Default Domain Attribute Mapping for STIX/TAXII

When a STIX/TAXII context table is onboarded, of type Domain, it processes a predetermined set of domain attributes that are collected from an external threat intelligence source. These attributes are mapped to a set of Exabeam target attributes that are compliant with a common information model. This model defines a standardized security content across Exabeam products.

The table below lists the predetermined set of source STIX/TAXII attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:

* (asterisk) – Indicates attributes that are selected for display by default when onboarding a STIX/TAXII context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon ().
(Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.
(Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.

STIX/TAXII Source Attribute	Exabeam Target Attribute	Example	Description
confidence	Confidence*	`69`	A numerical value from 0 to 99 that indicates the amount of potential risk associated with a specific threat intelligence indicator of compromise.
created	Created Time*	`2025-03-19T19:49:39.023000000Z`	The date that the threat intelligence provider added the threat to their feed.
description	Description*	`Current risk: Malicious. Triggers 6 of 52 risk rules`	Information that describes the threat intelligence indicator of compromise.
pattern	Domain* (Primary Key)	`009923gn.000webhostapp.com`	The domain for a specific data entity.
(calculated)	First Added in Exabeam (Calculated)	`2025-03-11T14:30:22.847453542Z`	This is a calculated field.
labels	Labels*	{"EvidenceDetails":[{"CriticalityLabel":"Unusual","Rule":"Historically Detected Phishing Techniques","Name":"phishingSiteDetected"},{"CriticalityLabel":"Unusual","Rule":"Historically Suspected Phishing Techniques","Name":"phishingSiteSuspected"},{"CriticalityLabel":"Unusual","Rule":"Historically Detected Malware Operation","Name":"malwareSiteDetected"},{"CriticalityLabel":"Unusual","Rule":"Historically Suspected Malware Operation","Name":"malwareSiteSuspected"},{"CriticalityLabel":"Suspicious","Rule":"Frequently Abused Free DNS Provider","Name":"frequentlyAbusedDnsProvider"},{"CriticalityLabel":"Malicious","Rule":"Recently Active Weaponized Domain","Name":"recentWeaponizedDomain"}]}	Label for the threat intelligence indicator of compromise. This label can contain any additional information the vendor chooses to provide.
(calculated)	Last Added in Exabeam (Calculated)	`2025-03-19T19:49:41.740835000Z`	This is a calculated field.
modified	Modified Time*	`2025-03-19T19:49:39.023000000Z`	The date and time the threat intelligence provider last updated the threat.
indicator_types	Threat Category*	`malicious`	The threat category of the threat intelligence indicator of compromise.
valid_from	Valid From*	`2025-03-19T08:15:05.520000000Z`	The date and time from which the indicator of compromise is valid.
valid_until	Valid Until*	2025-03-20T19:49:39.023000000Z	The date and time until which the indicator of compromise is valid.

* Attribute is selected for display by default.

Context ManagementContext Management Administration Guide

Table of ContentsTable of Contents

Default Domain Attribute Mapping for STIX/TAXII