- Introduction to Context Management
- Onboarding a Context Table
- Custom Context Tables
- Create a Custom Context Table by Importing a CSV File
- Create a Custom Context Table Using the Add Custom Option
- Working with Filtered Context Tables
- View and Interact with a Custom or Filtered Context Table
- View the Details Panel for a Custom or Filtered Context Table
- Edit the Configuration of Custom or Filtered Context Tables
- Active Directory Context Tables
- Prerequisites to Onboard an Active Directory Context Table
- Create an Active Directory Context Table
- View and Interact with an Active Directory Context Table
- View the Details Panel for an Active Directory Context Table
- Edit the Configuration of an Active Directory Context Table
- Default User Attribute Mapping for Active Directory
- Default Device Attribute Mapping for Active Directory
- Anomali Context Tables
- Prerequisites to Onboard an Anomali Context Table
- Create an Anomali Context Table
- View and Interact with an Anomali Context Table
- View the Details Panel for an Anomali Context Table
- Edit the Configuration of an Anomali Context Table
- Default IP Attribute Mapping for Anomali
- Default Domain Attribute Mapping for Anomali
- CrowdStrike Context Tables
- Microsoft Entra ID Context Tables
- Prerequisites to Onboard a Microsoft Entra ID Context Table
- Create a Microsoft Entra ID Context Table
- View and Interact with a Microsoft Entra ID Context Table
- View the Details Panel for a Microsoft Entra ID Context Table
- Edit the Configuration of a Microsoft Entra ID Context Table
- Default User Attribute Mapping for Microsoft Entra ID
- Default Device Attribute Mapping for Microsoft Entra ID
- Okta Context Tables
- Recorded Future Context Tables
- Prerequisites to Onboard a Recorded Future Context Table
- Create a Recorded Future Context Table
- View and Interact with a Recorded Future Context Table
- View the Details Panel for a Recorded Future Context Table
- Edit the Configuration of a Recorded Future Context Table
- Default IP Attribute Mapping for Recorded Future
- Default Domain Attribute Mapping for Recorded Future
- STIX/TAXII Context Tables
- Prerequisites to Onboard a STIX/TAXII Context Table
- Create a STIX/TAXII Context Table
- View and Interact with a STIX/TAXII Context Table
- View the Details Panel for a STIX/TAXII Context Table
- Edit the Configuration of a STIX/TAXII Context Table
- Default IP Attribute Mapping for STIX/TAXII
- Default Domain Attribute Mapping for STIX/TAXII
- Custom Context Tables
- Add Data to an Existing Context Table
- Using Context Data in Downstream Applications
- Pre-Built Context Tables
- Context Management APIs
- Troubleshooting Context Management
Pre-Built Detection Context Tables
The Context Management service includes a set of pre-built context tables used mainly to provide context for detection activities related to the New Scale Analytics engine, the Attack Surface Insights application, or to correlation rules. The data contained in these tables can be used to support various detection and enrichment rules that are part of specific use cases.
Follow the links below to view the different types of detection context tables available:
New-Scale Analytics Context Tables
This table shows which New-Scale Analytics context tables can be used to support detection or enrichment rules and which use cases are covered by each table.
Note
License Requirement
Currently, New-Scale Analytics context tables can only be accessed if you have the New-Scale Analytics license. Access to these tables will be available to other licenses in the near future.
Context Table | Used by Pre-Built New-Scale Analytics Detection Engine Rules | Used by Pre-Built Enrichment Rules | Use Cases |
|---|---|---|---|
System Enumeration Processes | Yes | Malware, Privilege Escalation | |
Account Enumeration Processes | Yes | Malware, Privilege Escalation | |
Pentesting Processes | Yes | Malware, Compromised Credentials | |
Net Sniffer Processes | Yes | Malware, Compromised Credentials | |
Malicious Websites | Yes | Malware | |
Malicious Website Categories | Yes | Malware | |
Temporary Directories | Yes | Malware | |
Threat Windows Commands | Yes | Malware | |
Administrative Windows Privilege Constants | Yes | Privileged Activity | |
Source Code File Extensions | Yes | Compromised Credentials, Data Access | |
Competitor Company Names | Yes | Workforce Protection | |
Job Search Categories | Yes | Yes | Workforce Protection |
Job Search Websites | Yes | Yes | Workforce Protection |
File Storage Categories | Yes | Data Exfiltration | |
File Storage Websites | Yes | Data Exfiltration | |
Network Zones | Yes | Geo-location Based Detection | |
IOT Device Types | – | – | Future use case |
Threat PowerShell Commands | – | – | Future use case |
Per-User Windows Service Names | – | – | Future use case |
Windows Control Panel Items | – | – | Future use case |
Attack Surface Insights Context Tables
This table shows which Attack Surface Insights context tables can be used to support detection or enrichment rules and which use cases are covered by each table.
Note
License Requirement
Currently, Attack Surface Insights context tables can only be accessed if you have the New-Scale Analytics license. Access to these tables will be available to other licenses in the near future.
Context Table | Used by Pre-Built Attack Surface Insights Tagging Rules | Used by Pre-Built Enrichment Rules | Use Cases |
|---|---|---|---|
Departing Employees | Yes | Workforce Protection Used by the Departing Employees pre-built tagging rule | |
Internal Domains | Yes | Ignore external email domains when discovering user entities |
Correlation Rules Context Tables
This table shows which correlation rules context tables are available for use.
Context Table | Context Types | Description |
|---|---|---|
Vulnerability Scanners | Other | Populate this context table with IP addresses for authorized vulnerability scanners that are used for either internal or external assessments. |