Skip to main content

Advanced AnalyticsAdvanced Analytics Administration Guide

Table of Contents

Syslog Notifications Key-Value Pair Definitions

The Incident Notifications sent via Syslog to your SIEM use the following parameters in their key-value pairs. The pairs are separated by a space (for example, reasons_count="3" score="135").

The following tables define each extension field key in Syslog messages by Event Type for Advanced Analytics v.i48 and later.

Event Type: System Health

Key Name

Key Value

Description

Syslog Key

Value Example

service

Service of the system health

The service of the system health.

service="Analytics Log Ingestion"

status

Status of the system health

The status of the system health, either "running" or "stopped".

status="stopped"

Event Type: Notable Sessions / Anomalies

Key Name

Key Value

Description

Syslog Key

Value Example

id

Session, sequence, or asset sequence ID

The ID of the session, sequence, or asset sequence ID.

Also the triggered rule containerId of a session or sequence.

id="npage-201905151524"

url

URL to the session, sequence, or asset sequence

The URL to the session, sequence, or asset sequence in the timeline.

url="https://<ExabeamAA>:8484/uba/ #user/admin/ timeline/admin- 201906241700"

entity_value

Asset sequence entity value

The asset sequence entity value.

entity_value="dev_kr"

score

Session, sequence, or asset sequence risk score

The session, sequence, or asset sequence risk score.

Also the triggered rule risk score.

score="316"

sequence_type

Type of sequence

The type of sequence or asset sequence entity name.

sequence_type="lockout"

start_time

loginTime in UTC format

The loginTime for the session or sequence.

Also the day for the asset sequence.

start_time="2019-05- 25T08:05:24-07:00"

end_time

logoutTime in UTC format

The logoutTime for the session or sequence.

Also the start_time + 24 hours for the asset sequence.

end_time="2019-05- 25T18:26:24-07:00"

status

Status of the session or sequence

The status of the session or sequence, either "open" or "closed". It is closed if logoutTime is != 0, otherwise it is open.

status="closed"

user

Session or sequence username

The session or sequence user.

Also the triggered rule username.

user="admin"

src_host

Session or sequence loginHost

The session or sequence loginHost.

Also the triggered rule src host. (optional)

src_host="dc_464"

src_ip

Session src_ip

The session src_ip.

Also the triggered rule src_ip. (optional)

src_ip="10.55.0.123"

accounts

Session or sequence accounts

The session or sequence accounts.

accounts="achan, tmiles, dgreen, mbridges"

labels

Session or sequence labels

The session or sequence labels.

labels="TIME"

assets_count

Session or sequence assets count

The total number of assets recorded for the session or sequence.

assets_count="23"

assets

Session or sequence assets

The names of all unique assets for the session or sequence.

assets="srv_123_dev, 10.23.123.56, tks_en_0b_jt"

zones

Session zones

The session zones.

Also the asset sequence zones. (optional)

zones="atlanta office"

reasons

All unique rule definition descriptions for any triggered rules for the session

By default, only takes the top three by triggered rule risk score. Configurable through exabeam_custom_config ScoreManager. IncidentReasonsLimit.

reasons="It is abnormal for this user to perform account management activities (a user created and added to a group) on this day of the week. Account management events are notable because they can provide a path for an attacker to move laterally through a system."

reasons_count

Session or sequence reasons count

The total number of reasons recorded for the session or sequence.

reasons_count="8"

events_count

Session or sequence events count

The total number of events recorded for the session or sequence.

events_count="779"

alerts_count

Session or sequence alerts count

The total number of security events recorded for the session or sequence.

alerts_count="7"

asset_labels (optional)

Labels for the asset

The labels for the asset.

asset_labels="SOURCE HOST"

asset_locations

Locations for the asset

The locations for the asset.

asset_locations="los angeles office"

top_users

Top users for the asset

The top users for the asset.

top_users="adonald"

host_name (optional)

Hostnames for the asset

The hostnames for the asset.

host_name="adonald-win7"

ip_address (optional)

IP addresses for the asset

The IP addresses for the asset.

ip_address="10.0.0.3"

dest_host (optional)

dest_host of the triggered rule

The dest_host of the triggered rule.

dest_host="It-adonald-123"

dest_ip (optional)

dest_ip of the triggered rule

The dest_ip of the triggered rule.

dest_ip="10.23.121.87"

event_time

Time of the event

When the event took place.

event_time="8:26:00"

event_type

Type of the event

The type of the event.

event_type="remote-access"

host (optional)

Host for the triggered rule

The host for the triggered rule.

host="atl-file-01"

domain (optional)

Domain for the triggered rule

The domain for the triggered rule.

domain="kt_cloud"

raw (optional)

Raw "payload"

The raw "payload" for the triggered rule or event.

raw="http: //exampleurl"

rule_id

Rule definition ID

The rule definition ID for the triggered rule.

rule_id="WL-HG-F"

rule_name

Rule definition name

The rule definition name for the triggered rule.

rule_name="Account switch by new user"

rule_description

Rule definition description

The rule definition description for the triggered rule.

rule_description="User for which we have insufficient data logged onto a Domain Controller"

Event Type: Advanced Analytics/Case Manager/OAR Audit

Key Name

Key Value

Description

Syslog Key

Value Example

time

Time in Unix timestamp

When the event took place.

time="1559076154132"

user

Admin or user’s username

The user performing the activity in Exabeam.

user="admin"

host

Hostname, and if not available, IP address

The machine logging the event.

host="10.0.0.4"

src_ip

Client IP address

The IP from which the user connected to Exabeam.

src_ip="10.0.0.6"

event_type

Event type

The event type, such as “app-activity”, “remote-logon”, and “logout”.

event_type="failed-app-login"

app

Name of the application

The name of the application that logs the event, such as “Exabeam Advanced Analytics”. If it is not possible to get the app type then “Exabeam” is used.

app="Exabeam"

event_subtype

Exabeam Audit Event

The Exabeam Audit Event identifier.

event_subtype="Exabeam Audit Event"

activity

Activity type

The activity type, such as “User added”, “Role updated”, and “LDAP server removed”.

activity="Failed log in"

additional_info

Activity details

The activity details, such as those pertaining to user, role, and LDAP updates.

additional_info="User 'admin' failed to login"

Event Type: Job Status

Key Name

Key Value

Description

Syslog Key

Value Example

job_status

Job status

The job status, either “Started”, “Failed”, or “Completed”.

job_status="Started"

job_details

Job details

The job details, which includes modified rules and reprocess times.

job_details="Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC)."

job_id

Job ID

The job ID string.

job_id="5c1ace5c123 b3801207481f"

created_by

Admin or user’s username

The user who created the job in Exabeam.

created_by="admin"

timestamp

Timestamp in UTC format

When the event took place.

timestamp="December 19 2018, 11:05PM (UTC)"

start_time (optional)

Timestamp in UTC format

When the event started.

start_time="March 12 2019, 10:05PM (UTC)"

end_time (optional)

Timestamp in UTC format

When the event ended.

end_time="March 13 2018, 12:05AM (UTC)"