- Welcome to Exabeam Security Content
- What is Security Content?
- Common Information Model
- What is the Common Information Model?
- Common Information Model Context Elements
- Common Information Model Interface
- Common Information Model Event-naming Format
- Common Information Model Impact on Downstream Processes
- Using the Common Information Model to Create Custom Content
- Transitioning to the Common Information Model
- Understanding the Log
- Exabeam Parsers
- Exabeam Event Building
- Exabeam Enrichment
- Exabeam Persistence and Templates
- Exabeam Models
- Exabeam Rules
PrevNext
How to Persist a Field
In order to persist a new field associated with an event on the UI, the new field entry must be added to the PersistedEventFields section of the custom_exabeam_config.conf file.
Note
Be sure to define this configuration in the custom configuration file (/opt/exabeam/config/custom/custom_exabeam_config.conf). Do not change the default configuration file.
For example, to persist a new field, vpn_source_location, that's associated with a parsed and enriched vpn-login event, add it to PersistedEventFields as shown in the sample below. Don't forget to enclose the entry within PersistedEventFields { } as shown below.
PersistedEventFields {
----------------------
----------------------
vpn-login = [_id,
vendor,
src_ip,
src_host,
"GetValue('country_code',src_ip)",
"GetValue('isp',src_ip)",
"GetValue('zone_info',dest)",
src_translated_ip,
dest_host,
dest_ip,
src_network_type,
realm,
os,
vpn_source_location]
----------------------
----------------------
}