# Exabeam Threat Center API

The Exabeam Threat Center API enables organizations to manage and respond to security incidents through advanced threat detection and case management. Exabeam Threat Center is a comprehensive security platform designed to enhance threat detection and response capabilities. This connector allows seamless integration with Swimlane Turbine, enabling users to automate alert and case management tasks such as creating, updating, and retrieving details for alerts and cases. By leveraging this integration, security teams can streamline their workflows, reduce manual effort, and enhance their incident response efficiency within the Swimlane Turbine environment.

## Supported version

The Exabeam Threat Center connector supports the latest API version.

## Limitations

None to date.

## Prerequisites

Before you can use the Exabeam Threat Center API connector for Turbine, you'll need access to the Exabeam API. This requires OAuth 2.0 client credentials authentication using the following parameters:

- URL: the endpoint for accessing the Exabeam API
- Client ID: the unique identifier for your application
- Client Secret: the secret key associated with your Client ID
- Token URL: the URL used to obtain the OAuth token

## Capabilities

This connector provides the following capabilities:

- Create a New Case
- Create a Note for a Case
- Get Alert Details
- Get Case Details
- Get Case Notes
- Get Threat Summary
- Search for Alerts
- Search for Cases
- Update Alert Details
- Update Case Details

### Create a New Case

Creates a new case associated with an alert and updates case details like stage, priority, queue, assignee, and closedReason.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-create-case-v2

### Create a Note for a Case

Add a new note to the specified case.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-create-case-note

### Get Alert Details

Get details for a specific alert, as identified by an alert ID.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-get-alert-by-id

### Get Case Details

Get details for a specific case, as identified by a case ID.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-get-case-by-id

### Get Case Notes

Retrieve a list of notes associated with the specified caseId.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-list-case-notes

### Get Threat Summary

Retrieve the Copilot threat summary for an individual alert.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-get-threat-explanation

### Search for Alerts

Search for alerts that match one or more search criteria.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-search-alerts

### Search for Cases

Search for cases that match one or more search criteria.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-search-cases

### Update Alert Details

Update details for a specific alert, as identified by an alert ID.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-update-alert-by-id

### Update Case Details

Update details for a specific case, as identified by a case ID.

Exabeam's documentation for this action can be found here: https://developers.exabeam.com/exabeam/reference/threat-center-update-case-by-id-v2

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token URL | The URL used to obtain the OAuth token | string | required |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Scope | Permission scopes for this action | array | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Create a New Case

Create a new case in Exabeam Threat Center linked to an alert, updating details such as stage, priority, queue, assignee, and closed reason. Requires alertId and priority.

Endpoint URL: `/threat-center/v2/cases`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| priority | string | optional | The priority of the case. Allowed values are low, medium, high, critical |
| alertId | string | optional | Alert UUID |
| assignee | string | optional | Assignee for the case |
| stage | string | optional | Case stage |
| queue | string | optional | Queue assigned for the case |
| closedReason | string | optional | Reason for case closure |
| supportingReason | string | optional | Additional details for the closedReason |

Input example

```json
{
  "json_body": {
    "priority": "critical",
    "alertId": "adafff9a-0669-460b-ba2b-8bffda64a968",
    "assignee": "no-reply@exabeam.com",
    "stage": "closed",
    "queue": "Tier 1",
    "closedReason": "Already mitigated or resolved",
    "supportingReason": "The issue identified by the threat has already been addressed or resolved."
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alertCreationTimestamp | string | Time the alert was created |
| alertId | string | Unique identifier |
| approxLogTime | string | Time value |
| assignee | string | Assignee for the case |
| creationTimestamp | string | Time the case was created |
| caseId | string | Unique identifier |
| caseNumber | number | Case number |
| creationBy | string | Creator of the case |
| stage | string | Case stage |
| closedReason | string | Reason for case closure |
| supportingReason | string | Additional details for the closedReason |
| alertDescription | string | Alert description |
| hasAttachments | boolean | Whether the case has attachments |
| isDeleted | boolean | Whether the case is deleted |
| lastModifiedBy | string | Last modifier of the case |
| lastModifiedTimestamp | string | Time of the last modification |
| mitres | array | MITRE ATT&CK mappings |
| mitres.tacticKey | string | MITRE tactic key |
| mitres.tactic | string | MITRE tactic |
| mitres.techniqueKey | string | MITRE technique key |
| mitres.technique | string | MITRE technique |
| alertName | string | Name of the resource |
| priority | string | Case priority |

Output example (truncated in the source)

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "alertCreationTimestamp": "2024-03-18T09:35:36.179",
    "alertId": "adafff9a-0669-460b-ba2b-8bffda64a968",
    "approxLogTime": "2024-03-18T09:26:17.192",
    "assignee": "no-reply@exabeam.com",
    "creationTimestamp": "2024-06-12T16:41:04.841",
    "caseId": "0ba39dc8-718b-4e71-98ab-81a61a8ecd89",
    "caseNumber": 10,
    "creationBy": "system",
    "stage": "closed",
    "closedReason": "Already mitigated or resolved",
    "supportingReason": "The issue identified by the threat has already been addressed ...
```

### Create a Note for a Case

Add a new note to a specified case in Exabeam Threat Center API using the caseId as a path parameter.

Endpoint URL: `/threat-center/v1/cases/{{caseId}}/notes`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseId | string | required | The unique identifier of the case to which the note will be added |
| note | string | optional | The content of the note to be added to the case |

Input example

```json
{
  "json_body": {
    "note": "This is a note."
  },
  "path_parameters": {
    "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3"
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source)

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": [
    {
      "noteId": "5b6f2b9c-9c7a-4c1a-8b32-2b8e5f1d2a10",
      "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
      "creationBy": "si-user-1@exabeam.com",
      "creationTimestamp": "2024-06-12T09:15:30Z",
      "lastModifiedBy": "si-user-1@exabeam.com",
      "lastModifiedTimestamp": "2024-06-12T09:15:30Z",
      "text": "Investigating login anomalies."
    },
    {
      "noteId": "7a1d8c2e-3b9a-4e15-9b1f-4f2d1a7c3b55",
      "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
      "creationBy": "si-user-2@exabeam.com",
      "creationTimes ...
```

### Get Alert Details

Retrieve detailed information for a specific alert in Exabeam Threat Center using the alert ID.

Endpoint URL: `/threat-center/v1/alerts/{{alertId}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.alertId | string | required | The unique identifier of the alert for which details are being requested |

Input example

```json
{
  "path_parameters": {
    "alertId": "96de8f5c-ae11-48e8-ace9-c38bb6e056d3"
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creationTimestamp | string | Time the alert was created |
| alertId | string | Unique identifier |
| approxLogTime | string | Time value |
| creationBy | string | Creator of the alert |
| alertDescription | string | Alert description |
| lastModifiedBy | string | Last modifier of the alert |
| lastModifiedTimestamp | string | Time of the last modification |
| mitres | array | MITRE ATT&CK mappings |
| mitres.tacticKey | string | MITRE tactic key |
| mitres.tactic | string | MITRE tactic |
| mitres.techniqueKey | string | MITRE technique key |
| mitres.technique | string | MITRE technique |
| alertName | string | Name of the resource |
| priority | string | Alert priority |
| riskScore | number | Score value |
| status | string | Status value |
| tags | array | Tags on the alert |
| useCases | array | Use cases |
| products | array | Products |
| vendors | array | Vendors |
| srcHosts | array | Source hosts |
| srcIps | array | Source IPs |
| destHosts | array | Destination hosts |

Output example (truncated in the source)

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "creationTimestamp": "2024-04-10T09:16:09.915",
    "alertId": "5119d712-1d4c-4da4-9ae5-fd8ea7d88c20",
    "approxLogTime": "2024-04-10T09:11:30.934",
    "creationBy": "system",
    "alertDescription": "Multiple anomalies detected for user",
    "lastModifiedBy": "si-user-1@exabeam.com",
    "lastModifiedTimestamp": "2024-04-17T08:32:02.522",
    "mitres": [
      {
        "tacticKey": "TA0004",
        "tactic": "Privilege Escalation",
        "techniqueKey": "T1078",
        "technique": "Valid Accounts"
      },
      {
        "tacticKey": "TA0011",
        "tactic": ...
```

### Get Case Details

Get details for a specific case in Exabeam Threat Center using the provided case ID.

Endpoint URL: `/threat-center/v1/cases/{{caseId}}`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseId | string | required | The unique identifier of the case for which details are being requested |

Input example

```json
{
  "path_parameters": {
    "caseId": "bfd46b02-9a78-4808-a0d7-9db1a5b6e239"
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alertCreationTimestamp | string | Time the alert was created |
| alertId | string | Unique identifier |
| approxLogTime | string | Time value |
| assignee | string | Assignee for the case |
| assigneeId | string | Unique identifier |
| creationTimestamp | string | Time the case was created |
| caseId | string | Unique identifier |
| caseNumber | number | Case number |
| creationBy | string | Creator of the case |
| stage | string | Case stage |
| closedReason | string | Reason for case closure |
| alertDescription | string | Alert description |
| hasAttachments | boolean | Whether the case has attachments |
| isDeleted | boolean | Whether the case is deleted |
| lastModifiedBy | string | Last modifier of the case |
| lastModifiedTimestamp | string | Time of the last modification |
| mitres | array | MITRE ATT&CK mappings |
| mitres.tacticKey | string | MITRE tactic key |
| mitres.tactic | string | MITRE tactic |
| mitres.techniqueKey | string | MITRE technique key |
| mitres.technique | string | MITRE technique |
| alertName | string | Name of the resource |
| priority | string | Case priority |

Output example (truncated in the source)

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "alertCreationTimestamp": "2024-04-17T11:45:54.421",
    "alertId": "c867bae5-3c21-4c98-a142-953c01dce1df",
    "approxLogTime": "2024-04-17T11:41:47.564",
    "assignee": "si-user-1@exabeam.com",
    "assigneeId": "64f9e3ef1793b179824a8961",
    "creationTimestamp": "2024-04-17T11:48:47.559",
    "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
    "caseNumber": 10,
    "creationBy": "system",
    "stage": "closed",
    "closedReason": "Closed via automation",
    "alertDescription": "Suspicious activity detected ...
```

### Get Case Notes

Retrieve a list of notes associated with the specified caseId from the Exabeam Threat Center API.

Endpoint URL: `/threat-center/v1/cases/{{caseId}}/notes`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseId | string | required | The unique identifier of the case whose notes are being requested |

Input example

```json
{
  "path_parameters": {
    "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3"
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source)

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": [
    {
      "noteId": "5b6f2b9c-9c7a-4c1a-8b32-2b8e5f1d2a10",
      "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
      "creationBy": "si-user-1@exabeam.com",
      "creationTimestamp": "2024-06-12T09:15:30Z",
      "lastModifiedBy": "si-user-1@exabeam.com",
      "lastModifiedTimestamp": "2024-06-12T09:15:30Z",
      "text": "Investigating login anomalies."
    },
    {
      "noteId": "7a1d8c2e-3b9a-4e15-9b1f-4f2d1a7c3b55",
      "caseId": "e77e5002-bd35-4e7b-a532-cd76341ef6f3",
      "creationBy": "si-user-2@exabeam.com",
      "creationTimes ...
```

### Get Threat Summary

Retrieve the Copilot threat summary for an individual alert in Exabeam Threat Center API using the alertId.

Endpoint URL: `/threat-center/v1/alerts/threat-explainer/prompt`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.alertCreationTimestamp | string | optional | Creation timestamp of the alert being summarized |
| alertId | string | optional | Unique ID that identifies an alert |
| prompt | string | optional | Provide relevant data or details about a specific threat to give additional context and input for the AI-generated summary |

Input example

```json
{
  "parameters": {
    "alertCreationTimestamp": "2024-06-01T00:00:00Z"
  },
  "json_body": {
    "alertId": "cb00d8ca-a4fa-490b-a5a8-9dca5e61d19b",
    "prompt": "When is the rule WEB-OC-F triggered?"
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Output example

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "message": "The rule WEB-OC-F is triggered when a web request results in a failure spec."
  }
}
```

### Search for Alerts

Search for alerts in Exabeam Threat Center API that match specified criteria, including startTime, endTime, fields, and filter.

Endpoint URL: `/threat-center/v1/search/alerts`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | optional | Limit the number of results returned from the search request |
| orderBy | array | optional | Order results by a specified field in asc or desc order |
| startTime | string | optional | Timestamp to start the search (ISO 8601 format) |
| endTime | string | optional | Timestamp to end the search (ISO 8601 format) |
| filter | string | optional | Filter for specific results |
| fields | array | optional | List of fields to be returned from the search; a wildcard returns all applicable fields |

Input example

```json
{
  "json_body": {
    "limit": 3000,
    "orderBy": ["riskScore desc"],
    "startTime": "2024-05-01T00:00:00Z",
    "endTime": "2024-06-01T00:00:00Z",
    "filter": "caseId:null",
    "fields": ["alert-123"]
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeStartedMillis | number | Time the search started, in milliseconds |
| timeCompletedMillis | number | Time the search completed, in milliseconds |
| rows | array | Matching alerts |
| totalRows | number | Total number of matching rows |

Output example

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "timeStartedMillis": 0,
    "timeCompletedMillis": 0,
    "rows": [{}],
    "totalRows": 0
  }
}
```

### Search for Cases

Search for cases in Exabeam Threat Center API that match specified criteria, including startTime, endTime, fields, and filter.

Endpoint URL: `/threat-center/v1/search/cases`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | optional | Limit the number of results returned from the search request |
| orderBy | array | optional | Order results by a specified field in asc or desc order |
| fields | array | optional | List of fields to be returned from the search; a wildcard returns all applicable fields |
| startTime | string | optional | Timestamp to start the search (ISO 8601 format) |
| endTime | string | optional | Timestamp to end the search (ISO 8601 format) |
| filter | string | optional | Filter for specific results |

Input example

```json
{
  "json_body": {
    "limit": 3000,
    "orderBy": ["riskScore desc"],
    "fields": ["alert-123"],
    "startTime": "2024-05-01T00:00:00Z",
    "endTime": "2024-06-01T00:00:00Z",
    "filter": "NOT stage:\"closed\""
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| timeStartedMillis | number | Time the search started, in milliseconds |
| timeCompletedMillis | number | Time the search completed, in milliseconds |
| rows | array | Matching cases |
| totalRows | number | Total number of matching rows |

Output example

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "timeStartedMillis": 0,
    "timeCompletedMillis": 0,
    "rows": [{}],
    "totalRows": 0
  }
}
```

### Update Alert Details

Update details for a specific alert in Exabeam Threat Center using the alert ID as a path parameter.

Endpoint URL: `/threat-center/v1/alerts/{{alertId}}`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.alertId | string | required | Unique ID that identifies an alert |
| alertDescription | string | optional | Alert description in either plaintext or HTML format |
| alertName | string | optional | Name of the alert |
| priority | string | optional | Priority level of the alert |
| tags | array | optional | List of tags associated with the alert |

Input example

```json
{
  "json_body": {
    "alertDescription": "Suspicious activity detected on host",
    "alertName": "Multiple anomalies detected",
    "priority": "critical",
    "tags": ["log4j"]
  },
  "path_parameters": {
    "alertId": "eab6bb52-7686-43c2-ba7e-304cae0b75dd"
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creationTimestamp | string | Time the alert was created |
| alertId | string | Unique identifier |
| approxLogTime | string | Time value |
| creationBy | string | Creator of the alert |
| alertDescription | string | Alert description |
| lastModifiedBy | string | Last modifier of the alert |
| lastModifiedTimestamp | string | Time of the last modification |
| mitres | array | MITRE ATT&CK mappings |
| mitres.tacticKey | string | MITRE tactic key |
| mitres.tactic | string | MITRE tactic |
| mitres.techniqueKey | string | MITRE technique key |
| mitres.technique | string | MITRE technique |
| alertName | string | Name of the resource |
| priority | string | Alert priority |
| riskScore | number | Score value |
| status | string | Status value |
| tags | array | Tags on the alert |
| useCases | array | Use cases |
| products | array | Products |
| vendors | array | Vendors |
| srcHosts | array | Source hosts |
| srcIps | array | Source IPs |
| destHosts | array | Destination hosts |

Output example (truncated in the source)

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "creationTimestamp": "2024-03-18T09:40:01.972",
    "alertId": "eab6bb52-7686-43c2-ba7e-304cae0b75dd",
    "approxLogTime": "2024-03-18T09:30:42.312",
    "creationBy": "system",
    "alertDescription": "Suspicious activity detected on host",
    "lastModifiedBy": "si-user-1@exabeam.com",
    "lastModifiedTimestamp": "2024-05-29T12:26:17.670",
    "mitres": [{}],
    "alertName": "Failed login attempts to application initiated multiple times",
    "priority": "low",
    "riskScore": 10,
    "status": "read",
    "tags": [ ...
```

### Update Case Details

Update details for a specific case in Exabeam Threat Center using the case ID as a path parameter.

Endpoint URL: `/threat-center/v2/cases/{{caseId}}`

Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.caseId | string | required | Unique ID that identifies a case |
| alertDescription | string | optional | Alert description in either plaintext or HTML format |
| alertName | string | optional | Name of the alert |
| priority | string | optional | Priority level of the case |
| tags | array | optional | Tags to group cases |
| stage | string | optional | Current stage of the case |
| closedReason | string | optional | Reason for closing the case, if applicable |
| supportingReason | string | optional | Additional context for the closed reason, if applicable |
| assignee | string | optional | User assigned to the case for investigation and resolution |
| queue | string | optional | Queue for the case |

Input example

```json
{
  "json_body": {
    "alertDescription": "Suspicious activity detected on host",
    "alertName": "Multiple anomalies detected",
    "priority": "critical",
    "tags": ["log4j"],
    "stage": "investigation",
    "closedReason": "False positive or duplicate",
    "supportingReason": "The issue identified by the threat has already been addressed or resolved.",
    "assignee": "si-user-1@exabeam.com",
    "queue": "Tier 1"
  },
  "path_parameters": {
    "caseId": "ab10c168-7f62-4892-b8e7-d4ee73c82f08"
  }
}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alertCreationTimestamp | string | Time the alert was created |
| alertId | string | Unique identifier |
| approxLogTime | string | Time value |
| assignee | string | Assignee for the case |
| creationTimestamp | string | Time the case was created |
| caseId | string | Unique identifier |
| caseNumber | number | Case number |
| creationBy | string | Creator of the case |
| stage | string | Case stage |
| closedReason | string | Reason for case closure |
| supportingReason | string | Additional details for the closedReason |
| alertDescription | string | Alert description |
| hasAttachments | boolean | Whether the case has attachments |
| isDeleted | boolean | Whether the case is deleted |
| lastModifiedBy | string | Last modifier of the case |
| lastModifiedTimestamp | string | Time of the last modification |
| mitres | array | MITRE ATT&CK mappings |
| mitres.tacticKey | string | MITRE tactic key |
| mitres.tactic | string | MITRE tactic |
| mitres.techniqueKey | string | MITRE technique key |
| mitres.technique | string | MITRE technique |
| alertName | string | Name of the resource |
| priority | string | Case priority |

Output example (truncated in the source)

```json
{
  "status_code": 200,
  "reason": "OK",
  "json_body": {
    "alertCreationTimestamp": "2024-04-05T20:11:41.528",
    "alertId": "4331d707-7cbd-4d48-a689-cb230827a442",
    "approxLogTime": "2024-04-05T20:03:00.000",
    "assignee": "no-reply@exabeam.com",
    "creationTimestamp": "2024-04-05T20:17:41.226",
    "caseId": "ab10c168-7f62-4892-b8e7-d4ee73c82f08",
    "caseNumber": 10,
    "creationBy": "system",
    "stage": "closed",
    "closedReason": "Already mitigated or resolved",
    "supportingReason": "The issue identified by the threat has already been addressed or ...
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
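The following Python client is an added example, not part of the Swimlane connector or Exabeam's own code. It ties together the OAuth 2.0 client credentials configuration, the Search for Alerts action, and the Create a New Case action documented above: the token request keeps the client secret in the form body rather than the URL, the token is scheduled for refresh before it expires, search inputs are validated before they reach the API, and the response's `totalRows` is compared with the returned rows so a result set silently cut by `limit` is noticed. It assumes a standard RFC 6749 token endpoint (form-encoded `grant_type=client_credentials`, JSON `access_token` and `expires_in`; the page does not state the token response shape), that a `*` entry in `fields` returns all applicable fields, and the placeholder host `tenant.example`. The HTTP transport is an injected callable, so the module runs offline against a constructed response.

```python
"""Minimal Exabeam Threat Center client (added example; not Swimlane's or Exabeam's code)."""
import json
import time
import urllib.parse
from datetime import datetime

# Allowed values taken from the Create a New Case action's priority parameter.
ALLOWED_PRIORITIES = ("low", "medium", "high", "critical")


def build_token_request(token_url, client_id, client_secret, scopes=()):
    """Build the OAuth 2.0 client-credentials POST as (url, headers, body bytes).
    Assumed RFC 6749 form shape. The secret travels in the body over TLS, never in
    the query string, so it does not land in proxy or web-server access logs."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if scopes:
        form["scope"] = " ".join(scopes)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return token_url, headers, urllib.parse.urlencode(form).encode()


def parse_token_response(raw, now=None):
    """Return (access_token, expires_at). Refuses non-bearer tokens and schedules
    the refresh 60 s early so an in-flight call never carries a dead token."""
    data = json.loads(raw)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "Bearer")).lower() != "bearer":
        raise ValueError("token endpoint did not return a bearer access_token")
    now = time.time() if now is None else now
    return token, now + float(data.get("expires_in", 0)) - 60


def _parse_iso(value):
    """Accept 2024-05-01T00:00:00Z style stamps (ISO 8601, as the search actions
    require); reject anything else locally instead of waiting for an opaque 400."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError as exc:
        raise ValueError(f"not ISO 8601: {value!r}") from exc


def build_alert_search(start_time, end_time, filter_expr, fields=("*",),
                       limit=3000, order_by=("riskScore desc",)):
    """Body for POST /threat-center/v1/search/alerts using the documented keys.
    The '*' wildcard in fields is an assumption, not stated on the page."""
    if limit < 1:
        raise ValueError("limit must be positive")
    if _parse_iso(start_time) >= _parse_iso(end_time):
        raise ValueError("startTime must precede endTime")
    return {"limit": limit, "orderBy": list(order_by), "startTime": start_time,
            "endTime": end_time, "filter": filter_expr, "fields": list(fields)}


def build_create_case(alert_id, priority, **optional):
    """Body for POST /threat-center/v2/cases. alertId and priority are required
    by the action; priority is checked against the documented allowed values.
    Optional keys (stage, queue, assignee, closedReason, ...) pass through when set."""
    if not alert_id:
        raise ValueError("alertId is required")
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"priority must be one of {ALLOWED_PRIORITIES}")
    body = {"alertId": alert_id, "priority": priority}
    body.update({k: v for k, v in optional.items() if v is not None})
    return body


def search_alerts(post, token, body):
    """Run the search through an injected transport
    post(path, headers, json_text) -> (status, reason, raw_json).
    Returns (rows, truncated): truncated is True when totalRows exceeds the rows
    delivered, i.e. the limit cut the result set and a narrower time window or
    filter is needed to see everything."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    status, reason, raw = post("/threat-center/v1/search/alerts", headers, json.dumps(body))
    if status != 200:
        raise RuntimeError(f"search failed: {status} {reason}")
    data = json.loads(raw)
    rows = data.get("rows", [])
    return rows, data.get("totalRows", len(rows)) > len(rows)


def _fake_post(path, headers, json_text):
    """Constructed stand-in for the API (no network): returns two sample rows but
    reports totalRows of 3, so the truncation check has something to detect."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, "Unauthorized", "{}"
    sample = {"timeStartedMillis": 0, "timeCompletedMillis": 5, "totalRows": 3,
              "rows": [{"alertId": "adafff9a-0669-460b-ba2b-8bffda64a968", "riskScore": 90},
                       {"alertId": "5119d712-1d4c-4da4-9ae5-fd8ea7d88c20", "riskScore": 40}]}
    return 200, "OK", json.dumps(sample)


if __name__ == "__main__":
    # Placeholder token URL; the real one comes from the connector's Token URL setting.
    url, hdrs, form_body = build_token_request(
        "https://tenant.example/auth/v1/token", "my-client-id", "my-client-secret")
    token, expires_at = parse_token_response(
        '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}')
    body = build_alert_search("2024-05-01T00:00:00Z", "2024-06-01T00:00:00Z",
                              "caseId:null", limit=2)
    rows, truncated = search_alerts(_fake_post, token, body)
    print(f"{len(rows)} rows returned; truncated by limit: {truncated}")
    print(build_create_case(rows[0]["alertId"], "high", queue="Tier 1"))
```

Swap `_fake_post` for a function that performs the real HTTPS POST against the configured URL (honouring the Verify SSL and HTTP Proxy settings) and the rest of the module is unchanged; keeping the transport injectable is also what makes the validation and truncation logic unit-testable without credentials.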