Pre-Built Threat Intelligence Context Tables
The Context Management service includes the following pre-built context tables that provide curated threat intelligence data:
Exabeam Threat Intelligence Domains – Collects data about known malicious domains.
Exabeam Threat Intelligence IPs – Collects data about known malicious IP addresses.
These context tables streamline the collection of threat intelligence data from ZeroFox or from the TOR open source network. A pre-built context table can contain as many records as the threat intelligence source provides.
Because these context tables are pre-built, their schemas are already defined, and data collection runs automatically with no user action required to schedule or launch it. The predefined schema ensures that each table includes all of the columns needed to detect the various categories of threat indicator.
Together, these context tables cover IP addresses and domains that are known sources of malicious activity, and each record is tagged with the type of threat it represents.
View Pre-Built Threat Intelligence Context Table Data
In the Overview tab of the Context Management service, click the name of a pre-built context table to display the threat intelligence data the table contains. Depending on the selected table type, the table lists rows of specific domains or IP addresses. Pre-built threat intelligence tables include the following columns with information about each domain or IP address:
Domain or IP Address – The domain or IP address for the data entity in a specific row.
IOC First Added – Date on which the threat intelligence provider added the domain or IP address to their feed.
Metadata Last Updated – How long ago the threat intelligence provider updated or added metadata for the domain or IP address. When this happens, the tags associated with the entity might change, for example by adding a malware variant name, a threat actor group, or other relevant information.
IOC Last Detected – How long ago the threat intelligence provider last detected the domain or IP address.
First Added in Exabeam – How long ago the domain or IP address first appeared in Exabeam Context Management (that is, when it was first polled from the threat intelligence provider).
Last Added in Exabeam – How long ago the domain or IP address was last updated in Exabeam Context Management.
Threat Category – The type of threat the data entity represents.
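The following is an added example, not Exabeam code and not the Context Management API: it shows how a downstream consumer could use a table with the column layout above. It assumes the table is available as a CSV export with exactly those column headings, that timestamps are ISO 8601 UTC strings, that a listed domain also covers its subdomains, and that an indicator whose IOC Last Detected value is older than 30 days should be flagged as stale rather than dropped. The table rows, the event records, and the reference time are constructed for the example.

```python
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed export of a threat-intelligence context table. The headings match
# the columns documented above; every row value is invented for this example.
TI_EXPORT = """\
Domain or IP Address,IOC First Added,Metadata Last Updated,IOC Last Detected,First Added in Exabeam,Last Added in Exabeam,Threat Category
evil-updates.example,2024-01-05T00:00:00Z,2024-03-01T12:00:00Z,2024-03-02T08:00:00Z,2024-01-06T00:00:00Z,2024-03-02T09:00:00Z,malware
203.0.113.45,2023-11-20T00:00:00Z,2023-11-20T00:00:00Z,2023-11-25T00:00:00Z,2023-11-21T00:00:00Z,2023-11-26T00:00:00Z,c2
198.51.100.7,2024-02-28T00:00:00Z,2024-03-01T00:00:00Z,2024-03-03T00:00:00Z,2024-03-01T00:00:00Z,2024-03-03T00:00:00Z,phishing
"""

# Constructed proxy/DNS-style events that a downstream rule might evaluate.
EVENTS = [
    {"id": 1, "user": "alice", "dest_host": "cdn.Evil-Updates.example.", "dest_ip": "192.0.2.10"},
    {"id": 2, "user": "bob", "dest_host": "intranet.example", "dest_ip": " 203.0.113.45 "},
    {"id": 3, "user": "carol", "dest_host": "mail.example", "dest_ip": "198.51.100.7"},
    {"id": 4, "user": "dave", "dest_host": "docs.example", "dest_ip": "192.0.2.20"},
]

# Reference time for the staleness check (constructed).
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    value: str          # normalized domain or IP address
    category: str       # Threat Category column
    last_detected: datetime  # IOC Last Detected column


def parse_ts(text: str) -> datetime:
    """Assumption: the export stores timestamps as ISO 8601 UTC ('Z' suffix)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(value: str) -> str:
    """Canonical lookup key: IPs via ipaddress, domains lower-cased without a trailing dot."""
    v = value.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        return v


def load_table(export: str) -> dict[str, Indicator]:
    """Index the export by normalized indicator so event fields can be joined against it."""
    table: dict[str, Indicator] = {}
    for row in csv.DictReader(io.StringIO(export)):
        key = normalize(row["Domain or IP Address"])
        table[key] = Indicator(key, row["Threat Category"], parse_ts(row["IOC Last Detected"]))
    return table


def lookup(table: dict[str, Indicator], value: str) -> Indicator | None:
    """Exact match for IPs and domains; for domains, also walk up to each parent
    domain (assumption: a listed domain covers its subdomains). The bare
    top-level label is never tried, so 'example' alone cannot match."""
    key = normalize(value)
    if not key:
        return None
    if key in table:
        return table[key]
    try:
        ipaddress.ip_address(key)
        return None  # IPs match exactly or not at all
    except ValueError:
        pass
    labels = key.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def match_events(table: dict[str, Indicator], events: list[dict], now: datetime,
                 max_age: timedelta = timedelta(days=30)) -> list[dict]:
    """Join each event's destination fields against the table. A hit whose IOC
    Last Detected is older than max_age is kept but flagged stale, so an analyst
    can down-weight it instead of silently losing the match."""
    hits = []
    for ev in events:
        for field in ("dest_host", "dest_ip"):
            ioc = lookup(table, ev.get(field, ""))
            if ioc is None:
                continue
            hits.append({
                "event_id": ev["id"],
                "user": ev["user"],
                "field": field,
                "indicator": ioc.value,
                "category": ioc.category,
                "stale": (now - ioc.last_detected) > max_age,
            })
    return hits


if __name__ == "__main__":
    for hit in match_events(load_table(TI_EXPORT), EVENTS, NOW):
        print(hit)
```

Normalizing both sides of the join matters in practice: the constructed events carry a trailing dot, mixed case, and stray whitespace, all of which would otherwise miss an exact string comparison. The stale flag uses the IOC Last Detected column rather than Last Added in Exabeam, because the former reflects when the provider last saw the indicator active, while the latter only reflects when the local copy was refreshed.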
Unlike other context tables, you cannot delete or configure the pre-built threat-intelligence context tables. You can, however, do the following: