Introducing the Common Information Model 2.0
June 2022
Exabeam is introducing a new common information model. The information model affects only the New-Scale cloud-native products. It will not affect customers who are currently using on-premises/SaaS Exabeam products.
The common information model provides a multi-layered, hierarchical framework that defines the structure of security content across Exabeam products. This new data schema redefines how security events are represented.
In the common information model framework, an event is more than an information bundle with an event type name. For the new information model, an event is a collection of context components that, when taken together, provide a clear and accurate description of what has occurred. As the threat landscape changes, this layered approach also allows for future augmentation across all data and metadata elements of the common information model.
Highlights of the Common Information Model
The common information model uses a layered approach that relies on a hierarchy of context elements to form a minimalist but detailed structure.
In the common information model, contextual elements are the key to providing accurate and consistent event classification across Exabeam products. The context elements you will encounter in new Exabeam functionality include: Subject, Activity Type, Outcome, Vendor, Product, Product Category, Platform, and Landscape.
By including context elements in its schema, the common information model provides an elegant solution to ensure that valuable event data is preserved with the event it describes.
To help enforce the common information model schema, and to track the attributes related to an event, the information model provides a layered structure of four interfaces: Universal, Subject, Activity Type, and Extension. Each layer inherits the configuration of the previous layer and, together, they create a complete picture of an event, according to the common information model. To enforce field compliance in each layer, all fields are classified as either Core (required), Detection (needed for detecting a specific risk), or Informational (not necessary but provided in the log).
Through this multi-layered structure, the common information model can impose conventions on activity types and fields, enforce field compliance, simplify the creation of custom content, and provide extensibility for future expansion.
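As an added illustration (not Exabeam's own code or schema) of the four inheriting interfaces and the Core/Detection/Informational field classes described above, the following resolves the fields a layer inherits and checks an event against them. The layer contents and field names are constructed placeholders, not the real CIM definitions.

```python
# Four interfaces, ordered outer to inner; each layer inherits everything before it.
# Field names and their class assignments are constructed placeholders (assumption).
LAYERS = [
    ("universal", {"core": {"time", "vendor", "product"}, "detection": set(), "informational": {"raw_log"}}),
    ("subject", {"core": {"subject"}, "detection": {"user"}, "informational": set()}),
    ("activity_type", {"core": {"activity", "outcome"}, "detection": {"file_name"}, "informational": {"file_size"}}),
    ("extension", {"core": set(), "detection": {"hash"}, "informational": {"file_ext"}}),
]

def resolve_layer(name):
    """Merge field classes from the Universal layer down to `name` (layer inheritance)."""
    merged = {"core": set(), "detection": set(), "informational": set()}
    for layer_name, classes in LAYERS:
        for cls, fields in classes.items():
            merged[cls] |= fields
        if layer_name == name:
            return merged
    raise KeyError(f"unknown layer: {name}")

def check_compliance(event, layer="extension"):
    """Return (missing_core, missing_detection, unknown_fields) for an event dict.

    Missing Core fields make the event non-compliant; missing Detection fields
    only limit which risks can be detected; Informational fields are optional.
    """
    spec = resolve_layer(layer)
    present = set(event)
    known = spec["core"] | spec["detection"] | spec["informational"]
    return (sorted(spec["core"] - present),
            sorted(spec["detection"] - present),
            sorted(present - known))

if __name__ == "__main__":
    # Constructed sample event: all Core fields present, two Detection fields absent.
    sample = {"time": 1655000000, "vendor": "acme", "product": "edr", "subject": "file",
              "activity": "write", "outcome": "success", "file_name": "report.docx"}
    print(check_compliance(sample))
```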
A rigid event-naming convention ensures that events are easily readable and manageable across Exabeam products. The new event-naming format is based on common information model context elements so that every event can be represented as follows:
subject-sub_subject-activity:outcome
This convention makes it possible to create new types of events that conform to the common information model structure.
Common Information Model Impact on Downstream Processes
The common information model relies on context elements as the foundation for its hierarchical framework. This has the following influence on how data is ingested and how subsequent logic operates:
Context elements provide a way to categorize events consistently both within and across Exabeam products. Any context element that is part of an event can function as its own pseudo-category. Categorization based on context elements allows a file creation event to be identified as such regardless of where it took place.
In security analysis, context is essential for evaluating the potential risk an action poses. The degree of risk can vary depending on multiple attributes associated with an action. Context elements provide a way to leverage these subtleties so that security features can be conditioned, scoped, and detected with reliability.
Context elements can be used to drill into your data. Like other fields, they can be used for search queries, reporting, and creating dashboards. But because context elements can serve as a categorization method, the filtering capabilities they provide ensure accuracy on a global level while still enabling a granular filtering experience.
Because the common information model interfaces are tied to the context elements, field compliance can be enforced for existing events. And for new events, security content (such as parsers or event builders) can be created consistently.
If you'd like to explore the new common information model, you can visit the Common Information Model Library.
Transitioning to the Common Information Model
If you've been using Exabeam products prior to the introduction of the common information model, the transition to using it does not require any migration effort on your part. You will, however, want to familiarize yourself with the shift that the common information model represents in the way data is categorized and events are classified.
Data Lake Categorization:
Existing security content will be migrated, including custom content.
Although some components may be named differently or covered by different context elements, no categorization information has been lost in the new structure.
Exa_categories have been replaced by common information model context elements. For a matrix list, see the table called Exa_Category Mapping to Common Information Model Context Elements in Transitioning to the Common Information Model.
New types of filtering have been made possible by the common information model context elements. For example, it's now possible to query everything from all Windows systems (platform:"windows"). Or you can query all activity that took place in peripheral storage (subject:"peripheral_storage").
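As an added example (not Exabeam's code or query engine), the following ties the event-naming convention subject-sub_subject-activity:outcome to the context-element filtering shown above: event-type names are parsed into their context elements, and a query such as platform:"windows" or subject:"peripheral_storage" is matched against them. It assumes sub_subject may be omitted, and the sample events and their values are constructed.

```python
import re

# Naming convention from the page: subject-sub_subject-activity:outcome.
# Assumption: sub_subject may be omitted (subject-activity:outcome).
EVENT_NAME = re.compile(
    r"^(?P<subject>[a-z0-9_]+)(?:-(?P<sub_subject>[a-z0-9_]+))?"
    r"-(?P<activity>[a-z0-9_]+):(?P<outcome>[a-z0-9_]+)$")

def parse_event_name(name):
    """Split an event-type name into its context elements; reject non-conforming names."""
    m = EVENT_NAME.match(name)
    if not m:
        raise ValueError(f"event name does not follow the convention: {name!r}")
    return {k: v for k, v in m.groupdict().items() if v is not None}

# Constructed sample events; platform/vendor values are illustrative only.
EVENTS = [
    {"event_type": "file-write:success", "platform": "windows", "vendor": "microsoft"},
    {"event_type": "peripheral_storage-mount:success", "platform": "windows", "vendor": "microsoft"},
    {"event_type": "file-write:success", "platform": "linux", "vendor": "auditd"},
    {"event_type": "file-delete:fail", "platform": "windows", "vendor": "microsoft"},
]

def context_of(event):
    """Context elements = the event's own fields plus the parts of its event-type name."""
    ctx = {k: v for k, v in event.items() if k != "event_type"}
    ctx.update(parse_event_name(event["event_type"]))
    return ctx

QUERY_TERM = re.compile(r'(\w+):"([^"]*)"')

def filter_events(events, query):
    """Apply a query of element:"value" terms (all terms must match) and return matches."""
    terms = QUERY_TERM.findall(query)
    if not terms:
        raise ValueError('query must contain at least one element:"value" term')
    return [e for e in events if all(context_of(e).get(k) == v for k, v in terms)]

if __name__ == "__main__":
    for q in ('platform:"windows"', 'subject:"peripheral_storage"', 'subject:"file" outcome:"fail"'):
        print(q, "->", [e["event_type"] for e in filter_events(EVENTS, q)])
```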
Event Classification:
Existing security content will be migrated, including custom content.
To enforce consistency with the new common information model event format, some changes have been made to legacy event type names. Other events have been reworked in order to leverage the common information model context elements.
The common information model requires that a certain level of granularity be maintained during the event building process. Some changes have been made to the process so that context elements are populated with values at the event building level.
Fields: Some fields have been changed, either in name or in definition, to conform to the common information model structure.
Parsers:
With the introduction of the common information model, the conventions for naming parsers have been standardized. The new naming structure ensures that parser names are consistent across Exabeam products and are easily recognizable. For a set of alphabetized tables, see the Parser Names Matrix in the New-Scale Content Library (a GitHub repository).
All parser definitions have been migrated to leverage new CIM field names and to include a new parser version number. This migration has been completed for all currently existing parsers, both default and custom.