Types of Rules
There are two types of rules:
The first type of rule uses only the field values from the current event to decide whether to trigger, rather than relying on historical data in models. Think of these as simple correlation rules: if x is seen in field y, trigger the rule.

The second type of rule uses historical information stored in models. These rules typically trigger when the event being evaluated is considered anomalous within the context of the model.

Exabeam, by default, ships a large number of rules that are separated into different rules_*.conf files based on the type of malicious behavior they trigger on. For example, rules relating to web activity are stored in a dedicated rules_webactivity.conf file. Rules are separated this way for organizational purposes, but a rule can be placed in any referenced rule file.
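The two rule types side by side, as an added illustration that is not Exabeam code and does not use its rule syntax: a fact-only rule decided purely from the current event's fields, and a model-based rule that keeps per-user history and fires only when a value is new for that user. The event stream, the field names, and the min_observations warm-up threshold are all constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample event stream (not real Exabeam data): one dict per event.
EVENTS = [
    {"user": "alice", "src_country": "US", "url": "https://intranet.example/", "category": "web"},
    {"user": "alice", "src_country": "US", "url": "https://mail.example/", "category": "web"},
    {"user": "alice", "src_country": "US", "url": "http://files.example/x.zip", "category": "web"},
    {"user": "bob",   "src_country": "DE", "url": "https://intranet.example/", "category": "web"},
    {"user": "alice", "src_country": "BR", "url": "https://intranet.example/", "category": "web"},
    {"user": "bob",   "src_country": "DE", "url": "http://updates.example/patch.exe", "category": "web"},
]

def plain_http_download(event):
    """Fact-only rule: the decision depends on the current event's fields alone."""
    return event["category"] == "web" and event["url"].startswith("http://")

class FirstSeenModel:
    """Model-based rule: per-user history of values seen for one field.
    Triggers when the value is new for that user, but only once the user
    has at least min_observations prior events, so the first few events
    of a brand-new user are not all flagged (assumed parameter)."""
    def __init__(self, field, min_observations=2):
        self.field = field
        self.min_observations = min_observations
        self.seen = defaultdict(list)

    def evaluate(self, event):
        user, value = event["user"], event[self.field]
        history = self.seen[user]
        anomalous = len(history) >= self.min_observations and value not in history
        history.append(value)  # update the model after scoring the event
        return anomalous

def run_rules(events):
    """Evaluate both rules over the stream; return (event index, rule name) triggers."""
    country_model = FirstSeenModel("src_country")
    triggers = []
    for i, event in enumerate(events):
        if plain_http_download(event):
            triggers.append((i, "plain_http_download"))
        if country_model.evaluate(event):
            triggers.append((i, "new_country_for_user"))
    return triggers

if __name__ == "__main__":
    for index, rule in run_rules(EVENTS):
        print(f"event {index}: {rule} triggered")
```

Note that the fact rule fires on event 2 even though it is only alice's third event, while the model rule stays silent on alice's first two events and on bob's single-country history: that difference in dependence on history is the whole distinction between the two rule types.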