Default IP Attribute Mapping for STIX/TAXII
When a STIX/TAXII context table of type IP is onboarded, it processes a predetermined set of IP attributes that are collected from an external threat intelligence source. These attributes are mapped to a set of Exabeam target attributes that comply with a common information model. This model defines standardized security content across Exabeam products.
The table below lists the predetermined set of source Recorded Future attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:
* (asterisk) – Indicates attributes that are selected for display by default when onboarding a STIX/TAXII context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon.
(Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.
(Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.
STIX/TAXII Source Attribute | Exabeam Target Attribute | Example | Description |
---|---|---|---|
confidence | Confidence* | | A numerical value from 0 to 99 that indicates the amount of potential risk associated with a specific threat intelligence indicator of compromise. |
created | Created Time* | | The date that the threat intelligence provider added the threat to their feed. |
description | Description* | | Information that describes the threat intelligence indicator of compromise. |
(calculated) | First Added in Exabeam (Calculated) | | This is a calculated field. |
pattern | IP* (Primary Key) | | The IP address for a specific data entity. |
labels | Labels* | | Label for the threat intelligence indicator of compromise. This label can contain any additional information the vendor chooses to provide. |
(calculated) | Last Added in Exabeam (Calculated) | | This is a calculated field. |
modified | Modified Time* | | The date and time the threat intelligence provider last updated the threat. |
indicator_types | | | The threat category of the threat intelligence indicator of compromise. |
valid_from | Valid From* | | The date and time from which the indicator of compromise is valid. |
valid_until | Valid Until* | | The date and time until which the indicator of compromise is valid. |
* Attribute is selected for display by default.
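
As an added illustration (not Exabeam code), the following Python example applies the mapping in the table above to STIX indicator objects and flags entries that would not yield a single IP address for the primary key, which is useful as a check on a feed before onboarding it. The pattern regular expression, the function names and the sample indicators are assumptions constructed for this example; the calculated attributes and indicator_types are omitted because the page does not say how they are derived or named.

```python
import ipaddress
import re

# Source-to-target names copied from the mapping table on this page.
# indicator_types is left out: its target attribute name is not given on the page.
FIELD_MAP = {
    "confidence": "Confidence", "created": "Created Time",
    "description": "Description", "labels": "Labels",
    "modified": "Modified Time", "valid_from": "Valid From",
    "valid_until": "Valid Until",
}

# Assumption: only a single equality comparison on an address value is accepted.
IP_PATTERN = re.compile(r"^\[\s*ipv[46]-addr:value\s*=\s*'([^']+)'\s*\]$")

def extract_ip(pattern):
    """Return the normalized IP from a simple STIX pattern, or None."""
    match = IP_PATTERN.match(pattern or "")
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:  # CIDR ranges and malformed addresses end up here
        return None

def map_indicator(indicator):
    """Map one STIX indicator to (row, problems) using the page's attribute names."""
    problems = []
    ip = extract_ip(indicator.get("pattern"))
    if ip is None:
        problems.append("pattern does not yield a single IP for the primary key")
    row = {"IP": ip}
    for source, target in FIELD_MAP.items():
        if source in indicator:
            row[target] = indicator[source]
    confidence = indicator.get("confidence")
    if confidence is not None and not (isinstance(confidence, int) and 0 <= confidence <= 99):
        problems.append("confidence outside the 0 to 99 range given in the table")
    return row, problems

# Constructed sample indicators (documentation address ranges, not real intelligence).
SAMPLES = [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "confidence": 85, "created": "2024-01-10T08:00:00.000Z",
     "valid_from": "2024-01-10T08:00:00.000Z", "labels": ["constructed-sample"]},
    {"type": "indicator", "pattern": "[domain-name:value = 'example.test']",
     "confidence": 120},
]
```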