- Introduction to Context Management
- Onboarding a Context Table
- Custom Context Tables
- Create a Custom Context Table by Importing a CSV File
- Create a Custom Context Table Using the Add Custom Option
- Working with Filtered Context Tables
- View and Interact with a Custom or Filtered Context Table
- View the Details Panel for a Custom or Filtered Context Table
- Edit the Configuration of Custom or Filtered Context Tables
- Active Directory Context Tables
- Prerequisites to Onboard an Active Directory Context Table
- Create an Active Directory Context Table
- View and Interact with an Active Directory Context Table
- View the Details Panel for an Active Directory Context Table
- Edit the Configuration of an Active Directory Context Table
- Default User Attribute Mapping for Active Directory
- Default Device Attribute Mapping for Active Directory
- CrowdStrike Context Tables
- Microsoft Entra ID Context Tables
- Prerequisites to Onboard a Microsoft Entra ID Context Table
- Create a Microsoft Entra ID Context Table
- View and Interact with a Microsoft Entra ID Context Table
- View the Details Panel for a Microsoft Entra ID Context Table
- Edit the Configuration of a Microsoft Entra ID Context Table
- Default User Attribute Mapping for Microsoft Entra ID
- Default Device Attribute Mapping for Microsoft Entra ID
- Okta Context Tables
- Recorded Future Context Tables
- Prerequisites to Onboard a Recorded Future Context Table
- Create a Recorded Future Context Table
- View and Interact with a Recorded Future Context Table
- View the Details Panel for a Recorded Future Context Table
- Edit the Configuration of a Recorded Future Context Table
- Default IP Attribute Mapping for Recorded Future
- Default Domain Attribute Mapping for Recorded Future
- STIX/TAXII Context Tables
- Prerequisites to Onboard a STIX/TAXII Context Table
- Create a STIX/TAXII Context Table
- View and Interact with a STIX/TAXII Context Table
- View the Details Panel for a STIX/TAXII Context Table
- Edit the Configuration of a STIX/TAXII Context Table
- Default IP Attribute Mapping for STIX/TAXII
- Default Domain Attribute Mapping for STIX/TAXII
- Custom Context Tables
- Add Data to an Existing Context Table
- Using Context Data in Downstream Applications
- Pre-Built Context Tables
- Context Management APIs
- Troubleshooting Context Management
CrowdStrike Context Tables
The CrowdStrike option is designed to streamline the process of creating a new CrowdStrike device context table. When a CrowdStrike context table is onboarded, it processes device attributes from a CrowdStrike source. These attributes can be mapped to Exabeam target attributes.
By default, CrowdStrike tables map a set of specific device attributes that are compliant with the Exabeam common information model. This model defines standardized device objects for security content across Exabeam products.
Tip
Only one CrowdStrike context table can be created per Exabeam subscription. The name of the CrowdStrike context table is fixed and cannot be changed because it supports the following downstream enrichment rules:
CrowdStrike asset ID to Source Host Lookup
CrowdStrikeNetwork Connection Assets in
CrowdStrikeNetwork Connection Assets Out
CrowdStrike asset ID to User Lookup
The CrowdStrike device option is available on the Context Library tab. If you want the CrowdStrike table to populate automatically with device data from a CrowdStrike source, you must onboard the CrowdStrike context table in one of the following ways:
Via the Exabeam Ingester for CrowdStrike – You can use the ingester add-on license to ingest the data directly from your CrowdStrike source and make it available for processing in a Context Management table.
Via Cloud Collector – You can create a CrowdStrike Context cloud collector that will ingest the data from your CrowdStrike source and make it available for processing in a Context Management table.
Note
Early Release Program
Onboarding a CrowdStrike context table via a cloud collector is a part of an early access program that offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program, in the Cloud Collectors Administration Guide.
If you do not want the CrowdStrike table to populate automatically when you create it in the Context Management service, you can populate it with data manually or via CSV file.
For more information, see the following sections: