Skip to main content

Event SelectionEvent Selection Guide

Create an Event Selection Policy Statement

To manually create an event statement:

  1. On the Event Selection home page, click Add Event Statement.

    The Add Event Selection Policy Statements dialog displays.

    ESAddEventSelectionStatements.png

    The ESCreateEnabledIcon.png icon indicates that this statement will automatically be enabled when you save. Click the icon to have the statement automatically disabled.

  2. Select a subject from the drop-down menu. A panel on the right displays a list of vendors and products that have recently provided Exabeam with information about the selected subject.

    Note

    The drop-down menu will only contain subjects for which an event statement has not yet been defined, as there cannot be more than one event statement for a subject.

  3. Click Add Activity Type, and select an activity type from the drop-down menu.

    Note

    The drop-down menu will contain the activity types parsed for the subject of this event statement, and conforms to the Common Information Model (CIM) 2.0. For more information, see Common Information Model.

    In the panel on the right, you can view a list of vendors and products that have recently provided Exabeam with information about the selected subject and activity type combination. Click the selected activity type, as shown in the image below. If you want to toggle the vendor and product list back to all sources for the subject, click the selected subject.

    ESVendorProductPanel.png

  4. To add exclusions to this activity type, click Add Exclusion.

    1. Select a field from the drop-down menu.

      Note

      The field list will contain all fields that have been parsed for this activity type, including those that conform to the Common Information Model (CIM) 2.0, as well as any custom or TIS enriched IOC fields selected in Parser Manager.

    2. Select an operator from the drop-down menu.

    3. Define the value and press Enter.

    Note

    To add multiple exclusions to an activity, click Add Exclusion again and define as above (expression added with an or operator), or click the ESAddExclusionIcon.png icon and define as above (expression added with an and operator). Events that match these selections will be excluded.

  5. Repeat steps 3 and 4 until the event statement is defined to your satisfaction. Click the ESTrashCanIcon.png icon to delete any parts of the statements you do not want. If you are creating an exclusion when you click the ESTrashCanIcon.png icon, the full statement line is deleted.

    ESAddEventSelectionStatements2.png

  6. Click Save.

    Note

    The system validates the statement as you build it, and will not let you save if the statement is invalid in anyway. For example, you must add at lease one activity type to the statement, or the system will not let you save.

    Your newly created event statement will appear in the event statements list.