- Welcome to Exabeam Security Content
- What is Security Content?
- Common Information Model
- What is the Common Information Model?
- Common Information Model Context Elements
- Common Information Model Interface
- Common Information Model Event-naming Format
- Common Information Model Impact on Downstream Processes
- Using the Common Information Model to Create Custom Content
- Transitioning to the Common Information Model
- Understanding the Log
- Exabeam Parsers
- Exabeam Event Building
- Exabeam Enrichment
- Exabeam Persistence and Templates
- Exabeam Models
- Exabeam Rules
PrevNext
Field Modification
In the following example, an existing field is modified to create a field that can be used for detection by existing Advanced Analytics content.
bytes-domain { EventTypes = ['dlp-email-alert-out','dlp-email-alert-out-failed','dlp-alert','usb-insert','usb-write','usb-read','dlp-email-alert-in','share-access','print-activity','file-write','file-delete'] Condition = "exists(bytes_unit) && !exists(bytes)" Map = [ { Field = "bytes_num" Value = """replaceAll(bytes_num, ",","")""" }, { Field = "bytes" Value = """Multiply(bytes_num,ReturnIf(ToLower(bytes_unit)='kb',1024,ReturnIf(ToLower(bytes_unit)='mb',1048576,ReturnIf(ToLower(bytes_unit)='gb',1073741824,0))))""" } ] }
Note
Advanced Analytics content, related to data transfer sizes, operates using bytes (not kilobytes, megabytes, or gigabytes). So, when a value is parsed from a log that is not represented in bytes, the parsed value is modified accordingly. The parsed bytes value (bytes_num
) is multiplied by 1024 when the bytes_unit
value is in kilobytes, or by 1024*1024=1048576, if the value is in megabytes, and so on.