This guide covers how to set up Exabeam Threat Center with Workbench.

Prerequisites

  1. You must have admin access in Workbench to set up this integration.
  2. To create and manage users and API keys in Exabeam, you must be an administrator with full access to your Exabeam subscription. 

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Create Exabeam API Credentials for Expel
  2. Create an Exabeam User for Console Access
  3. Add Exabeam Threat Center as a Security Device in Workbench
  4. Reference

Step 1: Create Exabeam API Credentials for Expel

  1. Log in to the Exabeam Security Operations Platform and in the left navigation, select Settings > Developer > API Keys.
  2. Do one of the following depending on whether there are existing API keys:
    • If there are no existing API keys, in the center of the page, select New API Keys.
    • If there are existing API keys, select New Keys.
      new-keys.png
  3. Configure your new API key:
    • Key Name - enter "Expel Key".
    • Permissions - select Threat Center.
      new-key-configuration.png
  4. Select Create. A confirmation message appears noting your key was created successfully.
  5. Copy and save the Key ID and Key Secret in a safe place, as you will need them to complete a later section.
    expel-key-creds.png
  6. Select Ok, great!. The API Keys list displays again, now including your new API key.

Step 2: Create an Exabeam User for Console Access

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, alerts cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. In the Exabeam Security Operations Platform left navigation, select Settings > Teams > Users.
  2. Select New User.
  3. On the Invite User screen, configure the fields as follows:
    • First Name - enter "Expel".
    • Last Name - enter "SOC".
    • Email - enter "soc+<Your_Organization_Name>@expel.io".
      • For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
    • Roles - select Tier 3 Analyst and Tier 3 Analyst (Advanced Analytics).
      invite_user_flow.png
  4. Select Invite. Expel will receive the account activation email and set a new password.

Step 3: Add Exabeam Threat Center as a Security Device in Workbench

Now that you have the necessary credentials, you can configure the integration in Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Exabeam” and then select the Exabeam Threat Center integration.
    exabeam-wb-add-device.png
  5. In the configuration pane, complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Exabeam Threat Center”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Exabeam API base URL - select the base URL for your deployment region. See more information about selecting the appropriate base URL.
    • API key ID - enter the API Key ID you generated in Step 1.
    • API key secret - enter the API Key Secret you generated in Step 1.
  6. Select Save.
  7. On the console access screen, select Set up later from the dropdown, as Expel will complete console access configuration.
  8. Select Save.
  9. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Reference

Exabeam API Routes Expel Uses

Route                                 Permission
/regional_base_url/auth/v1/token      Administrator
/regional_base_url/v1/search/alerts   Administrator
/regional_base_url/v1/search/cases    Administrator
/regional_base_url/audit/v1/events    Administrator
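The following pre-flight check is an added example and is not part of this guide, nor Expel's or Exabeam's own code. It exchanges the Key ID and Key Secret from Step 1 for a bearer token and then probes each route in the table above, so you can confirm the key has the permission Expel needs before adding the device in Workbench. It assumes the token route accepts an OAuth2 client-credentials JSON body (client_id, client_secret, grant_type) and returns an access_token field, and that the search and audit routes accept a POST with a small JSON body; confirm both against Exabeam's API reference. The fake_send transport is a constructed stand-in so the script runs offline; replace it with urllib_send and your regional base URL to run it for real.

```python
"""Pre-flight check of an Exabeam API key against the routes Expel uses.

Added example, not Expel's or Exabeam's code. Request/response shapes are
assumptions (see comments); confirm them against Exabeam's API reference.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Routes from the reference table, relative to the regional base URL.
TOKEN_ROUTE = "/auth/v1/token"
EXPEL_ROUTES = ("/v1/search/alerts", "/v1/search/cases", "/audit/v1/events")

# A transport takes (url, extra headers, JSON body) and returns (status, body bytes).
Sender = Callable[[str, Dict[str, str], dict], Tuple[int, bytes]]


def urllib_send(url: str, headers: Dict[str, str], body: dict) -> Tuple[int, bytes]:
    """Real transport: POST a JSON body and return the HTTP status and response body."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", **headers},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_token(base_url: str, key_id: str, key_secret: str, send: Sender = urllib_send) -> str:
    """Exchange the Key ID / Key Secret from Step 1 for a bearer token.

    Assumption: the token route takes an OAuth2 client-credentials JSON body
    and answers with an "access_token" field.
    """
    payload = {"client_id": key_id, "client_secret": key_secret, "grant_type": "client_credentials"}
    status, body = send(base_url.rstrip("/") + TOKEN_ROUTE, {}, payload)
    if status != 200:
        # Never echo key_secret in the error: it is a credential, not a diagnostic.
        raise PermissionError(f"token request for key {key_id} failed with HTTP {status}")
    token = json.loads(body).get("access_token")
    if not token:
        raise ValueError("token response did not contain access_token")
    return token


def classify(status: int) -> str:
    """Map an HTTP status to what it means for the integration setup."""
    if status == 200:
        return "ok"
    if status == 400:
        return "authorized (probe body rejected; permission is present)"
    if status == 401:
        return "unauthorized: token rejected"
    if status == 403:
        return "forbidden: key lacks permission for this route"
    if status == 404:
        return "not found: check the regional base URL"
    return f"unexpected HTTP {status}"


def check_routes(base_url: str, token: str, send: Sender = urllib_send) -> Dict[str, str]:
    """Probe each route Expel uses with a minimal body and report the outcome.

    Assumption: the search and audit routes accept POST with a JSON body;
    {"limit": 1} is a placeholder probe, not a documented query.
    """
    headers = {"Authorization": f"Bearer {token}"}
    return {route: classify(send(base_url.rstrip("/") + route, headers, {"limit": 1})[0])
            for route in EXPEL_ROUTES}


def fake_send(url: str, headers: Dict[str, str], body: dict) -> Tuple[int, bytes]:
    """Constructed offline stand-in for the API: one good secret, audit route denied."""
    if url.endswith(TOKEN_ROUTE):
        if body.get("client_secret") == "correct-secret":
            return 200, b'{"access_token": "demo-token"}'
        return 401, b"{}"
    if headers.get("Authorization") != "Bearer demo-token":
        return 401, b""
    if url.endswith("/audit/v1/events"):
        return 403, b""  # simulates a key that was not granted audit-log access
    return 200, b"[]"


if __name__ == "__main__":
    base = "https://api.example.invalid"  # placeholder; use your regional base URL
    tok = fetch_token(base, "expel-key-id", "correct-secret", send=fake_send)
    for route, outcome in check_routes(base, tok, send=fake_send).items():
        print(f"{route}: {outcome}")
```

A 403 on any route means the key will connect but Workbench will not receive that data type, so fix the key's permissions in Exabeam before saving the device; a 404 on every route usually means the wrong regional base URL was chosen.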