Skip to main content

Security ContentExabeam Security Content in the Legacy Structure

Add a Field in an Event Template

Adding a new field to an event template involves finding the existing template in the default configuration file, copying it to a custom configuration file, and editing the custom file. In the steps below, a new vpn_source_location field is added to a template associated with a vpn-login event.

  1. In the EventFormats section of the default configuration file, search for vpn-login.

  2. To find the name of the template associated with the vpn-login event, look for the DetailsTemplate parameter in the vpn-login entry. The associated template is VpnLoginTemplate.

  3. To find the template configuration for VpnLoginTemplate, search for VpnLoginTemplate in the Templates section of the default configuration file.

  4. Copy the VpnLoginTemplate entry and paste it as a new entry in a custom configuration file.

    Note

    This step is necessary so that the default configuration file remains unchanged.

  5. Add the new field with the following parameters:

    • label – The name of the field when it's displayed in a UI

    • value – The persisted field whose value should be displayed in the UI.

    Note that fields are added as column in a template. Each template row can contain only three columns. When adding a new field, if there is no open column in an existing row, add a new row and then add the new field as the first column in the new row.

    In the example below, the new vpn_source_location field has been added as the third column to an existing row. Don't forget to enclose the entry within Templates { } as shown below.

Templates {
 -----------------------------
 -----------------------------
VpnLoginTemplate {
  rows = [
    {
      columns = [
        {
          label = "TIME"
          value = "time|event.time"
        },
        {
           label = "USER"
           value = "user|event.user"
        },
        {
           label = "ACCOUNT"
           value = "user|event.account"
           icon = "AccountSwitch"
        }
      ]
  },
  --------------------
  --------------------
  {
      columns = [
        {
          label = "VPN SERVER"
          value = "default|event.dest_host"
        },
        {
          label = "VPN SERVER IP"
          value = "default|event.dest_ip"
        },
        {
          label = "VPN SRC LOCATION"
          value = "default|event.vpn_source_location"
        }
           ]
  },
  --------------------
  --------------------
}
----------------------
----------------------
}

As shown in the above case, vpn_source_location was added to columns = [ section ] in which only two entries existed, and which there was an option to add a third entry for a new field.

Please note that the parameter label defines the name of the field displayed on the UI and value parameter should contain the field for which you need the value to be displayed. Most importantly, the field which you want to display has to be persisted as described in the earlier section. If not, you will not be able to display the value for your field. In this case, vpn_source_location has to be persisted in Mongo, and then added to the template in order to display it with respect to the vpn-login event.