New Data Categorization

In the Data Lake categorization structure, data is classified either by exa_category or on the basis of the following three components: exa_activity_type, exa_device_type, exa_outcome. By contrast, in the Exabeam Security Operations Platform, data is categorized according to a hierarchy of contextual elements that are defined in the common information model, including subject, activity type, outcome, vendor, product, product category, platform, and landscape. This layered approach allows all of the contextual granularity in your data to be retained.

For more information about these elements, see Common Information Model Context Elements in the Security Content Guide. To view lists of these elements, you can explore the Common Information Model Library (a GitHub repository).

Mapping specific Data Lake categorization components to their common information model counterparts is not a direct one-to-one exercise. The following sections provide some guidelines and examples.

Exa_Categories

This table details how certain Data Lake exa_categories can be mapped to specific common information model context elements.

Data Lake Category	Common Information Model Context Element
Account Management	`subject:"user"`
Account Switch	`activity_type:"user-switch"` Note Activity_type is represented by the combination of subject + activity.
Active Directory	`platform:"microsoft ad"`
Application	`subject:"application"` Note The `application` field is falling out of use in favor of the more accurate `platform` field.
Audit Change	`subject:"audit_policy"`
Authentication	`activity:"authentication"`
Badge	`subject:"physical_location"`
Configuration Change	`subject:"configuration"`
DHCP	`subject:"dhcp"`
DLP	`product_category:"dlp"`
Database	`landscape:"database"`
Endpoint	`landscape:"endpoint"`
Failed Logons and Lockouts	`(activity:"login" AND outcome:"fail") OR activity_type:"user-lock"`
File	`subject:"file"`
Logout	`activity:"logout"`
Network	`landscape:"network"`
Network Alert	Deprecated
Print Activity	`subject:"printer"`
Privileged Access	Deprecated
Security Alerts	`activity_type:"alert-trigger"` Note Activity_type is represented by the combination of subject + activity.
System Event	Activity included in this category is represented by a range of `landscape` values. The `landscape` entity is an umbrella entity that can capture a broad scope of activities happening on various platforms. Examples: `landscape:"cloud"`, `landscape:"endpoint"`, `landscape:"database"`, `landscape:"vpn"`.
VPN	`landscape:"vpn"` or `subject:"vpn"` Note Landscape VPN captures a broad scope of activities that happen on a VPN platform, whether or not the activity concerns the VPN itself. In contrast, Subject VPN is reserved for more granular activities that involve interaction with a VPN itself, such as logging in or out.
Web	`subject:"http"`
Windows Authentication	`activity:"authentication" AND platform:"windows"`

Exa_Activity_Type, Exa_Device_Type, Exa_Outcome

As previously noted, there is not a direct one-to-one mapping of Data Lake components to the elements of the common information model. However, this table shows a high-level view of how the elements of the common information model correspond to the Data Lake categorization components.

Common Information Model Context Element	Description	Data LakeComponent
Subject	Identifies the entity being targeted by an event. Examples include `user`, `file`, `email`, `process`, `endpoint`. Use to query a type of entity. Examples: Show all events that occurred on files. Create a report on activities for a process.	`exa_activity_type` `exa_device_type` `exa_category`
Activity Type	Identifies the type of operation represented in the event. Examples include `file-write`, `process-create`, `user-password-modify`, `endpoint-login`. Use to query events of a similar activity and subject. Examples: Find all file-delete events Generate a report on peripheral_storage-insert activities.	`exa_activity_type` `exa_category`
Outcome	Identifies the result status of the event. Outcome options are `success` or `fail`. Use to query whether an activity had its intended effect.	`exa_outcome`
Vendor	Identifies the owner of the product that recorded the event.	`vendor` field
Product	Identifies the service or application that recorded the event. Examples include `falcon`, `event viewer - security`, `aws cloudtrail`. Use to query what was monitored or triggered by a product. Examples: Show all events generated by the palo alto ngfw. Show what is contained in the event viewer security logs.	`product` field (partially)
Product Category	Identifies an umbrella category for the product. Examples include `email`, `firewall`, `siem`. Use to query what was monitored or triggered by a general type of product. Examples: Create a report on data from all firewalls. Show data collected by all SIEMs.	`exa_device_type` `exa_category`
Platform	Identifies the virtual environment or application in which the event occurred. Examples include `windows`, `okta`, `o365`, `github`. Use to query activity in specific environments. Examples: Filter a search to show all activities that took place in a Windows environment. Generate a report on activities that occurred on Zoom.	`product` field (partially)
Landscape	Identifies an umbrella category for the platform. Examples include `cloud`, `endpoint`, `database`, `vpn`. Use to query activity in general types of environments. Examples: Show activity on file sharing applications. Show all events from endpoints.	`exa_device_type` `exa_category`

Data LakeData Lake Migration Guide

Table of ContentsTable of Contents