
Exabeam Security Content in the Common Information Model

Identifying the Platform

A platform is the virtual environment or application in which an event took place. It is not necessarily the product that wrote the log. To identify the platform for an event, ask the following questions in order; the first one that applies decides:

  1. Was the log collected from an environment external to the product that logged it? If so, that source environment is the platform.

  2. Is the product that logged the event contained in a larger application or environment? If so, the environment that contains the product is the platform.

  3. If neither of these is the case, then the product itself is the platform.

[Image: platform-id.png]

Platform Example 1

Check Point NGFW – Network Connection

[Image: platform-ex1.png]

In this example, the event was logged by a Check Point Next Generation Firewall (NGFW), but the event describes a connection on the network that the firewall monitors, not an operation on the firewall itself. The source of the event is therefore the network, and the event platform for this log is network.

Platform Example 2

GCP UpdateRole – Role Permission Modification

[Image: platform-ex2.png]

In this example, the event was logged by GCP CloudAudit. CloudAudit, however, is a logging product inside the Google Cloud Platform (GCP) environment, and the role being modified belongs to that environment, so the platform is gcp rather than the logging product.

Platform Example 3

Check Point NGFW – Application Login

[Image: platform-ex3.png]

As in Example 1, this log shows an event that was logged by a Check Point Next Generation Firewall (NGFW). In this case, however, the firewall both records the event and is the object of the operation: the login is to the firewall itself, not to something on the network it monitors. Neither of the first two questions applies, so the platform is the product, check point ngfw.
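The decision procedure above, applied to Examples 1 through 3, as an added example in Python. This is not Exabeam's parser or mapping logic: the Event fields (product, activity, describes), the CONTAINING_ENVIRONMENT lookup and the key=value sample log lines are constructed for illustration. The point it makes explicit is the ordering: an event about an external environment wins over the containing-environment rule, which in turn wins over falling back to the product.

```python
# Added example: a small platform resolver that applies the three questions
# above in order and runs them over the page's three examples. This is not
# Exabeam's parser; the Event fields (product, activity, describes), the
# CONTAINING_ENVIRONMENT lookup and the sample log lines are constructed
# for illustration.
from dataclasses import dataclass

# Environments known to contain a logging product (constructed lookup).
# CloudAudit is a logging product inside GCP (Example 2), so its container is gcp.
CONTAINING_ENVIRONMENT = {
    "gcp cloudaudit": "gcp",
}


@dataclass(frozen=True)
class Event:
    product: str    # product that emitted the log, as named in the event
    activity: str   # activity the log records
    describes: str  # environment or object the event is about, as judged from the log


def parse_event(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' log line into an Event."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return Event(
        product=fields["product"],
        activity=fields["activity"],
        describes=fields["describes"],
    )


def identify_platform(event: Event) -> str:
    """Apply the three questions in order; the first that matches decides.

    Platform names are lowercased to match the page's 'network', 'gcp' and
    'check point ngfw' style.
    """
    product = event.product.lower()
    subject = event.describes.lower()
    container = CONTAINING_ENVIRONMENT.get(product)

    # Q1: collected from an external environment? An event about something
    # other than the product or the environment that contains it describes
    # an external environment, which is then the platform.
    if subject not in (product, container):
        return subject

    # Q2: product contained in a larger application or environment?
    if container is not None:
        return container

    # Q3: neither applies, so the product itself is the platform.
    return product


# Constructed sample events mirroring Examples 1-3 on this page.
SAMPLE_LOGS = [
    "product=Check Point NGFW|activity=Network Connection|describes=network",
    "product=GCP CloudAudit|activity=Role Permission Modification|describes=gcp",
    "product=Check Point NGFW|activity=Application Login|describes=Check Point NGFW",
]


def resolve_all(lines=SAMPLE_LOGS):
    """Return (activity, platform) for each sample log line."""
    results = []
    for line in lines:
        event = parse_event(line)
        results.append((event.activity, identify_platform(event)))
    return results


if __name__ == "__main__":
    for activity, platform in resolve_all():
        print(f"{activity:30} -> platform={platform}")
```

The describes field stands in for the judgement an analyst makes from the log content (what the event is actually about); deriving it automatically for products that monitor many environments is exactly the deeper investigation the tips below call for.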

Tips for Unique Platform Cases

If you're still unsure about the event platform, consider the following questions:

  • What is the purpose of the product?

  • Is it possible that the product could audit other environments?

    Products such as centralized logging services, EDRs, firewalls, and other security products are designed to monitor multiple platforms, so the product that wrote the log is often not the platform. These cases may require a deeper investigation of the log content to identify the platform.