Exabeam Fusion XDR
About
Cloud-delivered security analytics and automation for TDIR (threat detection, investigation and response).
Product Details
Vendor URL: Exabeam Fusion XDR
Product Type: XDR
Product Tier: Tier I
Integration Method: SYSLOG
Parser Details
Log Format: Syslog
Expected Normalization Rate: 100%
Data Label: Exabeam_Fusion_XDR
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| event_code | metadata.product_event_type |
| id | metadata.product_log_id |
| dest_ip | target.asset.ip |
| dest_ip | target.ip |
| user | target.user.userid |
| src_ip | principal.ip |
| src_ip | principal.asset.ip |
| src_host, host | principal.hostname |
| src_host, host | principal.asset.hostname |
| dest_host | target.asset.hostname |
| dest_host | target.hostname |
| rule_id | security_result.rule_id |
| rule_name | security_result.rule_name |
| rule_description, top_reasons | security_result.description |
| failure_reason, rule_reason | security_result.summary |
| url | security_result.url_back_to_product |
| score | security_result.severity_details |
| session_id | network.session_id |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| All | GENERIC_EVENT |
| event_type contains "logon" | USER_LOGIN |
Log Sample
Jun 2 11:00:57 exabeam-observer Exabeam timestamp="2022-06-02T11:00:03.529Z" id="product_id-1111" score="1" user="username1" source="DC" failure_reason="Bad user name or password" session_id="NA" rawlog_time="1654153117000" exa-msg-type="raw-4776-2" conflict="FALSE" domain="us" result_code="0xc0000011" host="hostname1" is_lockout_first="true" dest_host="hostname2" lockout_order="1" event_type="failed-logon" lockout_id="product_id-1111" time="2022-06-02 10:59:09" event_code="4776" rule_id="rule1" rule_name="Failed logon due to bad credentials" rule_description="This user failed to logon because they entered incorrect credentials. This could be an indication that credentials may have been compromised." rule_reason="Failed logon due to bad credentials"
Sample Parsing
metadata.product_log_id = "product_id-11119"
metadata.product_event_type = "4776"
metadata.event_timestamp = "2022-06-02T15:00:57Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Exabeam"
metadata.product_name = "Fusion XDR"
target.hostname = "hostname2"
target.user.userid = "username1"
target.asset.hostname = "hostname2"
principal.hostname = "hostname1"
principal.asset.hostname = "hostname1"
observer.hostname = "exabeam-observer"
security_result.rule_name = "Failed logon due to bad credentials"
security_result.summary = "Bad user name or password"
security_result.description = "This user failed to logon because they entered incorrect credentials. This could be an indication that credentials may have been compromised."
security_result.severity_details = "1"
security_result.rule_id = "rule1"
extensions.auth.mechanism = "USERNAME_PASSWORD"
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon