- Welcome to Exabeam Security Content
- What is Security Content?
- Common Information Model
- What is the Common Information Model?
- Common Information Model Context Elements
- Common Information Model Interface
- Common Information Model Event-naming Format
- Common Information Model Impact on Downstream Processes
- Using the Common Information Model to Create Custom Content
- Transitioning to the Common Information Model
- Understanding the Log
- Exabeam Parsers
- Exabeam Event Building
- Exabeam Enrichment
- Exabeam Persistence and Templates
- Exabeam Models
- Exabeam Rules
What is the Common Information Model?
The Exabeam common information model defines the structure of security content across Exabeam products. The hierarchical information model framework informs every aspect of security content usage throughout the flow of Exabeam processes. During data ingestion, the common information model determines how logs are classified and which fields should be extracted for parsing. The model also indicates which fields satisfy the core, detection, and informational requirements of pre-packaged security content. When parsing data, building events, and performing analysis tasks, the information model provides a compact, accurate, and highly extensible schema that enforces consistency. For data management and presentation, the model facilitates categorization, search, and reporting that can surface the subtle details of your data
The common information model is designed around a central task: defining events. It uses a layered approach that relies on a hierarchy of context elements to form a minimalist but detailed structure. This contextual granularity ensures accurate and consistent event classification. The layered approach also provides a framework that allows for future augmentation across all data and metadata elements within the common information model.
Why is an Information Model Necessary?
Log and context data arrive from a variety of sources and in a variety of formats. In order for Exabeam products to efficiently extract full operational and security value from this data, it must be normalized according to a standard format. The common information model provides this format and enables information from ingested logs to be mapped consistently to Exabeam fields. This mapping makes data available to downstream processes in a uniform manner.
Understanding the common information model framework can facilitate creation of effective security content, including parsers, event builders, enrichers, models, and rules. In addition, Exabeam search capabilities are aligned with this framework, so understanding the common information model can also facilitate a more effective search experience.
Highlights of the Exabeam Common Information Model
At its core, the common information model is a hierarchical interface model by which security events can be classified and represented accurately. The common information model framework is designed with the following functional benefits in mind:
It's easy to read and draw conclusions from.
It follows a well-defined, minimalist schema with concise, rigid conventions that make it easy to enforce.
It preserves and represents context information within its framework.
It is product-agnostic to allow for a consistent experience regardless of the operating environment.
It has extensible interfaces that allow for future expansion.
The Common Information Model Library
The Common Information Model Library is an online repository where you can explore the Exabeam common information model. In the library, you can examine the individual interfaces that comprise the information model or you can view the hierarchical schema in a JSON format.