Internal Rules
Internal rules are used by other rules as dependencies. These rules do not add scoring points and are not displayed in the UI. They identify events that have no security value on their own (and therefore no score) but that mark a situation which could be significant for another rule.
For example, the internal NEW_USER rule is used to identify a new user in the environment. It is used as a dependency for different rules that identify access to privileged machines, executive machines, etc. Together they identify a situation in which a new user is accessing a privileged machine. To change how a new user is identified, change the NEW_USER rule; the change is propagated to all the rules that depend on it.
Another use for internal rules is to set conditions that require information from more than one model. Since a single rule can be triggered by conditions in only one model, multiple internal rules can be used to set conditions in different models. They can be linked to a single score-generating rule that uses the internal rules as dependencies to provide the score if all conditions are met.
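The dependency behavior described above can be sketched as a small evaluator. This is an added illustration, not Exabeam's rule syntax or engine: apart from NEW_USER, every rule name, field, threshold, and score is a hypothetical assumption, and each "model" is reduced to a dictionary of facts.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]  # reads facts from a single model only
    score: int = 0
    internal: bool = False             # internal: adds no score, not displayed
    depends_on: list = field(default_factory=list)

def build_rules(new_user_days=7):
    """Hypothetical rule set; only the NEW_USER name comes from the text."""
    return [
        # Internal rule over the (assumed) user model.
        Rule("NEW_USER",
             lambda e: e["user_model"]["days_since_first_seen"] < new_user_days,
             internal=True),
        # Internal rule over the (assumed) asset model.
        Rule("PRIVILEGED_ASSET",
             lambda e: e["asset_model"]["label"] == "privileged",
             internal=True),
        # Score-generating rule: fires only if both internal rules fired.
        Rule("NEW_USER_ON_PRIVILEGED_ASSET", lambda e: True, score=20,
             depends_on=["NEW_USER", "PRIVILEGED_ASSET"]),
    ]

def evaluate(rules, event):
    """Return (all triggered rule names, displayed rule names, total score)."""
    triggered = set()
    # Evaluate internal rules first so dependent rules can see their outcome.
    for rule in sorted(rules, key=lambda r: not r.internal):
        if all(d in triggered for d in rule.depends_on) and rule.condition(event):
            triggered.add(rule.name)
    scored = [r for r in rules if r.name in triggered and not r.internal]
    return triggered, [r.name for r in scored], sum(r.score for r in scored)

# Constructed sample events: the same privileged asset, two different users.
NEW_HIRE = {"user_model": {"days_since_first_seen": 2},
            "asset_model": {"label": "privileged"}}
VETERAN = {"user_model": {"days_since_first_seen": 400},
           "asset_model": {"label": "privileged"}}

if __name__ == "__main__":
    for label, event in (("new hire", NEW_HIRE), ("veteran", VETERAN)):
        print(label, evaluate(build_rules(), event))
```

Calling `build_rules(new_user_days=1)` changes only the NEW_USER definition, yet the dependent rule stops firing for the sample new hire, which is the propagation the NEW_USER example describes.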