Identifying the Product
A product is the service or application that records an event. To identify the product in an event, ask the following questions:
- Are there signs of an auditing component for which a logging service can be identified? If so, the logging service is the product. Signs of an auditing component include:
  - The application's logging documentation mentions a named component that generated the event.
  - Multiple log schemas or event templates are present.
- Is the application's function to audit, provide, or centralize logs? If so, the application is the product.
- If the application has an unnamed audit service, the application is the product.
Product Example 1
Windows Event ID 4624 – Login
In this example, there is an auditing component. Based on knowledge of the schema and the log source, the logging service can be identified as event viewer - security. Because the logging service is identifiable, the logging service is the product, rather than windows.
Product Example 2
AWS RunInstances – Virtual Machine Creation
For this example, a check in the AWS documentation shows that an auditing service called aws cloudtrail is the source of this log. Because the logging service is identifiable, the logging service is the product, rather than aws.
Product Example 3
Singularity XDR (SentinelOne) - Security Alert
In this example, a logging service is not present, but the application, Singularity XDR, is itself an auditing application. Its fundamental purpose is to provide logs. For this reason, the application is the product.
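The three questions above form a small decision procedure, and the three product examples are its worked cases. The following is an added illustration, not Exabeam code: it encodes the questions as a function over a constructed description of a log source (the `LogSource` fields and the `identify_product` name are assumptions made for this example) and runs it against descriptors modelled on the Windows, AWS and Singularity XDR examples. The product string is normalised to lowercase, matching how the examples above write it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed description of a log source. Field names are assumptions for this
# example; they are not Common Information Model fields.
@dataclass(frozen=True)
class LogSource:
    application: str                         # application that recorded the event
    named_logging_component: Optional[str]   # audit/logging component named in the docs, if any
    schema_count: int = 1                    # distinct log schemas / event templates observed
    is_audit_application: bool = False       # application exists to audit, provide or centralize logs


def has_auditing_component(src: LogSource) -> bool:
    """Signs of an auditing component: a named component in the documentation,
    or multiple log schemas / event templates."""
    return src.named_logging_component is not None or src.schema_count > 1


def identify_product(src: LogSource) -> Tuple[str, str]:
    """Return (product, rule) by walking the questions in order.

    1. Auditing component whose logging service can be identified -> the service.
    2. Application whose function is to audit / provide / centralize logs -> the application.
    3. Unnamed audit service -> the application.
    """
    if has_auditing_component(src) and src.named_logging_component is not None:
        return src.named_logging_component.lower(), "identifiable logging service"
    if src.is_audit_application:
        return src.application.lower(), "application is an auditing application"
    return src.application.lower(), "unnamed audit service"


# Constructed descriptors modelled on the three product examples in the text.
WINDOWS_4624 = LogSource(
    application="Windows",
    named_logging_component="Event Viewer - Security",
    schema_count=3,   # Security, System, Application schemas all exist
)
AWS_RUN_INSTANCES = LogSource(
    application="AWS",
    named_logging_component="AWS CloudTrail",
)
SENTINELONE_ALERT = LogSource(
    application="Singularity XDR",
    named_logging_component=None,
    is_audit_application=True,
)


def classify_examples() -> dict:
    """Map each example to the product the procedure assigns it."""
    return {
        "Windows Event ID 4624": identify_product(WINDOWS_4624),
        "AWS RunInstances": identify_product(AWS_RUN_INSTANCES),
        "Singularity XDR alert": identify_product(SENTINELONE_ALERT),
    }


if __name__ == "__main__":
    for name, (product, rule) in classify_examples().items():
        print(f"{name:24s} -> product={product!r} ({rule})")
```

Note that `schema_count` only counts as a sign that an auditing component exists; if no named logging service can be identified, the procedure still falls through to the application, which is what the third question states.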