- Introduction to Context Management
- Onboarding a Context Table
- Custom Context Tables
- Create a Custom Context Table by Importing a CSV File
- Create a Custom Context Table Using the Add Custom Option
- Working with Filtered Context Tables
- View and Interact with a Custom or Filtered Context Table
- View the Details Panel for a Custom or Filtered Context Table
- Edit the Configuration of Custom or Filtered Context Tables
- Active Directory Context Tables
- Prerequisites to Onboard an Active Directory Context Table
- Create an Active Directory Context Table
- View and Interact with an Active Directory Context Table
- View the Details Panel for an Active Directory Context Table
- Edit the Configuration of an Active Directory Context Table
- Default User Attribute Mapping for Active Directory
- Default Device Attribute Mapping for Active Directory
- CrowdStrike Context Tables
- Microsoft Entra ID Context Tables
- Prerequisites to Onboard a Microsoft Entra ID Context Table
- Create a Microsoft Entra ID Context Table
- View and Interact with a Microsoft Entra ID Context Table
- View the Details Panel for a Microsoft Entra ID Context Table
- Edit the Configuration of a Microsoft Entra ID Context Table
- Default User Attribute Mapping for Microsoft Entra ID
- Default Device Attribute Mapping for Microsoft Entra ID
- Okta Context Tables
- Recorded Future Context Tables
- Prerequisites to Onboard a Recorded Future Context Table
- Create a Recorded Future Context Table
- View and Interact with a Recorded Future Context Table
- View the Details Panel for a Recorded Future Context Table
- Edit the Configuration of a Recorded Future Context Table
- Default IP Attribute Mapping for Recorded Future
- Default Domain Attribute Mapping for Recorded Future
- STIX/TAXII Context Tables
- Prerequisites to Onboard a STIX/TAXII Context Table
- Create a STIX/TAXII Context Table
- View and Interact with a STIX/TAXII Context Table
- View the Details Panel for a STIX/TAXII Context Table
- Edit the Configuration of a STIX/TAXII Context Table
- Default IP Attribute Mapping for STIX/TAXII
- Default Domain Attribute Mapping for STIX/TAXII
- Custom Context Tables
- Add Data to an Existing Context Table
- Using Context Data in Downstream Applications
- Pre-Built Context Tables
- Context Management APIs
- Troubleshooting Context Management
Context in Dashboards
In Dashboards, context data is available for use both via a pre-built IOC Statistics dashboard and by filtering on context table data in custom dashboards. For more information about each method, see the appropriate sections below.
IOC Statistics Dashboard
The IOC Statistics dashboard reflects information about the context data being collected in the pre-built threat intelligence tables. This dashboard includes information about the numbers and types of IOCs found over time, as well as IOC trend analysis. For more information about this dashboard, see Indicator of Compromise (IOC) Statistics in the Dashboards Guide.
Filtering on Context Table Data When Creating a Custom Dashboard Visualization
When defining a custom dashboard visualization, context data is available by specifying a custom context table using the Context Filter option. You can filter on a custom context table of type Other, Device, or User. You can also filter on a filtered context table. For more information about adding a context table filter to a dashboard visualization, see Include Context Filtering in Visualizations in the Dashboards Guide.
The Context Filter option is available at the bottom of the Query Filters section.
When you select the Context Filter option, you have the opportunity to select a Context Field, an Operator, and a Context Table to filter on. For example, in the image below, the condition is filtering on User values that are included in the PM IPs context table. For more information about building dashboards, see Add a Visualization in the Dashboards Guide.
Note
Certain restrictions apply to dashboard visualization filtering when a context table lookup is included:
The context table can be included with an AND but not with an OR operator.
Up to two context tables can be included per dashboard visualization.
Active Directory context tables cannot be included directly. However, you can include a filtered context table that is created with an Active Directory context table as its source.
Context tables that contain more than 100,000 entries are not available for filtering a dashboard visualization.
An empty context table can be included in a search query but it will not generate any search results until at least one record is added to the table.