Skip to main content

Security ContentExabeam Security Content in the Legacy Structure

Context Retrieval

Enrichers that provide contextual enrichment use a parsed field value as a key to extract a value for a new field from a context table.

In the example below, the user field is created from a context table called user_email. When the email_user field is parsed from the log, the AD user value is fetched from the context table and mapped to the email_user which will stitch the event to the user timeline.

user-email {...
      Map = [
        {
          Field = "user"
          Value = """GetValue('email_user',toLower(user_email))"""
        }...