What is Security Content?
Security content encompasses all of the detection logic that enables Exabeam products to process security events. This content is stored in configuration files (.conf) for use by Exabeam applications.
Exabeam provides out-of-the-box security content that supports integrations with multiple third-party vendors. As the threat landscape changes, Exabeam security content is supplemented with new content.
In Exabeam, the following types of security content are available:
- Parsers – Extract values of interest from logs and map them to Exabeam fields. You can create and view parsers in Log Stream.
- Event Builders – Turn parsed output messages into specific events. You can view and tune event builders in Log Stream.
- Enrichers – Add contextual information to events.
- Models – Provide user-based and asset-based behavioral analytics so that anomalous behavior can be detected.
- Rules – Contain the logical expressions that define malicious or unwanted behavior. Multiple types of rules are available, depending on the Exabeam product in use:
  - Advanced Analytics – Includes model-based rules and fact-based rules.
  - Correlation Rules – Includes fact-based rules.
- Dashboards – Provide views of data and security content across your Exabeam system. You can view pre-built dashboards or create custom dashboards in Dashboard.