Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides the most commonly used incident and indicator fields and types.
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
EmailCampaignSnippets | |
File Names | |
External Sub Category ID | |
File SHA1 | |
Policy Deleted | |
Protocols | |
Unique Ports | |
Detected Internal IPs | Detected internal IPs |
Process Names | |
File Creation Date | |
File Access Date | |
Detected User | |
Timezone | |
Referenced Resource ID | |
Source IPs | The source IPs of the event. |
Comment | The comments related to the incident. |
MITRE Technique Name | |
External Start Time | |
IP Blocked Status | |
Rule Name | The name of a YARA rule |
Surname | Surname |
Containment SLA | The time it took to contain the incident. |
External Severity | |
Investigation Stage | The stage of the investigation. |
User Risk Level | |
Ticket Opened Date | |
User SID | |
Parent Process IDs | |
Dsts | The destination values. |
Destination IPV6 | The destination IPV6 address. |
Parent Process | |
Block Indicators Status | |
Device Internal IPs | |
Employee Manager Email | The email address of the employee's manager. |
Srcs | The source values. |
String Similarity Results | |
Registry Value Type | |
Leadership | |
CVE | |
Source Network | |
Asset ID | |
Duration | |
High Level Categories | The high level categories in the events. |
Technical Owner | The technical owner of the asset. |
Log Source | Log Source |
Given Name | Given Name |
Blocked Action | Blocked Action |
Dst Ports | The destination ports of the event. |
Source Updated by | |
app channel name | |
PID | PID |
Additional Indicators | |
Process ID | |
Related Campaign | |
Follow Up | True if marked for follow up. |
SKU Name | |
OS Version | OS Version |
Reporter Email Address | The email address of the user who reported the email. |
Triggered Security Profile | Triggered Security Profile |
CVSS | |
App | |
Cloud Operation Type | |
Post Nat Source Port | The source port after NAT. |
Closing Reason | The closing reason |
Account ID | |
Escalation | |
Attack Patterns | |
Process CMD | |
Mobile Phone | |
Manager Name | Manager Name |
External Status | |
Traffic Direction | The direction of the traffic in the event. |
Policy Type | |
Street Address | |
User Groups | |
Source Created By | |
Vendor ID | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Manager Email Address | |
Country Code Number | |
Phone Number | Phone number |
Source Urgency | Source Urgency |
Internal Addresses | |
Number Of Log Sources | The number of log sources related to the offense. |
Approver | The person who approved or needs to approve the request. |
Cost Center Code | Cost Center Code |
Alert Action | Alert action as received from the integration JSON |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
MAC Address | MAC Address |
SKU TIER | |
Similar incidents Dbot | |
Country Code | |
Password Reset Successfully | Whether the password has been successfully reset. |
File Name | |
File SHA256 | |
Endpoint Isolation Status | |
Project ID | |
Detected Users | Detected users |
Assignment Group | |
User Creation Time | |
Tenant Name | Tenant Name |
Destination Network | |
Policy ID | |
OS | The operating system. |
Parent Process SHA256 | |
ASN Name | |
CVE Published | |
Source External IPs | |
Resource Type | |
Process Name | |
Endpoints Details | |
Resource ID | |
Employee Display Name | The display name of the employee. |
Alert Name | Alert name as received from the integration JSON |
Risk Name | |
Related Report | |
Bugtraq | |
Campaign Name | |
Job Code | Job Code |
Log Source Type | The log source type associated with the event. |
Agent Version | Reporting Agent/Sensor Version |
Item Owner Email | |
Rendered HTML | The HTML content in a rendered form. |
Destination Hostname | Destination hostname |
OutgoingMirrorError | |
CMD line | |
Command Line | Command Line |
Technique ID | |
Event Names | The event name (translated QID) in the event. |
MD5 | MD5 |
Source MAC Address | The source MAC address in an event. |
High Risky Users | |
Vulnerability Category | |
Resource Name | |
EmailCampaignCanvas | |
Low Level Categories Events | The low level category of the event. |
CVE ID | |
Destination Port | The destination port used. |
Title | Title |
Dest Hostname | Destination hostname |
Pre Nat Destination Port | The destination port before NAT. |
Related Alerts | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Raw Event | The unparsed event data. |
Parent Process Name | |
Users Details | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Device OS Name | |
Registry Value | |
Account Status | |
Approval Status | The status for the approval of the request. |
Domain Name | |
Source Id | |
Identity Type | |
Caller | |
Referenced Resource Name | |
Technical Owner Contact | The contact details for the technical owner. |
Alert Source | |
Scenario | |
Display Name | Display Name |
Agents ID | |
Full Name | Person's Full Name |
Source Status | |
SHA1 | SHA1 |
Endpoint | |
Hunt Results Count | |
Device External IPs | |
External Link | |
Dest | Destination |
Appliance Name | Appliance name as received from the integration JSON |
Status Reason | |
External End Time | |
Alert tags | |
Last Modified By | |
Device Username | The username of the user that owns the device |
Sub Category | The sub category |
Detected Internal Hosts | Detected internal hosts |
Process SHA256 | |
Item Owner | |
Users | |
Source IPV6 | The source IPV6 address. |
Post Nat Destination Port | The destination port after NAT. |
Child Process | |
List Of Rules - Event | The list of rules associated with an event. |
Ticket Closed Date | |
Number of similar files | |
Vendor Product | |
MITRE Technique ID | |
Source Create time | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Destination IPs | The destination IPs of the event. |
End Time | The time when the offense ended. |
Alert Category | The category of the alert |
Selected Indicators | Includes the indicators selected by the user. |
Password Changed Date | |
Tactic | |
Device MAC Address | |
User Agent | |
Account Name | Account Name |
Verdict | |
Registry Hive | |
Device OS Version | |
Group ID | |
Compliance Notes | Notes regarding the asset's compliance. |
Country Name | Country Name |
Additional Data | |
Domain Updated Date | |
Agent ID | Agent ID |
Source Networks | |
User Block Status | |
Events | The events associated with the offense. |
Device Local IP | Device Local IP |
Last Modified On | |
Tactic ID | |
Last Seen | |
Device Name | Device Name |
Attack Mode | Attack mode as received from the integration JSON |
Detected External Hosts | Detected external hosts |
Job Function | Job Function |
SSDeep | |
IP Reputation | |
Error Message | The error message that contains details about the error that occurred. |
Categories | The categories for the incident. |
Last Name | Last Name |
Org Level 3 | |
File Paths | |
Process MD5 | |
Isolated | Isolated |
Tool Usage Found | |
Hostnames | The hostname in the event. |
Verification Status | The status of the user verification. |
Source Hostname | The hostname that performed the port scan. |
OS Type | OS Type |
High Risky Hosts | |
File Path | |
userAccountControl | userAccountControl |
Technique | |
Region | |
SHA256 | SHA256 |
City | |
Org Level 1 | |
App message | |
Ticket Acknowledged Date | |
Last Update Time | |
Pre Nat Source IP | The source IP before NAT. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Cloud Resource List | |
Rating | |
Process Creation Time | |
Device External IP | Device External IP |
Assigned User | Assigned User |
Username | The username of the account who logged in. |
Detected IPs | |
Org Unit | |
Threat Hunting Detected Hostnames | |
Mobile Device Model | |
Destination MAC Address | The destination MAC address in an event. |
Usernames | The username in the event. |
Birthday | Person's Birthday |
Threat Name | The threat name, such as malware, exploit, phishing, etc. |
Verification Method | The method used to verify the user. |
First Seen | |
Resource URL | |
External Last Updated Time | |
Affected Users | |
Protocol - Event | The network protocol in the event. |
Application Name | Application Name |
URLs | |
Tools | |
Parent CMD line | |
Src | Source |
ASN | |
Alert Attack Time | |
First Name | First Name |
Suspicious Executions Found | |
Process Path | |
Source Category | |
sAMAccountName | User sAMAccountName |
Application Id | Application Id |
SHA512 | SHA512 |
Objective | |
Parent Process CMD | |
Event Descriptions | The description of the event name. |
MITRE Tactic ID | |
Error Code | |
EmailCampaignSummary | |
Affected Hosts | |
Src NT Domain | Source NT Domain |
MITRE Tactic Name | |
Source Username | The username that was the source of the attack. |
Signature | |
Domain Registrar Abuse Email | |
Pre Nat Source Port | The source port before NAT. |
Parent Process Path | |
Policy Description | |
Sensor IP | |
Device Hash | Device Hash |
Device Id | Device Id |
similarIncidents | |
Employee Email | The email address of the employee. |
Detection Update Time | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Close Time | The closing time. |
Detected External IPs | Detected external IPs |
Use Case Description | |
IncomingMirrorError | |
Cloud Service | |
Location | Location |
Custom Query Results | |
Number of Related Incidents | |
Alert Malicious | Whether the alert is malicious. |
RemovedFromCampaigns | |
Report Name | |
Src Ports | The source ports of the event. |
Destination Geolocation | The destination geolocation of the event. |
External Category Name | |
Alert ID | Alert ID as received from the integration JSON |
Cloud Instance ID | Cloud Instance ID |
Classification | Incident Classification |
Policy URI | |
Policy Details | |
Policy Actions | |
Changed | The user who changed this incident |
External Sub Category Name | |
Policy Recommendation | |
Personal Email | |
Tags | |
State | State |
DNS Name | The DNS name of the asset. |
Asset Name | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
File Relationships | |
EmailCampaignMutualIndicators | |
User Anomaly Count | |
Suspicious Executions | |
Sensor Name | |
Account Member Of | |
Destination IP | The IP address the impossible traveler logged in to. |
Event ID | Event ID |
Threat Hunting Detected IP | |
Source IP | The IP Address that the user initially logged in from. |
Source Priority | |
Application Path | |
Category Count | The number of categories that are associated with the offense. |
Post Nat Source IP | The source IP address after NAT. |
Src User | Source User |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Registry Key | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Dest OS | Destination OS |
Event Action | Action taken on user accounts: Create, Update, Deactivate, Reactivate. |
Primary Email Address | |
Detection ID | |
User Id | User Id |
Post Nat Destination IP | The destination IP address after NAT. |
Zip Code | Zip Code |
Operation Name | |
Email Sent Successfully | Whether the email has been successfully sent. |
Cloud Account ID | |
Src Hostname | Source hostname |
Vulnerable Product | |
Exposure Level | |
Department | Department |
Ticket Number | |
File Size | File Size |
Protocol | Protocol |
External Confidence | |
Detection End Time | |
Risk Rating | |
Country | The country from which the user logged in. |
External System ID | |
Subtype | Subtype |
Start Time | The time when the offense started. |
Policy Severity | |
Dest NT Domain | Destination NT Domain |
Source Port | The source port that was used |
Protocol names | |
Src OS | Src OS |
CMD | |
External Addresses | |
Risk Score | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Parent Process MD5 | |
Work Phone | |
Technical User | The technical user of the asset. |
Region ID | |
Acquisition Hire | |
Log Source Name | The log source name associated with the event. |
Alert Type ID | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Cost Center | Cost Center |
Cloud Region List | |
Location Region | Location Region |
Parent Process File Path | |
Team name | |
Device Time | The time from the original logging device when the event occurred. |
Alert URL | Alert URL as received from the integration JSON |
Job Family | Job Family |
Description | The description of the incident |
Detected Endpoints | |
Device Model | Device Model |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Is Active | Alert status |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Related Endpoints | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Closing User | The closing user. |
Alert Rules | |
File Hash | |
External Category ID | |
File MD5 | |
Event Type | Event Type |
Appliance ID | Appliance ID as received from the integration JSON |
Org Level 2 | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
UUID | UUID as received from the integration JSON |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Source Geolocation | The source geolocation of the event. |
Device Status | |
Destination Networks | |
Audit Logs | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
User Engagement Response | |
Device OU | Device's OU path in Active Directory |
Policy Remediable | |
Incident Link | |
Command Line Verdict | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
External ID | |
Triage SLA | The time it took to investigate and enrich incident information. |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Registration Email | |
Additional Email Addresses | |
Process Paths | |
Name | Description |
---|---|
Exploit | |
Network | |
Exfiltration | |
Lateral Movement | |
Simulation | |
Hunt | |
Defacement | |
Policy Violation | |
UnknownBinary | |
DoS | |
Indicator Feed | |
C2Communication | |
Authentication | |
Job | |
Reconnaissance | |
Vulnerability | |
Name | Description |
---|---|
Street Address | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Certificate Validation Checks | |
Issuer DN | Issuer Distinguished Name |
Associations | Known associations to other pieces of Threat Data. |
Serial Number | |
Size | |
City | City |
Signed | |
Internal | |
Zip Code | |
Commands | |
STIX Malware Types | |
Targets | |
Download URL | |
AS Owner | |
Country Name | |
STIX Resource Level | |
Account Type | |
State | |
STIX Aliases | Alternative names used to identify this object |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Admin Phone | |
Updated Date | |
Resource Level | |
Registrant Country | |
Signature Description | |
Region | |
Assigned role | |
Secondary Motivations | |
Applications | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Behavior | |
IP Address | |
Goals | |
Organization Type | |
Name | |
Report type | |
Registrar Abuse Name | |
Assigned user | |
Mobile Phone | |
Published | |
Certificate Names | |
Feed Related Indicators | |
Job Code | Job Code |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Community Notes | |
Office365Category | |
Query Language | |
Operating System | |
Tags | |
Blocked | |
File Type | |
Mitre Tactics | |
STIX Sophistication | |
CVSS Vector | |
CVE Modified | |
Vulnerabilities | |
Registrar Abuse Address | |
Domain Status | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Admin Country | |
STIX Goals | |
Creation Date | |
Subdomains | |
Operating System Version | |
Given Name | Given Name |
Number of subkeys | |
Primary Motivation | |
Signature Original Name | |
STIX Is Malware Family | |
Signature File Version | |
Subject | |
Report Object References | A list of STIX IDs referenced in the report. |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
CVSS Version | |
Name Field | |
Port | |
Display Name | |
Author | |
BIOS Version | |
Short Description | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Org Level 3 | |
Department | Department |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Public Key | |
MAC Address | |
STIX Primary Motivation | |
Vendor | |
DNS | |
Geo Location | |
Reports | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
CVSS | |
Certificate Signature | |
SHA512 | |
Version | |
Organizational Unit (OU) | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Malware types | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Country Code Number | |
Is Processed | |
Operating System Refs | |
CVE Description | |
Signature Algorithm | |
Title | Title |
Confidence | |
OS Version | |
User ID | |
Admin Email | |
Cost Center Code | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
STIX Description | |
Objective | |
Personal Email | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Registrant Phone | |
Device Model | |
ASN | |
Whois Records | |
Malware Family | |
Admin Name | |
CVSS Score | |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Action | |
Name Servers | |
Org Level 1 | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Office365Required | |
CVSS Table | |
Work Phone | |
Entry ID | |
Infrastructure Types | |
Geo Country | |
Location Region | |
Mitre ID | |
Signature Authentihash | |
Memory | |
imphash | |
Organization | |
Campaign | |
Job Family | |
Registrant Name | |
Tool Types | |
Location | |
Roles | |
Registrant Email | |
Email Address | |
Force Sync | Whether to force user synchronization. |
Product | |
STIX Secondary Motivations | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Registrar Abuse Phone | |
Quarantined | Whether the indicator is quarantined or isolated |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Country Code | |
Org Level 2 | |
Is Malware Family | |
MD5 | |
Username | |
Hostname | |
Registrar Name | |
Domain Referring Subnets | |
Source Priority | |
Issuer | |
PEM | Certificate in PEM format. |
Domain Referring IPs | |
Publications | |
Manager Email Address | |
Vulnerable Products | |
DHCP Server | |
Detection Engines | Total number of engines that checked the indicator |
Validity Not After | Specifies the date on which the certificate validity period ends. |
STIX ID | An identifier that uniquely identifies a STIX Object, and MAY do so in a deterministic way. |
STIX Tool Version | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Groups | |
File Extension | |
Surname | Surname |
Registrar Abuse Network | |
Signature Copyright | |
Cost Center | |
Samples | |
Domains | |
Domain IDN Name | |
Job Function | |
Registrar Abuse Country | |
Subject DN | Subject Distinguished Name |
SSDeep | |
Signature Internal Name | |
Rank | Used to display rank from different sources |
Paths | |
Path | |
Expiration Date | |
X.509 v3 Extensions | |
STIX Roles | |
Architecture | |
Org Unit | |
Domain Name | |
SHA256 | |
Tool Version | |
Actor | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Leadership | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Extension | |
Acquisition Hire | Whether the employee is an acquisition hire. |
STIX Tool Types | |
Category | |
Description | |
DNS Records | |
Capabilities | |
Indicator Identification | |
Aliases | Alternative names used to identify this object |
Registrar Abuse Email | |
Subject Alternative Names | |
SHA1 | |
Detections | |
Sophistication | |
Manager Name | Manager Name |
Definition | |
Processors | |
CVSS3 | |
Processor | |
Key Value | |
STIX Threat Actor Types | |
Threat Actor Types | |
Implementation Languages | |
Office365ExpressRoute | |
Associated File Names | |
Certificates | |
Name | Description |
---|---|
Tool Indicator | Tool Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Intrusion Set | Intrusion Set Layout |
File Indicator | File Indicator Layout |
Identity | Identity indicator layout |
Campaign | Campaign Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Location | Location indicator layout |
URL Indicator | URL Indicator Layout |
Malware Indicator | Malware Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Email Indicator | Email Indicator Layout |
Account Indicator | Account Indicator Layout |
ASN | ASN Indicator Layout |
Host Indicator | Host indicator layout |
Tactic Layout | Tactic Indicator Layout |
Mutex | Mutex indicator layout |
Software | Software Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Vulnerability Incident | |
Course of Action | Course of Action Indicator Layout |
IP Indicator | IP Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Report | Report Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Indicator Feed Incident | |
Name | Description |
---|---|
Intrusion Set | |
Attack Pattern | |
Host | |
Registry Key | |
Tool | |
Report | |
File | |
Tactic | |
Software | |
File SHA-256 | |
IPv6 | |
Domain | |
Threat Actor | |
IPv6CIDR | |
Mutex | |
CVE | |
ASN | |
Malware | |
File MD5 | |
CIDR | |
Identity | |
ssdeep | |
Location | |
Infrastructure | |
URL | |
Campaign | |
Account | |
Onion Address | |
DomainGlob | |
Course of Action | |
IP | |
X509 Certificate | |
File SHA-1 | |
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
Last Modified By | |
Email Sent Successfully | Whether the email has been successfully sent. |
User Engagement Response | |
EmailCampaignCanvas | |
Caller | |
Street Address | |
Org Level 1 | |
Process Names | |
High Risky Hosts | |
External Category ID | |
Related Report | |
File Creation Date | |
Device MAC Address | |
Employee Email | The email address of the employee. |
Tenant Name | Tenant Name |
Process Creation Time | |
External End Time | |
Source Networks | |
Detection ID | |
Last Name | Last Name |
Policy Details | |
userAccountControl | userAccountControl |
Policy Remediable | |
Block Indicators Status | |
Post Nat Source Port | The source port after NAT. |
Org Unit | |
User Block Status | |
External Confidence | |
Detected Internal Hosts | Detected internal hosts |
Log Source Name | The log source name associated with the event. |
Tactic | |
App message | |
Investigation Stage | The stage of the investigation. |
Closing User | The closing user. |
CVE | |
Technical Owner | The technical owner of the asset. |
Containment SLA | The time it took to contain the incident. |
Report Name | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
sAMAccountName | User sAMAccountName |
High Risky Users | |
Cloud Account ID | |
String Similarity Results | |
Account Member Of | |
Original Description | The description of the incident |
Isolated | Isolated |
Policy ID | |
Detected External IPs | Detected external IPs |
Asset Name | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Zip Code | Zip Code |
Process ID | |
Country Code Number | |
Related Alerts | |
MITRE Technique Name | |
Asset ID | |
Password Changed Date | |
Source Geolocation | The source geolocation of the event. |
Alert Malicious | Whether the alert is malicious. |
Post Nat Destination Port | The destination port after NAT. |
Detection End Time | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Detected Endpoints | |
Item Owner Email | |
Verification Method | The method used to verify the user. |
Src OS | Src OS |
User Creation Time | |
Attack Mode | Attack mode as received from the integration JSON |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Device Hash | Device Hash |
Protocol names | |
Start Time | The time when the offense started. |
Referenced Resource ID | |
Rating | |
Registration Email | |
Timezone | |
Policy Type | |
Employee Manager Email | The email address of the employee's manager. |
Source Created By | |
Device Time | The time from the original logging device when the event occurred. |
Account ID | |
Domain Name | |
Primary Email Address | |
Triggered Security Profile | Triggered Security Profile |
Cloud Resource List | |
IP Blocked Status | |
Identity Type | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Source Urgency | Source Urgency |
Original Alert Source | |
Org Level 2 | |
List Of Rules - Event | The list of rules associated with an event. |
Source Updated by | |
Internal Addresses | |
Full Name | Person's Full Name |
External Last Updated Time | |
Technique ID | |
EmailCampaignSnippets | |
Job Family | Job Family |
Changed | The user who changed this incident |
Vulnerability Category | |
Device OS Name | |
Attack Patterns | |
Domain Updated Date | |
Parent Process IDs | |
Vendor Product | |
Group ID | |
Selected Indicators | Includes the indicators selected by the user. |
Team name | |
Process MD5 | |
ASN | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Job Function | Job Function |
Source Priority | |
Mobile Phone | |
Employee Display Name | The display name of the employee. |
Threat Name | The threat name, such as malware, exploit, phishing, etc. |
File SHA1 | |
Device Internal IPs | |
Item Owner | |
Birthday | Person's Birthday |
Last Update Time | |
State | State |
Closing Reason | The closing reason |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Additional Data | |
Command Line Verdict | |
Password Reset Successfully | Whether the password has been successfully reset. |
Last Modified On | |
Policy Actions | |
Rendered HTML | The HTML content in a rendered form. |
OS | The operating system. |
Title | Title |
Job Code | Job Code |
Bugtraq | |
Parent Process Name | |
Follow Up | True if marked for follow up. |
Registry Hive | |
Process Paths | |
Suspicious Executions | |
Incident Link | |
Cloud Region List | |
Duration | |
Policy Severity | |
Comment | The comments related to the incident. |
Cost Center Code | Cost Center Code |
Assigned User | Assigned User |
Parent Process MD5 | |
Parent Process Path | |
MITRE Tactic ID | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Location Region | Location Region |
Escalation | |
Custom Query Results | |
Manager Name | Manager Name |
Post Nat Source IP | The source IP address after NAT. |
Additional Indicators | |
External System ID | |
First Name | First Name |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Country Code | |
Technical Owner Contact | The contact details for the technical owner. |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
External Status | |
Rule Name | The name of a YARA rule |
Mobile Device Model | |
Location | Location |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
External Link | |
Event Names | The event name (translated QID) in the event. |
Status Reason | |
Source Category | |
Log Source | Log Source |
Category Count | The number of categories that are associated with the offense. |
IP Reputation | |
Registry Key | |
Vendor ID | |
Operation Name | |
Device Id | Device Id |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
External Sub Category ID | |
Verification Status | The status of the user verification. |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Objective | |
Exposure Level | |
Tool Usage Found | |
External Sub Category Name | |
Campaign Name | |
EmailCampaignMutualIndicators | |
File Relationships | |
Cost Center | Cost Center |
Approval Status | The status for the approval of the request. |
SKU TIER | |
Alert Rules | |
Referenced Resource Name | |
Number of Related Incidents | |
IncomingMirrorError | |
Error Code | |
Triage SLA | The time it took to investigate and enrich incident information. |
Last Seen | |
Risk Score | |
Region | |
Blocked Action | Blocked Action |
Event Descriptions | The description of the event name. |
Tools | |
Destination Networks | |
Related Campaign | |
Org Level 3 | |
Work Phone | |
CVSS | |
Vulnerable Product | |
Agents ID | |
Device External IPs | |
Acquisition Hire | |
Process CMD | |
Alert Action | Alert action as received from the integration JSON |
Error Message | The error message that contains details about the error that occurred. |
Post Nat Destination IP | The destination IP address after NAT. |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Assignment Group | |
Registry Value Type | |
Users Details | |
app channel name | |
ASN Name | |
Phone Number | Phone number |
CVE Published | |
Parent Process CMD | |
Device OS Version | |
Source Create time | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Event Action | Action taken on user accounts: Create, Update, Deactivate, Reactivate. |
Is Active | Alert status |
Tactic ID | |
Resource Name | |
Policy Recommendation | |
Destination IPV6 | The destination IPV6 address. |
Device Status | |
Pre Nat Source IP | The source IP before NAT. |
End Time | The time when the offense ended. |
Pre Nat Destination Port | The destination port before NAT. |
Subtype | Subtype |
Raw Event | The unparsed event data. |
Alert tags | |
Device OU | Device's OU path in Active Directory |
Audit Logs | |
Cloud Instance ID | Cloud Instance ID |
Signature | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Region ID | |
Surname | Surname |
Policy Description | |
Use Case Description | |
Policy URI | |
Personal Email | |
Device Name | Device Name |
Resource URL | |
Approver | The person who approved or needs to approve the request. |
User Id | User Id |
Endpoint Isolation Status | |
Process SHA256 | |
SSDeep | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Project ID | |
Agent Version | Reporting Agent/Sensor Version |
Technique | |
Source Id | |
User Anomaly Count | |
Similar incidents Dbot | |
Display Name | Display Name |
Number of similar files | |
Dsts | The destination values. |
Manager Email Address | |
CVE ID | |
External Category Name | |
Original Alert Name | Alert name as received from the integration JSON |
External Start Time | |
Log Source Type | The log source type associated with the event. |
Original Events | The events associated with the offense. |
Suspicious Executions Found | |
Sensor IP | |
Unique Ports | |
MITRE Technique ID | |
Verdict | |
Given Name | Given Name |
Department | Department |
Classification | Incident Classification |
Event ID | Event ID |
Traffic Direction | The direction of the traffic in the event. |
Technical User | The technical user of the asset. |
External Severity | |
Domain Registrar Abuse Email | |
Ticket Number | |
First Seen | |
File Size | File Size |
Registry Value | |
Scenario | |
SHA512 | SHA512 |
Ticket Acknowledged Date | |
similarIncidents | |
SHA1 | SHA1 |
Cloud Service | |
File Hash | |
UUID | UUID as received from the integration JSON |
Source Status | |
Affected Hosts | |
OS Type | OS Type |
Device Model | Device Model |
Source External IPs | |
Resource Type | |
RemovedFromCampaigns | |
EmailCampaignSummary | |
Hunt Results Count | |
Low Level Categories Events | The low level category of the event. |
Leadership | |
Original Alert ID | Alert ID as received from the integration JSON |
Additional Email Addresses | |
OutgoingMirrorError | |
Policy Deleted | |
City | |
Ticket Closed Date | |
Risk Rating | |
URLs | |
User Groups | |
Account Status | |
MITRE Tactic Name | |
Sub Category | The sub category |
User SID | |
Parent Process File Path | |
Compliance Notes | Notes regarding the asset's compliance. |
Dest OS | Destination OS |
Affected Users | |
Application Path | |
Close Time | The closing time. |
Pre Nat Source Port | The source port before NAT. |
Risk Name | |
Related Endpoints | |
Alert Type ID | |
Destination Geolocation | The destination geolocation of the event. |
File Access Date | |
Reporter Email Address | The email address of the user who reported the email. |
Parent Process SHA256 | |
Endpoints Details | |
SKU Name | |
Number Of Log Sources | The number of log sources related to the offense. |
Name | Description |
---|---|
Simulation | |
Hunt | |
C2Communication | |
Vulnerability | |
DoS | |
Exfiltration | |
UnknownBinary | |
Defacement | |
Exploit | |
Authentication | |
Reconnaissance | |
Network | |
Policy Violation | |
Indicator Feed | |
Job | |
Lateral Movement | |
Name | Description |
---|---|
STIX Tool Version | |
Department | Department |
Operating System Version | |
Certificate Validation Checks | |
Manager Name | Manager Name |
Admin Phone | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
Primary Motivation | |
Org Unit | |
Rank | Used to display rank from different sources |
Cost Center Code | |
Job Family | |
Resource Level | |
Serial Number | |
Subject Alternative Names | |
Category | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Signature Original Name | |
Objective | |
Given Name | Given Name |
Device Model | |
Vulnerable Products | |
X.509 v3 Extensions | |
Port | |
Action | |
Subject DN | Subject Distinguished Name |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Query Language | |
Name Field | |
STIX Threat Actor Types | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Extension | |
City | City |
Signature Internal Name | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Admin Email | |
Blocked | |
STIX Tool Types | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Sophistication | |
Download URL | |
CVSS | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Report type | |
Location | |
Hostname | |
Signature Authentihash | |
Geo Location | |
CVE Modified | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Admin Country | |
Domain IDN Name | |
Size | |
Registrant Country | |
STIX Description | |
Registrant Email | |
Updated Date | |
Title | Title |
Domain Referring IPs | |
Internal | |
CVE Description | |
SHA512 | |
STIX Primary Motivation. | |
Username | |
Email Address | |
Registrant Name | |
Org Level 2 | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Registrar Abuse Address | |
Report Object References | A list of STIX IDs referenced in the report. |
Registrar Name | |
Detections | |
Vendor | |
Tags | |
Expiration Date | |
DNS Records | |
STIX Roles | |
Acquisition Hire | Whether the employee is an acquisition hire. |
CVSS Score | |
Zip Code | |
Leadership | |
Certificate Names | |
Is Processed | |
Roles | |
Detection Engines | Total number of engines that checked the indicator |
Tool Types | |
Manager Email Address | |
Architecture | |
Cost Center | |
Admin Name | |
Subdomains | |
Entry ID | |
ASN | |
Processor | |
State | |
Domain Status | |
Name | |
Goals | |
SSDeep | |
Number of subkeys | |
Malware Family | |
Groups | |
Secondary Motivations | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Organization | |
Community Notes | |
Domains | |
Org Level 3 | |
Account Type | |
Registrar Abuse Name | |
Confidence | |
Force Sync | Whether to force user synchronization. |
AS Owner | |
Signed | |
Key Value | |
Assigned role | |
Source Priority | |
Work Phone | |
Creation Date | |
Actor | |
Registrant Phone | |
IP Address | |
SHA1 | |
Surname | Surname |
STIX Sophistication | |
Malware types | |
Reports | |
Registrar Abuse Email | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Definition | |
SHA256 | |
Mitre Tactics | |
File Extension | |
Organization Type | |
CVSS Version | |
Registrar Abuse Country | |
Author | |
Service | The specific service of a feed integration from which an indicator was ingested. |
STIX Resource Level | |
Office365ExpressRoute | |
Organizational Unit (OU) | |
Office365Required | |
Targets | |
STIX Aliases | Alternative names used to identify this object |
Publications | |
Subject | |
DNS | |
Paths | |
Signature File Version | |
Issuer | |
Display Name | |
Behavior | |
Org Level 1 | |
Infrastructure Types | |
PEM | Certificate in PEM format. |
Country Code Number | |
Mobile Phone | |
Associations | Known associations to other pieces of Threat Data. |
Country Name | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
STIX Is Malware Family | |
Certificate Signature | |
Capabilities | |
Whois Records | |
Vulnerabilities | |
Location Region | |
Feed Related Indicators | |
STIX Secondary Motivations | |
Aliases | Alternative names used to identify this object |
Is Malware Family | |
Threat Actor Types | |
Registrar Abuse Network | |
Country Code | |
Public Key | |
Path | |
Short Description | |
Campaign | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
imphash | |
Commands | |
Job Function | |
File Type | |
User ID | |
Indicator Identification | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Job Code | Job Code |
Registrar Abuse Phone | |
Name Servers | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
CVSS Table | |
Issuer DN | Issuer Distinguished Name |
STIX Malware Types | |
Version | |
Street Address | |
Signature Algorithm | |
Description | |
Operating System | |
Certificates | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Tool Version | |
MD5 | |
Signature Copyright | |
Quarantined | Whether the indicator is quarantined or isolated |
Signature Description | |
Published | |
Associated File Names | |
STIX Goals | |
Processors | |
DHCP Server | |
OS Version | |
Geo Country | |
Samples | |
Domain Name | |
Applications | |
BIOS Version | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
CVSS Vector | |
Domain Referring Subnets | |
Product | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Personal Email | |
Memory | |
Implementation Languages | |
Office365Category | |
CVSS3 | |
Region | |
Assigned user | |
Mitre ID | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Operating System Refs | |
Name | Description |
---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule | |
Name | Description |
---|---|
URL Indicator | URL Indicator Layout |
Host Indicator | Host indicator layout |
X509 Certificate | CVE Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Vulnerability Incident | |
Campaign | Campaign Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Location | Location indicator layout |
Registry Key Indicator | Registry Key Indicator Layout |
File Indicator | File Indicator Layout |
Malware Indicator | Malware Indicator Layout |
ASN | ASN Indicator Layout |
IP Indicator | IP Indicator Layout |
Identity | Identity indicator layout |
Email Indicator | Email Indicator Layout |
Account Indicator | Account Indicator Layout |
Indicator Feed Incident | |
Threat Actor | Threat Actor Indicator Layout |
Mutex | Mutex indicator layout |
Course of Action | Course of Action Indicator Layout |
Report | Report Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Tactic Layout | Tactic Indicator Layout |
Software | Software Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Name | Description |
---|---|
DomainGlob | |
IPv6 | |
CVE | |
Malware | |
Tactic | |
File MD5 | |
Report | |
Software | |
Attack Pattern | |
Location | |
CIDR | |
Identity | |
Host | |
Onion Address | |
Tool | |
X509 Certificate | |
Mutex | |
Account | |
Infrastructure | |
Campaign | |
Threat Actor | |
ASN | |
File SHA-1 | |
IPv6CIDR | |
ssdeep | |
Domain | |
File SHA-256 | |
Registry Key | |
URL | |
IP | |
Course of Action | |
File | |
Intrusion Set | |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Added a new number field that represents the number of times the indicator is detected in the organization.
Added a new number field that represents the number of times the indicator is detected across all organizations.
Added a new date field that represents when the indicator was first seen in the organization.
Added a new date field that represents when the indicator was last seen in the organization.
File
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | File.OrganizationPrevalence |
globalprevalence | File.GlobalPrevalence |
organizationfirstseen | File.OrganizationFirstSeen |
organizationlastseen | File.OrganizationLastSeen |
firstseenbysource | File.FirstSeenBySource |
lastseenbysource | File.LastSeenBySource |
Domain
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | Domain.OrganizationPrevalence |
globalprevalence | Domain.GlobalPrevalence |
organizationfirstseen | Domain.OrganizationFirstSeen |
organizationlastseen | Domain.OrganizationLastSeen |
firstseenbysource | Domain.FirstSeenBySource |
lastseenbysource | Domain.LastSeenBySource |
URL
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | URL.OrganizationPrevalence |
globalprevalence | URL.GlobalPrevalence |
organizationfirstseen | URL.OrganizationFirstSeen |
organizationlastseen | URL.OrganizationLastSeen |
firstseenbysource | URL.FirstSeenBySource |
lastseenbysource | URL.LastSeenBySource |
IP
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IP.OrganizationPrevalence |
globalprevalence | IP.GlobalPrevalence |
organizationfirstseen | IP.OrganizationFirstSeen |
organizationlastseen | IP.OrganizationLastSeen |
firstseenbysource | IP.FirstSeenBySource |
lastseenbysource | IP.LastSeenBySource |
IPv6
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IPv6.OrganizationPrevalence |
globalprevalence | IPv6.GlobalPrevalence |
organizationfirstseen | IPv6.OrganizationFirstSeen |
organizationlastseen | IPv6.OrganizationLastSeen |
firstseenbysource | IPv6.FirstSeenBySource |
lastseenbysource | IPv6.LastSeenBySource |
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.
External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.
File Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout showing "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout showing "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout showing "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout showing "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout showing "True". (From Cortex XSOAR 8.8)
Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.
Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Certification | Certified | |
Supported By | Cortex | |
Created | July 26, 2020 | |
Last Release | April 20, 2025 | |