This page describes how to initialize the Exabeam Case beat, either from the web console (recommended) or from the command line (legacy).
Prerequisites

- Requires an API Key ID and Key Secret, obtained during the steps outlined in NewScale Configuration for Exabeam Case Beat.
- System Monitor version 7.18 or higher is installed.
- JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.
- The following port is open:

| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | Exabeam Beat |
Initialize the Beat via the Web Console (Recommended)

- Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.
- Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing. Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON Parsing.
- Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.
Initialize the Beat via Command Line (Legacy)

- Start the beat:

      ./lrctl exabeam start

- Use the Up and Down Arrow keys to select New exabeambeat instance from the list, and then press Enter.
- Enter the base URL for your NewScale instance. If the prepopulated value does not match your base URL, update it. More information related to base URLs can be found here.
- In the Enter the client ID field, enter the Key ID saved after creating the API key, and then press Enter. The value is encrypted before being stored.
- In the Enter the client secret field, enter the Key Secret saved after creating the API key, and then press Enter. The value is encrypted before being stored.
- The Enter the search URL field is prepopulated, and no action is required. Press Enter to move to the next step.
- Enter the Limit to the number of results returned from a search request, and then press Enter. The default value is 3000; the Limit value must be between 0 and 10000.
- In the Enter the filter for the search request field, the value is prepopulated and configured to fetch all cases. This filter can be updated to limit the cases fetched.
- In the Do you want to sort the search results field, type Y and then press Enter to retrieve sorted search results; otherwise, type N.
- If you entered Y, the Enter the field to sort the search results by: field displays. By default, the prepopulated value is "risk_score". This value can be changed to your liking.
- Select the direction of the Sort Order; by default it is "DESC" (descending), but it can be changed to ASC (ascending).
- In the Specify the timeframe for the Beat application to request data from Exabeam field, enter how often data should be requested via the Exabeam beat. The default value is 60s.
- Enter the hostname or IP address of the System Monitor Agent that has been Configured for JSON Parsing, and then press Enter. Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON Parsing.
- Enter the port on which the System Monitor Agent is configured to listen for JSON data (the default is 5044), and then press Enter. The exabeambeat service started message appears.
- Check the status of the service to confirm that it is running:

      ./lrctl exabeam status

- (Optional) Edit the exabeambeat configuration to update the values set above if needed. Ensure that you have all the needed information for each step available, as you will need to re-enter it:

      ./lrctl exabeam config edit
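Because the wizard above asks for every value interactively and `config edit` makes you re-enter all of them, it helps to sanity-check the answers before typing them in. The following is an added example, not part of this page or of lrctl: a small pre-flight validator that applies the constraints stated in the steps (HTTPS base URL on the outbound 443 port, limit between 0 and 10000, ASC/DESC sort order, a timeframe such as 60s, agent port defaulting to 5044) and never echoes the client secret in its findings. The dictionary keys and the accepted duration units (ms, s, m, h) are assumptions for the example, not lrctl's own field names or syntax.

```python
"""Pre-flight validator for answers to the `lrctl exabeam start` wizard (added example)."""
import re
from urllib.parse import urlparse

# Constraints taken from the steps above; field names are assumed, not lrctl's own.
LIMIT_RANGE = (0, 10000)
SORT_ORDERS = {"ASC", "DESC"}
DURATION_RE = re.compile(r"^(\d+)(ms|s|m|h)$")  # assumed unit set; the page only shows "60s"


def parse_duration_seconds(value):
    """Parse a timeframe like "60s" into seconds; return None if it is malformed."""
    m = DURATION_RE.match(str(value).strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return n * {"ms": 0.001, "s": 1, "m": 60, "h": 3600}[unit]


def validate_answers(a):
    """Return a list of problems (empty means the answers look usable).

    Only field names are reported, never the values, so the client secret
    cannot leak into logs or terminal output through this check.
    """
    problems = []
    url = urlparse(a.get("base_url", ""))
    if url.scheme != "https" or not url.hostname:
        problems.append("base_url must be an https:// URL (the beat uses outbound 443/HTTPS)")
    elif url.port not in (None, 443):
        problems.append("base_url uses a port other than 443; only 443 is listed as required")
    for secret in ("client_id", "client_secret"):
        if not a.get(secret):
            problems.append(f"{secret} is empty")
    limit = a.get("limit", 3000)
    if isinstance(limit, bool) or not isinstance(limit, int) or not LIMIT_RANGE[0] <= limit <= LIMIT_RANGE[1]:
        problems.append("limit must be an integer between 0 and 10000")
    if a.get("sort", False):
        if a.get("sort_order", "DESC") not in SORT_ORDERS:
            problems.append("sort_order must be ASC or DESC")
        if not a.get("sort_field", "risk_score"):
            problems.append("sort_field is empty")
    if parse_duration_seconds(a.get("timeframe", "60s")) is None:
        problems.append("timeframe must look like 60s, 5m or 1h")
    if not a.get("agent_host"):
        problems.append("agent_host (System Monitor Agent hostname or IP) is empty")
    port = a.get("agent_port", 5044)
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("agent_port must be between 1 and 65535 (default 5044)")
    return problems
```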