What's New in Security Content


New Features in Security Content

Note

If you're looking for information about new or updated parsers, models, and rules, see the Exabeam Content Library. Scroll to the branch table and click on the relevant link in the Release Note column. Each set of release notes documents the security content updates between the selected branch and its immediate predecessor.

Introducing the CIM 2.0

June 2022

Exabeam is introducing a new common information model (CIM). The CIM will initially affect only the new Cloud Archive offerings. It will not affect customers who are currently using existing Exabeam products.

The CIM provides a multi-layered, hierarchical framework that defines the structure of security content across Exabeam products. This new data schema redefines how security events are represented.

In the CIM framework, an event is more than an information bundle with an event type name. For the Exabeam CIM, an event is a collection of context components that, when taken together, provide a clear and accurate description of what has occurred. As the threat landscape changes, this layered approach also allows for future augmentation across all data and metadata elements of the CIM.

Highlights of the CIM

  • The CIM uses a layered approach that relies on a hierarchy of context elements to form a minimalist but detailed structure.

  • In the CIM, contextual elements are the key to providing accurate and consistent event classification across Exabeam products. The context elements you will encounter in new Exabeam functionality include: Subject, Activity Type, Outcome, Vendor, Product, Product Category, Platform, and Landscape.

    By including context elements in its schema, the CIM provides an elegant solution to ensure that valuable event data is preserved with the event it describes.

  • To help enforce the CIM schema, and to track the attributes related to an event, the CIM provides a layered structure of four interfaces: Universal, Subject, Activity Type, and Extension. Each layer inherits the configuration of the previous layer and, together, they create a complete picture of an event, according to the CIM. To enforce field compliance in each layer, all fields are classified as either Core (required), Detection (needed for detecting a specific risk), or Informational (not necessary but provided in the log).

    Through this multi-layered structure, the CIM can impose conventions on activity types and fields, enforce field compliance, simplify the creation of custom content, and provide extensibility for future expansion.

  • A rigid event-naming convention ensures that events are easily readable and manageable across Exabeam products. The new event-naming format is based on CIM context elements so that every event can be represented as follows: subject-sub_subject-activity:outcome.

    This convention makes it possible to create new types of events that conform to the CIM structure.
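The naming convention and the Core/Detection/Informational field classes above can be modelled in a few lines. The following is an added illustration, not Exabeam code: it parses a subject-sub_subject-activity:outcome event name and checks an event's fields against constructed layer definitions. The layer contents, field names, and the treatment of sub_subject as optional are assumptions, not taken from the CIM itself.

```python
import re

# Core = required, Detection = needed to detect a specific risk,
# Informational = provided in the log but not required.
CORE, DETECTION, INFO = "Core", "Detection", "Informational"

# Event names follow subject-sub_subject-activity:outcome; the sub_subject
# part is treated as optional here (an assumption, not stated on the page).
EVENT_NAME_RE = re.compile(
    r"^(?P<subject>[a-z_]+)(?:-(?P<sub_subject>[a-z_]+))?"
    r"-(?P<activity>[a-z_]+):(?P<outcome>[a-z_]+)$"
)

# Hypothetical layer definitions (constructed for this example): Universal
# applies to every event; Subject and Activity layers are selected from the
# parsed name and inherit whatever the earlier layers already require.
LAYERS = {
    "Universal": {"time": CORE, "vendor": CORE, "product": CORE, "platform": INFO},
    "Subject:file": {"file_name": CORE, "file_path": DETECTION},
    "Subject:peripheral_storage": {"device_id": CORE},
    "Activity:create": {"process_name": DETECTION, "bytes_written": INFO},
}


def parse_event_name(name):
    """Split a CIM-style event name into its context elements."""
    m = EVENT_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a CIM event name: {name!r}")
    return m.groupdict()


def layers_for(parsed):
    """Collect the layers an event inherits, from Universal outward."""
    keys = ["Universal", f"Subject:{parsed['subject']}"]
    if parsed["sub_subject"]:
        keys.append(f"Subject:{parsed['sub_subject']}")
    keys.append(f"Activity:{parsed['activity']}")
    return [LAYERS[k] for k in keys if k in LAYERS]


def check_compliance(event_name, fields):
    """Report the Core and Detection fields the event is missing, per layer."""
    missing = {CORE: [], DETECTION: []}
    for layer in layers_for(parse_event_name(event_name)):
        for fname, cls in layer.items():
            if cls in missing and fname not in fields:
                missing[cls].append(fname)
    return missing
```

A missing Core field means the event fails compliance; a missing Detection field only means the rules that need it cannot fire for this event.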

CIM Impact on Downstream Processes

The CIM relies on context elements as the foundation for its hierarchical framework. This has the following influence on how data is ingested and how subsequent logic operates:

  • Context elements provide a way to categorize events consistently both within, and across Exabeam products. Any context element that is part of an event can function as its own pseudo-category. Categorization based on context elements allows a file creation event to be identified as such regardless of where it took place.

  • In security analysis, context is essential for evaluating the potential risk an action poses. The degree of risk can vary depending on multiple attributes associated with an action. Context elements provide a way to leverage these subtleties so that security features can be conditioned, scoped, and detected with reliability.

  • Context elements can be used to drill into your data. Like other fields, they can be used for search queries, reporting, and creating dashboards. But because context elements can serve as a categorization method, the filtering capabilities they provide ensure accuracy on a global level while still enabling a granular filtering experience.

  • Because the CIM interfaces are tied to the context elements, field compliance can be enforced for existing events. And for new events, security content (such as parsers or event builders) can be created consistently.

If you'd like to explore the new common information model, you can visit the CIM Library.

Transitioning to the CIM

If you've been using Exabeam products prior to the introduction of the CIM, the transition to using the CIM does not require any migration effort on your part. You will, however, want to familiarize yourself with the shift the CIM represents in the way data is categorized and events are classified.

  • Data Lake Categorization:

    • Existing security content will be migrated, including custom content.

    • Although some components may be named differently or covered by different context elements, no categorization information has been lost in the new structure.

    • Exa_categories have been replaced by CIM context elements. For a matrix list, see Exa_Category Mapping to CIM Context Elements.

    • New types of filtering have been made possible by the CIM context elements. For example, it's now possible to query everything from all Windows systems (platform:"windows"). Or you can query all activity that took place in peripheral storage (subject:"peripheral_storage").

  • Event Classification:

    • Existing security content will be migrated, including custom content.

    • To enforce consistency with the new CIM event format, some changes have been made to legacy event type names. Other events have been reworked in order to leverage the CIM context elements.

    • The CIM requires that a certain level of granularity be maintained during the event building process. Some changes have been made to the process so that context elements are populated with values at the event building level.

  • Fields: Some fields have been changed, either in name or in definition, to conform to the CIM structure.

  • Parsers:

    • With the introduction of the CIM, the conventions for naming parsers have been standardized. The new naming structure ensures that parser names are consistent across Exabeam products and are easily recognizable. For a set of alphabetized tables, see Matrix of Legacy vs. New Parser Names.

    • All parser definitions have been migrated to leverage new CIM field names and to include a new parser version number. This migration has been completed for all currently existing parsers, both default and custom.