Exabeam Event Building
The event builder stage is the part of the analytics engine pipeline that categorizes a parsed message into an Exabeam event type. Event types are the basic units that are used by the rest of the processing engine (enrichment, models, rules, and UI components).
Every parser is matched to an event builder definition. If there is no event builder for a parser, nothing is done with the parsed output of that log event. Parsed messages that do become events are written into evt.gz files.
The event building stage introduces several advantages:
Reduces the number of parsers – Different event types can be created based on a single parser. For example, a Windows login event will indicate the successful or failed outcome of a login in a field, which will have the value 0x0 in case of a successful login and another value in case of a failed login. This value can be parsed and conditioned on the event builder to create a local-logon or a failed-logon event. This eliminates the need for two parsers to capture these two event types.
Combines information in two logs – Some log sources provide all the information needed in an Exabeam event in two separate log events. For example, one VPN log could indicate the user's session and the source IP, and another log could provide the user's session ID, user name, and assigned IP. In order to create a meaningful vpn-login event, the information from both logs has to be combined into a single event. This can be achieved in the event builder based on the session ID field, which would be identical in both logs.
Complex combination of multiple logs – Some email sources can generate hundreds of logs for a single email. In order to combine the information in all these messages into a single event, complex logic is needed, which can be defined in the event builder.
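The two mechanisms described above (choosing the event type from a parsed field, and stitching two logs on a shared session ID) can be illustrated in plain Python. This is an added example, not Exabeam's code or its event builder configuration syntax; the parser names, field names, event type names and sample messages are assumptions constructed to mirror the Windows logon and VPN cases in the text. It also shows the behaviour stated earlier on the page: parsed output with no matching event builder is dropped.

```python
"""Illustrative event builder for parsed log messages.

Added example, not Exabeam's own code or configuration syntax. Parser names,
field names and event type names are assumptions chosen to mirror the text:
a status-conditioned Windows logon, and a vpn-login stitched from two logs
that share a session ID.
"""
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

Message = Dict[str, str]
Event = Dict[str, str]

# Constructed parser output; a real parser stage would produce dicts like these.
SAMPLE_MESSAGES: List[Message] = [
    {"parser": "windows-logon", "user": "alice", "host": "WS01", "status": "0x0"},
    {"parser": "windows-logon", "user": "bob", "host": "WS02", "status": "0xC000006A"},
    {"parser": "vpn-session", "session_id": "42", "src_ip": "203.0.113.7"},
    {"parser": "printer-status", "printer": "P1", "state": "idle"},  # no builder exists
    {"parser": "vpn-assign", "session_id": "42", "user": "carol", "assigned_ip": "10.8.0.5"},
    {"parser": "vpn-session", "session_id": "99", "src_ip": "198.51.100.9"},  # second log never arrives
]

# Parsers that have an event builder; anything else is dropped, as the text states.
BUILDER_PARSERS = {"windows-logon", "vpn-session", "vpn-assign"}


def build_logon_event(msg: Message) -> Optional[Event]:
    """One parser, two event types: condition on the parsed status field."""
    if msg.get("parser") != "windows-logon":
        return None
    # 0x0 is the success status in the text; any other value is a failure.
    event_type = "local-logon" if msg.get("status") == "0x0" else "failed-logon"
    return {"event_type": event_type, "user": msg["user"], "host": msg["host"],
            "status": msg["status"]}


class VpnLoginBuilder:
    """Stateful builder: merges two logs keyed by session_id into one vpn-login.

    Works in either arrival order. Partial sessions are held until the other
    log arrives, with a bound on how many can be pending at once.
    """

    REQUIRED = frozenset({"src_ip", "user", "assigned_ip"})

    def __init__(self, max_pending: int = 10_000) -> None:
        self.pending: OrderedDict = OrderedDict()  # session_id -> merged fields so far
        self.max_pending = max_pending

    def feed(self, msg: Message) -> Optional[Event]:
        if msg.get("parser") not in ("vpn-session", "vpn-assign"):
            return None
        sid = msg.get("session_id")
        if not sid:
            return None  # nothing to correlate on
        partial = self.pending.setdefault(sid, {})
        partial.update({k: v for k, v in msg.items() if k != "parser"})
        if not self.REQUIRED.issubset(partial):
            # Still waiting for the other log; evict the oldest if over budget.
            while len(self.pending) > self.max_pending:
                self.pending.popitem(last=False)
            return None
        self.pending.pop(sid)
        return {"event_type": "vpn-login", "session_id": sid, "user": partial["user"],
                "src_ip": partial["src_ip"], "assigned_ip": partial["assigned_ip"]}


def build_events(messages: List[Message]) -> Tuple[List[Event], int]:
    """Run each message through the builders; return events and the dropped count."""
    vpn = VpnLoginBuilder()
    events: List[Event] = []
    dropped = 0
    for msg in messages:
        if msg.get("parser") not in BUILDER_PARSERS:
            dropped += 1  # parsed, but no event builder claims it
            continue
        event = build_logon_event(msg) or vpn.feed(msg)
        if event is not None:
            events.append(event)
    return events, dropped


if __name__ == "__main__":
    built, skipped = build_events(SAMPLE_MESSAGES)
    for e in built:
        print(e)
    print(f"dropped (no builder): {skipped}")
```

Running the sample produces a local-logon, a failed-logon and a single vpn-login for session 42; the printer message is dropped, and session 99 stays pending because its second log never arrives. The `max_pending` bound matters in practice: without it, a log source that emits the first half of a session but never the second would grow the builder's state without limit.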