- Welcome to Exabeam Security Content
- What is Security Content?
- Common Information Model
- What is the Common Information Model?
- Common Information Model Context Elements
- Common Information Model Interface
- Common Information Model Event-naming Format
- Common Information Model Impact on Downstream Processes
- Using the Common Information Model to Create Custom Content
- Transitioning to the Common Information Model
- Understanding the Log
- Exabeam Parsers
- Exabeam Event Building
- Exabeam Enrichment
- Exabeam Persistence and Templates
- Exabeam Models
- Exabeam Rules
Parser Naming Conventions
With the introduction of the common information model, the conventions for constructing parser names have been standardized. The parser-naming structure ensures that parser names are consistent across Exabeam products and easily recognizable. All default Exabeam parsers follow the naming structure outlined below. Custom parsers should be named according to the same conventions.
Note
If you've been using Exabeam products prior to the introduction of this parser naming convention, consult the Parser Names Matrix in the New-Scale Content Library (a GitHub repository). The matrix matches old parser names with their corresponding new-scale names.
Parser Name Structure: Vendor Code – Product Code – Log Type Format – Full Event Name – Operation Code
Sample Parser Names:
microsoft-windows-cef-user-password-modify-4723
box-ccm-sk4-app-login-success-login
checkpoint-ngfw-str-network-traffic-success-allow
oracle-db-mix-database-query-success-audit
vmware-view-kv-app-login-fail-viewuserauthfailed
The table below provides descriptions for each part of the parser-naming structure.
Parser Name Element | Description |
|---|---|
Vendor Code | A code that identifies the owner of the product that recorded the event. Vendor codes must not include capital letters or hyphens. Examples: |
Product Code | A code that identifies the service or application that recorded the event. Product codes must not include capital letters or hyphens. Examples: |
Log Type Format | Indicates the type of log format the parser is designed to handle. Possible values include the following:
|
Full Event Name | Identifies the type of event. According to the common information model format, events are identified as subject-activity_type-outcome. Examples: |
Operation Code | A vendor-defined numeric or string code that identifies the type of log the parser targets . Examples: |