Context Retrieval
Enrichers that provide contextual enrichment use a parsed field value as a key to extract a value for a new field from a context table.
In the example below, the user field is created from a context table called user_email. When the email_user field is parsed from the log, the AD user value is fetched from the context table and mapped to the email_user, which will stitch the event to the user timeline.
user-email {
  ...
  Map = [
    {
      Field = "user"
      Value = """GetValue('email_user',toLower(user_email))"""
    }
    ...
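An added example, not Exabeam code: a minimal Python simulation of the lookup in the snippet above, showing what the toLower() normalisation does to the key and how to list events that carry an email but never receive a user. The table contents, the events and the helper names (evaluate, enrich, unstitched) are constructed, and reading the first GetValue argument as the table name and the second as the key is an assumption.

```python
import re

# Constructed context table (assumption): lower-cased email -> AD user.
CONTEXT_TABLES = {"email_user": {"alice@example.com": "asmith",
                                 "bob@example.com": "bjones"}}

# Map entry copied from the page's snippet.
MAP = [{"Field": "user",
        "Value": "GetValue('email_user',toLower(user_email))"}]

# Only the expression shape on the page is understood: GetValue('<table>',<key>)
# where <key> is a field name, optionally wrapped in toLower(). Reading the
# first argument as the table and the second as the key is an assumption.
EXPR = re.compile(r"GetValue\('(\w+)',\s*(?:toLower\((\w+)\)|(\w+))\)")

def evaluate(expr, event):
    """Return the context value for the event, or None when nothing matches."""
    m = EXPR.fullmatch(expr.strip())
    if m is None:
        raise ValueError(f"unsupported expression: {expr!r}")
    table, lowered_field, plain_field = m.groups()
    key = event.get(lowered_field or plain_field)
    if key is None:
        return None                      # key field was not parsed from the log
    if lowered_field:
        key = key.lower()                # normalise before the lookup
    return CONTEXT_TABLES.get(table, {}).get(key)

def enrich(event, mapping=MAP):
    """Return a copy of the event with each resolvable Map field added."""
    out = dict(event)
    for entry in mapping:
        value = evaluate(entry["Value"], event)
        if value is not None:
            out[entry["Field"]] = value
    return out

def unstitched(events, mapping=MAP):
    """Events that carry an email but got no user, so reach no user timeline."""
    return [e for e in map(lambda ev: enrich(ev, mapping), events)
            if "user_email" in e and "user" not in e]

# Constructed parsed events.
EVENTS = [{"id": 1, "user_email": "Alice@Example.com"},
          {"id": 2, "user_email": "mallory@example.net"},
          {"id": 3, "src_ip": "192.0.2.10"}]

if __name__ == "__main__":
    for ev in EVENTS:
        print(enrich(ev))
    print("unstitched:", [e["id"] for e in unstitched(EVENTS)])
```

Events returned by unstitched() are the ones to review when a context table is incomplete or its keys are not stored in the case the expression produces.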