Security Content › Install Security Content


Security Content Configuration Files

Security content consists of the tools — parsers, event builders, rules, models, and related entries — that ingest, parse, enrich, and analyze data. All security content is defined in configuration files whose names end in .conf. If you use Content Installer to install new security content, confirm that the ZIP file you downloaded from the Exabeam Community or received in your case ticket contains at least one of these configuration files. Treat a content package as code: install only packages obtained from those two sources, and review the parser conditions, event-builder expressions, and rule expressions it contains before installing, because they determine which log lines are ingested, how they are mapped to events, and how risk scores are assigned.

Advanced Analytics Security Content Configuration Files

Configuration file

Security content

Syntax

parsers.conf

Parsers

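// Parser definition (parsers.conf). Each entry in the Parsers list describes
// how a raw log line is recognised and which named fields are extracted from it.
Parsers = [
    {
        Name = test-parser
        Vendor = Exabeam
        Product = Exabeam UBA
        Lms = Direct
        DataType = "alert"
        // Fixed: the original read `"yyy-MM-dd HH:mm:ss` (three-letter year
        // and no closing quote). Four y's match the four-digit year that the
        // {time} capture below extracts.
        TimeFormat = "yyyy-MM-dd HH:mm:ss"
        // Presumably literal substrings the raw message must contain before
        // the Fields regexes are applied -- confirm against the parser
        // reference. Keep these specific: a loose condition lets unrelated
        // log lines be parsed as DataType "alert".
        Conditions = ["""Test Conditions"""]
        // Triple-quoted regexes. `({name}pattern)` captures `pattern` into
        // the event field `name`, as in the {time} and {safe_value} examples
        // elsewhere on this page.
        Fields = [
            // Fixed: the original had `({host})[^\s]+`, an empty capture group
            // followed by the hostname pattern, so `host` would be captured
            // as an empty string. The pattern now sits inside the group.
            """exabeam_host=({host}[^\s]+)""",
            """exabeam_time=({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)"""
        ]
    }
]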

event_builder.conf

event-builder.events

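// Event builder definition (event_builder.conf). Maps parsed messages onto a
// named event type that rules and models can then reference.
event-builder = {
    event = {
        test-custom-event = {
            // Which parsed messages become this event. `type` is presumably
            // the Name of the parser that produced the message (the parser
            // sample on this page is named test-parser) -- confirm that the
            // value here matches the parser you actually installed.
            input-message = [{
                expression = """InList(type, 'custom-parser')"""
            }]
            name = test-custom-event
            output-type = custom
            source = Test
            vendor = Test
        }
    }
}   // closing brace for event-builder was missing in the original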

rules.conf

Rules

// Rule definition (rules.conf). The rule evaluates events of the listed
// RuleEventTypes and, when RuleExpression is true, presumably adds Score to
// the session -- confirm the scoring semantics against the rules reference.
Rules {
    Test {
    // Analyst-facing text.
    RuleName = "Test Rule"
    RuleDescription = "Test Rule"
    ReasonTemplate = "Test Rule"
    AggregateReasonTemplate = "Test Rule"
    RuleType = "session"
    RuleCategory = "Activity Monitoring"
    // TRUE applies the rule to every event of the types below. Fine for a
    // sample; a production rule should narrow this to the events it is
    // meant to score.
    ClassifyIf = """TRUE"""
    RuleEventTypes = [
        "custom-event"
    ]
    // The rule is active as soon as it is installed.
    Disabled = "FALSE"
    // Model this rule consults; the name must match a Models entry, and
    // FactFeatureName must match that model's Feature.
    Model = "Test-Model"
    FactFeatureName = "dest_host"
    Score = "5.0"
    PercentileThreshold = "0.1"
    // ConfidenceFactorAboveOrEqual() presumably checks the model's
    // ConvergenceFilter; num_observations=0 presumably means the value has
    // never been seen for this scope -- confirm both against the reference.
    RuleExpression =       """ConfidenceFactorAboveOrEqual() && num_observations=0"""
    // "NA": no dependency on another rule.
    DependencyExpression = "NA"
    }
}

models.conf

Models

// Model definition (models.conf). Builds a histogram of Feature values for
// events of the listed HistogramEventTypes; rules consult it via their
// Model and FactFeatureName settings.
Models {
    Test-Model {
    ModelTemplate = "Test Model"
    Description = "Test Model"
    Category = "Activity Monitoring"
    IconName = ""
    // Scope of the histogram. ScopeType "ORG" with Scope "org" keeps one
    // histogram for the whole organisation rather than per user or asset.
    ScopeType = "ORG"
    Scope = "org"
    // Event field that is modelled, its display name, and its entity type.
    Feature = "dest_host"
    FeatureName = "host"
    FeatureType = "asset"
    // Presumably the condition an event must satisfy to train the model;
    // confirm against the models reference.
    TrainIf = """count(dest_host,'custom-event')=1"""
    ModelType = "CATEGORICAL"
    BinWidth = "5"
    // Empty: no aging window configured.
    AgingWindow = ""
    CutOff = "10"
    Alpha = "2"
    // The model is treated as converged once confidence_factor reaches 0.8;
    // rules that test ConfidenceFactorAboveOrEqual() presumably gate on this.
    ConvergenceFilter =    "confidence_factor>=0.8"
    HistogramEventTypes = [
        "custom-event"
    ]
    // The model trains as soon as it is installed.
    Disabled = "FALSE"
    }
}

custom_exabeam_config.conf

EventEnricher.Entries

// Event enricher entry (custom_exabeam_config.conf). Adds fields to events
// of the listed types when Condition holds.
EventEnricher {
    Entries {
        test-field {
        EventTypes = ['custom-event']
        // `field` is a placeholder; replace it with the event field whose
        // presence should trigger the enrichment.
        Condition = "exists(field)"
            // Each Map entry sets Field to the result of evaluating Value.
            // The inner single quotes make 'testvalue' a string literal.
            Map = [
            {
                Field = "custom_field"
                Value = """'testvalue'"""
            }
            ]
        }
    }
}

PersistedEventFields

// Fields stored for each test-custom-event. Plain names are copied from the
// event; the quoted GetValue(...) entries are computed enrichments (country
// code and ISP looked up from src_ip, zone looked up from dest) that are
// persisted alongside the raw fields. Review this list when adding fields
// that may contain sensitive data, since everything here is retained.
PersistedEventFields {
    test-custom-event =[_id, vendor, src_ip, src_host, "GetValue('country_code',src_ip)", "GetValue('isp',src_ip)", "GetValue('zone_info',dest)", src_translated_ip, dest_host, dest_ip, src_network_type, realm,os]
}

event_templates.conf

EventTemplates.EventFormats

// Display format for test-custom-event (event_templates.conf). DetailsTemplate
// names a Templates entry that lays out the event's fields.
EventTemplates {
    EventFormats {
        test-custom-event {
            Description = "This is a test event."
            HeaderTemplate = "Test event"
            DisplayName = "Test event"
            // Must match the key of a Templates entry (TestTemplate below).
            DetailsTemplate = "TestTemplate"
        }
    }
}

EventTemplates.Templates

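// Details layout referenced by EventFormats.test-custom-event.DetailsTemplate.
// Reconstructed from a garbled original: each column entry lacked its opening
// `{`, the `columns` and `rows` arrays were never closed, and TestTemplate's
// closing brace was missing. Each `value` is "<renderer>|<expression>".
EventTemplates {
    Templates {
        TestTemplate {
            rows = [
                { columns = [
                    { label = "TIME"        value = "time|event.time" }
                    { label = "USER"        value = "user|event.user" }
                    { label = "DOMAIN"      value = "default|event.domain" }
                ] }
                { columns = [
                    { label = "DEST HOST"   value = "asset|event.dest_host" }
                    { label = "DEST IP"     value = "asset|event.dest_ip" }
                    { label = "DEST ZONE"   value = "location.zone|event.getvalue('zone_info', dest)" }
                ] }
                { columns = [
                    { label = "SOURCE HOST" value = "asset|event.src_host" }
                    { label = "SOURCE IP"   value = "asset|event.src_ip" }
                    { label = "EVENT CODE"  value = "default|event.event_code" }
                ] }
            ]
        }
    }
}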

application.conf

EDS.Collections

// Lookup collection (application.conf). Loads lookup/test_user_id.csv so
// content can resolve values through it.
EDS {
    Collections {
        test_user_id {
            // Sources is a relative path under the lookup directory. By their
            // names, lowerCaseKey/lowerCaseValue normalise keys and values to
            // lower case on load -- confirm before relying on case-sensitive
            // matches.
            Sources = ["lookup/test_user_id.csv"] KeyType = lowerCaseKey ValueType = lowerCaseValue

        }
    }
}

custom_lime_config.conf

Lime

// Log fetcher query (custom_lime_config.conf). Query is presumably sent
// verbatim to each logger in Loggers, so scope it to the data you intend
// to ingest -- confirm the query syntax against the Splunk integration docs.
LogFetcher = {
  Queries = {
    test_windows_query {
      Query = "MY QUERY STRING"
      Loggers = ["Splunk"]
      // Presumably a Unix timestamp (seconds) of the last edit.
      LastModified = 1586551482
      // false: the query is live, not a draft.
      IsDraft = false
      // Earliest date to fetch from.
      StartDate = """2020-03-22"""
    }
  }
}

custom_exabeam_config.conf

DynamicLookup

// Dynamic lookup entry (custom_exabeam_config.conf). For events matching
// Expression, the Values fields are stored under the Key fields so later
// content can look them up.
DynamicLookup = {
  Entries = {
    // Entry identifier; keep it unique across entries.
    "10" = {
      //EXAMPLE DYNAMIC LOOKUP
      // Only network-alert events whose some_field (case-folded) is not
      // 'zzzz'. Replace some_field/'zzzz' with a real exclusion.
      Expression = "event_type='network-alert' AND !InList(toLower(some_field), 'zzzz')"
      // Compound key: user and user_type.
      Key = ["user", "user_type"]
      Values = ["src_ip"]
    }
  }
}

Data Lake Security Content Configuration Files

Configuration file

Security content

Syntax

custom_mojito.conf

Parsers

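// Data Lake parser (custom_mojito.conf) built on a shared template.
// `${PMPParserTemplates.pmp-events} { ... }` is HOCON object concatenation:
// the template's settings are merged in and the keys below override or
// extend them.
Parsers = [
    ${PMPParserTemplates.pmp-events} {
        Name = test-parser
        DataType = "authentication-successful"
        // Presumably substrings the raw line must contain -- confirm whether
        // all listed conditions or any one of them must match.
        Conditions = [ """ Password_Approved """, """ Success """ ]
        // HOCON array concatenation: one regex appended to the template's
        // Fields. The (N\/A|({account}...)) alternative leaves `account`
        // unset when the log reports N/A.
        Fields = ${PMPParserTemplates.pmp-events.Fields} [
            """\sSuccess\s[^\s]+\s+({safe_value}[^:]+):(N\/A|({account}[^:\s]+))"""
        ]
    }   // closing `}` for the parser object and `]` for Parsers were missing
]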

Categorization

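// Categorization entry (custom_mojito.conf). Assigns exa_activity_type to
// the listed messages when the condition holds.
Categorization {
    pmp-auth-success {
        // NOTE(review): the parser sample on this page uses DataType
        // "authentication-successful", not "pmp-auth-successful"; confirm
        // which identifier `messages` is expected to reference.
        messages = ["pmp-auth-successful"]
        exa_activity_type = [
            // Unconditional: every matching message is typed "authentication".
            {value = "authentication", condition = "true"}
        ]
    }
}   // closing brace for Categorization was missing in the original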

custom_mojito.conf

Categories

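// Category definition (custom_mojito.conf) for the Data Lake UI. Events
// whose data_type is system-event or system-info are grouped under
// "System Event" and summarised by the listed Fields.
Categories = {
    "System Event": {
        Name = "System Event"
        Expression = "InList(data_type, 'system-event', 'system-info')"
        Fields = ["event_name", "log_source", "host", "dest_host"]
        Icon = "/plugins/dataui/assets/category_icons/default_icon.svg"
    }
}   // closing brace for Categories was missing in the original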