Skip to main content

Context ManagementContext Management Administration Guide

Default Device Attribute Mapping for Active Directory

When an Active Directory context table is onboarded, of type Device, it processes a predetermined set of device attributes that are collected from a Microsoft Active Directory server. This set of attributes is mapped to a set of Exabeam target attributes that are compliant with a common device information model. This model defines a standardized device object for security content across Exabeam products.

Note

License Requirement for Device Context Tables

Currently, device context data can only be accessed if you have the New-Scale Analytics license. Access to device data will be available to other licenses in the near future.

The table below lists the predetermined set of source Active Directory attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:

  • * (asterisk) – Indicates attributes that are selected for display by default when onboarding an Active Directory context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon (icon-visible.png).

  • (Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.

  • (Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.

Active Directory Source Attribute

Exabeam Target Attribute

Example

Description

netbootGUID + netbootMachineFilePath

Boot Path

(Calculated)

{4C4C4544-0038-4610-8042-B9C04F544331}\server.domain\ RemoteBoot\computer\startrom.com

If the value of netbootInitialization is netboot, this attribute value is a concatenation of netbootGUID + netbootMachineFilePath.

This is a calculated field that cannot be mapped to a different source attribute.

whenCreated

Created Time

1970-01-19T19:41:27

The date and time when the device was created.

description

Description

Computer123ABC

A description for the device.

dn

Domain FQDN

(Calculated)

corp.acmecorp.com

A fully qualified domain name.

Calculated by extracting a list of DC values from the Distinguished Name attribute. The list is concatenated using periods (.) between values.

This is a calculated field that cannot be mapped to a different source attribute.

enabled

Enabled

(Calculated)

True

Indicates whether the device is enabled. True = enabled. False = disabled.

Calculated based on the userAccountControl attribute.

memberOf

Group Name

(Calculated)

Cert Publishers:Users:Pre-Windows 2000 Compatible Access:Builtin

Groups to which a device belongs.

Calculated by extracting a list of the CN values from the DN strings of the Group Name attribute. Concatenated with colons (:).

dNSHostName

Hostname*

ad.ad.acme.com

The name of the device.

objectGUID

ID

(Primary Key)

(Calculated)

04f4c719-5e5b-4ee0-90bf-6f167f24132e

The unique identifier for a device. This field is the key attribute and cannot be remapped.

Calculated based on the objectGUID attribute.

networkAddress

IP Addresses (v4/v6)*

135.1.157.231,

2001:db8:0:1234:0:567:8:1

A list of IP addresses for the device. Can include IPv4, IPv6, and external or local addresses.

lastLogonTimestamp

Last Seen

1970-01-19T19:41:27Z

The date and time the device was last active in the network.

location

Location

Engg Lab 301

The manually-entered, physical location for the device, not based on a geographic location.

whenChanged

Modified Time

1970-01-19T19:41:27Z

The date and time when the device was last changed.

operatingSystem

Operating System*

Windows Server 2019 Datacenter

The operating system of the device.

operatingSystemVersion

Operating System Version

10.0 (17763)

The version of the device's operating system.

dn

Organizational Unit

(Calculated)

Application Platform:Engineering

Organizations to which a device belongs.

Calculated by extracting a list of OU values from the DN attribute. Concatenated with colons (:).

This is a calculated field that cannot be mapped to a different source attribute.

managedBy

Owned By

(Calculated)

Jim Smith

The user that is assigned to manage the device.

Calculated by extracting the CN value from the DN string of the managedBy attribute.

This is a calculated field that cannot be mapped to a different source attribute.

userAccountControl

Purpose

(Calculated)

Domain Controller

A hexadecimal field that indicates the role of the device.

Calculated by mapping the device role from the hexadecimal field. A value is assigned only if the device is a domain controller. Otherwise the value is empty.

This is a calculated field that cannot be mapped to a different source attribute.

* Attribute is selected for display by default.