Fact-based Rules
Fact-based rules can focus either on user behavior or on asset activity. The sections below give one example of each: a fact-based rule driven by user actions and a fact-based rule driven by asset activity.
The user-based example is a simple rule of the kind commonly seen in traditional SIEMs: for a parsed field x in an event, trigger the rule if x = some_string.
The asset-based example uses the DistinctCountBy expression to check for three distinct types of alert on a specific asset. The DistinctCountBy expression on the source host field returns the number of distinct alert types observed on that asset during the session.
Fact-based Rule - User
This example shows a rule based on user behavior. It is used to detect suspicious activity on .pst or .ost files. Because the rule focuses only on the files, and not on any historical model data, it is considered a fact-based rule. The fact-based nature of the rule is also clear from the value of the Model attribute. For more information about the rule attributes, see the table below the example.
FA-Outlook-pst {
  RuleName = "A file ends with either pst or ost"
  RuleDescription = "A file copied ends with either pst or ost"
  ReasonTemplate = "PST/OST file copied"
  AggregateReasonTemplate = "PST/OST file copied"
  RuleType = "file"
  RuleCategory = "File Activity"
  ClassifyIf = """TRUE"""
  RuleEventTypes = [ "file-write" ]
  Disabled = "FALSE"
  Deprecated = "FALSE"
  Model = "FACT"
  FactFeatureName = "src_file_name"
  Score = "20.0"
  RuleLabels {
    mitre = ["T1114.001"]
    scenario = ["Data Leak via Email"]
  }
  PercentileThreshold = "0.1"
  RuleExpression = """sequenceCount(src_file_name,'file-write')=1 && (endsWith(toLower(src_file_name), '.pst') || endsWith(toLower(src_file_name), '.ost'))"""
  DependencyExpression = "FA-Outlook"
}
Rule Attribute | Description |
---|---|
RuleType | Indicates the type of session the rule should be triggered in. The value |
RuleCategory | A free-text description of the category or classification of the rule. The value |
ClassifyIf | An expression that indicates when the rule should trigger. The value |
RuleEventTypes | An array that indicates which events can trigger the rule. In this example, the rule is triggered when a |
FactFeatureName | This value is displayed when the |
Score | Indicates how the rule should be scored based on its criticality. In this example, the value is |
RuleLabels | Used for rule tagging to show MITRE ATT&CK and use-case coverage. In this example, the rule is tagged for MITRE technique |
PercentileThreshold | The percentile below which values are considered anomalous. In this example, the value |
RuleExpression | Expression that defines under what conditions the rule should trigger. This expression includes the following two conditions and the |
DependencyExpression | Indicates that triggering the rule depends on whether another rule for the same event has triggered. In this example, the rule will only trigger if rule |
For definitions and examples of other Exabeam rule attributes, see Rule Attributes.
Fact-based Rule - Asset
This example shows a rule based on asset activity. It is used to detect three types of security alerts on a specific source host. Because the rule focuses only on the alerts, and not on any historical model data, it is considered a fact-based rule. The fact-based nature of the rule is also clear from the value of the Model attribute. For more information about the rule attributes, see the table below the example.
A-ALERT-DISTINCT-NAMES {
  RuleName = "Various security alerts on asset"
  RuleDescription = "At least three distinct security alerts were reported for the asset. This raises the probability that the asset is compromised."
  ReasonTemplate = "Third distinct security alert on asset"
  AggregateReasonTemplate = ""
  RuleType = "asset"
  RuleCategory = "Security Alert"
  ClassifyIf = """TRUE"""
  RuleEventTypes = [ "security-alert" ]
  Disabled = "FALSE"
  Deprecated = "TRUE"
  Model = "FACT"
  FactFeatureName = """src_host"""
  Score = "25.0"
  RuleLabels {
    mitre = ["T1027.005"]
    scenario = ["3rd Party Security Alerts"]
  }
  PercentileThreshold = "0.1"
  RuleExpression = """DistinctCountBy(alert_name, asset, 'security-alert')=3 && !WasRuleFired('A-ALERT-DISTINCT-NAMES')"""
  DependencyExpression = "NA"
  Aggregation {
    DataExpr = """DistinctCountBy(alert_name, asset, 'security-alert')=3 && !WasRuleFired('A-ALERT-DISTINCT-NAMES')"""
    EventExpr = "TRUE"
  }
}
Rule Attribute | Description |
---|---|
RuleType | Indicates the type of session the rule should be triggered in. The value |
RuleCategory | A free-text description of the category or classification of the rule. The value |
ClassifyIf | An expression that indicates when the rule should trigger. The value |
RuleEventTypes | An array that indicates which events can trigger the rule. In this example, the rule is triggered when |
FactFeatureName | This value is displayed when the |
Score | Indicates how the rule should be scored based on its criticality. In this example, the value is |
RuleLabels | Used for rule tagging to show MITRE ATT&CK and use-case coverage. In this example, the rule is tagged for MITRE technique |
PercentileThreshold | The percentile below which values are considered anomalous. In this example, the value |
RuleExpression | Expression that defines under what conditions the rule should trigger. This expression includes the following two conditions and the |
DependencyExpression | The value |
Aggregation | This attribute is required for asset-based rules. It includes the following parameters: |
For definitions and examples of other Exabeam rule attributes, see Rule Attributes.
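To make the two rule expressions above concrete, here is an added simulation that replays a constructed session of events through both the user-based rule (FA-Outlook-pst) and the asset-based rule (A-ALERT-DISTINCT-NAMES). This is illustration code written for this page, not Exabeam's rule engine; the semantics of sequenceCount, DistinctCountBy and WasRuleFired are assumed from their names and the descriptions above, the Event and Session classes are constructed, and the FA-Outlook dependency rule (whose definition is not on the page) is replaced by a placeholder that fires once per session. The replay shows why each guard matters: sequenceCount(...)=1 limits the file rule to the first write of a given file name, and !WasRuleFired(...) keeps the asset rule from firing again when the distinct-alert count stays at three.

```python
# Constructed simulation of the two fact-based rules above (not Exabeam code).
from dataclasses import dataclass, field


@dataclass
class Event:
    event_type: str          # e.g. "file-write" or "security-alert"
    user: str
    asset: str
    src_file_name: str = ""
    alert_name: str = ""


@dataclass
class Session:
    """Events replayed so far in the session and the rules already fired."""
    seen: list = field(default_factory=list)
    fired: set = field(default_factory=set)

    # Assumed meaning of sequenceCount(field, eventType): how many events of
    # eventType in this session (current one included) carry this field value.
    def sequence_count(self, value, event_type):
        return sum(1 for e in self.seen
                   if e.event_type == event_type and e.src_file_name == value)

    # Assumed meaning of DistinctCountBy(alert_name, asset, eventType): number
    # of distinct alert_name values seen on this asset in eventType events.
    def distinct_count_by(self, asset, event_type):
        return len({e.alert_name for e in self.seen
                    if e.event_type == event_type and e.asset == asset})

    def was_rule_fired(self, rule_id):
        return rule_id in self.fired


# Placeholder for the FA-Outlook dependency (real definition not on the page):
# fires on the first file-write of the session only.
def fa_outlook(s, ev):
    return not s.was_rule_fired("FA-Outlook")


# RuleExpression of FA-Outlook-pst, as on the page.
def fa_outlook_pst(s, ev):
    name = ev.src_file_name.lower()
    return (s.sequence_count(ev.src_file_name, "file-write") == 1
            and (name.endswith(".pst") or name.endswith(".ost")))


# RuleExpression of A-ALERT-DISTINCT-NAMES, as on the page.
def a_alert_distinct_names(s, ev):
    return (s.distinct_count_by(ev.asset, "security-alert") == 3
            and not s.was_rule_fired("A-ALERT-DISTINCT-NAMES"))


# (rule id, RuleEventTypes, RuleExpression, DependencyExpression, Score)
RULES = [
    ("FA-Outlook", ["file-write"], fa_outlook, None, 0.0),
    ("FA-Outlook-pst", ["file-write"], fa_outlook_pst, "FA-Outlook", 20.0),
    ("A-ALERT-DISTINCT-NAMES", ["security-alert"], a_alert_distinct_names, "NA", 25.0),
]


def evaluate_session(events):
    """Replay events in order; return [(rule id, event index)] for each trigger.

    Rules are checked in RULES order for every event, so a dependency rule
    listed earlier can satisfy DependencyExpression for the same event
    (an assumption about ordering, not documented on the page).
    """
    session = Session()
    triggers = []
    for idx, ev in enumerate(events):
        session.seen.append(ev)
        for rule_id, types, expr, dep, _score in RULES:
            if ev.event_type not in types:
                continue
            if dep not in (None, "NA") and not session.was_rule_fired(dep):
                continue
            if expr(session, ev):
                session.fired.add(rule_id)
                triggers.append((rule_id, idx))
    return triggers


def session_score(events):
    """Sum the Score of every rule that triggered in the session."""
    scores = {rule_id: score for rule_id, _t, _e, _d, score in RULES}
    return sum(scores[rule_id] for rule_id, _ in evaluate_session(events))


# Constructed sample session: a PST written twice, an unrelated file, then a
# run of alerts on one server (fourth alert repeats a name) and one on another.
SAMPLE = [
    Event("file-write", "alice", "wks-01", src_file_name="Outlook Backup.PST"),
    Event("file-write", "alice", "wks-01", src_file_name="Outlook Backup.PST"),
    Event("file-write", "alice", "wks-01", src_file_name="notes.txt"),
    Event("security-alert", "bob", "srv-02", alert_name="Malware Detected"),
    Event("security-alert", "bob", "srv-02", alert_name="Malware Detected"),
    Event("security-alert", "bob", "srv-02", alert_name="Suspicious Beacon"),
    Event("security-alert", "bob", "srv-02", alert_name="Credential Access"),
    Event("security-alert", "bob", "srv-02", alert_name="Credential Access"),
    Event("security-alert", "carol", "srv-03", alert_name="Malware Detected"),
]

if __name__ == "__main__":
    for rule_id, idx in evaluate_session(SAMPLE):
        print(f"event {idx}: {rule_id}")
    print("session score:", session_score(SAMPLE))
```

Running the block prints three triggers: FA-Outlook and FA-Outlook-pst on event 0 (the first write of the .PST file; the second write has sequenceCount 2 and is ignored), and A-ALERT-DISTINCT-NAMES on event 6, the third distinct alert name on srv-02. Event 7 repeats an alert name, so the distinct count is still 3, and only the !WasRuleFired guard stops the asset rule from scoring the same asset twice; srv-03 has one distinct alert and never reaches the threshold.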