Host to IP Enrichment
The host to IP enrichment feature ensures that all Exabeam-generated events are associated with a relevant source and/or destination host, even when the raw log is missing the hostnames. It also does the reverse and can provide the relevant source and/or destination IP addresses when they are missing from the raw log. To implement this enrichment, the system uses a default host to IP mapping condition.
Default Mapping Condition
When logs are ingested that include both the hostname and the IP address, and the log satisfies internal CIM field filters, the system stores the host and IP information in a dynamic host-IP mapping table. This table allows hostnames to be identified from IP addresses (or vice versa) at any point in time so that events can be enriched with missing information. In this way, when ingested logs are missing a hostname or an IP address, the system relies on the dynamic host-IP mapping table to enrich the logs with missing information.
Host to IP mappings in the dynamically-generated table expire after 14 days.
You can see when host or IP fields have been enriched by viewing events in the query results of the Search application. Select an event and view the Event Details. Fields that have been enriched are marked with an enriched field icon. Hover over the icon to see a message about the enrichment process.
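The following Python example is an added illustration of the mapping behavior described above; it is not Exabeam code. The field names (src_host, src_ip, dest_host, dest_ip, enriched_fields), the rule that only complete logs refresh a mapping, and the sample events are assumptions, and the internal CIM field filters are not modeled.

```python
from datetime import datetime, timedelta

TTL = timedelta(days=14)  # mapping lifetime stated on the page

class HostIpTable:
    """Conceptual model of a dynamic host-IP mapping table (assumed design)."""

    def __init__(self):
        self.by_ip = {}    # ip -> (host, last_seen)
        self.by_host = {}  # host -> (ip, last_seen)

    def _fresh(self, table, key, now):
        # Return the mapped value only if it was learned within the TTL.
        hit = table.get(key)
        return hit[0] if hit and now - hit[1] <= TTL else None

    def process(self, event):
        """Learn from complete events; fill the missing side of incomplete ones."""
        now, enriched = event["time"], []
        for side in ("src", "dest"):
            host, ip = event.get(f"{side}_host"), event.get(f"{side}_ip")
            if host and ip:
                # Both present: record or refresh the mapping in both directions.
                self.by_ip[ip] = (host, now)
                self.by_host[host] = (ip, now)
            elif ip and (found := self._fresh(self.by_ip, ip, now)):
                event[f"{side}_host"] = found   # enrichment does not refresh the TTL
                enriched.append(f"{side}_host")
            elif host and (found := self._fresh(self.by_host, host, now)):
                event[f"{side}_ip"] = found
                enriched.append(f"{side}_ip")
        event["enriched_fields"] = enriched  # stands in for the enriched field icon
        return event

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)
    table = HostIpTable()
    events = [  # constructed sample events, processed in time order
        {"time": t0, "src_host": "wks-017", "src_ip": "10.20.0.17"},  # learned
        {"time": t0 + timedelta(days=3), "src_ip": "10.20.0.17"},     # host missing
        {"time": t0 + timedelta(days=5), "dest_host": "wks-017"},     # IP missing
        {"time": t0 + timedelta(days=20), "src_ip": "10.20.0.17"},    # mapping expired
    ]
    return [table.process(e) for e in events]
```

In this model a host that stops producing complete logs loses its mapping after 14 days, so later events that carry only its IP address stay unenriched.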

Note
New-Scale Host to IP enrichment is available to the following New-Scale licenses: New-Scale SIEM, New-Scale Fusion, New-Scale Analytics. The New-Scale default mapping condition covers all of the mapping functionality that was available in Advanced Analytics static mapping.
If you are not using a New-Scale license, Advanced Analytics has its own method of mapping hosts to IP addresses. For information, see Configure Static Mappings of Hosts to/from IP Addresses in the Advanced Analytics Administration Guide.
Early Access Opportunity
Note
An early access opportunity is available to customize the host to IP enrichment functionality. You may want to take advantage of this opportunity if any of the following reasons apply to your environment:
You want to limit host to IP enrichment to specific scenarios. You can work with Exabeam to develop a custom condition for deciding which logs to enrich. Instead of using the default set of activity types listed above, you can condition the enrichment to be implemented on a more limited set of activity types, in combination with specific outcomes, vendors, or other fields.
You want to exclude domain controllers or other specific servers from the host to IP enrichment process. To implement the exclusion process, contact the Log Stream early access team for help.
If you would like to take advantage of this early access customization, email the following group: [email protected].