Security Content Configuration Files
Security content consists of tools, such as parsers, event builders, rules, and models, that help ingest, parse, and analyze data. All security content is located and defined in a configuration file that ends in .conf. If you use Content Installer to install new security content, ensure the ZIP file you download from the Exabeam Community, or from your case ticket, contains at least one of the configuration files listed below for Advanced Analytics or Data Lake.
Note
For releases prior to i54.5, Content Installer installs parsers into the Parsers section of Data Lake and Advanced Analytics. For release i54.5 and later, parsers are installed into the CustomLocalParsers section. Installation of parsers into alternate Parser arrays is not supported.
Advanced Analytics Security Content Configuration Files
Content Type: Parsers

```hocon
Parsers = [
  {
    Name = test-parser
    Vendor = Exabeam
    Product = Exabeam UBA
    Lms = Direct
    DataType = "alert"
    TimeFormat = "yyyy-MM-dd HH:mm:ss"
    Conditions = ["""Test Conditions"""]
    Fields = [
      """exabeam_host=({host})[^\s]+""",
      """exabeam_time=({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)"""
    ]
  }
]
```

Content Type: event-builder.events

```hocon
event-builder = {
  event = {
    test-custom-event = {
      input-message = [{
        expression = """InList(type, 'custom-parser')"""
      }]
      name = test-custom-event
      output-type = custom
      source = Test
      vendor = Test
    }
  }
}
```

Content Type: Rules

```hocon
Rules {
  Test {
    RuleName = "Test Rule"
    RuleDescription = "Test Rule"
    ReasonTemplate = "Test Rule"
    AggregateReasonTemplate = "Test Rule"
    RuleType = "session"
    RuleCategory = "Activity Monitoring"
    ClassifyIf = """TRUE"""
    RuleEventTypes = [ "custom-event" ]
    Disabled = "FALSE"
    Model = "Test-Model"
    FactFeatureName = "dest_host"
    Score = "5.0"
    PercentileThreshold = "0.1"
    RuleExpression = """ConfidenceFactorAboveOrEqual() && num_observations=0"""
    DependencyExpression = "NA"
  }
}
```

Content Type: Models

```hocon
Models {
  Test-Model {
    ModelTemplate = "Test Model"
    Description = "Test Model"
    Category = "Activity Monitoring"
    IconName = ""
    ScopeType = "ORG"
    Scope = "org"
    Feature = "dest_host"
    FeatureName = "host"
    FeatureType = "asset"
    TrainIf = """count(dest_host,'custom-event')=1"""
    ModelType = "CATEGORICAL"
    BinWidth = "5"
    AgingWindow = ""
    CutOff = "10"
    Alpha = "2"
    ConvergenceFilter = "confidence_factor>=0.8"
    HistogramEventTypes = [ "custom-event" ]
    Disabled = "FALSE"
  }
}
```

Content Type: EventEnricher.Entries

```hocon
EventEnricher {
  Entries {
    test-field {
      EventTypes = ['custom-event']
      Condition = "exists(field)"
      Map = [
        {
          Field = "custom_field"
          Value = """'testvalue'"""
        }
      ]
    }
  }
}
```

Content Type: PersistedEventFields

```hocon
PersistedEventFields {
  test-custom-event = [
    _id, vendor, src_ip, src_host,
    "GetValue('country_code',src_ip)", "GetValue('isp',src_ip)", "GetValue('zone_info',dest)",
    src_translated_ip, dest_host, dest_ip, src_network_type, realm, os
  ]
}
```

Content Type: EventTemplates.EventFormats

```hocon
EventTemplates {
  EventFormats {
    test-custom-event {
      Description = "This is a test event."
      HeaderTemplate = "Test event"
      DisplayName = "Test event"
      DetailsTemplate = "TestTemplate"
    }
  }
}
```

Content Type: EventTemplates.Templates

```hocon
EventTemplates {
  Templates {
    TestTemplate {
      rows = [
        {
          columns = [
            { label = "TIME", value = "time|event.time" }
            { label = "USER", value = "user|event.user" }
            { label = "DOMAIN", value = "default|event.domain" }
          ]
        }
        {
          columns = [
            { label = "DEST HOST", value = "asset|event.dest_host" }
            { label = "DEST IP", value = "asset|event.dest_ip" }
            { label = "DEST ZONE", value = "location.zone|event.getvalue('zone_info', dest)" }
          ]
        }
        {
          columns = [
            { label = "SOURCE HOST", value = "asset|event.src_host" }
            { label = "SOURCE IP", value = "asset|event.src_ip" }
            { label = "EVENT CODE", value = "default|event.event_code" }
          ]
        }
      ]
    }
  }
}
```

Content Type: EDS.Collections

```hocon
EDS {
  Collections {
    test_user_id {
      Sources = ["lookup/test_user_id.csv"]
      KeyType = lowerCaseKey
      ValueType = lowerCaseValue
    }
  }
}
```

Content Type: Lime

```hocon
LogFetcher = {
  Queries = {
    test_windows_query {
      Query = "MY QUERY STRING"
      Loggers = ["Splunk"]
      LastModified = 1586551482
      IsDraft = false
      StartDate = """2020-03-22"""
    }
  }
}
```

Content Type: DynamicLookup

```hocon
DynamicLookup = {
  Entries = {
    "10" = {
      // EXAMPLE DYNAMIC LOOKUP
      Expression = "event_type='network-alert' AND !InList(toLower(some_field), 'zzzz')"
      Key = ["user", "user_type"]
      Values = ["src_ip"]
    }
  }
}
```
Data Lake Security Content Configuration Files
Content Type: Parsers

```hocon
Parsers = [
  ${PMPParserTemplates.pmp-events} {
    Name = test-parser
    DataType = "authentication-successful"
    Conditions = [ """ Password_Approved """, """ Success """ ]
    Fields = ${PMPParserTemplates.pmp-events.Fields} [
      """\sSuccess\s[^\s]+\s+({safe_value}[^:]+):(N\/A|({account}[^:\s]+))"""
    ]
  }
]
```

Content Type: Categorization

```hocon
Categorization {
  pmp-auth-success {
    messages = ["pmp-auth-successful"]
    exa_activity_type = [
      {value = "authentication", condition = "true"}
    ]
  }
}
```

Content Type: Categories

```hocon
Categories = {
  "System Event": {
    Name = "System Event"
    Expression = "InList(data_type, 'system-event', 'system-info')"
    Fields = ["event_name", "log_source", "host", "dest_host"]
    Icon = "/plugins/dataui/assets/category_icons/default_icon.svg"
  }
}
```
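The pre-install check the introduction asks for, as an added Python example that is not part of the Exabeam documentation or of Content Installer: it lists the .conf files inside a content ZIP, reports which of the content types above each file declares (assuming, as the syntax examples show, that each type is identified by its top-level HOCON key), and verifies that braces and brackets balance, since a file truncated in transit fails at install time. The package contents and file names are constructed for the demonstration.

```python
import io, re, zipfile

# Top-level HOCON keys of the content types in the tables above (key -> type).
CONTENT_TYPE_KEYS = {
    "Parsers": "Parsers", "event-builder": "event-builder.events", "Rules": "Rules",
    "Models": "Models", "EventEnricher": "EventEnricher.Entries",
    "PersistedEventFields": "PersistedEventFields", "EventTemplates": "EventTemplates",
    "EDS": "EDS.Collections", "LogFetcher": "Lime", "DynamicLookup": "DynamicLookup",
    "Categorization": "Categorization", "Categories": "Categories",
}
# A key at column 0 followed by '=', '{' or ':' is a top-level assignment.
_TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][\w-]*)\s*(?:=|\{|:)", re.M)

def strip_strings_and_comments(text):
    """Blank out quoted strings and // comments so brackets inside a parser's
    field regexes (e.g. [^\\s]) do not skew the balance check."""
    text = re.sub(r'"""(.*?)"""', '""', text, flags=re.S)
    text = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', text)
    return re.sub(r"//[^\n]*", "", text)

def brackets_balanced(text):
    """True if every { and [ in the config body is closed in the right order."""
    pairs, stack = {"}": "{", "]": "["}, []
    for ch in strip_strings_and_comments(text):
        if ch in "{[":
            stack.append(ch)
        elif ch in "}]" and (not stack or stack.pop() != pairs[ch]):
            return False
    return not stack

def inspect_content_zip(zip_bytes):
    """Map each .conf in the ZIP to (content types found, brackets balanced)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".conf"):
                text = zf.read(name).decode("utf-8", "replace")
                types = {CONTENT_TYPE_KEYS[k] for k in _TOP_LEVEL_KEY.findall(text) if k in CONTENT_TYPE_KEYS}
                report[name] = (types, brackets_balanced(text))
    return report

def sample_zip():
    # Constructed package (not a real Exabeam download): a well-formed Rules file
    # and an EventEnricher file that is missing its final closing brace.
    good = 'Rules {\n  Test {\n    RuleName = "Test Rule"\n    RuleEventTypes = [ "custom-event" ]\n  }\n}\n'
    bad = ("EventEnricher {\n  Entries {\n    test-field {\n      EventTypes = ['custom-event']\n"
           '      Map = [ { Field = "custom_field" Value = """\'testvalue\'""" } ]\n    }\n  }\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("custom_rules.conf", good)  # constructed file names
        zf.writestr("custom_enricher.conf", bad)
    return buf.getvalue()
```

A file that reports an empty set of content types does not match any of the syntaxes above and should be questioned before it is handed to Content Installer.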