# Send data to Exabeam

## Overview <a href="#overview" id="overview"></a>

You can send logs to [Exabeam](https://www.exabeam.com/) using an [Exabeam Webhook Cloud Collector](https://docs.exabeam.com/en/collectors/all/cloud-collectors-administration-guide/onboard-cloud-collectors/webhook-cloud-collectors.html) and our [HTTP Data sink](/the-workspace/data-sinks/data-sink-integrations/send-data-using-http.md).

## Exabeam Webhook Cloud Collector configuration <a href="#cloud-collector-configuration" id="cloud-collector-configuration"></a>

Follow these steps to generate the required Exabeam webhook:

{% stepper %}
{% step %}
Log in to the New-Scale Security Operations Platform with your registered credentials as an administrator.
{% endstep %}

{% step %}
Navigate to **Collectors** > **Cloud Collectors** and click **New Collector**.
{% endstep %}

{% step %}
Click **Webhook**. Set the name for the Cloud Collector instance and select the required format. (**JSON** or **Raw**). For the Onum ingestion, we recommend selecting the **Raw** format just in case you want to keep the header of the event, but this might vary depending on your needs.
{% endstep %}

{% step %}
Click **Install**. A message will display the authentication token and the URL to which logs are sent.
{% endstep %}

{% step %}
Copy the authentication token and URL. The URL should match the following structure: `https://api2.<REGION>.exabeam.cloud/cloud-collectores/v1/logs/<FORMAT>`
{% endstep %}

{% step %}
Now, access Onum and create a [**Secret**](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management) using the **bearer token** obtained here. You will need to enter this information later in the HTTP Data sink configuration.
{% endstep %}
{% endstepper %}

## Data sink configuration <a href="#data-sink-configuration" id="data-sink-configuration"></a>

To start sending data to Exabeam, follow these steps:

{% stepper %}
{% step %}
Create a new [HTTP Data sink](/the-workspace/data-sinks/data-sink-integrations/send-data-using-http.md). To do it, go to **Data sinks > New Data sink** and double-click **HTTP**.
{% endstep %}

{% step %}
Give your Data sink a **Name** and, optionally, add a **Description** and some **Tags**. Click **Finish** when you're done.
{% endstep %}

{% step %}
Now, drag your Data sink to the required [Pipeline](/the-workspace/pipelines.md) canvas. Link it to the required [Listener](/the-workspace/listeners.md)/[Action](/the-workspace/pipelines/actions.md) and double-click it to configure it.
{% endstep %}

{% step %}
Fill the following parameters as follows:

* **HTTP method**<mark style="color:red;">**\***</mark> - Choose `POST`.
* **URL**<mark style="color:red;">**\***</mark> - Enter your Exabeam endpoint, which should have the following format: `https://api2..exabeam.cloud/cloud-collectores/v1/logs/`
* **Message -** Choose the field that contains the raw messages you would like to send to Exabeam.
  {% endstep %}

{% step %}
Set as required:

* **Content-Type**
* **Support special characters**
* **Use gzip**
* **HTTP headers**
  {% endstep %}

{% step %}
In the **Bulk configuration** section, fill in the parameters as follows:

* Set **Bulk allow**<mark style="color:red;">**\***</mark> to *true*
* If you have selected the **Raw** format, choose **Manual delimiter**<mark style="color:red;">**\***</mark> and leave it as new line (`\n`).
* **Maximum number of buffers per server URL**<mark style="color:red;">**\***</mark> - Set as required
* **Event amount**<mark style="color:red;">**\***</mark>, **Event time limit**<mark style="color:red;">**\***</mark> These would depend on the length of the messages you want to forward.

{% hint style="warning" %}
Each batch request is restricted to 32 MB for uncompressed payloads and 2 minutes. For optimal performance, batch as many messages as possible within a single HTTP POST request, with a request limit of 32 MB.
{% endhint %}
{% endstep %}

{% step %}
Set the **Authentication type**<mark style="color:red;">**\***</mark> to **Bearer** and in the **Token**<mark style="color:red;">**\***</mark> field, choose the [Secret](/administration/global-settings/organization-settings/secrets-management.md) you created before (see above for help on finding this).
{% endstep %}

{% step %}
In the [Secrets](/administration/global-settings/organization-settings/secrets-management.md) area, **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the corresponding value.
* Click **Save**.

<figure><picture><source srcset="/files/NeeWsSQzoChVxRIY76Nt" media="(prefers-color-scheme: dark)"><img src="/files/1oTccyPmgZJ1laY7IhZH" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}

You can now select the created secrets in the configuration.
{% endstep %}

{% step %}
Fill in the rest of the parameters and required, and click **Save**.
{% endstep %}
{% endstepper %}

<figure><picture><source srcset="/files/Z8cCk2m299F1mRzlg4jo" media="(prefers-color-scheme: dark)"><img src="/files/4Lpd7K7Te4rVcX7sJhuR" alt=""></picture><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.onum.com/the-workspace/data-sinks/data-sink-integrations/send-data-using-http/send-data-to-exabeam.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.