Introduction
Exabeam has three different products: a data lake, an advanced analytics module, and an incident response platform. Recorded Future offers two integrations for Exabeam: Recorded Future for Exabeam Advanced Analytics (Detection) and Recorded Future for Incident Response (Response and Triage).
Exabeam Advanced Analytics
Exabeam Advanced Analytics uses Recorded Future data to help with detection use cases: Recorded Future's data is pushed into Exabeam context tables. Exabeam context tables are lists of resources that can be used to enrich logs to help with the anomaly detection process and/or are used directly by the risk engine layer for fact-based rules. These resources can range from assets (e.g. computers, servers) or users (employees of the company) to a list of IPs and Internet domains. While logs show what users and entities are doing, context tables show who the users and entities are.
Recorded Future's risk lists map to a handful of context tables in Exabeam Advanced Analytics, enriching logs to help with the anomaly detection process. The specific context tables Recorded Future pushes to include:
- is_ransomware_ip
- is_tor_ip
- is_dynamicdns_domain
- web_phishing
- recent covid 19 domain
- recent
- is_ip_threat
You can view the different context tables available in Exabeam by navigating to 'Settings' in the Exabeam Menu --> Accounts & Groups --> Context Tables.
Setting Up Recorded Future for Exabeam AA
Exabeam Advanced Analytics leverages the Recorded Future push service to bring Recorded Future data into Exabeam context tables. This service is owned by Recorded Future and a new configuration will be created by the Recorded Future team once the integration is purchased. Clients who purchase this integration will need to supply their Recorded Future Intelligence Services Consultant with their Exabeam server URL and a valid Exabeam API Key.
Otherwise, a support ticket should be submitted via our Integration Support ticket form with the following information:
- Integration Partner Category: Recorded Future Owned Integration
- Premier Integration: Exabeam AA (Push)
- Integration Platform Version: Exabeam AA v1.1 (Push)
- Ticket Description: Please include the following prerequisites:
  - Valid Recorded Future API token
  - Exabeam Server URL
  - Exabeam API Key
Once the configuration is complete, clients will see Recorded Future data flowing into their Exabeam context tables. Clients can check whether data from Recorded Future has populated in their Exabeam AA environment by going to Settings --> Context Tables --> clicking one of the context tables listed above (e.g. reputation_domains).