
Event Enricher Configurations

Here is the syntax for an event enricher:

EventTypes = ["event_type"]         ### what event types should be evaluated against this enricher. Using [] means the enricher will apply to all event types.

Condition = "exists(certain_field) OR endsWith(some_field, '.bat')"         ### conditions based on Exabeam's logical expressions

Map = [ { field = "new_field", value = "anything I want" }, { field = "new_field_2", value = """'100'""" } ]         ### new field definitions

  • First, restrict which events are enriched, and then define the fields and values to be created.

  • Restriction is done using the 'EventTypes' and 'Condition' fields.

  • The enricher only looks at events whose type is listed in the 'EventTypes' field, expressed as an array of event types.

  • Further restrict what gets enriched by adding analytics engine expressions in the 'Condition' parameter. In the above example, the event is enriched only if the field 'some_field' ends with '.bat', or if the field 'certain_field' already exists.
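To make the three-part structure concrete, here is an added Python model of how an enricher like the one above is applied to events; it is not Exabeam's own code, its condition evaluator supports only the flat exists()/endsWith() expressions shown on the page (a simplified stand-in for the real expression engine), and the event-type key name "event_type" and the sample events are assumptions.

```python
import re

# Constructed enricher mirroring the page's syntax (assumption: the event's type
# lives in a key called "event_type"; the event type name itself is made up).
ENRICHER = {
    "EventTypes": ["process-created"],   # [] would mean "apply to every event type"
    "Condition": "exists(certain_field) OR endsWith(some_field, '.bat')",
    "Map": [
        {"field": "new_field", "value": "anything I want"},
        {"field": "new_field_2", "value": "'100'"},   # the page's """'100'""" literal
    ],
}

# One predicate call such as  exists(certain_field)  or  endsWith(some_field, '.bat')
_CALL = re.compile(r"^(\w+)\(([^)]*)\)$")


def _eval_call(call: str, event: dict) -> bool:
    """Evaluate a single exists()/endsWith() call against one event."""
    m = _CALL.match(call.strip())
    if not m:
        raise ValueError(f"unsupported expression: {call!r}")
    name, raw_args = m.groups()
    args = [a.strip().strip("'\"") for a in raw_args.split(",")] if raw_args.strip() else []
    if name == "exists":
        return args[0] in event
    if name == "endsWith":
        value = event.get(args[0])
        return isinstance(value, str) and value.endswith(args[1])
    raise ValueError(f"unsupported function: {name}")


def condition_matches(condition: str, event: dict) -> bool:
    """Flat boolean expression: calls joined by OR / AND (AND binds tighter, no parentheses)."""
    return any(
        all(_eval_call(c, event) for c in re.split(r"\s+AND\s+", clause))
        for clause in re.split(r"\s+OR\s+", condition)
    )


def enrich(enricher: dict, event: dict) -> dict:
    """Return a copy of the event, with the Map fields added only when the enricher applies."""
    out = dict(event)
    types = enricher.get("EventTypes", [])
    if types and event.get("event_type") not in types:   # EventTypes restriction
        return out
    if not condition_matches(enricher["Condition"], event):   # Condition restriction
        return out
    for entry in enricher["Map"]:   # Map: create the new fields
        out[entry["field"]] = entry["value"]
    return out
```

Running enrich() over a process-created event whose some_field is "run.bat" adds both Map fields, while the same event with "run.exe" and no certain_field is returned unchanged.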