
Exabeam Security Content in the Common Information Model

Common Information Model Impact on Event Classification

The introduction of the common information model represents a shift in the way events are defined and built across Exabeam products. It's important to note the following points about the transition to the common information model event structure:

  • No events have been lost in the new structure.

    The new event structure is based on a combination of three context elements: subject, activity, and outcome. Legacy event types that did not conform to this structure have been reworked, and some new events have been added. The new structure is more readable, consistent across Exabeam products, and facilitates the addition of new events as needed.

  • All existing security content has been migrated.

    You don't need to migrate any of your existing security content in order to begin using the common information model. All parsers, event builders, models, rules, and fields have been migrated for you, including any existing custom content.

The common information model is designed around a central task: defining events. It uses a layered approach that relies on a hierarchy of context elements to form a minimalist but detailed structure. This contextual granularity ensures accurate and consistent event classification. The layered approach also provides a framework that allows for future augmentation across all data and metadata elements within the common information model.

For background information about the benefits of, and the rationale behind, the common information model, see Common Information Model.

New Event Structure

Events in the common information model framework are defined via a rich, multi-level hierarchy of context elements. They are not confined to a single title or description. However, a rigid event-naming convention is necessary to ensure that events are readable and manageable. Such a convention also makes it possible to create new types of events that conform to the common information model structure.

The new Exabeam event-naming format is based on the three context elements: subject, activity, and outcome. In this new structure, events are represented using the following syntax: subject-sub_subject-activity:outcome. The list below defines each component of this event naming format.

  • Subject (optional) – Listed first, the subject is the main target of an event.

  • Sub_subject (optional) – The sub_subject describes properties of the subject that are the target of an activity.

  • Activity – The active operation that was performed against the subject.

  • Outcome – An indication of whether the event had the intended outcome. Was it a success or a fail?

To enforce consistency with the new common information model event format, certain changes have been made to legacy event types. Some legacy event types did not include a subject and they've been reworked to match the new event format. Other legacy event types have been recreated completely in order to leverage the common information model context elements. In addition, note that activities in the new format are always phrased in the present tense.

Be sure to observe the new naming format and phrasing when creating new events. It will ensure that identifying, searching, and creating events remains accurate and intuitive.
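The naming convention above is mechanical enough to check automatically. The following parser is an added example, not Exabeam's own code: it splits an event name into subject, sub_subject, activity, and outcome, rejects names that do not follow the subject-sub_subject-activity:outcome syntax, and carries the legacy-to-CIM pairs from the sample table further down the page. The split rules (a hyphen between context elements, exactly one colon before the outcome, underscores joining words inside a single element such as email_rule) are read off the page's sample events and are assumptions where the page is silent.

```python
"""Parse and validate common information model event names.

Added example, not Exabeam's own code. The name format is the page's
subject-sub_subject-activity:outcome; the split rules (hyphen between context
elements, a single colon before the outcome, underscores joining words inside
one element such as email_rule) are read off the page's sample events.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OUTCOMES = ("success", "fail")

# One context element: lowercase, words joined by underscores (e.g. email_rule).
# The character set is an assumption based on the page's samples.
ELEMENT = re.compile(r"^[a-z][a-z0-9_]*$")

# Legacy-to-CIM mapping taken from the page's sample table.
LEGACY_TO_CIM: Dict[str, str] = {
    "account-creation": "user-create:success",
    "local-logon": "endpoint-login:success",
    "member-added": "group-member-add:success",
    "network-connection-failed": "network-traffic:fail",
}


@dataclass(frozen=True)
class CimEvent:
    subject: Optional[str]
    sub_subject: Optional[str]
    activity: str
    outcome: str

    def name(self) -> str:
        """Rebuild the canonical event name from the context elements."""
        head = "-".join(p for p in (self.subject, self.sub_subject, self.activity) if p)
        return f"{head}:{self.outcome}"


def parse_event(name: str) -> CimEvent:
    """Split an event name into context elements; raise ValueError if it is malformed."""
    if name.count(":") != 1:
        raise ValueError(f"{name!r}: expected exactly one ':' before the outcome")
    head, outcome = name.split(":")
    if outcome not in OUTCOMES:
        raise ValueError(f"{name!r}: outcome must be one of {OUTCOMES}")
    elements = head.split("-")
    if not 1 <= len(elements) <= 3 or not all(ELEMENT.match(e) for e in elements):
        raise ValueError(f"{name!r}: expected 1 to 3 well-formed elements before ':'")
    # The activity is always the last element; subject and sub_subject, when
    # present, precede it in that order.
    activity = elements[-1]
    subject = elements[0] if len(elements) >= 2 else None
    sub_subject = elements[1] if len(elements) == 3 else None
    return CimEvent(subject, sub_subject, activity, outcome)


def is_valid_event_name(name: str) -> bool:
    """True when the name conforms to the naming convention."""
    try:
        parse_event(name)
        return True
    except ValueError:
        return False


def translate_legacy(legacy_name: str) -> CimEvent:
    """Map a legacy event type to its CIM equivalent using the page's sample table."""
    if legacy_name not in LEGACY_TO_CIM:
        raise KeyError(f"no CIM mapping known for legacy event {legacy_name!r}")
    return parse_event(LEGACY_TO_CIM[legacy_name])


def find_nonconforming(names: List[str]) -> List[str]:
    """Return the names in a content set (e.g. rule triggers) that break the convention."""
    return [n for n in names if not is_valid_event_name(n)]


if __name__ == "__main__":
    for legacy, cim in LEGACY_TO_CIM.items():
        print(f"{legacy:28} -> {parse_event(cim)}")
    # Constructed sample: one conforming name, one legacy name, one bad outcome.
    print(find_nonconforming(["user-create:success", "local-logon", "vm_template-delete:ok"]))
```

Running `find_nonconforming` over the event names referenced by custom rules or models is a cheap way to catch a legacy name that slipped into new content: a name with no colon, an outcome other than success or fail, or more than three elements before the colon all fail the check.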

Sample Events – Legacy vs. Common Information Model

The following table shows a few examples of what legacy event types look like when rewritten using common information model context elements.

Legacy Events               Common Information Model Events
account-creation            user-create:success
local-logon                 endpoint-login:success
member-added                group-member-add:success
network-connection-failed   network-traffic:fail

The new common information model event format also makes some completely new types of events possible. Here are a few examples:

  • email_rule-create:success

  • network-start:success

  • vm_template-delete:success

New Event Building Process

The common information model context element structure requires that a level of granularity be maintained during the event building process. For this reason, some changes have been made to the process so that context elements are populated with values at the event builder level. The new event building process includes the following:

  • During event building, each event builder assigns values for subject, activity type, outcome, and platform elements:

    • The subject and activity type fields are populated automatically based on the event type.

    • Event builders are split to accommodate both success and fail variations.

    • To populate the platform values, a special splitting process creates separate event builders for every platform that a parser can provide logs for. This process is required infrequently, but when necessary, it ensures normalization across platforms.

  • After event building, landscape and product fields are populated automatically based on information in the common information model structure.
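The splitting described above, as an added example that is not Exabeam's own code: one outcome-less event type is expanded into its success and fail variants and, when the parser provides logs for more than one platform, into one builder per platform, with subject and activity type read off the event type. The EventBuilder record shape, the parser definition format, and the platform names are constructed for the example.

```python
"""Generate the split event builders for one parser.

Added example, not Exabeam's own code. It follows the page's description:
every event builder carries subject, activity type, outcome and platform;
builders are split into success and fail variants and, when a parser provides
logs for more than one platform, into one builder per platform. The
EventBuilder record shape and the sample parser definitions are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OUTCOMES = ("success", "fail")


@dataclass(frozen=True)
class EventBuilder:
    event_type: str          # e.g. "user-create:success"
    subject: Optional[str]   # "user"; a sub_subject, when present, stays attached here
    activity_type: str       # "create"
    outcome: str             # "success" or "fail"
    platform: str            # the platform whose logs this builder handles


def split_event_builders(event_type: str, platforms: List[str]) -> List[EventBuilder]:
    """Expand one outcome-less event type into its success/fail and per-platform builders."""
    if not platforms:
        raise ValueError("a parser must provide logs for at least one platform")
    # Subject and activity type are read off the event type: the activity is the
    # last hyphen-separated element, anything before it is the subject.
    elements = event_type.split("-")
    activity_type = elements[-1]
    subject = "-".join(elements[:-1]) or None
    return [
        EventBuilder(f"{event_type}:{outcome}", subject, activity_type, outcome, platform)
        for outcome in OUTCOMES
        for platform in platforms
    ]


def build_for_parser(parser: Dict[str, List[str]]) -> List[EventBuilder]:
    """Run the split for every event type a parser emits.

    `parser` is a constructed shape mapping "platforms" and "event_types" to lists.
    """
    builders: List[EventBuilder] = []
    for event_type in parser["event_types"]:
        builders.extend(split_event_builders(event_type, parser["platforms"]))
    return builders


def builder_counts(builders: List[EventBuilder]) -> Dict[str, int]:
    """Count builders per platform: a quick check that every platform got the same set."""
    counts: Dict[str, int] = {}
    for b in builders:
        counts[b.platform] = counts.get(b.platform, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a parser whose logs come from two platforms.
    sample_parser = {
        "platforms": ["platform_a", "platform_b"],
        "event_types": ["user-create", "group-member-add"],
    }
    for b in build_for_parser(sample_parser):
        print(b)
    print(builder_counts(build_for_parser(sample_parser)))
```

For a parser that serves a single platform the platform split is a no-op and only the success/fail split remains, which matches the page's note that the platform split is needed infrequently; the per-platform counts returned by `builder_counts` should always be equal, since each platform receives the same event types and outcomes.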