Skip to main content

Security ContentExabeam Security Content in the Common Information Model

Exabeam Rules

UIP-pipeline-rules.png

Once a log has passed through the unified ingestion pipeline, where event building and enrichment have been completed, the log becomes available for evaluation against a set of rules. Rules contain the logical expressions that define unwanted or malicious behavior, or behavior you want to be alerted on.

Depending on the Exabeam applications in use, different types of rules are available:

  • Advanced Analytics– In this on-premises and legacy SaaS application, both fact-based rules and model-based rules are available. Each rule includes a RuleExpression attribute that contains the conditions under which the rule should trigger. These rules can generate alerts and can provide scoring so that points are added to session timelines. For overview information about working with rules in Advanced Analytics, see Types of Rules and Create Rules. For information about the attributes contained in Advanced Analytics rules, see the table in Rule Attributes.

    Note that before any rules can begin to evaluate parsed and enriched logs for Advanced Analytics, an event selection statement must be in place. The logic contained in the event selection statement helps to define which events should be passed to Advanced Analytics for analysis. For information about creating and editing these statements, see the Event Selection Guide.

  • Correlation Rules – In this cloud-native application, fact-based correlation rules are available. These correlation rules can be built from scratch or converted from search queries. These rules can trigger various alerting outcomes. For information about these rules, see the Correlation Rules Guide.