New Field Mapping

In an effort to standardize fields across the Exabeam Security Operations Platform, the common information model has introduced some changes to fields. In certain cases, the names or definitions of fields have changed. In other cases, brand new fields have been defined. Mapping old fields to common information model fields often depends on the activity type they are part of. For this reason, there is no single, one-to-one mapping list available.

To determine which new field to use, follow the process below. The links below open specific Migration Resources found in the Common Information Model Library (a GitHub repository).

  1. Look for the Data Lake field in the Field Mapping by Events tables. This set of tables represents the most complete field mapping available. The initial table presents a mapping of old event types to new-scale activity types. Look for the old event type in which your Data Lake field occurs and click on it to view a mapping table of old to new-scale field names for that specific event. If your Data Lake field is listed in this table, use the new field it's mapped to. If not, continue with the next step.

  2. Check to see if the Data Lake field appears in the Metadata Field Mapping table. This table maps old metadata fields to new metadata fields. New metadata field names are all prefixed with m_. If your Data Lake field is listed in the metadata field table, use the new metadata field name. If not, continue with the next step.

  3. Look for the Data Lake field in the Field Descriptions table. This table contains a list of all common information model fields and their descriptions. If the Data Lake field appears in this list, it can be used as is. Otherwise, continue with the next step.

  4. If the Data Lake field does not appear in any of the previous sources, it is likely a custom field and can be used by prefixing it with c_.
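The four-step lookup order above, scripted for a batch of fields taken from legacy searches or rules. This is an added example, not Exabeam code: the three tables hold constructed placeholder names standing in for data you would export from the Migration Resources, and `resolve` and `plan` are hypothetical helpers. Scanning every event table when the event type is unknown, and refusing to guess when the results disagree, is an assumption of this sketch.

```python
# Constructed sample tables: placeholder names, not Exabeam's real mappings.
EVENT_FIELD_MAP = {        # step 1: old event type -> {old field: new field}
    "old-event-a": {"old_user": "new_user_a", "old_host": "new_host"},
    "old-event-b": {"old_user": "new_user_b"},
}
METADATA_MAP = {"old_meta": "m_new_meta"}     # step 2: new names carry m_
CIM_FIELDS = {"unchanged_field", "new_host"}  # step 3: Field Descriptions list


def resolve(field, event_type=None):
    """Return (new_field, step) following the four-step order."""
    if event_type is not None:
        tables = [EVENT_FIELD_MAP.get(event_type, {})]
    else:
        tables = list(EVENT_FIELD_MAP.values())  # assumption: scan all events
    candidates = sorted({t[field] for t in tables if field in t})
    if len(candidates) == 1:
        return candidates[0], 1
    if len(candidates) > 1:
        # The mapping depends on the event type, so do not pick one silently.
        raise LookupError(f"{field}: ambiguous without event type {candidates}")
    if field in METADATA_MAP:
        return METADATA_MAP[field], 2
    if field in CIM_FIELDS:
        return field, 3          # usable as is
    return "c_" + field, 4       # likely a custom field


def plan(usages):
    """Map (event_type, field) usages to new names; collect items to review."""
    mapped, review = {}, []
    for event_type, field in usages:
        try:
            new_field, step = resolve(field, event_type)
        except LookupError as exc:
            review.append(str(exc))
            continue
        mapped[(event_type, field)] = new_field
        if step == 4:
            # A typo in the old name also lands here, so surface it.
            review.append(f"{field}: in no table, treated as custom ({new_field})")
    return mapped, review
```

Items in the review list are worth checking by hand before a migrated search or detection rule goes live, since a wrongly mapped field fails silently by matching nothing.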