
Create an Active Directory Context Table

Before beginning this procedure, review the prerequisites.

To onboard an Active Directory context table:

  1. Log into the New-Scale Security Operations Platform with your registered credentials.

  2. Find the Security Management tab and click the Context Management tile.

  3. Navigate to the Context Library tab and click one of the Active Directory tiles. Options include the following:

    • Active Directory User – Creates a table with context information about users.

    • Active Directory Device – Creates a table with context information about network devices, such as computers or workstations.

      Note

      License Requirement for Device Context Tables

      Currently, device context data can only be accessed if you have the New-Scale Analytics license. Access to device data will be available to other licenses in the near future.

    When you select one of the above tiles, the Active Directory panel opens.

  4. In the Configuration section, complete the Definition step by entering the following information:

    • Context Table Name – Enter a name for the new Active Directory context table you're creating.

    • Active Directory Collector – In the Data Source section, choose a data source for your new context table. The drop-down menu displays a list of the Active Directory collectors that are currently configured and running in the Site Collectors service. From the list, select the collector from which your new context table will process user or device attribute data.

      If no Active Directory site collectors are listed, follow the instructions in the Site Collectors Guide to Set up a Windows Active Directory Collector.

    • nETBIOSName – Enter an Active Directory domain name that will help to uniquely identify individual users. This field is applicable only for user type tables.

      To retrieve the nETBIOSName, execute the following command from the PowerShell command line of your domain controller:

      Get-ADDomain -Identity <BaseDN>

      For the <BaseDN> value, use the DN value of the source collector you selected in the Active Directory Collector field.

      For more information, see the Microsoft Documentation.

      Note

      For an existing Active Directory context table that was created before a nETBIOSName value was required, this field will appear empty. You can view the existing context table data but cannot edit or update the table until you add a nETBIOSName value.

      To add a nETBIOSName value, run the following command from the PowerShell command line of your domain controller:

      Get-ADDomain -Identity <BaseDN>

      For the <BaseDN> value, use the DN value of the Site Collector that is the source of your context data. This source collector is listed in the Active Directory Collector field of the context table.

      When you've retrieved the nETBIOSName value, edit the existing Active Directory context table to add the value in the nETBIOSName field.

  5. Click Next.

  6. In the Review Attributes step, review the mapping of available Active Directory attributes to the target attributes in the new context table you are creating.

    The attribute mapping table has the following columns:

    • Visibility icon – Shows whether a specific attribute is visible as a column in the context table. Use the icon next to each attribute to toggle the display on or off.

    • Source Attribute – Shows a default set of attributes available from your Microsoft Active Directory. Some source attributes are listed simply as Calculated attribute. These are attributes that are calculated, either in format or in value. To view a description of an attribute and its calculation, hover over the Calculated attribute tag in the Source Attribute column.

    • Target Attribute – The Target Attributes column shows the Exabeam common information model attributes that are mapped to the Active Directory attributes in your context table. For easy-to-read tables of the default attribute mapping, see:

    • Key icon – Indicates that an attribute is designated as the key attribute for the context table. The designated key and its mapping cannot be changed.

    • Lock icon – Indicates that an attribute and its mapping cannot be changed.

    You can modify the mapping of Active Directory attributes that are not key or locked attributes in the following ways:

    • Add an attribute that is not mapped by default – At the top of the Source Attributes column, click Add New Attribute. Enter a custom attribute name and click the plus icon to add it to the column. It will be added with a custom icon to the left of the attribute name. In the corresponding row of the Target Attributes column, click Add Target Attributes to map the newly added custom attribute to a target (see the next bullet).

    • Add a target attribute – In the Target Attributes column click Add Target Attribute. Do one of the following to add a custom attribute:

      • Search for and select an existing target attribute to map it as the target.

      • Click Add Custom Attribute, enter a new attribute name, and click the plus icon to add it to the list of available target attributes. It will be added with a custom icon to the left of the attribute name. Then select the newly created custom attribute to map it as the target.

    • Remap an Active Directory attribute to a different target attribute – Hover over an attribute row where you want to change the mapping and click the delete icon to remove the currently mapped target attribute. Then click Add Target Attributes to map a different target (see the previous bullet).

  7. When you are satisfied with the attribute mapping, click Create to onboard the new Active Directory context table. A success message is displayed.

  8. Click Go to Overview to return to the Overview tab that lists all the context tables currently available. The new context table should appear in the list. When you open the table, it displays the user or device objects processed from the source Site Collector.
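
The nETBIOSName lookup from step 4, as an added PowerShell example that is not part of the original guide: it wraps Get-ADDomain in a helper (the function name and the sample DN are hypothetical) and returns the NetBIOSName together with the domain's DN and DNS root, so you can confirm the value belongs to the collector's domain before entering it. It assumes the ActiveDirectory module is installed and that the collector's base DN may be scoped below the domain root, in which case only its DC= components are passed to -Identity.

```powershell
# Added example, not from the vendor guide. Requires the ActiveDirectory module (RSAT).
function Get-ContextTableNetBiosName {
    [CmdletBinding()]
    param(
        # Base DN configured on the Active Directory collector.
        [Parameter(Mandatory)]
        [string]$BaseDN
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Assumption: the base DN may be scoped below the domain root (for example
    # to an OU). Keep only the DC= components so the value names the domain.
    # The split ignores commas escaped with a backslash inside an RDN value.
    $dcParts = $BaseDN -split '(?<!\\),' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^DC=' }

    if (-not $dcParts) {
        throw "No DC= components found in '$BaseDN'."
    }
    $domainDN = $dcParts -join ','

    # Fail loudly if the domain cannot be resolved instead of returning an empty value.
    $domain = Get-ADDomain -Identity $domainDN -ErrorAction Stop

    # NetBIOSName is the value for the nETBIOSName field; the other
    # properties let you confirm that the intended domain was queried.
    [pscustomobject]@{
        BaseDN      = $BaseDN
        DomainDN    = $domain.DistinguishedName
        DNSRoot     = $domain.DNSRoot
        NetBIOSName = $domain.NetBIOSName
    }
}

# Constructed sample value; replace it with your collector's base DN.
Get-ContextTableNetBiosName -BaseDN 'OU=Staff,DC=corp,DC=example,DC=com'
```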