Security ContentExabeam Security Content in the Common Information Model

In some instances, the activity type is unclassified or generic. For example, in the case of some parsers or event builders, the type of data streaming through them is unknown, making a granular classification impossible. For such cases, the following catch-all activity types can be used:

These activity types are completely legitimate but should be used sparingly. Chances are that dedicated parsers or event builders already have identifiable subjects and activity types, so check the common information model structure before assigning a catch-all activity type.

An event can be classified as a login when the user fully completes a successful login to a system. An authentication event occurs when a user completes a single part of the login process. For example, a kerberos request is an authentication, while a 4624 event is a complete login.

Login activity types are named based on the system being logged into (endpoint, app, etc.). Multiple variations of the login type can be classified as part of the same activity type, so a login_type field is used to indicate the type of login. This convention allows the accurate classification of the event without losing any of the useful context.

When assigning network activity types, the distinction between sessions and traffic is important. A session is a summary of multiple packets logged at the conclusion of multiple communications between two devices. Traffic pertains to a single packet. For example, firewall logs most likely describe a session, while packet capture logs generally describe individual packets.

If a log indicates that a "packet was dropped," it means that a specific traffic event failed, not an entire session. Conversely, if a log indicates that a "connection occurred, total bytes ...," it's describing an entire session because summary attributes are already available.

Sessions and traffic both exist as activities and can be connected to any network protocol, or if the protocol is unknown, simply to network. The following are some examples of session and traffic activity types:

Additional activities can be associated with network protocols. When included in a log, they can describe specific parts of the connection or state. Consider the following examples:

Informational notification activity types are reserved for generic informational or system-related pop-ups and messages. These types of activities don't necessarily describe an event. Rather, they provide informational data about the system, without any correlation to a specific activity or operation. For such cases, the following generic activity types can be used:

For example, if a log says, "exception thrown, continuing," it's a notification. It doesn't describe an activity but, rather, provides information about the status of a running state. Note however that if the log said "exception thrown, shutting down," it would be describing an activity and would not be a notification. The following are some examples of notifications:

Because notification activity types are so generic, they should be used sparingly. Overuse will dilute the accuracy and consistency of your data.