Skip to main content

Context ManagementContext Management Administration Guide

Table of Contents

Built-In Threat Intelligence Context Tables

icon-built-in.png

The Context Management service includes the following built-in context tables that provide curated threat intelligence data:

  • Exabeam Threat Intelligence Domains – Collects data about known malicious domains.

  • Exabeam Threat Intelligence IPs – Collects data about known malicious IP addresses.

These context tables streamline the collection of threat intelligence data from ZeroFox or from the TOR open source network. These built-in context tables can contain as many records as the threat intelligence source provides.

The fact that these context tables are built-in means that their schemas are already defined. Data collection occurs automatically with no user action required to schedule or launch the collection. The predefined schemas ensure that the context tables that hold the collected threat intelligence data include all of the columns necessary to detect various categories of threat indicators.

Together, these context tables include data about IP addresses or domains that are known sources of malicious activity. Support for the following threat types is included:

  • Ransomware

  • Dropper

  • Loader

  • Installer

  • Trojan

  • RAT

  • Spyware

  • Stealer

  • Miner

  • Infostealer

  • Backdoor

  • Adware

  • Exploit

  • Banker

  • Metasploit

  • Macro

  • Botnet

  • Cobaltstrike

  • Keylogger

  • Bootkit

  • Cryptbot

  • Worm

  • Phishing

  • Pyinstaller

  • Downloader

  • C2

  • C2 Andromeda

  • C2 Nymaim

  • C2 Tinba

  • C2 Ranbyus

  • C2 Matsnu

  • TOR IP

View the Details Panel for a Built-in Context Table

In the Overview tab of the Context Management service, find a specific built-in context table and click the Options icon (icon-options.png) on the far right. Select Details. A panel opens on the right and displays the following information about the selected context table:

  • At the top of the panel, an overview is provided that includes the following information about the context table:

    • Context Table Type – The category of context data provided by the source.

    • Total Items – The number of records the context table contains.

    • Last Updated – How long ago records were fetched from the source.

  • Processing – Shows the number of records the context table processed in its last run, as well as how long ago the context table was last updated. The status indicates the state of the context table in the Context Management service.

  • Error Messages – Displays the most recent error messages that occurred either in the configuration or processing of the data in this context table on the Context Management side.

View Built-in Context Table Data

In the Overview tab of the Context Management service, click the name of a built-in context table to display the threat intelligence data the table contains. Depending on the selected table type, the table lists rows of specific domains or IP addresses. Built-in tables include the following columns with information about each domain or IP address:

  • Domain or IP Address – The domain or IP address for the data entity in a specific row.

  • IOC First Added – Date that the threat intelligence provider added a specific domain or IP address to their feed.

  • Metadata Last Updated – Indicates how long ago the threat intelligence provider updated or added new metadata to a specific domain or IP address. As a result, the tags associated with the domain or IP address might change. Changes can include the addition of a malware variant name, a threat actor group, or other relevant information.

  • IOC Last Detected – Indicates how long ago the domain or IP address entity was last detected by the threat intelligence provider.

  • First Added in Exabeam – Indicates how long ago a specific domain or IP address entity first appeared in Exabeam Context Management (was first polled from the threat intelligence provider).

  • Last Added in Exabeam – Indicates how long ago the domain or IP address entity was updated in Exabeam Context Management.

  • Threat Category – The type of threat the data entity represents.

Unlike other context tables, you cannot delete or configure the built-in context tables. You can, however, view the configured attributes of the table and interact with the threat intelligence data in the following ways:

  • Export as CSV – To export the the data from a context table, click icon-export.pngExport as CSV in the top right corner of the table. The context data is exported in a comma-separated value (CSV) format that can be downloaded. When the export is complete, you will receive a notification with a link to download the file to your local computer. The downloadable CSV file is available for seven days.

    export-notification.png

    Alternately, you can click the notifications icon (icon-notification.png) in the top right corner of any window in the Exabeam Security Operations Platform. The Your Notifications pane is displayed and you can find the download link in the notification there.

    Note

    The exported file contains all of the columns in the context table, including columns that are hidden in the display.

  • Filter by Domain or IP Address – Click the filter icon (icon-filter.png) in the Domain or IP Address column header, enter an exact name, and select Apply. The table is filtered to display only the domain or IP address that matches your search.

    To clear the filter, click the filter icon (icon-filter-on.png) and select Clear.

  • View Attributes – To view the values for all the attributes of a single domain or IP address, click anywhere in a specific row on the detail page. An Attributes panel opens on the right.