# Exabeam AA
The Exabeam AA connector integrates Swimlane Turbine with Exabeam's SIEM platform for automated data analysis and incident-response workflows. Exabeam Advanced Analytics (AA) is a user and entity behavior analytics (UEBA) platform that helps security teams detect, investigate, and respond to advanced threats. With this connector, Swimlane Turbine users can enrich security event data, manage context tables, and track ingestion progress. By combining Exabeam's analytics with Swimlane's automation, users can improve their security operations with efficient data management and real-time threat detection.

## Prerequisites

To use the Exabeam AA connector within Swimlane Turbine, ensure you have the following:

- OAuth 2.0 client credentials for secure authentication:
  - URL: endpoint URL for the Exabeam AA API
  - API key: unique identifier used to authenticate API requests
  - API key secret: confidential key used together with the API key for authentication

## Capabilities

This connector provides the following capabilities:

- Add context records to an existing table
- Add context records to an existing table from a CSV file
- Create a context table with metadata
- Get metadata for a single context table
- Get metadata for all existing context tables
- Get table records by ID
- Get the available attributes for a specific table type
- Search audit events
- Track ingestion progress

## Configurations

### OAuth 2.0 client credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Client ID | API key | string | required |
| Client Secret | API key secret | string | required |
| Verify SSL | Verify the SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

Leave Verify SSL enabled outside of lab environments: with certificate verification disabled, the client secret and every subsequent request are sent to whatever host answers for the configured URL.

## Actions

### Add context records to an existing table

Appends context records to a specified table in Exabeam AA, using the `id` path parameter and `operation` in the request body.

- Endpoint URL: `/context-management/v1/tables/{{id}}/addRecords`
- Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier of the table |
| data | array | optional | Records to append |
| operation | string | required | Operation to apply to the submitted records |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonEntries | number | Number of JSON entries in the request |
| totalDuplicates | number | Number of duplicate entries |
| totalIgnoredMissingKey | number | Number of entries ignored because the key attribute was missing |
| trackerId | string | Unique identifier of the ingestion job; pass it to Track ingestion progress |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "jsonEntries": 1000,
      "totalDuplicates": 100,
      "totalIgnoredMissingKey": 10,
      "trackerId": "fbbc124ada3c4ffa94c3c60457512dd3"
    }
  }
]
```

### Add context records to an existing table from CSV

Appends data to an existing Exabeam AA table from a CSV file whose header row is mapped to table attributes. Requires the `id` and `operation` parameters.

- Endpoint URL: `/context-management/v1/tables/{{id}}/addRecordsFromCsv`
- Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier of the table |
| sourceAttribute | string | optional | Source attribute used for the header-row mapping |
| operation | string | required | Operation to apply to the submitted records |
| attachments | array | required | File to be uploaded |
| attachments[].file_name | string | required | Name of the file |
| attachments[].file | string | required | File contents |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| csvEntries | number | Number of CSV entries in the request |
| totalDuplicates | number | Number of duplicate entries |
| totalIgnoredMissingKey | number | Number of entries ignored because the key attribute was missing |
| trackerId | string | Unique identifier of the ingestion job; pass it to Track ingestion progress |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "csvEntries": 1000,
      "totalDuplicates": 100,
      "totalIgnoredMissingKey": 10,
      "trackerId": "fbbc124ada3c4ffa94c3c60457512dd3"
    }
  }
]
```

### Create a context table with metadata

Creates a new custom context table in Exabeam AA with the specified schema attributes. Requires `name`, `contextType`, and `source`.

- Endpoint URL: `/context-management/v1/tables`
- Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| name | string | required | Name of the table |
| contextType | string | required | Type of the table |
| source | string | required | Source of the table |
| attributes | array | optional | Schema attributes of the table |
| attributes[].isKey | boolean | required | Whether the attribute is the table key |
| attributes[].id | string | required | Unique identifier of the attribute |
| attributes[].displayName | string | optional | Display name of the attribute |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| table | object | The created table |
| table.attributeMapping | array | Attribute mapping |
| table.attributeMapping[].sourceAttribute | string | Source attribute |
| table.attributeMapping[].targetAttributeId | string | Unique identifier of the target attribute |
| table.attributes | array | Table attributes |
| table.attributes[].displayName | string | Display name of the attribute |
| table.attributes[].id | string | Unique identifier of the attribute |
| table.attributes[].isKey | boolean | Whether the attribute is the table key |
| table.attributes[].type | string | Type of the attribute |
| table.contextType | string | Type of the table |
| table.id | string | Unique identifier of the table |
| table.lastUpdated | number | Last update time |
| table.name | string | Name of the table |
| table.source | string | Source of the table |
| table.status | string | Status value |
| table.totalItems | number | Total number of items |
| url | string | URL of the created table |

Example:

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "table": {},
      "url": "https://example.com/context-management/v1/tables/eic5oloacm"
    }
  }
]
```

### Get metadata for a single context table

Retrieves metadata for a specific context table in Exabeam AA, including source, operational status, and attribute mapping, using the table's `id`.

- Endpoint URL: `/context-management/v1/tables/{{id}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier of the table |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attributeMapping | array | Attribute mapping |
| attributeMapping[].sourceAttribute | string | Source attribute |
| attributeMapping[].targetAttributeId | string | Unique identifier of the target attribute |
| attributes | array | Table attributes |
| attributes[].displayName | string | Display name of the attribute |
| attributes[].id | string | Unique identifier of the attribute |
| attributes[].isKey | boolean | Whether the attribute is the table key |
| attributes[].type | string | Type of the attribute |
| contextType | string | Type of the table |
| id | string | Unique identifier of the table |
| lastUpdated | number | Last update time |
| name | string | Name of the table |
| source | string | Source of the table |
| status | string | Status value |
| totalItems | number | Total number of items |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "attributeMapping": [],
      "attributes": [],
      "contextType": "other",
      "id": "eic5oloacm",
      "lastUpdated": 1676018946,
      "name": "public api example",
      "source": "custom",
      "status": "running",
      "totalItems": 10
    }
  }
]
```

### Get metadata for all existing context tables

Retrieves metadata for all Exabeam AA context tables, detailing source, operational status, and attribute mapping.

- Endpoint URL: `/context-management/v1/tables`
- Method: GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Get table records by ID

Retrieves records from a specific Exabeam AA context table using the provided unique identifier.

- Endpoint URL: `/context-management/v1/tables/{{id}}/records`
- Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| id | string | required | Unique identifier of the table |
| limit | number | optional | Maximum number of records to return |
| offset | number | optional | Number of records to skip |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| paging | object | Paging information |
| paging.count | number | Count value |
| paging.limit | number | Page size |
| paging.next | array | Next page |
| paging.next[].file_name | string | Name of the resource |
| paging.next[].file | string | File |
| paging.offset | number | Offset of the page |
| paging.pages | number | Number of pages |
| paging.prev | array | Previous page |
| paging.prev[].file_name | string | Name of the resource |
| paging.prev[].file | string | File |
| records | array | Table records |
| records[].attr_1 | string | Attribute attr_1 |
| records[].attr_11 | string | Attribute attr_11 |
| records[].attr_2 | string | Attribute attr_2 |
| records[].attr_22 | string | Attribute attr_22 |
| records[].attr_3 | string | Attribute attr_3 |
| records[].attr_33 | string | Attribute attr_33 |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "paging": {},
      "records": []
    }
  }
]
```

### Search audit events

Performs rapid search queries on audit events within a specified time range, using `fields`, `startTime`, and `endTime`.

- Endpoint URL: `/audit/v1/events`
- Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| fields | array | required | List of fields to be returned from the audit search |
| startTime | string | required | ISO 8601 UTC timestamp at which the audit search starts |
| endTime | string | required | ISO 8601 UTC timestamp at which the audit search ends |
| limit | number | optional | Limit the number of events returned from the audit search request |
| groupBy | array | optional | List of fields to group by |
| orderBy | array | optional | Order fields by asc or desc |
| distinct | boolean | optional | Include or exclude DISTINCT from the select clause; defaults to false |
| filter | string | optional | Filter for specific audit events |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeStartedMillis | number | Time the search started, in milliseconds |
| timeCompletedMillis | number | Time the search completed, in milliseconds |
| rows | array | Matching audit events |
| rows[].additionalProp | object | Event fields |
| totalRows | number | Total number of rows |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "timeStartedMillis": 0,
      "timeCompletedMillis": 0,
      "rows": [],
      "totalRows": 0
    }
  }
]
```

### Track ingestion progress

Polls the status of an add-records job in Exabeam AA using the tracker ID returned by the add-records actions.

- Endpoint URL: `/context-management/v1/tables/uploadStatus/{{trackerId}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| trackerId | string | required | Unique identifier of the ingestion job |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totalErrors | number | Number of records that failed to upload |
| totalUploaded | number | Number of records uploaded so far |
| uploadStatus | string | Status value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "totalErrors": 10,
      "totalUploaded": 100,
      "uploadStatus": "inprogress"
    }
  }
]
```

## Response headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 5 Sep 2023 20:37:23 GMT |

## Notes

For more information on Exabeam AA, see the Exabeam AA bi-directional API documentation: https://docs.exabeam.com/apis/
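The add-records-then-track-progress procedure that the actions above describe, as an added example; this is not Swimlane's connector code or an Exabeam client, and it runs offline against a constructed in-memory stand-in. The endpoint paths and response field names (`trackerId`, `jsonEntries`, `totalDuplicates`, `totalIgnoredMissingKey`, `totalUploaded`, `totalErrors`, `uploadStatus`) are those documented on this page; the `/auth/v1/token` path, the `Bearer` authorization header, the `operation` value `append`, and the `uploadStatus` strings `IN_PROGRESS` and `COMPLETED` are assumptions, as are the table ID, credentials and sample records.

```python
import time
from typing import Any, Callable, Dict, List

# Added example, not Swimlane's or Exabeam's code. Paths and field names follow this
# page; /auth/v1/token, the Bearer header, operation="append" and the uploadStatus
# values IN_PROGRESS/COMPLETED are assumptions. transport(method, url, headers,
# json_body) must return (status_code, json_body).


class ExabeamAAError(RuntimeError):
    """Auth failure, unexpected HTTP status, or an upload that never finishes."""


class ExabeamAAClient:
    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 transport: Callable[..., Any], sleep: Callable[[float], None] = time.sleep):
        self.base_url, self.transport, self.sleep = base_url.rstrip("/"), transport, sleep
        self.client_id, self.client_secret, self._token = client_id, client_secret, None

    def _auth(self) -> str:  # assumed: OAuth 2.0 client-credentials grant
        if self._token is None:
            status, body = self.transport("POST", self.base_url + "/auth/v1/token", {},
                {"grant_type": "client_credentials", "client_id": self.client_id,
                 "client_secret": self.client_secret})
            if status != 200 or "access_token" not in body:
                raise ExabeamAAError(f"token request failed: HTTP {status}")
            self._token = body["access_token"]
        return self._token

    def _call(self, method: str, path: str, body=None, expect=(200,)) -> Dict[str, Any]:
        headers = {"Authorization": "Bearer " + self._auth(), "Accept": "application/json"}
        status, data = self.transport(method, self.base_url + path, headers, body)
        if status not in expect:  # a 4xx/5xx must never pass as a successful ingest
            raise ExabeamAAError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def add_records(self, table_id: str, records: List[Dict[str, Any]], operation="append"):
        return self._call("POST", f"/context-management/v1/tables/{table_id}/addRecords",
                          {"operation": operation, "data": records})

    def upload_status(self, tracker_id: str) -> Dict[str, Any]:
        return self._call("GET", f"/context-management/v1/tables/uploadStatus/{tracker_id}")

    def wait_for_upload(self, tracker_id: str, max_polls=30, interval=2.0) -> Dict[str, Any]:
        for _ in range(max_polls):  # bounded: never spin forever on a stuck job
            status = self.upload_status(tracker_id)
            if status.get("uploadStatus") != "IN_PROGRESS":
                return status
            self.sleep(interval)
        raise ExabeamAAError(f"upload {tracker_id} still in progress after {max_polls} polls")


def push_context(client: ExabeamAAClient, table_id: str, records: List[Dict[str, Any]]):
    """Append, wait for the tracker, and surface the counts a playbook should check:
    records lacking the key attribute are dropped (totalIgnoredMissingKey), not errored."""
    ack = client.add_records(table_id, records)
    final = client.wait_for_upload(ack["trackerId"])
    return {"submitted": ack["jsonEntries"], "duplicates": ack.get("totalDuplicates", 0),
            "ignored_missing_key": ack.get("totalIgnoredMissingKey", 0),
            "uploaded": final.get("totalUploaded"), "errors": final.get("totalErrors"),
            "status": final.get("uploadStatus")}


class FakeExabeam:
    """Constructed offline stand-in with the response shapes shown on this page for one
    table keyed on `key`; the duplicate/missing-key rule and the poll timing are ours."""
    def __init__(self, table_id: str, key: str):
        self.table_id, self.key, self.rows, self.jobs = table_id, key, [], {}

    def __call__(self, method, url, headers, body):
        path = url.split("://", 1)[-1].split("/", 1)[1]
        if path == "auth/v1/token":
            ok = body.get("client_id") == "swimlane" and body.get("client_secret") == "s3cret"
            return (200, {"access_token": "tok"}) if ok else (401, {"error": "invalid_client"})
        if headers.get("Authorization") != "Bearer tok":
            return 401, {"error": "unauthorized"}
        if method == "POST" and path == f"context-management/v1/tables/{self.table_id}/addRecords":
            seen, dup, missing = {r[self.key] for r in self.rows}, 0, 0
            for r in body["data"]:
                if self.key not in r:
                    missing += 1
                elif r[self.key] in seen:
                    dup += 1
                else:
                    seen.add(r[self.key])
                    self.rows.append(r)
            trk = f"trk{len(self.jobs) + 1}"
            self.jobs[trk] = {"polls": 0, "uploaded": len(body["data"]) - dup - missing}
            return 200, {"jsonEntries": len(body["data"]), "totalDuplicates": dup,
                         "totalIgnoredMissingKey": missing, "trackerId": trk}
        if method == "GET" and path.startswith("context-management/v1/tables/uploadStatus/"):
            job = self.jobs[path.rsplit("/", 1)[1]]
            job["polls"] += 1  # IN_PROGRESS on the first two polls, then COMPLETED
            return 200, {"totalErrors": 0, "totalUploaded": job["uploaded"],
                         "uploadStatus": "COMPLETED" if job["polls"] >= 3 else "IN_PROGRESS"}
        return 404, {"error": f"no route for {method} {path}"}


def demo() -> Dict[str, Any]:
    fake = FakeExabeam(table_id="eic5oloacm", key="user")  # table id from the page's example
    client = ExabeamAAClient("https://exabeam.example", "swimlane", "s3cret", fake,
                             sleep=lambda _: None)
    records = [{"user": "jdoe", "termDate": "2023-09-01"},    # constructed input: one
               {"user": "asmith", "termDate": "2023-09-04"},  # duplicate key and one
               {"user": "jdoe", "termDate": "2023-09-01"},    # record without the key
               {"termDate": "2023-09-05"}]
    return push_context(client, "eic5oloacm", records)
```

`demo()` returns `{'submitted': 4, 'duplicates': 1, 'ignored_missing_key': 1, 'uploaded': 2, 'errors': 0, 'status': 'COMPLETED'}`. Two choices matter in a playbook: the poll loop is bounded so a job that never leaves `IN_PROGRESS` raises instead of hanging the automation, and `ignored_missing_key` is returned separately because the API accepts such a batch with a 200 while silently discarding the records without the key attribute, which is the condition a practitioner should alert on.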