Parsing for Advanced Analytics
In Advanced Analytics, parsing is based on the Exabeam common information model and is performed according to the following criteria:
- Logs must be related to an event that can be processed and analyzed.
  For a list of the currently supported events, see the Activity Type Interface in the Common Information Model Library.
- The log must contain the minimum required fields.
  For each activity type, subject, and other elements in a log, the required field information is defined in the common information model. The information model interface uses CDI classifications (Core, Detection, Informational) to enforce field compliance. A log that does not contain the required core fields cannot be processed for analysis. For more information about this methodology, see Common Information Model Interface.
- Parsing is necessary only for the specific fields used to process or display the logs.
  It's not necessary to parse and map every field in a log. Only those fields that facilitate detection capabilities or add informational value should be parsed. As with the minimum required core fields, these useful fields are classified according to the CDI methodology. For more information, see Common Information Model Interface.
You can create or tune parsers in Log Stream. When considering how a log should be parsed for Advanced Analytics, keep in mind that the eventual goal of parsing logs is to output well-formed events. In the Exabeam common information model, events are composed of multi-layered context elements that, when taken together, accurately describe the activity represented in the logs.
To determine which fields to parse, use the common information model structure to identify the subject, activity type, and other context elements from the log. Consulting the information model also shows which fields in the log are core, which are for detection, and which are simply informational. Compliance with the information model is enforced through the CDI methodology. For more information, consider the example in the Sample Log section.
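The check below applies the three parsing criteria to a parser's output. It is an added example, not Exabeam code. The activity type name, the field names and their Core/Detection/Informational classifications are constructed placeholders; the real definitions are in the Common Information Model Library.

```python
# Constructed CDI interface for one hypothetical activity type. Field names
# and classifications are placeholders, not Exabeam's published definitions.
CDI_INTERFACE = {
    "example-activity": {
        "core": {"time", "user", "src_host"},
        "detection": {"src_ip", "dest_host", "result"},
        "informational": {"user_agent", "session_id"},
    }
}


def check_parsed_event(activity_type, parsed_fields, interface=CDI_INTERFACE):
    """Classify a parser's output against the CDI tiers of one activity type."""
    spec = interface.get(activity_type)
    if spec is None:
        # Criterion 1: the log must map to a supported event.
        return {"processable": False, "reason": "unsupported activity type"}

    # Treat empty strings and None as "not parsed": a capture group that
    # matched nothing must not satisfy a core requirement.
    present = {k for k, v in parsed_fields.items() if v not in (None, "")}

    missing_core = sorted(spec["core"] - present)
    known = spec["core"] | spec["detection"] | spec["informational"]
    report = {
        # Criterion 2: every core field is required for analysis.
        "processable": not missing_core,
        "missing_core": missing_core,
        "missing_detection": sorted(spec["detection"] - present),
        "informational": sorted(spec["informational"] & present),
        # Criterion 3: fields outside the interface need not be parsed.
        "unclassified": sorted(present - known),
    }
    if missing_core:
        report["reason"] = "missing core fields"
    return report


# Constructed parser outputs.
GOOD = {"time": "2024-01-01T00:00:00Z", "user": "alice", "src_host": "wks-01",
        "src_ip": "192.0.2.10", "raw_padding": "xyz"}
BAD = {"time": "2024-01-01T00:00:05Z", "user": "", "src_ip": "192.0.2.10"}

if __name__ == "__main__":
    for name, event in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_parsed_event("example-activity", event))
```

The `missing_detection` list is the useful output when tuning a parser: the event is still processable, but those are the fields a parser change would need to extract before rules and models that depend on them have data to work with.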