Multi-Log Event Building
In some scenarios, the data required to build a single event is spread across multiple logs. Exabeam supports multi-log event building, also known as event stitching, to extract the relevant information from different parsed logs and create a single event.
You can view event builder definitions in Log Stream by opening the Parser Details for a specific parser and viewing the event_builder.conf file on the Configuration Files tab. For more information about event builder parameters, see Anatomy of an Event Builder.
Two types of multi-log event builders are currently available, and they support only default Exabeam parsers:
- Binary Merger – Used to combine information from exactly two log messages into a single event. This type of event builder can be identified by a tracker parameter with the value ContivityMultiEventTracker. It extracts information, based on a specified ID, from two parsed messages. When both messages have been received, a single event is built.
- Sequence Merger – Used to combine information from a variable number of parsed messages into a single event. This type of event builder can be identified by a tracker parameter with the value VariableMessageMultiEventTracker. It extracts information from multiple parsed messages, based on a specified ID, until it receives a message with the same ID that contains a sequence-stopper. Then collection stops, the extracted information is stitched together, and a single event is built.
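To make the two stitching strategies concrete, here is an added Python example (not Exabeam code, and not the event_builder.conf format) that models a binary merger and a sequence merger over a constructed set of parsed messages. The correlation field name `id`, the `stop` flag used as the sequence-stopper, and the routing of IDs starting with `b` to the binary merger are all assumptions made for the illustration; note that a pair whose second half never arrives produces no event.

```python
from collections import defaultdict

# Constructed sample of parsed messages: "id" is the correlation key the
# tracker groups on; "stop": True marks the assumed sequence-stopper.
PARSED_MESSAGES = [
    {"id": "s1", "src_ip": "10.0.0.5", "seq": 1},
    {"id": "b1", "user": "alice"},
    {"id": "s1", "dest_ip": "10.0.0.9", "seq": 2},
    {"id": "b1", "action": "login", "result": "success"},
    {"id": "s1", "bytes": 512, "seq": 3, "stop": True},
    {"id": "b2", "user": "bob"},  # second half never arrives, so no event
]

class BinaryMergerTracker:
    """Simplified analogue of a binary merger: emits one event once exactly
    two messages sharing an id have been seen, otherwise holds the first."""
    def __init__(self):
        self.pending = {}

    def offer(self, msg):
        first = self.pending.pop(msg["id"], None)
        if first is None:
            self.pending[msg["id"]] = msg
            return None
        return {**first, **msg}

class SequenceMergerTracker:
    """Simplified analogue of a sequence merger: buffers messages sharing an
    id until the sequence-stopper arrives, then emits the stitched event."""
    def __init__(self, is_stopper):
        self.buffers = defaultdict(list)
        self.is_stopper = is_stopper

    def offer(self, msg):
        self.buffers[msg["id"]].append(msg)
        if not self.is_stopper(msg):
            return None
        parts = self.buffers.pop(msg["id"])
        event = {"message_count": len(parts)}
        for part in parts:  # bookkeeping fields are not part of the event
            event.update({k: v for k, v in part.items() if k not in ("stop", "seq")})
        return event

def build_events(messages):
    """Route each parsed message to a tracker (assumed rule: ids starting
    with 'b' go to the binary merger) and collect the events that get built."""
    binary = BinaryMergerTracker()
    sequence = SequenceMergerTracker(lambda m: m.get("stop", False))
    events = []
    for msg in messages:
        tracker = binary if msg["id"].startswith("b") else sequence
        event = tracker.offer(msg)
        if event is not None:
            events.append(event)
    return events
```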