Exabeam Rules
Once a log has passed the event building and enrichment phase it is now ready to be processed against the "risk engine", where it will get evaluated against a set of rules that automatically ship with Exabeam.
Rules contain the logical expressions that define unwanted and malicious behavior (or behavior you want to be alerted on). They provide scoring to the timeline and all the values in the UI.
Every single definition that recognizes a specific malicious behavior that you would like to add points to a timeline are defined in a Rule.
Rules are mainly defined by a logical expression, set in the RuleExpression
field, and when this expression evaluates to true, the rule "triggers" and points are added to the relevant session or sequence. For example,
"""InList(process_name, 'evil.exe', 'ransomware.exe')"""
For overview information about working with rules, see Types of Rules and Create Rules. For information about the attributes contained in rules, see the table in Rule Attributes.