- Introduction to Context Management
- Onboarding a Context Table
- Custom Context Tables
- Create a Custom Context Table by Importing a CSV File
- Create a Custom Context Table Using the Add Custom Option
- Working with Filtered Context Tables
- View and Interact with a Custom or Filtered Context Table
- View the Details Panel for a Custom or Filtered Context Table
- Edit the Configuration of Custom or Filtered Context Tables
- Active Directory Context Tables
- Prerequisites to Onboard an Active Directory Context Table
- Create an Active Directory Context Table
- View and Interact with an Active Directory Context Table
- View the Details Panel for an Active Directory Context Table
- Edit the Configuration of an Active Directory Context Table
- Default User Attribute Mapping for Active Directory
- Default Device Attribute Mapping for Active Directory
- Anomali Context Tables
- Prerequisites to Onboard an Anomali Context Table
- Create an Anomali Context Table
- View and Interact with an Anomali Context Table
- View the Details Panel for an Anomali Context Table
- Edit the Configuration of an Anomali Context Table
- Default IP Attribute Mapping for Anomali
- Default Domain Attribute Mapping for Anomali
- CrowdStrike Context Tables
- Microsoft Entra ID Context Tables
- Prerequisites to Onboard a Microsoft Entra ID Context Table
- Create a Microsoft Entra ID Context Table
- View and Interact with a Microsoft Entra ID Context Table
- View the Details Panel for a Microsoft Entra ID Context Table
- Edit the Configuration of a Microsoft Entra ID Context Table
- Default User Attribute Mapping for Microsoft Entra ID
- Default Device Attribute Mapping for Microsoft Entra ID
- Okta Context Tables
- Recorded Future Context Tables
- Prerequisites to Onboard a Recorded Future Context Table
- Create a Recorded Future Context Table
- View and Interact with a Recorded Future Context Table
- View the Details Panel for a Recorded Future Context Table
- Edit the Configuration of a Recorded Future Context Table
- Default IP Attribute Mapping for Recorded Future
- Default Domain Attribute Mapping for Recorded Future
- STIX/TAXII Context Tables
- Prerequisites to Onboard a STIX/TAXII Context Table
- Create a STIX/TAXII Context Table
- View and Interact with a STIX/TAXII Context Table
- View the Details Panel for a STIX/TAXII Context Table
- Edit the Configuration of a STIX/TAXII Context Table
- Default IP Attribute Mapping for STIX/TAXII
- Default Domain Attribute Mapping for STIX/TAXII
- Custom Context Tables
- Add Data to an Existing Context Table
- Using Context Data in Downstream Applications
- Pre-Built Context Tables
- Context Management APIs
- Troubleshooting Context Management
Default Domain Attribute Mapping for Anomali
When an Anomali context table is onboarded, of type Domain, it processes a predetermined set of domain attributes that are collected from an external threat intelligence source. These attributes are mapped to a set of Exabeam target attributes that are compliant with a common information model. This model defines a standardized security content across Exabeam products.
The table below lists the predetermined set of source Anomali attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:
* (asterisk) – Indicates attributes that are selected for display by default when onboarding an Anomali context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon (
).(Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.
(Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.
Anomali Source Attribute | Exabeam Target Attribute | Example | Description |
|---|---|---|---|
confidence | Confidence* |
| A numerical value from 0 to 99 that indicates the amount of potential risk associated with a specific threat intelligence indicator of compromise. |
created | Created Time* |
| The date that the threat intelligence provider added the threat to their feed. |
description | Description* |
| Information that describes the threat intelligence indicator of compromise. |
pattern | Domain* (Primary Key) |
| The domain for a specific data entity. |
(calculated) | First Added in Exabeam (Calculated) |
| This is a calculated field. |
labels | Labels* |
| Label for the threat intelligence indicator of compromise. This label can contain any additional information the vendor chooses to provide. |
(calculated) | Last Added in Exabeam (Calculated) |
| This is a calculated field. |
modified | Modified Time* |
| The date and time the threat intelligence provider last updated the threat. |
indicator_types | Threat Category* |
| The threat category of the threat intelligence indicator of compromise. |
valid_from | Valid From* |
| The date and time from which the indicator of compromise is valid. |
valid_until | Valid Until* | 2025-03-20T19:49:39.023000000Z | The date and time until which the indicator of compromise is valid. |
* Attribute is selected for display by default.