Exabeam Security Investigation

Exabeam Security Investigation provides use-case driven threat detection, investigation, and response automation, across events from multiple security stacks and data repositories.

Advanced correlation capabilities

Exabeam Security Investigation adds content, workflows, and automation to provide outcome-focused threat detection, investigation, and response (TDIR) capabilities to ineffective products. To help standardize around TDIR best practices, Exabeam Security Investigation includes prescribed workflows for ransomware, phishing, malware, compromised insiders, and malicious insiders, and pre-built content, focusing on specific threat types and techniques.

Flexible integration to augment your security investments

Exabeam Security Investigation runs on top of a legacy SIEM or data lake to upgrade an organization’s defenses and contend with sophisticated and credential-based attacks. This enhances your existing investments and data repository.

• 200+ on-premises connectors
• 60+ cloud-delivered security product connectors
• 10+ SaaS productivity product connectors
• 20+ cloud infrastructure product connectors
• 7,937 pre-built parsers
• 65 SOAR integrations
• 576 SOAR response actions

Uplevel your security team to confidence, speed, and performance while getting more out of your existing cloud and on-premises infrastructure investments, as you unify them into a single control plane for monitoring and operations.

Understand normal behavior

The majority of today’s attacks involve compromised credentials, and most security products can’t help. To understand normal behavior and detect anomalies, even as normal keeps changing, all user and device activities get baselined and assigned a risk score. 1,800 rules, including cloud infrastructure security, and over 750 behavioral model histograms power Smart Timelines™ to convey the complete history of an incident, showing complete event flows, like lateral movement and credential use, visualizing the risk score associated with each event. The result: find and stop the threats others tools miss, and uplevel your security team speed and performance to stay ahead of your adversaries.

Detect and prioritize anomalies

Exabeam UEBA capabilities include over 1,800 fact-based correlation rules and over 750 behavioral model histograms. Smart Timelines™ visualize the complete history of an incident and highlight the risk associated with each event. Anomaly Search in Exabeam Security Investigation provides a simplified search experience with fast query results. A single interface allows analysts to search for Exabeam-triggered events across their data repository, pairing behavior-based TTP detection with known IoCs to enhance an analyst’s threat hunting capabilities.

Automated investigation and response

Exabeam Security Investigation automates the manual, time-consuming steps of performing detection, triage, and investigation while guiding the analyst through response. Machine learning-informed Smart Timelines automatically gather evidence, apply risk scoring, and assemble it into a cohesive story that can be used to perform an initial investigation. Turnkey Playbooks apply use case-centric workflow actions to guide investigations with tailored checklists that prescribe steps for resolution. Actions and response playbooks perform automated phishing, malware, and IoC lookups, and integrate with leading security and IT products, provide nearly 600 response actions to help automate the resolution of those steps.

How it works

Exabeam Security Investigation ingests, parses and stores logs, and uses a new common information model (CIM), data enrichment using threat intelligence and other context, to help create security events. To standardize around best practices, Exabeam Security Investigation includes prescriptive use case content that focuses on specific threat types (e.g., ransomware, phishing, malware, compromised credentials). With Exabeam Security Investigation, analysts are able to run their end-to-end TDIR workflows from a single control plane that performs automation of highly manual tasks such as alert triage with dynamic alert prioritization, detailed incident investigation, and incident response with options to add on hundreds of SOAR integrations. To provide a better understanding of your security posture, the Security Investigation Outcomes Navigator analyzes your use case coverage and offers data source, and parsing configuration changes to close any gaps.