- Log Stream Overview
- Parser Manager
- Parsers Overview
- View Parser Details
- Create a Custom Parser
- Import Sample Logs
- Define a Subset of the Sample Logs
- Add Conditions
- Add Basic Parser Information
- Extract Event Fields
- Extract Mapped JSON Fields
- Select JSON Fields from a List of Key/Value Pairs
- Select Tokenized JSON Fields from the Values in the Sample Log
- Manually Enter JSON Path Expressions
- Reorder Mapped JSON Fields
- Review the Matching JSON Fields and Values
- Add Logic to JSON Field Extraction
- Expressions for Parser Field Extractions and Enrichment Mapping
- Array Log Sample
- Extract Fields Using Regular Expressions
- Extract Mapped JSON Fields
- Add Event Builder Rules
- Review and Save Parser
- Manage Existing Custom Parsers
- Tokenize Non-Standard Log Files
- Customize a Default Parser
- Duplicate a Parser
- Enable or Disable Parsers
- Live Tail
- Enrichments
- Event Filtering
Host to IP Enrichment
The host to IP enrichment feature ensures that all Exabeam-generated events are associated with a relevant source and/or destination host, even when the raw log is missing the hostnames. It also does the reverse and can provide the relevant source and/or destination IP addresses when they are missing from the raw log. To implement this enrichment, the system uses a HostToIP enrichment rule that includes a set of default mapping conditions.
Default Mapping Condition
When logs are ingested that include both the hostname and the IP address, and the log satisfies internal CIM field filters, the system stores the host and IP information in a dynamic host-IP mapping table. This table allows hostnames to be identified from IP addresses (or vice versa) at any point in time so that events can be enriched with missing information. In this way, when ingested logs are missing a hostname or an IP address, the system relies on the dynamic host-IP mapping table to enrich the logs with missing information.
Host to IP mappings in the dynamically-generated table expire after 14 days.
You can see when host or IP fields have been enriched by viewing events in the query results of the Search application. Select an event and view the Event Details. Fields that have been enriched are marked with an enriched field icon (
). Hover over the icon to see a message about the enrichment process.
Note
New-Scale Host to IP enrichment is available to the following New-Scale licenses: New-Scale SIEM, New-Scale Fusion, New-Scale Analytics. The New-Scale default mapping condition covers all of the mapping functionality that was available in Advanced Analytics static mapping.
If you are not using a New-Scale license, Advanced Analytics has its own method of mapping hosts to IP addresses. For information, see Configure Static Mappings of Hosts to/from IP Addresses in the Advanced Analytics Administration Guide.
Early Access Opportunity
Two early access opportunities are available to manage host to IP mapping functionality:
Customize the Default Condition – If you want to modify the default condition used to map hostnames and IP addresses, you can request access to a platform enrichment rule called
HostToIP. When your access to this enricher is activated, you can interact with the rule on the Log Stream Enrichment tab. Like any other enrichment rule, you can click the options menu (
) and select View to view the mapping conditions. To modify the mapping conditions, first disable the rule then click the options menu () and select Edit. For information about editing conditions, see Define an Enrichment Rule.Exclude Hosts from Enrichment – If you want to exclude domain controllers or other specific host servers from the host to IP enrichment process, you can use an exclusion context table called Host To IP Excluded Hosts. This context table is a Pre-Built New-Scale Analytics table available in the Context Management application. It can be populated manually or via an automated process that loads domain controllers based on your Active Directory. For the automated process to work, you must ensure that the most recent content package has been installed in your environment and that the appropriate script has been run. For general information about interacting with pre-built context tables, see View and Interact with a Pre-Built Context Table, in the Context Management Guide.
To take advantage of either of the above early access opportunities, email the following group: [email protected].