
Exabeam Security Content in the Common Information Model

Anatomy of an Event Builder

An Exabeam event builder definition contains the following types of information:

  • Event Builder ID – A unique identifier for the event builder.

  • Event Builder Expressions – A set of expressions that help determine which parsed messages match the event builder.

  • Event Output Parameters – Information about the type of event to build.

Viewing Event Builder Definitions

To view an event builder definition:

  1. Open Log Stream.

  2. Click the options icon to the right of a specific parser and select View Details. A Parser Details page opens.

  3. Select the Configuration Files tab. The parser.conf file is displayed.

  4. In the left panel, select event_builder.conf to view the event definition for the parser.

Sample Event Builder

The sample event builder below is designed to parse a log that describes a successful Netskope file write action.

netskope-sc-file-write-success = {
    input-message = [{
        expression = "InList(type, 'netskope-sc-cef-file-browse','netskope-sc-cef-file-write-success-create','netskope-sc-cef-file-write-success-edit','netskope-sc-cef-file-write-success-move','netskope-sc-cef-file-write-success-modifiedextended','netskope-sc-cef-file-write-success-listupdated','netskope-sc-cef-file-write-success-listcolumncreated','netskope-sc-cef-file-write-success-listcreated','netskope-sc-cef-file-write-success-listitemupdated','netskope-sc-cef-file-write-success-rename') and InList(toLower(operation),'edit','move','create','filemodifiedextended','listcolumncreated','listcreated','listitemupdated','listupdated','rename')"
    }]
    name = netskope-sc-file-write-success
    output-type = "file-write:success"
    Platform = Netskope Security Cloud
}

Event Builder Parameters

The following table defines all of the parameters included in the event builder definition. Each parameter name is followed by its description.

Event Builder ID

An identifier for the event builder. Must match the name parameter.

input-message

A set of expressions that help match the event builder to a parsed message. These expressions can contain the following information:

  • A list of the parsers that can create messages that match this event builder

  • Logical expressions that determine whether, and which type of, event the event builder creates

In the sample event builder definition above, the type field in the input-message shows that multiple parsers can generate messages that match this event builder, including netskope-sc-cef-file-browse, netskope-sc-cef-file-write-success-create, netskope-sc-cef-file-write-success-edit, and others.

The operation field in the sample input-message also shows that one of several activities must be present in the parsed message for an event to be created, including edit, move, create, and more.

name

A name for the event builder definition. Must match the ID parameter or the event cannot be built.

output-type

The type of Exabeam event that is assigned to the event created by this event builder. The output-type must match a full event name as described in the Common Information Model Event-naming Format, subject-activity:outcome (for example, file-write:success in the sample above).

Platform

Identifies the virtual environment or application in which the event occurred.
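The following Python script is an added illustration for this page, not Exabeam's event-building engine and not a parser for the real event_builder.conf syntax. It hand-transcribes the sample builder above into a dictionary, evaluates its two InList() conditions against a few constructed parsed messages (the message fields, user names and file names are made up), and checks the two consistency rules the table states: the Event Builder ID must equal the name parameter, and output-type must follow subject-activity:outcome. The regular expression assumes each part of the event name is a single lowercase token, which the page does not spell out, and a message missing the type or operation field is treated as a non-match rather than an error, which is also an assumption.

```python
import re

# Hand transcription of the sample event builder on the page (assumed field
# names; the real event_builder.conf is HOCON-style, not a Python dict).
SAMPLE_BUILDER = {
    # Event Builder ID and name: the page requires these to match.
    "id": "netskope-sc-file-write-success",
    "name": "netskope-sc-file-write-success",
    # Values from InList(type, ...) in the sample expression.
    "types": {
        "netskope-sc-cef-file-browse",
        "netskope-sc-cef-file-write-success-create",
        "netskope-sc-cef-file-write-success-edit",
        "netskope-sc-cef-file-write-success-move",
        "netskope-sc-cef-file-write-success-modifiedextended",
        "netskope-sc-cef-file-write-success-listupdated",
        "netskope-sc-cef-file-write-success-listcolumncreated",
        "netskope-sc-cef-file-write-success-listcreated",
        "netskope-sc-cef-file-write-success-listitemupdated",
        "netskope-sc-cef-file-write-success-rename",
    },
    # Values from InList(toLower(operation), ...) in the sample expression.
    "operations": {
        "edit", "move", "create", "filemodifiedextended", "listcolumncreated",
        "listcreated", "listitemupdated", "listupdated", "rename",
    },
    "output_type": "file-write:success",
    "platform": "Netskope Security Cloud",
}

# CIM event-naming format from the page: subject-activity:outcome.
# Assumption: each part is a single lowercase alphanumeric token.
EVENT_NAME_RE = re.compile(r"^[a-z0-9]+-[a-z0-9]+:[a-z0-9]+$")


def is_valid_output_type(output_type: str) -> bool:
    """True when output_type has the shape subject-activity:outcome."""
    return EVENT_NAME_RE.fullmatch(output_type) is not None


def input_message_matches(builder: dict, message: dict) -> bool:
    """Evaluate the sample's two InList() conditions on parsed fields.

    A message without a 'type' or 'operation' field cannot satisfy the
    expression, so it is rejected instead of raising (assumed behaviour).
    """
    msg_type = message.get("type")
    operation = message.get("operation")
    if msg_type is None or operation is None:
        return False
    # toLower(operation) makes the activity check case-insensitive;
    # the parser-type check is an exact string comparison.
    return msg_type in builder["types"] and operation.lower() in builder["operations"]


def build_event(builder: dict, message: dict):
    """Return the event for a matching message, or None if it does not match.

    Enforces the page's two consistency rules before matching anything.
    """
    if builder["id"] != builder["name"]:
        raise ValueError("event builder ID must match the name parameter")
    if not is_valid_output_type(builder["output_type"]):
        raise ValueError(f"output-type {builder['output_type']!r} is not subject-activity:outcome")
    if not input_message_matches(builder, message):
        return None
    return {
        "event_type": builder["output_type"],
        "platform": builder["platform"],
        "built_by": builder["name"],
        # Carry the parsed fields forward for later processing stages.
        "fields": dict(message),
    }


# Constructed parsed messages for the demonstration (not real Netskope output).
SAMPLE_MESSAGES = [
    {"type": "netskope-sc-cef-file-write-success-edit", "operation": "Edit",
     "user": "alice@example.com", "file": "budget.xlsx"},
    # browse parser, but a read-only activity: the operation list rejects it
    {"type": "netskope-sc-cef-file-browse", "operation": "Download",
     "user": "bob@example.com", "file": "roadmap.pdf"},
    # right activity, but from a parser this builder does not list
    {"type": "some-unrelated-parser", "operation": "edit"},
    # parsed message with no operation field at all
    {"type": "netskope-sc-cef-file-write-success-create"},
]


def build_all(builder: dict, messages: list) -> list:
    """Run the builder over a batch and return only the events that were built."""
    return [ev for ev in (build_event(builder, m) for m in messages) if ev]


if __name__ == "__main__":
    for event in build_all(SAMPLE_BUILDER, SAMPLE_MESSAGES):
        print(event["event_type"], event["platform"], event["fields"].get("user"))
```

Of the four constructed messages only the first becomes a file-write:success event: the second comes from a listed parser but carries an activity outside the operation list, the third names a parser the builder does not list, and the fourth lacks the field the expression inspects. That is the behaviour the table describes when it says both the parser list and the logical expressions in input-message must hold for an event to be created.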