Threat Intelligence Enrichment
Threat intelligence data is available to the Search application from the Context Management service. Context Management provides different types of threat intelligence context tables:
Pre-built context tables include Exabeam-provided, curated threat intelligence data about known malicious domains and IP addresses. For information about these context tables, see Pre-Built Threat Intelligence Context Tables. The following context tables are included:
Exabeam Threat Intelligence Domains — Collects data about known malicious domains.
Exabeam Threat Intelligence IPs — Collects data about known malicious IP addresses.
STIX/TAXII-based context tables are tables that provide external threat intelligence data from any log source that supports the STIX/TAXII framework. For more information about these context tables, see STIX/TAXII Context Tables. Pre-configured formats may be available for some external log sources in the Context Management service.
Note
STIX/TAXII context tables are available as part of a Cloud Collector Early Access program. During the early access period, you can access this functionality for STIX/TAXII context tables only if you participate in the program. To participate, see Sign Up for the Early Access Program in the Cloud Collectors Administration Guide.
The Context Management service injects indicators of compromise (IOC) tags into event logs. When added to events, these enriched IOC fields mark the event records as having specific characteristics that may be evidence of a security breach.
As event records are ingested, they are validated against existing threat intelligence data, and are marked with IOC metadata.
You can use the following fields to build queries and reports that leverage enriched IOC information:
is_ioc — (boolean) Set to true whenever a parsed field value in the event record matches a threat intelligence data source.
ioc_types — (array of strings) Populated with the IOC types that matched, such as IP_trojan, Domain_ransomware, etc.
ioc_fields — (array of strings) Populated with the names of the event fields whose values matched threat intelligence data, such as src_ip, host, etc.
ioc_sources — (array of strings) Populated with the names of the log sources from which the data marked as an IOC was ingested.
When using the Basic search mode, you can select the IOC fields from the Common event fields list to include them in a query.
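The enrichment described above, as an added, self-contained illustration that is not Exabeam's code or data: two constructed context tables stand in for the pre-built Domains and IPs tables, a small mapping decides which parsed event fields are validated against which table, and each event comes back carrying is_ioc, ioc_types, ioc_fields and ioc_sources. The table contents, the field mapping, the sample events and the choice to populate ioc_sources with the name of the matching context table are all assumptions made for the example. A second function shows the kind of filter a query on the enriched fields performs.

```python
"""Toy IOC enrichment: tag parsed events against threat-intelligence context tables.

Constructed example; the tables, field mapping, sample events and the reading of
ioc_sources are assumptions, not Exabeam's data or implementation.
"""

# Constructed stand-ins for the two pre-built context tables. Each entry maps an
# indicator to (IOC type, name of the table it came from). Values are made up.
THREAT_INTEL_DOMAINS = {
    "update-check.example.net": ("Domain_ransomware", "Exabeam Threat Intelligence Domains"),
    "cdn.example.org": ("Domain_malware", "Exabeam Threat Intelligence Domains"),
}
THREAT_INTEL_IPS = {
    "198.51.100.23": ("IP_trojan", "Exabeam Threat Intelligence IPs"),
}

# Assumed mapping of parsed event fields to the table they are validated against.
IP_FIELDS = ("src_ip", "dest_ip")
DOMAIN_FIELDS = ("host", "dest_host")


def _append_unique(lst, item):
    """Keep the arrays free of duplicates while preserving first-seen order."""
    if item not in lst:
        lst.append(item)


def enrich(event):
    """Return a copy of `event` carrying is_ioc, ioc_types, ioc_fields, ioc_sources.

    Every field in IP_FIELDS / DOMAIN_FIELDS is looked up in its table; a hit
    records the IOC type, the matching field name and the table name. Domains
    are lower-cased and stripped of a trailing dot before lookup so that
    "UPDATE-CHECK.example.net." still matches (assumed normalisation).
    """
    out = dict(event)
    ioc_types, ioc_fields, ioc_sources = [], [], []
    lookups = [
        (IP_FIELDS, THREAT_INTEL_IPS, lambda v: v.strip()),
        (DOMAIN_FIELDS, THREAT_INTEL_DOMAINS, lambda v: v.strip().lower().rstrip(".")),
    ]
    for names, table, normalise in lookups:
        for name in names:
            value = event.get(name)
            if not value:
                continue
            hit = table.get(normalise(str(value)))
            if hit is None:
                continue
            ioc_type, source = hit
            _append_unique(ioc_types, ioc_type)
            _append_unique(ioc_fields, name)
            _append_unique(ioc_sources, source)
    out["is_ioc"] = bool(ioc_fields)
    out["ioc_types"] = ioc_types
    out["ioc_fields"] = ioc_fields
    out["ioc_sources"] = ioc_sources
    return out


def search_ioc(events, ioc_type=None, ioc_field=None):
    """Mimic a query on the enriched fields: is_ioc = true, optionally narrowed
    to one IOC type and/or one matching field name."""
    hits = []
    for ev in events:
        if not ev.get("is_ioc"):
            continue
        if ioc_type and ioc_type not in ev["ioc_types"]:
            continue
        if ioc_field and ioc_field not in ev["ioc_fields"]:
            continue
        hits.append(ev)
    return hits


# Constructed sample events, already parsed into fields.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dest_ip": "198.51.100.23", "host": "intranet.corp.local"},
    {"id": 2, "src_ip": "10.0.0.8", "dest_ip": "93.184.216.34", "host": "UPDATE-CHECK.example.net."},
    {"id": 3, "src_ip": "10.0.0.9", "dest_ip": "10.0.0.1", "host": "fileserver.corp.local"},
]

ENRICHED = [enrich(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev in ENRICHED:
        print(ev["id"], ev["is_ioc"], ev["ioc_types"], ev["ioc_fields"], ev["ioc_sources"])
    print("IP_trojan hits:", [ev["id"] for ev in search_ioc(ENRICHED, ioc_type="IP_trojan")])
```

Event 1 is tagged through dest_ip, event 2 through host despite the upper-case, trailing-dot spelling, and event 3 stays is_ioc = false with empty arrays; the filter call at the end returns only event 1. In a real query the same narrowing is expressed on the is_ioc, ioc_types and ioc_fields fields rather than in Python.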