Exabeam Security Content in the Legacy Structure

Event Builder Field Descriptions

All of the fields below are required.

Field

Description

Event Builder ID

Example value: netskope-file-write

This can be any value, but it must be identical to the Name parameter.

Input-message

This contains the expression(s) that this event builder evaluates. Similar parsers that should produce the same type of event under the same conditions across logs can be grouped into a single event builder, as shown in the Event Builder Definition example above.

"InList(type, 'parser_name_1','parser_name_2')"

This expression matches a parser to an event builder. The type field contains the name of the parser that created the message.

Note

This type refers to the parser message type, which happens to be the parser name.

Messages produced by the parsers listed in this expression are evaluated only by this event builder definition and its set of conditions (unless the parser is also listed in another event builder).

"InList(toLower(activity),'edit','move','create')"

The remaining conditions are logical expressions that check parsed fields to decide whether a message becomes an event.

Name

This is the name of this specific event builder definition. It must be the same as the key of the enclosing config/HOCON block; if it is not, the analytics engine will not start. If another event builder further down the file has the same name, it overwrites the first one.

Output-Type

This is the Exabeam event type assigned to the event. It must match one of the Exabeam event types and determines how the event is handled by downstream analytics.

Note

This type refers to the event type.

Source

The specific software, OS, or product name that generates the log. This field is typically visible in the UI.

Vendor

The name of the vendor of the system that generated the log.

Table 2.
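The following is an added example, not Exabeam's own code, that models how the fields in the table above fit together: the block key must equal Name, a later definition with the same Name overwrites an earlier one, and the Input-message conditions (here written as Python using helpers named after the page's InList and toLower expression functions) decide which parsed messages become events. The parser names, the Output-Type value and the sample messages are constructed placeholders, not values from Exabeam's content.

```python
# Added example (not Exabeam's code): a minimal model of event builder evaluation.
# InList/toLower mirror the expression-function names used on the page; parser
# names, the output type and the sample messages below are constructed.


def InList(value, *choices):
    """Mirror of the page's InList(field, 'a', 'b'): true if value equals one choice."""
    return value in choices


def toLower(value):
    """Mirror of the page's toLower(field); non-strings are returned unchanged."""
    return value.lower() if isinstance(value, str) else value


def netskope_file_write_conditions(msg):
    """Input-message conditions for the netskope-file-write builder, as Python.
    'type' is the parser message type, i.e. the parser name. The parser names
    'netskope-file' and 'netskope-cloud-file' are hypothetical."""
    return (
        InList(msg.get("type"), "netskope-file", "netskope-cloud-file")
        and InList(toLower(msg.get("activity")), "edit", "move", "create")
    )


# Ordered list of (block key, definition) standing in for the HOCON file; order
# matters because a later definition with the same Name overwrites an earlier one.
RAW_DEFINITIONS = [
    ("netskope-file-write", {
        "Name": "netskope-file-write",
        "Input-message": netskope_file_write_conditions,
        "Output-Type": "file-write",  # placeholder; must be a real Exabeam event type
        "Source": "Netskope",
        "Vendor": "Netskope",
    }),
]


def load_event_builders(raw_definitions):
    """Apply the two rules the table states: the block key must equal Name
    (otherwise the engine refuses to start), and a duplicate Name later in the
    file replaces the earlier definition."""
    builders = {}
    for key, definition in raw_definitions:
        if key != definition["Name"]:
            raise ValueError(f"event builder key {key!r} != Name {definition['Name']!r}")
        builders[definition["Name"]] = definition  # later entry wins
    return builders


def build_events(builders, messages):
    """Return (builder name, Output-Type, message) for every message a builder accepts."""
    events = []
    for msg in messages:
        for name, definition in builders.items():
            if definition["Input-message"](msg):
                events.append((name, definition["Output-Type"], msg))
    return events


# Constructed parsed messages; 'type' carries the name of the parser that produced them.
SAMPLE_MESSAGES = [
    {"type": "netskope-file", "activity": "Edit", "user": "alice"},        # accepted
    {"type": "netskope-file", "activity": "download", "user": "bob"},      # activity not listed
    {"type": "other-parser", "activity": "create", "user": "carol"},       # parser not listed
    {"type": "netskope-cloud-file", "activity": "MOVE", "user": "dave"},   # accepted (case-folded)
]

if __name__ == "__main__":
    builders = load_event_builders(RAW_DEFINITIONS)
    for name, output_type, msg in build_events(builders, SAMPLE_MESSAGES):
        print(f"{name} -> {output_type}: {msg}")
```

Running the block prints the two accepted messages (alice and dave); the other two are dropped because either the parser name or the activity does not satisfy the builder's conditions.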