Default Domain Attribute Mapping for Anomali
When an Anomali context table of type Domain is onboarded, it processes a predetermined set of domain attributes collected from an external threat intelligence source. These attributes are mapped to a set of Exabeam target attributes that comply with a common information model. This model defines standardized security content across Exabeam products.
The table below lists the predetermined set of source Anomali attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:
- \* (asterisk) – Indicates attributes that are selected for display by default when onboarding an Anomali context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon.
- (Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.
- (Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.
Anomali Source Attribute | Exabeam Target Attribute | Example | Description |
---|---|---|---|
confidence | Confidence* | | A numerical value from 0 to 99 that indicates the amount of potential risk associated with a specific threat intelligence indicator of compromise. |
created | Created Time* | | The date that the threat intelligence provider added the threat to their feed. |
description | Description* | | Information that describes the threat intelligence indicator of compromise. |
pattern | Domain* (Primary Key) | | The domain for a specific data entity. |
(calculated) | First Added in Exabeam (Calculated) | | This is a calculated field. |
labels | Labels* | | Label for the threat intelligence indicator of compromise. This label can contain any additional information the vendor chooses to provide. |
(calculated) | Last Added in Exabeam (Calculated) | | This is a calculated field. |
modified | Modified Time* | | The date and time the threat intelligence provider last updated the threat. |
indicator_types | Threat Category* | | The threat category of the threat intelligence indicator of compromise. |
valid_from | Valid From* | | The date and time from which the indicator of compromise is valid. |
valid_until | Valid Until* | 2025-03-20T19:49:39.023000000Z | The date and time until which the indicator of compromise is valid. |
* Attribute is selected for display by default.
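
The following Python sketch is an added example, not Exabeam or Anomali code. It projects a source record onto the target attribute names from the table above, parses the nine-digit fractional timestamps shown in the Example column, and checks whether an indicator is still inside its validity window before it is used for matching. It assumes the source `pattern` value is a single STIX-style domain comparison, which this page does not state; the sample record and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Source -> target names, copied from the mapping table on this page.
MAPPING = {"confidence": "Confidence", "created": "Created Time",
           "description": "Description", "pattern": "Domain", "labels": "Labels",
           "modified": "Modified Time", "indicator_types": "Threat Category",
           "valid_from": "Valid From", "valid_until": "Valid Until"}
TIME_FIELDS = {"created", "modified", "valid_from", "valid_until"}
# Assumption: pattern looks like [domain-name:value = 'host.example'].
DOMAIN_RE = re.compile(r"\[\s*domain-name:value\s*=\s*'([^']+)'\s*\]")
TS_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")

def parse_ts(value):
    """Parse a UTC timestamp; digits beyond microseconds are truncated."""
    m = TS_RE.fullmatch(value)
    if not m:
        raise ValueError(f"unsupported timestamp: {value!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)

def map_record(src):
    """Project a source record onto the target attribute names."""
    out = {}
    for key, target in MAPPING.items():
        if key not in src:
            continue
        value = src[key]
        if key in TIME_FIELDS:
            value = parse_ts(value)
        elif key == "pattern":
            m = DOMAIN_RE.fullmatch(value.strip())
            if not m:
                raise ValueError("pattern is not a single domain comparison")
            value = m.group(1).lower()  # normalise the key; DNS names ignore case
        out[target] = value
    if "Domain" not in out:  # the primary key must always be present
        raise ValueError("primary key (Domain) missing")
    return out

def is_active(row, now):
    """True when `now` falls inside the Valid From / Valid Until window."""
    start, end = row.get("Valid From"), row.get("Valid Until")
    return (start is None or start <= now) and (end is None or now < end)

# Constructed sample record; only the valid_until value appears on this page.
SAMPLE = {"pattern": "[domain-name:value = 'Login.Example.TEST']", "confidence": 85,
          "valid_from": "2025-02-18T19:49:39.023000000Z",
          "valid_until": "2025-03-20T19:49:39.023000000Z"}
```

Calling `is_active(map_record(SAMPLE), datetime.now(timezone.utc))` before matching keeps expired indicators from generating alerts.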