Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provide you with the most commonly used incident & indicator fields and types.
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
External ID | |
MITRE Technique ID | |
Location Region | Location Region |
Rule Name | The name of a YARA rule |
Tools | |
User SID | |
Alert Source | |
Incident Link | |
Tags | |
High Level Categories | The high level categories in the events. |
External Category Name | |
Last Name | Last Name |
Hunt Results Count | |
Alert ID | Alert ID as received from the integration JSON |
Threat Family Name | Threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion\Fraud\Espionage |
File MD5 | |
Log Source Type | The log source type associated with the event. |
Application Name | Application Name |
Pre Nat Source Port | The source port before NAT. |
User Block Status | |
URLs | |
Source Id | |
Tactic ID | |
Device External IP | Device External IP |
Is Active | Alert status |
Srcs | The source values. |
Detected Endpoints | |
Employee Manager Email | The email address of the employee's manager. |
Process Path | |
Account ID | |
External Start Time | |
Containment SLA | The time it took to contain the incident. |
External Addresses | |
Surname | Surname |
Process CMD | |
Detected External Hosts | Detected external hosts |
EmailCampaignSummary | |
External Confidence | |
Parent Process | |
Agents ID | |
Source Create time | |
Error Code | |
Threat Hunting Detected IP | |
Destination Network | |
EmailCampaignSnippets | |
MITRE Tactic ID | |
Cloud Region List | |
Process Creation Time | |
Team name | |
Report Name | |
Agent ID | Agent ID |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Attack Mode | Attack mode as received from the integration JSON |
Registration Email | |
Source Username | The username that was the source of the attack. |
Command Line | Command Line |
Device Time | The time from the original logging device when the event occurred. |
SHA1 | SHA1 |
Org Level 1 | |
Source IP | The IP Address that the user initially logged in from. |
EmailCampaignCanvas | |
Device OU | Device's OU path in Active Directory |
Verdict | |
Region ID | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
MITRE Tactic Name | |
User Risk Level | |
Source Status | |
Timezone | |
Sensor IP | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Event Names | The event name (translated QID) in the event. |
File Creation Date | |
IP Blocked Status | |
Job Code | Job Code |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Dsts | The destination values. |
Acquisition Hire | |
Related Campaign | |
State | State |
SSDeep | |
Protocol | Protocol |
Policy ID | |
External Last Updated Time | |
Src NT Domain | Source NT Domain |
Investigation Stage | The stage of the investigation. |
Parent Process IDs | |
MAC Address | MAC Address |
Dst Ports | The destination ports of the event. |
Blocked Action | Blocked Action |
Reporter Email Address | The email address of the user who reported the email. |
Tenant Name | Tenant Name |
Operation Name | |
Scenario | |
Policy Actions | |
External Status | |
Affected Users | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Unique Ports | |
Risk Rating | |
Country Code | |
Cloud Resource List | |
CVE | |
PID | PID |
Destination Networks | |
Last Update Time | |
RemovedFromCampaigns | |
Source Network | |
Location | Location |
Suspicious Executions | |
Source MAC Address | The source MAC address in an event. |
Mobile Device Model | |
File SHA1 | |
Source Updated by | |
Post Nat Source Port | The source port after NAT. |
Status Reason | |
Display Name | Display Name |
Device Status | |
File Size | File Size |
OS Version | OS Version |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Account Member Of | |
Post Nat Destination Port | The destination port after NAT. |
Source Hostname | The hostname that performed the port scan. |
Device Id | Device Id |
Src User | Source User |
Technique ID | |
Destination IP | The IP address the impossible traveler logged in to. |
EmailCampaignMutualIndicators | |
Tool Usage Found | |
CVE Published | |
Escalation | |
Manager Name | Manager Name |
Endpoint | |
Technical Owner Contact | The contact details for the technical owner. |
Leadership | |
Error Message | The error message that contains details about the error that occurred. |
Sub Category | The sub category |
Changed | The user who changed this incident |
Country Code Number | |
User Agent | |
Policy Type | |
Related Alerts | |
Usernames | The username in the event. |
userAccountControl | userAccountControl |
Risk Score | |
File Path | |
Process SHA256 | |
Parent Process File Path | |
Additional Email Addresses | |
Dest | Destination |
Registry Value Type | |
CVE ID | |
Campaign Name | |
Policy URI | |
Primary Email Address | |
Pre Nat Source IP | The source IP before NAT. |
Policy Details | |
Post Nat Destination IP | The destination IP address after NAT. |
Detected User | |
CMD line | |
Destination Port | The destination port used. |
City | |
Follow Up | True if marked for follow up. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Device Name | Device Name |
Parent Process CMD | |
Rating | |
Email Sent Successfully | Whether the email has been successfully sent. |
Approval Status | The status for the approval of the request. |
Device Model | Device Model |
Full Name | Person's Full Name |
Endpoints Details | |
Detected Users | Detected users |
Region | |
Last Modified By | |
Macro Source Code | If a Microsoft Office file such as docm, xlsm, or pptm contains a macro, this field holds the macro's source code. |
Source Port | The source port that was used |
Vendor Product | |
UUID | UUID as received from the integration JSON |
File Relationships | |
Log Source Name | The log source name associated with the event. |
Child Process | |
Detected Internal IPs | Detected internal IPs |
Application Path | |
Raw Event | The unparsed event data. |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Number of Related Incidents | |
Policy Recommendation | |
Source IPV6 | The source IPV6 address. |
Verification Method | The method used to verify the user. |
Detection Update Time | |
Alert Attack Time | |
Use Case Description | |
Number of similar files | |
Endpoint Isolation Status | |
Comment | The comments related to the incident |
Cost Center | Cost Center |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Pre Nat Destination Port | The destination port before NAT. |
Dest Hostname | Destination hostname |
Referenced Resource Name | |
Parent CMD line | |
Isolated | Isolated |
Block Indicators Status | |
String Similarity Results | |
Event Descriptions | The description of the event name. |
Identity Type | |
Protocol - Event | The network protocol in the event. |
Resource Name | |
Description | The description of the incident |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Sensor Name | |
Src Ports | The source ports of the event. |
Device Username | The username of the user that owns the device |
Dest OS | Destination OS |
Source IPs | The source IPs of the event. |
Low Level Categories Events | The low level category of the event. |
Account Name | Account Name |
Log Source | Log Source |
Detected IPs | |
Parent Process MD5 | |
Cloud Operation Type | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Approver | The person who approved or needs to approve the request. |
Last Seen | |
Closing Reason | The closing reason |
External Sub Category ID | |
Domain Name | |
First Seen | |
Title | Title |
Close Time | The closing time. |
File SHA256 | |
High Risky Users | |
Destination Hostname | Destination hostname |
Resource URL | |
Registry Hive | |
Protocols | |
Org Unit | |
Phone Number | Phone number |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Exposure Level | |
Tactic | |
Dest NT Domain | Destination NT Domain |
Registry Key | |
Password Reset Successfully | Whether the password has been successfully reset. |
Suspicious Executions Found | |
Vulnerable Product | |
MD5 | MD5 |
Zip Code | Zip Code |
Work Phone | |
Additional Indicators | |
Alert Rules | |
External Category ID | |
File Paths | |
Traffic Direction | The direction of the traffic in the event. |
External End Time | |
Alert URL | Alert URL as received from the integration JSON |
Command Line Verdict | |
Project ID | |
App message | |
ASN Name | |
Affected Hosts | |
Similar incidents Dbot | |
Destination IPV6 | The destination IPV6 address. |
List Of Rules - Event | The list of rules associated with an event. |
Source Created By | |
CMD | |
OutgoingMirrorError | |
Asset ID | |
File Name | |
Internal Addresses | |
Domain Registrar Abuse Email | |
SHA512 | SHA512 |
Number Of Log Sources | The number of log sources related to the offense. |
Resource Type | |
Detected Internal Hosts | Detected internal hosts |
Cloud Service | |
Device Local IP | Device Local IP |
Alert Name | Alert name as received from the integration JSON |
Destination MAC Address | The destination MAC address in an event. |
Additional Data | |
Device External IPs | |
Assigned User | Assigned User |
SHA256 | SHA256 |
Triage SLA | The time it took to investigate and enrich incident information. |
Duration | |
First Name | First Name |
MITRE Technique Name | |
Related Report | |
Agent Version | Reporting Agent/Sensor Version |
Compliance Notes | Notes regarding the asset's compliance. |
Personal Email | |
Events | The events associated with the offense. |
Post Nat Source IP | The source IP address after NAT. |
Source Urgency | Source Urgency |
Device Internal IPs | |
Resource ID | |
Given Name | Given Name |
Risk Name | |
Employee Email | The email address of the employee. |
Technical Owner | The technical owner of the asset. |
User Id | User Id |
File Hash | |
Bugtraq | |
Group ID | |
File Names | |
Detected External IPs | Detected external IPs |
Custom Query Results | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Item Owner Email | |
Destination IPs | The destination IPs of the event. |
Country Name | Country Name |
Device OS Version | |
Process MD5 | |
Appliance ID | Appliance ID as received from the integration JSON |
Rendered HTML | The HTML content in a rendered form. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
External Link | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
User Groups | |
DNS Name | The DNS name of the asset. |
Alert tags | |
Alert Malicious | Whether the alert is malicious. |
Technique | |
Objective | |
Source Category | |
Src | Source |
Department | Department |
Registry Value | |
Item Owner | |
Device Hash | Device Hash |
Start Time | The time when the offense started. |
Parent Process Path | |
Threat Hunting Detected Hostnames | |
similarIncidents | |
OS | The operating system. |
Employee Display Name | The display name of the employee. |
SKU Name | |
Policy Deleted | |
Hostnames | The hostname in the event. |
Destination Geolocation | The destination geolocation of the event. |
Account Status | |
Triggered Security Profile | Triggered Security Profile |
App | |
Process Names | |
Verification Status | The status of the user verification. |
Appliance Name | Appliance name as received from the integration JSON |
Event Type | Event Type |
Birthday | Person's Birthday |
Detection ID | |
Signature | |
Domain Updated Date | |
Category Count | The number of categories that are associated with the offense. |
Job Function | Job Function |
Process Name | |
File Access Date | |
Ticket Closed Date | |
Password Changed Date | |
Vulnerability Category | |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Assignment Group | |
sAMAccountName | User sAMAccountName |
End Time | The time when the offense ended. |
Ticket Number | |
Job Family | Job Family |
Caller | |
Referenced Resource ID | |
Attack Patterns | |
Src Hostname | Source hostname |
Technical User | The technical user of the asset. |
ASN | |
Event ID | Event ID |
External Severity | |
Users | |
Source Priority | |
Mobile Phone | |
Org Level 2 | |
Alert Type ID | |
Process Paths | |
Application Id | Application Id |
Device OS Name | |
Ticket Acknowledged Date | |
User Engagement Response | |
Detection End Time | |
CVSS | |
Policy Description | |
Cloud Instance ID | Cloud Instance ID |
Street Address | |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
External System ID | |
Manager Email Address | |
Vendor ID | |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Related Endpoints | |
IncomingMirrorError | |
Policy Severity | |
Org Level 3 | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Alert Action | Alert action as received from the integration JSON |
Src OS | Src OS |
External Sub Category Name | |
app channel name | |
Selected Indicators | Includes the indicators selected by the user. |
Number Of Found Related Alerts | The number of related alerts of medium or higher severity |
Source Networks | |
Cost Center Code | Cost Center Code |
Asset Name | |
Parent Process SHA256 | |
Username | The username of the account who logged in. |
Last Modified On | |
User Creation Time | |
OS Type | OS Type |
Country | The country from which the user logged in. |
Source Geolocation | The source geolocation of the event. |
User Anomaly Count | |
Categories | The categories for the incident. |
Audit Logs | |
Parent Process Name | |
Threat Name | The threat name, such as malware, exploit, or phishing |
High Risky Hosts | |
Classification | Incident Classification |
Cloud Account ID | |
Users Details | |
Protocol names | |
Source External IPs | |
Closing User | The closing user. |
IP Reputation | |
Policy Remediable | |
SKU TIER | |
Process ID | |
Alert Category | The category of the alert |
Device MAC Address | |
Ticket Opened Date | |
Subtype | Subtype |
Name | Description |
---|---|
DoS | |
Simulation | |
Network | |
Authentication | |
Indicator Feed | |
Hunt | |
Policy Violation | |
Exploit | |
Vulnerability | |
Exfiltration | |
UnknownBinary | |
Reconnaissance | |
Job | |
Lateral Movement | |
C2Communication | |
Defacement | |
Name | Description |
---|---|
Organization Prevalence | The number of times the indicator is detected in the organization. |
AS Owner | |
Location | |
IP Address | |
Subject | |
Operating System | |
CVSS Table | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Domain IDN Name | |
Org Unit | |
Certificate Names | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
STIX Description | |
Infrastructure Types | |
Source Priority | |
Geo Country | |
Zip Code | |
Goals | |
Aliases | Alternative names used to identify this object |
Behavior | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Port | |
STIX Aliases | Alternative names used to identify this object |
Display Name | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Whois Records | |
Memory | |
Confidence | |
Cost Center | |
STIX Is Malware Family | |
Geo Location | |
User ID | |
Name | |
Subdomains | |
Processor | |
Implementation Languages | |
Work Phone | |
Tool Types | |
Community Notes | |
Updated Date | |
Registrar Abuse Email | |
Signature File Version | |
City | City |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
SSDeep | |
Name Field | |
Country Code | |
Registrar Abuse Phone | |
Commands | |
Registrar Abuse Country | |
Short Description | |
OS Version | |
Signature Copyright | |
Issuer DN | Issuer Distinguished Name |
Version | |
Registrar Abuse Network | |
Signature Description | |
Is Malware Family | |
Extension | |
DNS Records | |
Job Code | Job Code |
Domain Status | |
Samples | |
Mitre Tactics | |
Job Function | |
Architecture | |
Secondary Motivations | |
Processors | |
Description | |
Report type | |
Public Key | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Tool Version | |
STIX Threat Actor Types | |
Device Model | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
ASN | |
Service | The specific service of a feed integration from which an indicator was ingested. |
STIX Secondary Motivations | |
STIX Resource Level | |
Actor | |
Domain Referring Subnets | |
Category | |
Feed Related Indicators | |
Surname | Surname |
Org Level 3 | |
Department | Department |
Applications | |
Associations | Known associations to other pieces of Threat Data. |
Country Code Number | |
File Type | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Organizational Unit (OU) | |
Author | |
Threat Actor Types | |
Key Value | |
Publications | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Office365Required | |
Product | |
STIX Tool Version | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Email Address | |
Registrant Name | |
CVE Description | |
Expiration Date | |
Operating System Refs | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Campaign | |
Certificate Validation Checks | |
Admin Country | |
Internal | |
Given Name | Given Name |
Admin Email | |
Domain Referring IPs | |
Mobile Phone | |
Office365ExpressRoute | |
Hostname | |
Certificates | |
Account Type | |
Registrar Abuse Address | |
Reports | |
Force Sync | Whether to force user synchronization. |
Leadership | |
DHCP Server | |
Personal Email | |
Malware Family | |
CVSS3 | |
Targets | |
Published | |
CVSS Score | |
CVE Modified | |
Issuer | |
Street Address | |
Action | |
Name Servers | |
Definition | |
Org Level 1 | |
Region | |
Registrant Country | |
Signed | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Malware types | |
Signature Algorithm | |
STIX Primary Motivation | |
STIX Roles | |
Signature Authentihash | |
SHA512 | |
CVSS | |
Groups | |
Report Object References | A list of STIX IDs referenced in the report. |
Country Name | |
Number of subkeys | |
Indicator Identification | |
Associated File Names | |
CVSS Version | |
Registrar Name | |
Organization Type | |
SHA256 | |
imphash | |
Objective | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Is Processed | |
Manager Name | Manager Name |
State | |
Query Language | |
Subject Alternative Names | |
PEM | Certificate in PEM format. |
BIOS Version | |
Entry ID | |
Sophistication | |
Office365Category | |
Tags | |
Path | |
Organization | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Vulnerabilities | |
Domain Name | |
Subject DN | Subject Distinguished Name |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Serial Number | |
Signature Internal Name | |
Registrant Phone | |
Username | |
Assigned role | |
Vulnerable Products | |
DNS | |
STIX Sophistication | |
SHA1 | |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Org Level 2 | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Vendor | |
Domains | |
File Extension | |
Primary Motivation | |
Capabilities | |
Rank | Used to display rank from different sources |
Registrant Email | |
Admin Name | |
Job Family | |
Mitre ID | |
CVSS Vector | |
Title | Title |
Resource Level | |
Operating System Version | |
Signature Original Name | |
Size | |
Detections | |
Cost Center Code | |
Quarantined | Whether the indicator is quarantined or isolated |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Download URL | |
MD5 | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
STIX Malware Types | |
Admin Phone | |
Detection Engines | Total number of engines that checked the indicator |
Certificate Signature | |
MAC Address | |
Creation Date | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way |
Registrar Abuse Name | |
STIX Goals | |
Roles | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
X.509 v3 Extensions | |
Manager Email Address | |
Blocked | |
STIX Tool Types | |
Paths | |
Assigned user | |
Location Region | |
Name | Description |
---|---|
Domain Indicator | Domain Indicator Layout |
URL Indicator | URL Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Host Indicator | Host indicator layout |
Report | Report Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Course of Action | Course of Action Indicator Layout |
Campaign | Campaign Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
IP Indicator | IP Indicator Layout |
Identity | Identity indicator layout |
Software | Software Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
ASN | ASN Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Location | Location indicator layout |
Attack Pattern | Attack Pattern Indicator Layout |
Email Indicator | Email Indicator Layout |
Account Indicator | Account Indicator Layout |
Malware Indicator | Malware Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Vulnerability Incident | |
File Indicator | File Indicator Layout |
Indicator Feed Incident | |
Tool Indicator | Tool Indicator Layout |
Mutex | Mutex indicator layout |
Name | Description |
---|---|
Tactic | |
Mutex | |
Onion Address | |
IPv6 | |
File | |
Tool | |
Domain | |
Location | |
CVE | |
Attack Pattern | |
File SHA-256 | |
Account | |
Malware | |
CIDR | |
DomainGlob | |
Software | |
ssdeep | |
ASN | |
Infrastructure | |
Registry Key | |
URL | |
Course of Action | |
Report | |
Identity | |
File SHA-1 | |
Threat Actor | |
Host | |
Campaign | |
File MD5 | |
Intrusion Set | |
IPv6CIDR | |
X509 Certificate | |
IP | |
Name | Description |
---|---|
Bugtraq | |
Classification | Incident Classification |
Region | |
Investigation Stage | The stage of the investigation. |
External Severity | |
Scenario | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Tactic ID | |
Technique ID | |
Registry Key | |
Policy Recommendation | |
External Last Updated Time | |
IP Reputation | |
Source Id | |
Technical Owner | The technical owner of the asset. |
Resource URL | |
Follow Up | True if marked for follow up. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
EmailCampaignMutualIndicators | |
User Creation Time | |
Technical User | The technical user of the asset. |
Source Geolocation | The source geolocation of the event. |
Risk Score | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Source Status | |
Number of Related Incidents | |
Alert Action | Alert action as received from the integration JSON |
External Category Name | |
Source Updated by | |
High Risky Hosts | |
OS Type | OS Type |
Parent Process Name | |
Resource Name | |
Verification Status | The status of the user verification. |
CVE Published | |
Acquisition Hire | |
Source External IPs | |
Assignment Group | |
Signature | |
Pre Nat Destination Port | The destination port before NAT. |
Exposure Level | |
Triggered Security Profile | Triggered Security Profile |
ASN | |
Rating | |
Department | Department |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Application Path | |
Employee Email | The email address of the employee. |
Technique | |
Item Owner Email | |
Affected Hosts | |
Policy URI | |
Compliance Notes | Notes regarding the asset's compliance. |
Detection End Time | |
Registry Value | |
Category Count | The number of categories that are associated with the offense. |
External Confidence | |
Objective | |
similarIncidents | |
Ticket Closed Date | |
Street Address | |
Device External IPs | |
Status Reason | |
Block Indicators Status | |
CVE ID | |
Related Report | |
High Risky Users | |
Location | Location |
Endpoints Details | |
File Size | File Size |
Tactic | |
Rule Name | The name of a YARA rule |
Zip Code | Zip Code |
Referenced Resource ID | |
Employee Display Name | The display name of the employee. |
Last Modified By | |
IP Blocked Status | |
OS | The operating system. |
Policy Deleted | |
Custom Query Results | |
Use Case Description | |
MITRE Technique Name | |
First Name | First Name |
Comment | The comments related to the incident |
Source Urgency | Source Urgency |
Related Campaign | |
First Seen | |
Src OS | Src OS |
Cost Center | Cost Center |
userAccountControl | userAccountControl |
EmailCampaignSnippets | |
Org Level 1 | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
Device Name | Device Name |
Similar incidents Dbot | |
State | State |
OutgoingMirrorError | |
File Access Date | |
Device Model | Device Model |
Domain Updated Date | |
Destination Networks | |
Operation Name | |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Process Creation Time | |
Close Time | The closing time. |
Destination IPV6 | The destination IPV6 address. |
Original Alert Name | Alert name as received from the integration JSON |
Referenced Resource Name | |
Campaign Name | |
Agent Version | Reporting Agent/Sensor Version |
Threat Name | The threat name, such as malware, exploit, or phishing |
Last Name | Last Name |
Changed | The user who changed this incident |
Agents ID | |
String Similarity Results | |
Cost Center Code | Cost Center Code |
Number Of Log Sources | The number of log sources related to the offense. |
Job Function | Job Function |
Region ID | |
Source Category | |
Registry Value Type | |
Policy Type | |
EmailCampaignSummary | |
Additional Data | |
Email Sent Successfully | Whether the email has been successfully sent. |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Pre Nat Source IP | The source IP before NAT. |
Source Priority | |
Domain Registrar Abuse Email | |
Attack Patterns | |
sAMAccountName | User sAMAccountName |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Event Names | The event name (translated QID) in the event. |
IncomingMirrorError | |
Approval Status | The status for the approval of the request. |
Device OS Version | |
Log Source | Log Source |
MITRE Tactic ID | |
Item Owner | |
Mobile Phone | |
Vulnerable Product | |
Post Nat Destination IP | The destination IP address after NAT. |
Post Nat Source Port | The source port after NAT. |
Job Code | Job Code |
Attack Mode | Attack mode as received from the integration JSON |
Closing Reason | The closing reason |
SHA1 | SHA1 |
Device Id | Device Id |
Last Update Time | |
Org Level 2 | |
Manager Name | Manager Name |
Cloud Region List | |
Command Line Verdict | |
Raw Event | The unparsed event data. |
Isolated | Isolated |
External Category ID | |
Additional Email Addresses | |
Error Message | The error message that contains details about the error that occurred. |
Country Code | |
Surname | Surname |
Alert tags | |
Device Internal IPs | |
Process Paths | |
Vendor ID | |
ASN Name | |
Parent Process Path | |
Approver | The person who approved or needs to approve the request. |
Device MAC Address | |
Policy Remediable | |
Timezone | |
Cloud Instance ID | Cloud Instance ID |
Internal Addresses | |
Containment SLA | The time it took to contain the incident. |
Full Name | Person's Full Name |
Additional Indicators | |
SSDeep | |
Device OS Name | |
External Link | |
Is Active | Alert status |
Org Level 3 | |
Error Code | |
Log Source Type | The log source type associated with the event. |
Verdict | |
Traffic Direction | The direction of the traffic in the event. |
App message | |
Identity Type | |
SKU TIER | |
Ticket Acknowledged Date | |
Primary Email Address | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
SHA512 | SHA512 |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
External Sub Category ID | |
Account ID | |
City | |
Selected Indicators | Includes the indicators selected by the user. |
Title | Title |
Registry Hive | |
User Anomaly Count | |
User Groups | |
Policy ID | |
Mobile Device Model | |
Device Hash | Device Hash |
File Relationships | |
Parent Process CMD | |
Team name | |
Policy Actions | |
Alert Malicious | Whether the alert is malicious. |
Low Level Categories Events | The low level category of the event. |
Cloud Service | |
Phone Number | Phone number |
Sub Category | The sub category |
SKU Name | |
Start Time | The time when the offense started. |
Cloud Account ID | |
Reporter Email Address | The email address of the user who reported the email. |
Suspicious Executions | |
Tenant Name | Tenant Name |
Parent Process MD5 | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Parent Process SHA256 | |
app channel name | |
Job Family | Job Family |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Asset Name | |
Subtype | Subtype |
RemovedFromCampaigns | |
UUID | UUID as received from the integration JSON |
File Creation Date | |
Original Alert Source | |
Device Status | |
CVSS | |
Employee Manager Email | The email address of the employee's manager. |
Original Alert ID | Alert ID as received from the integration JSON |
Destination Geolocation | The destination geolocation of the event. |
EmailCampaignCanvas | |
Macro Source Code | If a Microsoft Office file such as docm, xlsm, or pptm contains a macro, this field holds the macro's source code. |
Event Descriptions | The description of the event name. |
Sensor IP | |
Post Nat Source IP | The source IP address after NAT. |
Policy Description | |
User SID | |
URLs | |
Password Changed Date | |
Detection ID | |
Endpoint Isolation Status | |
User Engagement Response | |
Work Phone | |
External Start Time | |
Tools | |
Assigned User | Assigned User |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Technical Owner Contact | The contact details for the technical owner. |
Domain Name | |
Threat Family Name | Threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage |
Related Alerts | |
File SHA1 | |
Cloud Resource List | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Unique Ports | |
Duration | |
Event ID | Event ID |
Report Name | |
Ticket Number | |
Pre Nat Source Port | The source port before NAT. |
Triage SLA | The time it took to investigate and enrich incident information. |
Post Nat Destination Port | The destination port after NAT. |
Source Networks | |
Birthday | Person's Birthday |
User Id | User Id |
Registration Email | |
Policy Severity | |
Related Endpoints | |
Log Source Name | The log source name associated with the event. |
Org Unit | |
Parent Process File Path | |
External Status | |
Process ID | |
MITRE Technique ID | |
Vulnerability Category | |
MITRE Tactic Name | |
End Time | The time when the offense ended. |
Last Seen | |
Source Created By | |
Original Events | The events associated with the offense. |
Number Of Found Related Alerts | The number of related alerts found with medium or higher severity. |
User Block Status | |
Device OU | Device's OU path in Active Directory |
Manager Email Address | |
Project ID | |
Affected Users | |
Hunt Results Count | |
Display Name | Display Name |
Verification Method | The method used to verify the user. |
Protocol names | |
Audit Logs | |
Process SHA256 | |
Suspicious Executions Found | |
Risk Name | |
Original Description | The description of the incident |
CVE | |
Detected Internal Hosts | Detected internal hosts |
Caller | |
Last Modified On | |
Personal Email | |
Dsts | The destination values. |
Process Names | |
List Of Rules - Event | The list of rules associated to an event. |
Resource Type | |
Account Member Of | |
Process MD5 | |
Process CMD | |
External End Time | |
Closing User | The closing user. |
Escalation | |
Asset ID | |
Detected Endpoints | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Alert Type ID | |
Password Reset Successfully | Whether the password has been successfully reset. |
External System ID | |
Incident Link | |
Alert Rules | |
File Hash | |
Device Time | The time from the original logging device when the event occurred. |
Rendered HTML | The HTML content in a rendered form. |
Parent Process IDs | |
Number of similar files | |
Group ID | |
Risk Rating | |
Vendor Product | |
Blocked Action | Blocked Action |
Location Region | Location Region |
Given Name | Given Name |
Country Code Number | |
Policy Details | |
Users Details | |
Dest OS | Destination OS |
External Sub Category Name | |
Tool Usage Found | |
Detected External IPs | Detected external IPs |
Account Status | |
Source Create time | |
Leadership | |
Name | Description |
---|---|
Hunt | |
Reconnaissance | |
UnknownBinary | |
Exfiltration | |
Indicator Feed | |
Job | |
DoS | |
Vulnerability | |
C2Communication | |
Lateral Movement | |
Authentication | |
Exploit | |
Network | |
Defacement | |
Simulation | |
Policy Violation | |
Name | Description |
---|---|
STIX Secondary Motivations | |
Internal | |
Indicator Identification | |
Signature Internal Name | |
Signature Authentihash | |
Geo Country | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Processor | |
MD5 | |
Issuer DN | Issuer Distinguished Name |
Org Level 2 | |
Office365Required | |
Architecture | |
Given Name | Given Name |
Display Name | |
Is Malware Family | |
Category | |
Surname | Surname |
STIX Resource Level | |
STIX Tool Types | |
Aliases | Alternative names used to identify this object |
STIX Aliases | Alternative names used to identify this object |
Size | |
File Extension | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
DNS | |
Vendor | |
STIX Roles | |
Domain Referring IPs | |
CVSS Score | |
Organizational Unit (OU) | |
Registrar Abuse Country | |
Personal Email | |
Admin Phone | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Registrant Email | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Rank | Used to display rank from different sources |
Behavior | |
Org Level 3 | |
Report type | |
Number of subkeys | |
Malware types | |
Commands | |
Account Type | |
Key Value | |
Registrar Name | |
CVSS Table | |
Author | |
Username | |
Region | |
Paths | |
Mitre ID | |
CVSS Vector | |
Org Unit | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Name Field | |
STIX Goals | |
Secondary Motivations | |
Operating System Refs | |
Subject | |
Quarantined | Whether the indicator is quarantined or isolated |
Reports | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Detection Engines | Total number of engines that checked the indicator |
Primary Motivation | |
Query Language | |
CVSS Version | |
ASN | |
Domain Name | |
STIX Primary Motivation | |
Tool Types | |
Signature Algorithm | |
Name Servers | |
Actor | |
Registrant Country | |
Source Priority | |
Org Level 1 | |
Office365ExpressRoute | |
Processors | |
Vulnerable Products | |
Manager Name | Manager Name |
Subject DN | Subject Distinguished Name |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Assigned role | |
X.509 v3 Extensions | |
Hostname | |
Certificate Names | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Geo Location | |
Associations | Known associations to other pieces of Threat Data. |
CVSS | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Cost Center Code | |
Signed | |
Device Model | |
Admin Name | |
Sophistication | |
Country Code | |
Entry ID | |
Serial Number | |
Roles | |
Organization Type | |
Targets | |
Implementation Languages | |
Subdomains | |
Tool Version | |
Description | |
Issuer | |
Creation Date | |
City | City |
Mitre Tactics | |
Associated File Names | |
SHA512 | |
Force Sync | Whether to force user synchronization. |
Campaign | |
Certificates | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Signature Copyright | |
Detections | |
Expiration Date | |
Certificate Validation Checks | |
Domain Status | |
Product | |
Registrar Abuse Phone | |
Download URL | |
File Type | |
Acquisition Hire | Whether the employee is an acquisition hire. |
STIX Malware Types | |
Street Address | |
State | |
Publications | |
DNS Records | |
Feed Related Indicators | |
Email Address | |
Location | |
Tags | |
Report Object References | A list of STIX IDs referenced in the report. |
Registrar Abuse Address | |
CVSS3 | |
Resource Level | |
Assigned user | |
STIX Description | |
STIX Sophistication | |
Capabilities | |
Organization | |
Blocked | |
Registrar Abuse Network | |
Community Notes | |
Mobile Phone | |
Title | Title |
Operating System | |
Zip Code | |
Subject Alternative Names | |
Is Processed | |
Registrar Abuse Name | |
BIOS Version | |
Samples | |
Country Name | |
OS Version | |
Signature File Version | |
Job Family | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
STIX Tool Version | |
IP Address | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Infrastructure Types | |
Registrar Abuse Email | |
Confidence | |
Threat Actor Types | |
SSDeep | |
Action | |
AS Owner | |
Manager Email Address | |
Operating System Version | |
Path | |
Office365Category | |
Objective | |
SHA1 | |
Country Code Number | |
Applications | |
Name | |
Domain Referring Subnets | |
Extension | |
Groups | |
Public Key | |
Memory | |
Vulnerabilities | |
Department | Department |
Job Function | |
User ID | |
Port | |
Goals | |
PEM | Certificate in PEM format. |
imphash | |
Signature Original Name | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Short Description | |
Registrant Phone | |
Registrant Name | |
SHA256 | |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Updated Date | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Location Region | |
Domains | |
Certificate Signature | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
DHCP Server | |
Work Phone | |
Admin Email | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Cost Center | |
STIX Is Malware Family | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Domain IDN Name | |
Malware Family | |
Leadership | |
CVE Description | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
STIX Threat Actor Types | |
Admin Country | |
Definition | |
Whois Records | |
Job Code | Job Code |
CVE Modified | |
Published | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Version | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Signature Description | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Name | Description |
---|---|
Indicator Feed Layout Rule | |
Vulnerability Layout Rule | |
Name | Description |
---|---|
X509 Certificate | X509 Certificate Indicator Layout |
Vulnerability Incident | |
Attack Pattern | Attack Pattern Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Account Indicator | Account Indicator Layout |
Host Indicator | Host indicator layout |
CVE Indicator | CVE Indicator Layout |
Report | Report Indicator Layout |
Mutex | Mutex indicator layout |
Registry Key Indicator | Registry Key Indicator Layout |
URL Indicator | URL Indicator Layout |
Campaign | Campaign Indicator Layout |
Domain Indicator | Domain Indicator Layout |
File Indicator | File Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Identity | Identity indicator layout |
Intrusion Set | Intrusion Set Layout |
Tool Indicator | Tool Indicator Layout |
Email Indicator | Email Indicator Layout |
Location | Location indicator layout |
ASN | ASN Indicator Layout |
IP Indicator | IP Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Software | Software Indicator Layout |
Indicator Feed Incident | |
Name | Description |
---|---|
ssdeep | |
Onion Address | |
Domain | |
IP | |
X509 Certificate | |
CIDR | |
Threat Actor | |
DomainGlob | |
Tool | |
Campaign | |
Attack Pattern | |
Mutex | |
Account | |
URL | |
File MD5 | |
File SHA-256 | |
Report | |
Location | |
Infrastructure | |
Registry Key | |
CVE | |
Tactic | |
IPv6CIDR | |
Course of Action | |
Software | |
Identity | |
File SHA-1 | |
Malware | |
Intrusion Set | |
Host | |
File | |
IPv6 | |
ASN | |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Common Scripts | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
imphash incident field.
Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Added new number field which represents the number of times the indicator is detected in the organization.
Added new number field which represents the number of times the indicator is detected across all organizations.
Added new date field which represents when the indicator was first seen in the organization.
Added new date field which represents when the indicator was last seen in the organization.
File
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | File.OrganizationPrevalence |
globalprevalence | File.GlobalPrevalence |
organizationfirstseen | File.OrganizationFirstSeen |
organizationlastseen | File.OrganizationLastSeen |
firstseenbysource | File.FirstSeenBySource |
lastseenbysource | File.LastSeenBySource |
Domain
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | Domain.OrganizationPrevalence |
globalprevalence | Domain.GlobalPrevalence |
organizationfirstseen | Domain.OrganizationFirstSeen |
organizationlastseen | Domain.OrganizationLastSeen |
firstseenbysource | Domain.FirstSeenBySource |
lastseenbysource | Domain.LastSeenBySource |
URL
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | URL.OrganizationPrevalence |
globalprevalence | URL.GlobalPrevalence |
organizationfirstseen | URL.OrganizationFirstSeen |
organizationlastseen | URL.OrganizationLastSeen |
firstseenbysource | URL.FirstSeenBySource |
lastseenbysource | URL.LastSeenBySource |
IP
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IP.OrganizationPrevalence |
globalprevalence | IP.GlobalPrevalence |
organizationfirstseen | IP.OrganizationFirstSeen |
organizationlastseen | IP.OrganizationLastSeen |
firstseenbysource | IP.FirstSeenBySource |
lastseenbysource | IP.LastSeenBySource |
IPv6
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IPv6.OrganizationPrevalence |
globalprevalence | IPv6.GlobalPrevalence |
organizationfirstseen | IPv6.OrganizationFirstSeen |
organizationlastseen | IPv6.OrganizationLastSeen |
firstseenbysource | IPv6.FirstSeenBySource |
lastseenbysource | IPv6.LastSeenBySource |
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
Certification | Certified | Read more |
Supported By | Cortex | |
Created | July 26, 2020 | |
Last Release | September 30, 2025 |