Context Retrieval
Enrichers that provide contextual enrichment use a parsed field value as a key to extract a value for a new field from a context table.
In the example below, the user field gets its value from a user_email field in a context table called user_email_mapping. When the user_email field is parsed from the log, the AD username is fetched from the context table and mapped to the user field, which will stitch the event to the user timeline.
user_email {
  ...
  Map = [
    {
      Field = "user"
      Value = """GetValue('user_email_mapping',toLower(user_email))"""
    }
    ...
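The lookup described above, simulated in Python as an added example (this is not Exabeam code and not part of the original page). The table contents and events are constructed, and an exact-match lookup that leaves the user field unset on a miss is an assumption about how GetValue behaves.

```python
import re

# Constructed context table: email (stored lowercase) -> AD username.
CONTEXT_TABLES = {"user_email_mapping": {
    "alice.ng@example.com": "ang",
    "bob.ortiz@example.com": "bortiz",
}}

# Constructed parsed events; field names other than user_email are hypothetical.
EVENTS = [
    {"user_email": "Alice.Ng@Example.com", "src_ip": "10.0.0.5"},
    {"user_email": "carol@example.com", "src_ip": "10.0.0.9"},
    {"src_ip": "10.0.0.7"},  # user_email was not parsed from this log
]

# The enricher mapping from the page, expressed as Python data.
MAP = [{"Field": "user",
        "Value": "GetValue('user_email_mapping',toLower(user_email))"}]

# Recognises only the expression form shown on the page (toLower optional).
EXPR = re.compile(r"GetValue\('(\w+)',\s*(toLower\()?(\w+)\)?\)")

def evaluate(expr, event, tables):
    """Resolve GetValue('<table>', [toLower(]<field>[)]) for one event."""
    m = EXPR.fullmatch(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    table, lower, field = m.groups()
    key = event.get(field)
    if key is None:
        return None  # the key field was never parsed, nothing to look up
    if lower:
        key = key.lower()
    # Assumption: exact-match lookup that yields nothing on a miss.
    return tables.get(table, {}).get(key)

def enrich(event, mapping=MAP, tables=CONTEXT_TABLES):
    """Return a copy of the event with each mapped field added when resolved."""
    out = dict(event)
    for rule in mapping:
        value = evaluate(rule["Value"], event, tables)
        if value is not None:
            out[rule["Field"]] = value
    return out

def unstitched(events):
    """Enriched events that still lack 'user', so no timeline can claim them."""
    return [e for e in map(enrich, events) if "user" not in e]
```

Under these assumptions, events that come back from `unstitched` are the ones to review: either the email is missing from the context table or the key field was never parsed.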