
Security Content > Exabeam Security Content in the Common Information Model

Types of Event Fields

When an event builder creates an event from a log, information from that log is mapped into the following three types of fields, based on the Common Information Model interface: core, detection, and informational.

An event builder always creates an event based on a specific activity type. Each activity type has unique fields that correlate to specific information in a log. For each activity type, these fields are defined with a CDI classification. CDI stands for Core, Detection, Informational, as defined below. For more information about the CDI Methodology, see Common Information Model Interface.

  • Core – The field is required for a log to be parsed meaningfully; without it, the log cannot be used. Examples of core fields include time, product, subject, file_name.

  • Detection – The field is necessary for detecting a specific type of risk. Without this field, a detection capability that requires the field will not function properly. Examples of detection fields include process_command_line, file_path.

  • Informational – The field is neither required for parsing nor needed for detection, but it is captured when the log provides it. Examples of informational fields include host, process_id.

For an event builder to create an event, a log must contain information that matches at least the core (required) fields of the activity type. Information that maps to detection and informational fields is optional for creating an event, but it is useful for processing and displaying the event.
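As an added example that is not from this page or from Exabeam's own event builder, the following Python sketch applies the CDI rule to a parsed log: it refuses to build an event when any core field is absent, and it records which detection fields the log lacks so that dependent detection content can be flagged. The activity type name, the sample log values, and the ActivityType/Event structures are constructed for illustration; only the field names come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ActivityType:
    """Hypothetical CDI definition for one activity type (not Exabeam's)."""
    name: str
    core: frozenset           # required: without these the log cannot be used
    detection: frozenset      # needed by specific detection content
    informational: frozenset  # optional, kept only when the log supplies them


# Constructed activity type using the example fields named on this page.
FILE_ACTIVITY = ActivityType(
    name="file-activity",  # constructed name
    core=frozenset({"time", "product", "subject", "file_name"}),
    detection=frozenset({"process_command_line", "file_path"}),
    informational=frozenset({"host", "process_id"}),
)


@dataclass
class Event:
    activity_type: str
    fields: dict
    missing_detection: list = field(default_factory=list)


def _present(parsed: dict, name: str) -> bool:
    """A field counts as present only if the parser produced a non-empty value."""
    return parsed.get(name) not in (None, "")


def build_event(parsed: dict, activity: ActivityType) -> Optional[Event]:
    """Apply the CDI rule: every core field must be present, otherwise no event.
    Detection and informational fields are copied when present; fields the
    activity type does not define are dropped. Missing detection fields are
    listed so downstream content that depends on them can be flagged."""
    if any(not _present(parsed, f) for f in activity.core):
        return None
    known = activity.core | activity.detection | activity.informational
    fields = {k: v for k, v in parsed.items() if k in known and _present(parsed, k)}
    missing_detection = sorted(f for f in activity.detection if f not in fields)
    return Event(activity.name, fields, missing_detection)


# Constructed sample logs, already split into key/value pairs by a parser.
COMPLETE_LOG = {"time": "2024-01-01T10:00:00Z", "product": "EDR-X", "subject": "alice",
                "file_name": "report.docx", "file_path": "C:\\Users\\alice\\report.docx",
                "process_command_line": "winword.exe report.docx", "host": "ws01",
                "process_id": "4242", "unmapped_field": "ignored"}
NO_CMDLINE_LOG = {k: v for k, v in COMPLETE_LOG.items() if k != "process_command_line"}
NO_SUBJECT_LOG = {k: v for k, v in COMPLETE_LOG.items() if k != "subject"}
```

Running `build_event` over the three sample logs shows the three outcomes: a full event, an event with `process_command_line` listed as a missing detection field, and no event at all when the core field `subject` is absent.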

For tables of activity types and their core, detection, and informational fields, see the Activity Type Interface list in the CIM Library. It opens in a GitHub repository where you can click on links to view field information for specific activity types. The CDI information is represented in tables like the following:

[Image: CDIsample.png, a sample CDI table listing the core, detection, and informational fields of one activity type]