
Default Domain Attribute Mapping for STIX/TAXII

When a STIX/TAXII context table of type Domain is onboarded, it processes a predetermined set of domain attributes that are collected from an external threat intelligence source. These attributes are mapped to a set of Exabeam target attributes that comply with a common information model. This model defines standardized security content across Exabeam products.

The table below lists the predetermined set of source STIX/TAXII attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:

  • * (asterisk) – Indicates attributes that are selected for display by default when onboarding a STIX/TAXII context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon.

  • (Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.

  • (Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.

| STIX/TAXII Source Attribute | Exabeam Target Attribute | Example | Description |
|---|---|---|---|
| confidence | Confidence* | 69 | A numerical value from 0 to 99 that indicates the amount of potential risk associated with a specific threat intelligence indicator of compromise. |
| created | Created Time* | 2025-03-19T19:49:39.023000000Z | The date that the threat intelligence provider added the threat to their feed. |
| description | Description* | Current risk: Malicious. Triggers 6 of 52 risk rules | Information that describes the threat intelligence indicator of compromise. |
| pattern | Domain* (Primary Key) | 009923gn.000webhostapp.com | The domain for a specific data entity. |
| (calculated) | First Added in Exabeam (Calculated) | 2025-03-11T14:30:22.847453542Z | This is a calculated field. |
| labels | Labels* | {"EvidenceDetails":[{"CriticalityLabel":"Unusual","Rule":"Historically Detected Phishing Techniques","Name":"phishingSiteDetected"},{"CriticalityLabel":"Unusual","Rule":"Historically Suspected Phishing Techniques","Name":"phishingSiteSuspected"},{"CriticalityLabel":"Unusual","Rule":"Historically Detected Malware Operation","Name":"malwareSiteDetected"},{"CriticalityLabel":"Unusual","Rule":"Historically Suspected Malware Operation","Name":"malwareSiteSuspected"},{"CriticalityLabel":"Suspicious","Rule":"Frequently Abused Free DNS Provider","Name":"frequentlyAbusedDnsProvider"},{"CriticalityLabel":"Malicious","Rule":"Recently Active Weaponized Domain","Name":"recentWeaponizedDomain"}]} | Label for the threat intelligence indicator of compromise. This label can contain any additional information the vendor chooses to provide. |
| (calculated) | Last Added in Exabeam (Calculated) | 2025-03-19T19:49:41.740835000Z | This is a calculated field. |
| modified | Modified Time* | 2025-03-19T19:49:39.023000000Z | The date and time the threat intelligence provider last updated the threat. |
| indicator_types | Threat Category* | malicious | The threat category of the threat intelligence indicator of compromise. |
| valid_from | Valid From* | 2025-03-19T08:15:05.520000000Z | The date and time from which the indicator of compromise is valid. |
| valid_until | Valid Until* | 2025-03-20T19:49:39.023000000Z | The date and time until which the indicator of compromise is valid. |

* Attribute is selected for display by default.
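
As an added illustration (not Exabeam code), the Python example below applies the mapping in the table to a constructed STIX indicator and checks the validity window, handling the nine-digit fractional seconds shown in the Example column. It assumes the pattern is a single `domain-name:value` comparison; `map_indicator`, `is_active`, `parse_ts` and the sample values are hypothetical names and data, and the two calculated Exabeam fields are not derived because the page does not give their calculation.

```python
import re
from datetime import datetime, timezone

# Source -> target names copied from the table above ("pattern" is handled separately).
ATTRIBUTE_MAP = {
    "confidence": "Confidence", "created": "Created Time",
    "description": "Description", "labels": "Labels",
    "modified": "Modified Time", "indicator_types": "Threat Category",
    "valid_from": "Valid From", "valid_until": "Valid Until",
}
# Assumption: each indicator's pattern is a single STIX domain-name comparison.
DOMAIN_PATTERN = re.compile(r"^\[\s*domain-name:value\s*=\s*'([^']+)'\s*\]$")
# Constructed sample indicator; timestamps use the 9-digit fractions shown in the table.
SAMPLE_INDICATOR = {
    "type": "indicator", "confidence": 69, "indicator_types": ["malicious"],
    "pattern": "[domain-name:value = 'Phish.Example.test']",
    "valid_from": "2025-03-19T08:15:05.520000000Z",
    "valid_until": "2025-03-20T19:49:39.023000000Z",
}


def parse_ts(value):
    """Parse a UTC timestamp, truncating fractional digits beyond microseconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unsupported timestamp: {value!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def map_indicator(indicator):
    """Return (primary key, row of target attributes) for one indicator."""
    match = DOMAIN_PATTERN.match(indicator.get("pattern", ""))
    if not match:
        raise ValueError("pattern is not a single domain-name comparison")
    # Lower-casing the key is this example's choice, so lookups are case-insensitive.
    row = {"Domain": match.group(1).lower()}
    for source, target in ATTRIBUTE_MAP.items():
        if source in indicator:
            row[target] = indicator[source]
    return row["Domain"], row


def is_active(row, now):
    """True when `now` is inside the Valid From / Valid Until window (end exclusive)."""
    until = row.get("Valid Until")
    return parse_ts(row["Valid From"]) <= now and (until is None or now < parse_ts(until))
```

Filtering on `is_active` before matching events against the table keeps expired indicators from producing stale detections.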