Common Information Model Context Elements
In the Exabeam common information model, an event is more than a simple bundle of data or an information block identified by a title or string. It is a collection of context components that, taken together, provide the minimum data required to describe clearly and accurately what has occurred.
Consider, for example, a file creation event. The name of the event implies that it describes a modification made to a file. But the log will carry different content depending on where the file was modified, how the modification was recorded, and whether or not the operation succeeded.
In the common information model framework, these contextual elements are key to defining the subtleties of an event. A file creation log is not simply `file-write`. Rather, it is a collection of elements that build a description of the event. In this example, these elements could indicate that the event describes:
- A creation event...
- ...that occurred against a file entity...
- ...in a Windows system...
- ...recorded by Sysmon...
- ...which is an audit log solution.
By including context elements in its schema, the common information model provides an elegant solution to ensure that valuable event data is preserved with the event it describes.
Context elements can include the following:
- Subject – Identifies the entity being targeted by an event. Examples include `email`, `user`, `file`, `process`, `endpoint`. See the Subject Interface in the Common Information Model Library for a comprehensive list of predefined subjects.
- Activity Type – Identifies the type of operation represented in the event. In the event format of the common information model, the activity type is represented by the subject + the activity, without the outcome. This naming convention indicates the activity that is performed on the subject. Examples include `email-send`, `file-write`, `process-create`, `user-password-modify`, `endpoint-login`. See the Activity Type Interface in the Common Information Model Library for a comprehensive list of predefined activity types.
- Outcome – Identifies the result status of the event. The outcome indicates whether or not the activity had its intended effect. Outcome options are `success` or `fail`.
- Vendor – Identifies the owner of the product that recorded the event. In an `email-send` example, if the log data was streamed from the M365 logging service, the vendor can be identified as `microsoft`.
- Product – Identifies the service or application that recorded the event. In an `email-send` example, if the vendor is identified as Microsoft and the log data was streamed from the M365 logging service, the product can be identified as the `m365 audit log`.
- Product Category – Identifies an umbrella category for the product. Examples include `email`, `firewall`, `siem`.
- Platform – Identifies the virtual environment or application in which the event occurred. Examples include `Windows`, `Okta`, `O365`, `GitHub`.
- Landscape – Identifies an umbrella category for the platform. Examples include `cloud`, `endpoint`, `database`, `vpn`.
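The following is an added worked example, not Exabeam's own code or parser configuration: it decomposes a constructed Sysmon file-creation record into the eight context elements listed above and checks the two structural rules the page states (the activity type is subject + activity, and the outcome is kept out of it and limited to `success` or `fail`). The `ContextElements` dataclass, the `EVENT_MAP` table, the choice of `microsoft`/`sysmon`/`audit log` for the Sysmon rows, and the sample record fields are all assumptions made for this example; the Sysmon event IDs (1 = Process Create, 11 = FileCreate) are Sysmon's own.

```python
"""Added example (not Exabeam code): map a raw log record onto the
context elements of the common information model and validate them."""
from dataclasses import dataclass, asdict

OUTCOMES = {"success", "fail"}  # the two outcome options the page lists


@dataclass(frozen=True)
class ContextElements:
    subject: str           # entity targeted by the event, e.g. file
    activity_type: str     # subject + activity, without outcome, e.g. file-write
    outcome: str           # success | fail
    vendor: str            # owner of the product that recorded the event
    product: str           # service/application that recorded the event
    product_category: str  # umbrella category for the product
    platform: str          # environment in which the event occurred
    landscape: str         # umbrella category for the platform


def check_context(ctx: ContextElements) -> list[str]:
    """Return the rule violations found; an empty list means a consistent event."""
    problems = []
    for name, value in asdict(ctx).items():
        if not value:
            problems.append(f"{name} is empty")
    # Rule 1: activity type is the subject followed by the activity.
    if not ctx.activity_type.startswith(ctx.subject + "-"):
        problems.append(
            f"activity_type {ctx.activity_type!r} does not start with subject {ctx.subject!r}")
    # Rule 2: the outcome is a separate element and must not be embedded.
    if ctx.activity_type.rsplit("-", 1)[-1] in OUTCOMES:
        problems.append("activity_type must not embed the outcome")
    if ctx.outcome not in OUTCOMES:
        problems.append(f"outcome {ctx.outcome!r} is not one of {sorted(OUTCOMES)}")
    return problems


# Assumed mapping for this example: (vendor, product, native event id) ->
# (subject, activity_type, product_category, platform, landscape).
# Sysmon event ID 11 is FileCreate and ID 1 is Process Create; the rest of
# each row is this example's choice, not an Exabeam-defined mapping.
EVENT_MAP = {
    ("microsoft", "sysmon", 11): ("file", "file-write", "audit log", "Windows", "endpoint"),
    ("microsoft", "sysmon", 1): ("process", "process-create", "audit log", "Windows", "endpoint"),
}


def normalize(vendor: str, product: str, record: dict) -> ContextElements:
    """Build the context elements for one raw record using EVENT_MAP."""
    key = (vendor, product, int(record["EventID"]))
    if key not in EVENT_MAP:
        raise KeyError(f"no context mapping for {key}")
    subject, activity_type, category, platform, landscape = EVENT_MAP[key]
    # Sysmon only reports operations that actually happened, so it carries no
    # result field; a source that reports failures would supply an explicit
    # outcome field (assumed name "Outcome" here) that overrides the default.
    outcome = str(record.get("Outcome", "success")).lower()
    return ContextElements(subject, activity_type, outcome,
                           vendor, product, category, platform, landscape)


# Constructed sample record (field names follow Sysmon's FileCreate event;
# the values are made up, not a real capture).
SAMPLE_SYSMON_FILE_CREATE = {
    "EventID": 11,
    "Computer": "ws01.example.internal",
    "Image": r"C:\Windows\System32\notepad.exe",
    "TargetFilename": r"C:\Users\alice\notes.txt",
}

if __name__ == "__main__":
    ctx = normalize("microsoft", "sysmon", SAMPLE_SYSMON_FILE_CREATE)
    print(asdict(ctx))
    print("problems:", check_context(ctx))
    # An inconsistent event: subject/activity mismatch and an embedded outcome.
    bad = ContextElements("file", "process-create-fail", "fail", "microsoft",
                          "sysmon", "audit log", "Windows", "endpoint")
    print("problems:", check_context(bad))
```

Running the module prints the eight elements for the sample record with no problems, then two violations for the deliberately inconsistent event. The point of `check_context` is that the naming rules on this page are checkable at content-build time: a custom parser that emits `process-create-fail` as an activity type, or puts the outcome anywhere other than the outcome element, is caught before it reaches downstream models and rules.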