Purpose

This guide explains how to integrate Exabeam with AirMDR by securely connecting the two platforms using Exabeam’s API credentials. Once integrated, AirMDR can pull relevant incident, behavioral, and analytic data from Exabeam into automated detection and triage playbooks.

Supported Versions

  • Exabeam Advanced Analytics (Cloud / On-Prem)
  • Exabeam Fusion (Cloud)
  • API Versions: v1, v2

Authentication Method

This integration uses OAuth2 Client Credentials to authorize secure communication between AirMDR and Exabeam. You will need the following credentials from Exabeam:
  • API URL
  • Client ID
  • Client Secret
These must be generated via the Exabeam UI portal as detailed below.

Pre-requisites

Before setting up the Exabeam integration in AirMDR, ensure the following requirements are met:
Access and Permissions
  • 🔐 You have Admin access to the Exabeam UI (Cloud or On-Prem) with permissions to:
    • Create API Clients (OAuth2 Client Credentials)
    • View or configure scopes for incidents, user behavior, and analytics modules
  • 👤 You are logged in to AirMDR as an Org Super Admin to configure integrations and connections.
Exabeam Environment Details
  • 🌐 Exabeam tenant or server hostname
    (e.g., yourcompany.exabeam.com or exabeam.internal.local)
  • 📥 Network access from AirMDR to the Exabeam API endpoint over HTTPS (443)

Generate Exabeam API Base URL, Client ID & Secret

Step 1: Log into Exabeam Admin Console

  1. Open your browser and log in to your Exabeam instance:
    • https://<your-instance>.exabeam.com
  2. Use your admin credentials with appropriate permissions to create OAuth clients.
Step 2: Navigate to API Management

  1. After login, go to the Admin Tools or Settings section.
  2. Click on API Management or Client Credentials (naming may vary by version).
    • In some versions, you can also search for OAuth2 Clients or API Clients from the top search bar.
Step 3: Create a New API Client

  1. Click “Create New Client” or “Add Client Credentials”.
  2. Fill in the following details:
| Field | Value |
|---|---|
| Client Name | AirMDR-Integration (or any recognizable name) |
| Grant Type | Client Credentials |
| Permissions / Scopes | Select read-only scopes for: incidents, users, analytics, audit logs (as per your use case) |
| Redirect URI | Not required for client credentials grant |
  3. Click Save / Generate.
Step 4: Copy and Save Credentials

  1. After saving, Exabeam will show the generated credentials:
    • Client ID
    • Client Secret
    Copy and save these credentials immediately; the Client Secret is shown only once.
Step 5: Locate Your API URL

  • The API URL will depend on your deployment type:
    • Cloud Deployment
      https://<your-tenant>.api.exabeam.com
    • On-Prem Deployment
      Check your server documentation or reach out to your Exabeam admin. Typically:
      https://<exabeam-server-host>/api
    Test the endpoint by visiting /api/v1/incidents using tools like Postman or cURL with a valid token.
Step 6: Configure Exabeam API in AirMDR

Done! You now have the required credentials:
  • Client ID → For API authentication
  • Client Secret → Used only once to get an access token
  • API URL → Endpoint for all API calls
    Share the Client ID, Client Secret and API URL securely with AirMDR.
    (or)
    Self-configure the Exabeam API in the AirMDR Integrations Dashboard.

Skills Provided by this Integration

| Skill ID | Purpose |
|---|---|
| Update Exabeam Alert Details | Updates the details of a specific alert in Exabeam Threat Center. Allows modification of alert name, description, priority, and tags. |
| Get Exabeam Threat Summary | Retrieves an AI-generated threat summary for a specific alert from Exabeam. Optionally provide a prompt to direct and focus the threat summary content. |
| Search Exabeam Cases | Searches for cases in Exabeam Threat Center based on specified filters, time range, and other criteria. Returns a list of cases matching the search parameters. |
| Search Exabeam Alerts | Searches for alerts in Exabeam Threat Center based on specified filters, time range, and other criteria. Returns a list of alerts matching the search parameters. |
| Get Exabeam Alert Details | Retrieves detailed information about a specific alert from Exabeam Threat Center using the alert ID. |

To view the details of Input Parameters and Output for the respective skills:
  • Go to AirMDR → Exabeam Integration page.
  • Select the Skills tab and click on the required listed skills.

Data Flow & Security

✅ What’s Collected
  • Incidents
  • UBA scores
  • User activity logs
🔐 Security
  • OAuth2 (client credentials flow)
  • TLS 1.2+ enforced
  • No interactive user credentials are stored

Monitoring & Logs

  • Integration runs and API responses are logged in the AirMDR Playbook Execution History.
  • View response payloads and errors in step output preview.

Error Handling

| Issue | Resolution |
|---|---|
| Invalid client credentials | Recreate or reissue client in Exabeam |
| API timeout | Validate endpoint and reduce fetch window/limit |
| No data returned | Ensure scope includes required Exabeam modules |

Support & Maintenance

  • 📧 Contact AirMDR Support through your designated support channel.
  • 🔁 Rotate credentials regularly in Exabeam → API Clients.
  • 🔄 Reconnect in AirMDR when secrets are changed.

Configure Exabeam API in AirMDR Integrations Dashboard

  1. Navigate to AirMDR, provide the credentials and click Login.
  2. Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select Integrations.
  3. Use the search option, enter the keyword “Exabeam”, select the Connections tab, and click Add New Connection.
  4. Enter a unique name for the Instance (e.g., your org name-Exabeam) and a brief Description so that the connection can be easily identified in AirMDR.
  5. Enter the generated client_id, client_secret, API base_url and Expiry (optional) in the Authentication Details field params, and click Save.

Evaluate Exabeam API

Test Exabeam API Using cURL

Open a terminal and run the following cURL commands to check that your API credentials are working:

# Step 1: Get Access Token using OAuth2 Client Credentials
curl -X POST https://<your-tenant>.api.exabeam.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<YOUR_CLIENT_ID>" \
  -d "client_secret=<YOUR_CLIENT_SECRET>"
✅ This will return a response with an access_token.

# Step 2: Use the Access Token to Call Exabeam API (e.g., List Incidents)
curl -X GET https://<your-tenant>.api.exabeam.com/api/v1/incidents \
  -H "Authorization: Bearer <ACCESS_TOKEN>" \
  -H "Content-Type: application/json"
Response
  • HTTP 200 with a JSON payload listing Exabeam incidents
  • If invalid credentials are used, you’ll receive a 401 Unauthorized or token error
Replace <your-tenant> with your Exabeam domain, and ensure the token endpoint is correct for your environment (Cloud or On-Prem).

Always use HTTPS for secure communication.
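
A scripted form of the two-step check above, as an added example that is not AirMDR's or Exabeam's own code. It keeps the client secret and the bearer token out of the curl command line by passing them on stdin, refuses non-HTTPS URLs, and maps failures to the Error Handling table. The environment variable names EXABEAM_API_URL, EXABEAM_CLIENT_ID and EXABEAM_CLIENT_SECRET and all function names are assumptions.

```shell
# Added example. EXABEAM_API_URL, EXABEAM_CLIENT_ID and EXABEAM_CLIENT_SECRET
# are hypothetical variable names the caller is assumed to export.

# Refuse any base URL that is not https:// so the secret never leaves in cleartext.
require_https() {
  case "$1" in
    https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull access_token out of the token response (simple sed match, no jq needed).
token_from_json() {
  printf '%s' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map an HTTP status to the resolutions in the Error Handling table.
# curl reports 000 when no HTTP response was received (e.g. a timeout).
explain_status() {
  case "$1" in
    200) echo "ok" ;;
    401) echo "invalid client credentials: recreate or reissue client in Exabeam" ;;
    000) echo "no response: validate endpoint and reduce fetch window/limit" ;;
    *)   echo "unexpected HTTP $1" ;;
  esac
}

# Step 1: request a token. The secret is piped to curl on stdin
# (client_secret@-), so it is URL-encoded by curl and never appears in argv.
get_token() {
  require_https "$EXABEAM_API_URL" || { echo "API URL must be https://" >&2; return 1; }
  resp=$(printf '%s' "$EXABEAM_CLIENT_SECRET" |
         curl -sS --proto '=https' --tlsv1.2 --max-time 30 -w '\n%{http_code}' \
              --data-urlencode 'grant_type=client_credentials' \
              --data-urlencode "client_id=$EXABEAM_CLIENT_ID" \
              --data-urlencode 'client_secret@-' "$EXABEAM_API_URL/oauth2/token")
  code=$(printf '%s\n' "$resp" | tail -n 1)
  [ "$code" = 200 ] || { explain_status "$code" >&2; return 1; }
  token_from_json "$(printf '%s\n' "$resp" | sed '$d')"
}

# Step 2: list incidents. The Authorization header is read from a curl
# config on stdin (-K -), again keeping the token out of the process list.
list_incidents() {
  printf 'header = "Authorization: Bearer %s"\n' "$1" |
    curl -sS --proto '=https' --tlsv1.2 --max-time 30 -K - \
         "$EXABEAM_API_URL/api/v1/incidents"
}
```

After exporting the three variables, run `list_incidents "$(get_token)"` to perform both steps.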