
Exabeam Security Content in the Common Information Model

Extracting and Mapping Values

Regular expressions, or regexes, allow Exabeam to identify specific patterns of information in a log. One or more regexes can be included in the Fields array of a parser. Together, these expressions tell the parsing engine which values to extract from a log and how to map the values to Exabeam fields. For more information about the elements of a parser, see Anatomy of a Parser.

Each regex statement is evaluated against the entire log, consecutively, in the order in which the statements appear in the parser. If a value is mapped to a certain field in one expression and a different value is mapped to the same field in a subsequent expression, the second mapping overwrites the first.

What's in a Regex Statement?

A regex statement for a value of interest is surrounded by parentheses. The first value inside the parentheses is a field name, enclosed in curly brackets, to which the extracted value will be assigned. The curly brackets are followed by the regular expression that tells the parsing engine how to identify the value to extract from the log.

For example, consider the following simple expression: ABC({my_field}...). Based on this expression, when the parsing engine identifies the string ABC in a log, it will extract the three characters immediately following the string and map them to a field called my_field.

So, if the source log contains the string ABC123XYZ, the parsing engine will map the value 123 to a field called my_field. If the string ABC does not exist in the log, the field my_field is not created.

In some cases, a single regex statement can contain multiple field names in curly brackets. This structure makes sense when the values from one element in the log need to be assigned to different fields. For example, an email address could supply values to both a user and a domain field.

In other cases, multiple regexes might be required to capture the value for a single field. This occurs when the format of a field varies within a log. Multiple regexes can be used to ensure that one of them will parse the field correctly. If multiple regexes match in the log, the regex that appears lowest in the Fields array takes precedence.
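The following is an added example, not Exabeam's parsing engine or any code from this documentation. It models the behaviour described above with Python's re module: each statement of the form ({field_name}expression) is rewritten into a named capture group, the statements are evaluated consecutively against the whole log, and a later mapping to the same field overwrites an earlier one. The rewriting rule, the parse function and all sample log lines are this example's own assumptions.

```python
import re

# Constructed sample log lines (not from any Exabeam source).
LOG_A = "ABC123XYZ user=alice@example.com src=10.0.0.5 action=login"
LOG_B = "time=\"Jan  1 00:00:00\" user=bob@example.org action=logout"


def compile_statement(statement):
    """Rewrite an Exabeam-style statement such as 'ABC({my_field}...)' into a
    Python regex by turning each '({name}' opener into a named group '(?P<name>'.
    The remaining regex syntax is passed through unchanged.
    (Assumed translation; the real parser's internals are not shown on the page.)"""
    pattern = re.sub(r"\(\{([A-Za-z_][A-Za-z0-9_]*)\}", r"(?P<\1>", statement)
    return re.compile(pattern)


def parse(log, fields):
    """Evaluate every statement in `fields`, in array order, against the entire log.

    A statement that does not match creates no field. When two statements map
    values to the same field, the one lower in the array overwrites the earlier
    value, which is the precedence rule described in the text."""
    result = {}
    for statement in fields:
        match = compile_statement(statement).search(log)
        if match is None:
            continue
        for name, value in match.groupdict().items():
            if value is not None:
                result[name] = value
    return result


# The three situations from the text, as reusable field arrays.
SIMPLE = ["ABC({my_field}...)"]
# One statement feeding two fields from a single log element (email -> user, domain).
EMAIL = [r"user=({user}[^@\s]+)@({domain}\S+)"]
# Two statements for one field whose format varies between logs; only one matches per log.
TIME_VARIANTS = [r"ts=({time}\S+)", r'time="({time}[^"]+)"']
# Two statements mapping different values to the same field; the lowest one wins.
OVERWRITE = [r"src=({src_ip}\S+)", r"action=({src_ip}\w+)"]

if __name__ == "__main__":
    print(parse(LOG_A, SIMPLE))        # {'my_field': '123'}
    print(parse(LOG_A, EMAIL))         # {'user': 'alice', 'domain': 'example.com'}
    print(parse(LOG_B, TIME_VARIANTS)) # {'time': 'Jan  1 00:00:00'}
    print(parse(LOG_A, OVERWRITE))     # {'src_ip': 'login'}
```

Running the script shows that ABC123XYZ yields my_field = 123, that the email statement populates user and domain from one element, that only the matching time variant creates the field, and that the later statement in OVERWRITE wins over the earlier one.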

Working with Regex Statements

Creating effective regex statements is crucial for leveraging the full value of Exabeam security functionality. Regex statements must be designed to capture all of the possible variations of data in a log, including edge cases. Failing to capture data can prevent Exabeam functionality from providing all of the security value it's capable of. For example, failing to extract a certain value could prevent Exabeam from modeling a specific field.

At the same time, the need to create broadly tuned regexes must be balanced with the need to limit how far a regex can capture. If a regex statement is designed to look through an entire log line, parsing engine performance will be slowed when the parser evaluates a high-volume log. To find the right balance, design and test your regex statements carefully.
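As an added illustration of the balance described above (example code, not from Exabeam or this guide), the following compares an unbounded capture that runs to the end of the line with a bounded one that stops at the field delimiter while still handling a quoted value. The log lines and field names are constructed for the example.

```python
import re

# Constructed log lines (not from any Exabeam source). The second line carries a
# quoted value containing a space, the kind of edge case a regex has to allow for.
LOGS = [
    "ts=1 user=alice src=10.0.0.5 action=login",
    'ts=2 user="bob smith" src=10.0.0.6 action=logout',
]

# Unbounded: '.*' consumes everything after 'user=' up to the end of the line.
GREEDY = re.compile(r"user=(?P<user>.*)")
# Bounded: either a quoted value or a run of non-space characters, then stop.
BOUNDED = re.compile(r'user=(?P<user>"[^"]*"|\S+)')


def extract_user(log, pattern):
    """Return the captured user value (quotes removed) or None if there is no match."""
    match = pattern.search(log)
    if match is None:
        return None
    return match.group("user").strip('"')


def extract_all(pattern):
    """Apply one pattern to every sample line."""
    return [extract_user(log, pattern) for log in LOGS]


def overcaptures(pattern):
    """True if any extracted value swallowed a neighbouring key=value pair."""
    return any(value is not None and "=" in value for value in extract_all(pattern))


if __name__ == "__main__":
    print(extract_all(GREEDY))   # values run on into src= and action=
    print(extract_all(BOUNDED))  # ['alice', 'bob smith']
    print(overcaptures(GREEDY), overcaptures(BOUNDED))  # True False
```

The bounded pattern both reads less of the line per evaluation and produces the value the downstream field expects; the greedy one silently folds the rest of the line into the user field.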

For more information about creating custom parsers and designing balanced regex statements, see the Log Stream Parser Manager Guide.

Note

You can use regex101.com to help you create and test regex syntax.