
Exabeam Security Content in the Legacy Structure

Parsing for Advanced Analytics

In Advanced Analytics, only parsed logs can be ingested. However, only logs related to an event type that Advanced Analytics can process and analyze should be parsed. For a list of possible Advanced Analytics events and the content in which they are used, see the Exabeam Content Library.

In logs that support Advanced Analytics event types, only the specific fields that are used for display or for processing need to be parsed. For example, Entity Analytics events such as network connections do not require a user; only the IP, host, port, and similar information should be parsed.

If logs are required for Advanced Analytics (UBA), they must contain a user or a way to identify the user, such as a badge ID that can be resolved against a user list. Without a user, Advanced Analytics cannot process the log, so there is no point in creating a parser for it.

Note

In Entity Analytics, events without a user can be processed, such as network connection status and NetFlow connection events. Any event type can be part of an asset timeline as long as it has a hostname. It is still necessary to make sure the log falls into one of the Advanced Analytics security-related event types.
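The two rules above (parse only the fields a consumer uses; UBA needs a user identity, Entity Analytics needs a hostname, and either way the event type must be a supported one) can be checked before anyone writes a parser. The following is an added example, not Exabeam's own code or parser format: the event-type names, field names and the per-type field lists are assumptions chosen to illustrate the gate.

```python
"""Added example (not Exabeam's own code): a pre-parse gate that decides,
for a raw event, which consumer can use it (Advanced Analytics / UBA or
Entity Analytics) and trims the record to the fields that consumer needs.
All field names, event types and keep-lists below are assumptions."""
from typing import Dict, List, Tuple

# Assumed: any one of these fields identifies the user (UBA requirement).
UBA_USER_FIELDS = ("user", "badge_id")
# Assumed: any one of these fields identifies the asset (Entity Analytics).
ENTITY_HOST_FIELDS = ("host", "src_host")
# Assumed: supported event types and the fields worth parsing for each.
# Events of any other type are not supported, so no parser should be written.
KEEP_FIELDS: Dict[str, List[str]] = {
    "network-connection": ["src_ip", "dest_ip", "dest_port", "host"],
    "physical-access": ["user", "badge_id", "door", "outcome"],
}


def classify(event: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (consumers that can process the event, trimmed field set).

    An empty consumer list means the event is not worth parsing at all.
    """
    etype = event.get("event_type", "")
    if etype not in KEEP_FIELDS:
        return [], {}  # unsupported event type: do not create a parser
    # Drop every field the consumers do not display or process.
    kept = {k: v for k, v in event.items() if k in KEEP_FIELDS[etype] and v}
    consumers: List[str] = []
    if any(event.get(f) for f in UBA_USER_FIELDS):
        consumers.append("advanced-analytics")  # user present: UBA can use it
    if any(event.get(f) for f in ENTITY_HOST_FIELDS):
        consumers.append("entity-analytics")  # hostname present: asset timeline
    return consumers, kept


# Constructed sample events (not real log data).
NETFLOW_EVENT = {"event_type": "network-connection", "src_ip": "10.0.0.5",
                 "dest_ip": "10.0.0.9", "dest_port": "443", "host": "ws01",
                 "vendor_blob": "ignored"}
BADGE_EVENT = {"event_type": "physical-access", "badge_id": "B-1234",
               "door": "lobby", "outcome": "granted"}
UNSUPPORTED = {"event_type": "printer-toner-low", "host": "prn01"}

if __name__ == "__main__":
    for ev in (NETFLOW_EVENT, BADGE_EVENT, UNSUPPORTED):
        print(ev["event_type"], "->", classify(ev))
```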