Rule Dependency and Chaining
Rules can have relationships with other rules through the use of the DependencyExpression attribute and expressions like WasRuleFired.
When DependencyExpression is used, Rule A can be conditioned to trigger only if rule B has triggered for the same event. Complex sets of rules can be created by using and, or, and not operators to define combinations of rule dependencies.
The WasRuleFired expression can be used in a RuleExpression attribute to determine if a specific rule has previously triggered in the session or sequence, and optionally, whether a specific value was seen. Here are some examples of WasRuleFired conditions:
WasRuleFired('Rule_Z') – The rule will trigger only if Rule_Z has previously triggered.
WasRuleFired('Rule_Z', dest_host) – The rule will trigger only if Rule_Z has previously triggered and the value of dest_host in the event it triggered on is the same as the value in the current event.
The WasRuleFired expression can also be used to negate a rule. For example, !WasRuleFired('rule_X') indicates that a rule should only trigger if rule_X has not triggered. This expression can often be used to ensure that a rule triggers only once per session or sequence.
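The following Python is an added illustration of the semantics described above, not Exabeam's rule engine or its expression syntax: a DependencyExpression checked against rules that fired on the same event, WasRuleFired with and without a field match, and the negated form used to fire once per session. The rule names, event fields and the sample session are constructed for the example.

```python
from typing import Dict, List, Optional
Event = Dict[str, str]

class Session:
    """Remembers which rules fired in this session and on which events."""
    def __init__(self) -> None:
        self.fired: Dict[str, List[Event]] = {}

    def was_rule_fired(self, rule: str, field: Optional[str] = None,
                       current: Optional[Event] = None) -> bool:
        # WasRuleFired('Rule_Z'): Rule_Z fired earlier in the session.
        # WasRuleFired('Rule_Z', field): and the field's value on the event Rule_Z
        # fired on equals the field's value on the current event.
        past = self.fired.get(rule, [])
        if field is None:
            return bool(past)
        return any(ev.get(field) == current.get(field) for ev in past)

    def evaluate(self, rules, event: Event) -> List[str]:
        """DependencyExpression is checked against rules already fired on this
        same event; RuleExpression sees the event plus the session history."""
        fired_now: List[str] = []
        for name, dependency, expression in rules:
            if dependency is not None and not dependency(set(fired_now)):
                continue
            if expression(self, event):
                fired_now.append(name)
                self.fired.setdefault(name, []).append(event)
        return fired_now

# Rules are (name, DependencyExpression, RuleExpression); Python callables stand in
# for Exabeam's expression syntax. Names and logic are constructed for this example.
RULES = [
    ("Rule_Z", None, lambda s, e: e["event_type"] == "failed-logon"),
    # DependencyExpression "Rule_Z": fires only on an event where Rule_Z also fired.
    ("Rule_A", lambda fired: "Rule_Z" in fired, lambda s, e: e["user"] == "admin"),
    # WasRuleFired('Rule_Z', dest_host): logon to a host with an earlier failed logon.
    ("Rule_M", None, lambda s, e: e["event_type"] == "logon"
                                and s.was_rule_fired("Rule_Z", "dest_host", e)),
    # !WasRuleFired('Rule_First'): fires at most once per session.
    ("Rule_First", None, lambda s, e: not s.was_rule_fired("Rule_First")),
]
SAMPLE_EVENTS = [  # constructed sample session, in order
    {"event_type": "failed-logon", "user": "bob", "dest_host": "srv01"},
    {"event_type": "logon", "user": "bob", "dest_host": "srv02"},
    {"event_type": "logon", "user": "bob", "dest_host": "srv01"},
    {"event_type": "failed-logon", "user": "admin", "dest_host": "dc01"},
]

def run_session(events: List[Event]) -> List[List[str]]:
    """Feed events through one session; return the rules fired per event."""
    session = Session()
    return [session.evaluate(RULES, ev) for ev in events]
```

Rule_A fires only on the fourth event, where Rule_Z fired on the same event; Rule_M waits for the logon to srv01, the host of the earlier failed logon; Rule_First fires on the first event and never again in the session.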