Security Content: Exabeam Security Content in the Legacy Structure

Additional Rule Guidelines

The following additional guidelines and features apply when writing rules.

  • Triggered rule information is searchable in the 'triggered_rule_db' database in Mongo.

  • RuleExpressions can incorporate any parsed field into the logic. For asset-based rules, any parsed field used in a CountBy expression must be persisted.

    • When a model-based asset rule uses CountBy(field_1, field_2, event_types), both field_1 and field_2 must be persisted for each of those event types in the PersistedEventFields definition in the enricher's content_default.conf file.

  • User-based rules use Count, SequenceCount, and DistinctCount to gather session and sequence data.

  • Asset-based rules use CountBy for all sequence-data gathering. All asset events are 'sequence' events, so CountBy can gather sequence data for any event type.
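The persistence requirement above is easy to miss in review: a CountBy field that is not persisted for its event type silently yields no data for an asset-based rule. The following lint, added here as an illustration and not part of Exabeam's content or tooling, checks a RuleExpression against a persisted-field definition. The CountBy argument form follows the page; the PERSISTED_EVENT_FIELDS dict and the sample event types and field names are constructed stand-ins for the PersistedEventFields definition in content_default.conf, not its real format.

```python
import re

# Constructed stand-in for the PersistedEventFields definition: the fields that
# are persisted per event type. The event types and field names are sample
# values, not taken from the real content_default.conf.
PERSISTED_EVENT_FIELDS = {
    "remote-logon": {"user", "src_host", "dest_host"},
    "file-write": {"user", "file_name"},
}

# Matches CountBy(field_1, field_2, event_types) as described on the page;
# event_types may be a single name or a comma-separated, optionally
# bracketed/quoted list. This regex is an assumption about the expression text.
COUNTBY_RE = re.compile(
    r"CountBy\(\s*([^,\s]+)\s*,\s*([^,\s]+)\s*,\s*([^)]+)\)"
)


def _split_event_types(raw):
    """Turn the third CountBy argument into a list of bare event type names."""
    raw = raw.strip().strip("[]")
    return [e.strip().strip("\"'") for e in raw.split(",") if e.strip()]


def find_unpersisted_fields(rule_expression, persisted=PERSISTED_EVENT_FIELDS):
    """Return (field, event_type) pairs that a CountBy expression references
    but that are not persisted for that event type.

    An empty list means every CountBy field in the expression is persisted for
    every event type it counts over, which is the condition the guideline states
    for model-based asset rules.
    """
    problems = []
    for match in COUNTBY_RE.finditer(rule_expression):
        field_1, field_2, event_types = match.groups()
        for event_type in _split_event_types(event_types):
            persisted_for_type = persisted.get(event_type, set())
            for field in (field_1, field_2):
                if field not in persisted_for_type:
                    problems.append((field, event_type))
    return problems


if __name__ == "__main__":
    # Constructed sample expressions: the first is fine, the second counts by a
    # field that is not persisted for remote-logon events.
    for expr in (
        "CountBy(src_host, dest_host, remote-logon) > 5",
        "CountBy(src_host, dest_port, [remote-logon, file-write]) > 5",
    ):
        print(expr, "->", find_unpersisted_fields(expr) or "ok")
```

Run this against each asset-based rule's RuleExpression before deploying content; any reported pair means either the field must be added to PersistedEventFields for that event type or the expression must use a field that is already persisted.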