- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Dashboard Visualizations
Context Tables in Search
When using Search, you can select up to two context tables to include in your query and you can select one column from each context table. By including context tables in a search query, you can search inside any field and compare the values to values in context tables. Search performs a data type validation between the field you select and the content within the selected context tables.
For specific steps to add context tables to a search query, see the following sections below:
Note
Context table names are used instead of IDs, so a saved search will stop working if it uses a context table, and that table is renamed.
The rules below apply when using context tables in a search:
You cannot use a context table that has more than 100,000 rows. If a context table is larger than this, it will not show up in the context table list, available for selection.
You can include both user and device context tables in a search.
You can use the following types of context tables in Search:
STIX/TAXII-based Threat Intelligence context tables that include data from external sources that support the STIX/TAXII framework
Note
The option to specify a column is not available when including a STIX/TAXII context table in a search query.
Pre-built Threat Intelligence context tables that include data from an Exabeam-provided, curated source
Note
The option to specify a column is not available when including a pre-built threat intelligence context table in a search query.
Non-Threat Intelligence pre-built context tables
Note
Currently, the New-Scale Analytics set of pre-built context tables can only be accessed if you have the New-Scale Analytics License.
There must be at least one entry in the context table in order for search results to be returned.
Context table lookup is only available for fields that are of a string-like type (string, ip, email, etc.) or number type (number, integer). It is not available for other types (Boolean, time, etc).
Note
Context search performs case insensitive, exact match searching and NOT token searching. For example, searching for an ID of "james" will return results for "james", "James", and "JAMES".
You can use a maximum of two context table lookups per search query and you can select any single column from each table.
Context table lookups can only be added to a query with AND or AND NOT logic.
Context table lookups are are limited to a 30 day sliding window.
There are several restrictions when using context tables in a search based on the license you hold:
The search query time range must be within the number of months in your license, plus additional months if you are subscribed to any extended retention add-ons.
Note
If the search query is beyond the allowed time range, you will not be able to use a context table and will see a message explaining that the time range is beyond the allowed period.
If your license restricts the use of third party logs:
and you have an Exabeam Security Analytics license, your query will only return the first 10 events from third party logs.
and you have an Exabeam Security Investigation license, you will have 7 days of full search, and then will be restricted to the first 10 events from third party logs.
Add a Context Table in Basic Search
To add a context table to a basic search query:
Initiate a basic search as normal:
Select the
Basicoption in the Search mode drop down menu.Click in the search bar to open the query builder.
Select a field to search on. The field configuration panel opens. You can use the Search panel across the top to find the desired field.
The field filter panel opens.
At the top of the panel select the AND or AND NOT operator depending on whether you want to include or exclude values that meet the filter criteria you are going to define. In the case of context tables, the AND operator will include values from the table in search results and the AND NOT operator will exclude values in the table from the search results.
Click the In Context Table button. The following drop down fields are displayed and you can use them to select a context table and a column:
Context Table – Select a context table in which you want to search for results. A preview of the first few rows in the table is displayed.
Table Column – By default, the key field in the context table is selected as the column in which to search for values. To select a different column, either click the arrow in the drop down field and select a different column, or in the preview of the context table, click the column heading of a different column. Only one column can be selected.
Click Add to Query. The selected field with the context table filter is added to the search bar.
To add a second context table to the search query, repeat the process in steps 1 - 3 to add another.
Add a Context Table in Advanced Search
To add a context table to an advanced search query:
Initiate an advanced search by selecting the
Advancedoption in the Search mode drop down menu.Use the following syntax to add a context table and column name to the query:
IN "table name"."column name"Example:
To add a second context table to the search query, use an AND operator.
Example:
For more information, and example syntax for using context tables in advanced searches, see Query by Context Table.