Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Event ID	Event ID
PID	PID
Hunt Results Count
Vendor Product
Registry Hive
Resource ID
Location	Location
Dest Hostname	Destination hostname
Selected Indicators	Includes the indicators selected by the user.
Source External IPs
External Last Updated Time
Org Level 3
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Parent Process File Path
EmailCampaignMutualIndicators
Registry Value
High Risky Hosts
Alert Source
External System ID
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Related Alerts
Verification Status	The status of the user verification.
First Name	First Name
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Email Sent Successfully	Whether the email has been successfully sent.
Alert Type ID
Process Names
Password Changed Date
Destination IPs	The destination IPs of the event.
Device OS Version
Source Geolocation	The source geolocation of the event.
Is Active	Alert status
Sub Category	The sub category
Risk Name
Incident Link
Parent Process CMD
Item Owner Email
Alert Attack Time
Log Source Name	The log source name associated with the event.
CVSS
Technique ID
Comment	The comments related with the incident
Source Category
Application Path
Users Details
Detected Internal Hosts	Detected internal hosts
Policy Deleted
Dsts	The destination values.
Destination Network
Cloud Resource List
Device External IP	Device External IP
CVE ID
UUID	UUID as received from the integration JSON
User Engagement Response
CVE Published
Block Indicators Status
Attack Mode	Attack mode as received from the integration JSON
Policy URI
Alert Name	Alert name as received from the integration JSON
Cloud Instance ID	Cloud Instance ID
User SID
Custom Query Results
City
Source Status
File Size	File Size
Reporter Email Address	The email address of the user who reported the email.
File SHA1
File Creation Date
Cloud Service
Source IP	The IP Address that the user initially logged in from.
Command Line	Command Line
Device External IPs
Detected User
Related Report
Endpoint Isolation Status
Phone Number	Phone number
Affected Users
Threat Hunting Detected Hostnames
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
DNS Name	The DNS name of the asset.
OS Type	OS Type
Report Name
Risk Rating
Domain Updated Date
Device OU	Device's OU path in Active Directory
Parent Process SHA256
Last Seen
Destination Port	The destination port used.
Given Name	Given Name
Cloud Operation Type
Identity Type
Src	Source
Exposure Level
Detection ID
Device Model	Device Model
Source Hostname	The hostname that performed the port scan.
Caller
External Category Name
Destination IP	The IP address the impossible traveler logged in to.
Country	The country from which the user logged in.
SHA1	SHA1
Alert URL	Alert URL as received from the integration JSON
Escalation
Device OS Name
File Relationships
Resource Type
Duration
Log Source	Log Source
Detected Users	Detected users
Post Nat Source IP	The source IP address after NAT.
Org Unit
Post Nat Destination Port	The destination port after NAT.
Event Type	Event Type
Tags
Source MAC Address	The source MAC address in an event.
Destination IPV6	The destination IPV6 address.
Resource Name
Related Campaign
IncomingMirrorError
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
MITRE Technique Name
Detection Update Time
SHA512	SHA512
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Protocol names
External Confidence
CMD line
Cloud Region List
Command Line Verdict
Alert Malicious	Whether the alert is malicious.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
userAccountControl	userAccountControl
Agent ID	Agent ID
External ID
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Department	Department
Endpoint
Asset Name
User Anomaly Count
External Severity
Process SHA256
IP Blocked Status
URLs
Birthday	Person's Birthday
MITRE Technique ID
Threat Hunting Detected IP
Device Status
External Addresses
Detected IPs
Alert tags
Destination Geolocation	The destination geolocation of the event.
Signature
Internal Addresses
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
High Level Categories	The high level categories in the events.
Detected Endpoints
Source Create time
Appliance ID	Appliance ID as received from the integration JSON
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Source Networks
Process ID
Category Count	The number of categories that are associated with the offense.
Source Network
Unique Ports
Leadership
Timezone
Src NT Domain	Source NT Domain
Agents ID
Vendor ID
Users
Last Modified On
Referenced Resource Name
Parent Process MD5
Attack Patterns
Tactic ID
Technical User	The technical user of the asset.
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
App message
SKU TIER
Bugtraq
Job Code	Job Code
Source Username	The username that was the source of the attack.
Events	The events associated with the offense.
Title	Title
Destination MAC Address	The destination MAC address in an event.
Device MAC Address
Technical Owner Contact	The contact details for the technical owner.
Location Region	Location Region
Username	The username of the account who logged in.
Additional Indicators
OutgoingMirrorError
File MD5
Related Endpoints
Registry Value Type
Tenant Name	Tenant Name
Account ID
Cost Center	Cost Center
CMD
Source Urgency	Source Urgency
Scenario
Raw Event	The unparsed event data.
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Employee Display Name	The display name of the employee.
Policy Description
File Path
Last Update Time
Parent Process Name
Source Created By
Src Hostname	Source hostname
Compliance Notes	Notes regarding the assets compliance.
Employee Manager Email	The email address of the employee's manager.
Last Modified By
IP Reputation
Job Function	Job Function
Domain Name
SKU Name
Post Nat Destination IP	The destination IP address after NAT.
Usernames	The username in the event.
Source IPs	The source IPs of the event.
Parent CMD line
Device Time	The time from the original logging device when the event occurred.
External Sub Category ID
Region ID
EmailCampaignCanvas
External Sub Category Name
Event Names	The event name (translated QID ) in the event.
Manager Email Address
State	State
Surname	Surname
File Paths
Parent Process
Assigned User	Assigned User
Sensor Name
Email	Primary Email Address
Dest OS	Destination OS
Verification Method	The method used to verify the user.
Application Name	Application Name
Triage SLA	The time it took to investigate and enrich incident information.
Close Time	The closing time.
Ticket Closed Date
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Pre Nat Source Port	The source port before NAT.
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Child Process
File Names
Region
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Categories	The categories for the incident.
Dest	Destination
Country Code Number
Process Creation Time
Low Level Categories Events	The low level category of the event.
Process MD5
sAMAccountName	User sAMAAccountName
Destination Networks
Vulnerability Category
Zip Code	Zip Code
Process Paths
User Agent
Vulnerable Product
Group ID
User Risk Level
Source Priority
Detection URL	URL of the ExtraHop Reveal(x) detection
Device Local IP	Device Local IP
Policy Details
Password Reset Successfully	Whether the password has been successfully reset.
Hostnames	The hostname in the event.
Device Id	Device Id
Device Internal IPs
Tactic
Verdict
Policy Type
Number of Related Incidents
Source IPV6	The source IPV6 address.
Additional Email Addresses
App
Rule Name	The name of a YARA rule
Process CMD
Project ID
Account Name	Account Name
OS Version	OS Version
Referenced Resource ID
app channel name
Device Name	Device Name
Source Updated by
User Id	User Id
Technique
Containment SLA	The time it took to contain the incident.
Destination Hostname	Destination hostname
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Process Name
Isolated	Isolated
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Closing User	The closing user.
Item Owner
Campaign Name
Error Code
Suspicious Executions Found
EmailCampaignSummary
Approver	The person who approved or needs to approve the request.
Registration Email
Mobile Phone
ASN
Detected External Hosts	Detected external hosts
Number Of Log Sources	The number of log sources related to the offense.
Pre Nat Destination Port	The destination port before NAT.
Team name
Risk Score
Traffic Direction	The direction of the traffic in the event.
Suspicious Executions
Additional Data
User Creation Time
Protocol	Protocol
Assignment Group
Parent Process Path
File Access Date
File Name
Device Username	The username of the user that owns the device
Approval Status	The status for the approval of the request.
Account Status
Dst Ports	The destination ports of the event.
File SHA256
File Hash
External End Time
SHA256	SHA256
Technical Owner	The technical owner of the asset.
Src User	Source User
Pre Nat Source IP	The source IP before NAT.
similarIncidents
Country Name	Country Name
Parent Process IDs
Alert Action	Alert action as received from the integration JSON
Display Name	Display Name
Event Descriptions	The description of the event name.
OS	The operating system.
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
List Of Rules - Event	The list of rules associated to an event.
Src OS	Src OS
External Link
Affected Hosts
Log Source Type	The log source type associated with the event.
Srcs	The source values.
Asset ID
ASN Name
Operation Name
RemovedFromCampaigns
Detected External IPs	Detected external IPs
Registry Key
Last Name	Last Name
External Status
Mobile Device Model
Status Reason
MITRE Tactic Name
Manager Name	Manager Name
MD5	MD5
Blocked Action	Blocked Action
Policy ID
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
MITRE Tactic ID
Changed	The user who changed this incident
Investigation Stage	The stage of the investigation.
High Risky Users
String Similarity Results
Ticket Opened Date
Error Message	The error message that contains details about the error that occurred.
Resource URL
Personal Email
Rating
External Start Time
Objective
Tool Usage Found
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Cost Center Code	Cost Center Code
Similar incidents Dbot
Policy Remediable
Ticket Number
Post Nat Source Port	The source port after NAT.
Account Member Of
SSDeep
Employee Email	The email address of the employee.
Detected Internal IPs	Detected internal IPs
Detection End Time
Source Port	The source port that was used
Dest NT Domain	Destination NT Domain
Org Level 1
Start Time	The time when the offense started.
Domain Registrar Abuse Email
Acquisition Hire
Alert Category	The category of the alert
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Application Id	Application Id
Policy Actions
User Groups
Job Family	Job Family
Endpoints Details
Protocol - Event	The network protocol in the event.
Source Id
Closing Reason	The closing reason
Src Ports	The source ports of the event.
Org Level 2
End Time	The time when the offense ended.
User Block Status
Follow Up	True if marked for follow up.
Rendered HTML	The HTML content in a rendered form.
Classification	Incident Classification
External Category ID
Alert ID	Alert ID as received from the integration JSON
First Seen
Description	The description of the incident
Street Address
Agent Version	Reporting Agent/Sensor Version
MAC Address	MAC Address
EmailCampaignSnippets
Sensor IP
Tools
Alert Rules
Policy Recommendation
Number of similar files
Process Path
Ticket Acknowledged Date
CVE
Cloud Account ID
Country Code
Work Phone
Appliance Name	Appliance name as received from the integration JSON
Protocols
Triggered Security Profile	Triggered Security Profile
Device Hash	Device Hash
Policy Severity
Subtype	Subtype
Full Name	Person's Full Name
Use Case Description
Number Of Found Related Alerts	Medium or Higher Severity Alerts

Incident Types

Name	Description
Simulation
Lateral Movement
DoS
Authentication
Hunt
Indicator Feed
Vulnerability
Policy Violation
Exfiltration
Defacement
Reconnaissance
Exploit
Network
C2Communication
Job
UnknownBinary

Indicator Fields

Name	Description
Registrar Abuse Phone
Subject DN	Subject Distinguished Name
SSDeep
Memory
Department	Department
Vendor
Certificate Names
Zip Code
Name Field
Confidence
Registrar Abuse Network
Architecture
Implementation Languages
Subdomains
STIX Sophistication
Feed Related Indicators
Definition
Category
Updated Date
User ID
Publications
Description
CVSS3
PEM	Certificate in PEM format.
Version
SHA256
Subject
Given Name	Given Name
Registrant Email
Behavior
STIX Primary Motivation.
Reports
Organization First Seen	Date and time when the indicator was first seen in the organization.
SWID	Specifies the Software Identification (SWID) tags entry for the software
Expiration Date
Assigned role
Source Priority
Creation Date
DNS Records
Tags
Goals
Job Family
Quarantined	Whether the indicator is quarantined or isolated
Operating System Refs
Street Address
Action
Mitre Tactics
Domains
Display Name
Email Address
Query Language
Groups
Organization
Job Code	Job Code
CVSS Table
State
Organizational Unit (OU)
Key Value
Objective
Signature Internal Name
Service	The specific service of a feed integration from which an indicator was ingested.
Hostname
Cost Center
Secondary Motivations
Office365Category
Infrastructure Types
File Type
MAC Address
Serial Number
File Extension
STIX Goals
Validity Not Before	Specifies the date on which the certificate validity period begins.
STIX Description
CVE Description
Job Function
AS Owner
STIX Is Malware Family
Domain Status
Mitre ID
Signature Copyright
Rank	Used to display rank from different sources
imphash
Is Processed
Title	Title
STIX Secondary Motivations
Issuer
X.509 v3 Extensions
Capabilities
Name Servers
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Admin Name
ASN
Registrant Country
Admin Country
Issuer DN	Issuer Distinguished Name
Signed
Name
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Manager Email Address
Indicator Identification
STIX Resource Level
Leadership
Short Description
MD5
Malware Family
Org Unit
Is Malware Family
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Country Name
Region
Mobile Phone
City	City
Community Notes
CVSS Version
Cost Center Code
Signature Algorithm
Domain Referring Subnets
Registrant Phone
Associations	Known associations to other pieces of Threat Data.
Admin Email
Whois Records
Vulnerabilities
Email
Number of subkeys
STIX Roles
CVSS
SHA1
STIX Malware Types
Subject Alternative Names
Detection Engines	Total number of engines that checked the indicator
Operating System Version
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Admin Phone
Operating System
Location Region
Work Phone
Processor
Roles
Global Prevalence	The number of times the indicator is detected across all organizations.
Organization Prevalence	The number of times the indicator is detected in the organization.
Published
Registrar Name
Signature Description
Commands
Org Level 2
Geo Location
Resource Level
Extension
Org Level 3
Registrar Abuse Country
DHCP Server
Organization Type
Signature File Version
Public Key
Registrar Abuse Address
Registrar Abuse Name
Surname	Surname
Malware types
Sophistication
First Seen By Source	The first time the indicator was seen by the source vendor.
Validity Not After	Specifies the date on which the certificate validity period ends.
STIX Tool Version
Geo Country
Targets
Applications
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Vulnerable Products
SHA512
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Associated File Names
Paths
Office365ExpressRoute
STIX Aliases	Alternative names used to identify this object
CVSS Vector
BIOS Version
Source Original Severity	The original score/severity provided by the source without DBot translation.
Port
STIX Tool Types
Positive Detections	Number of engines that positively detected the indicator as malicious
Personal Email
Size
Domain Referring IPs
Certificates
Detections
Report Object References	A list of STIX IDs referenced in the report.
Author
Path
Blocked
Domain Name
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Campaign
DNS
Tool Version
Username
Country Code Number
Threat Actor Types
Force Sync	Whether to force user synchronization.
Device Model
Entry ID
CVE Modified
Report type
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Download URL
STIX Threat Actor Types
Office365Required
Product
Signature Authentihash
Samples
Assigned user
OS Version
Signature Original Name
Account Type
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Registrar Abuse Email
Internal
Tool Types
IP Address
Country Code
Certificate Validation Checks
Acquisition Hire	Whether the employee is an acquisition hire.
Actor
Location
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Registrant Name
Manager Name	Manager Name
Aliases	Alternative names used to identify this object
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Certificate Signature
Org Level 1
Primary Motivation
CVSS Score
Processors
Domain IDN Name

Layouts

Name	Description
Report	Report Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
ASN	ASN Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Tool Indicator	Tool Indicator Layout
Identity	Identity indicator layout
CVE Indicator	CVE Indicator Layout
URL Indicator	URL Indicator Layout
Email Indicator	Email Indicator Layout
Host Indicator	Host indicator layout
Account Indicator	Account Indicator Layout
IP Indicator	IP Indicator Layout
Malware Indicator	Malware Indicator Layout
Campaign	Campaign Indicator Layout
Intrusion Set	Intrusion Set Layout
Mutex	Mutex indicator layout
File Indicator	File Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Course of Action	Course of Action Indicator Layout
Domain Indicator	Domain Indicator Layout
Software	Software Indicator Layout
Vulnerability Incident
Indicator Feed Incident
X509 Certificate	CVE Indicator Layout
Location	Location indicator layout

Indicator Types

Name	Description
ASN
X509 Certificate
Infrastructure
Onion Address
ssdeep
Attack Pattern
File SHA-256
CVE
Location
Identity
CIDR
IPv6CIDR
Software
Course of Action
IP
IPv6
Host
Domain
URL
Account
Mutex
Malware
Report
Intrusion Set
Threat Actor
Registry Key
Campaign
Tool
File MD5
Email
File
DomainGlob
File SHA-1

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Mobile Device Model
Duration
IP Blocked Status
City
Timezone
Work Phone
Classification	Incident Classification
User Block Status
Status Reason
Dsts	The destination values.
userAccountControl	userAccountControl
Password Changed Date
Follow Up	True if marked for follow up.
Account Member Of
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Cloud Service
Org Level 1
Registration Email
Org Level 3
Sub Category	The sub category
Vulnerable Product
Title	Title
Raw Event	The unparsed event data.
Device Status
Event ID	Event ID
Parent Process SHA256
End Time	The time when the offense ended.
Event Descriptions	The description of the event name.
Process Creation Time
Referenced Resource Name
Mobile Phone
Post Nat Destination Port	The destination port after NAT.
Risk Score
Device OS Name
Last Modified On
SKU Name
Close Time	The closing time.
Similar incidents Dbot
EmailCampaignSnippets
Agents ID
Policy Type
Vendor ID
SHA512	SHA512
Caller
Vulnerability Category
similarIncidents
Ticket Closed Date
Device Time	The time from the original logging device when the event occurred.
Cost Center Code	Cost Center Code
Resource Name
Device OS Version
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Device Hash	Device Hash
Affected Hosts
Detection URL	URL of the ExtraHop Reveal(x) detection
Block Indicators Status
Agent Version	Reporting Agent/Sensor Version
Related Campaign
Internal Addresses
Sensor IP
Attack Patterns
MITRE Tactic Name
CVE
List Of Rules - Event	The list of rules associated to an event.
Verdict
Protocol names
Parent Process Path
External End Time
Threat Name	Define the threat name such as malware/exploit/phishing/etc
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
OS	The operating system.
Manager Email Address
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Detection ID
External Category Name
Is Active	Alert status
Source Urgency	Source Urgency
Traffic Direction	The direction of the traffic in the event.
Number Of Log Sources	The number of log sources related to the offense.
Policy Actions
Verification Status	The status of the user verification.
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Item Owner
MITRE Tactic ID
External Last Updated Time
Detected External IPs	Detected external IPs
Account Status
Exposure Level
Cloud Resource List
Technical Owner Contact	The contact details for the technical owner.
Related Alerts
Risk Rating
Parent Process IDs
Attack Mode	Attack mode as received from the integration JSON
Registry Value Type
Cloud Region List
Source Priority
Alert Malicious	Whether the alert is malicious.
Approver	The person who approved or needs to approve the request.
Process SHA256
Destination IPV6	The destination IPV6 address.
Alert Rules
Policy URI
Registry Hive
Original Description	The description of the incident
Zip Code	Zip Code
First Seen
Source Category
Low Level Categories Events	The low level category of the event.
Subtype	Subtype
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Process CMD
User Id	User Id
External Severity
Source Status
Category Count	The number of categories that are associated with the offense.
Source Created By
External Link
File Creation Date
Destination Geolocation	The destination geolocation of the event.
Org Unit
Employee Manager Email	The email address of the employee's manager.
Personal Email
MITRE Technique Name
File SHA1
Destination Networks
CVE Published
Closing Reason	The closing reason
External Sub Category Name
Endpoint Isolation Status
Street Address
Technique ID
Policy Remediable
Registry Key
Process ID
Region
User SID
EmailCampaignMutualIndicators
Device OU	Device's OU path in Active Directory
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Group ID
Log Source Name	The log source name associated with the event.
Resource Type
Alert Action	Alert action as received from the integration JSON
Source Networks
Source Geolocation	The source geolocation of the event.
Endpoints Details
High Risky Users
UUID	UUID as received from the integration JSON
Surname	Surname
Scenario
Error Message	The error message that contains details about the error that occurred.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Rendered HTML	The HTML content in a rendered form.
Reporter Email Address	The email address of the user who reported the email.
Post Nat Destination IP	The destination IP address after NAT.
Assignment Group
Location	Location
Employee Display Name	The display name of the employee.
Parent Process MD5
External Category ID
Policy Details
Closing User	The closing user.
Dest OS	Destination OS
Bugtraq
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Org Level 2
Additional Data
Unique Ports
CVSS
Number of similar files
Pre Nat Source Port	The source port before NAT.
Referenced Resource ID
Risk Name
Campaign Name
Process Names
External Sub Category ID
Policy Deleted
Approval Status	The status for the approval of the request.
Signature
Cost Center	Cost Center
External Confidence
Compliance Notes	Notes regarding the assets compliance.
Leadership
Technical User	The technical user of the asset.
Parent Process File Path
App message
sAMAccountName	User sAMAAccountName
Escalation
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
File Hash
Team name
Related Report
Last Update Time
Application Path
Source Create time
Source Id
Asset ID
File Access Date
Given Name	Given Name
Isolated	Isolated
Last Mirrored Time Stamp	The last time the incident was mirrored in.
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Log Source Type	The log source type associated with the event.
Log Source	Log Source
External System ID
Cloud Account ID
Alert Type ID
Affected Users
Acquisition Hire
Last Seen
Parent Process CMD
Additional Email Addresses
User Groups
Email Sent Successfully	Whether the email has been successfully sent.
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Display Name	Display Name
Tactic ID
Users Details
Password Reset Successfully	Whether the password has been successfully reset.
Changed	The user who changed this incident
OutgoingMirrorError
Tools
Device External IPs
Vendor Product
Suspicious Executions Found
Blocked Action	Blocked Action
Device Name	Device Name
SHA1	SHA1
Original Alert Name	Alert name as received from the integration JSON
Job Family	Job Family
Tool Usage Found
Policy Severity
Alert tags
Last Name	Last Name
Event Names	The event name (translated QID ) in the event.
Post Nat Source IP	The source IP address after NAT.
Country Code
Selected Indicators	Includes the indicators selected by the user.
Source Updated by
Objective
Additional Indicators
Containment SLA	The time it took to contain the incident.
Policy Description
Region ID
Triggered Security Profile	Triggered Security Profile
Detection End Time
Full Name	Person's Full Name
URLs
app channel name
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Src OS	Src OS
User Creation Time
Tactic
Resource URL
Project ID
EmailCampaignSummary
User Engagement Response
High Risky Hosts
Suspicious Executions
Original Alert ID	Alert ID as received from the integration JSON
Rule Name	The name of a YARA rule
Report Name
Location Region	Location Region
Department	Department
SSDeep
Registry Value
Command Line Verdict
Source External IPs
Verification Method	The method used to verify the user.
EmailCampaignCanvas
Pre Nat Destination Port	The destination port before NAT.
File Size	File Size
External Status
Item Owner Email
External Start Time
Parent Process Name
File Relationships
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Triage SLA	The time it took to investigate and enrich incident information.
Policy Recommendation
Start Time	The time when the offense started.
RemovedFromCampaigns
Job Code	Job Code
Account ID
Tenant Name	Tenant Name
Process MD5
Device MAC Address
Detected Internal Hosts	Detected internal hosts
Comment	The comments related with the incident
Email	Primary Email Address
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Ticket Number
OS Type	OS Type
Process Paths
Rating
State	State
String Similarity Results
SKU TIER
CVE ID
Post Nat Source Port	The source port after NAT.
Job Function	Job Function
MITRE Technique ID
ASN
Cloud Instance ID	Cloud Instance ID
Manager Name	Manager Name
Employee Email	The email address of the employee.
IncomingMirrorError
Device Internal IPs
Assigned User	Assigned User
Domain Registrar Abuse Email
Asset Name
Number of Related Incidents
User Anomaly Count
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Hunt Results Count
ASN Name
Policy ID
Operation Name
Phone Number	Phone number
Error Code
Country Code Number
Investigation Stage	The stage of the investigation.
First Name	First Name
Original Alert Source
Incident Link
Last Modified By
Technical Owner	The technical owner of the asset.
Device Id	Device Id
Original Events	The events associated with the offense.
Related Endpoints
Domain Name
Detected Endpoints
Identity Type
Use Case Description
Ticket Acknowledged Date
Birthday	Person's Birthday
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Technique
Pre Nat Source IP	The source IP before NAT.
IP Reputation
Domain Updated Date
Device Model	Device Model
Custom Query Results

Incident Types

Name	Description
Indicator Feed
Lateral Movement
Hunt
Policy Violation
Simulation
UnknownBinary
DoS
C2Communication
Defacement
Exploit
Job
Network
Exfiltration
Authentication
Vulnerability
Reconnaissance

Indicator Fields

Name	Description
Certificate Names
Path
Office365Required
Manager Email Address
STIX Description
Samples
Operating System
imphash
Action
CVSS
Published
STIX Goals
Port
Quarantined	Whether the indicator is quarantined or isolated
Organizational Unit (OU)
Org Level 1
Rank	Used to display rank from different sources
Signature Algorithm
Job Code	Job Code
Applications
Internal
Certificate Signature
Organization Type
Signature Authentihash
Mitre ID
Country Code Number
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Subject Alternative Names
Targets
Location Region
CVSS Table
Groups
Office365Category
SHA256
Secondary Motivations
Detection Engines	Total number of engines that checked the indicator
Tool Types
Domain IDN Name
Malware Family
Admin Name
STIX Sophistication
Serial Number
Blocked
Department	Department
STIX Tool Types
Aliases	Alternative names used to identify this object
Name Servers
Behavior
Zip Code
Source Original Severity	The original score/severity provided by the source without DBot translation.
STIX Is Malware Family
Manager Name	Manager Name
Service	The specific service of a feed integration from which an indicator was ingested.
Registrar Abuse Phone
STIX Tool Version
Report type
Publications
Commands
Memory
Whois Records
Geo Country
Signed
DNS
Associated File Names
Actor
CVSS Version
Registrar Abuse Address
BIOS Version
SHA1
Capabilities
Registrant Country
Registrar Abuse Email
Resource Level
STIX Malware Types
ASN
Source Priority
Expiration Date
STIX Threat Actor Types
STIX Primary Motivation.
Issuer DN	Issuer Distinguished Name
Definition
Confidence
Cost Center Code
Name Field
Force Sync	Whether to force user synchronization.
Registrant Name
Global Prevalence	The number of times the indicator is detected across all organizations.
Organization Prevalence	The number of times the indicator is detected in the organization.
Leadership
Implementation Languages
Location
Reports
Personal Email
Product
Vulnerabilities
Key Value
Job Function
Hostname
Number of subkeys
Feed Related Indicators
Job Family
Subdomains
Author
Account Type
Region
Registrant Email
Report Object References	A list of STIX IDs referenced in the report.
Updated Date
First Seen By Source	The first time the indicator was seen by the source vendor.
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Tool Version
Validity Not Before	Specifies the date on which the certificate validity period begins.
Admin Email
MD5
Campaign
Registrar Abuse Name
Mitre Tactics
Email
Validity Not After	Specifies the date on which the certificate validity period ends.
Query Language
Domains
STIX Aliases	Alternative names used to identify this object
Associations	Known associations to other pieces of Threat Data.
Is Processed
Vendor
Public Key
Positive Detections	Number of engines that positively detected the indicator as malicious
Signature Copyright
Organization
Assigned role
CVSS Vector
CVE Modified
Cost Center
AS Owner
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Roles
User ID
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Domain Referring Subnets
Registrar Abuse Network
Size
Office365ExpressRoute
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Given Name	Given Name
Device Model
File Type
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Domain Status
Tags
Infrastructure Types
Registrant Phone
Admin Country
Org Unit
Primary Motivation
Threat Actor Types
Processors
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Signature File Version
DNS Records
Signature Internal Name
Community Notes
Geo Location
X.509 v3 Extensions
CVSS Score
Signature Original Name
Issuer
Is Malware Family
Entry ID
Org Level 2
Subject DN	Subject Distinguished Name
Signature Description
SWID	Specifies the Software Identification (SWID) tags entry for the software
Assigned user
Operating System Version
Detections
File Extension
IP Address
Street Address
Mobile Phone
Name
Creation Date
Short Description
Operating System Refs
Domain Referring IPs
Sophistication
Work Phone
Org Level 3
Country Code
Email Address
SHA512
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Indicator Identification
STIX Secondary Motivations
PEM	Certificate in PEM format.
Download URL
Processor
Objective
Username
OS Version
Paths
Organization First Seen	Date and time when the indicator was first seen in the organization.
State
STIX Resource Level
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
CVSS3
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Subject
DHCP Server
Admin Phone
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Certificate Validation Checks
Goals
Architecture
STIX Roles
Registrar Name
SSDeep
Country Name
CVE Description
Description
City	City
Display Name
Certificates
Malware types
Registrar Abuse Country
Title	Title
Vulnerable Products
Category
Surname	Surname
Domain Name
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Version
Acquisition Hire	Whether the employee is an acquisition hire.
Extension

Layoutrule

Name	Description
Indicator Feed Layout Rule
Vulnerability Layout Rule

Layouts

Name	Description
CVE Indicator	CVE Indicator Layout
Mutex	Mutex indicator layout
URL Indicator	URL Indicator Layout
Course of Action	Course of Action Indicator Layout
IP Indicator	IP Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Campaign	Campaign Indicator Layout
Intrusion Set	Intrusion Set Layout
Threat Actor	Threat Actor Indicator Layout
Domain Indicator	Domain Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Vulnerability Incident
Malware Indicator	Malware Indicator Layout
Indicator Feed Incident
File Indicator	File Indicator Layout
Email Indicator	Email Indicator Layout
Host Indicator	Host indicator layout
Account Indicator	Account Indicator Layout
Identity	Identity indicator layout
ASN	ASN Indicator Layout
Software	Software Indicator Layout
Tool Indicator	Tool Indicator Layout
Location	Location indicator layout
Report	Report Indicator Layout
X509 Certificate	CVE Indicator Layout

Indicator Types

Name	Description
ASN
Domain
Report
Onion Address
Threat Actor
Infrastructure
IPv6CIDR
CIDR
Tool
ssdeep
Intrusion Set
URL
Software
Host
X509 Certificate
File SHA-1
File MD5
Location
Registry Key
Malware
Email
File
IPv6
Campaign
Mutex
Identity
Attack Pattern
File SHA-256
IP
DomainGlob
Account
CVE
Course of Action

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (56)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.5.5 - 1082615 (June 10, 2024)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

3.5.4 - 1061293 (June 2, 2024)

Indicator Types

Email

Related pull requests:
- 33924

Download

3.5.3 - 1021616 (May 16, 2024)

Indicator Fields

Kill Chain Phases
- Added a missing phase, Resource Development, to multi-select list

Related pull requests:
- 33786

Download

3.5.2 - 998827 (May 6, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Indicator Fields

Author

Related pull requests:
- 33839

Download

3.5.0 - 995825 (May 5, 2024)

Incident Fields

New: Registration Email
New: Domain Updated Date
New: Domain Registrar Abuse Email

Related pull requests:
- 32924

Download

3.4.10 - 951066 (April 11, 2024)

Incident Fields

Policy Type
New: CVE ID
New: Resource URL
New: User Anomaly Count
New: CVE Published
Policy Recommendation
New: Vulnerable Product
New: Alert Rules

Related pull requests:
- 33781

Download

3.4.9 - 948301 (April 10, 2024)

Incident Fields

Compliance Notes - Added the Prisma Cloud Compute Compliance v2 incident type as an associated types.

Related pull requests:
- 32936

Download

3.4.8 - 927547 (April 1, 2024)

Indicator Types

URL
Updated the regex to capture URLs with commas.

Related pull requests:
- 33688

Download

3.4.7 - 904622 (March 20, 2024)

Incident Fields

Containment SLA
- Updated to be searchable
Incident Duration
- Updated to be searchable
Triage SLA
- Updated to be searchable

Indicator Fields

New: Number of subkeys
New: Samples

Related pull requests:
- 33419

Download

3.4.5 - 882064 (March 11, 2024)

Incident Fields

New: Additional Email Addresses

Related pull requests:
- 33129

Download

3.4.4 - 870683 (March 5, 2024)

Indicator Fields

New: Subject
New: Issuer
New: Certificate Names
New: Validity Not Before
New: PEM
New: Certificate Signature
New: Extension
New: X.509 v3 Extensions
New: Certificate Validation Checks
New: Issuer DN
New: SPKI SHA256
New: Validity Not After
New: Serial Number
New: Signature Algorithm
New: Public Key
New: Subject Alternative Names
New: Domains
New: Subject DN

Layouts

New: X509 Certificate
layout for the new X509 indicator type (Available from Cortex XSOAR 6.0.0).

Related pull requests:
- 31341

Download

3.4.3 - 865088 (March 3, 2024)

Incident Fields

New: Alert tags
New: User Risk Level

Related pull requests:
- 32470

Download

3.4.2 - 860237 (February 29, 2024)

Incident Fields

Added the CrowdStrike Falcon Mobile Detection incident type to the following incident fields:

Email
Detection ID
Last Update Time
Vendor Product
Display Name

Related pull requests:
- 33072

Download

3.4.1 - R828628 (February 14, 2024)

Indicator Types

URL
Fixed an issue with the regex not capturing quoted slashes.

Related pull requests:
- 32719

Download

3.4.0 - 778227 (January 22, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

3.3.99 - 764361 (January 15, 2024)

Indicator Fields

Blocked

Related pull requests:
- 32218

Download

3.3.98 - 737854 (January 2, 2024)

Incident Fields

New: Status Reason

Related pull requests:
- 31187

Download

3.3.97 - 729445 (January 1, 2024)

Indicator Types

IPv6
Updated IPv6 regex for better performance and to avoid MAC addresses.

Related pull requests:
- 31686

Download

3.3.96 - 716847 (December 25, 2023)

Indicator Fields

New: Signature Original Name

Related pull requests:
- 31587

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	December 11, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Common Types

Pack Contributors:

Pack Contributors:

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications

New: Definition

Indicator Types

Incident Fields

Indicator Fields

Validity Not Before

Validity Not After

Layouts

Indicator Types

Incident Fields

Indicator Types

Layouts

Indicator Fields

Primary Motivation

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Common Types

Indicator Types

Indicator Fields

Common Types

Indicator Fields

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Indicator Fields

Incident Fields

Indicator Fields

Layouts

Incident Fields

Incident Fields

Indicator Types

Common Types

Indicator Fields

Incident Fields

Indicator Types

Indicator Fields

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER