Context in Search and Correlation Rules
In Search and Correlation Rules, context data can be looked up and used to build search queries, which can also be used to create correlation rules. Context data can be looked up either from context tables or from event fields enriched with threat intelligence context data.
For information about the mechanics of creating search queries, using either the Query Builder feature or Advanced Search, see Performing Searches in the Search Guide.
For information about the different ways context data can be used in Search and Correlation Rules, see the appropriate sections below.
Context Table Lookup
In Search and Correlation Rules, context data is available by specifying a custom context table using the Add Context List option. You can add a custom context table of type Other or User. You can also add a filtered context table.
In the Query Builder, this option is available for any common event field that contains string or numerical data. For example, in the image below, when the dest_ip field is selected, the Add Context List option is available. Click the arrow to display a list of the available context tables and select a table to add to the query. A preview of the first few rows of the table data is displayed.
When the query runs, it searches for events that include a dest_ip field whose value is found in the key field column of the selected context table.
Note
Certain restrictions apply to query building when a context table lookup is included:
The context table can be included with an AND but not with an OR operator.
Only one context table can be included per query.
Active Directory context tables cannot be included directly. However, you can include a filtered context table that is created with an Active Directory context table as its source.
Threat intelligence context tables are not available for inclusion in a query.
Context tables that contain more than 100,000 entries are not available for inclusion in a query.
Enriched Threat Intelligence Field Lookup
In Search and Correlation Rules, context data is available by looking up events enriched with threat intelligence data in the following ways:
Search for any event that could be considered malicious.
As events are ingested, they are validated against the threat intelligence data collected in the built-in threat intelligence context tables. When known indicators of compromise (IOCs) are matched, the event is marked as containing malicious content. To find these events, search for is_ioc:true.
Sample query:
Search for events enriched with specific threat intelligence context data.
Beyond identifying malicious content, you might want to drill into your event data with more granular searches. You can search on the event fields ioc_types and ioc_fields to find events that match specific threat intelligence data, such as a threat category or other specific fields. For example, you can create a search query that includes both is_ioc:true and ioc_types:"botnet" to find events marked as containing malicious botnet activity.
Sample query:
For information about the specific threat intelligence data available for use in Search, see Threat Intelligence Enrichment.
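The following Python is an added illustration, not the product's own code, that models both lookups described above: a context table lookup matching the dest_ip field against the key field column of a small constructed table (ANDed with other clauses and refusing tables over the 100,000-entry limit), and the is_ioc:true and ioc_types:"botnet" filters applied to constructed enriched events. The context table contents, the events, and the function names are all assumptions made for the example.

```python
import csv
import io

MAX_CONTEXT_ROWS = 100_000  # larger tables are not available for inclusion in a query

# Constructed sample context table of type Other; "ip" is the key field column.
CONTEXT_CSV = """ip,owner
198.51.100.7,partner-vpn
203.0.113.9,decommissioned-host
"""

# Constructed sample events as they would look after ingest-time enrichment.
EVENTS = [
    {"dest_ip": "198.51.100.7", "is_ioc": False, "ioc_types": []},
    {"dest_ip": "203.0.113.9", "is_ioc": True, "ioc_types": ["botnet"]},
    {"dest_ip": "192.0.2.44", "is_ioc": True, "ioc_types": ["botnet", "malware"]},
    {"src_ip": "192.0.2.1", "is_ioc": False, "ioc_types": []},  # no dest_ip field
]


def load_context_keys(csv_text, key_field):
    """Return the set of values in the key field column, refusing tables that
    exceed the documented 100,000-entry limit."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) > MAX_CONTEXT_ROWS:
        raise ValueError("context table too large for use in a query")
    return {row[key_field] for row in rows}


def run_query(events, field=None, context_keys=None, is_ioc=None, ioc_type=None):
    """Evaluate a query whose clauses are ANDed together (the only operator
    permitted with a context table lookup). The context clause matches when the
    event has `field` and its value is in the key column; is_ioc and ioc_type
    model the is_ioc:true and ioc_types:"<value>" filters on enriched events."""
    hits = []
    for event in events:
        if context_keys is not None and event.get(field) not in context_keys:
            continue  # missing field or value not in the table: no match
        if is_ioc is not None and event.get("is_ioc", False) != is_ioc:
            continue
        if ioc_type is not None and ioc_type not in event.get("ioc_types", []):
            continue
        hits.append(event)
    return hits


# Events on a watched destination that are also flagged as botnet IOCs.
BOTNET_HITS = run_query(EVENTS, "dest_ip", load_context_keys(CONTEXT_CSV, "ip"),
                        is_ioc=True, ioc_type="botnet")
```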