- Introduction to Context Management
- Onboarding a Context Table
- Custom Context Tables
- Create a Custom Context Table by Importing a CSV File
- Create a Custom Context Table Using the Add Custom Option
- Working with Filtered Context Tables
- View and Interact with a Custom or Filtered Context Table
- View the Details Panel for a Custom or Filtered Context Table
- Edit the Configuration of Custom or Filtered Context Tables
- Active Directory Context Tables
- Prerequisites to Onboard an Active Directory Context Table
- Create an Active Directory Context Table
- View and Interact with an Active Directory Context Table
- View the Details Panel for an Active Directory Context Table
- Edit the Configuration of an Active Directory Context Table
- Default User Attribute Mapping for Active Directory
- Default Device Attribute Mapping for Active Directory
- Anomali Context Tables
- Prerequisites to Onboard an Anomali Context Table
- Create an Anomali Context Table
- View and Interact with an Anomali Context Table
- View the Details Panel for an Anomali Context Table
- Edit the Configuration of an Anomali Context Table
- Default IP Attribute Mapping for Anomali
- Default Domain Attribute Mapping for Anomali
- CrowdStrike Context Tables
- Microsoft Entra ID Context Tables
- Prerequisites to Onboard a Microsoft Entra ID Context Table
- Create a Microsoft Entra ID Context Table
- View and Interact with a Microsoft Entra ID Context Table
- View the Details Panel for a Microsoft Entra ID Context Table
- Edit the Configuration of a Microsoft Entra ID Context Table
- Default User Attribute Mapping for Microsoft Entra ID
- Default Device Attribute Mapping for Microsoft Entra ID
- Okta Context Tables
- Recorded Future Context Tables
- Prerequisites to Onboard a Recorded Future Context Table
- Create a Recorded Future Context Table
- View and Interact with a Recorded Future Context Table
- View the Details Panel for a Recorded Future Context Table
- Edit the Configuration of a Recorded Future Context Table
- Default IP Attribute Mapping for Recorded Future
- Default Domain Attribute Mapping for Recorded Future
- STIX/TAXII Context Tables
- Prerequisites to Onboard a STIX/TAXII Context Table
- Create a STIX/TAXII Context Table
- View and Interact with a STIX/TAXII Context Table
- View the Details Panel for a STIX/TAXII Context Table
- Edit the Configuration of a STIX/TAXII Context Table
- Default IP Attribute Mapping for STIX/TAXII
- Default Domain Attribute Mapping for STIX/TAXII
- Custom Context Tables
- Add Data to an Existing Context Table
- Using Context Data in Downstream Applications
- Pre-Built Context Tables
- Context Management APIs
- Troubleshooting Context Management
Prerequisites to Automatically Populate a CrowdStrike Context Table
Before data can automatically populate a CrowdStrike context table in the Context Management service, you must ensure that the following prerequisites are met:
Note
If you plan to enter data into the CrowdStrike context table manually or via CSV, these prerequisites are not required.
You have completed one of the following requirements, depending on how you plan to ingest CrowdStrike data:
Via the Exabeam Ingester for CrowdStrike – Make sure that you have both the New-Scale Analytics Exabeam license and the Ingester for CrowdStrike add-on. Data will be ingested directly from your CrowdStrike source and will be available for processing in a Context Management table. For more information about add-on licenses, see Add Ons in the Exabeam Security Operations Platform Guide.
Via a Cloud Collector – If you do not have the ingester add-on as part of your license, you can create a CrowdStrike Context cloud collector in the Cloud Collector service. It ingests data from your CrowdStrike source and makes it available for processing in a Context Management table. For information about creating a new cloud collector, follow the steps in the CrowdStrike Context Cloud Collector section of the Cloud Collector Administrative Guide.
Note
If you want to use the cloud collector option to ingest CrowdStrike data, the collector must be created before the context table. If you previously onboarded a CrowdStrike context table and you want to integrate with the cloud collector, you must delete the context table and recreate it after the CrowdStrike cloud collector is created and running.
If you opt to ingest CrowdStrike data via the Exabeam Ingester, ensure that in your CrowdStrike Store, you have configured Exabeam Analytics for CrowdStrike.
If you opt to ingest CrowdStrike data via a cloud collector, and you want to leverage the full enrichment affects from your CrowdStrike data, you must also do the following to configure the appropriate enrichment rules in Log Stream:
Note
The Enrichments tab in Log Stream is available to the following New-Scale licenses: New-Scale SIEM, New-Scale Fusion, New-Scale Analytics
Copy the configuration file contents found on the following page and save it as a
.conffile: Enrichment Rules for CrowdStrikeOpen the Log Stream application and import the saved
.conffile as follows:In Log Stream, click the Enrichments tab at the top of the page.
In the middle of the Enrichments page, click the Import button. The Import Enricher dialog box opens.
Click Select File and then find and select the saved
.conffile.Click Import Enricher. When asked if you want to enable the custom enrichers, click OK. The
.conffile is imported into Log Stream and the following new enrichment rules are listed as custom rules:CrowdStrike asset ID to Source Host Lookup
CrowdStrikeNetwork Connection Assets in
CrowdStrikeNetwork Connection Assets Out
CrowdStrike asset ID to User Lookup