
Default Device Attribute Mapping for CrowdStrike

When a CrowdStrike device context table is onboarded, it processes a predetermined set of device attributes that are collected from a CrowdStrike source. This set of attributes is mapped to a set of Exabeam target attributes that are compliant with a common device information model. This model defines a standardized device object for security content across Exabeam products.

The table below lists the predetermined set of source CrowdStrike attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:

  • * (asterisk) – Indicates attributes that are selected for display by default when onboarding a CrowdStrike context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon.

  • (Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.

  • (Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.

| CrowdStrike Source Attribute | Exabeam Target Attribute | Example | Description |
|---|---|---|---|
| first_seen | Created Time* | 1970-01-19T19:41:27 | The date and time when the device was created. |
| chassis_type_desc | Device Type | Laptop | The physical type of the device, such as VM, desktop, or printer. |
| groups | Group Name* | group1, group2 | Groups to which a device belongs. |
| hostname | Hostname* | ad.ad.acme.com | The name of the device. |
| device_id | ID* (Primary Key) | 0037989aec5749c0bfc26f11fb1901XX | The unique identifier for a device. This field is the key attribute. |
| external_ip, local_ip | IP Addresses (v4/v6)* | 135.1.157.231, 2001:db8:0:1234:0:567:8:1 | A list of IP addresses for the device. Can include IPv4, IPv6, and external or local addresses. |
| last_seen | Last Seen* | 1970-01-19T19:41:27Z | The date and time the device was last active in the network. |
| mac_address | MAC Address* | 01:23:45:67:89:AB | A MAC address for the device. |
| modified_timestamp | Modified Time* | 1970-01-19T19:41:27Z | The date and time when the device was last changed. |
| platform_name | Operating System* | Windows Server 2019 Datacenter | The operating system of the device. |
| os_version | Operating System Version* | 10.0 (17763) | The version of the device's operating system. |
| os_build | Patch Version* | 9600 | The latest patch version installed on the device. |
| product_type_desc | Purpose* | Workstation | Indicates the role of the device. |
| tags | Tags* | my-custom-tag-1, my-custom-tag-2 | Manually-entered tags that can represent user-defined fields. |