Context Operations Using Analytics Rule Syntax

Evaluate and retrieve data from context tables using analytics rule syntax.

Each function is listed with its description, returned value, and examples.

ContextListContains('table', value)

Description: Checks whether the context table table contains value. Returns false if the context table doesn't exist or is unsupported.

Returned Value: Boolean

Examples:

ContextListContains('CompanyNames', Exabeam) returns true if Exabeam exists in the CompanyNames context table.

ContextListContains('SuspiciousDomains', getDomainFromURL(url)) returns true if url is http://malicious.com/phishing and the domain malicious.com is in the SuspiciousDomains context table.

GetDynamicContextAttribute(key, value)

Description: COMING SOON

Returned Value: COMING SOON

Examples: COMING SOON

contextGetValue('table', 'column', 'key_value')

Description: Retrieves the value under column for a corresponding key_value in context table table.

table can be any pre-built or custom context table except a STIX/TAXII context table.

key_value must be an exact match.

Returned Value: The value under column

Examples:

contextGetValue('Exabeam Threat Intelligence IPs', 'Threat Category', '102.211.56.20') returns 'TOR IP'

GetContextAttribute(T, K, A)

Description: Returns the value of an attribute column, A, from whichever row matches K in the key column of context table T.

Note: Finding the attribute_id for the A Input

The A input for the GetContextAttribute expression must be represented by the attribute_id of a column in the context table, and not by the display name in the column header in the Context Management UI. The mapping of attribute_id to column names is not available in the Context Management UI.

To find an attribute_id, navigate to the GET /context-management/v1/tables API endpoint in the Exabeam Developers Portal. Run this API to return a list of metadata for the context tables in your environment, including attribute mapping. Select the appropriate attribute_id for the column you want to represent in the A input for the GetContextAttribute expression.

For information about this API endpoint, and for links to other resources about running Exabeam public APIs, see Context Management APIs.

Returned Value: The value of attribute column A.

Examples:

GetContextAttribute('AD Users', '8229faf6-7de1-4cf1-99b8-2c5c1d515bd1', 'bWeYC3dG7H')

Result: Looks in the key column of the AD Users context table (the ID column). Finds the row where the key column value is 8229faf6-7de1-4cf1-99b8-2c5c1d515bd1. Returns the value, from the same row, for the column whose attribute_id is bWeYC3dG7H.
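The attribute_id lookup described in the note above can be scripted once the output of GET /context-management/v1/tables has been saved. The following is an added example, not Exabeam's code: it assumes the response is a JSON list of tables with name and attributes fields, where each attribute has id and displayName (assumed field names, adjust them to the real response), and the Department column and all ids other than bWeYC3dG7H are constructed.

```python
import json

# Constructed sample metadata. The field names ("name", "attributes", "id",
# "displayName") are assumptions about the response shape, and the
# "Department" column name is made up for this example.
SAMPLE_TABLES_JSON = """
[
  {"name": "AD Users", "attributes": [
      {"id": "aK3xQ9pL2m", "displayName": "ID"},
      {"id": "bWeYC3dG7H", "displayName": "Department"}]},
  {"name": "CompanyNames", "attributes": [
      {"id": "zT5rN8vB1c", "displayName": "Name"}]}
]
"""
TABLES = json.loads(SAMPLE_TABLES_JSON)


def attribute_id(tables, table_name, column_name):
    """Return the attribute_id behind a column's display name in one table."""
    matches = [t for t in tables if t.get("name") == table_name]
    if len(matches) != 1:
        raise LookupError(
            f"expected one table named {table_name!r}, found {len(matches)}")
    ids = [a["id"] for a in matches[0].get("attributes", [])
           if a.get("displayName") == column_name]
    # Refuse to guess when the display name is missing or ambiguous.
    if len(ids) != 1:
        raise LookupError(
            f"expected one column {column_name!r} in {table_name!r}, found {len(ids)}")
    return ids[0]


def build_expression(tables, table_name, key, column_name):
    """Build GetContextAttribute(T, K, A) with A given as the attribute_id."""
    for value in (table_name, key):
        # A stray quote would change the meaning of the rule expression.
        if "'" in value:
            raise ValueError(f"single quote in {value!r} is not allowed")
    attr = attribute_id(tables, table_name, column_name)
    return f"GetContextAttribute('{table_name}', '{key}', '{attr}')"


if __name__ == "__main__":
    print(build_expression(TABLES, "AD Users",
                           "8229faf6-7de1-4cf1-99b8-2c5c1d515bd1", "Department"))
```

The key is treated as a literal string here, as in the page's example.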