
Context Management Administration Guide

Create a STIX/TAXII Context Table

Before beginning this procedure, review the prerequisites.

The procedure below lets you create the context table from inside the Context Management application. However, you must have a STIX/TAXII cloud collector running in the Cloud Collector service that is not already connected to a context table.

Note

Early Access

Currently, the context table must be created manually. In a future release, an auto-create option will be introduced to create the context table automatically when you create the STIX/TAXII cloud collector.

  1. Log in to the New-Scale Security Operations Platform with your registered credentials.

  2. Find the Security Management tab and click the Context Management tile.

  3. Navigate to the Context Library tab and click the STIX/TAXII tile. The STIX/TAXII panel opens.

  4. In the Configuration section, complete the Definition step by entering the following information:

    • Context Table Name – Enter a name for the new STIX/TAXII context table you're creating.

    • Context Table Type – Select the type of context data the new table will contain. Options include:

      • IP – Context data about known malicious IP addresses

      • Domain – Context data about known malicious domains

    • STIX/TAXII Collector – In the Data Source section, choose a data source for your new context table. The drop-down menu lists the STIX/TAXII collectors that are currently configured and running in the Cloud Collector service. From the list, select the collector from which your new context table will process IP or domain attribute data.

      If no STIX/TAXII cloud collectors are listed, follow the instructions in the STIX/TAXII Cloud Collector section of the Cloud Collector Administrative Guide.

  5. Click Next.

  6. In the Review Attributes step, review the mapping of available STIX/TAXII attributes to the target attributes in the new context table you are creating.

    The attribute mapping table has the following columns (as shown in the image below):

    • Visibility icon (icon-visible.png) – Shows whether a specific attribute is visible as a column in the context table. Use the icon next to each attribute to toggle the display on or off.

    • Source Attribute – Shows a default set of attributes available from your STIX/TAXII source. Some source attributes are listed simply as Calculated attribute. These are attributes that are calculated, either in format or in value. To view a description of an attribute and its calculation, hover over the Calculated attribute tag in the Source Attribute column.

    • Target Attribute – The Target Attributes column shows the Exabeam common information model attributes that are mapped to the STIX/TAXII attributes in your context table. For an easy-to-read table of the default attribute mapping, see one of the following:

    • Key icon (icon-key.png) – Indicates that an attribute is designated as the key attribute for the context table. The designated key and its mapping cannot be changed.

    • Lock icon (icon-lock.png) – Indicates that an attribute and its mapping cannot be changed.

    [Image: attribute-map-stix.png]

    The only modification you can make to the attribute mapping is to decide whether or not an attribute should be visible as a column when the context table is displayed. Use the visibility icon (icon-visible.png) to toggle the display on or off for a specific attribute.

  7. Click Create to onboard the new STIX/TAXII context table. A success message is displayed.

  8. Click Go to Overview to return to the Overview tab that lists all the context tables currently available. The new context table should appear in the list. When you open the table, it displays the IP or domain objects processed from the source Cloud Collector.