Threat Intelligence Enrichment
Threat intelligence data is available to Search from the Context Management service, which includes the following built-in intelligence tables:
Exabeam Threat Intelligence Domains: collects data about known malicious domains.
Exabeam Threat Intelligence IPs: collects data about known malicious IP addresses.
For information about these context tables, see Built-in Threat Intelligence Context Tables.
The Context Management service injects indicator of compromise (IOC) tags into event logs. Fields are added to events to hold tags that mark a record as having characteristics that match known indicators of compromise.
As event records are ingested, their parsed field values are checked against the existing threat intelligence data, and records that match are marked with IOC metadata.
You can select the following metadata fields from the MetadataCustom fields list when using Assisted Search:
is_ioc (boolean): populated with true whenever a parsed field value in the event record matches a threat intelligence data source. It is set only on matching events, so query for is_ioc = true rather than relying on a false value.
ioc_types (array of strings): populated with the IOC types of the matching indicators, such as IP_trojan or Domain_ransomware.
ioc_fields (array of strings): populated with the names of the event fields whose values matched threat intelligence data, such as src_ip or host.
Use these pre-populated IOC fields to build queries and reports, for example to list every event whose src_ip matched an indicator, or to break down matching events by ioc_types.
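The following added example, which is not part of the Exabeam documentation or product code, models the enrichment described above so you can see exactly what the three fields contain for a given event. The two threat intelligence tables are constructed stand-ins for the built-in Domains and IPs context tables, the sample events are constructed, and the choice of which parsed fields are checked (src_ip and dest_ip against the IP table, host and dest_host against the domain table), the normalization of domain values, and the exact-match rule are assumptions for illustration; the page does not specify how the real service matches or which fields it inspects. The final helper mirrors the kind of query you would build on the enriched fields.

```python
from ipaddress import ip_address

# Constructed stand-ins for the built-in threat intelligence context tables.
# Each indicator maps to an IOC type in the style the page shows (IP_trojan, Domain_ransomware).
THREAT_INTEL_IPS = {
    "203.0.113.10": "IP_trojan",
    "198.51.100.7": "IP_c2",
}
THREAT_INTEL_DOMAINS = {
    "evil-update.example": "Domain_ransomware",
    "login-verify.example": "Domain_phishing",
}

# Assumption: which parsed event fields are checked against which table.
IP_FIELDS = ("src_ip", "dest_ip")
DOMAIN_FIELDS = ("host", "dest_host")


def _normalize_ip(value):
    """Return the canonical IP string, or None if the value is not an IP address."""
    try:
        return str(ip_address(value.strip()))
    except ValueError:
        return None


def _normalize_domain(value):
    """Lower-case and drop a trailing dot so 'Evil.Example.' matches 'evil.example'."""
    return value.strip().lower().rstrip(".")


def enrich(event):
    """Return a copy of the event with is_ioc / ioc_types / ioc_fields added on a match.

    Non-matching events are returned without the IOC fields, mirroring the page's
    statement that is_ioc is populated (true) only when a field value matches.
    """
    ioc_types = []
    ioc_fields = []
    for field in IP_FIELDS:
        raw = event.get(field)
        ip = _normalize_ip(raw) if isinstance(raw, str) else None
        if ip in THREAT_INTEL_IPS:
            ioc_types.append(THREAT_INTEL_IPS[ip])
            ioc_fields.append(field)
    for field in DOMAIN_FIELDS:
        raw = event.get(field)
        domain = _normalize_domain(raw) if isinstance(raw, str) else None
        if domain in THREAT_INTEL_DOMAINS:
            ioc_types.append(THREAT_INTEL_DOMAINS[domain])
            ioc_fields.append(field)

    enriched = dict(event)
    if ioc_fields:
        enriched["is_ioc"] = True
        # Deduplicate types while keeping discovery order.
        enriched["ioc_types"] = list(dict.fromkeys(ioc_types))
        enriched["ioc_fields"] = ioc_fields
    return enriched


def enrich_all(events):
    return [enrich(e) for e in events]


def filter_ioc(events, ioc_type=None, ioc_field=None):
    """Query helper over enriched events: only IOC-tagged records, optionally narrowed
    to a given IOC type or to matches on a given event field."""
    result = []
    for e in enrich_all(events):
        if not e.get("is_ioc"):
            continue
        if ioc_type is not None and ioc_type not in e["ioc_types"]:
            continue
        if ioc_field is not None and ioc_field not in e["ioc_fields"]:
            continue
        result.append(e)
    return result


# Constructed sample events (not real log data).
EVENTS = [
    {"event_id": 1, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "host": "evil-update.example"},
    {"event_id": 2, "src_ip": "10.0.0.6", "dest_ip": "192.0.2.44", "host": "intranet.corp.example"},
    {"event_id": 3, "src_ip": "198.51.100.7", "host": "Login-Verify.example."},
    {"event_id": 4, "src_ip": "not-an-ip"},
]

if __name__ == "__main__":
    for e in enrich_all(EVENTS):
        print(e["event_id"], e.get("is_ioc"), e.get("ioc_types"), e.get("ioc_fields"))
```

Event 1 matches on two different fields, so ioc_fields carries both field names and ioc_types carries one type per matched indicator; event 3 shows why normalization matters before lookup; events 2 and 4 carry no IOC fields at all, which is why a query should test for is_ioc = true rather than for its absence. A match only means the value appeared in a threat intelligence table, so treat it as a lead to investigate, not as confirmed compromise.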