# Exabeam AA v2

The Exabeam AA v2 connector integrates Exabeam Advanced Analytics with Swimlane Turbine, enabling automated security incident response and rule management. Exabeam AA v2 is an analytics platform that supports security operations by identifying complex threats and improving incident response. This connector lets Swimlane Turbine users automate the creation, deletion, and management of correlation rules, and search for events within Exabeam. By integrating with Exabeam AA v2, users can streamline their security workflows, enforce consistent security policies, and respond rapidly to potential threats.

## Prerequisites

To use the Exabeam AA v2 connector with Swimlane Turbine, you need OAuth 2.0 client credentials for authentication, which include:

- **URL**: the endpoint URL for the Exabeam AA v2 API
- **API Key**: your unique identifier to authenticate with the Exabeam AA v2 API
- **API Key Secret**: a secret key paired with your API Key

## Capabilities

This connector provides the following capabilities:

- Create a new correlation rule
- Delete a correlation rule
- Get a list of all correlation rules
- Get correlation rule details
- Search for events
- Update a correlation rule

## Notes

For more information on Exabeam, see https://docs.exabeam.com/apis/.

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| client_id | API Key | string | Required |
| client_secret | API Key Secret | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Create a New Correlation Rule

Creates a new correlation rule in Exabeam AA v2 using the provided JSON body.

**Endpoint URL:** `/correlation-rules/v2/rules`
**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| severity | string | optional | Parameter for Create a New Correlation Rule |
| enabled | boolean | optional | Parameter for Create a New Correlation Rule |
| testMode | boolean | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig | object | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences | array | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition | object | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.groupByOption | boolean | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.functionType | string | required | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.operator | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.unit | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.triggerOnAnyMatch | string | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.groupBy | array | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.field | string | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.sequences.condition.value | string | required | Value for the parameter |
| sequencesConfig.sequences.condition.time | number | required | Time value |
| sequencesConfig.sequences.name | string | required | Name of the resource |
| sequencesConfig.sequences.query | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.commonProperties | object | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.commonProperties.groupBy | array | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.commonProperties.time | number | required | Time value |
| sequencesConfig.commonProperties.unit | string | required | Parameter for Create a New Correlation Rule |
| sequencesConfig.outcomes | object | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.outcomes.sendEmail | boolean | optional | Parameter for Create a New Correlation Rule |
| sequencesConfig.outcomes.createCase | boolean | optional | Parameter for Create a New Correlation Rule |

Input example:

```json
{
  "json_body": {
    "severity": "medium",
    "enabled": true,
    "testMode": true,
    "sequencesConfig": {
      "sequences": [
        {
          "condition": {
            "groupByOption": true,
            "functionType": "value",
            "subject": "field",
            "operator": "not in",
            "unit": "hours",
            "triggerOnAnyMatch": "false",
            "groupBy": ["string"],
            "field": "string",
            "value": "string",
            "time": 3
          },
          "name": "single sequence rule",
          "query": "vendor \"exabeam\""
        }
      ],
      "commonProperties": {
        "groupBy": ["string"],
        "time": 3,
        "unit": "hours"
      },
      "outcomes": {
        "sendEmail": true,
        "createCase": true,
        "sendAlertTriage": false,
        "case": {
          "description": "rule is triggered when any event match the sequence query"
        },
        "email": {
          "recipients": ["string"],
          "subject": "string",
          "description": "rule is triggered when any event match the sequence query",
          "attachCsv": true
        },
        "alertTriage": {
          "name": "single sequence rule"
        }
      }
    },
    "suppressConfig": {
      "suppressOption": true,
      "suppressUnit": "hours",
      "suppressTime": 4
    },
    "delayConfig": {
      "delay": true,
      "delayTimeInMinutes": 5
    },
    "name": "single sequence rule",
    "description": "rule is triggered when any event match the sequence query"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| severity | string | Output field severity |
| enabled | boolean | Output field enabled |
| type | string | Type of the resource |
| author | string | Output field author |
| lastModifier | string | Output field lastModifier |
| createdAt | string | Output field createdAt |
| updatedAt | string | Output field updatedAt |
| autoDisabled | boolean | Output field autoDisabled |
| lastTriggeredAt | string | Output field lastTriggeredAt |
| timesTriggered | number | Output field timesTriggered |
| timesSuppressed | number | Output field timesSuppressed |
| sequencesConfig | object | Output field sequencesConfig |
| sequencesConfig.sequences | array | Output field sequencesConfig.sequences |
| sequencesConfig.sequences.name | string | Name of the resource |
| sequencesConfig.sequences.query | string | Output field sequencesConfig.sequences.query |
| sequencesConfig.sequences.condition | object | Output field sequencesConfig.sequences.condition |
| sequencesConfig.sequences.condition.groupByOption | boolean | Output field sequencesConfig.sequences.condition.groupByOption |
| sequencesConfig.sequences.condition.groupBy | array | Output field sequencesConfig.sequences.condition.groupBy |
| sequencesConfig.sequences.condition.functionType | string | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | Output field sequencesConfig.sequences.condition.subject |

Output example (truncated in the source):

```json
{
  "status_code": 201,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "string",
    "description": "string",
    "severity": "none",
    "enabled": true,
    "type": "string",
    "author": "string",
    "lastModifier": "string",
    "createdAt": "2023-09-06T10:08:31.303Z",
    "updatedAt": "2023-09-06T10:08:31.303Z",
    "autoDisabled": true,
    "lastTriggeredAt": "2023-09-06T10:08:31.303Z",
    "timesTriggered": 0,
    "t...
```

### Delete a Correlation Rule

Deletes a specific correlation rule in Exabeam AA v2 using the provided rule ID.

**Endpoint URL:** `/correlation-rules/v2/rules/{{rule_id}}`
**Method:** DELETE

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_id | string | required | Parameters for the Delete a Correlation Rule action |

Input example (the rule ID is truncated in the source):

```json
{
  "path_parameters": {
    "rule_id": "016dbc1d-a727-4"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

### Get a List of All Correlation Rules

Retrieves a list of all correlation rules available in Exabeam AA v2.

**Endpoint URL:** `/correlation-rules/v2/rules`
**Method:** GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": [
    {
      "id": "4e775ff5-78c1-4b2d-81fd-26be2632f042",
      "name": "rule triggered when a certain field does not match values in the list",
      "enabled": true,
      "description": "rule is triggered when none of the defined values are present ",
      "severity": "none",
      "author": "admin",
      "lastModifier": "standard user",
      "createdAt": "2023-06-25T14:48:00.000Z",
      "updatedAt": "20...
```

### Get Correlation Rule Details

Retrieves detailed information for a specific correlation rule in Exabeam AA v2 using the rule ID.

**Endpoint URL:** `/correlation-rules/v2/rules/{{rule_id}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_id | string | required | Parameters for the Get Correlation Rule Details action |

Input example (the rule ID is truncated in the source):

```json
{
  "path_parameters": {
    "rule_id": "016dbc1d-a727-4"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| enabled | boolean | Output field enabled |
| description | string | Output field description |
| severity | string | Output field severity |
| author | string | Output field author |
| lastModifier | string | Output field lastModifier |
| createdAt | string | Output field createdAt |
| updatedAt | string | Output field updatedAt |
| autoDisabled | boolean | Output field autoDisabled |
| lastTriggeredAt | string | Output field lastTriggeredAt |
| timesTriggered | number | Output field timesTriggered |
| timesSuppressed | number | Output field timesSuppressed |
| sequencesConfig | object | Output field sequencesConfig |
| sequencesConfig.sequences | array | Output field sequencesConfig.sequences |
| sequencesConfig.sequences.name | string | Name of the resource |
| sequencesConfig.sequences.query | string | Output field sequencesConfig.sequences.query |
| sequencesConfig.sequences.condition | object | Output field sequencesConfig.sequences.condition |
| sequencesConfig.sequences.condition.groupByOption | boolean | Output field sequencesConfig.sequences.condition.groupByOption |
| sequencesConfig.sequences.condition.functionType | string | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | Output field sequencesConfig.sequences.condition.subject |
| sequencesConfig.sequences.condition.field | string | Output field sequencesConfig.sequences.condition.field |
| sequencesConfig.sequences.condition.operator | string | Output field sequencesConfig.sequences.condition.operator |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": "4e775ff5-78c1-4b2d-81fd-26be2632f042",
    "name": "rule with more than one sequence that triggers when the conditions of both seque ",
    "enabled": true,
    "description": "rule is triggered when the conditions of both sequences are met in this example ",
    "severity": "none",
    "author": "admin",
    "lastModifier": "standard user",
    "createdAt": "2023-06...
```

### Search for Events

Performs a search across logs and events within a specified time range using Exabeam AA v2; the request carries fields, startTime, endTime, and filter.

**Endpoint URL:** `/search/v2/events`
**Method:** POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | optional | Limit the number of events returned from the search request |
| groupBy | array | optional | List of fields to group by |
| orderBy | array | optional | Order fields by asc or desc |
| distinct | boolean | optional | Include or exclude DISTINCT from the SELECT clause; defaults to false |
| startTime | string | optional | Timestamp to start the search (ISO 8601 format) |
| endTime | string | optional | Timestamp to end the search (ISO 8601 format) |
| filter | string | optional | Filter for specific events |

Input example:

```json
{
  "json_body": {
    "limit": 3000,
    "groupBy": ["string"],
    "orderBy": ["asc"],
    "distinct": true,
    "startTime": "2024-04-01T00:00:00Z",
    "endTime": "2024-04-01T00:00:00Z",
    "filter": "id \"123\" and src_ip \"00.00.000.000\""
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeStartedMillis | number | Output field timeStartedMillis |
| timeCompletedMillis | number | Output field timeCompletedMillis |
| rows | array | Output field rows |
| rows.additionalProp | object | Output field rows.additionalProp |
| totalRows | number | Output field totalRows |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "timeStartedMillis": 0,
    "timeCompletedMillis": 0,
    "rows": [{}],
    "totalRows": 0
  }
}
```

### Update a Correlation Rule

Updates an existing correlation rule in Exabeam AA v2 using the specified rule ID. Requires path parameters and a JSON body.

**Endpoint URL:** `/correlation-rules/v2/rules/{{rule_id}}`
**Method:** PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.rule_id | string | required | Parameters for the Update a Correlation Rule action |
| severity | string | optional | Parameter for Update a Correlation Rule |
| enabled | boolean | optional | Parameter for Update a Correlation Rule |
| testMode | boolean | optional | Parameter for Update a Correlation Rule |
| sequencesConfig | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences | array | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.groupByOption | boolean | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.functionType | string | required | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.operator | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.unit | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.triggerOnAnyMatch | string | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.groupBy | array | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.field | string | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.sequences.condition.value | string | required | Value for the parameter |
| sequencesConfig.sequences.name | string | optional | Name of the resource |
| sequencesConfig.sequences.query | string | required | Parameter for Update a Correlation Rule |
| sequencesConfig.commonProperties | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.commonProperties.time | number | optional | Time value |
| sequencesConfig.commonProperties.unit | string | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes | object | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes.sendEmail | boolean | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes.createCase | boolean | optional | Parameter for Update a Correlation Rule |
| sequencesConfig.outcomes.sendAlertTriage | boolean | optional | Parameter for Update a Correlation Rule |

Input example:

```json
{
  "json_body": {
    "severity": "high",
    "enabled": false,
    "testMode": true,
    "sequencesConfig": {
      "sequences": [
        {
          "condition": {
            "groupByOption": true,
            "functionType": "value",
            "subject": "field",
            "operator": "in",
            "unit": "days",
            "triggerOnAnyMatch": "false",
            "groupBy": ["string"],
            "field": "string",
            "value": "string",
            "time": 3
          },
          "name": "single sequence rule",
          "query": "vendor \"exabeam\""
        },
        {
          "condition": {
            "triggerOnAnyMatch": "true"
          },
          "name": "single sequence rule",
          "query": "vendor \"exabeam\""
        },
        {
          "condition": {
            "groupByOption": true,
            "functionType": "value",
            "subject": "field",
            "operator": "more than",
            "unit": "days",
            "triggerOnAnyMatch": "false",
            "groupBy": ["string"],
            "field": "string",
            "value": "string"
          },
          "name": "single sequence rule",
          "query": "vendor \"exabeam\""
        }
      ],
      "commonProperties": {
        "time": 2,
        "unit": "hours"
      },
      "outcomes": {
        "sendEmail": true,
        "createCase": true,
        "sendAlertTriage": true,
        "case": {
          "description": "rule is triggered when any of the events match the search query "
        },
        "email": {
          "recipients": ["string"],
          "subject": "string",
          "description": "rule is triggered when any of the events match the search query ",
          "attachCsv": false
        },
        "alertTriage": {
          "name": "single sequence rule"
        }
      }
    },
    "suppressConfig": {
      "suppressOption": true,
      "suppressUnit": "hours",
      "suppressTime": 2
    },
    "delayConfig": {
      "delay": true,
      "delayTimeInMinutes": 7
    },
    "name": "single sequence rule",
    "description": "rule is triggered when any of the events match the search query "
  },
  "path_parameters": {
    "rule_id": "016dbc1d-a727-43df-a143-9546dcc81a5a"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| description | string | Output field description |
| severity | string | Output field severity |
| enabled | boolean | Output field enabled |
| type | string | Type of the resource |
| author | string | Output field author |
| lastModifier | string | Output field lastModifier |
| createdAt | string | Output field createdAt |
| updatedAt | string | Output field updatedAt |
| autoDisabled | boolean | Output field autoDisabled |
| lastTriggeredAt | string | Output field lastTriggeredAt |
| timesTriggered | number | Output field timesTriggered |
| timesSuppressed | number | Output field timesSuppressed |
| sequencesConfig | object | Output field sequencesConfig |
| sequencesConfig.sequences | array | Output field sequencesConfig.sequences |
| sequencesConfig.sequences.name | string | Name of the resource |
| sequencesConfig.sequences.query | string | Output field sequencesConfig.sequences.query |
| sequencesConfig.sequences.condition | object | Output field sequencesConfig.sequences.condition |
| sequencesConfig.sequences.condition.groupByOption | boolean | Output field sequencesConfig.sequences.condition.groupByOption |
| sequencesConfig.sequences.condition.groupBy | array | Output field sequencesConfig.sequences.condition.groupBy |
| sequencesConfig.sequences.condition.functionType | string | Type of the resource |
| sequencesConfig.sequences.condition.subject | string | Output field sequencesConfig.sequences.condition.subject |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Tue, 5 Sep 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "string",
    "description": "string",
    "severity": "none",
    "enabled": true,
    "type": "string",
    "author": "string",
    "lastModifier": "string",
    "createdAt": "2023-09-09T07:57:00.686Z",
    "updatedAt": "2023-09-09T07:57:00.686Z",
    "autoDisabled": true,
    "lastTriggeredAt": "2023-09-09T07:57:00.686Z",
    "timesTriggered": 0,
    "t...
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 5 Sep 2023 20:37:23 GMT |
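The following is an added example, not Swimlane's connector code or Exabeam's SDK, showing how the pieces documented on this page fit together from a client's point of view: OAuth 2.0 client-credentials authentication, TLS verification kept on by default (the `verify_ssl` configuration option), a required-field check for the Create a New Correlation Rule body built from the input table above, and a sanity check on the ISO 8601 time range for Search for Events. The rule and search endpoint paths are the ones listed in the actions; the token endpoint path, the JSON shape of the token request and the bearer-token response are assumptions that must be confirmed against Exabeam's API documentation, and the sample payloads are constructed for the test.

```python
"""Minimal Exabeam AA v2 client sketch (added example; assumptions are marked)."""
import json
import ssl
import urllib.request
from datetime import datetime

# ASSUMPTION: the token endpoint is not documented on the connector page;
# confirm the path and request format for your Exabeam deployment.
TOKEN_PATH = "/auth/v1/token"

# Endpoint paths taken from the action definitions above.
RULES_PATH = "/correlation-rules/v2/rules"
SEARCH_PATH = "/search/v2/events"

# Required fields taken from the Create a New Correlation Rule input table.
REQUIRED_SEQUENCE = ("condition", "name", "query")
REQUIRED_CONDITION = ("groupByOption", "functionType", "subject",
                      "operator", "unit", "value", "time")
REQUIRED_COMMON = ("time", "unit")


def validate_create_rule(body: dict) -> list:
    """Return dotted paths of required fields missing from a create-rule body."""
    missing = []
    cfg = body.get("sequencesConfig") or {}
    for i, seq in enumerate(cfg.get("sequences") or []):
        missing += [f"sequences[{i}].{k}" for k in REQUIRED_SEQUENCE if k not in seq]
        cond = seq.get("condition")
        if isinstance(cond, dict):
            missing += [f"sequences[{i}].condition.{k}"
                        for k in REQUIRED_CONDITION if k not in cond]
    common = cfg.get("commonProperties")
    if isinstance(common, dict):
        missing += [f"commonProperties.{k}" for k in REQUIRED_COMMON if k not in common]
    return missing


def build_search_body(start: str, end: str, filter_expr: str, limit: int = 3000) -> dict:
    """Build a /search/v2/events body; rejects non-ISO-8601 or inverted ranges."""
    t0 = datetime.fromisoformat(start.replace("Z", "+00:00"))
    t1 = datetime.fromisoformat(end.replace("Z", "+00:00"))
    if t1 < t0:
        raise ValueError("endTime precedes startTime")
    return {"limit": limit, "startTime": start, "endTime": end, "filter": filter_expr}


class ExabeamClient:
    """urllib-based client; certificate verification is on unless disabled."""

    def __init__(self, url: str, client_id: str, client_secret: str, verify_ssl: bool = True):
        self.base = url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.ctx = ssl.create_default_context()
        if not verify_ssl:
            # Turning verification off lets an on-path interceptor read the
            # client secret and bearer token; keep it on outside lab setups.
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.token = None

    def _post_json(self, path: str, body: dict, headers: dict):
        req = urllib.request.Request(
            self.base + path, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", **headers})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    def authenticate(self) -> None:
        # ASSUMPTION: standard client_credentials grant with a JSON body and
        # an "access_token" field in the reply.
        _, tok = self._post_json(TOKEN_PATH, {"grant_type": "client_credentials",
                                              "client_id": self.client_id,
                                              "client_secret": self.client_secret}, {})
        self.token = tok["access_token"]

    def _auth(self) -> dict:
        return {"Authorization": f"Bearer {self.token}"}

    def create_rule(self, body: dict):
        problems = validate_create_rule(body)
        if problems:  # fail before the request leaves the host
            raise ValueError("missing required fields: " + ", ".join(problems))
        return self._post_json(RULES_PATH, body, self._auth())

    def search_events(self, body: dict):
        return self._post_json(SEARCH_PATH, body, self._auth())


# Constructed sample payload (not from the page) used by the offline checks.
SAMPLE_RULE = {"name": "demo", "sequencesConfig": {
    "sequences": [{"condition": {"groupByOption": True, "functionType": "value",
                                 "subject": "field", "operator": "in", "unit": "hours",
                                 "value": "string", "time": 3},
                   "name": "seq", "query": "vendor \"exabeam\""}],
    "commonProperties": {"time": 3, "unit": "hours"}}}
```

`validate_create_rule` and `build_search_body` are pure functions, so they can be exercised without network access; the connector's own runtime performs the same kind of required-field enforcement before calling Exabeam, and the client secret should be stored as a Turbine credential rather than typed into a playbook input.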