Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides the most commonly used incident and indicator fields and types.
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
| Name | Description |
|---|---|
Org Level 1 | |
Mobile Phone | |
Policy ID | |
End Time | The time when the offense ended. |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Alert ID | Alert ID as received from the integration JSON |
Parent CMD line | |
Username | The username of the account who logged in. |
Parent Process MD5 | |
Technical Owner Contact | The contact details for the technical owner. |
First Seen | |
Cloud Instance ID | Cloud Instance ID |
External Sub Category ID | |
Report Name | |
Cloud Account ID | |
Alert Category | The category of the alert |
Region ID | |
Password Reset Successfully | Whether the password has been successfully reset. |
Rating | |
Alert Attack Time | |
Objective | |
Risk Name | |
Mobile Device Model | |
Approver | The person who approved or needs to approve the request. |
Assignment Group | |
CVSS | |
OS Type | OS Type |
OS Version | OS Version |
Alert Rules | |
Changed | The user who changed this incident |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Bugtraq | |
Related Campaign | |
Device Id | Device Id |
Account Name | Account Name |
Full Name | Person's Full Name |
Source External IPs | |
Resource Type | |
Error Message | The error message that contains details about the error that occurred. |
Subtype | Subtype |
External Category ID | |
Employee Manager Email | The email address of the employee's manager. |
Process Paths | |
Closing Reason | The closing reason |
IP Reputation | |
Additional Data | |
Identity Type | |
Vulnerability Category | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Device OS Version | |
Policy URI | |
Device OS Name | |
Protocol | Protocol |
Detection End Time | |
Verdict | |
External Start Time | |
Description | The description of the incident |
Registry Value Type | |
Sub Category | The sub category |
Policy Deleted | |
External Link | |
Approval Status | The status for the approval of the request. |
Process SHA256 | |
External Category Name | |
Source Geolocation | The source geolocation of the event. |
Blocked Action | Blocked Action |
Cloud Region List | |
MITRE Technique ID | |
Usernames | The username in the event. |
OS | The operating system. |
Src | Source |
URLs | |
Dest | Destination |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Event Names | The event name (translated QID) in the event. |
Device Local IP | Device Local IP |
Parent Process SHA256 | |
Users Details | |
MITRE Technique Name | |
Block Indicators Status | |
Event ID | Event ID |
Location | Location |
Command Line | Command Line |
Personal Email | |
Device Internal IPs | |
Registry Key | |
Event Type | Event Type |
Account ID | |
State | State |
Raw Event | The unparsed event data. |
Operation Name | |
Protocol names | |
Parent Process File Path | |
Process MD5 | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
RemovedFromCampaigns | |
Assigned User | Assigned User |
Parent Process Name | |
Ticket Acknowledged Date | |
Srcs | The source values. |
Suspicious Executions Found | |
Closing User | The closing user. |
Detected User | |
Post Nat Destination IP | The destination IP address after NAT. |
Sensor Name | |
SSDeep | |
Compliance Notes | Notes regarding the asset's compliance. |
MITRE Tactic Name | |
Policy Details | |
Traffic Direction | The direction of the traffic in the event. |
Account Member Of | |
Device External IP | Device External IP |
File Path | |
similarIncidents | |
Source Network | |
Low Level Categories Events | The low level category of the event. |
Destination Networks | |
Additional Email Addresses | |
Post Nat Destination Port | The destination port after NAT. |
Referenced Resource ID | |
Post Nat Source IP | The source IP address after NAT. |
File Creation Date | |
Ticket Closed Date | |
Additional Indicators | |
File MD5 | |
Org Level 2 | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Destination IPV6 | The destination IPV6 address. |
Last Modified By | |
Log Source Name | The log source name associated with the event. |
High Risky Users | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Parent Process Path | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
userAccountControl | userAccountControl |
Device Name | Device Name |
File SHA1 | |
Process Creation Time | |
Domain Updated Date | |
Source MAC Address | The source MAC address in an event. |
Log Source | Log Source |
Policy Recommendation | |
Registry Value | |
Pre Nat Source IP | The source IP before NAT. |
Comment | The comments related to the incident. |
Country | The country from which the user logged in. |
CMD line | |
Registration Email | |
Policy Actions | |
Child Process | |
Triggered Security Profile | Triggered Security Profile |
External Confidence | |
Number of similar files | |
Src OS | Src OS |
Dest OS | Destination OS |
User Agent | |
Source Category | |
UUID | UUID as received from the integration JSON |
Selected Indicators | Includes the indicators selected by the user. |
Src NT Domain | Source NT Domain |
Post Nat Source Port | The source port after NAT. |
Log Source Type | The log source type associated with the event. |
Rule Name | The name of a YARA rule |
Group ID | |
External Sub Category Name | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Users | |
External System ID | |
ASN | |
Close Time | The closing time. |
Dest Hostname | Destination hostname |
Verification Status | The status of the user verification. |
Surname | Surname |
Manager Email Address | |
DNS Name | The DNS name of the asset. |
Number Of Found Related Alerts | The number of related alerts found with medium or higher severity. |
Triage SLA | The time it took to investigate and enrich incident information. |
Parent Process IDs | |
Cloud Service | |
CMD | |
Leadership | |
SHA1 | SHA1 |
Detection Update Time | |
User Anomaly Count | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Hostnames | The hostname in the event. |
Parent Process | |
Endpoint | |
User Engagement Response | |
Alert Source | |
Org Level 3 | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Primary Email Address | |
Cost Center Code | Cost Center Code |
Investigation Stage | The stage of the investigation. |
EmailCampaignSummary | |
Cost Center | Cost Center |
Device OU | Device's OU path in Active Directory |
High Level Categories | The high level categories in the events. |
Destination IPs | The destination IPs of the event. |
Policy Severity | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Categories | The categories for the incident. |
Is Active | Alert status |
Tool Usage Found | |
Containment SLA | The time it took to contain the incident. |
Source Created By | |
Src User | Source User |
Technical User | The technical user of the asset. |
Destination Port | The destination port used. |
Region | |
Source Status | |
Affected Users | |
External Status | |
Exposure Level | |
First Name | First Name |
Destination Hostname | Destination hostname |
Detected Users | Detected users |
Zip Code | Zip Code |
Device Hash | Device Hash |
Source Networks | |
Source Create time | |
SKU TIER | |
Registry Hive | |
Event Descriptions | The description of the event name. |
Vendor ID | |
Pre Nat Destination Port | The destination port before NAT. |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Scenario | |
Internal Addresses | |
City | |
Risk Score | |
Detected External Hosts | Detected external hosts |
Isolated | Isolated |
External Severity | |
Affected Hosts | |
Source Id | |
User Block Status | |
Rendered HTML | The HTML content in a rendered form. |
Cloud Resource List | |
Detected Internal IPs | Detected internal IPs |
Application Path | |
Threat Hunting Detected Hostnames | |
IncomingMirrorError | |
Protocol - Event | The network protocol in the event. |
Resource Name | |
Alert Action | Alert action as received from the integration JSON |
Similar incidents Dbot | |
Project ID | |
EmailCampaignSnippets | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
User Id | User Id |
Incident Link | |
Title | Title |
Destination Geolocation | The destination geolocation of the event. |
Last Seen | |
Dst Ports | The destination ports of the event. |
Country Code Number | |
Domain Name | |
Parent Process CMD | |
File Relationships | |
OutgoingMirrorError | |
File SHA256 | |
Endpoints Details | |
Technique ID | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Detected IPs | |
Custom Query Results | |
Audit Logs | |
Detection ID | |
Vendor Product | |
PID | PID |
Events | The events associated with the offense. |
Policy Remediable | |
Street Address | |
Attack Mode | Attack mode as received from the integration JSON |
Use Case Description | |
Job Family | Job Family |
User Creation Time | |
Status Reason | |
App message | |
Employee Display Name | The display name of the employee. |
Tactic | |
Category Count | The number of categories that are associated with the offense. |
Application Id | Application Id |
Destination IP | The IP address the impossible traveler logged in to. |
Tools | |
Risk Rating | |
Source Port | The source port that was used |
Campaign Name | |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Attack Patterns | |
Ticket Opened Date | |
List Of Rules - Event | The list of rules associated with an event. |
Source IPV6 | The source IPV6 address. |
Detected Internal Hosts | Detected internal hosts |
Process Names | |
Agents ID | |
Job Function | Job Function |
Process CMD | |
Cloud Operation Type | |
Device MAC Address | |
Threat Hunting Detected IP | |
Related Report | |
Source IPs | The source IPs of the event. |
Tags | |
Tactic ID | |
Country Name | Country Name |
Technique | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Error Code | |
Hunt Results Count | |
Device Status | |
Location Region | Location Region |
Acquisition Hire | |
Agent Version | Reporting Agent/Sensor Version |
Email Sent Successfully | Whether the email has been successfully sent. |
High Risky Hosts | |
Reporter Email Address | The email address of the user who reported the email. |
Timezone | |
CVE ID | |
Vulnerable Product | |
Unique Ports | |
Source Updated by | |
File Hash | |
Tenant Name | Tenant Name |
CVE | |
Source Username | The username that was the source of the attack. |
Agent ID | Agent ID |
Application Name | Application Name |
Display Name | Display Name |
sAMAccountName | User sAMAccountName |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Process Path | |
IP Blocked Status | |
Duration | |
SHA256 | SHA256 |
Ticket Number | |
File Paths | |
Policy Type | |
Start Time | The time when the offense started. |
EmailCampaignCanvas | |
Process ID | |
Threat Family Name | The threat family name associated with the attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
File Size | File Size |
User Groups | |
Technical Owner | The technical owner of the asset. |
Asset ID | |
Signature | |
User Risk Level | |
Alert URL | Alert URL as received from the integration JSON |
File Name | |
Given Name | Given Name |
Asset Name | |
Device External IPs | |
Caller | |
Source IP | The IP Address that the user initially logged in from. |
SKU Name | |
SHA512 | SHA512 |
Related Alerts | |
Command Line Verdict | |
String Similarity Results | |
Alert Type ID | |
External ID | |
Source Urgency | Source Urgency |
Department | Department |
Resource ID | |
Source Priority | |
Last Name | Last Name |
Appliance Name | Appliance name as received from the integration JSON |
MAC Address | MAC Address |
Src Ports | The source ports of the event. |
Password Changed Date | |
App | |
Team name | |
File Names | |
Device Username | The username of the user that owns the device |
Last Update Time | |
Source Hostname | The hostname that performed the port scan. |
EmailCampaignMutualIndicators | |
External Last Updated Time | |
Item Owner Email | |
ASN Name | |
Pre Nat Source Port | The source port before NAT. |
MD5 | MD5 |
Escalation | |
Sensor IP | |
Appliance ID | Appliance ID as received from the integration JSON |
app channel name | |
User SID | |
Policy Description | |
Detected Endpoints | |
Destination Network | |
Birthday | Person's Birthday |
Alert Malicious | Whether the alert is malicious. |
Dest NT Domain | Destination NT Domain |
Org Unit | |
CVE Published | |
Device Time | The time from the original logging device when the event occurred. |
Job Code | Job Code |
Phone Number | Phone number |
Alert Name | Alert name as received from the integration JSON |
Process Name | |
Employee Email | The email address of the employee. |
Work Phone | |
Domain Registrar Abuse Email | |
External Addresses | |
Suspicious Executions | |
Protocols | |
File Access Date | |
Dsts | The destination values. |
Related Endpoints | |
Alert tags | |
Referenced Resource Name | |
External End Time | |
Number Of Log Sources | The number of log sources related to the offense. |
Manager Name | Manager Name |
Item Owner | |
MITRE Tactic ID | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Account Status | |
Number of Related Incidents | |
Detected External IPs | Detected external IPs |
Classification | Incident Classification |
Src Hostname | Source hostname |
Device Model | Device Model |
Verification Method | The method used to verify the user. |
Last Modified On | |
Destination MAC Address | The destination MAC address in an event. |
Follow Up | True if marked for follow up. |
Endpoint Isolation Status | |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Country Code | |
Resource URL | |
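The "Failed Logon Events" and "Failed Logon Events Timeframe" fields above are meant to be read together: one holds a count, the other the window the count was taken over. The following is an added example, not part of the Content Pack, showing how an automation could derive both values from authentication events before writing them to an incident. The event list is constructed sample data, the window length and the "start - end" timeframe format are assumptions, and the returned dictionary is keyed by the fields' display names rather than by any internal field identifier.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the page):
# (ISO-8601 UTC timestamp, username, outcome). A real automation
# would pull these from a SIEM query for the user under investigation.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05Z", "jdoe", "failure"),
    ("2024-03-01T09:00:40Z", "jdoe", "failure"),
    ("2024-03-01T09:01:10Z", "jdoe", "failure"),
    ("2024-03-01T09:01:30Z", "asmith", "success"),
    ("2024-03-01T09:02:00Z", "jdoe", "failure"),
    ("2024-03-01T09:45:00Z", "jdoe", "failure"),
    ("2024-03-01T09:46:00Z", "jdoe", "success"),
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _parse(ts):
    return datetime.strptime(ts, TS_FORMAT)


def failed_logon_fields(events, username, window_minutes=5):
    """Return (count, timeframe) for the user's densest burst of failures.

    count     -> value for "Failed Logon Events"
    timeframe -> value for "Failed Logon Events Timeframe", as
                 "<first failure> - <last failure>" of that burst
    (0, "") is returned when the user has no failed logons at all.
    """
    failures = sorted(
        _parse(ts) for ts, user, outcome in events
        if user == username and outcome == "failure"
    )
    if not failures:
        return 0, ""

    window = timedelta(minutes=window_minutes)
    best_count, best_start, best_end = 0, None, None
    j = 0
    # Sliding window: for each failure as the window start, advance j to the
    # first failure that falls outside start + window. Both indices only move
    # forward, so the whole scan is linear in the number of failures.
    for i, start in enumerate(failures):
        while j < len(failures) and failures[j] - start <= window:
            j += 1
        count = j - i
        if count > best_count:
            best_count, best_start, best_end = count, start, failures[j - 1]

    timeframe = f"{best_start.strftime(TS_FORMAT)} - {best_end.strftime(TS_FORMAT)}"
    return best_count, timeframe


def build_incident_fields(events, username, window_minutes=5):
    """Assemble the field values an automation would set on the incident.
    Keys are the display names from the field table (assumed; an actual
    automation would use the fields' internal identifiers)."""
    count, timeframe = failed_logon_fields(events, username, window_minutes)
    return {
        "Username": username,
        "Failed Logon Events": count,
        "Failed Logon Events Timeframe": timeframe,
    }


if __name__ == "__main__":
    print(build_incident_fields(SAMPLE_EVENTS, "jdoe"))
```

With the sample data and the default 5-minute window, the four failures between 09:00:05 and 09:02:00 form the densest burst, so the count is 4 and the later isolated failure at 09:45:00 is excluded; widening the window to 60 minutes pulls it in and the count becomes 5. Reporting the window alongside the count is what keeps the number meaningful to an analyst reading the incident.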
| Name | Description |
|---|---|
Defacement | |
Reconnaissance | |
Policy Violation | |
Lateral Movement | |
DoS | |
Vulnerability | |
Exfiltration | |
UnknownBinary | |
C2Communication | |
Simulation | |
Exploit | |
Job | |
Indicator Feed | |
Network | |
Authentication | |
Hunt | |
| Name | Description |
|---|---|
Signature File Version | |
Entry ID | |
Domain Name | |
Serial Number | |
PEM | Certificate in PEM format. |
STIX Description | |
Job Code | Job Code |
Admin Phone | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Org Level 2 | |
DNS Records | |
Title | Title |
Certificate Signature | |
SSDeep | |
Registrant Name | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Org Level 1 | |
Key Value | |
Detections | |
Community Notes | |
Source Priority | |
Groups | |
Admin Name | |
Is Malware Family | |
Subject Alternative Names | |
Download URL | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
STIX Roles | |
SHA1 | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Hostname | |
CVSS Vector | |
Country Name | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Feed Related Indicators | |
Size | |
IP Address | |
Creation Date | |
Assigned user | |
Sophistication | |
File Type | |
Processors | |
Device Model | |
Email Address | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
STIX Resource Level | |
Roles | |
Definition | |
Signed | |
Indicator Identification | |
Leadership | |
Username | |
Org Unit | |
Job Family | |
X.509 v3 Extensions | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
BIOS Version | |
Domain Referring Subnets | |
Org Level 3 | |
Infrastructure Types | |
Organizational Unit (OU) | |
Primary Motivation | |
STIX Threat Actor Types | |
Country Code Number | |
Memory | |
Vendor | |
Registrar Abuse Network | |
Geo Country | |
Admin Country | |
STIX Tool Types | |
Issuer | |
Registrar Abuse Address | |
Operating System Refs | |
Blocked | |
City | City |
Office365Required | |
Published | |
Registrant Phone | |
DHCP Server | |
Registrar Name | |
Associated File Names | |
Vulnerable Products | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Signature Copyright | |
Issuer DN | Issuer Distinguished Name |
Malware types | |
STIX Sophistication | |
Tool Types | |
Country Code | |
Rank | Used to display rank from different sources |
Name | |
Number of subkeys | |
Extension | |
Product | |
Signature Description | |
CVSS Version | |
CVSS Table | |
CVSS | |
Acquisition Hire | Whether the employee is an acquisition hire. |
STIX Secondary Motivations | |
Region | |
Registrar Abuse Country | |
Registrar Abuse Phone | |
Threat Actor Types | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
CVE Description | |
Secondary Motivations | |
Public Key | |
Signature Original Name | |
Whois Records | |
Certificate Names | |
Campaign | |
Mitre Tactics | |
Location | |
Domain IDN Name | |
STIX Aliases | Alternative names used to identify this object |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Detection Engines | Total number of engines that checked the indicator |
Assigned role | |
Updated Date | |
Job Function | |
Goals | |
STIX Goals | |
MAC Address | |
Tool Version | |
Operating System | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Name Servers | |
Resource Level | |
Paths | |
Subdomains | |
Aliases | Alternative names used to identify this object |
SHA256 | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Behavior | |
OS Version | |
Description | |
Quarantined | Whether the indicator is quarantined or isolated |
STIX Primary Motivation | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Location Region | |
Certificates | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Registrant Email | |
User ID | |
File Extension | |
Surname | Surname |
Expiration Date | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Category | |
Objective | |
Cost Center Code | |
Subject | |
Registrar Abuse Name | |
State | |
Domain Status | |
Vulnerabilities | |
DNS | |
Manager Name | Manager Name |
Operating System Version | |
Office365Category | |
Office365ExpressRoute | |
Associations | Known associations to other pieces of Threat Data. |
Force Sync | Whether to force user synchronization. |
Actor | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Implementation Languages | |
Street Address | |
STIX Tool Version | |
Registrant Country | |
Geo Location | |
Mitre ID | |
CVSS Score | |
Short Description | |
CVSS3 | |
Personal Email | |
Signature Algorithm | |
Certificate Validation Checks | |
Capabilities | |
Applications | |
Signature Internal Name | |
Query Language | |
Report Object References | A list of STIX IDs referenced in the report. |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Domains | |
Organization Type | |
Commands | |
Processor | |
Path | |
Name Field | |
Report type | |
Subject DN | Subject Distinguished Name |
STIX Is Malware Family | |
Action | |
STIX ID | An identifier that uniquely identifies a STIX Object; it MAY do so in a deterministic way. |
Version | |
Manager Email Address | |
Organization | |
CVE Modified | |
Port | |
Reports | |
Publications | |
Cost Center | |
Author | |
Registrar Abuse Email | |
Display Name | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Given Name | Given Name |
Targets | |
Confidence | |
Tags | |
Architecture | |
Domain Referring IPs | |
imphash | |
Mobile Phone | |
Zip Code | |
Internal | |
Admin Email | |
Department | Department |
SHA512 | |
MD5 | |
Service | The specific service of a feed integration from which an indicator was ingested. |
AS Owner | |
Samples | |
Malware Family | |
Signature Authentihash | |
STIX Malware Types | |
Work Phone | |
ASN | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Account Type | |
Is Processed | |
| Name | Description |
|---|---|
Infrastructure | Infrastructure Indicator Layout |
ASN | ASN Indicator Layout |
Identity | Identity indicator layout |
URL Indicator | URL Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Indicator Feed Incident | |
CVE Indicator | CVE Indicator Layout |
Host Indicator | Host indicator layout |
Mutex | Mutex indicator layout |
Course of Action | Course of Action Indicator Layout |
Email Indicator | Email Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Report | Report Indicator Layout |
Account Indicator | Account Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Vulnerability Incident | |
IP Indicator | IP Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
File Indicator | File Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Location | Location indicator layout |
Software | Software Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
X509 Certificate | X509 Certificate Indicator Layout |
Campaign | Campaign Indicator Layout |
| Name | Description |
|---|---|
ssdeep | |
IPv6 | |
Location | |
DomainGlob | |
IPv6CIDR | |
Report | |
ASN | |
Infrastructure | |
CIDR | |
CVE | |
Attack Pattern | |
Threat Actor | |
Malware | |
File SHA-256 | |
URL | |
Host | |
IP | |
Identity | |
Onion Address | |
Registry Key | |
Software | |
File | |
Domain | |
Intrusion Set | |
Campaign | |
Mutex | |
Account | |
File SHA-1 | |
Tactic | |
X509 Certificate | |
Tool | |
File MD5 | |
Course of Action | |
| Name | Description |
|---|---|
Related Report | |
Tool Usage Found | |
IP Blocked Status | |
Alert Malicious | Whether the alert is malicious. |
Resource URL | |
Attack Mode | Attack mode as received from the integration JSON |
Log Source Type | The log source type associated with the event. |
Tactic ID | |
Start Time | The time when the offense started. |
Event Descriptions | The description of the event name. |
Pre Nat Source IP | The source IP before NAT. |
User Id | User Id |
Agents ID | |
Detection ID | |
Region ID | |
Number Of Found Related Alerts | The number of related alerts found with medium or higher severity. |
External Status | |
Additional Indicators | |
Policy URI | |
Device External IPs | |
First Seen | |
Internal Addresses | |
Employee Email | The email address of the employee. |
User Creation Time | |
Original Description | The description of the incident |
External Start Time | |
Account Member Of | |
Technique ID | |
Process CMD | |
Category Count | The number of categories that are associated with the offense. |
ASN Name | |
Suspicious Executions Found | |
Cloud Resource List | |
Source Category | |
Registry Value Type | |
Policy Actions | |
Last Seen | |
Region | |
Org Level 1 | |
Project ID | |
Source Geolocation | The source geolocation of the event. |
Policy Remediable | |
Source Status | |
MITRE Tactic Name | |
Verification Status | The status of the user verification. |
Command Line Verdict | |
Job Family | Job Family |
Alert tags | |
Source Priority | |
Parent Process Path | |
Reporter Email Address | The email address of the user who reported the email. |
Changed | The user who changed this incident |
Item Owner Email | |
Domain Updated Date | |
Unique Ports | |
Mobile Device Model | |
Job Code | Job Code |
Device Model | Device Model |
Title | Title |
MITRE Technique Name | |
Agent Version | Reporting Agent/Sensor Version |
Password Reset Successfully | Whether the password has been successfully reset. |
Duration | |
Ticket Acknowledged Date | |
Source Urgency | Source Urgency |
Escalation | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Attack Patterns | |
High Risky Hosts | |
Manager Name | Manager Name |
Hunt Results Count | |
Location | Location |
Is Active | Alert status |
Approver | The person who approved or needs to approve the request. |
Post Nat Destination IP | The destination IP address after NAT. |
Closing User | The closing user. |
Last Modified By | |
Parent Process CMD | |
Error Code | |
External Confidence | |
Alert Action | Alert action as received from the integration JSON |
Verification Method | The method used to verify the user. |
Policy ID | |
Mobile Phone | |
Device OS Version | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
File Creation Date | |
CVE Published | |
EmailCampaignSnippets | |
Given Name | Given Name |
Policy Description | |
CVSS | |
Post Nat Destination Port | The destination port after NAT. |
Org Level 3 | |
Department | Department |
Registry Value | |
Registration Email | |
Incident Link | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
App message | |
Bugtraq | |
Country Code | |
Last Modified On | |
Cost Center Code | Cost Center Code |
Scenario | |
Low Level Categories Events | The low level category of the event. |
Triggered Security Profile | Triggered Security Profile |
Vendor Product | |
Zip Code | Zip Code |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Verdict | |
Event ID | Event ID |
Caller | |
Policy Type | |
Comment | The comments related to the incident. |
UUID | UUID as received from the integration JSON |
Assignment Group | |
User SID | |
Rendered HTML | The HTML content in a rendered form. |
Acquisition Hire | |
Number of similar files | |
Vulnerable Product | |
File Access Date | |
Destination Networks | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Team name | |
Custom Query Results | |
Org Level 2 | |
File Hash | |
Dest OS | Destination OS |
Primary Email Address | |
Device Time | The time from the original logging device when the event occurred. |
Status Reason | |
External Link | |
Exposure Level | |
Selected Indicators | Includes the indicators selected by the user. |
Subtype | Subtype |
Sensor IP | |
CVE ID | |
Error Message | The error message that contains details about the error that occurred. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Group ID | |
Cloud Region List | |
SHA512 | SHA512 |
EmailCampaignSummary | |
Cloud Account ID | |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Parent Process SHA256 | |
Password Changed Date | |
Follow Up | True if marked for follow up. |
Related Endpoints | |
Surname | Surname |
IP Reputation | |
Dsts | The destination values. |
List Of Rules - Event | The list of rules associated with an event. |
Endpoints Details | |
Post Nat Source Port | The source port after NAT. |
Timezone | |
Affected Users | |
Source Created By | |
Log Source | Log Source |
Endpoint Isolation Status | |
Pre Nat Source Port | The source port before NAT. |
EmailCampaignMutualIndicators | |
Vendor ID | |
Alert Type ID | |
File Size | File Size |
Tactic | |
Number of Related Incidents | |
URLs | |
Org Unit | |
High Risky Users | |
Users Details | |
Detected External IPs | Detected external IPs |
Source Networks | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
IncomingMirrorError | |
External System ID | |
Investigation Stage | The stage of the investigation. |
Parent Process IDs | |
Leadership | |
Blocked Action | Blocked Action |
Cloud Service | |
Report Name | |
Operation Name | |
External Category ID | |
Domain Name | |
Personal Email | |
Assigned User | Assigned User |
Source Create time | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Device MAC Address | |
Process SHA256 | |
Affected Hosts | |
Original Alert Name | Alert name as received from the integration JSON |
Source Updated by | |
Policy Deleted | |
Device OS Name | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Identity Type | |
Rule Name | The name of a YARA rule |
Ticket Number | |
Original Alert ID | Alert ID as received from the integration JSON |
Last Name | Last Name |
Related Campaign | |
Cost Center | Cost Center |
External Category Name | |
Employee Manager Email | The email address of the employee's manager. |
First Name | First Name |
User Engagement Response | |
ASN | |
Number Of Log Sources | The number of log sources related to the offense. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Device Name | Device Name |
app channel name | |
Compliance Notes | Notes regarding the asset's compliance. |
Process MD5 | |
Classification | Incident Classification |
Device Id | Device Id |
Traffic Direction | The direction of the traffic in the event. |
MITRE Tactic ID | |
Closing Reason | The closing reason |
Application Path | |
External Severity | |
Close Time | The closing time. |
Raw Event | The unparsed event data. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Policy Severity | |
Protocol names | |
Tenant Name | Tenant Name |
Display Name | Display Name |
OutgoingMirrorError | |
Technical User | The technical user of the asset. |
Referenced Resource Name | |
Cloud Instance ID | Cloud Instance ID |
Parent Process MD5 | |
Policy Details | |
Process Names | |
String Similarity Results | |
Triage SLA | The time it took to investigate and enrich incident information. |
Job Function | Job Function |
Referenced Resource ID | |
Log Source Name | The log source name associated with the event. |
Campaign Name | |
Location Region | Location Region |
Original Alert Source | |
SKU Name | |
EmailCampaignCanvas | |
Process Creation Time | |
Detected Internal Hosts | Detected internal hosts |
Sub Category | The sub category |
File Relationships | |
Destination IPV6 | The destination IPV6 address. |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Detected Endpoints | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Technical Owner | The technical owner of the asset. |
Src OS | Src OS |
Audit Logs | |
Domain Registrar Abuse Email | |
City | |
Destination Geolocation | The destination geolocation of the event. |
Resource Type | |
State | State |
Objective | |
Last Update Time | |
Alert Rules | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
User Anomaly Count | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Source External IPs | |
Technical Owner Contact | The contact details for the technical owner. |
Original Events | The events associated with the offense. |
SKU TIER | |
Device Internal IPs | |
End Time | The time when the offense ended. |
Related Alerts | |
External Last Updated Time | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion\Fraud\Espionage. |
Registry Key | |
User Groups | |
Containment SLA | The time it took to contain the incident. |
Source Id | |
Account Status | |
CVE | |
Process ID | |
Street Address | |
Device Hash | Device Hash |
Asset Name | |
Signature | |
Use Case Description | |
similarIncidents | |
Isolated | Isolated |
Country Code Number | |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Pre Nat Destination Port | The destination port before NAT. |
External Sub Category ID | |
SHA1 | SHA1 |
OS Type | OS Type |
Approval Status | The status for the approval of the request. |
Tools | |
External Sub Category Name | |
Asset ID | |
Work Phone | |
Block Indicators Status | |
Technique | |
Suspicious Executions | |
Risk Score | |
Manager Email Address | |
Device OU | Device's OU path in Active Directory |
userAccountControl | userAccountControl |
Risk Rating | |
Event Names | The event name (translated QID) in the event. |
Account ID | |
Policy Recommendation | |
File SHA1 | |
Employee Display Name | The display name of the employee. |
Full Name | Person's Full Name |
Item Owner | |
Registry Hive | |
Email Sent Successfully | Whether the email has been successfully sent. |
Additional Data | |
sAMAccountName | User sAMAccountName |
Risk Name | |
Ticket Closed Date | |
Additional Email Addresses | |
Detection End Time | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Similar incidents Dbot | |
RemovedFromCampaigns | |
Rating | |
Resource Name | |
Phone Number | Phone number |
SSDeep | |
Process Paths | |
OS | The operating system. |
Parent Process File Path | |
Birthday | Person's Birthday |
Post Nat Source IP | The source IP address after NAT. |
Vulnerability Category | |
Device Status | |
User Block Status | |
External End Time | |
Parent Process Name | |
MITRE Technique ID | |

| Name | Description |
|---|---|
DoS | |
Exfiltration | |
Network | |
UnknownBinary | |
Exploit | |
Reconnaissance | |
Lateral Movement | |
Job | |
C2Communication | |
Hunt | |
Policy Violation | |
Authentication | |
Indicator Feed | |
Simulation | |
Defacement | |
Vulnerability | |

| Name | Description |
|---|---|
Domain Status | |
Memory | |
Surname | Surname |
Country Name | |
Quarantined | Whether the indicator is quarantined or isolated |
Malware Family | |
Name Field | |
Key Value | |
Short Description | |
BIOS Version | |
STIX Malware Types | |
Display Name | |
CVSS | |
Registrar Abuse Phone | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Definition | |
Work Phone | |
Query Language | |
STIX Description | |
Whois Records | |
STIX Sophistication | |
Extension | |
Signature Authentihash | |
Size | |
Implementation Languages | |
Feed Related Indicators | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Author | |
Office365Required | |
Org Level 3 | |
Certificates | |
Admin Country | |
City | City |
Location Region | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Certificate Names | |
Registrant Email | |
Tags | |
Secondary Motivations | |
Indicator Identification | |
Signature File Version | |
STIX Is Malware Family | |
Country Code Number | |
Job Family | |
Department | Department |
Signature Algorithm | |
Roles | |
Account Type | |
Samples | |
Operating System | |
File Extension | |
Domains | |
CVSS Score | |
Registrar Abuse Country | |
Location | |
Vulnerable Products | |
Issuer DN | Issuer Distinguished Name |
Is Malware Family | |
Title | Title |
Mitre ID | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
CVSS Version | |
STIX Primary Motivation. | |
Description | |
Port | |
Assigned user | |
Registrar Name | |
Detections | |
Number of subkeys | |
Job Code | Job Code |
Cost Center Code | |
Admin Name | |
STIX Secondary Motivations | |
Organizational Unit (OU) | |
Is Processed | |
Signature Description | |
Registrar Abuse Email | |
Region | |
Paths | |
Organization Type | |
Community Notes | |
Certificate Signature | |
Action | |
File Type | |
Reports | |
STIX Aliases | Alternative names used to identify this object |
Targets | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
AS Owner | |
Signed | |
Cost Center | |
Product | |
Aliases | Alternative names used to identify this object |
Org Level 1 | |
Street Address | |
Signature Original Name | |
Applications | |
Infrastructure Types | |
Associations | Known associations to other pieces of Threat Data. |
Domain Name | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
IP Address | |
Operating System Refs | |
Blocked | |
Subdomains | |
Registrant Phone | |
Architecture | |
Admin Email | |
DHCP Server | |
DNS | |
Sophistication | |
Organization | |
SHA256 | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Associated File Names | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Domain Referring IPs | |
STIX Tool Types | |
Country Code | |
Source Priority | |
Office365Category | |
Registrar Abuse Network | |
SHA512 | |
Detection Engines | Total number of engines that checked the indicator |
imphash | |
Updated Date | |
Signature Internal Name | |
CVE Description | |
Registrar Abuse Name | |
SHA1 | |
CVSS Table | |
Domain IDN Name | |
Mobile Phone | |
MD5 | |
Capabilities | |
Rank | Used to display rank from different sources |
Entry ID | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Subject Alternative Names | |
Zip Code | |
Geo Location | |
Geo Country | |
Published | |
Device Model | |
Public Key | |
Name | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Version | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Tool Version | |
Operating System Version | |
Registrar Abuse Address | |
CVSS3 | |
CVE Modified | |
Domain Referring Subnets | |
Actor | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
STIX Threat Actor Types | |
Org Unit | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Mitre Tactics | |
Vulnerabilities | |
Commands | |
Certificate Validation Checks | |
Manager Email Address | |
Threat Actor Types | |
Groups | |
Behavior | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
CVSS Vector | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Confidence | |
Malware types | |
Registrant Country | |
Vendor | |
Category | |
STIX Tool Version | |
Report type | |
STIX Goals | |
Expiration Date | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Hostname | |
Campaign | |
PEM | Certificate in PEM format. |
Subject | |
State | |
Username | |
Objective | |
Goals | |
Job Function | |
Signature Copyright | |
User ID | |
SSDeep | |
STIX Roles | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary. |
X.509 v3 Extensions | |
Publications | |
Personal Email | |
Serial Number | |
Registrant Name | |
Subject DN | Subject Distinguished Name |
Resource Level | |
OS Version | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Creation Date | |
Admin Phone | |
Processors | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
ASN | |
Manager Name | Manager Name |
DNS Records | |
Issuer | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
Download URL | |
Report Object References | A list of STIX IDs referenced in the report. |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Email Address | |
Primary Motivation | |
Name Servers | |
Tool Types | |
Force Sync | Whether to force user synchronization. |
Given Name | Given Name |
Path | |
STIX Resource Level | |
Processor | |
Internal | |
Office365ExpressRoute | |
Assigned role | |
Leadership | |
Org Level 2 | |

| Name | Description |
|---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule | |

| Name | Description |
|---|---|
Intrusion Set | Intrusion Set Layout |
URL Indicator | URL Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
ASN | ASN Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Vulnerability Incident | |
IP Indicator | IP Indicator Layout |
File Indicator | File Indicator Layout |
Mutex | Mutex indicator layout |
Attack Pattern | Attack Pattern Indicator Layout |
Email Indicator | Email Indicator Layout |
Report | Report Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Account Indicator | Account Indicator Layout |
Software | Software Indicator Layout |
Host Indicator | Host indicator layout |
Location | Location indicator layout |
Domain Indicator | Domain Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Identity | Identity indicator layout |
Indicator Feed Incident | |
Campaign | Campaign Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
X509 Certificate | CVE Indicator Layout |

| Name | Description |
|---|---|
Campaign | |
Attack Pattern | |
ssdeep | |
Intrusion Set | |
File | |
Tool | |
ASN | |
File MD5 | |
Threat Actor | |
Host | |
Account | |
IPv6CIDR | |
Software | |
Malware | |
DomainGlob | |
IPv6 | |
File SHA-1 | |
URL | |
Report | |
Tactic | |
Registry Key | |
Mutex | |
CIDR | |
Identity | |
Domain | |
Onion Address | |
File SHA-256 | |
Course of Action | |
CVE | |
X509 Certificate | |
IP | |
Location | |
Infrastructure | |

| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |

| Pack Name | Pack By |
|---|---|
| Aggregated Scripts | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.
Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
imphash incident field.
Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
imphash incident field.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

| Certification | Certified |
| Supported By | Cortex |
| Created | July 26, 2020 |
| Last Release | March 1, 2026 |