DataBee Collections help your security team work smarter by letting you use curated sets of values, such as a list of 100 IP addresses or specific email addresses, in your operations. You can use these custom lists to spot threats quickly, reduce false alarms by suppressing alerts for known safe activity, highlight risky users, or tune down unnecessary alerts from service accounts. Upload a file with your values or use a DataBee query to create a list, give it a name (alias), and then reference that alias across DataBee features such as Detection Chains, Suppression Lists, and Search, saving you time and effort.
Creating a Collection
From the top navigation bar, click on Security and from the dropdown menu, select Collections.
The "Collections" page displays a list of all existing collections.
To create a new collection, click on the Add New Collection button. This takes you to the “Create Collection” page. Follow the steps below, filling in each field as described.
Step 1: Define
Name: enter a unique name for your collection.
Type: select the type of data this collection will hold from the drop-down list (e.g., User, Device, Application, IP, Hash or String).
Description: provide a brief description of the collection's purpose.
Click Next to continue.
Step 2: Add Content
Source Content From: choose how you want to add content to your collection, either by using the DataBee Search and filter option or by importing a CSV or Excel file.
Use DataBee Search
Select the Use DataBee Search option to populate your collection using results from DataBee search against a data lake. You can click on the From Saved Search button and select a saved search query from the list.
Create Collection from: select the relevant event or entity type from the list.
Search Parameters: use the filter options to refine the content for your collection.
Automatic Updates: choose Yes if you want your collection to automatically update with new matching data as it's ingested. This means you won't need to manually re-create or update it. This is helpful for dynamic environments like watching for new users tagged as “terminated” based on real-time logs. Choose No if you want the collection to remain static after creation. It won't pull in new data unless you manually update or re-create it. This is helpful for fixed datasets such as a list of users affected by a phishing campaign in June 2024.
Import From File
Select the Import From File option to upload content directly from a file.
Click on Attach File to upload your collection content. Supported formats are CSV and Excel.
Click Next to proceed.
Step 3: Review
Review the total content you've selected for your collection. You can also use the search option on this page to confirm that all desired entities are included.
The image below shows a User collection.
The next image shows a collection built from a raw list of IP address values.
Click Save to finalize and add your collection to the Collections table. Once saved, you can view your collection displayed on the “Collections” page with information about the collection type, name, description, suppressions, detection chains, and modification information.
Manage Collections
Once you've created collections, you can easily manage them from the "Collections" page.
Under the ‘ACTIONS’ column for each collection, you'll find several icons:
View Details: Click the info icon (i) to see the full details of a specific collection.
Edit Collection: Click the pencil icon to make changes to an existing collection.
Delete Collection: Click the trash can icon to remove an individual collection. A confirmation dialog will appear; click Yes to proceed.
Reviewing a Collection
By clicking the info icon (i) in the ‘ACTIONS’ column, you can review a Collection. This opens a tray on the right side of the page.
At the top of the tray, there is the definition of the Collection:
Description: the description entered by the user when the Collection was created.
Type: the type selected by the user; this determines how the Collection can be used.
Created By: DataBee User that created the Collection.
Date Created: Date the Collection was first saved.
Last Updated: Date the Collection was last changed.
Total Content: searchable list of items in the Collection.
As you continue to scroll, you will reach the operational insights showing how the Collection is used across the DataBee platform. From this view you can navigate directly to the content that references the Collection, which is helpful when investigating how a change may affect current operations.
Suppressions: Count and list of Suppressions that reference the Collection.
Detection Chains: Count and list of Detection Chains that reference the Collection.
Deleting Multiple Collections
To delete more than one collection at once:
Select the checkboxes on the left side of each collection you wish to delete. Click the Delete Collections button. A confirmation dialog box will appear; click Yes to proceed with the deletion.
Filter Collections
You can easily narrow down the list of collections displayed by applying filters.
Use existing parameters like Type, Name, or Description at the top of the page. To add more filter options, select additional parameters from the Add Parameter dropdown list.
Click the Apply button to update the table and show only the collections that match your filters.
To remove all filters and view the complete list of collections again, click the Reset button.
Using a Collection
Collections are intended to simplify taking actions on groups of items. They can be used in Searches, Saved Searches, Detection Chains, and Suppressions to accomplish a variety of use cases.
Searches
Collections can be used within the Search page to simplify operations and use of the DataBee platform. They reduce the effort needed to enter a list of items into a search, and they give the team shared definitions to reuse during investigations. Available Collections appear in the filter options for the relevant OCSF fields based on the Collection Type.
| Type | OCSF Fields | Example Values |
|---|---|---|
| User | DataBee User ID | 4232, 1231 |
| Device | DataBee Device ID | 432, 121 |
| Application | DataBee Application ID | 32, 121 |
| Hash | Hash.value | a606bb931c5ec8dc17755b6355b37a70c1701e01cf500e447834ee26069bf588 |
| IP | IP, X-Forwarded-For, X-Originating-IP | 32.121.12.3 |
| String | All String-type fields | List of email accounts, domains, URLs, commands, etc. |
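Because a Collection is only as useful as the values in it, an import file is worth checking against the Collection Type before it is uploaded in the Import From File step. The following Python helper is an added example, not DataBee's own tooling; it assumes a one-column CSV layout and that User/Device/Application IDs are numeric as in the table above, neither of which the page states, and it uses the table's example hash and IP as constructed sample input.

```python
import csv
import io
import ipaddress


def _valid(ctype: str, value: str) -> bool:
    """Return True when value is well-formed for the given Collection Type."""
    if ctype in ("User", "Device", "Application"):
        return value.isdigit()  # assumption: DataBee entity IDs are numeric, as in the table
    if ctype == "IP":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
            return True
        except ValueError:
            return False
    if ctype == "Hash":  # matched against Hash.value: MD5, SHA-1 or SHA-256 hex digest
        v = value.lower()
        return len(v) in (32, 40, 64) and all(c in "0123456789abcdef" for c in v)
    if ctype == "String":
        return value != ""
    raise ValueError(f"unknown collection type: {ctype}")


def prepare_collection(ctype: str, csv_text: str) -> tuple[list[str], list[str]]:
    """Read a one-column CSV (assumed import layout), trim whitespace, drop blank rows,
    de-duplicate (hashes case-insensitively) and split rows into (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        value = row[0].strip()
        key = value.lower() if ctype == "Hash" else value
        if not _valid(ctype, value):
            rejected.append(value)
        elif key not in seen:
            seen.add(key)
            accepted.append(key)
    return accepted, rejected


# Constructed sample: an IP list with a duplicate, a blank line and a malformed address.
SAMPLE_IP_CSV = "32.121.12.3\n10.0.0.5\n32.121.12.3\n\n999.1.1.1\n"
# Constructed sample: the table's example SHA-256 in two cases, plus a truncated digest.
SAMPLE_HASH_CSV = ("A606BB931C5EC8DC17755B6355B37A70C1701E01CF500E447834EE26069BF588\n"
                   "a606bb931c5ec8dc17755b6355b37a70c1701e01cf500e447834ee26069bf588\n"
                   "deadbeef\n")

if __name__ == "__main__":
    for ctype, text in (("IP", SAMPLE_IP_CSV), ("Hash", SAMPLE_HASH_CSV)):
        ok, bad = prepare_collection(ctype, text)
        print(f"{ctype}: {len(ok)} accepted, {len(bad)} rejected {bad}")
```

Rejected rows are returned rather than silently dropped so the analyst can fix the file instead of discovering a missing indicator after the Collection is already referenced by a Detection Chain.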
Saved Searches
Collections can be used in Saved Searches for repeated use in workflows.
Save as Default
Collections can be used in the Default view that is presented when navigating to the Search Page to align to the customized needs of the user.
Detection Chains
Collections can be used within the Links of a Detection Chain to automate the management of the items you want to act on. Each Collection Type opens the door to automating security operations tasks:
User Collections: Create Collections of high-risk employees that can be automatically updated based on DataBee Search criteria to elevate severity and kick off investigations:
Administrator Accounts
Executives
Recently Resigned Employees
Device Collections: Create Collections of mission critical assets that can be automatically updated based on DataBee Search criteria to elevate severity and kick off investigations:
Compliance Required Assets, such as PCI
Externally facing production assets
Executives’ devices
Application Collections: Create Collections of mission critical applications that can be automatically updated based on DataBee Search criteria to elevate severity and kick off investigations:
Compliance Required Applications, such as PCI
Externally facing production applications
Security controls and tools
Hash Collections: Upload a Collection of hashes to hunt for specific threat types:
A known threat actor's malicious hashes, taken from the latest threat blog
Hashes related to exploits of known software in the environment
IP Collections: Upload a Collection of IP addresses, either internal or external, to:
Elevate severity for externally facing IP space
Hunt for HTTP activity to a list of IPs used in the latest threat intel report
String Collections: Upload a Collection of Strings to look for exact text matches and unlock use cases like:
Hunt for process commands associated with known threat activity
Elevate severity for phishing attempts sent to shared email accounts
For example, to elevate the severity of Detection Findings for high-risk Collections, create a new detection chain with the Severity level you want findings raised to.
Navigate to the Links section in the “Create Detection Chain” page. From the ‘Create Link For’ field, select Detection Finding from the dropdown. From the ‘Add Parameter’ filter dropdown, select ‘DataBee User ID’ or ‘DataBee Device ID’ depending on the collection you want to use. Set the ‘In’ operator to include the name of your collection. This will be in the format name(%unique_identifier%). Update the ‘Search Parameters’ to include other desired filters, such as filtering on the security tool source or on the severities to upgrade. Once completed, click Add/Update Link, and then click Save Chain to apply the changes.
Collections will appear in the format of %unique_identifier% when used in a Detection Chain Link.
Suppressions
Collections can be used within Suppressions to quiet down the noise for collections of users, devices, or strings:
User Collections: Create Collections of accounts that can be automatically updated based on DataBee Search criteria to reduce the severity for normal business operations such as:
Service Accounts that run updates on a schedule and trigger false positives consistently during the upgrade window
IT Support accounts that trigger a set of detections during common troubleshooting activities
Device Collections: Upload Collections of devices to reduce the severity for normal business operations such as:
Guest Wi-Fi activity
Honeypot Activity
String Collections: Upload a list of known “Analytics Names” or “Rule UIDs” to reduce the severity for normal business operations.