table view lets you build your own tables from fields of your choosing. On first viewing, with no table established, select from the available fields listed in the left pane. Once selections are made, click Create Table to generate the table view.

3.4. Raw View
The Raw view displays the raw log text of each result.
4. Time Picker in Exabeam Data Lake
Ingested data is presented as a date and time histogram at the top of the Search page, showing the count of log entries. Select the time range to which the data should be restricted. To set a Time Filter from the histogram, do one of the following:
1. Click the bar that represents the time interval you want to zoom in on.
2. Click and drag along the Timeline to view a specific timespan. You must start the selection with the cursor over the background of the chart; the cursor changes to a plus sign when you hover over a valid start point.