Exabeam Event Building
Event building is the process by which a parsed message is categorized into an Exabeam event. Event building takes in a parsed message and outputs an event written as an evt.gz file.
To convert parsed messages into events, every parser is matched to an event builder definition. Exabeam products are delivered with a large set of default event builder definitions, which are stored in a configuration file. You can view or modify event builder definitions in Log Stream.
Events are the basic unit used by downstream Exabeam processes, including enrichment, model training, rule creation, search, and handling UI components. If there is no event builder for a given parser, the parsed output from the log cannot be used to build an Exabeam event.
Event building provides the following benefits:
- Reduces the number of parsers – A single parser can be used to create multiple types of events. For example, a Windows login event can have either a successful or a failed outcome. Instead of capturing these two event types with two separate parsers, the outcome value can be parsed and used as a condition, so that one event builder produces either event.
- Combines information from multiple logs – Some log sources spread the information needed for an Exabeam event across several separate log files. The logic needed to combine the information from all of these logs into a single event can be defined in the event builder.
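As an added illustration of both benefits, not Exabeam's event builder configuration format or code, the following Python sketch conditions one parser's output on its outcome field and joins two related log lines into one event. Parser names, field names, event type names and the sample messages are all constructed for the example.

```python
# Constructed parsed messages (the output a parser would hand to event building).
# All names and values are hypothetical, not taken from any Exabeam parser.
PARSED = [
    {"parser": "windows-logon", "user": "alice", "outcome": "success", "src_ip": "10.0.0.5", "time": 100},
    {"parser": "windows-logon", "user": "bob", "outcome": "failure", "src_ip": "10.0.0.9", "time": 101},
    {"parser": "vpn-session-start", "session_id": "s1", "user": "carol", "src_ip": "203.0.113.7", "time": 102},
    {"parser": "vpn-session-end", "session_id": "s1", "bytes_out": 4096, "time": 150},
]

# Benefit 1: one parser, several event types, selected by a condition on a parsed field.
# Hypothetical structure; Exabeam's real definitions live in its own configuration file.
OUTCOME_BUILDERS = {
    "windows-logon": {"success": "authentication-successful", "failure": "authentication-failed"},
}


def build_single(msg):
    """Map one parsed message to one event, or None when no builder covers the parser."""
    mapping = OUTCOME_BUILDERS.get(msg["parser"])
    if mapping is None:
        return None  # no event builder for this parser: its output cannot become an event
    event_type = mapping.get(msg.get("outcome"))
    if event_type is None:
        return None  # outcome value the builder does not recognise
    fields = {k: v for k, v in msg.items() if k not in ("parser", "outcome")}
    return {"event_type": event_type, **fields}


class SessionJoiner:
    """Benefit 2: combine a session-start and a session-end log into one event, keyed by session_id."""

    def __init__(self):
        self.pending = {}  # session_id -> start message awaiting its end

    def feed(self, msg):
        if msg["parser"] == "vpn-session-start":
            self.pending[msg["session_id"]] = msg
            return None  # incomplete until the matching end arrives
        if msg["parser"] == "vpn-session-end":
            start = self.pending.pop(msg["session_id"], None)
            if start is None:
                return None  # end without a known start: not enough information for an event
            return {"event_type": "vpn-session", "user": start["user"], "src_ip": start["src_ip"],
                    "duration": msg["time"] - start["time"], "bytes_out": msg["bytes_out"]}
        return None


def build_events(messages):
    """Run every parsed message through both builder kinds and collect the resulting events."""
    joiner = SessionJoiner()
    return [ev for msg in messages for ev in (build_single(msg) or joiner.feed(msg),) if ev]
```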