Exabeam

The Observo AI Exabeam destination enables secure transmission of observability events to Exabeam’s cloud-based platform for advanced security analytics, threat detection, and incident response, supporting JSON or text encoding, Gzip compression, and Basic or Bearer authentication.

Purpose

The Observo AI Exabeam destination enables users to send observability events to Exabeam for advanced security analytics, threat detection, and incident response. This integration leverages Exabeam’s cloud-based platform to process and analyze log data, providing insights into potential security threats. It ensures seamless and secure data transmission from your observability pipeline to Exabeam with customizable encoding and authentication options.

Prerequisites

Before configuring the Exabeam destination in Observo AI, ensure the following requirements are met to facilitate seamless data ingestion:

  • Exabeam Account:

    • Create an Exabeam account if one does not already exist. This account serves as the hub for your observability and security event data.

    • Ensure the account is active and configured to accept data via the Exabeam cloud connector URL.

  • Authentication Credentials:

    • Depending on the chosen authentication strategy (Basic or Bearer), prepare either a username and password or an authentication token.

    • For Basic authentication, obtain the username and password from the Exabeam platform and securely store these credentials.

    • For Bearer authentication, generate an authentication token in the Exabeam platform and securely store its value.

  • Network Access:

    • Verify that the Observo AI instance can communicate with the Exabeam cloud connector URL over HTTPS.

    • Check for firewall rules or network policies that may block outbound HTTPS traffic to Exabeam’s endpoint.

  • Exabeam Tags (Optional):

    • Prepare tags for organizing events in Exabeam (e.g., env:production, service:security).

    • Tags can be configured in Observo AI to align with Exabeam’s tagging conventions for event filtering.

Prerequisite | Description | Notes
--- | --- | ---
Exabeam Account | Hub for observability and security event data | Must be active and configured for event ingestion
Authentication Credentials | Authenticates data ingestion | Securely store username/password or token
Network Access | Enables communication with Exabeam | Ensure HTTPS connectivity to Exabeam cloud connector
Exabeam Tags | Organizes events in Exabeam | Optional, but recommended for filtering

Integration

The Integration section outlines default configurations for the Exabeam destination. To tailor the setup to your environment, consult the Configuration Parameters section in the Exabeam documentation for advanced options. To configure Exabeam as a destination in Observo AI, follow these steps:

  1. Log in to Observo AI:

    • Navigate to the Destinations tab.

    • Click the Add Destinations button and select Create New.

    • Choose Exabeam from the list of available destinations to begin configuration.

  2. General Settings:

    • Name: Add a unique identifier, such as exabeam-events-1.

    • Description (Optional): Provide a description, e.g., “Sends observability and security events to Exabeam.”

    • URL / URI: Enter the Exabeam cloud connector URL.

      Example

      https://your-exabeam-connector.exabeam.com

  3. Encoding:

    • Encoding Codec: Select the codec (Text, JSON). Use JSON to send the complete event payload, or Text to send only the message field (Default: JSON).

  4. Authentication:

    • Auth Strategy: Select either Basic or Bearer.

      • Basic: Provide Auth Username and Auth Password as configured in Exabeam.

      • Bearer: Provide Auth Token generated from the Exabeam platform.

  5. Request Configuration (Optional):

    • Request Headers: Add any required HTTP headers

      Example

      {"Content-Type": "application/json"}

    • Request Concurrency: Select either Adaptive Concurrency or a fixed concurrency of 1. Default: Adaptive Concurrency.

    • Request Rate Limit Duration Secs: Set the time window for rate limiting.

      Example

      1 second

    • Request Rate Limit Num: Set the maximum number of requests allowed in the rate limit window.

    • Request Retry Attempts: Set the maximum number of retries for failed requests. Default: Unlimited.

    • Request Retry Initial Backoff Secs: Set the initial wait time before retrying. Default: 1.

      Example

      1 second

    • Request Retry Max Duration Secs: Set the maximum wait time between retries. Default: 3600.

      Example

      3600 seconds

    • Request Timeout Secs: Set the request timeout. Default: 60.

      Example

      60 seconds

  6. TLS Configuration (Optional):

    • TLS CA: Provide the CA certificate as an inline string in PEM format, if using a custom certificate authority.

    • TLS CRT: Provide the certificate as a string in PEM format, if applicable.

    • TLS Key: Provide the key as a string in PEM format, if applicable.

    • TLS Verify Certificate: Enable certificate verification (True/False).

      • Default: False. Set to True for production connections so the connector's certificate chain is validated against the configured CA.

    • TLS Verify Hostname: Enable hostname verification (True/False).

      • Default: False. Set to True for production connections so the presented certificate is checked against the connector hostname.

  7. Batching Configuration:

    • Max Bytes in Batch: Set to 1 MB (1048576 bytes) by default to optimize event delivery.

    • Batch Timeout Secs: Set to 1 second by default to ensure timely delivery.

  8. Framing:

    • Framing Method: Select the framing method (Raw Event data, Single Character Delimited, Newline Delimited).

      • Default: Newline Delimited.

  9. Advanced Settings:

    • Compression: Select the compression algorithm (Gzip compression, No compression).

      • Default: No compression.

  10. Save and Test Configuration:

    • Save the configuration settings in Observo AI.

    • Send sample log data and verify it appears in the Exabeam platform under the specified tags or event type.
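The following Python example is added here and is not part of the Observo AI product or its documentation; it assembles a request the way the settings above describe (Basic or Bearer Authorization header, JSON or Text codec, newline-delimited framing cut at Max Bytes in Batch, optional Gzip compression, and the TLS Verify Certificate / Hostname switches). The sample events and the connector URL are constructed placeholders.

```python
import base64
import gzip
import json
import ssl

# Constructed sample events; not real Exabeam data.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "msg": "failed login", "user": "alice", "tags": ["service:security"]},
    {"ts": "2024-01-01T00:00:01Z", "msg": "failed login", "user": "bob", "tags": ["service:security"]},
]

def auth_header(strategy, username=None, password=None, token=None):
    """Authorization header for the two Auth Strategy values, Basic or Bearer."""
    if strategy == "Basic":
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    if strategy == "Bearer":
        return {"Authorization": f"Bearer {token}"}
    raise ValueError(f"unsupported auth strategy: {strategy}")

def frame_batches(events, codec="json", max_bytes=1048576):
    """Newline-delimited framing (JSON = whole payload, Text = message field only), cut at max_bytes."""
    batches, current, size = [], [], 0
    for ev in events:
        line = (json.dumps(ev, separators=(",", ":")) if codec == "json" else ev["msg"]) + "\n"
        if current and size + len(line.encode()) > max_bytes:
            batches.append("".join(current))
            current, size = [], 0
        current.append(line)
        size += len(line.encode())
    if current:
        batches.append("".join(current))
    return batches

def build_request(url, body, headers, compress=True):
    """Assemble the POST as the destination would; gzip the body when Compression is Gzip."""
    hdrs = {"Content-Type": "application/json", **headers}
    data = body.encode()
    if compress:
        data = gzip.compress(data)
        hdrs["Content-Encoding"] = "gzip"
    return {"method": "POST", "url": url, "headers": hdrs, "body": data}

def tls_context(verify_certificate=True, verify_hostname=True, ca_pem=None):
    """Mirror TLS Verify Certificate / Hostname; both default to False in the UI (testing only)."""
    ctx = ssl.create_default_context(cadata=ca_pem) if ca_pem else ssl.create_default_context()
    ctx.check_hostname = verify_certificate and verify_hostname  # clear before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_certificate else ssl.CERT_NONE
    return ctx
```

With max_bytes lowered to 120 the two sample events land in separate batches, which is the same cut the destination makes at 1 MB.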

Example Scenario

To illustrate the Exabeam destination’s functionality, consider a scenario where you configure Observo AI to send security log events to Exabeam for threat analysis:

In Observo AI, create a pipeline with a Source for collecting security logs from a network service. Then add a destination with the following settings, using your specific Exabeam values:

General Settings

Field | Value | Description
--- | --- | ---
Name | exabeam-security-events | Unique identifier for the destination.
Description | Sends security event logs to Exabeam. | Provides context for the destination's purpose.
URL / URI | https://your-exabeam-connector.exabeam.com | Base URL of the Exabeam cloud connector.
HTTP Method | POST | The action the client performs on the resource.

Encoding

Field | Value | Description
--- | --- | ---
Encoding Codec | json | Select json for the codec.

Authentication

Field | Value | Description
--- | --- | ---
Auth Strategy | Bearer | Select Bearer for the authentication strategy.
Auth Token | <EXABEAM_TOKEN> | Enter your Exabeam token for the cloud connector.

Advanced Settings

Field | Value | Description
--- | --- | ---
Compression | GZIP | Use the GZIP compression algorithm.

Test Configuration:

  • Save the settings and route the pipeline's output to the Exabeam destination.

  • Send sample security log data (e.g., failed login attempts) through the pipeline.

  • In Exabeam, navigate to the event analysis interface, filter by service:security, and verify that the logs are displayed with the expected metadata.

  • This setup enables real-time security event monitoring with compressed data transfer to optimize bandwidth.

Troubleshooting

If issues arise with the Exabeam destination, use the following steps to diagnose and resolve them:

  • Verify Configuration Settings:

    • Ensure the URL / URI and authentication credentials (username/password or token) are correctly entered and match the Exabeam account configuration.

    • Confirm that the HTTP Method (POST or PUT) is supported by your Exabeam endpoint.

  • Check Authentication:

    • For Basic authentication, verify that the username and password are valid and not expired.

    • For Bearer authentication, ensure the token is valid and has not been revoked.

    • Regenerate credentials in Exabeam if necessary and update the Observo AI configuration.

  • Monitor Logs:

    • Check Observo AI logs for errors or warnings related to event data transmission to Exabeam.

    • In the Exabeam platform, navigate to the event analysis interface to confirm that events are arriving with the expected tags or type.

  • Validate Network Connectivity:

    • Ensure that the Observo AI instance can reach the Exabeam cloud connector URL over HTTPS.

    • Check for firewall rules or network policies blocking HTTPS traffic.

  • Test Data Flow:

    • Send sample event data through Observo AI and monitor its arrival in Exabeam’s event analysis interface.

    • Use the Analytics tab in the targeted Observo AI pipeline to monitor data volume and ensure expected throughput.

  • Check Quotas and Limits:

    • Verify that the Exabeam account is not hitting event ingestion limits or quotas (refer to Exabeam documentation).

    • Adjust batching settings (e.g., Max Bytes in Batch, Batch Timeout Secs) if backpressure or slow data transfer occurs.


Issue | Possible Cause | Resolution
--- | --- | ---
Events not appearing in Exabeam | Incorrect URL / URI or authentication credentials | Verify URL and credentials in configuration
Authentication errors | Expired or invalid username/password or token | Regenerate token and update configuration
Connection failures | Network or firewall issues | Check network policies and HTTPS connectivity
Slow event transfer | Backpressure or rate limiting | Adjust batching settings or check Exabeam quotas

Resources

For additional guidance and detailed information, refer to the following resources:
