Prerequisites to Automatically Populate a CrowdStrike Context Table
Before data can automatically populate a CrowdStrike context table in the Context Management service, you must ensure that the following prerequisites are met:
Note: If you plan to enter data into the CrowdStrike context table manually or via CSV, these prerequisites are not required.
You have completed one of the following requirements, depending on how you plan to ingest CrowdStrike data:
- Via the Exabeam Ingester for CrowdStrike – Make sure that your Exabeam license includes the Exabeam Ingester for CrowdStrike add-on. It ingests data directly from your CrowdStrike source and makes it available for processing in a Context Management table. This add-on is available for all Exabeam licenses. For more information about add-on licenses, see Add Ons in the Exabeam Security Operations Platform Guide.
- Via a Cloud Collector – If you do not have the ingester add-on as part of your license, you can create a CrowdStrike Context cloud collector in the Cloud Collector service. It ingests data from your CrowdStrike source and makes it available for processing in a Context Management table. For information about creating a new cloud collector, follow the steps in the CrowdStrike Context Cloud Collector section of the Cloud Collector Administrative Guide.
  Note (Early Access Program): Onboarding a CrowdStrike context table via a cloud collector is part of an early access program that offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program in the Cloud Collectors Administration Guide.
If you opt to ingest CrowdStrike data via the Exabeam Ingester, ensure that in your CrowdStrike Store, you have configured Exabeam Analytics for CrowdStrike.
If you opt to ingest CrowdStrike data via a cloud collector, and you want to leverage the full enrichment effects from your CrowdStrike data, you must also do the following to configure the appropriate enrichment rules in Log Stream:
1. Copy the configuration file contents found on the following page and save them as a .conf file: Enrichment Rules for CrowdStrike
2. Open the Log Stream application and import the saved .conf file as follows:
   a. In Log Stream, click the Enrichments tab at the top of the page.
   b. In the middle of the Enrichments page, click the Import button. The Import Enricher dialog box opens.
   c. Click Select File and then find and select the saved .conf file.
   d. Click Import Enricher. When asked if you want to enable the custom enrichers, click OK. The .conf file is imported into Log Stream and the following new enrichment rules are listed as custom rules:
      - CrowdStrike asset ID to Source Host Lookup
      - CrowdStrikeNetwork Connection Assets in
      - CrowdStrikeNetwork Connection Assets Out
      - CrowdStrike asset ID to User Lookup
If you want to leverage CrowdStrike data enrichments in Log Stream, but you have an Exabeam license other than the New-Scale Analytics license, you must sign up for the Log Stream Enrichments early access program. To sign up for this program, email the following Exabeam group to request access: [email protected]. For more information about working with enrichment rules, see Enrichments in the Log Stream Guide.