Auto Parser Generator Now Available for Customers
Exabeam recently released Auto Parser Generator, a new tool in the Exabeam Cloud Studio, for general availability. In this post, you will learn about parsers, common problems, and how Auto Parser Generator from Exabeam can help.
What are parsers?
Analysts may find the journey to harnessing their SIEM for threat detection to be a challenging one. Log feeds come in many shapes and sizes, and parsers serve to ingest and normalize these different data sources. Specifically, a parser takes one log format and converts it into normalized, structured data, often called a common information model (CIM). SIEMs can include hundreds or thousands of parsers written to process logs from common systems.
Parsing with Exabeam
Exabeam provides thousands of out-of-the-box parsers to ingest log feeds from data sources spanning firewalls, web security, EDR platforms, identity tools, network traffic, and IoT systems. We have even developed parsers for physical access systems such as badge readers and printers.
Parsers are particularly important to Exabeam. Unlike traditional SIEMs, we use parsers not only to index data but also to unlock key functionality within Exabeam Advanced Analytics. Parsers must comply with our out-of-the-box security content so that the right values are mapped to the right fields; those fields populate detail in timelines, enrich data, feed threat detection models, and trigger detection rules.
Parsers are painful!
Typically, building or modifying existing parsers can take days or even weeks, and often requires engaging support services. With the sheer volume of parsers needed to keep your SIEM detection accurate, automation is key.
A SOC’s only hope to achieve comprehensive, effective monitoring and analysis coverage is to leverage tools that automate the early stages of monitoring, including event collection, parsing, storage and triage.
Introducing Auto Parser Generator
Exabeam Auto Parser Generator (APG) is a tool in Cloud Studio, our offering that enables internal and external users to easily create content on Exabeam platforms. APG guides you through creating and deploying a custom parser in a simple, intuitive user experience.
How it works
APG first analyzes a log sample uploaded by the user and attempts to match it to any existing parsers.
APG indicates the number of matched parsers immediately after analysis, for you to review further.
Next, you can either build a new parser for any unmatched sample log or modify an existing one.
You can quickly and easily review matched parsers to determine if any modifications or tweaks are needed.
Then step through a simple UI to select conditions, collect details on certain parameters, and map event type fields to log values.
Use a point-and-click interface to select the conditions a parser must match.
APG recommends a list of keys based on common field extractions that already exist in parsers, and you can generate a JRegex pattern from that list.
Map fields easily by using a point-and-click interface in the log sample.
Once you have reviewed your new parser, you can download a zip file and install your new parser in your instance of Advanced Analytics. For customers, this will soon be available via Content over Cloud, a new feature for content administration and management in our release of i54.
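To make the workflow above concrete, here is an added example of what a parser does under the hood: match a log sample against parser conditions, extract fields with regex, and map them to normalized (CIM-style) field names. This is illustrative code written for this post, not Exabeam's parser format or APG's output; it uses Python's `re` module rather than JRegex (note the `(?P<name>...)` named-group syntax), and the parser definitions and log lines are constructed.

```python
import re

# Constructed parser definitions (assumed structure, not Exabeam's format):
#   conditions - substrings a log must contain for the parser to apply
#   patterns   - regexes with named groups that extract raw fields
#   field_map  - raw group name -> normalized (CIM-style) field name
PARSERS = {
    "ssh_login": {
        "conditions": ["sshd", "Accepted"],
        "patterns": [r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"],
        "field_map": {"user": "user", "src_ip": "src_ip", "src_port": "src_port", "method": "auth_method"},
        "event_type": "authentication-success",
    },
    "ssh_failed": {
        "conditions": ["sshd", "Failed password"],
        "patterns": [r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+)"],
        "field_map": {"user": "user", "src_ip": "src_ip"},
        "event_type": "authentication-failed",
    },
}

def match_parsers(log_line):
    """Step 1 of the workflow: names of parsers whose conditions all appear in the log line."""
    return [name for name, p in PARSERS.items() if all(c in log_line for c in p["conditions"])]

def parse(log_line):
    """Normalize a raw log line into a CIM-style event dict, or None if no parser matches."""
    for name in match_parsers(log_line):
        p = PARSERS[name]
        event = {"parser": name, "event_type": p["event_type"]}
        for pattern in p["patterns"]:
            m = re.search(pattern, log_line)
            if m:
                for raw, norm in p["field_map"].items():
                    value = m.groupdict().get(raw)
                    if value is not None:
                        event[norm] = value
        if len(event) > 2:  # at least one field was extracted, so the parser applies
            return event
    return None  # unmatched sample: candidate for a new parser

# Constructed sample log lines (not real data); the cron line is deliberately unmatched
SAMPLES = [
    "Jan 12 10:01:02 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 12 10:01:09 host1 sshd[1235]: Failed password for invalid user bob from 10.0.0.7 port 51240 ssh2",
    "Jan 12 10:02:00 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line))
```

Running it shows the first two samples normalized to `user` / `src_ip` fields under distinct event types, and the cron line returning `None`, which is the case where you would build a new parser rather than modify an existing one.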