
Exabeam Security Content in the Common Information Model

Identifying the Product

A product is the service or application that records an event. To identify the product in an event, ask the following questions:

  1. Are there signs of an auditing component for which a logging service can be identified? If so, the logging service is the product. Signs of an auditing component include:

    • The application's logging documentation mentions a named component that generated the event.

    • Multiple log schemas or event templates are present.

  2. Is the application's function to audit, provide, or centralize logs? If so, the application is the product.

  3. If the application has an unnamed audit service, the application is the product.

(Image: product-id.png)

Product Example 1

Windows Event ID 4624 – Login

(Image: product-ex1.png)

In this example, there is an auditing component. Based on knowledge of the schema and the log source, the logging service can be identified as event viewer - security. Because the logging service is identifiable, the logging service is the product, rather than windows.

Product Example 2

AWS RunInstances – Virtual Machine Creation

(Image: product-ex2.png)

For this example, a check in the AWS documentation shows that an auditing service called aws cloudtrail is the source of this log. Because the logging service is identifiable, the logging service is the product, rather than aws.

Product Example 3

Singularity XDR (SentinelOne) - Security Alert

(Image: product-ex3.png)

In this example, a logging service is not present, but the application, Singularity XDR, is itself an auditing application. Its fundamental purpose is to provide logs. For this reason, the application is the product.
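The three questions above form a decision procedure, and the three examples are its test cases. The following block, an added example rather than Exabeam's own code, implements that procedure and runs it over constructed sample events for each example plus one for the unnamed-audit-service case. The regexes used as "signs of an auditing component", the lowercase product strings, the `Event` type and every sample log line are assumptions introduced here, not values from the page.

```python
"""Added example (not Exabeam's code): the three-question product test from
the section above, applied to constructed sample events for each example.

Assumptions, not from the page: the regexes used as "signs of an auditing
component", the lowercase product strings, and every sample log line.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Question 1 signals: a recognisable auditing component in the raw event maps
# to a named logging service. The service names are the ones the page gives;
# the patterns are assumptions about what such an event looks like.
AUDIT_COMPONENT_SIGNALS = [
    # Windows Security-channel events name their provider in the XML header.
    (re.compile(r"Microsoft-Windows-Security-Auditing"), "event viewer - security"),
    # CloudTrail records are JSON documents that always carry eventVersion.
    (re.compile(r'"eventVersion"\s*:'), "aws cloudtrail"),
]

# Question 2: applications whose fundamental purpose is to produce or
# centralize logs. The application is then the product in its own right.
AUDITING_APPLICATIONS = {"singularity xdr"}


@dataclass
class Event:
    application: str  # application the event is attributed to, e.g. "windows"
    raw: str          # raw event text as received by the collector


def find_logging_service(raw: str) -> Optional[str]:
    """Question 1: is there a sign of an auditing component with a nameable
    logging service? Returns the service name, or None if nothing matched."""
    for pattern, service in AUDIT_COMPONENT_SIGNALS:
        if pattern.search(raw):
            return service
    return None


def identify_product(event: Event) -> dict:
    """Walk the three questions in order and report which one decided."""
    service = find_logging_service(event.raw)
    if service is not None:
        return {"product": service, "rule": 1}
    app = event.application.strip().lower()
    if app in AUDITING_APPLICATIONS:
        return {"product": app, "rule": 2}
    # Question 3: the audit service is unnamed, so the application is the product.
    return {"product": app, "rule": 3}


# Constructed samples, one per example on the page plus one for question 3.
SAMPLES = {
    "windows_4624": Event(
        "windows",
        "<Event><System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        "<EventID>4624</EventID><Channel>Security</Channel></System></Event>",
    ),
    "aws_runinstances": Event(
        "aws",
        json.dumps({"eventVersion": "1.08", "eventSource": "ec2.amazonaws.com",
                    "eventName": "RunInstances"}),
    ),
    "sentinelone_alert": Event(
        "Singularity XDR",
        "Singularity XDR alert: threat detected on host constructed-host-01",
    ),
    # Hypothetical line-of-business app with an unnamed audit trail.
    "hr_app_audit": Event(
        "ExampleHR",
        "audit: user jdoe viewed record 42",
    ),
}


def classify_samples() -> dict:
    """Product decision for every constructed sample, keyed by sample name."""
    return {name: identify_product(ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:<20} product={result['product']!r} (question {result['rule']})")
```

The order of the checks matters: the logging-service test runs first so that an event from an auditing application that also carries a named auditing component still resolves to the logging service, exactly as the Windows and AWS examples do. Returning the deciding question alongside the product keeps the parser's choice reviewable when a new log source is onboarded.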