# Exabeam AA V2

Exabeam AA V2 is a next-generation SIEM platform that utilizes behavioral analytics to enhance threat detection and response.

Exabeam Advanced Analytics (AA) V2 is a powerful platform for security intelligence and management, offering advanced capabilities for threat detection and response. The Exabeam AA V2 connector for Swimlane Turbine enables seamless integration with Exabeam's robust analytics and correlation rule management, event search, and context table management. This integration empowers Swimlane Turbine users to automate complex security workflows, enhance threat detection accuracy, and streamline incident response processes, ultimately improving the efficiency and effectiveness of security operations.

## Prerequisites

Before you can use the Exabeam AA V2 connector for Turbine, you'll need access to the Exabeam API. This requires OAuth 2.0 client credentials authentication using the following parameters:

- URL: the endpoint for accessing the Exabeam API
- API Key: a unique key provided by Exabeam for API access
- API Key Secret: a secret associated with the API Key for secure authentication

## Capabilities

This connector provides the following capabilities:

- Add Context Records
- Create a New Correlation Rule
- Create Context Table
- Delete a Correlation Rule
- Get a List of All Correlation Rules
- Get Context Table Metadata
- Get Context Table Records
- Get Correlation Rule Details
- Search for Events
- Update a Correlation Rule

### Add Context Records

Add one or more context records directly to an existing context table. Use the `operation` parameter to append the added data or replace the existing data.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/postcontext-managementv1tablesidaddrecords

### Create Context Table

Create a custom context table (only custom tables are supported) with attributes that define the schema. Use the `isKey` property to designate the key attribute.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/postcontext-managementv1tables

### Get Context Table Metadata

Retrieve metadata for all existing context tables, including source, operational status, and attribute mapping.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/getcontext-managementv1tables

### Get Context Table Records

Retrieve the records for a specific context table. Supports pagination via the `limit` and `offset` query parameters.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/getcontext-managementv1tablesidrecords

## Notes

For more information on Exabeam:

- Exabeam AA Bi-directional API documentation: https://docs.exabeam.com/apis/

## Additional Documentation

- Exabeam AA V2 connector documentation: https://docs.swimlane.com/connectors/exabeam-aa-v2
- Exabeam AA V2 API documentation: https://docs.exabeam.com/apis/

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Client ID | API Key | string | required |
| Client Secret | API Key Secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Context Records

Add context records to an existing table in Exabeam AA V2 using the Context Management API. Requires `id` as a path parameter and `operation` in the JSON body to append or replace data.

Endpoint URL: `/context-management/v1/tables/{{id}}/addRecords`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | ID of an existing context table |
| operation | string | optional | Options for how data should be uploaded to an existing table. Use `append` to add data or `replace` to overwrite existing data |
| data | array | optional | String data records. Each record is an object that maps attribute IDs to their values |

Input example:

```json
{
  "json_body": {
    "operation": "append",
    "data": [
      {"xym85gfp": "john", "gsqqbm5h": "doe", "eic5oloacm": "email1@server.com"},
      {"xym85gfp": "jane", "gsqqbm5h": "smith", "eic5oloacm": "email2@server.com"}
    ]
  },
  "path_parameters": {"id": "eic5oloacm"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| trackerId | string | Tracker ID for the upload operation that can be used to poll ingestion progress |
| jsonEntries | number | Number of JSON entries received |
| totalDuplicates | number | Number of duplicate entries detected |
| totalIgnoredMissingKey | number | Number of records ignored because the key attribute was missing |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {
    "jsonEntries": 1000,
    "totalDuplicates": 100,
    "totalIgnoredMissingKey": 10,
    "trackerId": "fbbc124ada3c4ffa94c3c60457512dd3"
  }
}
```

### Create a New Correlation Rule

Initiate the creation of a new correlation rule in Exabeam AA V2 using the provided JSON body.

Endpoint URL: `/correlation-rules/v2/rules`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| severity | string | optional | Parameter for Create a New Correlation Rule |
| enabled | boolean | optional | Parameter for Create a New Correlation Rule |
| testMode | boolean | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig | object | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences | array | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition | object | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.groupByOption | boolean | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.functionType | string | required | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.operator | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.unit | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.triggerOnAnyMatch | string | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.groupBy | array | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.field | string | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.value | string | required | Value for the parameter |
| sequencesConfig.sequences.condition.time | number | required | Time value |
| sequencesConfig.sequences.name | string | required | Name of the resource |
| sequencesConfig.sequences.query | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.commonProperties | object | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.commonProperties.groupBy | array | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.commonProperties.time | number | required | Time value |
| sequencesConfig.commonProperties.unit | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.outcomes | object | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.outcomes.sendEmail | boolean | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.outcomes.createCase | boolean | optional | Parameter for Create a New Correlation Rule |

Input example:

```json
{
  "json_body": {
    "severity": "medium",
    "enabled": true,
    "testMode": true,
    "sequencesConfig": {
      "sequences": [
        {
          "condition": {
            "groupByOption": true,
            "functionType": "value",
            "subject": "field",
            "operator": "not in",
            "unit": "hours",
            "triggerOnAnyMatch": "false",
            "groupBy": ["string"],
            "field": "string",
            "value": "string",
            "time": 3
          },
          "name": "single sequence rule",
          "query": "vendor:\"exabeam\""
        }
      ],
      "commonProperties": {"groupBy": ["string"], "time": 3, "unit": "hours"},
      "outcomes": {
        "sendEmail": true,
        "createCase": true,
        "sendAlertTriage": false,
        "case": {"description": "rule is triggered when any event match the sequence query"},
        "email": {
          "recipients": ["string"],
          "subject": "string",
          "description": "rule is triggered when any event match the sequence query",
          "attachCsv": true
        },
        "alertTriage": {"name": "single sequence rule"}
      }
    },
    "suppressConfig": {"suppressOption": true, "suppressUnit": "hours", "suppressTime": 4},
    "delayConfig": {"delay": true, "delayTimeInMinutes": 5},
    "name": "single sequence rule",
    "description": "rule is triggered when any event match the sequence query"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| severity | string | Output field severity |
| enabled | boolean | Output field enabled |
| type | string | Type of the resource |
| author | string | Output field author |
| lastModifier | string | Output field lastModifier |
| createdAt | string | Output field createdAt |
| updatedAt | string | Output field updatedAt |
| autoDisabled | boolean | Output field autoDisabled |
| lastTriggeredAt | string | Output field lastTriggeredAt |
| timesTriggered | number | Output field timesTriggered |
| timesSuppressed | number | Output field timesSuppressed |
| sequencesConfig | object | Output field sequencesConfig |
| sequencesConfig.sequences | array | Output field sequencesConfig.sequences |
| sequencesConfig.sequences.name | string | Name of the resource |
| sequencesConfig.sequences.query | string | Output field sequencesConfig.sequences.query |
| sequencesConfig.sequences.condition | object | Output field sequencesConfig.sequences.condition |
| sequencesConfig.sequences.condition.groupByOption | boolean | Output field sequencesConfig.sequences.condition.groupByOption |
| sequencesConfig.sequences.condition.groupBy | array | Output field sequencesConfig.sequences.condition.groupBy |
| sequencesConfig.sequences.condition.functionType | string | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | Output field sequencesConfig.sequences.condition.subject |

Output example (truncated in the source):

```json
{
  "status_code": 201,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "string",
    "description": "string",
    "severity": "none",
    "enabled": true,
    "type": "string",
    "author": "string",
    "lastModifier": "string",
    "createdAt": "2023-09-06T10:08:31.303Z",
    "updatedAt": "2023-09-06T10:08:31.303Z",
    "autoDisabled": true,
    "lastTriggeredAt": "2023-09-06T10:08:31.303Z",
    "timesTriggered": 0,
    "t
```

### Create Context Table

Create a custom context table in Exabeam AA V2 with attributes defining the schema. Requires a JSON body including `name`, `contextType`, and `source`.

Endpoint URL: `/context-management/v1/tables`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Table display name |
| contextType | string | optional | A valid context type for creating a table |
| source | string | optional | The vendor from which the table will be sourced. Only `custom` is supported |
| attributes | array | optional | Table metadata attributes. Each attribute may either reference an existing attribute by `id` or define a new attribute by `displayName` |
| attributes.id | string | optional | ID of an existing attribute (use either `id` or `displayName`) |
| attributes.displayName | string | optional | Attribute display name (used when creating a new attribute) |
| attributes.isKey | boolean | required | Indicates whether the attribute is the key for the table |

Input example:

```json
{
  "json_body": {
    "name": "example custom table of type other",
    "contextType": "other",
    "source": "custom",
    "attributes": [
      {"displayName": "custom attribute", "isKey": false},
      {"id": "id of existing attribute", "isKey": true}
    ]
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |
| table | object | Output field table |
| table.id | string | Unique identifier |
| table.name | string | Name of the resource |
| table.contextType | string | Type of the resource |
| table.source | string | Output field table.source |
| table.totalItems | number | Output field table.totalItems |
| table.status | string | Status value |
| table.lastUpdated | number | Output field table.lastUpdated |
| table.attributes | array | Output field table.attributes |
| table.attributes.id | string | Unique identifier |
| table.attributes.displayName | string | Name of the resource |
| table.attributes.type | string | Type of the resource |
| table.attributes.isKey | boolean | Output field table.attributes.isKey |
| table.attributeMapping | array | Output field table.attributeMapping |
| table.attributeMapping.sourceAttribute | string | Output field table.attributeMapping.sourceAttribute |
| table.attributeMapping.targetAttributeId | string | Unique identifier |

Output example:

```json
{
  "status_code": 201,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "Created",
  "json_body": {
    "url": "https://example.com/context-management/v1/tables/eic5oloacm",
    "table": {
      "id": "eic5oloacm",
      "name": "public api example",
      "contextType": "other",
      "source": "custom",
      "totalItems": 10,
      "status": "running",
      "lastUpdated": 1676018946,
      "attributes": [],
      "attributeMapping": []
    }
  }
}
```

### Delete a Correlation Rule

Delete a specific correlation rule in Exabeam AA V2 using the provided rule ID.

Endpoint URL: `/correlation-rules/v2/rules/{{rule_id}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_id | string | required | Parameters for the Delete a Correlation Rule action |

Input example:

```json
{"path_parameters": {"rule_id": "016dbc1d-a727-4"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {}
}
```

### Get a List of All Correlation Rules

Retrieve a comprehensive list of all correlation rules available in Exabeam AA V2.

Endpoint URL: `/correlation-rules/v2/rules`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": [
    {
      "id": "4e775ff5-78c1-4b2d-81fd-26be2632f042",
      "name": "rule triggered when a certain field does not match values in the list",
      "enabled": true,
      "description": "rule is triggered when none of the defined values are present.",
      "severity": "none",
      "author": "admin",
      "lastModifier": "standard user",
      "createdAt": "2023-06-25T14:48:00.000Z",
      "updatedAt": "20
```

### Get Context Table Metadata

Retrieve metadata for all existing context tables in Exabeam AA V2 via the Context Management API, including source, operational status, and attribute mapping.

Endpoint URL: `/context-management/v1/tables`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": [
    {
      "id": "eic5oloacm",
      "name": "public api example",
      "contextType": "other",
      "source": "custom",
      "totalItems": 10,
      "status": "running",
      "lastUpdated": 1676018946,
      "attributes": [],
      "attributeMapping": []
    }
  ]
}
```

### Get Context Table Records

Retrieve records for a specific context table in Exabeam AA V2 using the Context Management API, with the table ID as a path parameter.

Endpoint URL: `/context-management/v1/tables/{{id}}/records`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | ID for the specified context table |
| query_parameters.limit | number | optional | The number of records to return per page |
| query_parameters.offset | number | optional | The number of rows to skip before beginning to return records |

Input example:

```json
{
  "path_parameters": {"id": "eic5oloacm"},
  "query_parameters": {"limit": 25, "offset": 0}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| paging | object | Output field paging |
| paging.count | number | Count value |
| paging.limit | number | Output field paging.limit |
| paging.offset | number | Output field paging.offset |
| paging.pages | number | Output field paging.pages |
| paging.next | array | Output field paging.next |
| paging.prev | array | Output field paging.prev |
| records | array | Output field records |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {
    "paging": {"count": 3, "limit": 25, "next": [], "offset": 0, "pages": 1, "prev": []},
    "records": [{}, {}, {}]
  }
}
```

### Get Correlation Rule Details

Retrieve detailed information for a specific correlation rule in Exabeam AA V2 using the rule ID path parameter.

Endpoint URL: `/correlation-rules/v2/rules/{{rule_id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_id | string | required | Parameters for the Get Correlation Rule Details action |

Input example:

```json
{"path_parameters": {"rule_id": "016dbc1d-a727-4"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| enabled | boolean | Output field enabled |
| description | string | Output field description |
| severity | string | Output field severity |
| author | string | Output field author |
| lastModifier | string | Output field lastModifier |
| createdAt | string | Output field createdAt |
| updatedAt | string | Output field updatedAt |
| autoDisabled | boolean | Output field autoDisabled |
| lastTriggeredAt | string | Output field lastTriggeredAt |
| timesTriggered | number | Output field timesTriggered |
| timesSuppressed | number | Output field timesSuppressed |
| sequencesConfig | object | Output field sequencesConfig |
| sequencesConfig.sequences | array | Output field sequencesConfig.sequences |
| sequencesConfig.sequences.name | string | Name of the resource |
| sequencesConfig.sequences.query | string | Output field sequencesConfig.sequences.query |
| sequencesConfig.sequences.condition | object | Output field sequencesConfig.sequences.condition |
| sequencesConfig.sequences.condition.groupByOption | boolean | Output field sequencesConfig.sequences.condition.groupByOption |
| sequencesConfig.sequences.condition.functionType | string | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | Output field sequencesConfig.sequences.condition.subject |
| sequencesConfig.sequences.condition.field | string | Output field sequencesConfig.sequences.condition.field |
| sequencesConfig.sequences.condition.operator | string | Output field sequencesConfig.sequences.condition.operator |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {
    "id": "4e775ff5-78c1-4b2d-81fd-26be2632f042",
    "name": "rule with more than one sequence that triggers when the conditions of both seque",
    "enabled": true,
    "description": "rule is triggered when the conditions of both sequences are met in this example.",
    "severity": "none",
    "author": "admin",
    "lastModifier": "standard user",
    "createdAt": "2023-06
```

### Search for Events

Perform a search across logs and events within a specified time range using Exabeam AA V2. Requires `fields`, `startTime`, `endTime`, and `filter`.

Endpoint URL: `/search/v2/events`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | optional | Limit the number of events returned from the search request |
| groupBy | array | optional | List of fields to group by |
| orderBy | array | optional | Order fields by `asc` or `desc` |
| distinct | boolean | optional | Include or exclude `DISTINCT` from the select clause. Defaults to `false` |
| startTime | string | optional | Timestamp to start the search (ISO 8601 format) |
| endTime | string | optional | Timestamp to end the search (ISO 8601 format) |
| filter | string | optional | Filter for specific events |

Input example:

```json
{
  "json_body": {
    "limit": 3000,
    "groupBy": ["string"],
    "orderBy": ["asc"],
    "distinct": true,
    "startTime": "2024-04-01T00:00:00Z",
    "endTime": "2024-04-01T00:00:00Z",
    "filter": "id:\"123\" AND src_ip:\"00.00.000.000\""
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeStartedMillis | number | Output field timeStartedMillis |
| timeCompletedMillis | number | Output field timeCompletedMillis |
| rows | array | Output field rows |
| rows.additionalProp | object | Output field rows.additionalProp |
| totalRows | number | Output field totalRows |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {"timeStartedMillis": 0, "timeCompletedMillis": 0, "rows": [{}], "totalRows": 0}
}
```

### Update a Correlation Rule

Update an existing correlation rule in Exabeam AA V2 using the specified rule ID. Requires path parameters and a JSON body.

Endpoint URL: `/correlation-rules/v2/rules/{{rule_id}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_id | string | required | Parameters for the Update a Correlation Rule action |
| severity | string | optional | Parameter for Update a Correlation Rule |
| enabled | boolean | optional | Parameter for Update a Correlation Rule |
| testMode | boolean | optional | Parameter for Update a Correlation Rule |
| sequencesConfig | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences | array | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.groupByOption | boolean | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.functionType | string | required | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.operator | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.unit | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.triggerOnAnyMatch | string | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.groupBy | array | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.field | string | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.value | string | required | Value for the parameter |
| sequencesConfig.sequences.name | string | optional | Name of the resource |
| sequencesConfig.sequences.query | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.commonProperties | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.commonProperties.time | number | optional | Time value |
| sequencesConfig.commonProperties.unit | string | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes.sendEmail | boolean | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes.createCase | boolean | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes.sendAlertTriage | boolean | optional | Parameter for Update a Correlation Rule |

Input example:

```json
{
  "json_body": {
    "severity": "high",
    "enabled": false,
    "testMode": true,
    "sequencesConfig": {
      "sequences": [
        {
          "condition": {
            "groupByOption": true,
            "functionType": "value",
            "subject": "field",
            "operator": "in",
            "unit": "days",
            "triggerOnAnyMatch": "false",
            "groupBy": ["string"],
            "field": "string",
            "value": "string",
            "time": 3
          },
          "name": "single sequence rule",
          "query": "vendor:\"exabeam\""
        },
        {
          "condition": {"triggerOnAnyMatch": "true"},
          "name": "single sequence rule",
          "query": "vendor:\"exabeam\""
        },
        {
          "condition": {
            "groupByOption": true,
            "functionType": "value",
            "subject": "field",
            "operator": "more than",
            "unit": "days",
            "triggerOnAnyMatch": "false",
            "groupBy": ["string"],
            "field": "string",
            "value": "string"
          },
          "name": "single sequence rule",
          "query": "vendor:\"exabeam\""
        }
      ],
      "commonProperties": {"time": 2, "unit": "hours"},
      "outcomes": {
        "sendEmail": true,
        "createCase": true,
        "sendAlertTriage": true,
        "case": {"description": "rule is triggered when any of the events match the search query."},
        "email": {
          "recipients": ["string"],
          "subject": "string",
          "description": "rule is triggered when any of the events match the search query.",
          "attachCsv": false
        },
        "alertTriage": {"name": "single sequence rule"}
      }
    },
    "suppressConfig": {"suppressOption": true, "suppressUnit": "hours", "suppressTime": 2},
    "delayConfig": {"delay": true, "delayTimeInMinutes": 7},
    "name": "single sequence rule",
    "description": "rule is triggered when any of the events match the search query."
  },
  "path_parameters": {"rule_id": "016dbc1d-a727-43df-a143-9546dcc81a5a"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| severity | string | Output field severity |
| enabled | boolean | Output field enabled |
| type | string | Type of the resource |
| author | string | Output field author |
| lastModifier | string | Output field lastModifier |
| createdAt | string | Output field createdAt |
| updatedAt | string | Output field updatedAt |
| autoDisabled | boolean | Output field autoDisabled |
| lastTriggeredAt | string | Output field lastTriggeredAt |
| timesTriggered | number | Output field timesTriggered |
| timesSuppressed | number | Output field timesSuppressed |
| sequencesConfig | object | Output field sequencesConfig |
| sequencesConfig.sequences | array | Output field sequencesConfig.sequences |
| sequencesConfig.sequences.name | string | Name of the resource |
| sequencesConfig.sequences.query | string | Output field sequencesConfig.sequences.query |
| sequencesConfig.sequences.condition | object | Output field sequencesConfig.sequences.condition |
| sequencesConfig.sequences.condition.groupByOption | boolean | Output field sequencesConfig.sequences.condition.groupByOption |
| sequencesConfig.sequences.condition.groupBy | array | Output field sequencesConfig.sequences.condition.groupBy |
| sequencesConfig.sequences.condition.functionType | string | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | Output field sequencesConfig.sequences.condition.subject |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Sep 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "string",
    "description": "string",
    "severity": "none",
    "enabled": true,
    "type": "string",
    "author": "string",
    "lastModifier": "string",
    "createdAt": "2023-09-09T07:57:00.686Z",
    "updatedAt": "2023-09-09T07:57:00.686Z",
    "autoDisabled": true,
    "lastTriggeredAt": "2023-09-09T07:57:00.686Z",
    "timesTriggered": 0,
    "t
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 5 Sep 2023 20:37:23 GMT |
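Two of the actions above reward a little client-side care: Add Context Records reports dropped rows only after the fact (`totalIgnoredMissingKey`, `totalDuplicates`), and Get Context Table Records has to be paged with `limit`/`offset`. The helpers below are an added example, not Swimlane's or Exabeam's code; they assume only the metadata, `addRecords` and paging shapes shown in the examples on this page, and `fetch_page` is a stand-in for the HTTP GET that Turbine performs, so everything runs offline.

```python
"""Pre-flight and paging helpers for the Exabeam AA V2 context-management calls."""
from typing import Callable, Iterator

# Constructed sample in the Get Context Table Metadata output shape; the attribute
# ids are the ones used by the Add Context Records example on this page.
SAMPLE_TABLE = {
    "id": "eic5oloacm", "contextType": "other", "source": "custom",
    "attributes": [
        {"id": "xym85gfp", "displayName": "first_name", "type": "string", "isKey": False},
        {"id": "gsqqbm5h", "displayName": "last_name", "type": "string", "isKey": False},
        {"id": "eic5oloacm", "displayName": "email", "type": "string", "isKey": True},
    ],
}


def key_attribute_id(table: dict) -> str:
    """Return the id of the table's single key attribute (the one with isKey true)."""
    keys = [a["id"] for a in table.get("attributes", []) if a.get("isKey")]
    if len(keys) != 1:
        raise ValueError(f"table {table.get('id')!r} needs exactly one key attribute, found {len(keys)}")
    return keys[0]


def build_add_records_body(table: dict, rows: list, operation: str = "append"):
    """Build json_body for POST /context-management/v1/tables/{id}/addRecords.

    Records without the key attribute are ignored by the API (counted only in
    totalIgnoredMissingKey) and repeats show up as totalDuplicates, so both are
    separated out here before the upload. Returns (body, missing_key_rows,
    duplicate_rows) so a workflow can log exactly what was excluded.
    """
    if operation not in ("append", "replace"):
        raise ValueError("operation must be 'append' or 'replace'")
    known = {a["id"] for a in table["attributes"]}
    key = key_attribute_id(table)
    data, seen, missing_key, duplicates = [], set(), [], []
    for row in rows:
        unknown = set(row) - known  # refuse ids the table's metadata does not declare
        if unknown:
            raise ValueError(f"unknown attribute ids {sorted(unknown)} for table {table['id']}")
        key_value = row.get(key)
        if key_value in (None, ""):
            missing_key.append(row)
        elif key_value in seen:
            duplicates.append(row)
        else:
            seen.add(key_value)
            data.append(row)
    return {"operation": operation, "data": data}, missing_key, duplicates


def iter_context_records(fetch_page: Callable[[int, int], dict], limit: int = 25) -> Iterator[dict]:
    """Walk GET /context-management/v1/tables/{id}/records using limit/offset.

    fetch_page(limit, offset) must return the json_body shown above
    ({"paging": {...}, "records": [...]}). paging.count is the total, so the
    walk stops when offset reaches it; an empty page also stops it, so a stale
    count can never turn into an endless loop.
    """
    offset = 0
    while True:
        page = fetch_page(limit, offset)
        records = page.get("records", [])
        yield from records
        offset += len(records)
        if not records or offset >= page["paging"]["count"]:
            return


def make_fake_fetcher(all_records: list) -> Callable[[int, int], dict]:
    """Offline stand-in for the records endpoint, serving a constructed record list."""
    def fetch_page(limit: int, offset: int) -> dict:
        chunk = all_records[offset:offset + limit]
        pages = max(1, -(-len(all_records) // limit))
        return {"paging": {"count": len(all_records), "limit": limit, "offset": offset,
                           "pages": pages, "next": [], "prev": []},
                "records": chunk}
    return fetch_page
```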