Exabeam Rules
Types of Rules
Depending on the Exabeam applications in use, different types of rules are available.
Fact-based Rules
These rules use only field value information to determine whether or not to trigger. Unlike model-based rules, fact-based rules do not rely on historical data in models. They are simple correlation rules. If condition x is seen in field y, trigger the rule.
Fact-based rules are available in both the cloud-native Correlation Rules and in Advanced Analytics (both on-premises and SaaS).
For information about fact-based rules in Correlation Rules, see the Correlation Rules Guide. For examples and information about fact-based rules in Advanced Analytics, see Fact-based Rules.
Model-based Rules
These rules use historical information stored in models. Model-based rules typically trigger when an event being evaluated is considered anomalous within the context of the model. Points are then added to the session in which the event occurred.
Model-based rules are available in Advanced Analytics (both on-premises and SaaS). Exabeam ships with a large number of rules that are stored in rules_*.conf files, grouped by the type of malicious behavior they trigger on. For examples and information about model-based rules, see Model-based Rules.
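The distinction between the two rule types, as an added illustration that is not Exabeam's own rule syntax or code: a fact-based rule checks only the field values of the event in front of it, while a model-based rule consults a histogram built from historical events and adds points to the session when the observed value is anomalous. The event fields, the minimum training count and the point values are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample history (not real Exabeam data): a short logon stream.
HISTORY = [
    {"user": "alice", "src_host": "wks-01", "event_type": "logon"},
    {"user": "alice", "src_host": "wks-01", "event_type": "logon"},
    {"user": "alice", "src_host": "wks-02", "event_type": "logon"},
    {"user": "bob",   "src_host": "wks-07", "event_type": "logon"},
]

def fact_rule_matches(event, field, value):
    """Fact-based rule: fires purely on a field value; no history consulted."""
    return event.get(field) == value

def build_model(events, key_field, value_field):
    """Model: per-key histogram of values seen historically (hosts per user)."""
    model = defaultdict(Counter)
    for e in events:
        model[e[key_field]][e[value_field]] += 1
    return model

def model_rule_score(model, event, key_field, value_field, min_count=3, points=10):
    """Model-based rule: fires when the value is anomalous for this key.
    Returns the points to add to the session (0 if the rule does not trigger)."""
    hist = model.get(event[key_field])
    # Too little history: the model is not trained yet, so stay silent.
    if hist is None or sum(hist.values()) < min_count:
        return 0
    # A value never seen before for this key is treated as anomalous.
    return points if hist[event[value_field]] == 0 else 0

def score_session(model, events):
    """Sum the points both rule types contribute over one session's events."""
    total = 0
    for e in events:
        if fact_rule_matches(e, "event_type", "privilege_escalation"):
            total += 5  # fact-based: fixed points whenever the condition holds
        total += model_rule_score(model, e, "user", "src_host")
    return total
```

Note that bob's unseen host adds nothing because his model has too little history, which is why model-based rules need a training period before they are trusted.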