Anatomy of an Enricher
An Exabeam enricher contains the following types of information:
- Event Types – An array that defines which types of events should be enriched using the enricher. Use empty brackets [] to indicate that the enricher applies to all events.
- Enrichment Conditions – Logical expressions that define the conditions under which the enricher should be applied. For example, in the following condition, an event is enriched only if the field some_field ends with .bat, or the field certain_field already exists.
  "exists(certain_field) OR endsWith(some_field, '.bat')"
- Mapping Fields – Expressions that define new fields and values to be created by the enricher.
For samples of different types of enrichers, see Enrichment Use Cases.
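
The three parts described above, modeled in Python as an added example; this is not Exabeam's code or its configuration syntax. The dictionary keys, the is_batch_file output field, the event type names and the small condition evaluator (which handles only exists, endsWith, AND and OR) are assumptions made for illustration.

```python
import re

# Hypothetical model of an enricher; key names are assumptions, not Exabeam syntax.
ENRICHER = {
    "event_types": [],  # empty array: the enricher applies to all events
    "condition": "exists(certain_field) OR endsWith(some_field, '.bat')",
    # Mapping field: new field name -> expression that computes its value.
    "mapping": {"is_batch_file": lambda e: str(e.get("some_field", "")).endswith(".bat")},
}

TERM = re.compile(r"^(exists)\((\w+)\)$|^(endsWith)\((\w+),\s*'([^']*)'\)$")

def eval_term(term, event):
    """Evaluate one exists(...) or endsWith(...) call against an event."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    if m.group(1):  # exists(field): assumed to mean "field is present"
        return m.group(2) in event
    value = event.get(m.group(4))
    return isinstance(value, str) and value.endswith(m.group(5))

def eval_condition(expr, event):
    """OR of AND-groups; quoted literals containing ' OR ' are not handled."""
    return any(all(eval_term(t, event) for t in conj.split(" AND "))
               for conj in expr.split(" OR "))

def enrich(enricher, event):
    """Return a copy with mapped fields added, or the event unchanged."""
    types = enricher["event_types"]
    if types and event.get("event_type") not in types:
        return event  # enricher is scoped to other event types
    if not eval_condition(enricher["condition"], event):
        return event  # enrichment condition not met
    enriched = dict(event)
    for field, expression in enricher["mapping"].items():
        enriched[field] = expression(event)
    return enriched

# Constructed sample events (not taken from any real log source).
EVENTS = [
    {"event_type": "process-created", "some_field": "C:\\Temp\\run.bat"},
    {"event_type": "file-write", "certain_field": "x", "some_field": "notes.txt"},
    {"event_type": "process-created", "some_field": "cmd.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(enrich(ENRICHER, ev))
```

The second event is enriched only because certain_field exists, so the mapped field is still computed and comes out false; the third event matches neither branch and passes through unchanged.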