Exabeam AA
38 min
## Overview

The Exabeam AA connector enables integration with Exabeam's SIEM platform, supporting automated data analysis and incident response workflows.

Exabeam Advanced Analytics (AA) is a user and entity behavior analytics (UEBA) platform that helps security teams detect, investigate, and respond to advanced threats. This connector enables Swimlane Turbine users to integrate with Exabeam AA, allowing them to automate the enrichment of security event data, manage context tables, and track ingestion progress. By combining Exabeam's analytics with Swimlane's automation capabilities, users can enhance their security operations with efficient data management and real-time threat detection.

## Prerequisites

To effectively utilize the Exabeam AA connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 Client Credentials for secure authentication:
  - URL: Endpoint URL for the Exabeam AA API
  - API Key: Unique identifier to authenticate API requests
  - API Key Secret: Confidential key used in conjunction with the API Key for authentication

## Capabilities

This connector provides the following capabilities:

- Add Context Records to an Existing Table
- Add Context Records to an Existing Table from a CSV file
- Create a Context Table with Metadata
- Get Metadata for a Single Context Table
- Get Metadata for All Existing Context Tables
- Get Table Records by ID
- Get the Available Attributes for a Specific Table Type
- Search Audit Events
- Track Ingestion Progress

## Notes

- For more information on Exabeam: https://docs.exabeam.com/apis/

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Client ID | API Key | string | Required |
| Client Secret | API Key Secret | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

Leave Verify SSL enabled. The Client Secret and the bearer tokens issued from it are sent on every request, and disabling certificate verification lets anything on the path (including a misconfigured HTTP Proxy) read them.

## Actions

### Add Context Records to an Existing Table

Append context records to a specified table in Exabeam AA using the `id` path parameter and `operation` in the request body.

Endpoint URL: `/context-management/v1/tables/{{id}}/addRecords`
Method: POST

Input arguments

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | ID of the table to add records to |
| data | array | Optional | Records to append; each record is an object whose keys are table attributes |
| operation | string | Optional | Operation to perform (the example uses `append`) |

Input example

```json
{
  "json_body": {
    "data": [{"newKey": "New Value"}],
    "operation": "append"
  },
  "path_parameters": {"id": "emp_name_l8pfjfsh"}
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| jsonEntries | number | Number of records received in the request body |
| totalDuplicates | number | Number of duplicate records |
| totalIgnoredMissingKey | number | Number of records ignored because the key attribute was missing |
| trackerId | string | Unique identifier of the upload job; pass it to Track Ingestion Progress |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "jsonEntries": 1000,
    "totalDuplicates": 100,
    "totalIgnoredMissingKey": 10,
    "trackerId": "fbbc124ada3c4ffa94c3c60457512dd3"
  }
}
```

### Add Context Records to an Existing Table from CSV

Appends data to an existing Exabeam AA table from a CSV file, using the header row for attribute mapping. Requires the `id` and `operation` parameters.

Endpoint URL: `/context-management/v1/tables/{{id}}/addRecordsFromCsv`
Method: POST

Input arguments

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | ID of the table to add records to |
| attachments | array | Required | File to be uploaded |
| attachments.file_name | string | Required | Name of the file |
| attachments.file | string | Required | Contents of the CSV file |
| sourceAttribute | string | Optional | CSV header column used for attribute mapping |
| operation | string | Optional | Operation to perform (the example uses `append`) |

Input example

```json
{
  "json_body": {
    "sourceAttribute": "email",
    "operation": "append"
  },
  "path_parameters": {"id": "emp_name_l8pfjfsh"}
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| csvEntries | number | Number of records read from the CSV file |
| totalDuplicates | number | Number of duplicate records |
| totalIgnoredMissingKey | number | Number of records ignored because the key attribute was missing |
| trackerId | string | Unique identifier of the upload job; pass it to Track Ingestion Progress |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "csvEntries": 1000,
    "totalDuplicates": 100,
    "totalIgnoredMissingKey": 10,
    "trackerId": "fbbc124ada3c4ffa94c3c60457512dd3"
  }
}
```

### Create a Context Table with Metadata

Generates a new custom context table in Exabeam AA with the specified schema attributes. The request needs `name`, `contextType`, and `source`.

Endpoint URL: `/context-management/v1/tables`
Method: POST

Input arguments

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Optional | Name of the table |
| contextType | string | Optional | Type of the context table |
| source | string | Optional | Source of the table (the example uses `custom`) |
| attributes | array | Optional | Schema attributes of the table |
| attributes.isKey | boolean | Required | Whether this attribute is the table's key |
| attributes.id | string | Required | Unique identifier of the attribute |
| attributes.displayName | string | Optional | Display name of the attribute |

Input example

```json
{
  "json_body": {
    "name": "Public API example",
    "contextType": "User",
    "source": "custom",
    "attributes": [
      {"isKey": true, "id": "email_qopyfk7m", "displayName": "User ID"}
    ]
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| table | object | The created table |
| table.attributeMapping | array | Mapping of source columns to table attributes |
| table.attributeMapping.sourceAttribute | string | Source column name |
| table.attributeMapping.targetAttributeId | string | Identifier of the mapped table attribute |
| table.attributes | array | Attributes of the table |
| table.attributes.displayName | string | Display name of the attribute |
| table.attributes.id | string | Unique identifier of the attribute |
| table.attributes.isKey | boolean | Whether the attribute is the table's key |
| table.attributes.type | string | Type of the attribute |
| table.contextType | string | Type of the context table |
| table.id | string | Unique identifier of the table |
| table.lastUpdated | number | Last update time (Unix epoch seconds in the example) |
| table.name | string | Name of the table |
| table.source | string | Source of the table |
| table.status | string | Status of the table |
| table.totalItems | number | Number of records in the table |
| url | string | URL of the created table |

Output example

```json
{
  "status_code": 201,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "Created",
  "json_body": {
    "table": {
      "attributeMapping": [],
      "attributes": [],
      "contextType": "Other",
      "id": "eic5oloacm",
      "lastUpdated": 1676018946,
      "name": "Public API example",
      "source": "custom",
      "status": "running",
      "totalItems": 10
    },
    "url": "https://example.com/context-management/v1/tables/eic5oloacm"
  }
}
```

### Get Metadata for a Single Context Table

Retrieve metadata for a specific context table in Exabeam AA, including source, operational status, and attribute mapping, using the table's `id`.

Endpoint URL: `/context-management/v1/tables/{{id}}`
Method: GET

Input arguments

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | ID of the table to retrieve |

Input example

```json
{
  "path_parameters": {"id": "email_qopyfk7m"}
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attributeMapping | array | Mapping of source columns to table attributes |
| attributeMapping.sourceAttribute | string | Source column name |
| attributeMapping.targetAttributeId | string | Identifier of the mapped table attribute |
| attributes | array | Attributes of the table |
| attributes.displayName | string | Display name of the attribute |
| attributes.id | string | Unique identifier of the attribute |
| attributes.isKey | boolean | Whether the attribute is the table's key |
| attributes.type | string | Type of the attribute |
| contextType | string | Type of the context table |
| id | string | Unique identifier of the table |
| lastUpdated | number | Last update time (Unix epoch seconds in the example) |
| name | string | Name of the table |
| source | string | Source of the table |
| status | string | Status of the table |
| totalItems | number | Number of records in the table |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "attributeMapping": [{}, {}, {}],
    "attributes": [{}, {}, {}],
    "contextType": "Other",
    "id": "eic5oloacm",
    "lastUpdated": 1676018946,
    "name": "Public API example",
    "source": "custom",
    "status": "running",
    "totalItems": 10
  }
}
```

### Get Metadata for All Existing Context Tables

Retrieve metadata for all Exabeam AA context tables, detailing source, operational status, and attribute mapping.

Endpoint URL: `/context-management/v1/tables`
Method: GET

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json_body | array | One table metadata object per table, with the fields listed under Get Metadata for a Single Context Table |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": [
    {
      "attributeMapping": [],
      "attributes": [],
      "contextType": "Other",
      "id": "eic5oloacm",
      "lastUpdated": 1676018946,
      "name": "Public API example",
      "source": "custom",
      "status": "running",
      "totalItems": 10
    }
  ]
}
```

### Get Table Records by ID

Retrieve records from a specific Exabeam AA context table using the provided unique identifier.

Endpoint URL: `/context-management/v1/tables/{{id}}/records`
Method: GET

Input arguments

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | ID of the table to read |
| parameters.limit | number | Optional | Maximum number of records to return |
| parameters.offset | number | Optional | Number of records to skip |

Input example

```json
{
  "parameters": {"limit": 1, "offset": 2},
  "path_parameters": {"id": "emp_name_l8pfjfsh"}
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| paging | object | Paging information |
| paging.count | number | Number of records in this page |
| paging.limit | number | Page size used |
| paging.next | array | Next page reference |
| paging.next.file_name | string | Name of the resource |
| paging.next.file | string | Output field paging.next.file |
| paging.offset | number | Offset of this page |
| paging.pages | number | Total number of pages |
| paging.prev | array | Previous page reference |
| paging.prev.file_name | string | Name of the resource |
| paging.prev.file | string | Output field paging.prev.file |
| records | array | Records of the table; keys are the table's attribute IDs |
| records.attr_1 | string | Output field records.attr_1 |
| records.attr_11 | string | Output field records.attr_11 |
| records.attr_2 | string | Output field records.attr_2 |
| records.attr_22 | string | Output field records.attr_22 |
| records.attr_3 | string | Output field records.attr_3 |
| records.attr_33 | string | Output field records.attr_33 |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "paging": {"count": 3, "limit": 25, "next": [], "offset": 0, "pages": 1, "prev": []},
    "records": [{}, {}, {}]
  }
}
```

### Search Audit Events

Perform rapid search queries on audit events within a specified time range using `fields`, `startTime`, and `endTime`.

Endpoint URL: `/audit/v1/events`
Method: POST

Input arguments

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| fields | array | Optional | List of fields to be returned from the audit search |
| startTime | string | Optional | ISO 8601 UTC timestamp at which to start the audit search |
| endTime | string | Optional | ISO 8601 UTC timestamp at which to end the audit search |
| limit | number | Optional | Limit the number of events returned from the audit search request |
| groupBy | array | Optional | List of fields to group by |
| orderBy | array | Optional | Order fields by `asc` or `desc` |
| distinct | boolean | Optional | Include or exclude DISTINCT from the SELECT clause; defaults to false |
| filter | string | Optional | Filter for specific audit events |

Input example

```json
{
  "json_body": {
    "fields": ["id", "id2"],
    "startTime": "2023-04-10T22:17:36.863Z",
    "endTime": "2023-04-10T22:17:36.863Z",
    "limit": 3000,
    "groupBy": ["a", "b"],
    "orderBy": ["asc", "desc"],
    "distinct": false,
    "filter": "app:\"search\" and src_ip:\"00.00.000.000\""
  }
}
```

The `filter` value is a query string that is passed through to Exabeam. If any part of it comes from playbook input, quote and escape the value rather than concatenating it, or the input can rewrite the query.

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeStartedMillis | number | Time the search started, in milliseconds |
| timeCompletedMillis | number | Time the search completed, in milliseconds |
| rows | array | Matching audit events |
| rows.additionalProp | object | Event fields, keyed by field name |
| totalRows | number | Total number of matching rows |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "timeStartedMillis": 0,
    "timeCompletedMillis": 0,
    "rows": [{}],
    "totalRows": 0
  }
}
```

### Track Ingestion Progress

Poll the status of an add-records job in Exabeam AA using the `trackerId` returned by Add Context Records to an Existing Table or Add Context Records to an Existing Table from CSV.

Endpoint URL: `/context-management/v1/tables/uploadStatus/{{trackerId}}`
Method: GET

Input arguments

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.trackerId | string | Required | Tracker ID of the upload job |

Input example

```json
{
  "path_parameters": {"trackerId": "fbbc124ada3c4ffa94c3c60457512dd3"}
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totalErrors | number | Number of records that failed to upload |
| totalUploaded | number | Number of records uploaded so far |
| uploadStatus | string | Status of the upload job (`inProgress` in the example) |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "totalErrors": 10,
    "totalUploaded": 100,
    "uploadStatus": "inProgress"
  }
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 5 Sep 2023 20:37:23 GMT |
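The Add Context Records and Track Ingestion Progress actions above are two halves of one workflow: the first returns a `trackerId`, and the second is polled with it until the job leaves `inProgress`. The following is an added example of that workflow in Python; it is not the Swimlane connector's code. It assumes a token endpoint at `/auth/v1/token` taking a JSON client-credentials body (an assumption to confirm at https://docs.exabeam.com/apis/), assumes any `uploadStatus` other than `inProgress` is terminal, and sends HTTP through an injectable `transport` callable so that it runs offline here against a constructed fake that mirrors the page's response shapes.

```python
"""Append records to an Exabeam AA context table, then poll the upload tracker.

Added example for this page; it is not the Swimlane connector's code. Assumptions:
  - the token endpoint is POST {URL}/auth/v1/token with a JSON client-credentials
    body (an assumption; confirm the path at https://docs.exabeam.com/apis/),
  - any uploadStatus other than "inProgress" is terminal,
  - HTTP goes through a `transport(method, url, headers, body)` callable that
    returns (status_code, json_dict), so the workflow runs offline against the
    constructed fake transport at the bottom.
"""
import json
from urllib.parse import quote

BASE_URL = "https://exabeam.example.com"   # assumed host, not a real deployment


class ExabeamError(RuntimeError):
    """Raised for HTTP errors and for a tracker that never leaves inProgress."""


class ExabeamAAClient:
    def __init__(self, base_url, client_id, client_secret, transport, sleep):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport
        self.sleep = sleep          # injectable so the example does not block
        self._token = None

    def _call(self, method, path, body=None, auth=True):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if auth:
            headers["Authorization"] = "Bearer " + self.token()
        status, data = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            # Never echo the secret or token; the response body is enough to diagnose.
            raise ExabeamError(f"{method} {path} -> HTTP {status}: {json.dumps(data)[:200]}")
        return data

    def token(self):
        if self._token is None:
            data = self._call("POST", "/auth/v1/token", auth=False, body={
                "client_id": self.client_id, "client_secret": self.client_secret,
                "grant_type": "client_credentials"})
            self._token = data["access_token"]
        return self._token

    def add_records(self, table_id, records, operation="append"):
        # Percent-encode the path parameter: a table id taken from playbook input
        # must not be able to add path segments ("../", "x/uploadStatus/...").
        path = f"/context-management/v1/tables/{quote(table_id, safe='')}/addRecords"
        return self._call("POST", path, {"data": records, "operation": operation})

    def wait_for_upload(self, tracker_id, attempts=10, delay_seconds=2.0):
        path = f"/context-management/v1/tables/uploadStatus/{quote(tracker_id, safe='')}"
        for _ in range(attempts):
            status = self._call("GET", path)
            if status.get("uploadStatus") != "inProgress":
                return status           # "completed" below is an assumed terminal value
            self.sleep(delay_seconds)
        raise ExabeamError(f"tracker {tracker_id} still inProgress after {attempts} polls")


def make_fake_transport(polls_until_done=2):
    """Constructed stand-in for the API; payload shapes follow the page's examples."""
    polls = {"n": 0}

    def transport(method, url, headers, body):
        path = url[len(BASE_URL):]
        if method == "POST" and path == "/auth/v1/token":
            return 200, {"access_token": "fake-token"}
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, {"message": "unauthorized"}
        if method == "POST" and path.endswith("/addRecords"):
            return 200, {"jsonEntries": len(body["data"]), "totalDuplicates": 0,
                         "totalIgnoredMissingKey": 0,
                         "trackerId": "fbbc124ada3c4ffa94c3c60457512dd3"}
        if method == "GET" and "/uploadStatus/" in path:
            polls["n"] += 1
            done = polls["n"] >= polls_until_done
            return 200, {"totalErrors": 0, "totalUploaded": 2 if done else 0,
                         "uploadStatus": "completed" if done else "inProgress"}
        return 404, {"message": f"no route for {method} {path}"}

    return transport


def run_example(polls_until_done=2, attempts=10):
    client = ExabeamAAClient(BASE_URL, "client-id", "client-secret",
                             make_fake_transport(polls_until_done), sleep=lambda s: None)
    submitted = client.add_records("emp_name_l8pfjfsh",
                                   [{"email": "a@example.com"}, {"email": "b@example.com"}])
    final = client.wait_for_upload(submitted["trackerId"], attempts=attempts)
    return submitted, final


if __name__ == "__main__":
    print(run_example())
```

Two details carry over to a real playbook: the poll is bounded (a job that never leaves `inProgress` raises instead of hanging the workflow), and path parameters are percent-encoded so a caller-supplied table or tracker id cannot be turned into a different endpoint.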
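The CSV variant reports `csvEntries`, `totalDuplicates` and `totalIgnoredMissingKey` only after the upload has been accepted. The following added example (not connector code) computes the same three counters locally so a playbook can reject a bad file before calling Add Context Records to an Existing Table from CSV. It assumes the key column is the one passed as `sourceAttribute` and that a duplicate means a repeated key within the file; whether the server also compares against rows already in the table is not stated on this page. The sample CSV is constructed.

```python
"""Pre-flight a CSV before handing it to Add Context Records from CSV.

Added example for this page, not connector code. It reproduces, locally, the
three counters the API reports after an upload (csvEntries, totalDuplicates,
totalIgnoredMissingKey) so a playbook can refuse a bad file instead of finding
the problem through the tracker. Assumptions: the key column is the one passed
as sourceAttribute, and "duplicate" means a repeated key within this file.
"""
import csv
import io


def preflight_csv(csv_text, source_attribute):
    """Return (summary, cleaned_csv_text) for one CSV payload."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    if source_attribute not in header:
        raise ValueError(f"key column {source_attribute!r} not in header {header}")
    seen, kept, duplicates, missing_key = set(), [], 0, 0
    for row in reader:
        key = (row.get(source_attribute) or "").strip()
        if not key:
            missing_key += 1      # the server would count this in totalIgnoredMissingKey
            continue
        if key in seen:
            duplicates += 1       # the server would count this in totalDuplicates
            continue
        seen.add(key)
        kept.append({col: (row.get(col) or "").strip() for col in header})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    summary = {"csvEntries": len(kept) + duplicates + missing_key,
               "totalDuplicates": duplicates,
               "totalIgnoredMissingKey": missing_key,
               "uploadable": len(kept)}
    return summary, out.getvalue()


# Constructed sample: one duplicated key and one row with an empty key column.
SAMPLE_CSV = """email,department,title
a@example.com,Finance,Analyst
b@example.com,IT,Engineer
a@example.com,Finance,Analyst
,HR,Recruiter
"""

if __name__ == "__main__":
    summary, cleaned = preflight_csv(SAMPLE_CSV, "email")
    print(summary)
    print(cleaned)
```

The cleaned text is what goes into `attachments.file`; the summary is what a playbook compares against the API's own counters afterwards, so a mismatch (for example more duplicates reported by the server than found in the file) shows that the table already held some of the keys.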
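For Search Audit Events, the `filter` input is a query string handed straight to Exabeam. The following added example (not connector code) builds the request body with the page's `field:"value"` form, escapes values, restricts field names to identifier characters, formats timestamps in the ISO 8601 UTC millisecond form the page shows, and clamps `limit`. Two things are assumptions to verify against Exabeam's audit-search documentation: that terms are joined with a lowercase `and`, and that a backslash escapes a double quote inside a quoted value; `MAX_LIMIT` of 3000 is taken from the page's example, not from a documented cap.

```python
"""Build a Search Audit Events request body with validated inputs.

Added example for this page, not connector code. Assumes the field:"value"
filter syntax and "and" conjunction shown in the page's example, and assumes a
backslash escapes a double quote inside a quoted value (verify both against
Exabeam's audit-search documentation). A value such as
    x" or app:"admin
must be escaped, or it rewrites the query.
"""
import re
from datetime import datetime, timezone

FIELD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
MAX_LIMIT = 3000            # the page's example uses 3000; treating it as a cap is an assumption


def quote_value(value):
    """Quote one filter value; backslashes are escaped first so \\" stays unambiguous."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(terms):
    """terms: {field_name: value}. Field names are validated, values are quoted."""
    parts = []
    for field, value in terms.items():
        if not FIELD_NAME.match(field):
            raise ValueError(f"illegal filter field name: {field!r}")
        parts.append(f"{field}:{quote_value(value)}")
    return " and ".join(parts)


def iso8601_utc(dt):
    """ISO 8601 UTC with milliseconds, matching the page's example timestamps."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_audit_search(fields, start, end, terms, limit=MAX_LIMIT, distinct=False):
    if start > end:
        raise ValueError("startTime must not be after endTime")
    for field in fields:
        if not FIELD_NAME.match(field):
            raise ValueError(f"illegal field name: {field!r}")
    body = {
        "fields": list(fields),
        "startTime": iso8601_utc(start),
        "endTime": iso8601_utc(end),
        "limit": max(1, min(int(limit), MAX_LIMIT)),
        "distinct": bool(distinct),
    }
    if terms:
        body["filter"] = build_filter(terms)
    return body


if __name__ == "__main__":
    print(build_audit_search(
        ["id", "app", "src_ip"],
        datetime(2023, 4, 10, 22, 17, 36, 863000, tzinfo=timezone.utc),
        datetime(2023, 4, 11, 22, 17, 36, 863000, tzinfo=timezone.utc),
        {"app": "search", "src_ip": '1.2.3.4" or app:"admin'},
    ))
```

The field-name check matters as much as the value escaping: an unvalidated key such as `app or x` would let the conjunction be injected from the left-hand side of the term.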