Security ContentExabeam Security Content in the Common Information Model

To track how often a specific activity has occurred, the count field values pairs can be tracked. This information can also be used to determine whether different field values should be stored in a single field value.

Enrichers often include a concat logical expression to put two field values together.

In the example below, a target_user field is created that either begins with root – if target_user_id = '0' – or begins with the actual target_user_id field if the value is not equal to 0.

unix-target-id {
      EventTypes = 
['account-deleted','account-password-change','account-password-reset']
      Condition = """!exists(target_user) && exists(target_user_id) && exists(dest_host) && vendor='Unix'"""
      Map = [
        {
          Field = "target_user"
          Value = "ReturnIf(target_user_id = '0', concat('root (', dest_host, ')'), concat(target_user_id, ' (', dest_host, ')'))"
        }
      ]
    }

netflow-scanhost {
      EventTypes = ['netflow-connection']
      Condition = "exists(src_host)"
      Map = [
        {
          Field = "src_host_time"
          Value = """concat(src_host, '-', take(time,9))"""
        }
      ]
    }

A rule can use the following syntax to track whether a host (src_host) reached out to another host (dest_host) 20 times within a second. This expression works because the time value is concatenated to the src_host value. Because src_host will not change, then the time is reliably the same for the different events.

"""DistinctCountByIf(dest_host, src_host_time, src_locality = 'internal', 'netflow-connection') = 20"""