Informational Event Type Fields

Informational event type fields enrich Advanced Analytics events and data in Data Lake with contextual information.

When an event builder creates an event from a log, it matches certain information in the log to an event type's informational fields, if the information exists. In both Advanced Analytics and Data Lake, these fields are used to correlate important data, like host and IP addresses, and enrich events with contextual information so you can easily search for logs, events, users, or assets.

For example, user_sid is an informational field for the event type kerberos-login. Data Lake maps user_sid to account_id so you can search for either user_sid or account_id and find the same log.

In Advanced Analytics, Smart Timeline™ events also display certain information based on these informational fields. If the event builder can't find the information for informational fields in the log, the informational fields appear blank in the Smart Timeline.