
Exabeam Security Content in the Common Information Model

Field Modification

In the following example, an existing field is modified to create a field that can be used for detection by existing Advanced Analytics content.

bytes-domain {
  EventTypes = ['dlp-email-alert-out','dlp-email-alert-out-failed','dlp-alert','usb-insert','usb-write','usb-read','dlp-email-alert-in','share-access','print-activity','file-write','file-delete']
  Condition = "exists(bytes_unit) && !exists(bytes)"
  Map = [
    {
      Field = "bytes_num"
      Value = """replaceAll(bytes_num, ",","")"""
    },
    {
      Field = "bytes"
      Value = """Multiply(bytes_num,ReturnIf(ToLower(bytes_unit)='kb',1024,ReturnIf(ToLower(bytes_unit)='mb',1048576,ReturnIf(ToLower(bytes_unit)='gb',1073741824,0))))"""
    }
  ]
}

Note

Advanced Analytics content related to data transfer sizes operates in bytes, not kilobytes, megabytes, or gigabytes. So when a value parsed from a log is not expressed in bytes, the parsed value is converted accordingly: the parsed number (bytes_num) is multiplied by 1024 when bytes_unit is kilobytes, by 1024*1024=1048576 when it is megabytes, and so on. The rule only runs when bytes_unit is present and bytes is not already set, and a bytes_unit that is none of kb, mb, or gb falls through to the final 0 in the ReturnIf chain, so bytes is set to 0 for such events.
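The conversion the bytes-domain rule expresses, written here as an added Python emulation (not Exabeam code and not part of the original page) so the rule's behaviour can be checked on sample parsed events; the event dicts, the event_type key name and the choice to leave bytes unset for a non-numeric bytes_num are assumptions.

```python
# Emulation of the bytes-domain field-modification rule (assumed semantics).

# Unit multipliers exactly as in the nested ReturnIf chain; anything else yields 0.
UNIT_FACTORS = {"kb": 1024, "mb": 1048576, "gb": 1073741824}

# EventTypes list copied from the rule.
EVENT_TYPES = {
    "dlp-email-alert-out", "dlp-email-alert-out-failed", "dlp-alert",
    "usb-insert", "usb-write", "usb-read", "dlp-email-alert-in",
    "share-access", "print-activity", "file-write", "file-delete",
}


def apply_bytes_domain(event: dict) -> dict:
    """Apply the rule to one parsed event and return a modified copy.

    Condition: exists(bytes_unit) && !exists(bytes). Map step 1 strips
    thousands separators from bytes_num; step 2 derives bytes from the unit.
    """
    out = dict(event)
    if out.get("event_type") not in EVENT_TYPES:
        return out                      # rule is scoped to listed event types
    if "bytes_unit" not in out or "bytes" in out:
        return out                      # Condition not met: nothing changes
    # Step 1: replaceAll(bytes_num, ",", "")
    bytes_num = str(out.get("bytes_num", "")).replace(",", "")
    out["bytes_num"] = bytes_num
    # Step 2: Multiply(bytes_num, ReturnIf(...)); unknown units give factor 0,
    # so bytes becomes 0, matching the rule's final fallback.
    factor = UNIT_FACTORS.get(str(out["bytes_unit"]).lower(), 0)
    try:
        out["bytes"] = int(float(bytes_num) * factor)
    except ValueError:
        pass                            # assumption: non-numeric input sets no bytes
    return out


# Constructed sample events, not from the original page.
SAMPLE_EVENTS = [
    {"event_type": "usb-write", "bytes_num": "1,536", "bytes_unit": "KB"},
    {"event_type": "file-write", "bytes_num": "2.5", "bytes_unit": "mb"},
    {"event_type": "print-activity", "bytes_num": "300", "bytes_unit": "b"},
    {"event_type": "share-access", "bytes_num": "512", "bytes_unit": "kb", "bytes": "524288"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(apply_bytes_domain(ev))
```

The third sample shows the caveat in the rule as written: a unit of plain "b" is not matched, so bytes is set to 0 rather than 300.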