Host to IP Enrichment
The host to IP enrichment feature ensures that all Exabeam-generated events are associated with a relevant source and/or destination host, even when the raw log is missing the hostnames. It also does the reverse and can provide the relevant source and/or destination IP addresses when they are missing from the raw log. To implement this enrichment, the system uses a HostToIP enrichment rule that includes a set of default mapping conditions.
Note
For the host to IP enrichment process to work, you must ensure that the most recent content package (no older than February 2026) has been installed in your environment and that the appropriate script has been run. To verify that you have the latest package installed, navigate to the Parser Updates tab at the top of the Log Stream application and note the most recent installed package. Check the New-Scale Content Package Release Notes to confirm that it is the most up-to-date package.
Default Mapping Condition
When logs are ingested that include both the hostname and the IP address, and the log satisfies internal CIM field filters, the system stores the host and IP information in a dynamic host-IP mapping table. This table allows hostnames to be identified from IP addresses (or vice versa) at any point in time so that events can be enriched with missing information. In this way, when ingested logs are missing a hostname or an IP address, the system relies on the dynamic host-IP mapping table to enrich the logs with missing information.
Host to IP mappings in the dynamically-generated table expire after 14 days.
You can see when host or IP fields have been enriched by viewing events in the query results of the Search application. Select an event and view the Event Details. Fields that have been enriched are marked with an enriched field icon. Hover over the icon to see a message about the enrichment process.

Note
New-Scale Host to IP enrichment is available to the following New-Scale licenses: New-Scale SIEM, New-Scale Fusion, New-Scale Analytics. The New-Scale default mapping condition covers all of the mapping functionality that was available in Advanced Analytics static mapping.
If you are not using a New-Scale license, Advanced Analytics has its own method of mapping hosts to IP addresses. For information, see Configure Static Mappings of Hosts to/from IP Addresses in the Advanced Analytics Administration Guide.
Managing Host to IP Mapping
Two options are available for managing host to IP mapping functionality:
Customize the Default Condition – If you want to modify the default condition used to map hostnames and IP addresses, you can access a platform enrichment rule called HostToIP. You can interact with this rule on the Log Stream Enrichment tab. Like any other enrichment rule, you can click the options menu and select View to view the mapping conditions. To modify the mapping conditions, first disable the rule, then click the options menu and select Edit. For information about editing conditions, see Define an Enrichment Rule.
Exclude Hosts from Enrichment – If you want to exclude domain controllers or other specific host servers from the host to IP enrichment process, you can use an exclusion context table called Host To IP Excluded Hosts. This context table is a Pre-Built New-Scale Analytics table available in the Context Management application. It can be populated manually or via an automated process that loads domain controllers based on your Active Directory. For general information about interacting with pre-built context tables, see View and Interact with a Pre-Built Context Table, in the Context Management Guide.
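The default mapping behaviour and the exclusion table described on this page, modelled in Python as an added example; this is not Exabeam's code and does not reflect how the product is implemented. The class name `HostIpTable`, the field names (`src_host`, `src_ip`, `dest_host`, `dest_ip`), case-insensitive hostname matching, and the exact effect of an exclusion are assumptions; only the 14-day expiry comes from the page.

```python
from datetime import datetime, timedelta

TTL = timedelta(days=14)  # mappings expire after 14 days (stated on the page)

class HostIpTable:
    """Illustrative model of a dynamic host-IP mapping table; not Exabeam code."""

    def __init__(self, excluded_hosts=()):
        # Assumption: excluded hosts are neither learned nor used for enrichment.
        self.excluded = {h.lower() for h in excluded_hosts}
        self.by_ip, self.by_host = {}, {}  # key -> [(seen_at, value), ...]

    def _lookup(self, index, key, at):
        # Newest observation made at or before `at` that is still within the TTL.
        hits = [(t, v) for t, v in index.get(key, []) if t <= at < t + TTL]
        return max(hits)[1] if hits else None

    def process(self, event):
        """Learn from events carrying host and IP; enrich events missing one."""
        at, out = event["time"], dict(event, enriched=[])
        for side in ("src", "dest"):  # field names are assumptions
            host, ip = event.get(f"{side}_host"), event.get(f"{side}_ip")
            host = host.lower() if host else None  # assumption: case-insensitive
            if host and ip:
                if host not in self.excluded:
                    self.by_ip.setdefault(ip, []).append((at, host))
                    self.by_host.setdefault(host, []).append((at, ip))
                continue
            if ip:
                missing, found = f"{side}_host", self._lookup(self.by_ip, ip, at)
            elif host and host not in self.excluded:
                missing, found = f"{side}_ip", self._lookup(self.by_host, host, at)
            else:
                continue
            if found:
                out[missing] = found
                out["enriched"].append(missing)
        return out

def demo():
    """Run constructed sample events through the model."""
    t0, day = datetime(2026, 3, 1, 9, 0), timedelta(days=1)
    table = HostIpTable(excluded_hosts=["dc01"])
    table.process({"time": t0, "src_host": "WS-042", "src_ip": "10.0.5.17"})
    table.process({"time": t0, "src_host": "DC01", "src_ip": "10.0.0.10"})
    fresh = table.process({"time": t0 + 3 * day, "src_ip": "10.0.5.17"})
    stale = table.process({"time": t0 + 15 * day, "dest_ip": "10.0.5.17"})
    dc = table.process({"time": t0 + day, "src_ip": "10.0.0.10"})
    return fresh, stale, dc
```

In `demo()`, the event three days after the mapping was learned is enriched with a hostname, the event fifteen days later is left unenriched because the mapping has expired, and the excluded host is never resolved.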