Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Caller
Is Active	Alert status
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Registry Value Type
Team name
Timezone
Alert Rules
Identity Type
Related Alerts
MAC Address	MAC Address
Vendor Product
Policy Remediable
File Names
Parent Process MD5
Tenant Name	Tenant Name
Asset Name
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Dest OS	Destination OS
Post Nat Source Port	The source port after NAT.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Device External IPs
Technical Owner Contact	The contact details for the technical owner.
First Seen
Hunt Results Count
Device Id	Device Id
Verdict
File SHA256
Log Source Name	The log source name associated with the event.
EmailCampaignSummary
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Exposure Level
Detected Internal Hosts	Detected internal hosts
Traffic Direction	The direction of the traffic in the event.
Alert Attack Time
RemovedFromCampaigns
External Status
Pre Nat Destination Port	The destination port before NAT.
Additional Indicators
Detected Users	Detected users
Attack Patterns
Last Modified By
Ticket Closed Date
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Destination Hostname	Destination hostname
Ticket Opened Date
Number Of Log Sources	The number of log sources related to the offense.
Additional Data
Hostnames	The hostname in the event.
State	State
Error Message	The error message that contains details about the error that occurred.
Last Modified On
Related Report
Technique
Source IPV6	The source IPV6 address.
OS Type	OS Type
Location	Location
Destination IP	The IP address the impossible traveler logged in to.
Src User	Source User
User Groups
Changed	The user who changed this incident
Source Updated by
SHA256	SHA256
Reporter Email Address	The email address of the user who reported the email.
Cost Center Code	Cost Center Code
Dest Hostname	Destination hostname
Objective
Birthday	Person's Birthday
Classification	Incident Classification
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Related Endpoints
Destination Port	The destination port used.
Report Name
User Engagement Response
Last Seen
Vulnerability Category
Source Network
Parent Process SHA256
Post Nat Destination IP	The destination IP address after NAT.
userAccountControl	userAccountControl
Raw Event	The unparsed event data.
File Creation Date
File Access Date
Job Code	Job Code
Resource Name
Vendor ID
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Policy Recommendation
Application Name	Application Name
End Time	The time when the offense ended.
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Policy Type
Duration
Policy URI
Device Status
MITRE Technique ID
Detection Update Time
Source Priority
Country Code Number
Detected User
Email	Primary Email Address
Process MD5
Detected IPs
Rendered HTML	The HTML content in a rendered form.
Log Source	Log Source
Technique ID
Endpoint Isolation Status
Srcs	The source values.
Investigation Stage	The stage of the investigation.
EmailCampaignMutualIndicators
Referenced Resource Name
Appliance ID	Appliance ID as received from the integration JSON
Source IP	The IP Address that the user initially logged in from.
Department	Department
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Parent Process
UUID	UUID as received from the integration JSON
Start Time	The time when the offense started.
Protocol names
PID	PID
File Paths
Org Level 3
Region
Approval Status	The status for the approval of the request.
External Sub Category ID
Compliance Notes	Notes regarding the assets compliance.
Blocked Action	Blocked Action
Dest NT Domain	Destination NT Domain
MITRE Tactic Name
Assigned User	Assigned User
Suspicious Executions Found
Operation Name
External Category ID
Cost Center	Cost Center
Registry Key
Cloud Operation Type
Password Reset Successfully	Whether the password has been successfully reset.
Src	Source
Parent Process Name
OS Version	OS Version
SSDeep
DNS Name	The DNS name of the asset.
Personal Email
Src OS	Src OS
High Risky Hosts
Country	The country from which the user logged in.
Technical User	The technical user of the asset.
Manager Name	Manager Name
ASN Name
Org Unit
Endpoints Details
Device OS Version
EmailCampaignCanvas
Bugtraq
Org Level 2
Appliance Name	Appliance name as received from the integration JSON
Policy Severity
Process CMD
Device External IP	Device External IP
Device Name	Device Name
Agent ID	Agent ID
Detected External IPs	Detected external IPs
Country Name	Country Name
Parent Process IDs
Approver	The person who approved or needs to approve the request.
Process Path
Audit Logs
Destination Network
Additional Email Addresses
Command Line Verdict
Rule Name	The name of a YARA rule
Signature
Process Paths
Post Nat Source IP	The source IP address after NAT.
Parent Process File Path
List Of Rules - Event	The list of rules associated to an event.
Verification Method	The method used to verify the user.
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
File Relationships
Application Path
Device Internal IPs
Scenario
Acquisition Hire
Source Networks
Cloud Instance ID	Cloud Instance ID
Custom Query Results
Number of similar files
Full Name	Person's Full Name
Sub Category	The sub category
CMD
File MD5
Employee Display Name	The display name of the employee.
Destination IPV6	The destination IPV6 address.
File Path
File SHA1
Process ID
Registry Value
Alert tags
City
Block Indicators Status
ASN
Assignment Group
Event ID	Event ID
Device Model	Device Model
CVE
External Start Time
Agent Version	Reporting Agent/Sensor Version
External System ID
Tools
Referenced Resource ID
Low Level Categories Events	The low level category of the event.
Containment SLA	The time it took to contain the incident.
Registry Hive
Source MAC Address	The source MAC address in an event.
External ID
Source Port	The source port that was used
CVSS
Policy Deleted
Detection ID
Employee Email	The email address of the employee.
External Severity
File Name
Title	Title
Device Hash	Device Hash
MITRE Tactic ID
Street Address
User Anomaly Count
Alert Name	Alert name as received from the integration JSON
Account Status
Domain Name
app channel name
Cloud Region List
Item Owner
Use Case Description
OS	The operating system.
Error Code
Cloud Resource List
Manager Email Address
Detection End Time
Project ID
User Creation Time
Sensor IP
Cloud Account ID
Parent Process CMD
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Device OS Name
Number of Related Incidents
Device Time	The time from the original logging device when the event occurred.
Protocol	Protocol
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Escalation
Category Count	The number of categories that are associated with the offense.
Source External IPs
Triggered Security Profile	Triggered Security Profile
External Confidence
Org Level 1
Zip Code	Zip Code
Protocol - Event	The network protocol in the event.
Source Category
OutgoingMirrorError
Unique Ports
Endpoint
Phone Number	Phone number
Risk Rating
Password Changed Date
External Addresses
Categories	The categories for the incident.
Process Creation Time
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Isolated	Isolated
Related Campaign
Detected Internal IPs	Detected internal IPs
Alert Category	The category of the alert
Employee Manager Email	The email address of the employee's manager.
Source Geolocation	The source geolocation of the event.
Alert URL	Alert URL as received from the integration JSON
High Level Categories	The high level categories in the events.
Selected Indicators	Includes the indicators selected by the user.
Cloud Service
Users
MD5	MD5
Work Phone
Triage SLA	The time it took to investigate and enrich incident information.
Verification Status	The status of the user verification.
Dst Ports	The destination ports of the event.
Registration Email
Follow Up	True if marked for follow up.
Process SHA256
Incident Link
Child Process
Group ID
Policy Details
Asset ID
Item Owner Email
User Risk Level
Detected Endpoints
Threat Hunting Detected IP
IP Reputation
Country Code
App message
Threat Hunting Detected Hostnames
Region ID
URLs
Account Member Of
Job Function	Job Function
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Agents ID
Event Names	The event name (translated QID ) in the event.
External Link
Src Ports	The source ports of the event.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Log Source Type	The log source type associated with the event.
Device OU	Device's OU path in Active Directory
First Name	First Name
Username	The username of the account who logged in.
Detection URL	URL of the ExtraHop Reveal(x) detection
Affected Users
Usernames	The username in the event.
Source Urgency	Source Urgency
Resource ID
Policy Description
Dest	Destination
Resource Type
sAMAccountName	User sAMAAccountName
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Source Create time
File Hash
Leadership
Tool Usage Found
SHA512	SHA512
Similar incidents Dbot
Destination Geolocation	The destination geolocation of the event.
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Risk Name
Protocols
Attack Mode	Attack mode as received from the integration JSON
Description	The description of the incident
IncomingMirrorError
External Category Name
Dsts	The destination values.
Detected External Hosts	Detected external hosts
EmailCampaignSnippets
Sensor Name
SKU Name
Domain Updated Date
Users Details
External Sub Category Name
CMD line
External End Time
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Source Status
Job Family	Job Family
IP Blocked Status
Surname	Surname
User SID
Account Name	Account Name
MITRE Technique Name
Post Nat Destination Port	The destination port after NAT.
Mobile Device Model
SKU TIER
Resource URL
Location Region	Location Region
Status Reason
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Destination MAC Address	The destination MAC address in an event.
Account ID
Event Type	Event Type
Events	The events associated with the offense.
Alert Source
Application Id	Application Id
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Tags
Pre Nat Source Port	The source port before NAT.
String Similarity Results
Device MAC Address
Campaign Name
Policy ID
Device Local IP	Device Local IP
Src NT Domain	Source NT Domain
User Agent
SHA1	SHA1
Event Descriptions	The description of the event name.
Process Name
Mobile Phone
Technical Owner	The technical owner of the asset.
Ticket Number
Pre Nat Source IP	The source IP before NAT.
Email Sent Successfully	Whether the email has been successfully sent.
Internal Addresses
App
Display Name	Display Name
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Parent Process Path
Process Names
Tactic
Rating
similarIncidents
CVE ID
Source Id
Last Update Time
Comment	The comments related with the incident
Policy Actions
Source Username	The username that was the source of the attack.
Close Time	The closing time.
Command Line	Command Line
Closing User	The closing user.
Vulnerable Product
Alert Type ID
Tactic ID
High Risky Users
Source Hostname	The hostname that performed the port scan.
Last Name	Last Name
Subtype	Subtype
Destination Networks
Closing Reason	The closing reason
Alert Action	Alert action as received from the integration JSON
Alert ID	Alert ID as received from the integration JSON
User Block Status
Alert Malicious	Whether the alert is malicious.
Source IPs	The source IPs of the event.
Risk Score
Src Hostname	Source hostname
Parent CMD line
File Size	File Size
External Last Updated Time
Destination IPs	The destination IPs of the event.
CVE Published
Ticket Acknowledged Date
Source Created By
Device Username	The username of the user that owns the device
Given Name	Given Name
Affected Hosts
User Id	User Id
Suspicious Executions
Domain Registrar Abuse Email

Incident Types

Name	Description
Vulnerability
Simulation
UnknownBinary
Policy Violation
Authentication
Defacement
Lateral Movement
Hunt
Exploit
DoS
Exfiltration
Reconnaissance
C2Communication
Job
Network
Indicator Feed

Indicator Fields

Name	Description
Signature Algorithm
Validity Not Before	Specifies the date on which the certificate validity period begins.
Office365Required
Resource Level
Reports
File Extension
Admin Name
DNS
Behavior
Assigned user
Domain Status
CVE Description
Geo Location
Work Phone
Samples
STIX Malware Types
Job Function
Community Notes
Groups
imphash
CVSS Vector
Name
Associations	Known associations to other pieces of Threat Data.
Short Description
Tool Types
Manager Name	Manager Name
Is Processed
Operating System Version
Implementation Languages
Mitre ID
Domain Referring IPs
Admin Email
Processor
Department	Department
STIX Primary Motivation.
Cost Center Code
Domain Referring Subnets
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Personal Email
Registrar Name
Report type
Registrar Abuse Address
Blocked
Subject
Location
Country Name
Rank	Used to display rank from different sources
Registrant Country
First Seen By Source	The first time the indicator was seen by the source vendor.
Subject DN	Subject Distinguished Name
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Subject Alternative Names
Category
MD5
Signature Copyright
Serial Number
Signed
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Zip Code
Organizational Unit (OU)
SHA512
Registrar Abuse Email
Positive Detections	Number of engines that positively detected the indicator as malicious
Registrant Email
Certificates
Device Model
BIOS Version
STIX Threat Actor Types
Is Malware Family
STIX Goals
Job Code	Job Code
Registrant Name
Mitre Tactics
Country Code
Issuer DN	Issuer Distinguished Name
Country Code Number
Email Address
Processors
Service	The specific service of a feed integration from which an indicator was ingested.
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
CVSS
STIX Tool Types
Vulnerabilities
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Malware types
Sophistication
Updated Date
STIX Is Malware Family
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Public Key
Architecture
Query Language
File Type
Username
Report Object References	A list of STIX IDs referenced in the report.
Signature File Version
Targets
City	City
Acquisition Hire	Whether the employee is an acquisition hire.
Detection Engines	Total number of engines that checked the indicator
Leadership
Applications
Title	Title
Org Level 2
Infrastructure Types
CVSS Table
Secondary Motivations
Region
Certificate Names
Tags
Version
Registrant Phone
Vulnerable Products
Display Name
X.509 v3 Extensions
STIX Description
Commands
Subdomains
Entry ID
Download URL
AS Owner
Account Type
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Cost Center
Certificate Signature
Domain IDN Name
Roles
Whois Records
Organization Prevalence	The number of times the indicator is detected in the organization.
Admin Country
CVE Modified
Street Address
Registrar Abuse Country
Product
Operating System Refs
Expiration Date
Location Region
DNS Records
Associated File Names
CVSS Score
STIX Sophistication
Tool Version
Registrar Abuse Phone
Org Unit
Description
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Name Servers
Organization Type
Given Name	Given Name
CVSS3
Capabilities
Paths
Number of subkeys
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Detections
Geo Country
Office365Category
Hostname
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
SSDeep
Org Level 1
Signature Description
Extension
Quarantined	Whether the indicator is quarantined or isolated
Published
Office365ExpressRoute
Actor
Goals
STIX Resource Level
MAC Address
Aliases	Alternative names used to identify this object
Port
SWID	Specifies the Software Identification (SWID) tags entry for the software
IP Address
Memory
Action
DHCP Server
Domain Name
Campaign
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Organization
Assigned role
ASN
STIX Tool Version
Issuer
State
STIX Roles
User ID
STIX Secondary Motivations
Validity Not After	Specifies the date on which the certificate validity period ends.
Force Sync	Whether to force user synchronization.
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Definition
PEM	Certificate in PEM format.
Vendor
Feed Related Indicators
Source Original Severity	The original score/severity provided by the source without DBot translation.
Organization First Seen	Date and time when the indicator was first seen in the organization.
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Mobile Phone
SHA1
Author
Threat Actor Types
Creation Date
SHA256
OS Version
Publications
Global Prevalence	The number of times the indicator is detected across all organizations.
Signature Internal Name
Size
Registrar Abuse Name
Path
Signature Original Name
Admin Phone
STIX Aliases	Alternative names used to identify this object
Email
Primary Motivation
Certificate Validation Checks
Indicator Identification
Operating System
Confidence
Name Field
Objective
Internal
Org Level 3
Source Priority
Malware Family
Signature Authentihash
Manager Email Address
Registrar Abuse Network
Surname	Surname
CVSS Version
Job Family
Key Value
Domains

Layouts

Name	Description
Tool Indicator	Tool Indicator Layout
Mutex	Mutex indicator layout
ASN	ASN Indicator Layout
Email Indicator	Email Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
File Indicator	File Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Domain Indicator	Domain Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Account Indicator	Account Indicator Layout
Identity	Identity indicator layout
Tactic Layout	Tactic Indicator Layout
CVE Indicator	CVE Indicator Layout
Host Indicator	Host indicator layout
URL Indicator	URL Indicator Layout
IP Indicator	IP Indicator Layout
Vulnerability Incident
Report	Report Indicator Layout
Location	Location indicator layout
Course of Action	Course of Action Indicator Layout
Threat Actor	Threat Actor Indicator Layout
X509 Certificate	CVE Indicator Layout
Malware Indicator	Malware Indicator Layout
Intrusion Set	Intrusion Set Layout
Campaign	Campaign Indicator Layout
Indicator Feed Incident
Software	Software Indicator Layout

Indicator Types

Name	Description
Malware
CVE
Host
Mutex
Identity
Tool
ASN
Threat Actor
File SHA-1
Domain
URL
Email
Intrusion Set
Onion Address
Infrastructure
Attack Pattern
File
Tactic
X509 Certificate
Campaign
Report
IPv6
File SHA-256
File MD5
IP
DomainGlob
Location
ssdeep
CIDR
Software
Account
Registry Key
Course of Action
IPv6CIDR

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Reporter Email Address	The email address of the user who reported the email.
Cloud Account ID
Tactic
Department	Department
Affected Hosts
Policy Description
Approver	The person who approved or needs to approve the request.
Device Internal IPs
External Severity
First Seen
Raw Event	The unparsed event data.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
External Last Updated Time
Country Code
SHA512	SHA512
Location Region	Location Region
Additional Data
Additional Indicators
Parent Process IDs
Classification	Incident Classification
EmailCampaignSummary
Asset Name
Group ID
Operation Name
Source Id
Mobile Phone
External Category ID
Resource Name
Objective
Agent Version	Reporting Agent/Sensor Version
Cloud Resource List
Source Category
Suspicious Executions
Password Changed Date
Password Reset Successfully	Whether the password has been successfully reset.
Domain Registrar Abuse Email
Category Count	The number of categories that are associated with the offense.
Technical User	The technical user of the asset.
Pre Nat Destination Port	The destination port before NAT.
Technical Owner Contact	The contact details for the technical owner.
Application Path
Parent Process SHA256
Blocked Action	Blocked Action
Policy Severity
Process ID
Post Nat Destination Port	The destination port after NAT.
OutgoingMirrorError
Detected Endpoints
Risk Score
Item Owner
Title	Title
Last Seen
SKU TIER
Domain Name
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Detected Internal Hosts	Detected internal hosts
SHA1	SHA1
Related Campaign
sAMAccountName	User sAMAAccountName
Custom Query Results
Source Priority
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Approval Status	The status for the approval of the request.
Number of similar files
Is Active	Alert status
Device OU	Device's OU path in Active Directory
Original Alert Name	Alert name as received from the integration JSON
Country Code Number
Triggered Security Profile	Triggered Security Profile
Source External IPs
Email	Primary Email Address
Tactic ID
State	State
File Access Date
Escalation
MITRE Tactic ID
Log Source	Log Source
User Block Status
Zip Code	Zip Code
Account Status
Source Status
List Of Rules - Event	The list of rules associated to an event.
Triage SLA	The time it took to investigate and enrich incident information.
External End Time
Timezone
Policy URI
Process Creation Time
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
External Status
Tools
Ticket Acknowledged Date
Post Nat Destination IP	The destination IP address after NAT.
Tool Usage Found
Org Unit
Campaign Name
Acquisition Hire
ASN
Detected External IPs	Detected external IPs
Vendor Product
Endpoints Details
App message
Vulnerability Category
Region ID
MITRE Technique ID
Agents ID
Vendor ID
Process Names
Source Geolocation	The source geolocation of the event.
Account Member Of
Parent Process CMD
First Name	First Name
Phone Number	Phone number
External Link
Resource Type
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Risk Name
Policy Deleted
Policy Remediable
Org Level 3
Isolated	Isolated
Technique
Process CMD
Email Sent Successfully	Whether the email has been successfully sent.
External Confidence
Display Name	Display Name
Org Level 1
Original Alert Source
External System ID
Cloud Region List
File Creation Date
Registry Value Type
Scenario
User Groups
Endpoint Isolation Status
Tenant Name	Tenant Name
External Start Time
Number Of Log Sources	The number of log sources related to the offense.
Protocol names
OS Type	OS Type
Event ID	Event ID
Work Phone
SSDeep
Parent Process File Path
Technique ID
Cost Center	Cost Center
Device Model	Device Model
Registry Value
Job Code	Job Code
Attack Mode	Attack mode as received from the integration JSON
File SHA1
IncomingMirrorError
Parent Process Path
Detection ID
External Sub Category ID
File Relationships
Related Alerts
Employee Display Name	The display name of the employee.
End Time	The time when the offense ended.
Vulnerable Product
Last Update Time
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Device Hash	Device Hash
Alert Type ID
Dsts	The destination values.
Event Names	The event name (translated QID ) in the event.
Last Modified By
Policy ID
Related Report
Assigned User	Assigned User
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Internal Addresses
Device Time	The time from the original logging device when the event occurred.
Post Nat Source Port	The source port after NAT.
Cloud Service
Subtype	Subtype
Policy Actions
Sub Category	The sub category
Destination Geolocation	The destination geolocation of the event.
Sensor IP
Employee Manager Email	The email address of the employee's manager.
UUID	UUID as received from the integration JSON
Original Events	The events associated with the offense.
CVE ID
Compliance Notes	Notes regarding the assets compliance.
Referenced Resource ID
URLs
IP Blocked Status
Number Of Found Related Alerts	Medium or Higher Severity Alerts
CVE
Street Address
User Engagement Response
Rating
User SID
High Risky Hosts
IP Reputation
Rendered HTML	The HTML content in a rendered form.
File Hash
Verification Status	The status of the user verification.
Closing Reason	The closing reason
Related Endpoints
Closing User	The closing user.
Employee Email	The email address of the employee.
Log Source Type	The log source type associated with the event.
Location	Location
Birthday	Person's Birthday
Team name
Status Reason
Original Description	The description of the incident
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Src OS	Src OS
Start Time	The time when the offense started.
Alert Action	Alert action as received from the integration JSON
Job Family	Job Family
Cost Center Code	Cost Center Code
Additional Email Addresses
Surname	Surname
Selected Indicators	Includes the indicators selected by the user.
Source Networks
similarIncidents
Policy Type
Parent Process MD5
Audit Logs
Incident Link
EmailCampaignMutualIndicators
External Sub Category Name
Event Descriptions	The description of the event name.
Detection End Time
Project ID
Traffic Direction	The direction of the traffic in the event.
String Similarity Results
CVE Published
Unique Ports
Log Source Name	The log source name associated with the event.
Error Code
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Low Level Categories Events	The low level category of the event.
Last Name	Last Name
Pre Nat Source Port	The source port before NAT.
Number of Related Incidents
Command Line Verdict
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Full Name	Person's Full Name
Device OS Version
Registration Email
Process SHA256
Given Name	Given Name
Device External IPs
Post Nat Source IP	The source IP address after NAT.
User Anomaly Count
Source Urgency	Source Urgency
Region
Personal Email
Job Function	Job Function
Cloud Instance ID	Cloud Instance ID
Source Updated by
Asset ID
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Changed	The user who changed this incident
RemovedFromCampaigns
Device Status
City
EmailCampaignSnippets
User Id	User Id
Pre Nat Source IP	The source IP before NAT.
userAccountControl	userAccountControl
High Risky Users
Alert Malicious	Whether the alert is malicious.
Device Name	Device Name
MITRE Tactic Name
Alert Rules
Domain Updated Date
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Report Name
Duration
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Registry Hive
Last Modified On
Source Created By
Block Indicators Status
Item Owner Email
Source Create time
Ticket Closed Date
OS	The operating system.
Comment	The comments related with the incident
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Caller
Risk Rating
Device Id	Device Id
Verification Method	The method used to verify the user.
Attack Patterns
MITRE Technique Name
Suspicious Executions Found
Detection URL	URL of the ExtraHop Reveal(x) detection
Rule Name	The name of a YARA rule
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Ticket Number
Referenced Resource Name
Device OS Name
Investigation Stage	The stage of the investigation.
Bugtraq
Error Message	The error message that contains details about the error that occurred.
Use Case Description
Parent Process Name
CVSS
ASN Name
Alert tags
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Containment SLA	The time it took to contain the incident.
Dest OS	Destination OS
Destination Networks
Affected Users
Manager Email Address
Device MAC Address
Manager Name	Manager Name
Leadership
Resource URL
Registry Key
Destination IPV6	The destination IPV6 address.
Policy Recommendation
Assignment Group
Verdict
Identity Type
Org Level 2
Policy Details
Hunt Results Count
SKU Name
EmailCampaignCanvas
User Creation Time
Close Time	The closing time.
External Category Name
Follow Up	True if marked for follow up.
Signature
Exposure Level
Users Details
Mobile Device Model
Process Paths
app channel name
Technical Owner	The technical owner of the asset.
Account ID
File Size	File Size
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Similar incidents Dbot
Original Alert ID	Alert ID as received from the integration JSON
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Process MD5

Incident Types

Name	Description
Hunt
Vulnerability
Exploit
Job
Authentication
C2Communication
Exfiltration
Indicator Feed
Policy Violation
UnknownBinary
Simulation
Network
DoS
Reconnaissance
Lateral Movement
Defacement

Indicator Fields

Name	Description
Leadership
Expiration Date
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Cost Center Code
PEM	Certificate in PEM format.
Quarantined	Whether the indicator is quarantined or isolated
File Type
Malware types
Domains
Memory
Secondary Motivations
Mitre ID
STIX Secondary Motivations
Creation Date
CVSS3
Applications
Given Name	Given Name
DNS
Campaign
STIX Is Malware Family
Signed
Force Sync	Whether to force user synchronization.
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Cost Center
Title	Title
Geo Location
MD5
IP Address
Public Key
STIX Description
Signature File Version
Certificate Validation Checks
Report Object References	A list of STIX IDs referenced in the report.
Operating System Version
Associated File Names
Sophistication
Job Function
Organizational Unit (OU)
Signature Authentihash
Vulnerabilities
Registrar Name
Registrant Name
Admin Country
STIX Aliases	Alternative names used to identify this object
Is Processed
Vulnerable Products
OS Version
Personal Email
SHA256
Targets
STIX Goals
Org Level 1
First Seen By Source	The first time the indicator was seen by the source vendor.
Vendor
Username
Version
Entry ID
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Country Code Number
Indicator Identification
Blocked
BIOS Version
Org Level 3
Operating System Refs
Detection Engines	Total number of engines that checked the indicator
Product
Community Notes
File Extension
Processor
Objective
Whois Records
Mitre Tactics
DHCP Server
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Zip Code
Office365Category
Name
Registrar Abuse Name
Registrar Abuse Country
Definition
Action
CVSS Score
imphash
Org Level 2
Source Priority
Surname	Surname
STIX Resource Level
Resource Level
Issuer
Manager Name	Manager Name
STIX Roles
Paths
Registrar Abuse Network
Admin Email
Domain Status
CVSS Vector
Is Malware Family
Tool Version
Manager Email Address
Organization Type
Domain IDN Name
Subject Alternative Names
Short Description
Organization First Seen	Date and time when the indicator was first seen in the organization.
SWID	Specifies the Software Identification (SWID) tags entry for the software
Subject
Account Type
Threat Actor Types
Author
Organization Prevalence	The number of times the indicator is detected in the organization.
CVSS Table
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Positive Detections	Number of engines that positively detected the indicator as malicious
Confidence
Operating System
Subject DN	Subject Distinguished Name
Primary Motivation
Rank	Used to display rank from different sources
Commands
Architecture
Updated Date
AS Owner
Global Prevalence	The number of times the indicator is detected across all organizations.
STIX Malware Types
Associations	Known associations to other pieces of Threat Data.
Aliases	Alternative names used to identify this object
Infrastructure Types
Certificate Names
Domain Referring Subnets
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Location Region
Implementation Languages
STIX Tool Version
Name Servers
Assigned role
Signature Original Name
Office365Required
Tool Types
DNS Records
Admin Name
Geo Country
Roles
Domain Referring IPs
Country Code
Admin Phone
Port
Hostname
Country Name
Work Phone
Serial Number
City	City
Region
CVSS
Domain Name
STIX Threat Actor Types
Description
Street Address
Location
Display Name
Signature Internal Name
Query Language
Organization
Number of subkeys
Registrar Abuse Phone
Subdomains
ASN
Certificate Signature
Detections
Extension
Key Value
STIX Primary Motivation.
Job Family
CVE Description
Name Field
Acquisition Hire	Whether the employee is an acquisition hire.
Job Code	Job Code
Email
Mobile Phone
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
CVSS Version
Samples
Device Model
State
Malware Family
Published
Department	Department
Download URL
Registrar Abuse Address
X.509 v3 Extensions
Email Address
Reports
Groups
Registrar Abuse Email
Behavior
Issuer DN	Issuer Distinguished Name
Internal
Signature Algorithm
CVE Modified
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Registrant Phone
Validity Not After	Specifies the date on which the certificate validity period ends.
Source Original Severity	The original score/severity provided by the source without DBot translation.
SHA512
Signature Description
Service	The specific service of a feed integration from which an indicator was ingested.
Assigned user
Feed Related Indicators
STIX Sophistication
Certificates
Actor
Goals
Org Unit
User ID
Office365ExpressRoute
Path
Registrant Email
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Tags
SSDeep
Category
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Signature Copyright
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Registrant Country
STIX Tool Types
Size
Processors
Capabilities
Validity Not Before	Specifies the date on which the certificate validity period begins.
SHA1
Publications
Report type

Layoutrule

Name	Description
Indicator Feed Layout Rule
Vulnerability Layout Rule

Layouts

Name	Description
Vulnerability Incident
CVE Indicator	CVE Indicator Layout
Intrusion Set	Intrusion Set Layout
Infrastructure	Infrastructure Indicator Layout
Host Indicator	Host indicator layout
Mutex	Mutex indicator layout
Identity	Identity indicator layout
Registry Key Indicator	Registry Key Indicator Layout
Email Indicator	Email Indicator Layout
Domain Indicator	Domain Indicator Layout
Campaign	Campaign Indicator Layout
Malware Indicator	Malware Indicator Layout
Account Indicator	Account Indicator Layout
ASN	ASN Indicator Layout
Threat Actor	Threat Actor Indicator Layout
URL Indicator	URL Indicator Layout
IP Indicator	IP Indicator Layout
Location	Location indicator layout
Tool Indicator	Tool Indicator Layout
X509 Certificate	CVE Indicator Layout
Report	Report Indicator Layout
File Indicator	File Indicator Layout
Tactic Layout	Tactic Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Course of Action	Course of Action Indicator Layout
Indicator Feed Incident
Software	Software Indicator Layout

Indicator Types

Name	Description
Campaign
Malware
Threat Actor
DomainGlob
Location
File SHA-1
Identity
File
Software
File SHA-256
Tool
CIDR
Report
Attack Pattern
URL
Course of Action
X509 Certificate
Registry Key
IPv6
Account
CVE
ssdeep
IPv6CIDR
Tactic
Host
File MD5
Infrastructure
Email
Mutex
ASN
Intrusion Set
Onion Address
IP
Domain

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (59)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
Trellix Email Security - Cloud	By: Cortex XSOAR
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GravityZone	By: Bitdefender
Akamai GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (4)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

3.10.10 - 8801294 (May 6, 2026)

Layouts

URL Indicator
Updated Add tags and Remove tags in the URL Indicator layout to use a pipe (|) delimiter.

Related pull requests:
- 44206

Download

3.10.9 - 8727847 (May 4, 2026)

Indicator Types

IPv6
Fixed an issue where IPv6 indicators with a trailing :: (for example, aaaa:9999:1111:ffff::) were not extracted.

Related pull requests:
- 44112

Download

3.10.8 - 8382811 (April 20, 2026)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

3.10.7 - 8288718 (April 15, 2026)

Indicator Types

Domain
Fixed an issue where false-positive domain indicators were extracted.

Related pull requests:
- 43856

Download

3.10.6 - 8227525 (April 13, 2026)

Incident Fields

Last Update Time
Updated the Last Update Time incident field to support the CrowdStrike Falcon Intelligence Recon incident type.

Related pull requests:
- 42097
- 41869

Download

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7389211 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920594 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.10.10 - 8801294 (May 6, 2026)

Layouts

URL Indicator
Updated Add tags and Remove tags in the URL Indicator layout to use a pipe (|) delimiter.

Related pull requests:
- 44206

Download

3.10.9 - 8727847 (May 4, 2026)

Indicator Types

IPv6
Fixed an issue where IPv6 indicators with a trailing :: (for example, aaaa:9999:1111:ffff::) were not extracted.

Related pull requests:
- 44112

Download

3.10.8 - 8382811 (April 20, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

3.10.7 - 8288718 (April 15, 2026)

Indicator Types

Domain
Fixed an issue where false-positive domain indicators were extracted.

Related pull requests:
- 43856

Download

3.10.6 - 8227525 (April 13, 2026)

Incident Fields

Last Update Time
Updated the Last Update Time incident field to support the CrowdStrike Falcon Intelligence Recon incident type.

Related pull requests:
- 42097
- 41869

Download

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7379405 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920581 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	May 6, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Mandiant Automated Defense (Formerly Respond Software)

VMware Carbon Black Endpoint Standard (Deprecated)

Palo Alto Networks - Prisma Cloud Compute

Palo Alto Networks Cortex XDR - Investigation and Response

Symantec Data Loss Prevention (Deprecated)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.