The first part of this series covered some of the ways analysts can use context to build custom rules in Exabeam. Teaching Exabeam to recognize network zones and asset groups enables security professionals to cluster similar behaviors together, making it easier to investigate suspicious activity.
However, there is much more you can do to get more out of Exabeam. Enhancing and enriching the data the SIEM ingests can make it much easier for analysts to keep track of their most valuable data sources.
Use Context to Craft Custom Rules That Improve Exabeam Performance: Part 1
Exabeam's centralized logging, advanced search, cloud storage, and reporting solution provides analysts with dashboard data that is vital to custom rulemaking.
For example, one of the chart views available on Data Lake's Dashboard view is called "Trend of Log Volume on an Hourly Basis". This chart shows the amount of log data ingested by Exabeam on an hourly basis and separates those logs by their source.
This chart view makes it easy to immediately determine which sources generate the most data. Some data sources will be significantly higher in volume, and possibly in value as well. The goal here is to be sure that context data is accurately mapped against all the data Exabeam ingests.
Some of the data categories that Exabeam users are used to seeing include User, Source, Destination, Action, and Outcome. The Action Detail category often goes underutilized in comparison because gleaning insight from it requires more context. However, if Exabeam already knows how to distinguish between network zones and asset groups, making connections between Action Details and specific assets becomes possible.
This gives analysts a great degree of visibility into the context surrounding any particular action. Instead of just seeing that a user failed a login, Exabeam can provide information about that user's identity, their role in the organization, and the devices they use. Now, analysts can easily compare that data against the log context and determine whether the activity is suspicious or not.
These additional elements of contextual data enable Exabeam users to build custom rules that rely on context.
Including titles, roles, and other contextual data in Exabeam Data Lake makes those data categories available when crafting custom rules and search queries. This makes it possible for analysts to quickly find data that corresponds to real-world elements of the organization's business structure, not just isolated parts of its IT environment.
Providing Exabeam Data Lake with contextual data makes it easy for analysts to interpret and communicate the results of investigations. With the wider contextual scope that enriched data provides, analysts can answer more complex questions about the events they are investigating.
In Exabeam Data Lake's Visualize tab, users can quickly generate charts and graphics to show log data trends. For example, an analyst may spin up a pie chart showing accounts whose activities correspond to the Active Directory Event ID #4726: Delete User Account.
For an event like this, it's important to be able to differentiate between whose account is getting deleted and who is doing the deleting. Exabeam's data visualization engine can use contextual data to separate deleted users from administrator accounts responsible for the deletions.
This does more than streamline analysts' investigations. It also makes it much easier for analysts to communicate their findings to their colleagues, partners, and supervisors.
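The separation described above for Event ID 4726 can be sketched outside the product. This is an added example in plain Python, not Exabeam's query or rule syntax and not Castra's code; the events, account names, the context table, and the "IT Admin" role check are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed context table (assumption): account -> title and role.
CONTEXT = {
    "adm.jlee": {"title": "Systems Administrator", "role": "IT Admin"},
    "svc.hr": {"title": "HR Provisioning Service", "role": "Service Account"},
    "mgarcia": {"title": "Accountant", "role": "Finance"},
}

def _event(event_id, subject, target):
    """Build a constructed event in the Windows Security event XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetUserName">{target}</Data>'
        f'<Data Name="SubjectUserName">{subject}</Data></EventData></Event>'
    )

SAMPLE_EVENTS = [  # constructed sample data
    _event(4726, "adm.jlee", "tmp.contractor1"),
    _event(4726, "adm.jlee", "tmp.contractor2"),
    _event(4726, "mgarcia", "adm.backup"),
    _event(4720, "svc.hr", "new.hire"),  # account creation, must be ignored
]

def parse_deletion(xml_text):
    """Return (actor, deleted_account) for a 4726 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4726":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # SubjectUserName performed the deletion; TargetUserName was deleted.
    actor, target = data.get("SubjectUserName"), data.get("TargetUserName")
    return (actor.lower(), target.lower()) if actor and target else None

def summarize(events, context):
    """Count deletions per actor, list deleted accounts, flag non-admin actors."""
    per_actor, deleted, flagged = Counter(), [], set()
    for xml_text in events:
        parsed = parse_deletion(xml_text)
        if parsed is None:
            continue
        actor, target = parsed
        per_actor[actor] += 1
        deleted.append(target)
        role = context.get(actor, {}).get("role", "unknown")
        if role != "IT Admin":  # assumed policy: only IT admins delete accounts
            flagged.add((actor, role))
    return per_actor, deleted, flagged
```

The per-actor counts are what a pie chart of deleting accounts would plot, while the flagged set shows where the role context turns a routine event into one worth a closer look.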
Castra continuously works on improving its custom rulemaking capabilities and creating high-quality visualizations to represent its analysts' findings. We provide our customers and partners with a wide range of readymade custom rule sets and can build new ones to meet unmet security demands when needed.
In the next post of this series, we'll dive deeper into Data Lake analytics and show how security professionals can use parsing to efficiently map log data values to the appropriate fields in Exabeam.