Exabeam Advanced Analytics

Integration version: 5.0

Use Cases

  1. Perform active actions - create/delete watchlists, add entities to watchlists, add comments to entities.
  2. Perform enrichment - enrich information about entities using information from Exabeam.

Configure Exabeam Advanced Analytics integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Generate Cluster Authentication Token

  1. In Exabeam, select Settings > Core > Admin Operations > Cluster Authentication Token. The Cluster Authorization Token page is displayed.
  2. Click the add symbol. The Setup Token dialog is displayed.
  3. Enter the Token Name and Expiry Date in the relevant fields.
  4. In the Permission Level section, select Default Roles for the token.
  5. Click Add Token. Use the generated file to allow your APIs to authenticate by token.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is Mandatory | Description
API Root | String | https://{api root} | Yes | API root of the Exabeam Advanced Analytics instance.
API Token | Secret | N/A | Yes | API token of the Exabeam Advanced Analytics instance.
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Exabeam Advanced Analytics server is valid.
Note: You can make changes at a later stage if needed. Once configured, the instances can be used in Playbooks. For detailed information on configuring and supporting multiple instances, please see Supporting multiple instances.

Actions

Ping

Description

Test connectivity to the Exabeam Advanced Analytics with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

The action doesn't run on entities and has no mandatory input parameters.

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:
if successful: "Successfully connected to the Logpoint server with the provided connection parameters!"

The action should fail and stop a playbook execution:
if not successful: "Failed to connect to the Logpoint server! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Enrich entities using the information from Exabeam Advanced Analytics. Supported entities: Hostname, IP and User. The Event Time Frame parameter works with hours.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Return Entity Timeline | Checkbox | True | Yes | If enabled, action will return the timeline for the entity.
Event Time Frame | Integer | 24 | No | Specify the time frame for the events that you want to see in hours.
Only Anomaly Events | Checkbox | True | No | If enabled, action will only return events that are considered to be anomalies.
Lowest Event Risk Score To Fetch | Integer | N/A | No | Specify what should be the lowest risk score of the event in order to ingest it. If nothing is specified, action will not do any filtering.
Return Comments | Checkbox | True | No | If enabled, action will return comments related to the entity.
Create Insight | Checkbox | True | No | If enabled, action will create an insight per entity.
Max Events To Return | Integer |  | No | Specify how many events should be returned. If nothing is specified, action will return all of the events.
Max Comments To Return | Integer | 10 | No | Specify how many comments to return.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • User

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
JSON Result For User
{"username":"root","userInfo":{"username":"root","riskScore":0.0,"averageRiskScore":0.0,"pastScores":[0.0,0.0,0.0,0.0,0.0,0.0],"lastSessionId":"root-20201010000111","firstSeen":1601510468890,"lastSeen":1602298872682,"lastActivityType":"Account deleted","lastActivityTime":1602288071248,"info":{},"labels":["service_account"],"pendingRiskTransfers":[]},"isExecutive":false,"accountNames":[],"peerGroupFieldName":"Peer Groups","peerGroupType":"","isMultiPeerGroup":true,"commentCount":0,"isOnWatchlist":false,"hasDisabledModel":false,"hasDisabledEventType":false,"comments":[{"commentId":"6002d31b130b3800072d1c1d","commentType":"user","commentObjectId":"sysadmin","text":"asd","exaUser":"admin","createTime":1610797851298,"updateTime":1610797851298,"edited":false}],"events":[{"risk_score":"{value if available}","source":"systemd","session_id":"root-20201009000110","rawlog_time":1602201670967,"host":"centos-002","session_order":1,"hash":1013256238,"event_type":"local-logon","account":"root","time":1602201670967,"event_id":"4602@m","user":"root","event_code":"Started Session","nonmachine_user":"root","is_session_first":true}]}
JSON Result For Asset
{"username":"root","userInfo":{"username":"root","riskScore":0.0,"averageRiskScore":0.0,"pastScores":[0.0,0.0,0.0,0.0,0.0,0.0],"lastSessionId":"root-20201010000111","firstSeen":1601510468890,"lastSeen":1602298872682,"lastActivityType":"Account deleted","lastActivityTime":1602288071248,"info":{},"labels":["service_account"],"pendingRiskTransfers":[]},"isExecutive":false,"accountNames":[],"peerGroupFieldName":"Peer Groups","peerGroupType":"","isMultiPeerGroup":true,"commentCount":0,"isOnWatchlist":false,"hasDisabledModel":false,"hasDisabledEventType":false,"comments":[{"commentId":"6002d31b130b3800072d1c1d","commentType":"user","commentObjectId":"sysadmin","text":"asd","exaUser":"admin","createTime":1610797851298,"updateTime":1610797851298,"edited":false}],"events":[{"risk_score":"{value if available}","event_category":["user-events","asset-events"],"source":"UNIX","session_id":"sysadmin-20201009125727","rawlog_time":1602248247376,"host":"centos-002","src_ip":"172.30.202.187","session_order":1,"getvalue('zone_info', src)":"siemplify","dest_host":"centos-002","hash":1236616962,"event_type":"remote-logon","src_network_type":"LAN","account":"sysadmin","time":1602248247376,"event_id":"4619@m","user":"sysadmin","event_code":"ssh","nonmachine_user":"sysadmin","is_session_first":true,"entity_asset_id":"asset@centos-002-20201009"}]}
Entity Enrichment For User
Enrichment Field Name | Logic - When to apply
EXBAA_riskScore | When available in JSON
EXBAA_pastScores | When available in JSON
EXBAA_lastSessionId | When available in JSON
EXBAA_firstSeen | When available in JSON
EXBAA_lastSeen | When available in JSON
EXBAA_lastActivityType | When available in JSON
EXBAA_lastActivityTime | When available in JSON
EXBAA_labels | When available in JSON
EXBAA_isExecutive | When available in JSON
EXBAA_commentCount | When available in JSON
EXBAA_accountNames | When available in JSON
EXBAA_isNotable | When available in JSON
Entity Enrichment For Asset
Enrichment Field Name | Logic - When to apply
EXBAA_riskScore | When available in JSON
EXBAA_hostname | When available in JSON
EXBAA_ipAddress | When available in JSON
EXBAA_assetType | When available in JSON
EXBAA_lastSessionId | When available in JSON
EXBAA_firstSeen | When available in JSON
EXBAA_lastSeen | When available in JSON
EXBAA_labels | When available in JSON
EXBAA_commentCount | When available in JSON
EXBAA_accountNames | When available in JSON
EXBAA_isNotable | When available in JSON
Entity Insight for User

Insight example

Entity Insight for Asset

Insight example

Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:
If successful for the entities (is_success = true): "Successfully returned information about the following entities from Exabeam Advanced Analytics:\n{0}".format(entity.identifier)

If unsuccessful for some (is_success = true): "Action wasn't able to return information about the following entities from Exabeam Advanced Analytics:\n {0}".format(entity.identifier)

If unsuccessful for all (is_success = false): No entities were enriched using information from Exabeam.

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

The Case Wall table is based on the enrichment table, but without the EXBAA_ prefixes.

It has two columns, "Key" and "Value".

Entity

Case Wall Table

For User Events (if available)

Table Name: "{entity.identifier} Events"

Columns:

  • Time
  • Risk Score
  • Type
  • Host
  • Source

General

Case Wall Table

For Asset Events (if available)

Table Name: "{entity.identifier} Events"

Columns:

  • Time
  • Type
  • User
  • Risk Score
  • Source

General

Case Wall Table

For comments

Table Name: "{entity.identifier} Comments"

Columns:

  • User
  • Comment

General
Case Wall Link | {link}
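As an added illustration of the Enrich Entities action (example code written for this page, not the integration's own implementation), the following applies the "When available in JSON" enrichment rule and the event parameters (Event Time Frame in hours, Only Anomaly Events, Lowest Event Risk Score To Fetch, Max Events To Return) to a constructed result shaped like the "JSON Result For User" above, then builds the rows of the "{entity.identifier} Events" case wall table. It assumes that an anomaly event is one that carries a risk_score, and that enrichment fields may sit either at the top level or inside userInfo.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the page's "JSON Result For User" (not real Exabeam output);
# the second event deliberately carries no risk_score.
SAMPLE_USER = json.loads("""{
 "username": "root",
 "userInfo": {"username": "root", "riskScore": 12.5, "pastScores": [0.0, 3.0],
              "lastSessionId": "root-20201010000111", "firstSeen": 1601510468890,
              "lastSeen": 1602298872682, "lastActivityType": "Account deleted",
              "lastActivityTime": 1602288071248, "labels": ["service_account"]},
 "isExecutive": false, "accountNames": [], "commentCount": 1,
 "events": [
  {"risk_score": "15", "source": "systemd", "event_type": "local-logon", "host": "centos-002", "time": 1602201670967},
  {"source": "UNIX", "event_type": "remote-logon", "host": "centos-002", "time": 1602248247376},
  {"risk_score": "4", "source": "UNIX", "event_type": "file-read", "host": "centos-003", "time": 1602250000000}
 ]}""")

# Field names from the "Entity Enrichment For User" table, without the EXBAA_ prefix.
USER_FIELDS = ["riskScore", "pastScores", "lastSessionId", "firstSeen", "lastSeen",
               "lastActivityType", "lastActivityTime", "labels", "isExecutive",
               "commentCount", "accountNames", "isNotable"]


def build_enrichment(result, fields=USER_FIELDS, prefix="EXBAA_"):
    """'When available in JSON': emit a prefixed field only if the result carries it.
    Top-level keys and userInfo keys are both searched (assumption about the layout)."""
    merged = {**result, **result.get("userInfo", {})}
    return {prefix + f: merged[f] for f in fields if f in merged}


def filter_events(events, now_ms, time_frame_hours=24, only_anomaly=True,
                  lowest_risk_score=None, max_events=None):
    """Apply the action's event parameters: Event Time Frame (hours), Only Anomaly Events
    (assumed here to mean the event carries a risk_score), Lowest Event Risk Score To Fetch
    and Max Events To Return. Newest events are kept first when the cap applies."""
    cutoff = now_ms - time_frame_hours * 3600 * 1000
    kept = []
    for ev in events:
        if ev["time"] < cutoff:
            continue
        score = ev.get("risk_score")
        if only_anomaly and score is None:
            continue
        if lowest_risk_score is not None and (score is None or float(score) < lowest_risk_score):
            continue
        kept.append(ev)
    kept.sort(key=lambda e: e["time"], reverse=True)
    return kept if max_events is None else kept[:max_events]


def events_table(events):
    """Rows for the "{entity.identifier} Events" case wall table: Time, Risk Score, Type, Host, Source."""
    return [{"Time": datetime.fromtimestamp(e["time"] / 1000, tz=timezone.utc).isoformat(),
             "Risk Score": e.get("risk_score", ""),
             "Type": e["event_type"], "Host": e["host"], "Source": e["source"]}
            for e in events]
```

Because EXBAA_isNotable is absent from the sample, it is simply not emitted, which is the behaviour the enrichment table describes.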

List Watchlists

Description

List available watchlists in Exabeam Advanced Analytics.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Max Watchlists To Return | Integer | 100 | No | Specify how many watchlists should be returned.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
JSON Result
[{"watchlistId":"5e66f85c8fe56e9a122ccb45","title":"Service Accounts","category":"UserLabels"},{"watchlistId":"5e66f85c8fe56e9a122ccb44","title":"Executive Users","category":"UserLabels"},{"watchlistId":"5ffd9686130b3800072d1bef","title":"user watchlist","category":"Users"},{"watchlistId":"5ffb0fc0130b3800072d1bd3","title":"testdan","category":"Assets"},{"watchlistId":"5f7c37a2130b38000701691f","title":"linux","category":"Assets"},{"watchlistId":"5f7adc46130b38000701690d","title":"Test-UBA","category":"AssetLabels"},{"watchlistId":"5f22851d130b3800070168ff","title":"DM Test","category":"Users"},{"watchlistId":"5eb27c20130b3800077954e2","title":"PrivilegedUsers-SailPoint","category":"Users"},{"watchlistId":"5eb27ab6130b3800077954df","title":"DisabledUsers-SailPoint","category":"Users"},{"watchlistId":"5eb27a92130b3800077954dc","title":"ServiceAccountsList-SailPoint","category":"Users"},{"watchlistId":"5e9495d8130b380007795476","title":"DANOTEST","category":"Assets"}]
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:
if 200 and data is available (is_success = true): "Successfully retrieve available watchlists from Exabeam Advanced Analytics".

if 200 and data is not available: "No watchlists were found in Exabeam Advanced Analytics".

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Watchlist Items". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: "Available Watchlists"

Columns

  • Watchlist ID
  • Title
  • Category

General

List Watchlist Items

Description

List available items in watchlists from Exabeam Advanced Analytics.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Watchlist Titles | CSV | N/A | Yes | Specify a comma-separated list of watchlist titles for which you want to return items.
Max Days Backwards | Integer | 1 | No | Specify how many days backwards to list watchlists. Default: 1.
Max Items To Return | Integer | 100 | No | Specify how many watchlist items should be returned.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
JSON Result
{"title":"Test-UBA","creator":"admin","accessControl":"public","category":"AssetLabels","description":"Testing for dev purpose","isOutOfBox":false,"items":[],"criteria":["Server","Workstation","LdifFile","Domain Controller","TopTalker","EducatedGuess"],"totalNumberOfItems":3,"accessControlRoles":[],"numberOfNotableItems":0}
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:
if data is available (is_success = true): "Successfully retrieve available items for the following watchlists in Exabeam Advanced Analytics:\n{0}".format(list of watchlist titles)

if data is not available for some (is_success = true): "Action wasn't able to retrieve available items for the following watchlists in Exabeam Advanced Analytics:\n{0}".format(list of watchlist titles)

if data is not available for all: "No items were found for the provided watchlists in Exabeam Advanced Analytics".

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Watchlists". Reason: {0}''.format(error.Stacktrace)

General

Case Wall Table
(for users)

Table Name: "Watchlists {0} Items".format(watchlist title)

Columns

  • Username
  • Risk Score

General

Case Wall Table
(for assets)

Table Name: "Watchlists {0} Items".format(watchlist title)

Columns

  • Type
  • Endpoint
  • Risk Score

General

Add Entity To Watchlist

Description

Add entities to the watchlist in Exabeam Advanced Analytics.

Note: Watchlists with category 'AssetLabels' and 'UserLabels' are not supported in this action.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Watchlist Title | String | N/A | Yes | Specify the title of the watchlist to which you want to add entities.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • User

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:

if data is available (is_success = true): "Successfully added the following entities to the watchlist {0}in Exabeam Advanced Analytics:\n{1}".format(watchlist title, entity identifier)

if some were not added (is_success = true): "Action wasn't able to add the following entities to the watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(watchlist title, entity identifier)

If none were added: "No entities were added to the watchlist {0} in Exabeam Advanced Analytics".format(watchlist title)

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Add Entity To Watchlist". Reason: {0}''.format(error.Stacktrace)

If watchlist not found: "Error executing action "Add Entity To Watchlist". Reason: Watchlist {0} was not found in Exabeam Advanced Analytics''.format(watchlist title)

If watchlist category == "AssetLabel" or "UserLabel": "Error executing action "Add Entity To Watchlist". Reason: Watchlists with category 'AssetLabels' and 'UserLabels' are not supported in this action.''

General

Remove Entity From Watchlist

Description

Remove entities from the watchlist in Exabeam Advanced Analytics.

Note: Watchlists with category 'AssetLabels' and 'UserLabels' are not supported in this action.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Watchlist Title | String | N/A | Yes | Specify the title of the watchlist from which you want to remove entities.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • User

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:

if removed (is_success = true): "Successfully removed the following entities from the watchlist{0} in Exabeam Advanced Analytics:\n{1}".format(title, entity identifier)

if some were not removed (is_success = true): "Action wasn't able to remove the following entities from watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(title, entity identifier)

If none were removed: "No entities were removed from the watchlist {0} in Exabeam Advanced Analytics".format(watchlist title)

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Remove Entity From Watchlist". Reason: {0}''.format(error.Stacktrace)

If watchlist not found: "Error executing action "Remove Entity From Watchlist". Reason: Watchlist {0} was not found in Exabeam Advanced Analytics''.format(watchlist title)

If watchlist category == "AssetLabel" or "UserLabel": "Error executing action "Remove Entity From Watchlist". Reason: Watchlists with category 'AssetLabels' and 'UserLabels' are not supported in this action.''

General
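The Add Entity To Watchlist and Remove Entity From Watchlist actions both take a Watchlist Title while the API identifies watchlists by watchlistId, and both reject the 'AssetLabels' and 'UserLabels' categories. The following added example (written for this page, not the integration's own code) resolves a title against a constructed List Watchlists result and raises the two terminal errors the page lists, unknown title first and unsupported category second; it assumes the lookup is done over the List Watchlists output.

```python
# Constructed sample in the shape of this page's "List Watchlists" JSON result.
SAMPLE_WATCHLISTS = [
    {"watchlistId": "5e66f85c8fe56e9a122ccb45", "title": "Service Accounts", "category": "UserLabels"},
    {"watchlistId": "5f7adc46130b38000701690d", "title": "Test-UBA", "category": "AssetLabels"},
    {"watchlistId": "5ffd9686130b3800072d1bef", "title": "user watchlist", "category": "Users"},
    {"watchlistId": "5ffb0fc0130b3800072d1bd3", "title": "testdan", "category": "Assets"},
]

# The two categories the page says these actions do not support.
UNSUPPORTED_CATEGORIES = {"AssetLabels", "UserLabels"}


class WatchlistActionError(Exception):
    """Terminal error: the action should fail and stop the playbook."""


def resolve_watchlist(title, watchlists, action_name="Add Entity To Watchlist"):
    """Map the action's Watchlist Title input to the watchlistId the API keys on.

    Checks run in the order a playbook would hit them: an unknown title is reported
    before the category is examined, so a label watchlist that does not exist gets
    the 'not found' message rather than the 'not supported' one.
    """
    match = next((w for w in watchlists if w["title"] == title), None)
    if match is None:
        raise WatchlistActionError(
            f'Error executing action "{action_name}". Reason: Watchlist {title} '
            "was not found in Exabeam Advanced Analytics")
    if match["category"] in UNSUPPORTED_CATEGORIES:
        raise WatchlistActionError(
            f'Error executing action "{action_name}". Reason: Watchlists with category '
            "'AssetLabels' and 'UserLabels' are not supported in this action.")
    return match["watchlistId"]
```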

Add Comments To Entity

Description

Add comments to entities in Exabeam Advanced Analytics. Supported entities: Hostname, IP and User.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Comment | String | N/A | Yes | Specify the comment that needs to be added to the entity.

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • User

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
JSON Result
{"newComment":{"commentId":"6003e6e8130b3800072d1c35","commentType":"asset","commentObjectId":"centos-002","text":"qwe","exaUser":"admin","createTime":1610868456906,"updateTime":1610868456906,"edited":false}}
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:

if status code 200 for some (is_success = true): "Successfully added comment to the following entities {0} in Exabeam Advanced Analytics:\n{1}".format(entity identifier)

If entity is not found: "Action wasn't able to add comment to the following entities {0} in Exabeam Advanced Analytics:\n{1}".format(entity identifier)

If no entities: "No comments were added to the provided entities."

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Add Comments To Entity". Reason: {0}''.format(error.Stacktrace)

General

Create Watchlist

Description

Create a watchlist in Exabeam Advanced Analytics.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Title | String | N/A | Yes | Specify the title for the watchlist.
Category | DDL | User | Yes | Specify the category for the watchlist. Possible values: User, Asset.
Access Control | DDL | Private | Yes | Specify the access control for the watchlist. Possible values: Private, Public.
Description | String | N/A | No | Specify description for the watchlist.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
JSON Result
{"watchlistId":"6003ed61130b3800072d1c37","title":"Keke","category":"Users"}
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:

if status code 200 (is_success = true): "Successfully created watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(title)

If response contains "_apiErrorCode" (is_success=false): "Action wasn't able to create a watchlist in Exabeam Advanced Analytics. Reason: {0}".format(internalError)

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Create Watchlist". Reason: {0}''.format(error.Stacktrace)

General

Delete Watchlist

Description

Delete a watchlist in Exabeam Advanced Analytics.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Watchlist Title | String | N/A | True | Specify the title of the watchlist that needs to be deleted.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options
is_success | is_success=False
is_success | is_success=True
Case Wall
Result Type | Value / Description | Type
Output message*

The action should not fail nor stop a playbook execution:

if status code 200 (is_success = true): "Successfully deleted watchlist {0} in Exabeam Advanced Analytics:\n{1}".format(title)

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Delete Watchlist". Reason: {0}''.format(error.Stacktrace)

General


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.