Add a Field in an Event Template
Adding a new field to an event template involves finding the existing template in the default configuration file, copying it to a custom configuration file, and editing the custom file. In the steps below, a new vpn_source_location field is added to the template associated with the vpn-login event.
1. In the EventFormats section of the default configuration file, search for vpn-login.
2. To find the name of the template associated with the vpn-login event, look for the DetailsTemplate parameter in the vpn-login entry. The associated template is VpnLoginTemplate.
3. To find the template configuration for VpnLoginTemplate, search for VpnLoginTemplate in the Templates section of the default configuration file.
4. Copy the VpnLoginTemplate entry and paste it as a new entry in a custom configuration file.
   Note: This step is necessary so that the default configuration file remains unchanged; custom configuration files survive upgrades, edits to the default file do not.
5. Add the new field with the following parameters:
   label – The name of the field as it is displayed in the UI.
   value – The persisted field whose value should be displayed in the UI.
Note that fields are added as columns in a template, and each template row can contain at most three columns. When adding a new field, if there is no open column in an existing row, add a new row and then add the new field as the first column in that row.
In the example below, the new vpn_source_location field has been added as the third column of an existing row. Don't forget to enclose the entry within Templates { } as shown below.
Templates {
  # ... other templates ...
  VpnLoginTemplate {
    rows = [
      {
        columns = [
          {
            label = "TIME"
            value = "time|event.time"
          },
          {
            label = "USER"
            value = "user|event.user"
          },
          {
            label = "ACCOUNT"
            value = "user|event.account"
            icon = "AccountSwitch"
          }
        ]
      },
      # ... other rows ...
      {
        columns = [
          {
            label = "VPN SERVER"
            value = "default|event.dest_host"
          },
          {
            label = "VPN SERVER IP"
            value = "default|event.dest_ip"
          },
          {
            label = "VPN SRC LOCATION"
            value = "default|event.vpn_source_location"
          }
        ]
      }
      # ... other rows ...
    ]
  }
  # ... other templates ...
}
In the case above, vpn_source_location was added to a columns = [ ] block that held only two entries, leaving room for a third. The label parameter sets the name shown in the UI, and the value parameter names the persisted field whose value is displayed. Most importantly, the field you want to display must already be persisted, as described in the earlier section on persistence; if it is not, the template cannot display a value for it. Here, vpn_source_location has to be persisted in Mongo first and then added to the template in order to display it with the vpn-login event.
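The two rules the procedure above relies on (at most three columns per row, and only persisted fields may be referenced) are easy to get wrong by hand. The following script is an added example, not Exabeam's own tooling: it models the VpnLoginTemplate rows as plain Python data, adds a column while opening a new row when the current one is full, refuses fields that are not in a constructed set of persisted fields, and renders the result in the layout of the HOCON Templates block. The dict layout, the PERSISTED_FIELDS set and the function names are assumptions made for this example.

```python
import copy
import re

# Added example, not Exabeam code. The template is modelled as plain Python
# data mirroring the rows/columns layout of the HOCON Templates block shown
# on the page (this representation is an assumption for the example).
VPN_LOGIN_TEMPLATE = {
    "rows": [
        {"columns": [
            {"label": "TIME", "value": "time|event.time"},
            {"label": "USER", "value": "user|event.user"},
            {"label": "ACCOUNT", "value": "user|event.account", "icon": "AccountSwitch"},
        ]},
        {"columns": [
            {"label": "VPN SERVER", "value": "default|event.dest_host"},
            {"label": "VPN SERVER IP", "value": "default|event.dest_ip"},
        ]},
    ]
}

# Constructed set of fields assumed to be persisted for the vpn-login event.
PERSISTED_FIELDS = {"time", "user", "account", "dest_host", "dest_ip", "vpn_source_location"}

MAX_COLUMNS_PER_ROW = 3
# value syntax used in the template: "<formatter>|event.<field>"
VALUE_RE = re.compile(r"^\w+\|event\.(\w+)$")


def event_field(value):
    """Return the event field referenced by a 'formatter|event.field' value."""
    m = VALUE_RE.match(value)
    if not m:
        raise ValueError(f"unexpected value syntax: {value!r}")
    return m.group(1)


def add_field(template, label, value, persisted_fields, icon=None):
    """Return a copy of the template with one more column.

    The column is appended to the last row; when that row already holds
    MAX_COLUMNS_PER_ROW columns a new row is opened. Fields that are not
    persisted are rejected, because the UI could not display a value for them.
    """
    field = event_field(value)
    if field not in persisted_fields:
        raise ValueError(f"{field} is not persisted; persist it before adding it to a template")
    new = copy.deepcopy(template)
    column = {"label": label, "value": value}
    if icon:
        column["icon"] = icon
    rows = new["rows"]
    if not rows or len(rows[-1]["columns"]) >= MAX_COLUMNS_PER_ROW:
        rows.append({"columns": []})
    rows[-1]["columns"].append(column)
    return new


def validate_template(template, persisted_fields):
    """Return a list of problems: over-full rows and references to unpersisted fields."""
    problems = []
    for i, row in enumerate(template["rows"]):
        if len(row["columns"]) > MAX_COLUMNS_PER_ROW:
            problems.append(f"row {i} has {len(row['columns'])} columns (max {MAX_COLUMNS_PER_ROW})")
        for col in row["columns"]:
            field = event_field(col["value"])
            if field not in persisted_fields:
                problems.append(f"row {i}: {field} is not persisted")
    return problems


def render_hocon(name, template):
    """Emit the template as a Templates { } block in the layout the config file uses."""
    out = ["Templates {", f"  {name} {{", "    rows = ["]
    for row in template["rows"]:
        out.append("      {")
        out.append("        columns = [")
        for col in row["columns"]:
            out.append("          {")
            for key in ("label", "value", "icon"):
                if key in col:
                    out.append(f'            {key} = "{col[key]}"')
            out.append("          },")
        out.append("        ]")
        out.append("      },")
    out += ["    ]", "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    updated = add_field(VPN_LOGIN_TEMPLATE, "VPN SRC LOCATION",
                        "default|event.vpn_source_location", PERSISTED_FIELDS)
    assert validate_template(updated, PERSISTED_FIELDS) == []
    print(render_hocon("VpnLoginTemplate", updated))
```

Running the script prints the custom-file entry for VpnLoginTemplate with the new column as the third entry of the second row; adding a fourth field afterwards would open a new row rather than exceed the three-column limit, and naming a field that is missing from PERSISTED_FIELDS raises before any config is emitted.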