Initialize the Exabeam Case Beat
This page demonstrates how to initialize the Exabeam Case beat using the command line.
Prerequisites
Requires an API Key ID and Key Secret, obtained during the steps outlined in NewScale Configuration for Exabeam Case Beat.
System Monitor version 7.18 or higher is installed.
JSON Parsing is enabled. For more information, refer to Configure Beats for JSON Parsing.
The following port is open:
Direction | Port | Protocol | Source |
---|---|---|---|
Outbound | 443 | HTTPS | Exabeam Beat |
Initialize the Beat
Run the following command:
./lrctl exabeam start
Select New exabeambeat instance from the options, and then press Enter.
Enter the base URL for your NewScale instance.
If the prepopulated value does not match your base URL, update it.
More information related to base URLs can be found here.
In the Enter the client ID field, enter the Key ID saved after creating the API key.
The value is encrypted before being stored.
In the Enter the client secret field, enter the Key Secret saved after creating the API key.
The value is encrypted before being stored.
The Enter the search URL field is prepopulated, and no action is required. Press Enter to move to the next step.
Enter the Limit for the number of results returned from a search request. The default value is 3000.
The Limit value must be between 0 and 10000.
In the Enter the filter for the search request field, the value is prepopulated and configured to fetch all cases.
This filter can be updated to limit the cases fetched.
In the Do you want to sort the search results field, to retrieve search results that are sorted, type Y and then press Enter. Otherwise, type N.
If you entered Y, the Enter the field to sort the search results by: field displays. By default, the prepopulated value is “risk_score”. This value can be changed as needed.
Select the direction of the Sort Order; by default it is “DESC” (descending), but it can be changed to “ASC” (ascending).
In the Specify the timeframe for the Beat application to request data from Exabeam field, enter how often data should be requested via the Exabeam beat.
The default value is 60s.
In the What is the hostname or IP address of the open collector? field, enter the IP of the machine upon which System Monitor version 7.18 or greater is installed.
Enter the Port where data should be sent.
By default, 5044 is prepopulated. This value can be updated if necessary.
Press Enter.
The configuration is saved and the service is started successfully.
To check the status of the service, run the following command:
./lrctl exabeam status
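The following pre-flight check is an added example, not part of the product documentation or of lrctl: it validates the answers the prompts above ask for before you type them in. The function names are hypothetical, the sample values are constructed, the https:// requirement is inferred from the port table (443/HTTPS), and the optional reachability probe assumes nc (netcat) is installed.

```shell
#!/bin/sh
# Added example: sanity-check the wizard answers before running lrctl.
# Hypothetical helper names; sample values at the bottom are constructed.

# Non-negative integer of at most 5 digits (keeps the range tests overflow-safe).
is_uint() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
        *) return 0 ;;
    esac
}

# The Beat reaches NewScale outbound on 443/HTTPS, so reject non-HTTPS base URLs.
valid_base_url() {
    case "$1" in
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Limit must be between 0 and 10000 (default 3000).
valid_limit() { is_uint "$1" && [ "$1" -le 10000 ]; }

# Sort order is ASC or DESC (default DESC).
valid_sort_order() { [ "$1" = "ASC" ] || [ "$1" = "DESC" ]; }

# Open Collector port (default 5044) must be a valid TCP port.
valid_port() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# Optional TCP reachability probe; assumes nc (netcat) is installed.
# Usage: reachable <host> <port>
reachable() { nc -z -w 5 "$1" "$2" >/dev/null 2>&1; }

# Report every bad answer, not just the first. Returns 0 only if all pass.
# Args: base_url limit sort_order collector_port
preflight() {
    rc=0
    valid_base_url "$1"   || { echo "base URL must start with https://" >&2; rc=1; }
    valid_limit "$2"      || { echo "Limit must be 0-10000" >&2; rc=1; }
    valid_sort_order "$3" || { echo "sort order must be ASC or DESC" >&2; rc=1; }
    valid_port "$4"       || { echo "port must be 1-65535" >&2; rc=1; }
    return "$rc"
}

# Constructed sample answers using the defaults the page lists.
if preflight "https://newscale.example.invalid" 3000 DESC 5044; then
    echo "answers look valid"
fi
```

To confirm the network prerequisites as well, call reachable with your own NewScale host on port 443 and your Open Collector host on the chosen port.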