- Introduction to Context Management
- Onboarding a Context Table
- Custom Context Tables
- Create a Custom Context Table by Importing a CSV File
- Create a Custom Context Table Using the Add Custom Option
- Working with Filtered Context Tables
- View and Interact with a Custom or Filtered Context Table
- View the Details Panel for a Custom or Filtered Context Table
- Edit the Configuration of Custom or Filtered Context Tables
- Active Directory Context Tables
- Prerequisites to Onboard an Active Directory Context Table
- Create an Active Directory Context Table
- View and Interact with an Active Directory Context Table
- View the Details Panel for an Active Directory Context Table
- Edit the Configuration of an Active Directory Context Table
- Default Active Directory Attribute Mapping
- Microsoft Entra ID Context Tables
- Prerequisites to Onboard a Microsoft Entra ID Context Table
- Create a Microsoft Entra ID Context Table
- View and Interact with a Microsoft Entra ID Context Table
- View the Details Panel for a Microsoft Entra ID Context Table
- Edit the Configuration of a Microsoft Entra ID Context Table
- Default Microsoft Entra ID Attribute Mapping
- Okta Context Tables
- Custom Context Tables
- Add Data to an Existing Context Table
- Using Context Data in Downstream Applications
- Built-In Threat Intelligence Context Tables
- Context Management APIs
- Troubleshooting Context Management
Default Active Directory Attribute Mapping
When an Active Directory context table is onboarded, it processes a predetermined set of user attributes that are collected from a Microsoft Active Directory server. This set of attributes is mapped to a set of Exabeam target attributes that are compliant with a common user information model. This model defines a standardized user object for security content across Exabeam products.
The table below lists the predetermined set of source Active Directory attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:
* (asterisk) – Indicates attributes that are selected for display by default when onboarding an Active Directory context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon (
).(Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.
(Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.
Active Directory Source Attribute | Exabeam Target Attribute | Example | Description |
|---|---|---|---|
userAccountCountrol | Access Status (Calculated) |
| A hexadecimal field that indicates the status of the user's account. Calculated by mapping the status of a user account to one of the following Exabeam status values:
|
accountExpires | Account Expires |
| Date when the account expires, based on the password policy of the Active Directory server. |
mailNickname | Alias |
| An email alias that represents a user in a Microsoft Exchange organization. |
l | City Name |
| A locality, such as a town or city, in a user's address. |
CN | Common Name |
| Common name attached to the user object. |
co | Country |
| Country or region where the user is located. |
department | Department* |
| Name of the department in which the user works. |
departmentNumber | Department Number |
| A number used to identify a department within an organization. |
directReports | Direct Reports (Calculated) |
| List of users who report directly to a user. Listed users all have their Calculated by extracting a list of CN values from the DN strings of |
displayName | Display Name* |
| The name displayed in the address book for a user. This attribute is usually represented by a combination of first name, middle initial, and last name. |
dn | Distinguished Name |
| The name that uniquely identifies a user object, in an organization structure, within the Active Directory. For a glossary of terms, see the Microsoft Documentation Reference |
division | Division |
| A user division. |
dn | Domain FQDN (Calculated) |
| A fully qualified domain name. Calculated by extracting a list of DC values from the This is a calculated field that cannot be mapped to a different source attribute. |
proxyAddresses, mail | Email Addresses (Calculated) |
The above examples are based on a concatenated list from the Attribute Values:
| A string value that lists a set of email addresses associated with a user. Calculated by extracting values from the NoteFrom In the UI, the resulting list is concatenated using colons (:). It is a calculated field and not modifiable. |
employeeID | Employee ID |
| Code that identifies an employee of a business. |
employeeNumber | Employee Number |
| Number assigned to an employee, other than the Employee ID. |
employeeType | Employee Type* |
| An employment category for an employee. |
givenName | First Name |
| The given first name of an employee. |
displayNamePrintable | Full Name |
| The printable display name for a user. This attribute is usually represented by a combination of first name, middle initial, and last name. |
memberOf | Group Name (Calculated) |
| Groups to which a user belongs (not including the user's primary group). Calculated by extracting a list of the CN values from the DN strings of the |
objectGUID | ID (Primary Key) (Calculated) |
| The unique identifier for a user object. This field is the key attribute and cannot be remapped. Calculated based on the objectGUID attribute. |
sn | Last Name |
| The user's surname (family name or last name). |
manager | Manager (Calculated) |
| The manager to whom a user reports. The user's name will be listed in the Calculated by extracting the CN value from the DN string of the |
mobile | Mobile Number |
| The mobile phone number for a user. |
objectSid | Object Sid (Calculated) |
| A unique security identifier for an object. Calculated based on a binary value that specifies a unique security identifier for the object. |
dn | Organizational Unit (Calculated) |
| Organizations to which a user belongs. Calculated by extracting a list of OU values from the DN attribute. Concatenated with colons (:). This is a calculated field that cannot be mapped to a different source attribute. |
operatingSystem | Operating System |
| The user's operating system. |
telephoneNumber | Phone Number |
| The primary work phone number for a user. |
userPrincipalName | Primary Login* (Email Format) | An email-formatted identifier for a user, based on standard RFC 822. | |
sAMAccountName | Primary User Name |
| A primary user name, commonly used for login purposes. (Does not include the domain.) |
thumbnailPhoto | Thumbnail Photo |
| Can be used to store a user's photo as binary data. Some applications use this photo as the user's avatar or account photo. |
title | Title* |
| A user's formal job title (not an occupation category). |
whenChanged | When Changed |
| The date that the user object was last changed. |
* Attribute is selected for display by default.