Introduction
Advanced Analytics Use Case Adoption Guide
In this Adoption Guide you will find a comprehensive guide to help understand Advanced Analytics concepts and leverage use cases to prioritize and validate protection against threat vectors. It serves as a guide for how to think about engaging with Advanced Analytics and a reference to get under the hood of Advanced Analytics dependencies and concepts. Follow this guide from start to finish to ensure prioritized and comprehensive coverage in your environment.
Advanced Analytics Adoption Guide: What is it?
LEGEND
Mandatory
Within this document, links categorized as Mandatory are required elements of configuration. This label does not necessarily imply action required on your part, but rather marks information crucial to understanding how to prosecute the use case within your environment.
Informational
Links within this document with a categorization of Informational are not required reading, but will help facilitate greater awareness of how Exabeam tools work under the hood and will help with self-service efforts.
Further Reading
Items with a label of Further Reading are for users seeking ExaNinja status and could lead to professional excellence.
What is this Adoption Guide?
This adoption guide contains best practices for how to think about working with Advanced Analytics, as well as helpful reference material for every Exabeam Use Case. In this guide you will find:
• Guides on how to think about interacting with the Advanced Analytics interface.
• Use Case Content: Rules and models mapped to the use case. Tuning, creating and validating rules.
• Content Dependencies: Understanding and using contextual enrichment in Advanced Analytics. Relevant user and asset labels, context tables, threat intel and model dependencies.
• Vendor Logs: The vendor logs with the potential to show use case related activity, ranked from most likely to least likely.
• Dataflow Concepts: The use case event types to validate proper dataflow and the mandatory populated fields for each event type.
• Rule Tuning Info: Everything you need to know to keep your system tuned to reflect your use case risk priorities.
• Model Validation: How to make sure the models you deem critical are populated with data and triggering rules properly.
• Threat Hunter: Use case related Threat Hunter searches. Getting creative with Threat Hunter. Building and saving searches.
The material in this guide is designed to provide assurance that your system will detect high priority threats and that it is tuned and configured correctly.
What is an Exabeam Use Case?
Exabeam Use Cases are prepackaged, tailored content intended to detect risks on a network. They consist of curated content in Advanced Analytics related to specific techniques used by attackers and insider threats. Use Cases are helpful for categorizing Exabeam content for validation purposes. There are currently over 1700 out-of-the-box rules in Advanced Analytics. Use Cases can be used to prioritize the threats your organization considers most dangerous. Once prioritized, this guide serves as a reference to ensure dependencies are met for maximum assurance that content will show the threats you need to see. This content is primarily a set of rules related to attack vectors known to present risks in all environments. It also includes the dependencies for the rules, including corresponding data modeled baselines, context tables, user and asset labels, threat intel functions and more.
How To Use the Use Case Adoption Guide
This guide is intended to be a short-form instructional guide to quickly enable adoption and operationalization of Exabeam Use Cases. It is arranged in a workflow that builds an understanding of the supporting material and dependencies behind each Use Case. The steps in this Adoption Guide follow the logical order of use case implementation. Most of the time, however, these steps will already have been completed. The guide is structured so that a step that is already accomplished and validated can be skipped and the next step tackled. In many cases the information is presented as a reference to ensure that users have a comprehensive understanding of how the content works and what dependencies exist. No network is static. When aspects of a network change, it's important to know how to adjust in order to be fully prepared for the unknown unknowns that can occur in an environment. This guide contains what a user or admin needs to know to prosecute the Exabeam Use Cases most efficiently and effectively.
For pages where content is unique to a particular use case, a menu of use cases directs you to a separate page. You can navigate back to where you were using the BACK button in the upper left corner.
Use Case Packages
Use Cases are parceled out into Use Case Packages.
Malicious Insider: Behavior that would potentially occur if you had an insider threat on your network.
• Data Leak
• Privilege Abuse
• Data Access Abuse
• Audit Tampering
• Destruction of Data
• Physical Security
• Workforce Protection
Compromised Insider: Techniques, tactics and procedures that would be used if an account on your network was compromised by a savvy attacker.
• Abnormal Authentication & Access
• Compromised Credentials
• Lateral Movement
• Privilege Escalation
• Privileged Activity
• Account Manipulation
• Data Exfiltration
• Evasion
External Threats: Threats posed by outside actors with malicious intent.
• Malware
• Phishing
• Ransomware
• Cryptomining
• Brute Force Attack
Benefits
It's easy
Most of the configuration of use cases is done during a Professional Services engagement. This is true even if your engagement took place before the roll-out of Use Cases.
Helps users learn what they didn’t know they didn’t know
All content contains dependencies and logical arguments to detect and respond to badness on your network. Use case documentation systematically walks through the scope of protection, requisite vendor log, data processing workflow awareness, context table and user/asset label dependencies, threat intelligence feeds and functions and response techniques and tricks. This is all configured on installation, but log sources can change, network zones are ever evolving and context tables need updating from time to time. Use Case documentation provides all you need to know about what you may not have previously known.
It facilitates prioritization and validation of use case modalities
It is a best practice to sit down with information security stakeholders and identify what would pose the greatest risk should it occur on your network. By assessing which use case has the potential to do the greatest damage and ranking the use cases accordingly it provides a method of systematically working through threats to your network one at a time. Attempting to tune and validate your system reactively is not the best manner to protect against the tactics in these use cases. Proactively identifying which threats are greatest, then verifying that nothing has changed on your network that could cause analysts to miss threats is the best way to ensure air tight coverage. Additionally, boiling the ocean to verify your instance is ingesting and adding context is an overwhelming and exhausting exercise. It’s the quickest way to lose sight of the path to a comprehensive security posture.
Exabeam Use Case Documentation: A Primer
Each Exabeam Use Case has a corresponding use case document in the Exabeam Community. Each document follows an Introduction-> Collect-> Detect -> Triage -> Investigate -> Respond workflow. Check this short video out to see the benefits of pivoting between the Adoption Guide and the long form use case documents. Leveraging both is the quickest way to becoming a use case InfoSec Ninja.
Wrapping Up
All of these factors lead to a more comprehensive understanding of the network. Roll out each use case and on completion you will be your information security department's lead security ninja.
Working through the use cases lets analysts understand most of the security solutions in the environment and feed critical insights back to their owners, insights gained from looking at your network through the lens of anomalies from analytical baselines rather than through one security vendor coffee straw at a time.
Additionally, using the response methodologies will inevitably result in the discovery of further threats to monitor and will also uncover misconfigurations in other vendor solutions. Because multiple log types are aggregated and processed in one stateful session, an analyst gets a full view of the coverage in your environment.
Operationalizing these use cases establishes a proactive security posture and will likely lead to better sleep for InfoSec analysts. Getting a look under the hood provides greater comprehension of what drives the content in a use case. It facilitates a better comprehension of how to manage specific threats to your network as well.
Step 1: Get to Know AA Content
Security practitioners are no strangers to getting woken up in the middle of the night with some urgent alert that needs attention. The best way to prevent those calls is to have a prioritized risk assessment strategy that has been implemented properly. No one wants to receive that call, the one about the threat you had coverage for but didn't know you should be looking for. Understanding and awareness of Exabeam's pre-packaged security content helps you see what your network is covered against should a threat occur. Prioritizing the threats to validate coverage for can be done by prioritizing Exabeam Use Cases, leveraging the MITRE ATT&CK framework, or using some proprietary method of risk prioritization. The link below contains all Advanced Analytics content, grouped by use case. For most use cases there are scenarios which serve as a further way to prioritize the threats you want to shore up your network against. Think of scenarios as sub-use cases, with content grouped by activity type. Click the image below for a list of all Exabeam Use Case content.
Step 2: Get to Know Content Dependencies
Advanced Analytics uses other rules and sets of identifier groupings to optimize its analytics. The links below are to the specific content dependencies within rule logic for every use case. These are configured on installation but if things change in your environment it’s a good idea to know where these dependencies live in order to edit them should that be needed.
Content Dependencies
Rule and Model Dependencies: Organized by Use Case
Rules can be used as arguments in rule logic. Some rules depend on other rules having fired in the session in order to fire themselves. A majority of rules depend on models that baseline a user's or asset's normal behavior. If a rule you expect to see firing is not firing, it might be because the model it depends on does not yet have enough confidence to trigger the rule. Knowing which model a rule depends on can be very helpful in the troubleshooting process.
Step 2: Context Dependencies
Use Case Context Dependencies
Context dependencies are groupings of identifiers that must be fulfilled for a rule to fire. These are groupings or arrays of identifiers. In real terms, they are context tables, user or asset labels, threat intelligence information or config items within the product that are called as arguments by AA. It is important to be aware of these dependencies so you can update them if anything changes in your network or new log feeds are added. The image below links to a complete list of context dependencies, organized by Use Case.
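The two passages above describe three kinds of dependency a rule can have: a model that must have converged, another rule that must already have fired in the session, and context (a table, label or threat intel list) that must be populated. The following script, added here as an illustration and not Exabeam's own code, walks that chain for a rule that is not firing and lists every unmet dependency, recursing through prerequisite rules so a model two steps down the chain still shows up. Rule, model and context names are constructed placeholders; the real names come from the Rule and Model Dependencies and Context Dependencies lists for each use case.

```python
"""Walk a rule's dependency chain to explain why it is not firing.

Added illustration, not Exabeam's own code. Rule, model and context names
below are constructed placeholders; the real names come from the
Rule and Model Dependencies and Context Dependencies lists for each use case.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """One rule and the three kinds of dependency the guide describes."""
    name: str
    models: List[str] = field(default_factory=list)   # models that must have converged
    rules: List[str] = field(default_factory=list)    # rules that must fire earlier in the session
    context: List[str] = field(default_factory=list)  # context tables / labels that must be populated


# Constructed sample content (placeholder names, not Exabeam rule IDs).
SAMPLE_RULES: Dict[str, Rule] = {
    "EXAMPLE-ABNORMAL-LOGON-HOST": Rule(
        "EXAMPLE-ABNORMAL-LOGON-HOST", models=["EXAMPLE-USER-HOST-MODEL"]),
    "EXAMPLE-PRIV-USER-ABNORMAL-HOST": Rule(
        "EXAMPLE-PRIV-USER-ABNORMAL-HOST",
        rules=["EXAMPLE-ABNORMAL-LOGON-HOST"], context=["privileged_users"]),
    "EXAMPLE-FIRST-ACCESS-EXEC-ASSET": Rule(
        "EXAMPLE-FIRST-ACCESS-EXEC-ASSET",
        models=["EXAMPLE-USER-ASSET-MODEL"], context=["executive_assets"]),
}


def find_blockers(rule_name: str, rules: Dict[str, Rule], converged_models: Set[str],
                  fired_rules: Set[str], populated_context: Set[str],
                  _seen: Optional[Set[str]] = None) -> List[str]:
    """Return the reasons `rule_name` cannot fire; an empty list means nothing blocks it.

    Prerequisite rules are walked recursively, so a model that has not converged
    two rules down the chain still appears in the answer.
    """
    seen = _seen if _seen is not None else set()
    if rule_name in seen:
        return [f"{rule_name}: circular rule dependency"]
    seen.add(rule_name)

    rule = rules.get(rule_name)
    if rule is None:
        return [f"{rule_name}: rule is not defined in the loaded content"]

    blockers: List[str] = []
    for model in rule.models:
        if model not in converged_models:
            blockers.append(f"{rule_name}: model {model} has not reached confidence")
    for ctx in rule.context:
        if ctx not in populated_context:
            blockers.append(f"{rule_name}: context {ctx} is empty or missing")
    for prereq in rule.rules:
        if prereq not in fired_rules:
            blockers.append(f"{rule_name}: prerequisite rule {prereq} has not fired in this session")
            blockers.extend(find_blockers(prereq, rules, converged_models,
                                          fired_rules, populated_context, seen))
    return blockers


if __name__ == "__main__":
    # Constructed system state: one model converged, no rules fired yet, no context loaded.
    state = dict(converged_models={"EXAMPLE-USER-HOST-MODEL"},
                 fired_rules=set(), populated_context=set())
    for name in SAMPLE_RULES:
        reasons = find_blockers(name, SAMPLE_RULES, **state)
        print(name, "-> OK" if not reasons else "")
        for reason in reasons:
            print("   ", reason)
```

Feed it the rule you expected to fire, the set of models the Advanced Analytics UI shows as converged, the rules that did fire in the session, and the context tables and labels you know are populated; each line of output is one thing to fix before the rule can be expected to trigger.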
Step 2: Maximize Content with Context
In this video, learn how to think about context to maximize coverage with minimum effort. This video shows how to maximize efficiency by using context tables and user and asset labels to power Advanced Analytics content.
Step 3: Vendor Product Log Mapping
Log Source Onboarding: A Guide
Detecting threats starts with ingesting the proper logs. The image below links to a list of vendor logs that show a specific type of behavior, organized by use case. Within each use case the vendor products are listed in descending order, from the log source that could trigger the greatest number of rules in Advanced Analytics to the log source least likely to trigger rules related to that behavior. Click the image to see all use case vendor log mappings.
Step 3: Quick Start: Thinking About Log Sources
Detection starts with good data. The video below explains how to think about logs in Advanced Analytics and what types of logs show threats most clearly in Advanced Analytics.
Step 4: Event Types and Required Fields
Advanced Analytics comes with parsing of common vendor log sources out-of-the-box. However, rare log sources, custom logs and logs with errors can cause problems in the data processing pipeline and may require troubleshooting. To make sure you’ve got correct data flowing through the pipeline it may be necessary to verify that the correct fields are being parsed for the event types that occur in each use case.
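The check described above, verifying that every event type a use case relies on actually arrives and carries its required fields, can be scripted against a sample of parser output. The script below is an added example, not Exabeam's parser or its Common Information Model; the event type names, required fields and sample events are constructed placeholders, and the real field lists come from the Exabeam Content Common Information Model referenced in this step. It reports, per event type, how many events arrived, which required fields were absent or blank, event types the use case does not cover, and event types that never appeared at all, which is the most common sign of a broken log feed.

```python
"""Verify that parsed events carry the fields their event type requires.

Added example, not Exabeam's parser or Common Information Model. The event
type names and required fields below are constructed placeholders; take the
real ones from the Exabeam Content Common Information Model document.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for the per-event-type required-field list.
REQUIRED_FIELDS: Dict[str, List[str]] = {
    "example-logon-success": ["user", "host", "time"],
    "example-file-write": ["user", "host", "time", "file_path"],
    "example-usb-insert": ["user", "host", "time", "device_id"],
}

# Constructed sample of parser output, one JSON object per line. The second
# logon lacks `host`, the second file write has an empty `user`, one event has
# an event type the use case does not cover, no usb-insert event arrives at
# all, and the last line is not JSON.
SAMPLE_PARSED_EVENTS = """\
{"event_type": "example-logon-success", "user": "alice", "host": "ws01", "time": "2024-01-01T10:00:00Z"}
{"event_type": "example-logon-success", "user": "bob", "time": "2024-01-01T10:01:00Z"}
{"event_type": "example-file-write", "user": "alice", "host": "ws01", "time": "2024-01-01T10:02:00Z", "file_path": "/tmp/report.docx"}
{"event_type": "example-file-write", "user": "", "host": "ws01", "time": "2024-01-01T10:03:00Z", "file_path": "/tmp/notes.txt"}
{"event_type": "example-unknown", "user": "carol"}
this line is not valid parser output
"""


def parse_events(text: str) -> Tuple[List[dict], int]:
    """Split JSON-lines text into event dicts; count lines that do not parse."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            bad += 1
    return events, bad


def validate_dataflow(text: str, required: Dict[str, List[str]]) -> dict:
    """Per event type, count events and how often each required field is absent or blank."""
    events, unparsed = parse_events(text)
    # Every required event type starts at zero so silent feeds are visible.
    by_type: Dict[str, dict] = {t: {"events": 0, "missing": defaultdict(int)} for t in required}
    unknown: Counter = Counter()
    for ev in events:
        etype = ev.get("event_type")
        if etype not in required:
            unknown[str(etype)] += 1
            continue
        entry = by_type[etype]
        entry["events"] += 1
        for fld in required[etype]:
            value = ev.get(fld)
            if value is None or (isinstance(value, str) and not value.strip()):
                entry["missing"][fld] += 1
    for entry in by_type.values():          # plain dicts, easy to serialize or compare
        entry["missing"] = dict(entry["missing"])
    return {"by_type": by_type, "unknown_types": dict(unknown), "unparsed_lines": unparsed}


def incomplete_event_types(report: dict) -> List[str]:
    """Event types where at least one required field was missing in some event."""
    return sorted(t for t, e in report["by_type"].items() if e["missing"])


def silent_event_types(report: dict) -> List[str]:
    """Required event types for which no event arrived at all."""
    return sorted(t for t, e in report["by_type"].items() if e["events"] == 0)


if __name__ == "__main__":
    rep = validate_dataflow(SAMPLE_PARSED_EVENTS, REQUIRED_FIELDS)
    print(json.dumps(rep, indent=2))
    print("incomplete:", incomplete_event_types(rep))
    print("silent:", silent_event_types(rep))
```

Run it over an export of parsed events for the period you are validating; a type in the silent list means the log source is not being ingested or parsed, and a type in the incomplete list means the parser is dropping a field the rules for that use case need.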
Event Types and Required Fields: Organized by Use Case
Event Types and Required Fields
Event Types and their respective required fields are available in the document below as a download for reference.
For an always current list of required and optional fields, see the document below:
Exabeam Content Common Information Model
Getting to Know the Advanced Analytics User Interface
Smart Timelines
Exabeam Smart Timelines are prebuilt timelines that automatically reconstruct the events underlying security incidents so analysts can stop spending time combing through raw logs. Smart Timelines display the full scope of a user's or device's activity in an easy-to-use and graphical manner, identifying anomalous behavior and risk. Smart Timelines are much more than a collection of logs sorted by their timestamp. They reduce the time and specialization required to detect, investigate, and respond to security incidents by taking machine-generated data and converting it into a narrative that makes sense to security analysts. Get started quickly with the Smart Timelines: Quick Start Guide.
Admin Guide: Smart Timelines
Video: Working in Smart Timelines
Watchlists
This video demonstrates how to effectively create and manage watchlists in Advanced Analytics. This video has chapters. Click the button in the navigation menu to jump to specific sections of the video.
Admin Guide: Watchlists
Video: Creating and Managing Watchlists
Rule Tuning and Model Convergence
Advanced Analytics offers the option of custom tuning rules in your environment. This allows you to display levels of risk as your organization defines them in its risk matrix. It also allows you to tune down noisy alerts specific to your instance. Everything you need to know about tuning rules is in the Landing Page for Tuning Rules in Advanced Analytics on the Exabeam Community Knowledge Base. In order for rules to trigger and for models to reach high confidence in their baselines there has to be sufficient data. It's possible to check the confidence level of each model in the Advanced Analytics UI.
Landing Page for Tuning Rules in Advanced Analytics
Since Exabeam Use Cases often contain hundreds of rules, it's a best practice to take a sample of models from each use case scenario and verify them in the Advanced Analytics UI. Click these links for lists of data models in the Account Manipulation Use Case by scenario.
How to Check Model Confidence Document
Tuning Your System
System tuning is a way to optimize security coverage to ensure incidents your organization needs to see are surfaced efficiently and in a timely manner. The videos below demonstrate how this happens and how to tune your rules to get the precise results your organization is after.
Video: Tuning Your System Deep Dive
This video describes, in depth, the many ways Exabeam Advanced Analytics is configurable to highlight precisely the types of incidents your organization wants to see. It is a deep dive into all things tuning.
Video: Rule Tuning: Quick Start Guide
Learn the essentials of tuning rules quickly and easily. Explore the basics of modifying rules to include or exclude entities to customize your security posture.
Overview: Threat Hunter
Threat Hunter is a great way to proactively search Advanced Analytics for threats in your environment. Watch the video below to get a high level overview of Threat Hunter functionality.
The Threat Hunter function in Advanced Analytics is a great way to search for sessions with suspicious activity. Threat Hunter is an effective tool to proactively seek out threats in your environment. Creating and saving Threat Hunter searches is an effective way to find risky behavior on your network.
AA User Guide: Threat Hunter
Threat Hunter: Demo
The video below explores functionality and buttonology in the Advanced Analytics user interface for beginners.