Exabeam Security Content in the Common Information Model

New Field Based on Information Within the Event

Enrichers often use fields from the parser output message to create new fields, based on conditions defined in logical expressions.

Example 1

In this example, a user_type field is created, which holds an attribute about the user, such as whether the user is a local user. The same enricher also rewrites the user field to user (dest_host).

local-user {
  EventTypes = [
    'batch-logon', 'file-delete', 'file-read', 'file-write', 'privileged-access',
    'privileged-object-access', 'process-created', 'service-logon', 'workstation-locked',
    'workstation-unlocked', 'local-logon', 'remote-access', 'remote-logon',
    'account-password-change', 'account-password-reset', 'account-lockout',
    'account-unlocked', 'account-enabled', 'account-disabled', 'account-deleted',
    'account-creation', 'member-added', 'member-removed'
  ]
  Condition = "exists(domain) && ((exists(dest_host) && dest_host = domain) || InList(toLower(domain),'workgroup', 'window manager', 'font driver host')) && vendor='Microsoft Windows' && !InList(event_code,'4648','4769','673','676','552') and not EndsWith(user, '$') and !InList(toLower(user),'system','local service','network service','anonymous logon')"
  Map = [
    {
      Field = "user_type"
      Value = """'local'"""
    },
    {
      Field = "user"
      Value = "concat(user, ' (', dest_host, ')')"
    }
  ]
}

Example 2

In this example, the alert-based event types are reviewed and the local asset is determined from the source and destination fields, in priority order, using the isSiteLocal() function.

security-alert-local_asset {
  EventTypes = ['security-alert', 'dlp-alert', 'process-alert', 'network-alert', 'database-alert']
  Condition = "exists(src_host) || exists(src_ip) || exists(dest_host) || exists(dest_ip)"
  Map = [
    {
      Field = "local_asset"
      Value = """if(isSiteLocal(src_ip),first(src_host,src_ip),if(isSiteLocal(dest_ip),first(dest_host,dest_ip),first(src_host,src_ip,dest_host,dest_ip)))"""
    }
  ]
}
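To make the priority logic of Example 2 concrete, here is an added Python model of that enricher (not Exabeam's code). It assumes isSiteLocal() means "address in an RFC 1918 or IPv6 ULA range" and first() means "first present, non-empty argument"; the parsed events are constructed samples.

```python
import ipaddress

# Constructed sample parser outputs; a field that is absent from the dict is
# "missing" in the sense of exists()/first(). Not taken from the page.
SAMPLE_EVENTS = [
    {"event_type": "security-alert", "src_ip": "10.1.2.3", "src_host": "ws-17", "dest_ip": "203.0.113.5"},
    {"event_type": "network-alert", "src_ip": "198.51.100.9", "dest_ip": "192.168.4.20", "dest_host": "db-01"},
    {"event_type": "dlp-alert", "src_ip": "198.51.100.9", "dest_ip": "203.0.113.5", "dest_host": "cdn-edge"},
    {"event_type": "process-alert", "src_host": "ws-99"},
    {"event_type": "security-alert", "user": "alice"},            # Condition fails
    {"event_type": "local-logon", "src_ip": "10.9.9.9"},          # not in EventTypes
]

EVENT_TYPES = {"security-alert", "dlp-alert", "process-alert", "network-alert", "database-alert"}
CONDITION_FIELDS = ("src_host", "src_ip", "dest_host", "dest_ip")

# Assumed meaning of isSiteLocal(): private (site-local) address ranges.
SITE_LOCAL_NETS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_site_local(value):
    """Missing or unparsable values are treated as not local (assumption)."""
    try:
        addr = ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in SITE_LOCAL_NETS)


def first(*values):
    """Assumed first(): the first argument that is present and non-empty."""
    return next((v for v in values if v), None)


def local_asset(ev):
    """Evaluate the Map Value expression of Example 2 for one parsed event."""
    g = ev.get
    if is_site_local(g("src_ip")):
        return first(g("src_host"), g("src_ip"))
    if is_site_local(g("dest_ip")):
        return first(g("dest_host"), g("dest_ip"))
    return first(g("src_host"), g("src_ip"), g("dest_host"), g("dest_ip"))


def enrich(events):
    """Add local_asset only where EventTypes and Condition both match."""
    out = []
    for ev in events:
        ev = dict(ev)
        if ev.get("event_type") in EVENT_TYPES and any(f in ev for f in CONDITION_FIELDS):
            ev["local_asset"] = local_asset(ev)
        out.append(ev)
    return out
```

Running enrich(SAMPLE_EVENTS) shows the fallback path: when neither address is site-local, the expression still yields a value, so local_asset may name an external host for alerts between two non-local addresses.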