Default Device Attribute Mapping for Active Directory
When an Active Directory context table of type Device is onboarded, it processes a predetermined set of device attributes collected from a Microsoft Active Directory server. These attributes are mapped to a set of Exabeam target attributes that comply with a common device information model. This model defines a standardized device object for security content across Exabeam products.
Note
License Requirement for Device Context Tables
Currently, device context data can only be accessed if you have the New-Scale Analytics license. Access to device data will be available to other licenses in the near future.
The table below lists the predetermined set of source Active Directory attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:
* (asterisk) – Indicates attributes that are selected for display by default when onboarding an Active Directory context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon.
(Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.
(Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.
Active Directory Source Attribute | Exabeam Target Attribute | Example | Description |
---|---|---|---|
netbootGUID + netbootMachineFilePath | Boot Path (Calculated) | | If the value of This is a calculated field that cannot be mapped to a different source attribute. |
whenCreated | Created Time | | The date and time when the device was created. |
description | Description | | A description for the device. |
dn | Domain FQDN (Calculated) | | A fully qualified domain name. Calculated by extracting a list of DC values from the This is a calculated field that cannot be mapped to a different source attribute. |
enabled | Enabled (Calculated) | | Indicates whether the device is enabled. True = enabled. False = disabled. Calculated based on the |
memberOf | Group Name (Calculated) | | Groups to which a device belongs. Calculated by extracting a list of the CN values from the DN strings of the |
dNSHostName | Hostname* | | The name of the device. |
objectGUID | ID (Primary Key) (Calculated) | | The unique identifier for a device. This field is the key attribute and cannot be remapped. Calculated based on the |
networkAddress | IP Addresses (v4/v6)* | 135.1.157.231, 2001:db8:0:1234:0:567:8:1 | A list of IP addresses for the device. Can include IPv4, IPv6, and external or local addresses. |
lastLogonTimestamp | Last Seen | | The date and time the device was last active in the network. |
location | Location | Engg Lab 301 | The manually-entered, physical location for the device, not based on a geographic location. |
whenChanged | Modified Time | | The date and time when the device was last changed. |
operatingSystem | Operating System* | | The operating system of the device. |
operatingSystemVersion | Operating System Version | | The version of the device's operating system. |
dn | Organizational Unit (Calculated) | | Organizations to which a device belongs. Calculated by extracting a list of OU values from the DN attribute. Concatenated with colons (:). This is a calculated field that cannot be mapped to a different source attribute. |
managedBy | Owned By (Calculated) | | The user that is assigned to manage the device. Calculated by extracting the CN value from the DN string of the This is a calculated field that cannot be mapped to a different source attribute. |
userAccountControl | Purpose (Calculated) | | A hexadecimal field that indicates the role of the device. Calculated by mapping the device role from the hexadecimal field. A value is assigned only if the device is a domain controller. Otherwise the value is empty. This is a calculated field that cannot be mapped to a different source attribute. |
* Attribute is selected for display by default.
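
The DN-based calculated attributes in the table (Domain FQDN, Organizational Unit, Group Name, Owned By) and the Purpose flag can be reproduced offline to sanity-check what a context table should contain for a given computer object. The following is an added example, not Exabeam code: the function names, the OU ordering (DN order), the "Domain Controller" label, and the sample record are assumptions, and the parser handles backslash-escaped commas so that names such as `Smith\, Jane` are not split.

```python
import re
SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit set on domain controllers

def split_dn(dn):
    """Split a DN into (TYPE, value) pairs, honouring backslash escapes."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":                # an unescaped comma ends an RDN
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        key, _, val = rdn.strip().partition("=")
        val = re.sub(r"\\([0-9A-Fa-f]{2}|.)",   # \2C or \, -> literal character
                     lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2
                     else m.group(1), val)
        pairs.append((key.upper(), val))
    return pairs

def values(dn, rdn_type):
    return [v for k, v in split_dn(dn) if k == rdn_type]

def derive(device):
    """Build calculated target attributes from raw AD attributes (assumed logic)."""
    uac = int(device["userAccountControl"])
    return {
        "Domain FQDN": ".".join(values(device["dn"], "DC")),
        "Organizational Unit": ":".join(values(device["dn"], "OU")),
        "Group Name": [(values(g, "CN") or [""])[0] for g in device.get("memberOf", [])],
        "Owned By": (values(device.get("managedBy", ""), "CN") or [""])[0],
        # Assumed label; the page only says the value is empty for non-DCs.
        "Purpose": "Domain Controller" if uac & SERVER_TRUST_ACCOUNT else "",
    }

# Constructed sample record (not real data).
SAMPLE = {
    "dn": "CN=LAB-DC01,OU=Domain Controllers,OU=Engg,DC=corp,DC=example,DC=com",
    "memberOf": ["CN=Tier0\\, Servers,OU=Groups,DC=corp,DC=example,DC=com"],
    "managedBy": "CN=Smith\\, Jane,OU=Admins,DC=corp,DC=example,DC=com",
    "userAccountControl": "532480",
}
```

Comparing `derive(SAMPLE)` with the onboarded row for the same device shows quickly whether an escaped comma or an unexpected `userAccountControl` value produced a wrong group, owner, or role in the context table.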