
Default IP Attribute Mapping for STIX/TAXII

When a STIX/TAXII context table of type IP is onboarded, it processes a predetermined set of IP attributes that are collected from an external threat intelligence source. These attributes are mapped to a set of Exabeam target attributes that are compliant with a common information model. This model defines standardized security content across Exabeam products.

The table below lists the predetermined set of source Recorded Future attributes and the Exabeam target attributes to which they are mapped. The table is organized alphabetically by the Target Attributes column and contains the following notations:

  • * (asterisk) – Indicates attributes that are selected for display by default when onboarding a STIX/TAXII context table. During onboarding, you can choose to display or not display any of the available predetermined attributes by toggling the visibility icon.

  • (Calculated) – Indicates attributes that are calculated, either in format or in value. During onboarding, you can hover over the Calculated Attribute tag in the Source Attributes column to view a description of the attribute and its calculation.

  • (Primary Key) – Indicates the attribute that is designated as the key attribute for the context table. The key and its mapping cannot be changed.

| STIX/TAXII Source Attribute | Exabeam Target Attribute | Example | Description |
| --- | --- | --- | --- |
| confidence | Confidence* | 68 | A numerical value from 0 to 99 that indicates the amount of potential risk associated with a specific threat intelligence indicator of compromise. |
| created | Created Time* | 2025-03-19T16:47:13.163000000Z | The date that the threat intelligence provider added the threat to their feed. |
| description | Description* | Current risk: Malicious. Triggers 5 of 52 risk rules | Information that describes the threat intelligence indicator of compromise. |
| (calculated) | First Added in Exabeam (Calculated) | 2025-03-11T14:27:30.275851470Z | This is a calculated field. |
| pattern | IP* (Primary Key) | 1.0.168.129 | The IP address for a specific data entity. |
| labels | Labels* | {"EvidenceDetails":[{"CriticalityLabel":"Unusual","Rule":"Previously Validated Malicious Relay Server","Name":"validatedMaliciousRelayServer"},{"CriticalityLabel":"Malicious","Rule":"Recent Validated Malicious Relay Server","Name":"recentValidatedMaliciousRelayServer"}]} | Label for the threat intelligence indicator of compromise. This label can contain any additional information the vendor chooses to provide. |
| (calculated) | Last Added in Exabeam (Calculated) | 2025-03-19T16:47:14.765172000Z | This is a calculated field. |
| modified | Modified Time* | 2025-03-19T16:47:13.163000000Z | The date and time the threat intelligence provider last updated the threat. |
| indicator_types | | malicious | The threat category of the threat intelligence indicator of compromise. |
| valid_from | Valid From* | 2025-03-06T10:06:28.529000000Z | The date and time from which the indicator of compromise is valid. |
| valid_until | Valid Until* | 2025-03-20T16:47:13.163000000Z | The date and time until which the indicator of compromise is valid. |

* Attribute is selected for display by default.
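
The mapping in the table can be checked against a feed object before onboarding. The sketch below is an added example, not Exabeam code: it assumes the feed delivers STIX 2.1 indicator objects whose `pattern` uses the standard `[ipv4-addr:value = '…']` form and that Valid Until is an exclusive bound, and the names `map_indicator`, `parse_ts` and `is_active` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Source -> target names copied from the table above. indicator_types is left
# out because the page gives no target name for it; the two "Added in Exabeam"
# fields are calculated by the product and never appear in the feed object.
FIELD_MAP = {"confidence": "Confidence", "created": "Created Time",
             "description": "Description", "labels": "Labels",
             "modified": "Modified Time", "valid_from": "Valid From",
             "valid_until": "Valid Until"}

# Assumption: a STIX 2.1 pattern holding one IPv4 comparison (CIDR not handled).
IPV4_PATTERN = re.compile(r"^\[\s*ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'\s*\]$")
TIMESTAMP = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")


def parse_ts(value):
    """Parse a UTC timestamp; the nanosecond fraction is cut to microseconds."""
    m = TIMESTAMP.fullmatch(value)
    if not m:
        raise ValueError(f"bad timestamp: {value!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def map_indicator(indicator):
    """Return a row keyed by target attribute, or None when no IPv4 key exists."""
    m = IPV4_PATTERN.match(indicator.get("pattern", ""))
    if not m or any(int(octet) > 255 for octet in m.group(1).split(".")):
        return None  # the IP primary key is mandatory, so the object is skipped
    row = {"IP": m.group(1)}
    row.update({dst: indicator[src] for src, dst in FIELD_MAP.items() if src in indicator})
    return row


def is_active(row, now):
    """True while now lies inside [Valid From, Valid Until)."""
    end = row.get("Valid Until")
    return parse_ts(row["Valid From"]) <= now and (end is None or now < parse_ts(end))


# Constructed sample object built from the example values in the table.
SAMPLE = {
    "type": "indicator", "pattern_type": "stix",
    "pattern": "[ipv4-addr:value = '1.0.168.129']",
    "confidence": 68, "indicator_types": ["malicious"],
    "description": "Current risk: Malicious. Triggers 5 of 52 risk rules",
    "created": "2025-03-19T16:47:13.163000000Z",
    "modified": "2025-03-19T16:47:13.163000000Z",
    "valid_from": "2025-03-06T10:06:28.529000000Z",
    "valid_until": "2025-03-20T16:47:13.163000000Z",
}
```

Rows that come back as `None` are the ones that could not supply the IP primary key, and `is_active` gives a quick way to spot entries whose Valid Until has already passed.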