Rule Dependency and Chaining
Rules can have relationships with other rules through the use of the DependencyExpression attribute and expressions like WasRuleFired.
When DependencyExpression is used, Rule A can be conditioned to trigger only if Rule B has triggered for the same event. Complex sets of rules can be created by using the and, or, and not operators to define combinations of rule dependencies.
The WasRuleFired expression can be used in a RuleExpression attribute to determine if a specific rule has previously triggered in the session or sequence, and optionally, whether a specific value was seen. Here are some examples of WasRuleFired conditions:
- WasRuleFired('Rule_Z') – The rule will trigger only if Rule_Z has previously triggered.
- WasRuleFired('Rule_Z', dest_host) – The rule will trigger only if Rule_Z has previously triggered and the value of dest_host in the event it triggered on is the same as the value of dest_host in the current event.
The WasRuleFired expression can also be used to negate a rule. For example, !WasRuleFired('rule_X') indicates that a rule should trigger only if rule_X has not triggered. This expression can often be used to ensure that a rule triggers only once per session or sequence.
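The following is an added example, not Exabeam's engine or content: a toy Python simulation of the two chaining mechanisms described above, so the difference between them is visible on a constructed session. A RuleExpression sees the session state as it was before the current event (WasRuleFired with and without a field match, and the negated form for once-per-session), while a DependencyExpression sees the set of rules that fired on the same event. The rule names Rule_Z, Rule_A, Rule_B and Rule_C, the event layout (id, event_type, dest_host) and the sample events are all assumptions made for the illustration.

```python
# Added example (not Exabeam code): a toy engine mimicking WasRuleFired and
# DependencyExpression semantics. Rule names, fields and events are assumptions.
from dataclasses import dataclass, field


@dataclass
class SessionState:
    """Per-session memory: rule name -> events that rule has fired on so far."""
    fired: dict = field(default_factory=dict)

    def was_rule_fired(self, rule_name, current_event=None, field_name=None):
        """WasRuleFired(rule) or WasRuleFired(rule, field), over earlier events only.

        With a field name, the rule must have fired on an earlier event whose
        value for that field equals the current event's value.
        """
        past = self.fired.get(rule_name, [])
        if field_name is None:
            return bool(past)
        return any(e.get(field_name) == current_event.get(field_name) for e in past)


# Constructed session of a single user; ids exist only to make results readable.
SAMPLE_SESSION = [
    {"id": 1, "event_type": "failed-logon", "dest_host": "hostA"},
    {"id": 2, "event_type": "remote-logon", "dest_host": "hostB"},
    {"id": 3, "event_type": "remote-logon", "dest_host": "hostA"},
    {"id": 4, "event_type": "remote-logon", "dest_host": "hostA"},
]

# Each rule is (name, RuleExpression, DependencyExpression or None).
# RuleExpression(event, state): state reflects events BEFORE this one.
# DependencyExpression(same_event_rules): names of rules fired on THIS event.
RULES = [
    # Rule_Z: a failed logon.
    ("Rule_Z", lambda ev, st: ev["event_type"] == "failed-logon", None),
    # Rule_A: a later successful remote logon to a host on which Rule_Z
    # fired earlier in this session -> WasRuleFired('Rule_Z', dest_host).
    ("Rule_A", lambda ev, st: ev["event_type"] == "remote-logon"
               and st.was_rule_fired("Rule_Z", ev, "dest_host"), None),
    # Rule_B: fires once per session, after Rule_Z has fired at least once
    # -> WasRuleFired('Rule_Z') and !WasRuleFired('Rule_B').
    ("Rule_B", lambda ev, st: st.was_rule_fired("Rule_Z")
               and not st.was_rule_fired("Rule_B"), None),
    # Rule_C: any event on hostA, but only when Rule_Z fired on the SAME event
    # (DependencyExpression, not WasRuleFired).
    ("Rule_C", lambda ev, st: ev["dest_host"] == "hostA",
               lambda same_event: "Rule_Z" in same_event),
]


def run_session(events, rules):
    """Evaluate every rule on every event; return rule name -> ids it fired on."""
    state = SessionState()
    triggered = {name: [] for name, _, _ in rules}
    for ev in events:
        # Independent rules are decided first against the pre-event state.
        independent = {name for name, expr, dep in rules
                       if dep is None and expr(ev, state)}
        # Dependent rules additionally need their dependency met on this event.
        dependent = {name for name, expr, dep in rules
                     if dep is not None and expr(ev, state) and dep(independent)}
        for name in independent | dependent:
            triggered[name].append(ev["id"])
            state.fired.setdefault(name, []).append(ev)
    return triggered


if __name__ == "__main__":
    for rule, ids in run_session(SAMPLE_SESSION, RULES).items():
        print(f"{rule}: fired on events {ids}")
```

Running it on the constructed session shows Rule_Z firing on event 1, Rule_B firing exactly once (event 2, the first event after Rule_Z), Rule_A firing only on the hostA logons (events 3 and 4) because the dest_host match excludes hostB, and Rule_C firing only on event 1, where Rule_Z fired on the same event. Note that the once-per-session behaviour of Rule_B depends on WasRuleFired looking at earlier events only; evaluating it against the current event's own firings would change the result.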