Anatomy of a Parser
A parser definition contains the following types of information:
Common Parameters – Provide information about the parser and its source, such as the parser name, the source vendor and product, and the time format. For a description of each parameter, see the table of Parser Parameter Definitions below the sample parser.
Parser Conditions – Strings that must be matched in order for a log to be associated with a specific parser. For more information about these fields, see Associating a Log with a Parser.
Mapping Fields – Regular expressions (regexes) that tell the parsing engine which values to extract from the log and how to map them to Exabeam fields. For more information about these fields, see Extracting and Mapping Values.
Viewing Parser Definitions
To view an Exabeam parser definition:
Open Log Stream.
Click the options icon to the right of a specific parser and select View Details. A Parser Details page opens.
Select the Configuration Files tab. The parser.conf file is displayed.
Sample Parser
The sample parser definition below is designed to parse a log that describes an attempt to modify a Microsoft Windows account password.
{
  Name = "microsoft-evsecurity-cef-user-password-modify-4723"
  Vendor = "Microsoft"
  Product = "Event Viewer - Security"
  TimeFormat = "epoch"
  Conditions = [
    """|Microsoft|Microsoft Windows|"""
    """An attempt was made to change"""
    """externalId=4723"""
  ]
  Fields = [
    """({event_name}An attempt was made to change an account's password)"""
    """\sexternalId=({event_code}\d+)"""
    """\srt=({time}\d{13})"""
    """\sdvc=({host}[a-fA-F:\d.]+)"""
    """\sdvchost=({host}[^\s]+)"""
    """\ssuser=({user}.+?)\s+\w+="""
    """\sduser=({dest_user}.+?)\s+\w+="""
    """Security_,ID=({user_sid}[^\s]+?)(\s|\||$)"""
    """\ssntdom=({domain}.+?)\s\w+="""
    """\sdeviceSeverity=({result}.+?)\s\w+="""
    """\sdntdom=({dest_domain}.+?)\s\w+="""
    """\sduid=({login_id}[^\s]+)"""
    """\sdvc=(?:-|({src_ip}[\w:.]+))\s+\w+="""
  ]
  DupFields = [ "host->dest_host" ]
  ParserVersion = "v1.0.0"
},
Parser Parameters
The following table defines all of the parameters included in the parser content.
Parameter | Description |
---|---|
Name | The name of the parser. Each parser name must be unique; otherwise a subsequent parser with the same name overwrites the previous parser. For more information, see Parser Naming Conventions. Use the parser name when creating an event builder. When the event builder outputs an |
Vendor | The name of the company that builds or sells the source product that logged the activity. |
Product | The name of the product that generated the log. |
TimeFormat | A regex-style definition that describes the structure of the parser's time field. Unix timestamp formats are supported, as is any other Unix-readable format. If a ten-digit numerical time format is used, such as epoch time, use Note: If no time is available in the raw log, the parsed message uses the time at which the log was ingested. |
Conditions | A set of one or more strings that the log must contain in order to be associated with this parser. If a parser has multiple conditions, the log must match all of them (AND logic) to be parsed by that parser; a log that fails any one condition is never passed to this parser's Fields regexes. |
Fields | A set of regular expressions (regexes) that tell the parsing engine what values to extract from the log and how to map them to Exabeam fields. |
DupFields | An array that allows a parsed field to be duplicated with another field name. This strategy can be more performant than duplicating the regex string for both fields. In the sample parser above, the |
ParserVersion | The version of the parser definition. |
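To make the mechanics of the sample parser and the parameter table concrete, the following Python script is an added example (not Exabeam's engine and not code from this page) that reimplements the three stages described above in miniature: it checks that every Conditions string occurs in the raw log, translates each Fields regex from Exabeam's ({name}pattern) capture syntax to Python's (?P<name>pattern) and runs it, then applies DupFields. The parser definition is a hand transcription of the sample above; the CEF log lines are constructed so that every regex has something to match and are not real Windows events. Two behaviours are assumptions rather than anything the page states: Conditions are treated as plain substring matches, and when two regexes extract the same field name (host from dvc and from dvchost) the first extracted value is kept.

```python
import re

# Hand transcription of the page's sample parser into Python data (the real
# parser.conf is HOCON; only the keys this toy engine consumes are kept).
SAMPLE_PARSER = {
    "Name": "microsoft-evsecurity-cef-user-password-modify-4723",
    "Conditions": [
        "|Microsoft|Microsoft Windows|",
        "An attempt was made to change",
        "externalId=4723",
    ],
    "Fields": [
        r"({event_name}An attempt was made to change an account's password)",
        r"\sexternalId=({event_code}\d+)",
        r"\srt=({time}\d{13})",
        r"\sdvc=({host}[a-fA-F:\d.]+)",
        r"\sdvchost=({host}[^\s]+)",
        r"\ssuser=({user}.+?)\s+\w+=",
        r"\sduser=({dest_user}.+?)\s+\w+=",
        r"Security_,ID=({user_sid}[^\s]+?)(\s|\||$)",
        r"\ssntdom=({domain}.+?)\s\w+=",
        r"\sdeviceSeverity=({result}.+?)\s\w+=",
        r"\sdntdom=({dest_domain}.+?)\s\w+=",
        r"\sduid=({login_id}[^\s]+)",
        r"\sdvc=(?:-|({src_ip}[\w:.]+))\s+\w+=",
    ],
    "DupFields": ["host->dest_host"],
}


def matches_conditions(parser, log):
    """Every Conditions string must occur in the raw log (AND logic).
    Assumption: conditions are literal substring matches, not regexes."""
    return all(cond in log for cond in parser["Conditions"])


def to_python_regex(field_regex):
    """Translate Exabeam's ({name}pattern) capture syntax to Python's (?P<name>pattern).
    Unnamed groups such as (\\s|\\||$) are left alone; groupdict() ignores them."""
    return re.sub(r"\(\{(\w+)\}", r"(?P<\1>", field_regex)


def extract_fields(parser, log):
    """Run each Fields regex against the log and collect the named captures."""
    fields = {}
    for field_regex in parser["Fields"]:
        match = re.search(to_python_regex(field_regex), log)
        if not match:
            continue  # a non-matching regex simply contributes nothing
        for name, value in match.groupdict().items():
            # An optional group may not participate (e.g. dvc=-), so skip None.
            # Assumption: the first value extracted for a name is kept; the
            # page does not say which regex wins when several set one field.
            if value is not None and name not in fields:
                fields[name] = value
    return fields


def apply_dupfields(parser, fields):
    """Copy already-extracted values under a second name ("host->dest_host")."""
    for spec in parser.get("DupFields", []):
        src, dst = (part.strip() for part in spec.split("->"))
        if src in fields:
            fields[dst] = fields[src]
    return fields


def parse(parser, log):
    """Return the parsed field map, or None if the log is not associated with this parser."""
    if not matches_conditions(parser, log):
        return None
    return apply_dupfields(parser, extract_fields(parser, log))


# Constructed CEF line: key order and the cs1=Security_,ID=... extension were
# chosen so every regex above matches; this is not a captured Windows event.
SAMPLE_LOG = (
    "CEF:0|Microsoft|Microsoft Windows|1.0|4723|"
    "An attempt was made to change an account's password|Low|"
    "cat=Security externalId=4723 rt=1700000000000 dvc=10.1.2.3 "
    "dvchost=DC01.corp.example suser=Administrator sntdom=CORP duser=jdoe "
    "dntdom=CORP duid=0x3e7 deviceSeverity=Low "
    "cs1=Security_,ID=S-1-5-21-1111-2222-3333-500"
)

# Constructed near-miss (a 4724 password reset): same vendor/product header,
# but two of the three Conditions fail, so the parser must not claim it.
OTHER_LOG = (
    "CEF:0|Microsoft|Microsoft Windows|1.0|4724|"
    "An attempt was made to reset an account's password|Low|"
    "cat=Security externalId=4724 rt=1700000000000 dvc=10.1.2.3 "
    "suser=Administrator duser=jdoe"
)

if __name__ == "__main__":
    for name, value in sorted(parse(SAMPLE_PARSER, SAMPLE_LOG).items()):
        print(f"{name:12} = {value}")
    print("4724 event parsed by 4723 parser:", parse(SAMPLE_PARSER, OTHER_LOG))
```

Running it prints the extracted fields for the 4723 line, including dest_host copied from host by DupFields, and None for the 4724 line, which shows why the Conditions list is the cheap gate in front of the regex work. Note that dvc is consumed twice, once into host and once into src_ip, and that host is also set by dvchost; when writing your own parser, keep field regexes from competing for the same name unless you know the engine's precedence.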