Types of Enrichment
There are multiple types of enrichment available.
System-Defined Enrichment
This type of enrichment is performed automatically by Advanced Analytics in the backend, and can be tuned slightly in the custom_exabeam_config.conf file. It includes the following features:
Host-Ip Mapping – If a user or hostname is detected without the other, this enrichment feature populates the missing field based on previously seen data.
Security/Dlp-Alerts-to-User Mapping – When security or DLP alerts do not include the user information, this enrichment feature populates the user field based on previously seen data.
User-Defined Enrichment
This type of enrichment can be manually controlled. It includes the following types of enrichment activities:
Context Enrichment – Populates fields based on a lookup in a context table.
Event Enrichment – Modifies, adds, or removes fields based on a lookup in a context table. This is the most common type of enrichment. All logical expressions available in the analytics engine, excluding model and session expressions, can be used in event enrichment.
Event Duplicator – Duplicates an event for the purpose of adding it to a different user or asset timeline.
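To make the system-defined and user-defined stages above concrete, here is an added Python illustration (not Exabeam code, and not its configuration format) that applies a learned host/user mapping, a context-table lookup, a field-modifying logical expression, and an event duplicator to constructed sample events; the context table, field names and timeline labels are assumptions.

```python
from copy import deepcopy

# Constructed context table keyed by user (illustrative; not Exabeam's format).
USER_CONTEXT = {
    "alice": {"department": "finance", "is_privileged": False},
    "svc_backup": {"department": "it", "is_privileged": True},
}

class Enricher:
    def __init__(self):
        # Learned user<->host pairs: the "previously seen data" that
        # system-defined Host-Ip Mapping falls back on.
        self.user_to_host, self.host_to_user = {}, {}

    def learn(self, event):
        user, host = event.get("user"), event.get("host")
        if user and host:
            self.user_to_host[user], self.host_to_user[host] = host, user

    def host_user_mapping(self, event):
        # System-defined: fill whichever of user/host is absent from the event.
        if event.get("user") and not event.get("host"):
            event["host"] = self.user_to_host.get(event["user"])
        elif event.get("host") and not event.get("user"):
            event["user"] = self.host_to_user.get(event["host"])
        return event

    def context_enrichment(self, event):
        # User-defined context enrichment: add fields looked up in a context table.
        event.update(USER_CONTEXT.get(event.get("user"), {}))
        return event

    def event_enrichment(self, event):
        # User-defined event enrichment: a logical expression adds a field,
        # and a field downstream consumers do not need is removed.
        if event.get("is_privileged") and (event.get("user") or "").startswith("svc_"):
            event["account_type"] = "service"
        event.pop("raw", None)
        return event

    def duplicate_for_asset(self, event):
        # Event duplicator: a copy of the event also lands on the asset's timeline.
        copy = deepcopy(event)
        event["timeline"], copy["timeline"] = f"user:{event['user']}", f"asset:{event['host']}"
        return [event, copy]

    def process(self, event):
        self.learn(event)
        event = self.event_enrichment(self.context_enrichment(self.host_user_mapping(event)))
        return self.duplicate_for_asset(event) if event.get("host") and event.get("user") else [event]
```

Feeding a complete event first and then one that carries only the host shows the mapping stage filling in the user from what was previously seen.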
Threat Intelligence Enrichment
This type of enrichment is collected from threat intelligence services. Depending on the Exabeam applications in use, threat intelligence can be collected in the following ways:
Cloud-native applications – The Context Management service collects data about known malicious domains and IP addresses. This data is stored in context tables and can be accessed by Exabeam cloud-native applications. In Search, logs can be queried for indicators of compromise (IOCs) and related fields. In Dashboards, data about IOCs can be charted and visualized. For more information, see Built-in Threat Intelligence Tables in the Context Management Administration Guide.
On-premises and legacy SaaS applications – The Threat Intelligence Service delivers threat indicator data to Advanced Analytics via a set of threat intelligence feeds. Each feed provides a specific category of IOCs and is mapped to specific rules. The data is stored in context tables. For more information, see Exabeam Threat Intelligence Service.