- Introduction to Context Management
- Onboarding a Context Table
- Custom Context Tables
- Create a Custom Context Table by Importing a CSV File
- Create a Custom Context Table Using the Add Custom Option
- Working with Filtered Context Tables
- View and Interact with a Custom or Filtered Context Table
- View the Details Panel for a Custom or Filtered Context Table
- Edit the Configuration of Custom or Filtered Context Tables
- Active Directory Context Tables
- Prerequisites to Onboard an Active Directory Context Table
- Create an Active Directory Context Table
- View and Interact with an Active Directory Context Table
- View the Details Panel for an Active Directory Context Table
- Edit the Configuration of an Active Directory Context Table
- Default User Attribute Mapping for Active Directory
- Default Device Attribute Mapping for Active Directory
- Anomali Context Tables
- Prerequisites to Onboard an Anomali Context Table
- Create an Anomali Context Table
- View and Interact with an Anomali Context Table
- View the Details Panel for an Anomali Context Table
- Edit the Configuration of an Anomali Context Table
- Default IP Attribute Mapping for Anomali
- Default Domain Attribute Mapping for Anomali
- CrowdStrike Context Tables
- Microsoft Entra ID Context Tables
- Prerequisites to Onboard a Microsoft Entra ID Context Table
- Create a Microsoft Entra ID Context Table
- View and Interact with a Microsoft Entra ID Context Table
- View the Details Panel for a Microsoft Entra ID Context Table
- Edit the Configuration of a Microsoft Entra ID Context Table
- Default User Attribute Mapping for Microsoft Entra ID
- Default Device Attribute Mapping for Microsoft Entra ID
- Okta Context Tables
- Recorded Future Context Tables
- Prerequisites to Onboard a Recorded Future Context Table
- Create a Recorded Future Context Table
- View and Interact with a Recorded Future Context Table
- View the Details Panel for a Recorded Future Context Table
- Edit the Configuration of a Recorded Future Context Table
- Default IP Attribute Mapping for Recorded Future
- Default Domain Attribute Mapping for Recorded Future
- STIX/TAXII Context Tables
- Prerequisites to Onboard a STIX/TAXII Context Table
- Create a STIX/TAXII Context Table
- View and Interact with a STIX/TAXII Context Table
- View the Details Panel for a STIX/TAXII Context Table
- Edit the Configuration of a STIX/TAXII Context Table
- Default IP Attribute Mapping for STIX/TAXII
- Default Domain Attribute Mapping for STIX/TAXII
- Custom Context Tables
- Add Data to an Existing Context Table
- Using Context Data in Downstream Applications
- Pre-Built Context Tables
- Context Management APIs
- Troubleshooting Context Management
CrowdStrike Context Tables
The CrowdStrike option is designed to streamline the process of creating a new CrowdStrike device context table. When a CrowdStrike context table is onboarded, it processes device attributes from a CrowdStrike source. These attributes can be mapped to Exabeam target attributes.
By default, CrowdStrike tables map a set of specific device attributes that are compliant with the Exabeam common information model. This model defines standardized device objects for security content across Exabeam products.
Tip
Only one CrowdStrike context table can be created per Exabeam subscription. The name of the CrowdStrike context table is fixed and cannot be changed because it supports the following downstream enrichment rules:
CrowdStrike asset ID to Source Host Lookup
CrowdStrikeNetwork Connection Assets in
CrowdStrikeNetwork Connection Assets Out
CrowdStrike asset ID to User Lookup
The CrowdStrike device option is available on the Context Library tab. If you want the CrowdStrike table to populate automatically with device data from a CrowdStrike source, you must onboard the CrowdStrike context table in one of the following ways:
Via the Exabeam Ingester for CrowdStrike – You can use the ingester add-on license to ingest the data directly from your CrowdStrike source. Make sure that you have both the New-Scale Analytics Exabeam license and the Ingester for CrowdStrike add-on. Data will be ingested directly from your CrowdStrike source and will be available for processing in a Context Management table. For more information about add-on licenses, see Add Ons in the Exabeam Security Operations Platform Guide.
Via Cloud Collector – You can create a CrowdStrike Context cloud collector that will ingest the data from your CrowdStrike source and make it available for processing in a Context Management table. For information about creating the cloud collector, see CrowdStrike Context Cloud Collector in the Cloud Collectors Administration Guide.
Note
If you want to use the cloud collector option to ingest CrowdStrike data, the collector must be created before the context table. If you previously onboarded a CrowdStrike context table and you want to integrate with the cloud collector, you must delete the context table and recreate it after the CrowdStrike cloud collector is created and running.
If you do not want the CrowdStrike table to populate automatically when you create it in the Context Management service, you can populate it with data manually or via CSV file.
For more information, see the following sections: