Azure AD Context Enrichment
Important
For the Azure AD context enrichment feature to function, your organization must have a hybrid Active Directory deployment that uses Azure AD and either Microsoft AD or Microsoft ADDS.
Organizations using Azure Active Directory (AD) can enrich their event logs by adding user context. This feature automatically pulls user attribute information from Azure AD on a daily basis and enriches logs in real time. Pulled attributes include the following:
- ID
- userType
- userPrincipalName
- mailNickname
- onPremisesSamAccountName
- displayName
- mail
For descriptions of the attributes, see Azure Active Directory Context Tables.
Note
While context information from Azure AD is pulled daily, you can also perform manual pulls from Azure AD to immediately update information after changes to user accounts.
The following table lists the events that can be enriched with context from Azure AD:
Office 365 | Azure | Windows Defender | Windows |
---|---|---|---|
Failed Sign in Alert Failed App Login App Login Sign in Alert Account Unlocked Account Password Changed Account Disabled Security Alert 1 Security Alert 3 Member Added Member Removed PowerBI Activity Hub Network Connection App Activity | App Activity App Login Core Directory | EventHubs Login PIM Activity Security Alert | Auth Events App Login Activity |
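
An added example (not Exabeam's code) of the enrichment described above: a context table is built from the seven listed attributes and keyed so that cloud events carrying a UPN or mail address and on-premises Windows events carrying `DOMAIN\sam` resolve to the same user. The sample users, the events, the `user` field name, and the matching rules are assumptions made for illustration.

```python
# Added illustration: all records below are constructed, not real data.
CONTEXT_ATTRS = ("id", "userType", "userPrincipalName", "mailNickname",
                 "onPremisesSamAccountName", "displayName", "mail")

# Constructed sample of one daily pull (fields follow the attribute list above).
DAILY_PULL = [
    {"id": "00000000-0000-0000-0000-000000000001", "userType": "Member",
     "userPrincipalName": "avega@example.com", "mailNickname": "avega",
     "onPremisesSamAccountName": "avega", "displayName": "Ana Vega",
     "mail": "ana.vega@example.com"},
    {"id": "00000000-0000-0000-0000-000000000002", "userType": "Guest",
     "userPrincipalName": "pat_partner.example#EXT#@example.com",
     "mailNickname": "pat_partner.example#EXT#",
     "onPremisesSamAccountName": None, "displayName": "Pat (partner)",
     "mail": "pat@partner.example"},
]

def build_context_table(users):
    """Index each user under every identifier a log might carry (case-insensitive)."""
    table = {}
    for user in users:
        row = {attr: user.get(attr) for attr in CONTEXT_ATTRS}
        for key_attr in ("userPrincipalName", "mail", "onPremisesSamAccountName"):
            value = row[key_attr]
            if value:  # cloud-only accounts have no on-premises name
                table.setdefault(value.lower(), row)
    return table

def normalize_account(raw):
    """Reduce 'DOMAIN\\sam' (on-premises log style) or a UPN/mail to a lookup key."""
    return raw.rsplit("\\", 1)[-1].strip().lower()

def enrich(event, table, user_field="user"):
    """Return a copy of the event with user context attached, or marked unmatched."""
    row = table.get(normalize_account(event.get(user_field) or ""))
    enriched = dict(event)
    enriched["user_context"] = row           # None when no context row matched
    enriched["context_matched"] = row is not None
    return enriched

if __name__ == "__main__":
    table = build_context_table(DAILY_PULL)
    events = [  # constructed events; the "user" field name is an assumption
        {"source": "Office 365", "type": "App Login", "user": "AVega@Example.com"},
        {"source": "Windows", "type": "Auth Events", "user": "CORP\\avega"},
        {"source": "Azure", "type": "App Login", "user": "unknown@example.com"},
    ]
    for e in events:
        print(enrich(e, table))
```

Events that fail to match keep `context_matched` set to `False`, which makes accounts created since the last pull easy to count before deciding whether a manual pull is needed.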