CrowdStrike Context Tables

The CrowdStrike option is designed to streamline the process of creating a new CrowdStrike device context table. When a CrowdStrike context table is onboarded, it processes device attributes from a CrowdStrike source. These attributes can be mapped to Exabeam target attributes.

By default, CrowdStrike tables map a set of specific device attributes that are compliant with the Exabeam common information model. This model defines standardized device objects for security content across Exabeam products.

Tip

Only one CrowdStrike context table can be created per Exabeam subscription. The name of the CrowdStrike context table is fixed and cannot be changed because it supports the following downstream enrichment rules:

  • CrowdStrike asset ID to Source Host Lookup

  • CrowdStrikeNetwork Connection Assets in

  • CrowdStrikeNetwork Connection Assets Out

  • CrowdStrike asset ID to User Lookup

The CrowdStrike device option is available on the Context Library tab. If you want the CrowdStrike table to populate automatically with device data from a CrowdStrike source, you must onboard the CrowdStrike context table in one of the following ways:

  • Via the Exabeam Ingester for CrowdStrike – You can use the ingester add-on license to ingest the data directly from your CrowdStrike source and make it available for processing in a Context Management table.

  • Via Cloud Collector – You can create a CrowdStrike Context cloud collector that will ingest the data from your CrowdStrike source and make it available for processing in a Context Management table.

    Note

    Early Release Program

    Onboarding a CrowdStrike context table via a cloud collector is part of an early access program that gives you access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program, in the Cloud Collectors Administration Guide.

If you do not want the CrowdStrike table to populate automatically when you create it in the Context Management service, you can populate it with data manually or via a CSV file.

For more information, see the following sections: