This page demonstrates how to initialize the Exabeam Case beat using the command line.
Prerequisites
- Requires an API Key ID and Key Secret, obtained during the steps outlined in NewScale Configuration for Exabeam Case Beat.
- System Monitor version 7.18 or higher is installed.
- JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.
- The following port is open:

| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | Exabeam Beat |
Initialize the Beat
- Run the following command:
  ./lrctl exabeam start
- Select New exabeambeat instance from the options, and then press Enter.
- Enter the base URL for your NewScale instance. If the prepopulated value does not match your base URL, update it. More information related to base URLs can be found here.
- In the Enter the client ID field, enter the Key ID saved after creating the API key. The value is encrypted before being stored.
- In the Enter the client secret field, enter the Key Secret saved after creating the API key. The value is encrypted before being stored.
- The Enter the search URL field is prepopulated, and no action is required. Press Enter to move to the next step.
- Enter the Limit to the number of results returned from a search request. The default value is 3000; the Limit value must be between 0 and 10000.
- In the Enter the filter for the search request field, the value is prepopulated and configured to fetch all cases. This filter can be updated to limit the cases fetched.
- In the Do you want to sort the search results field, type Y and then press Enter to retrieve sorted search results. Otherwise, type N.
- If you entered Y, the Enter the field to sort the search results by: field displays. By default, the prepopulated value is "risk_score". This value can be changed to your liking.
- Select the direction of the Sort Order. By default it is "DESC" (descending), but it can be changed to ASC (ascending).
- In the Specify the timeframe for the Beat application to request data from Exabeam field, enter how often data should be requested via the Exabeam beat. The default value is 60s.
- In the What is the hostname or IP address of the Sysmon JSON Parser? field, enter the hostname or IP address of the machine on which System Monitor version 7.18 or greater is installed.
- Enter the Port where data should be sent. By default, 5044 is prepopulated. This value can be updated if necessary.
- Press Enter. The configuration is saved and the service is started successfully.
- To check the status of the service, run the following command:
  ./lrctl exabeam status
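The answers the prompts above accept can be checked before they are typed into lrctl. The script below is an added example, not part of this page or of lrctl itself; it encodes the constraints stated in the steps (an HTTPS base URL since only outbound 443 is open, a Limit between 0 and 10000, an ASC or DESC sort order, a timeframe such as 60s, a valid parser port) and builds a log-safe copy of the answers so the Key Secret is never echoed. The field names, the duration format and the sample values are assumptions.

```python
import re
from urllib.parse import urlparse

# Constraints as stated by the lrctl prompts on this page.
LIMIT_MIN, LIMIT_MAX = 0, 10000
SORT_ORDERS = {"ASC", "DESC"}
TIMEFRAME_RE = re.compile(r"^\d+[smh]$")  # assumption: a number plus s/m/h, e.g. "60s"

def validate_beat_config(cfg: dict) -> list:
    """Return the problems found in the prompt answers; an empty list means they are acceptable."""
    errors = []
    url = urlparse(str(cfg.get("base_url", "")))
    if url.scheme != "https" or not url.netloc:
        errors.append("base_url must be an https:// URL (the beat only needs outbound 443/HTTPS)")
    for key in ("client_id", "client_secret"):
        if not cfg.get(key):
            errors.append(f"{key} is required (the Key ID / Key Secret from NewScale)")
    limit = cfg.get("limit", 3000)
    if not isinstance(limit, int) or not LIMIT_MIN <= limit <= LIMIT_MAX:
        errors.append(f"limit must be an integer between {LIMIT_MIN} and {LIMIT_MAX}")
    if cfg.get("sort", False):
        if not cfg.get("sort_field"):
            errors.append("sort_field is required when sorting is enabled")
        if cfg.get("sort_order", "DESC") not in SORT_ORDERS:
            errors.append("sort_order must be ASC or DESC")
    if not TIMEFRAME_RE.match(str(cfg.get("timeframe", "60s"))):
        errors.append("timeframe must be a duration such as 60s")
    port = cfg.get("parser_port", 5044)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("parser_port must be a TCP port number between 1 and 65535")
    return errors

def redacted_summary(cfg: dict) -> dict:
    """Copy of the config that is safe to print or log: the secret is dropped, the Key ID masked."""
    out = dict(cfg)
    if out.get("client_secret"):
        out["client_secret"] = "<redacted>"
    if out.get("client_id"):
        out["client_id"] = out["client_id"][:4] + "..."
    return out

# Constructed sample answers (placeholder values, not real credentials).
SAMPLE_CONFIG = {
    "base_url": "https://example-tenant.invalid", "client_id": "key-id-placeholder",
    "client_secret": "key-secret-placeholder", "limit": 3000, "sort": True, "sort_field": "risk_score",
    "sort_order": "DESC", "timeframe": "60s", "parser_host": "10.0.0.5", "parser_port": 5044,
}
BAD_CONFIG = dict(SAMPLE_CONFIG, base_url="http://example-tenant.invalid",
                  client_secret="", limit=20000, sort_order="down", timeframe="60")
```

Run the validator on the answers you intend to give, and only print `redacted_summary()` when recording the configuration anywhere.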