What’s New in Exabeam Product Development – July 2024

  • Aug 01, 2024
  • Jeannie Warner
  • 2 minutes to read

    Our July product release introduces three new major features: Proofpoint Targeted Attack Protection (TAP) support, GeoIP field support for visualizations, and correlation rule definitions within Threat Center.

    Proofpoint on Demand Collector

    Proofpoint on Demand is a cloud-based platform offering security services to protect businesses against threats. This Collector includes email security, threat intelligence, information protection, and compliance solutions. It contains detailed Proofpoint email activity and data exfiltration logs and alerts. 

    For the July release, a pre-built Proofpoint on Demand Collector is now generally available (GA) on the Exabeam Security Operations Platform. It integrates seamlessly with Exabeam, providing a richer dataset that includes message details, user clicks, and blocking information. This helps Exabeam machine learning-based AI identify suspicious user behavior, improving threat investigations and threat hunting. 

    SentinelOne Alerts and Threats Collectors

    SentinelOne is a next-gen solution that autonomously defends every endpoint against every type of attack at every stage in the threat lifecycle. Joint customers can now ingest threat and incident data directly from SentinelOne into the Exabeam Security Operations Platform to baseline normal behavior. This data, combined with data from other IT and security solutions, gives security analysts greater visibility into advanced attacks.

    Exabeam has migrated the older SentinelOne Threats Collector to the new infrastructure and released a new SentinelOne Alerts Collector. 

    Netskope Alerts and Events Collectors

    Two new Collectors for Netskope Alerts and Netskope Events are now GA, offering customized data sources and increased URL visibility to improve threat detection. Compared with the previous instance, the Netskope Alerts Collector improves the scalability and reliability of ingestion into the Exabeam platform. The Netskope Events Collector gathers data from Netskope’s cloud application monitoring, helping prevent shadow IT activity and allowing analysts to pinpoint unexpected activity or anomalies and correlate them with other threat activity across their ecosystem.

    Advanced Query Language—Now With Pipe! 

    Our engineers and product team have been working on this one and testing it all summer, and I’m thrilled to announce that Advanced EQL now includes Pipe (|) options for building complex queries. The pipe function allows analysts and threat hunters to build much more powerful, complex search queries for analyzing log data during investigations.

    Example of using pipe to group, sort, and order:

    SELECT src_ip, dest_port
    GROUP-BY src_ip, dest_port
    ORDER-BY src_ip, dest_port
      | SELECT src_ip, count(dest_port) AS port_scanned_count
      GROUP-BY src_ip
    | port_scanned_count > 5
    ORDER-BY port_scanned_count DESC

    Users can create up to 1,000 pipe operator queries per month, per tenant. 
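The staged logic of the query above, reproduced in Python over constructed events as an added example (this is not Exabeam code or query syntax). It assumes each pipe stage consumes the rows produced by the previous one, so the count in the second stage is the number of distinct destination ports per source; the field names come from the query, while the sample events and function names are made up here.

```python
from collections import defaultdict


def _events(src, ports):
    """Build constructed connection events for one source address."""
    return [{"src_ip": src, "dest_port": p} for p in ports]


# Constructed sample data (not real logs).
EVENTS = (
    _events("10.0.0.5", [21, 22, 23, 25, 80, 443, 3389, 443, 443])  # 7 distinct ports
    + _events("10.0.0.7", [22, 80, 443, 8080, 8443])                # exactly 5 ports
    + _events("10.0.0.8", [135, 139, 445, 1433, 3306, 5432])        # 6 distinct ports
    + _events("10.0.0.9", [443] * 20)                               # busy, but 1 port
)


def distinct_pairs(events):
    """Stage 1: one row per (src_ip, dest_port), ordered by both fields."""
    return sorted({(e["src_ip"], e["dest_port"]) for e in events})


def ports_per_source(pairs):
    """Stage 2: count the stage-1 rows for each src_ip (port_scanned_count)."""
    counts = defaultdict(int)
    for src_ip, _port in pairs:
        counts[src_ip] += 1
    return dict(counts)


def scanners(events, threshold=5):
    """Stage 3: keep sources above the threshold, highest count first."""
    counts = ports_per_source(distinct_pairs(events))
    hits = [(src, n) for src, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for src_ip, port_scanned_count in scanners(EVENTS):
        print(src_ip, port_scanned_count)
```

Because the first stage collapses repeated connections, a host that opens many sessions to a single port is not flagged, and the strict `> 5` comparison leaves out a source that touched exactly five ports.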

    Webhook Support in Three New Regions

    Exabeam now supports Webhook in Singapore, Canada, and Switzerland. Previously, these regions could not support Webhook due to external API Gateway limitations. With the new platform and a regional tenant-level modification, Webhook support is now available in any Exabeam Security Operations Platform instance, and will be in future instances as we expand our global presence. If Webhook is the best path to ingesting your data into the Exabeam platform, we have you covered.

    For a detailed list and descriptions of the features introduced in the Exabeam July release, please refer to the Exabeam Security Operations Platform Release Notes.

    Stay up to date with Exabeam Community

    Dig into the new release in the Exabeam Community. Engage in live ExaExpert Q&A sessions every other week, or join technical discussions at your convenience. Your curiosity and questions are always welcome.

    Jeannie Warner

    Director, Product Marketing | Exabeam | Jeannie Warner, CISSP, is the Director of Product Marketing at Exabeam. Jeannie is an information security professional with over twenty years in infrastructure operations/security starting her career in the trenches working in various Unix help desk and network operations centers. She started in Security Operations for IBM MSS and quickly rose through the ranks to technical product and security program manager for a variety of software companies such as Symantec, Fortinet, and Synopsis (formerly WhiteHat) Security. She served as the Global SOC Manager for Dimension Data, building out their multi-SOC “follow the sun” approach to security. Jeannie was trained in computer forensics and practices, and plays a lot of ice hockey.
