
Exabeam Security Content in the Common Information Model

Identifying the Subject

The subject is the target entity in an event. To identify the subject of an event, ask the following questions:

  1. Is there one entity that is the target of the operation? If so, that entity is the subject.

  2. Are there multiple possible entities that are the target? If so, the subject is the most manipulated entity.

  3. If neither of these questions identifies the subject, see Tips for Unique Subject Cases.

[Figure: subject-id.png]

Subject Example 1

Symantec SIEM – File Write

[Figure: subject-ex1.png]

In this straightforward example, the activity is performed on a file. Therefore, file is the subject, and there is no need to reference the platform or the product.

Subject Example 2

Logrhythm – Office 365 Password Change

[Figure: subject-ex2.png]

In this example, the password modification was performed on a user. This means that user is the subject. Notice that the user is the subject because the activity was performed on a user, not because it was performed by a user.

Subject Example 3

Unix – Group Member Addition

[Figure: subject-ex3.png]

In this example, identifying the subject is less straightforward. From different perspectives, either the user or the group might serve as the subject. In this type of scenario, either refer to the common information model structure to find a similar case or identify which entity is the most manipulated. Here the group is the logical subject because it is the entity being modified; the user is a passive entity in this activity.

Tips for Unique Subject Cases

  • In network events, the subject is the network protocol, or simply network if a protocol is not specified.

  • In authorization and login events, the subject is the target of the identification attempt, usually an endpoint or an app.

  • Some landscapes double as subjects, such as endpoint, vpn, or database.

  • If you're unsure of the subject, leverage the common information model structure to your advantage. Try to find a similar event already defined in the information model. To validate your selection, check the predefined subjects in the Subject Interface of the Common Information Model Library.
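As an added illustration (not Exabeam's code), the following Python helper encodes the three questions and the tips above as a selection routine and applies it to constructed versions of the page's examples. The `Entity` model, the `category` labels ("object", "auth", "network") and the "most manipulated" heuristic (the target with the most changed attributes) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entity:
    kind: str                       # e.g. "file", "user", "group", "endpoint"
    role: str                       # "target" (acted on) or "actor" (performing the activity)
    modified: Tuple[str, ...] = ()  # attributes the activity changes on this entity


def choose_subject(category: str, entities: List[Entity],
                   protocol: Optional[str] = None) -> str:
    """Pick the CIM subject. category is an assumed label: "network", "auth" or "object"."""
    # Tip: network events take the protocol as subject, or plain "network" if none is given.
    if category == "network":
        return protocol.lower() if protocol else "network"
    targets = [e for e in entities if e.role == "target"]
    # Tip: in authorization/login events the subject is the target of the
    # identification attempt (an endpoint or an app), never the user logging in.
    if category == "auth":
        targets = [e for e in targets if e.kind in ("endpoint", "app")]
    if len(targets) == 1:                         # Question 1: a single target entity
        return targets[0].kind
    if len(targets) > 1:                          # Question 2: the most manipulated target
        return max(targets, key=lambda e: len(e.modified)).kind
    raise ValueError("no target entity: consult Tips for Unique Subject Cases")


# Constructed sample events mirroring the page's three examples plus two of the tips.
FILE_WRITE = [Entity("user", "actor"), Entity("file", "target", ("content",))]
PASSWORD_CHANGE = [Entity("user", "actor"), Entity("user", "target", ("password",))]
GROUP_MEMBER_ADD = [Entity("user", "actor"), Entity("user", "target"),
                    Entity("group", "target", ("members",))]   # group changes, user is passive
LOGIN = [Entity("user", "actor"), Entity("endpoint", "target", ("session",))]


def page_examples() -> dict:
    """Subjects the rules produce for the constructed events."""
    return {
        "file-write": choose_subject("object", FILE_WRITE),
        "password-change": choose_subject("object", PASSWORD_CHANGE),
        "group-member-add": choose_subject("object", GROUP_MEMBER_ADD),
        "login": choose_subject("auth", LOGIN),
        "dns-query": choose_subject("network", [], protocol="DNS"),
    }
```

When two targets are modified equally, `max` keeps the first one listed, so the entity order in a parser's output becomes the tie-breaker; in that situation the page's advice to compare against a similar predefined event still applies.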