
Exabeam Security Content in the Common Information Model

Model-based Rules

Every event processed by the analytics engine goes through a classification phase, during which the event is evaluated against all existing models. Each model that applies to the event scores it, and the resulting model data is stored with the event. That stored data is what a rule's RuleExpression attribute later reads: in a model-based rule, the model calculations referenced in the RuleExpression are computed when the event is classified, not when the rule is evaluated. So when a rule expression references model logic such as percentile_threshold_value, that value has already been determined during classification.

Model-based rules can focus either on user behavior or on asset activity. The sections below give one example of each: a model-based rule built on user actions and one built on asset activity. For reference, the model behind each rule is also shown.

The user-based example describes a rule that detects first-time security alerts for a user. The rule is based on a model that trains on security alerts for the user and triggers whenever a new alert is seen for that user.

The asset-based example describes a rule that determines whether a failed logon event is anomalous for an asset. The rule is based on a model that trains on the number of failed logon events per day experienced by a specific asset. The rule triggers when the current failed logon event is considered anomalous relative to that history.
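The two-phase flow described above (classify the event against every applicable model, store the model output on the event, then let rule expressions read only that stored output) and both example rules can be seen end to end in the following toy engine. This is an added illustration written for this page, not Exabeam's engine, rule syntax, or model definitions: the model names, the `is_first_time`, `count_today`, `train_days` and `percentile_threshold_value` fields, the nearest-rank 95th-percentile threshold, the minimum-training guards, and the sample events are all constructed assumptions chosen to make the behavior visible.

```python
"""Toy two-phase analytics engine (illustrative, not Exabeam's implementation).

Phase 1 classifies each event against every applicable model and stores the
model's output on the event. Phase 2 evaluates rule expressions that read only
that stored model data, so values such as percentile_threshold_value are fixed
before any rule runs.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Any, Callable, Optional


@dataclass
class Event:
    fields: dict[str, Any]
    model_data: dict[str, Any] = field(default_factory=dict)  # filled during classification


class FirstTimeAlertModel:
    """User-based model: remembers which alert names each user has produced."""
    name = "user_alert_first_time"  # assumed name

    def __init__(self) -> None:
        self.seen: dict[str, set[str]] = defaultdict(set)

    def applies(self, e: Event) -> bool:
        return e.fields.get("event_type") == "security-alert"

    def classify(self, e: Event) -> dict[str, Any]:
        user, alert = e.fields["user"], e.fields["alert_name"]
        result = {"is_first_time": alert not in self.seen[user],
                  "train_count": len(self.seen[user])}
        self.seen[user].add(alert)  # train only after scoring, so the event cannot see itself
        return result


class DailyFailedLogonModel:
    """Asset-based model: failed logons per day, scored against completed days."""
    name = "asset_failed_logon_daily"  # assumed name

    def __init__(self, percentile: float = 0.95) -> None:
        self.percentile = percentile
        self.daily: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))

    def applies(self, e: Event) -> bool:
        return e.fields.get("event_type") == "failed-logon"

    def threshold(self, counts: list[int]) -> Optional[int]:
        """Nearest-rank percentile of historical daily counts (None if untrained)."""
        if not counts:
            return None
        ordered = sorted(counts)
        idx = max(0, math.ceil(self.percentile * len(ordered)) - 1)
        return ordered[idx]

    def classify(self, e: Event) -> dict[str, Any]:
        asset, day = e.fields["asset"], e.fields["day"]
        # Assumes events arrive in day order, so every other recorded day is complete.
        history = [c for d, c in self.daily[asset].items() if d != day]
        self.daily[asset][day] += 1  # the current failure counts toward today
        return {"count_today": self.daily[asset][day],
                "percentile_threshold_value": self.threshold(history),
                "train_days": len(history)}


@dataclass
class Rule:
    name: str
    model: str
    expression: Callable[[dict[str, Any]], bool]  # sees only stored model data


RULES = [
    # Fires on an alert name never seen for this user, once the model has any training.
    Rule("first-time-security-alert-for-user", FirstTimeAlertModel.name,
         lambda m: m["train_count"] >= 1 and m["is_first_time"]),
    # Fires when today's failure count exceeds the precomputed percentile threshold,
    # after at least three completed training days (minimum is an assumption).
    Rule("anomalous-failed-logon-count-for-asset", DailyFailedLogonModel.name,
         lambda m: m["train_days"] >= 3
         and m["count_today"] > m["percentile_threshold_value"]),
]


def process(events: list[Event], models: list, rules: list[Rule]) -> list[tuple[str, dict]]:
    triggered = []
    for e in events:
        for m in models:                      # phase 1: classification
            if m.applies(e):
                e.model_data[m.name] = m.classify(e)
        for r in rules:                       # phase 2: rule evaluation
            data = e.model_data.get(r.model)
            if data is not None and r.expression(data):
                triggered.append((r.name, e.fields))
    return triggered


def sample_events() -> list[Event]:
    """Constructed sample data, not real logs."""
    raw = [{"event_type": "security-alert", "user": "alice", "alert_name": a, "day": d}
           for d, a in [(1, "Malware Detected"), (2, "Malware Detected"), (3, "Port Scan")]]
    for day, failures in enumerate([2, 3, 2, 3, 1, 6], start=1):
        raw += [{"event_type": "failed-logon", "asset": "host-01", "user": "bob", "day": day}
                for _ in range(failures)]
    return [Event(f) for f in raw]


def run_demo() -> list[tuple[str, dict]]:
    return process(sample_events(), [FirstTimeAlertModel(), DailyFailedLogonModel()], RULES)


if __name__ == "__main__":
    for name, fields in run_demo():
        print(name, fields)
```

Running it, the user rule fires once (alice's "Port Scan" on day 3; her day-1 alert is skipped because the model had no training yet). For host-01 the threshold on day 6 is computed from days 1 to 5 only, so the fourth, fifth and sixth failures that day exceed it and fire. Note that the rule expressions never touch the models: everything they need was attached to the event in the classification phase.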