Create a STIX/TAXII Context Table
Before beginning this procedure, review the prerequisites.
The procedure below lets you create the context table from inside the Context Management application. However, you must have a STIX/TAXII cloud collector running in the Cloud Collector service that is not already connected to a context table.
Note (Early Access): Currently, the context table must be created manually. In a future release, an auto-create option will be introduced to create the context table automatically when you create the STIX/TAXII cloud collector.
1. Log in to the New-Scale Security Operations Platform with your registered credentials.
2. Find the Security Management tab and click the Context Management tile.
3. Navigate to the Context Library tab and click the STIX/TAXII tile. The STIX/TAXII panel opens.
4. In the Configuration section, complete the Definition step by entering the following information:
   - Context Table Name – Enter a name for the new STIX/TAXII context table you're creating.
   - Context Table Type – Select the type of context data the new table will contain. Options include:
     - IP – Context data about known malicious IP addresses
     - Domain – Context data about known malicious domains
   - STIX/TAXII Collector – In the Data Source section, choose a data source for your new context table. The drop-down menu displays a list of the STIX/TAXII collectors that are currently configured and running in the Cloud Collector service. From the list, select the collector from which your new context table will process IP or domain attribute data.
     If no STIX/TAXII cloud collectors are listed, follow the instructions in the STIX/TAXII Cloud Collector section of the Cloud Collector Administrative Guide.
5. Click Next.
6. In the Review Attributes step, review the mapping of available STIX/TAXII attributes to the target attributes in the new context table you are creating.
   The attribute mapping table has the following columns:
   - (Visibility icon) – Shows whether a specific attribute is visible as a column in the context table. Use the icon next to each attribute to toggle the display on or off.
   - Source Attribute – Shows a default set of attributes available from your STIX/TAXII source. Some source attributes are listed simply as Calculated attribute. These are attributes that are calculated, either in format or in value. To view a description of an attribute and its calculation, hover over the Calculated attribute tag in the Source Attribute column.
   - Target Attribute – Shows the Exabeam common information model attributes that are mapped to the STIX/TAXII attributes in your context table. For an easy-to-read table of the default attribute mapping, see Default IP Attribute Mapping for STIX/TAXII or Default Domain Attribute Mapping for STIX/TAXII.
   - (Icon) – Indicates that an attribute is designated as the key attribute for the context table. The designated key and its mapping cannot be changed.
   - (Icon) – Indicates that an attribute and its mapping cannot be changed.
   The only modification you can make to the attribute mapping is to decide whether or not an attribute should be visible as a column when the context table is displayed. Use the visibility icon to toggle the display on or off for a specific attribute.
7. Click Create to onboard the new STIX/TAXII context table. A success message is displayed.
8. Click Go to Overview to return to the Overview tab that lists all the context tables currently available. The new context table should appear in the list. When you open the table, it displays the IP or domain objects processed from the source Cloud Collector.