Extracting and Mapping Values
Regular expressions, or regexes, allow Exabeam to extract specific patterns from logs and map these values to fields based on the order the regexes are applied. A regex for a value of interest will be surrounded by parentheses. The first value in the parentheses will be a set of curly brackets containing the name of the field of the extracted value. The curly brackets are followed by the regular expression identifying the value.
For example, the expression ABC({my_field}...) will parse the three characters immediately after the string "ABC" in the log and map them to a field called my_field. If the received log is "ABC123XYZ", the field my_field will contain the value "123".

If the string "ABC" does not exist in the log, the field my_field will not be created.
All regular expression statements are evaluated in consecutive order against the entire log. If a value is mapped to a certain field in one expression and then a different value is mapped to the same field, the second mapping will overwrite the first.
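As an added illustration, not Exabeam's own parser, the following Python model applies these rules: each expression's ({field}...) group is translated into a standard named group, the expressions are evaluated in order against the whole log, a field is only created when its expression matches, and a later match on the same field overwrites the earlier value. The sample log lines and the user= expressions are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Matches the opening of an Exabeam-style extraction group, e.g. "({my_field}",
# so it can be rewritten as a Python named group "(?P<my_field>".
FIELD_GROUP = re.compile(r"\(\{(\w+)\}")


def to_python_regex(expr: str) -> str:
    """Translate 'ABC({my_field}...)' into 'ABC(?P<my_field>...)'."""
    return FIELD_GROUP.sub(r"(?P<\1>", expr)


def apply_expressions(log: str, expressions: List[str]) -> Dict[str, str]:
    """Evaluate every expression, in order, against the entire log.

    A field is created only when its expression matches; when two
    expressions map a value to the same field, the later one wins.
    """
    fields: Dict[str, str] = {}
    for expr in expressions:
        match = re.search(to_python_regex(expr), log)
        if match is None:
            continue  # no match: the field is not created (or not touched)
        for name, value in match.groupdict().items():
            if value is not None:
                fields[name] = value  # overwrites any earlier mapping
    return fields


if __name__ == "__main__":
    # Constructed sample logs
    print(apply_expressions("ABC123XYZ", ["ABC({my_field}...)"]))  # {'my_field': '123'}
    print(apply_expressions("QRS123XYZ", ["ABC({my_field}...)"]))  # {}
    # Two expressions mapping the same field: the second mapping overwrites the first
    print(apply_expressions(
        "user=alice src=10.0.0.1 user=bob",
        [r"user=({user}\w+)", r"user=\w+.*user=({user}\w+)"],
    ))  # {'user': 'bob'}
```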