Log Stream Guide

Host to IP Enrichment

The host to IP enrichment feature ensures that all Exabeam-generated events are associated with a relevant source and/or destination host, even when the raw log is missing the hostnames. It also works in reverse and can supply the relevant source and/or destination IP addresses when they are missing from the raw log. To implement this enrichment, the system maintains a dynamic host-IP mapping table that allows the New-Scale detection engine, or other consuming services, to resolve a hostname from an IP address at any point in time (or vice versa). Host to IP mappings expire after 14 days in the dynamically-generated table.

Note

This New-Scale Host to IP enrichment is available to the following New-Scale licenses: New-Scale SIEM, New-Scale Fusion, New-Scale Analytics.

If you are not using New-Scale, Advanced Analytics has its own method of mapping hosts to IP addresses. For information, see Configure Static Mappings of Hosts to/from IP Addresses in the Advanced Analytics Administration Guide.

When logs are ingested, they are evaluated to determine whether they meet the conditions for host to IP enrichment. By default, host to IP enrichment takes place if the log's activity type is one of the default set listed below. For example, if a log is ingested with an activity type of alert-trigger, and it includes a src_ip field but not a src_host field, the parsed event is enriched with a source hostname, provided the mapping is currently available in the dynamically-generated mapping table.

You can see when host or IP fields have been enriched by viewing events in the query results of the Search application. Select an event and view the Event Details. Fields that have been enriched are marked with an enriched field icon. Hover over the icon to see a message about the enrichment process.

[Figure: host to IP mapping as shown in the Search event details]

The list below contains the default set of activity types that qualify an incoming log for host to IP enrichment (41 types, in alphabetical order).

  • alert-trigger

  • app-activity

  • app-authentication

  • app-login

  • configuration-modify

  • database-login

  • database-query

  • ds_object-activity

  • email-receive

  • email-send

  • endpoint-authentication

  • endpoint-lock

  • endpoint-login

  • endpoint-unlock

  • file-copy

  • file-delete

  • file-download

  • file-list

  • file-move

  • file-permissions-modify

  • file-read

  • file-upload

  • file-write

  • group-member-list

  • group-member-remove

  • log-search

  • message-send

  • printer-activity

  • rule-trigger

  • user-create

  • user-delete

  • user-lock

  • user-mfa-disable

  • user-modify

  • user-password-delete

  • user-password-modify

  • user-password-reset

  • user-permission-modify

  • user-role-modify

  • user-switch

  • user-unlock
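The following is an added illustration of the enrichment logic described above; it is not Exabeam's code and makes no claim about how the New-Scale implementation is built. It models the three behaviours the guide states: a dynamic mapping table whose entries age out after 14 days, point-in-time lookups (the mapping that was valid at the event's own timestamp, not the newest one), and enrichment only for events whose activity type is in the default set, filling src_host from src_ip or the reverse. The field names activity_type, src_ip and src_host follow the guide; time, dst_ip and dst_host, the hostnames and addresses, and the non-qualifying activity type process-create are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Default qualifying activity types, as listed in the guide (41 entries).
DEFAULT_ENRICH_ACTIVITY_TYPES = frozenset({
    "alert-trigger", "app-activity", "app-authentication", "app-login",
    "configuration-modify", "database-login", "database-query", "ds_object-activity",
    "email-receive", "email-send", "endpoint-authentication", "endpoint-lock",
    "endpoint-login", "endpoint-unlock", "file-copy", "file-delete", "file-download",
    "file-list", "file-move", "file-permissions-modify", "file-read", "file-upload",
    "file-write", "group-member-list", "group-member-remove", "log-search",
    "message-send", "printer-activity", "rule-trigger", "user-create", "user-delete",
    "user-lock", "user-mfa-disable", "user-modify", "user-password-delete",
    "user-password-modify", "user-password-reset", "user-permission-modify",
    "user-role-modify", "user-switch", "user-unlock",
})

MAPPING_TTL = timedelta(days=14)  # mappings expire after 14 days (stated in the guide)


class HostIpTable:
    """Time-aware host<->IP table: each key keeps a sorted history of observations,
    so a lookup can be answered for any point in time, not only 'now'."""

    def __init__(self, ttl=MAPPING_TTL):
        self.ttl = ttl
        self._ip_to_host = defaultdict(list)  # ip   -> [(observed_at, host), ...]
        self._host_to_ip = defaultdict(list)  # host -> [(observed_at, ip), ...]

    def learn(self, host, ip, observed_at):
        """Record that `host` held `ip` at `observed_at` (e.g. learned from a login log)."""
        self._ip_to_host[ip].append((observed_at, host))
        self._ip_to_host[ip].sort()
        self._host_to_ip[host].append((observed_at, ip))
        self._host_to_ip[host].sort()

    def _lookup(self, history, key, at):
        # Newest observation made at or before `at`; None if it has aged out.
        for observed_at, value in reversed(history.get(key, [])):
            if observed_at <= at:
                return value if at - observed_at <= self.ttl else None
        return None

    def host_for_ip(self, ip, at):
        return self._lookup(self._ip_to_host, ip, at)

    def ip_for_host(self, host, at):
        return self._lookup(self._host_to_ip, host, at)


def enrich_event(event, table, activity_types=DEFAULT_ENRICH_ACTIVITY_TYPES):
    """Return (enriched copy of event, list of field names that were enriched).
    Only events whose activity_type is in `activity_types` are considered; for each
    side (src/dst) a missing host is filled from the IP, or a missing IP from the host."""
    out = dict(event)
    enriched = []
    if out.get("activity_type") not in activity_types:
        return out, enriched
    at = out["time"]  # constructed field name: the event's own timestamp
    for side in ("src", "dst"):
        host_key, ip_key = f"{side}_host", f"{side}_ip"
        if out.get(ip_key) and not out.get(host_key):
            host = table.host_for_ip(out[ip_key], at)
            if host:
                out[host_key] = host
                enriched.append(host_key)
        elif out.get(host_key) and not out.get(ip_key):
            ip = table.ip_for_host(out[host_key], at)
            if ip:
                out[ip_key] = ip
                enriched.append(ip_key)
    return out, enriched


def demo():
    """Run four constructed events through the table and return the results."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    table = HostIpTable()
    table.learn("ws-finance-07", "10.1.2.3", t0)                           # constructed
    table.learn("ws-finance-07", "10.1.2.99", t0 + timedelta(days=20))     # host re-addressed later
    events = [
        # qualifying type, src_ip present, src_host missing -> host is filled in
        {"activity_type": "alert-trigger", "time": t0 + timedelta(days=1), "src_ip": "10.1.2.3"},
        # same event 15 days after the mapping was learned -> mapping expired, no enrichment
        {"activity_type": "alert-trigger", "time": t0 + timedelta(days=15), "src_ip": "10.1.2.3"},
        # activity type not in the default set (constructed) -> not evaluated at all
        {"activity_type": "process-create", "time": t0 + timedelta(days=1), "src_ip": "10.1.2.3"},
        # reverse direction: dst_host known, dst_ip missing, resolved as of day 21
        {"activity_type": "file-read", "time": t0 + timedelta(days=21), "dst_host": "ws-finance-07"},
    ]
    return [enrich_event(e, table) for e in events]


if __name__ == "__main__":
    for out, fields in demo():
        print(fields, out)
```

The point-in-time lookup is what keeps the enrichment honest when a workstation is re-addressed: the fourth event resolves to the address the host held on day 21 (10.1.2.99), not the one it held on day 1, and the second event is deliberately left unenriched rather than tagged with a stale 15-day-old mapping.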

Note

Early Access Opportunity

An early access opportunity is available to customize the host to IP enrichment functionality. You may want to take advantage of it for either of the following reasons:

  • You find that the default enrichment condition is providing inaccurate host to IP mapping. The early access feature provides a different set of enrichment conditions that could result in more accurate mapping.

  • You want to limit host to IP enrichment to specific scenarios. You can work with Exabeam to develop a custom condition for deciding which logs to enrich. Instead of using the default set of activity types listed above, you can condition the enrichment to be implemented on a more limited set of activity types, in combination with specific outcomes, vendors, or other fields.

If you would like to take advantage of this early access customization, email the following group: [email protected].