Context Management Features Introduced in 2023

November 2023

The following features were introduced in Context Management during November 2023.

Feature	Description
Microsoft Entra ID Context Tables	You can now create a context table to process user attributes from a Microsoft Entra ID cloud collector. By default, a Microsoft Entra ID context table processes a predetermined set of user attributes from the source collector and maps them to a set of standardized Exabeam target attributes. For more information, see Microsoft Entra ID Context Tables in the Context Management Administration Guide.
New Delete Context Table API	A new public API has been added to the Context Management service to allow for the deletion of specific context tables. A table ID is required to specify the table for deletion. All table records are deleted. Optionally, unused custom attributes can also be deleted. The new API endpoint is: `DELETE /context-management/v1/tables/{id}` For more information about Context Management APIs, see Context Management APIs. To try the new API, see the Exabeam API Reference Guide.
Context Table Attribute Display Enhancements	In an ongoing effort to facilitate efficient context onboarding, several user interface improvements have been implemented. For creating or editing user context tables, the following improvements have been made to the attribute mapping panel: You can click on many attributes to see drop-down descriptions and example values. You can easily see attributes that are calculated, either in form or value, because they are now identified by a Calculated attribute tag. You can also hover over a calculated attribute to see a description of how it's calculated. You can search for specific attributes in a new search bar at the top of the attribute list, either by the source or the target attribute name. You can toggle the display of specific attribute columns in your table by clicking the visibility icon () next to a specific attribute in the list. For creating or editing custom context tables, the following improvements have been made to attribute mapping dialog box: The attributes in the Available Attributes column are now presented in two categories: attributes that are most Commonly Used, and Other icons that are either less frequently used or are custom attributes that already exist in your environment. You can click on many attributes to see drop-down descriptions and example values. For more information, see the relevant sections in Onboarding a Context Table.

Feature

Description

Microsoft Entra ID Context Tables

You can now create a context table to process user attributes from a Microsoft Entra ID cloud collector. By default, a Microsoft Entra ID context table processes a predetermined set of user attributes from the source collector and maps them to a set of standardized Exabeam target attributes.

For more information, see Microsoft Entra ID Context Tables in the Context Management Administration Guide.

New Delete Context Table API

A new public API has been added to the Context Management service to allow for the deletion of specific context tables. A table ID is required to specify the table for deletion. All table records are deleted. Optionally, unused custom attributes can also be deleted. The new API endpoint is: DELETE /context-management/v1/tables/{id}

For more information about Context Management APIs, see Context Management APIs. To try the new API, see the Exabeam API Reference Guide.

Context Table Attribute Display Enhancements

In an ongoing effort to facilitate efficient context onboarding, several user interface improvements have been implemented.

For creating or editing user context tables, the following improvements have been made to the attribute mapping panel:

You can click on many attributes to see drop-down descriptions and example values.
You can easily see attributes that are calculated, either in form or value, because they are now identified by a Calculated attribute tag. You can also hover over a calculated attribute to see a description of how it's calculated.
You can search for specific attributes in a new search bar at the top of the attribute list, either by the source or the target attribute name.
You can toggle the display of specific attribute columns in your table by clicking the visibility icon () next to a specific attribute in the list.

For creating or editing custom context tables, the following improvements have been made to attribute mapping dialog box:

The attributes in the Available Attributes column are now presented in two categories: attributes that are most Commonly Used, and Other icons that are either less frequently used or are custom attributes that already exist in your environment.
You can click on many attributes to see drop-down descriptions and example values.

For more information, see the relevant sections in Onboarding a Context Table.

October 2023

The following features were introduced in Context Management during October 2023.

Feature

Description

Okta Context Tables

You can now create a context table to process user attributes from an Okta context cloud collector. By default, an Okta context table processes a predetermined set of user attributes from the source collector and maps them to a set of standardized Exabeam target attributes.

For more information, see Okta Context Tables in the Context Management Administration Guide.

User Attribute Renaming

As part of the ongoing evolution of the Exabeam user common information model, the following user attributes have been renamed:

Old Attribute	New Attribute
Object ID	ID
User ID	Primary Login (Email Format)
User	Primary User Name
Email Address	Email Addresses
User Name	Removed - instead use either Primary Login (Email Format) or Primary User Name
Domain NetBIOS	Removed - but still a required configuration to onboard an Active Directory context table

These changes will impact the public APIs, existing context tables, and new context tables, as described below:

Public APIs – Attribute names will be converted automatically to the new names.
Existing Context Tables – The new attribute names are available for use but the old attributes will be retained and marked as custom attributes.
New Context Tables – Only the new attributes will be available by default but old attributes can be defined as custom attributes.

API Endpoint Deprecation

In August, Context Management API endpoints were renamed and moved to a new base URL: context-management/v1. The endpoints at the old base URL, context-collectors/v1, are now deprecated and each of the previous endpoints has been moved to the new base URL. For more information, see Context Management APIs.

September 2023

The following features were introduced in Context Management during September 2023.

Feature	Description
ZeroFox Feed Improvements	Exabeam ingestion of threat intelligence now leverages tags that ZeroFox has recently added to identify IP addresses within large SaaS providers, like Amazon, Google, and Microsoft. Filtering for these IP address ranges improves the quality of the threat intelligence feed and reduces the rate of false positive alerts in downstream Exabeam applications. For information about using threat intelligence in Context Management, see Built-In Threat Intelligence Context Tables.
Threat Intelligence Records Retrieved via API	Records from the following built in threat intelligence context tables can now be retrieved via the Get table records by ID API: Exabeam Threat Intelligence Domains Exabeam Threat Intelligence IPs See the Developer Portal to use this endpoint: GET /context-management/v1/tables/{sourceName}/records For information about these context tables, see Built-In Threat Intelligence Context Tables.
Update to the Email Address Attribute	The Email Address target attribute for Active Directory context records has been updated to extract a set of email addresses from `proxyAddress` and `mail` attributes associated with a user. Note From `proxyAddress` attributes, only the values starting with `smtp` are considered (regardless of case). In the UI, the resulting list is concatenated using colons (:) and is a calculated field (not modifiable). For example, the following list of attribute values: `proxyAddress` Values: SMTP:[email protected] smtp:[email protected] isp:[email protected] `mail` Value: [email protected] Becomes: `[email protected]:[email protected]:[email protected]` For more information about Active Directory attributes, see Default Active Directory Attribute Mapping.

Feature

Description

ZeroFox Feed Improvements

Exabeam ingestion of threat intelligence now leverages tags that ZeroFox has recently added to identify IP addresses within large SaaS providers, like Amazon, Google, and Microsoft. Filtering for these IP address ranges improves the quality of the threat intelligence feed and reduces the rate of false positive alerts in downstream Exabeam applications.

For information about using threat intelligence in Context Management, see Built-In Threat Intelligence Context Tables.

Threat Intelligence Records Retrieved via API

Records from the following built in threat intelligence context tables can now be retrieved via the Get table records by ID API:

Exabeam Threat Intelligence Domains
Exabeam Threat Intelligence IPs

See the Developer Portal to use this endpoint:

GET /context-management/v1/tables/{sourceName}/records

For information about these context tables, see Built-In Threat Intelligence Context Tables.

Update to the Email Address Attribute

The Email Address target attribute for Active Directory context records has been updated to extract a set of email addresses from proxyAddress and mail attributes associated with a user.

Note

From proxyAddress attributes, only the values starting with smtp are considered (regardless of case).

In the UI, the resulting list is concatenated using colons (:) and is a calculated field (not modifiable).

For example, the following list of attribute values:

proxyAddress Values:
- SMTP:[email protected]
- smtp:[email protected]
- isp:[email protected]
mail Value:
- [email protected]

Becomes:

[email protected]:[email protected]:[email protected]

For more information about Active Directory attributes, see Default Active Directory Attribute Mapping.

August 2023

The following features were introduced in Context Management during August 2023.

Feature	Description
Context Management Product Renaming	The Context Collectors service has been renamed as Context Management. This updated name better aligns with the functionality of the service itself. It clarifies the difference between the Context Management service, where context data is processed, and the Site Collector and Cloud Collector services where context data is collected. As part of the product renaming, the following changes have been implemented: On the Exabeam Security Operations Platform home page, Context Management has been recategorized as Security Management (previously part of Collectors). Context collectors are now referred to, more accurately, as context tables. Context Management API endpoints have been renamed and moved to a new base URL: `context-management/v1`. For more information, see Context Management APIs. API key permissions for Context Management have been renamed to Manage Context. For information, see Create an API Key in the API Getting Started Guide. For more information about working with context tables, see the Context Management Administration Guide.
Context Management in Service Health and Consumption Dashboards	Context table health and Context Management service health can now be monitored in the Service Health and Consumption dashboards. Two dashboards are available: Processing Health Details – Displays the health status of your context tables. Application Health Details – Displays the health of the Context Management service itself. For more information, see Context Management in Service Health and Consumption in the Context Management Administration Guide.

Feature

Description

Context Management Product Renaming

The Context Collectors service has been renamed as Context Management. This updated name better aligns with the functionality of the service itself. It clarifies the difference between the Context Management service, where context data is processed, and the Site Collector and Cloud Collector services where context data is collected.

As part of the product renaming, the following changes have been implemented:

On the Exabeam Security Operations Platform home page, Context Management has been recategorized as Security Management (previously part of Collectors).
Context collectors are now referred to, more accurately, as context tables.
Context Management API endpoints have been renamed and moved to a new base URL: context-management/v1. For more information, see Context Management APIs.
API key permissions for Context Management have been renamed to Manage Context. For information, see Create an API Key in the API Getting Started Guide.

For more information about working with context tables, see the Context Management Administration Guide.

Context Management in Service Health and Consumption Dashboards

Context table health and Context Management service health can now be monitored in the Service Health and Consumption dashboards. Two dashboards are available:

Processing Health Details – Displays the health status of your context tables.
Application Health Details – Displays the health of the Context Management service itself.

For more information, see Context Management in Service Health and Consumption in the Context Management Administration Guide.

July 2023

The following features were introduced in Context Management during July 2023.

Feature	Description
Audit Log Integration	Exabeam Audit Log functionality now includes storage of specific context table activities. The following types of context table events can be accessed via the Query Builder in Search: Context source created Context source deleted Context source modified For more information, see Context in Audit Logs in the Context Management Administration Guide.
nETBIOSName Values Required	Inclusion of a nETBIOSName value is now mandatory for Active Directory context tables. This value represents the Active Directory domain name and helps to uniquely identify individual users. You can retrieve a nETBIOSName value by running the following command in the Powershell command line of your domain controller: `Get-ADDomain -Identity <BaseDN>`, where <BaseDN> is the DN value of the site collector that will be the source of the context data. For existing Active Directory context tables that were created before the nETBIOSName value was required, this field will appear empty. You can view the existing table data but cannot edit or update the context table until you add a value to the new netBIOSName field. For more information, see Step 4 of Create an Active Directory Context Table in the Context Management Administration Guide.
Built-in Threat Intelligence Column Name Changes	To increase clarity, some column names have been updated in the following two built-in Exabeam threat intelligence context tables: Exabeam Threat Intelligence Domains Exabeam Threat Intelligence IPs For a list of the column names and descriptions, see View Built-in Context Table Configuration in the Context Management Administration Guide.
API Renaming	Context Management API endpoints are being renamed. To facilitate this change, a new base URL is now available: `context-management/v1`. All of the previously released APIs are available there, as well as any new APIs. The Context Collector APIs are being deprecated and the `context-collector/v1` URL will no longer be supported after 31-OCT-2023. For more information, see End of Life APIs in the Context Management Administration Guide.
New Context Management APIs	The following new Context Management APIs are available: Create a context table with metadata Get the available attributes for a specific context table type Get context table records by ID For more information, see Context Management APIs in the Administration Guide or look up individual endpoints in the Exabeam API Reference Guide.

June 2023

The following features were introduced in Context Management during June 2023.

Feature	Description
Active Directory Context Tables	You can now create a context table to process user attributes from a Microsoft Active Directory site collector. By default, an Active Directory context table pulls a predetermined set of user attributes from the source collector and maps them to a set of standardized Exabeam target attributes. You can also manually map any additional raw data fetched by the source collector. For more information, see Active Directory Context Tables in the Context Management Administration Guide.
Filtered Context Tables	You can now create a custom context table that incorporates user data from an already existing context table. You can filter the data extracted from the connected source table by defining a set of conditions. With this functionality, you can create smaller tables that can be leveraged in downstream processes to focus on specific subsets of your data. For more information, see Working with Filtered Context Tables in the Context Management Administration Guide.

Feature

Description

Active Directory Context Tables

You can now create a context table to process user attributes from a Microsoft Active Directory site collector. By default, an Active Directory context table pulls a predetermined set of user attributes from the source collector and maps them to a set of standardized Exabeam target attributes. You can also manually map any additional raw data fetched by the source collector.

For more information, see Active Directory Context Tables in the Context Management Administration Guide.

Filtered Context Tables

You can now create a custom context table that incorporates user data from an already existing context table. You can filter the data extracted from the connected source table by defining a set of conditions. With this functionality, you can create smaller tables that can be leveraged in downstream processes to focus on specific subsets of your data.

For more information, see Working with Filtered Context Tables in the Context Management Administration Guide.

February 2023

The following features were introduced in Context Management during February 2023.

Feature	Description
Context Management APIs	You can now manage certain aspects of Context Management programmatically through Exabeam Open APIs. With an API key that has Manage Context Tables permissions, you can access the following APIs: Retrieve metadata for all existing context tables Retrieve metadata for a single context table Add records to an existing context table by uploading a CSV file Add records to an existing context table by including a JSON payload Track ingestion progress For more information, see Context Management APIs in the Administration Guide or look up individual endpoints in the Exabeam API Reference Guide.

Feature

Description

Context Management APIs

You can now manage certain aspects of Context Management programmatically through Exabeam Open APIs. With an API key that has Manage Context Tables permissions, you can access the following APIs:

Retrieve metadata for all existing context tables
Retrieve metadata for a single context table
Add records to an existing context table by uploading a CSV file
Add records to an existing context table by including a JSON payload
Track ingestion progress

For more information, see Context Management APIs in the Administration Guide or look up individual endpoints in the Exabeam API Reference Guide.

January 2023

The following features were introduced in Context Management during January 2023.

Feature	Description
Expanded Integration with Search and Correlation Rules	Context data is now integrated with Correlation Rules. In addition, access to context data has been expanded in both Search and Correlation Rules. Previously, context data lookup was limited to event fields enriched with specific threat intelligence data. That access has been expanded. You can now use a new Add Context List option to add a custom context table to a search query. When the query runs it will search for events that include values found in the key field column of the selected context table. For more information, see Using Context Data in Downstream Application.

Feature

Description

Expanded Integration with Search and Correlation Rules

Context data is now integrated with Correlation Rules. In addition, access to context data has been expanded in both Search and Correlation Rules. Previously, context data lookup was limited to event fields enriched with specific threat intelligence data. That access has been expanded.

You can now use a new Add Context List option to add a custom context table to a search query. When the query runs it will search for events that include values found in the key field column of the selected context table.

For more information, see Using Context Data in Downstream Application.

Context ManagementContext Management Release Notes

Table of ContentsTable of Contents