Exabeam Incident Response: Getting Started

Introduction

Exabeam has three different products (a datalake, an advanced analytics module, and an incident response platform).  The integration Exabeam built for Recorded Future is for the Incident Response platform, which itself has two modules: a case manager, and a module for automation and orchestration (playbooks, actions).

Integration Details

Specifically, the integration includes four actions:

  • get file reputation (hash lookup)
  • get ip reputation
  • get url reputation
  • get domain reputation

In the setup page, users can enter a valid Recorded Future API token and can test connectivity.

Figure 1. When configuring the Recorded Future "service", enter a valid API Token; you can test connectivity and save the configuration once it's working. 

If a created incident includes one or more artifacts (e.g., an IP address), an integration action can then be run to get Recorded Future enrichment data.  Multiple integrations may run for the same action, and a playbook can consist of multiple actions.
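As an added example (not code from this article, Exabeam or Recorded Future), the routing a playbook author does before launching these actions: classify each incident artifact and map it to the matching reputation lookup. The action names are the four listed above; the defanging rules and the sample artifacts are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# The four actions the Exabeam IR integration exposes, named as in this article.
ACTIONS = {
    "hash": "get file reputation",
    "ip": "get ip reputation",
    "url": "get url reputation",
    "domain": "get domain reputation",
}
HASH_LENGTHS = {32, 40, 64}  # hex digest lengths of MD5, SHA-1 and SHA-256
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)

def classify_artifact(value):
    """Return (kind, normalised value); kind is an ACTIONS key, or None if unrecognised."""
    # Undo the defanging common in case notes so the lookup receives a real indicator (assumed convention).
    v = value.strip().replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "hash", v.lower()
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip", v
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url", v
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return None, v

def route_artifacts(artifacts):
    """Group an incident's artifacts by the action that should enrich them; unknowns are skipped."""
    plan = {name: [] for name in ACTIONS.values()}
    skipped = []
    for raw in artifacts:
        kind, value = classify_artifact(raw)
        if kind is None:
            skipped.append(raw)
        else:
            plan[ACTIONS[kind]].append(value)
    return plan, skipped

# Constructed sample artifacts, as they might appear in an incident's case notes.
SAMPLE_ARTIFACTS = ["203.0.113.7", "hxxp://malicious[.]example/login.php", "update[.]example.net",
                    "d41d8cd98f00b204e9800998ecf8427e", "not an indicator"]
```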

Figure 2. Example of an incident that includes an artifact

Figure 3. When adding an action to an incident, you can choose from a gallery of options. Note that the Recorded Future tile here says "Configured" in the upper right.

Figure 4. The Action Launcher is where IOCs are specified and the enrichment service chosen.

Figure 5. An example of the IP Reputation lookup results after the action is launched. The results include a link to the intelligence card, a description of the risk level, a summary of the triggered risk rules, the count of risk rules triggered, and the overall risk score.

Figure 6. Action Launcher for URL/Domain artifacts.

Figure 7. Example URL reputation lookup. As with the IP Reputation lookup, the results show a link to the intelligence card, a description of the risk level, a summary of the triggered risk rules, the count of risk rules triggered, and the overall risk score.

Figure 8. Example of an Exabeam IR playbook; the Recorded Future lookup could be used in such a playbook, e.g., in the action "Get URL/Domain reputation".

Additional Note:

Since Exabeam is viewed through a web browser, Recorded Future's web browser extension may also be used to get on-demand enrichment of IOCs on the page.  
