
Exabeam Security Content in the Common Information Model

Anatomy of a Parser

A parser definition contains the following types of information:

  • Common Parameters – Provide information about the parser and its source, such as the parser name, the source vendor and product, and the time format. For a description of each parameter, see the table of Parser Parameter Definitions below the sample parser.

  • Parser Conditions – Strings that must be matched in order for a log to be associated with a specific parser. For more information about these fields, see Associating a Log with a Parser.

  • Mapping Fields – Regular expressions (regexes) that tell the parsing engine which values to extract from the log and how to map them to Exabeam fields. For more information about these fields, see Extracting and Mapping Values.

Viewing Parser Definitions

To view an Exabeam parser definition:

  1. Open Log Stream.

  2. Click the options icon to the right of a specific parser and select View Details. A Parser Details page opens.

  3. Select the Configuration Files tab. The parser.conf file is displayed.

Sample Parser

The sample parser definition below is designed to parse a log that describes an attempt to modify a Microsoft Windows account password.

{
Name = "microsoft-evsecurity-cef-user-password-modify-4723"
Vendor = "Microsoft"
Product = "Event Viewer - Security"
TimeFormat = "epoch"
Conditions = [
  """|Microsoft|Microsoft Windows|"""
  """An attempt was made to change"""
  """externalId=4723"""
]
Fields = [
  """({event_name}An attempt was made to change an account's password)"""
  """\sexternalId=({event_code}\d+)"""
  """\srt=({time}\d{13})"""
  """\sdvc=({host}[a-fA-F:\d.]+)"""
  """\sdvchost=({host}[^\s]+)"""
  """\ssuser=({user}.+?)\s+\w+="""
  """\sduser=({dest_user}.+?)\s+\w+="""
  """Security_,ID=({user_sid}[^\s]+?)(\s|\||$)"""
  """\ssntdom=({domain}.+?)\s\w+="""
  """\sdeviceSeverity=({result}.+?)\s\w+="""
  """\sdntdom=({dest_domain}.+?)\s\w+="""
  """\sduid=({login_id}[^\s]+)"""
  """\sdvc=(?:-|({src_ip}[\w:.]+))\s+\w+="""
]
DupFields = [
  "host->dest_host"
]
ParserVersion = "v1.0.0"
},

Parser Parameters

The following list defines all of the parameters included in the parser content.

  • Name – The name of the parser. Each parser name must be unique; otherwise a subsequent parser with the same name overwrites the previous parser. For more information, see Parser Naming Conventions. Use the parser name when creating an event builder. When the event builder outputs an evt.gz file, this parser name is included as the value of the msg_type parameter.

  • Vendor – The name of the company that builds or sells the source product that logged the activity.

  • Product – The name of the product that generated the log.

  • TimeFormat – A regex-style definition that represents the structure of the parser's time field. Unix timestamp formats are supported, as well as any other Unix-readable format. If a ten-digit numerical time format is used, such as epoch time, use epoch as the TimeFormat value.

    Note: If no time is available in the raw log, the parsed message uses the time at which the log was ingested.

  • Conditions – A set of one or more strings that define the exact conditions a log must match in order to be associated with a specific parser. If a parser contains multiple conditions, a log must match all of them in order to be parsed by that parser.

  • Fields – A set of regular expressions (regexes) that tell the parsing engine which values to extract from the log and how to map them to Exabeam fields.

  • DupFields – An array that allows a parsed field to be duplicated under another field name. This is more performant than repeating the regex string for both fields. In the sample parser above, the host field is already parsed; it is duplicated into a field called dest_host that carries the same value once parsed.

  • ParserVersion – The version of the parser definition.