- Welcome to Exabeam Security Content
- What is Security Content?
- Common Information Model
- What is the Common Information Model?
- Common Information Model Context Elements
- Common Information Model Interface
- Common Information Model Event-naming Format
- Common Information Model Impact on Downstream Processes
- Using the Common Information Model to Create Custom Content
- Transitioning to the Common Information Model
- Understanding the Log
- Exabeam Parsers
- Exabeam Event Building
- Exabeam Enrichment
- Exabeam Persistence and Templates
- Exabeam Models
- Exabeam Rules
PrevNext
Context Retrieval
Enrichers that provide contextual enrichment use a parsed field value as a key to extract a value for a new field from a context table.
In the example below, the user field is created from a context table called user_email. When the email_user field is parsed from the log, the AD user value is fetched from the context table and mapped to the email_user which will stitch the event to the user timeline.
user-email {...
Map = [
{
Field = "user"
Value = """GetValue('email_user',toLower(user_email))"""
}...