Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
External ID
MITRE Technique ID
Location Region	Location Region
Rule Name	The name of a YARA rule
Tools
User SID
Alert Source
Incident Link
Tags
High Level Categories	The high level categories in the events.
External Category Name
Last Name	Last Name
Hunt Results Count
Alert ID	Alert ID as received from the integration JSON
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
File MD5
Log Source Type	The log source type associated with the event.
Application Name	Application Name
Pre Nat Source Port	The source port before NAT.
User Block Status
URLs
Source Id
Tactic ID
Device External IP	Device External IP
Is Active	Alert status
Srcs	The source values.
Detected Endpoints
Employee Manager Email	The email address of the employee's manager.
Process Path
Account ID
External Start Time
Containment SLA	The time it took to contain the incident.
External Addresses
Surname	Surname
Process CMD
Detected External Hosts	Detected external hosts
EmailCampaignSummary
External Confidence
Parent Process
Agents ID
Source Create time
Error Code
Threat Hunting Detected IP
Destination Network
EmailCampaignSnippets
MITRE Tactic ID
Cloud Region List
Process Creation Time
Team name
Report Name
Agent ID	Agent ID
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Attack Mode	Attack mode as received from the integration JSON
Registration Email
Source Username	The username that was the source of the attack.
Command Line	Command Line
Device Time	The time from the original logging device when the event occurred.
SHA1	SHA1
Org Level 1
Source IP	The IP Address that the user initially logged in from.
EmailCampaignCanvas
Device OU	Device's OU path in Active Directory
Verdict
Region ID
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
MITRE Tactic Name
User Risk Level
Source Status
Timezone
Sensor IP
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Event Names	The event name (translated QID ) in the event.
File Creation Date
IP Blocked Status
Job Code	Job Code
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Dsts	The destination values.
Acquisition Hire
Related Campaign
State	State
SSDeep
Protocol	Protocol
Policy ID
External Last Updated Time
Src NT Domain	Source NT Domain
Investigation Stage	The stage of the investigation.
Parent Process IDs
MAC Address	MAC Address
Dst Ports	The destination ports of the event.
Blocked Action	Blocked Action
Reporter Email Address	The email address of the user who reported the email.
Tenant Name	Tenant Name
Operation Name
Scenario
Policy Actions
External Status
Affected Users
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Unique Ports
Risk Rating
Country Code
Cloud Resource List
CVE
PID	PID
Destination Networks
Last Update Time
RemovedFromCampaigns
Source Network
Location	Location
Suspicious Executions
Source MAC Address	The source MAC address in an event.
Mobile Device Model
File SHA1
Source Updated by
Post Nat Source Port	The source port after NAT.
Status Reason
Display Name	Display Name
Device Status
File Size	File Size
OS Version	OS Version
Detection URL	URL of the ExtraHop Reveal(x) detection
Account Member Of
Post Nat Destination Port	The destination port after NAT.
Source Hostname	The hostname that performed the port scan.
Device Id	Device Id
Src User	Source User
Technique ID
Destination IP	The IP address the impossible traveler logged in to.
EmailCampaignMutualIndicators
Tool Usage Found
CVE Published
Escalation
Manager Name	Manager Name
Endpoint
Technical Owner Contact	The contact details for the technical owner.
Leadership
Error Message	The error message that contains details about the error that occurred.
Sub Category	The sub category
Changed	The user who changed this incident
Country Code Number
User Agent
Policy Type
Related Alerts
Usernames	The username in the event.
userAccountControl	userAccountControl
Risk Score
File Path
Process SHA256
Parent Process File Path
Additional Email Addresses
Dest	Destination
Registry Value Type
CVE ID
Campaign Name
Policy URI
Email	Primary Email Address
Pre Nat Source IP	The source IP before NAT.
Policy Details
Post Nat Destination IP	The destination IP address after NAT.
Detected User
CMD line
Destination Port	The destination port used.
City
Follow Up	True if marked for follow up.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Device Name	Device Name
Parent Process CMD
Rating
Email Sent Successfully	Whether the email has been successfully sent.
Approval Status	The status for the approval of the request.
Device Model	Device Model
Full Name	Person's Full Name
Endpoints Details
Detected Users	Detected users
Region
Last Modified By
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Source Port	The source port that was used
Vendor Product
UUID	UUID as received from the integration JSON
File Relationships
Log Source Name	The log source name associated with the event.
Child Process
Detected Internal IPs	Detected internal IPs
Application Path
Raw Event	The unparsed event data.
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Number of Related Incidents
Policy Recommendation
Source IPV6	The source IPV6 address.
Verification Method	The method used to verify the user.
Detection Update Time
Alert Attack Time
Use Case Description
Number of similar files
Endpoint Isolation Status
Comment	The comments related with the incident
Cost Center	Cost Center
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Pre Nat Destination Port	The destination port before NAT.
Dest Hostname	Destination hostname
Referenced Resource Name
Parent CMD line
Isolated	Isolated
Block Indicators Status
String Similarity Results
Event Descriptions	The description of the event name.
Identity Type
Protocol - Event	The network protocol in the event.
Resource Name
Description	The description of the incident
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Sensor Name
Src Ports	The source ports of the event.
Device Username	The username of the user that owns the device
Dest OS	Destination OS
Source IPs	The source IPs of the event.
Low Level Categories Events	The low level category of the event.
Account Name	Account Name
Log Source	Log Source
Detected IPs
Parent Process MD5
Cloud Operation Type
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Approver	The person who approved or needs to approve the request.
Last Seen
Closing Reason	The closing reason
External Sub Category ID
Domain Name
First Seen
Title	Title
Close Time	The closing time.
File SHA256
High Risky Users
Destination Hostname	Destination hostname
Resource URL
Registry Hive
Protocols
Org Unit
Phone Number	Phone number
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Exposure Level
Tactic
Dest NT Domain	Destination NT Domain
Registry Key
Password Reset Successfully	Whether the password has been successfully reset.
Suspicious Executions Found
Vulnerable Product
MD5	MD5
Zip Code	Zip Code
Work Phone
Additional Indicators
Alert Rules
External Category ID
File Paths
Traffic Direction	The direction of the traffic in the event.
External End Time
Alert URL	Alert URL as received from the integration JSON
Command Line Verdict
Project ID
App message
ASN Name
Affected Hosts
Similar incidents Dbot
Destination IPV6	The destination IPV6 address.
List Of Rules - Event	The list of rules associated to an event.
Source Created By
CMD
OutgoingMirrorError
Asset ID
File Name
Internal Addresses
Domain Registrar Abuse Email
SHA512	SHA512
Number Of Log Sources	The number of log sources related to the offense.
Resource Type
Detected Internal Hosts	Detected internal hosts
Cloud Service
Device Local IP	Device Local IP
Alert Name	Alert name as received from the integration JSON
Destination MAC Address	The destination MAC address in an event.
Additional Data
Device External IPs
Assigned User	Assigned User
SHA256	SHA256
Triage SLA	The time it took to investigate and enrich incident information.
Duration
First Name	First Name
MITRE Technique Name
Related Report
Agent Version	Reporting Agent/Sensor Version
Compliance Notes	Notes regarding the assets compliance.
Personal Email
Events	The events associated with the offense.
Post Nat Source IP	The source IP address after NAT.
Source Urgency	Source Urgency
Device Internal IPs
Resource ID
Given Name	Given Name
Risk Name
Employee Email	The email address of the employee.
Technical Owner	The technical owner of the asset.
User Id	User Id
File Hash
Bugtraq
Group ID
File Names
Detected External IPs	Detected external IPs
Custom Query Results
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Item Owner Email
Destination IPs	The destination IPs of the event.
Country Name	Country Name
Device OS Version
Process MD5
Appliance ID	Appliance ID as received from the integration JSON
Rendered HTML	The HTML content in a rendered form.
Last Mirrored Time Stamp	The last time the incident was mirrored in.
External Link
CVSS Availability Requirement	The CVSS availability requirement for the asset.
User Groups
DNS Name	The DNS name of the asset.
Alert tags
Alert Malicious	Whether the alert is malicious.
Technique
Objective
Source Category
Src	Source
Department	Department
Registry Value
Item Owner
Device Hash	Device Hash
Start Time	The time when the offense started.
Parent Process Path
Threat Hunting Detected Hostnames
similarIncidents
OS	The operating system.
Employee Display Name	The display name of the employee.
SKU Name
Policy Deleted
Hostnames	The hostname in the event.
Destination Geolocation	The destination geolocation of the event.
Account Status
Triggered Security Profile	Triggered Security Profile
App
Process Names
Verification Status	The status of the user verification.
Appliance Name	Appliance name as received from the integration JSON
Event Type	Event Type
Birthday	Person's Birthday
Detection ID
Signature
Domain Updated Date
Category Count	The number of categories that are associated with the offense.
Job Function	Job Function
Process Name
File Access Date
Ticket Closed Date
Password Changed Date
Vulnerability Category
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Assignment Group
sAMAccountName	User sAMAAccountName
End Time	The time when the offense ended.
Ticket Number
Job Family	Job Family
Caller
Referenced Resource ID
Attack Patterns
Src Hostname	Source hostname
Technical User	The technical user of the asset.
ASN
Event ID	Event ID
External Severity
Users
Source Priority
Mobile Phone
Org Level 2
Alert Type ID
Process Paths
Application Id	Application Id
Device OS Name
Ticket Acknowledged Date
User Engagement Response
Detection End Time
CVSS
Policy Description
Cloud Instance ID	Cloud Instance ID
Street Address
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
External System ID
Manager Email Address
Vendor ID
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Related Endpoints
IncomingMirrorError
Policy Severity
Org Level 3
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Alert Action	Alert action as received from the integration JSON
Src OS	Src OS
External Sub Category Name
app channel name
Selected Indicators	Includes the indicators selected by the user.
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Source Networks
Cost Center Code	Cost Center Code
Asset Name
Parent Process SHA256
Username	The username of the account who logged in.
Last Modified On
User Creation Time
OS Type	OS Type
Country	The country from which the user logged in.
Source Geolocation	The source geolocation of the event.
User Anomaly Count
Categories	The categories for the incident.
Audit Logs
Parent Process Name
Threat Name	Define the threat name such as malware/exploit/phishing/etc
High Risky Hosts
Classification	Incident Classification
Cloud Account ID
Users Details
Protocol names
Source External IPs
Closing User	The closing user.
IP Reputation
Policy Remediable
SKU TIER
Process ID
Alert Category	The category of the alert
Device MAC Address
Ticket Opened Date
Subtype	Subtype

Incident Types

Name	Description
DoS
Simulation
Network
Authentication
Indicator Feed
Hunt
Policy Violation
Exploit
Vulnerability
Exfiltration
UnknownBinary
Reconnaissance
Job
Lateral Movement
C2Communication
Defacement

Indicator Fields

Name	Description
Organization Prevalence	The number of times the indicator is detected in the organization.
AS Owner
Location
IP Address
Subject
Operating System
CVSS Table
Validity Not Before	Specifies the date on which the certificate validity period begins.
Domain IDN Name
Org Unit
Certificate Names
Positive Detections	Number of engines that positively detected the indicator as malicious
STIX Description
Infrastructure Types
Source Priority
Geo Country
Zip Code
Goals
Aliases	Alternative names used to identify this object
Behavior
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Port
STIX Aliases	Alternative names used to identify this object
Display Name
SWID	Specifies the Software Identification (SWID) tags entry for the software
Whois Records
Memory
Confidence
Cost Center
STIX Is Malware Family
Geo Location
User ID
Name
Subdomains
Processor
Implementation Languages
Work Phone
Tool Types
Community Notes
Updated Date
Registrar Abuse Email
Signature File Version
City	City
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
SSDeep
Name Field
Country Code
Registrar Abuse Phone
Commands
Registrar Abuse Country
Short Description
OS Version
Signature Copyright
Issuer DN	Issuer Distinguished Name
Version
Registrar Abuse Network
Signature Description
Is Malware Family
Extension
DNS Records
Job Code	Job Code
Domain Status
Samples
Mitre Tactics
Job Function
Architecture
Email
Secondary Motivations
Processors
Description
Report type
Public Key
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Tool Version
STIX Threat Actor Types
Device Model
Global Prevalence	The number of times the indicator is detected across all organizations.
ASN
Service	The specific service of a feed integration from which an indicator was ingested.
STIX Secondary Motivations
STIX Resource Level
Actor
Domain Referring Subnets
Category
Feed Related Indicators
Surname	Surname
Org Level 3
Department	Department
Applications
Associations	Known associations to other pieces of Threat Data.
Country Code Number
File Type
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Organizational Unit (OU)
Author
Threat Actor Types
Key Value
Publications
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Office365Required
Product
STIX Tool Version
Acquisition Hire	Whether the employee is an acquisition hire.
Email Address
Registrant Name
CVE Description
Expiration Date
Operating System Refs
Organization First Seen	Date and time when the indicator was first seen in the organization.
Campaign
Certificate Validation Checks
Admin Country
Internal
Given Name	Given Name
Admin Email
Domain Referring IPs
Mobile Phone
Office365ExpressRoute
Hostname
Certificates
Account Type
Registrar Abuse Address
Reports
Force Sync	Whether to force user synchronization.
Leadership
DHCP Server
Personal Email
Malware Family
CVSS3
Targets
Published
CVSS Score
CVE Modified
Issuer
Street Address
Action
Name Servers
Definition
Org Level 1
Region
Registrant Country
Signed
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Malware types
Signature Algorithm
STIX Primary Motivation.
STIX Roles
Signature Authentihash
SHA512
CVSS
Groups
Report Object References	A list of STIX IDs referenced in the report.
Country Name
Number of subkeys
Indicator Identification
Associated File Names
CVSS Version
Registrar Name
Organization Type
SHA256
imphash
Objective
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Is Processed
Manager Name	Manager Name
State
Query Language
Subject Alternative Names
PEM	Certificate in PEM format.
BIOS Version
Entry ID
Sophistication
Office365Category
Tags
Path
Organization
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Vulnerabilities
Domain Name
Subject DN	Subject Distinguished Name
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Serial Number
Signature Internal Name
Registrant Phone
Username
Assigned role
Vulnerable Products
DNS
STIX Sophistication
SHA1
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
First Seen By Source	The first time the indicator was seen by the source vendor.
Org Level 2
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Vendor
Domains
File Extension
Primary Motivation
Capabilities
Rank	Used to display rank from different sources
Registrant Email
Admin Name
Job Family
Mitre ID
CVSS Vector
Title	Title
Resource Level
Operating System Version
Signature Original Name
Size
Detections
Cost Center Code
Quarantined	Whether the indicator is quarantined or isolated
Source Original Severity	The original score/severity provided by the source without DBot translation.
Download URL
MD5
Validity Not After	Specifies the date on which the certificate validity period ends.
STIX Malware Types
Admin Phone
Detection Engines	Total number of engines that checked the indicator
Certificate Signature
MAC Address
Creation Date
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Registrar Abuse Name
STIX Goals
Roles
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
X.509 v3 Extensions
Manager Email Address
Blocked
STIX Tool Types
Paths
Assigned user
Location Region

Layouts

Name	Description
Domain Indicator	Domain Indicator Layout
URL Indicator	URL Indicator Layout
CVE Indicator	CVE Indicator Layout
Host Indicator	Host indicator layout
Report	Report Indicator Layout
Intrusion Set	Intrusion Set Layout
Course of Action	Course of Action Indicator Layout
Campaign	Campaign Indicator Layout
Threat Actor	Threat Actor Indicator Layout
IP Indicator	IP Indicator Layout
Identity	Identity indicator layout
Software	Software Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Tactic Layout	Tactic Indicator Layout
ASN	ASN Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Location	Location indicator layout
Attack Pattern	Attack Pattern Indicator Layout
Email Indicator	Email Indicator Layout
Account Indicator	Account Indicator Layout
Malware Indicator	Malware Indicator Layout
X509 Certificate	CVE Indicator Layout
Vulnerability Incident
File Indicator	File Indicator Layout
Indicator Feed Incident
Tool Indicator	Tool Indicator Layout
Mutex	Mutex indicator layout

Indicator Types

Name	Description
Tactic
Mutex
Onion Address
IPv6
File
Tool
Domain
Location
CVE
Attack Pattern
File SHA-256
Account
Malware
CIDR
DomainGlob
Software
Email
ssdeep
ASN
Infrastructure
Registry Key
URL
Course of Action
Report
Identity
File SHA-1
Threat Actor
Host
Campaign
File MD5
Intrusion Set
IPv6CIDR
X509 Certificate
IP

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Bugtraq
Classification	Incident Classification
Region
Investigation Stage	The stage of the investigation.
External Severity
Scenario
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Tactic ID
Technique ID
Registry Key
Policy Recommendation
External Last Updated Time
IP Reputation
Source Id
Technical Owner	The technical owner of the asset.
Resource URL
Follow Up	True if marked for follow up.
Last Mirrored Time Stamp	The last time the incident was mirrored in.
EmailCampaignMutualIndicators
User Creation Time
Technical User	The technical user of the asset.
Source Geolocation	The source geolocation of the event.
Risk Score
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Source Status
Number of Related Incidents
Alert Action	Alert action as received from the integration JSON
External Category Name
Source Updated by
High Risky Hosts
OS Type	OS Type
Parent Process Name
Resource Name
Verification Status	The status of the user verification.
CVE Published
Acquisition Hire
Source External IPs
Assignment Group
Signature
Pre Nat Destination Port	The destination port before NAT.
Exposure Level
Triggered Security Profile	Triggered Security Profile
ASN
Rating
Department	Department
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Application Path
Employee Email	The email address of the employee.
Technique
Item Owner Email
Affected Hosts
Policy URI
Compliance Notes	Notes regarding the assets compliance.
Detection End Time
Registry Value
Category Count	The number of categories that are associated with the offense.
External Confidence
Objective
similarIncidents
Ticket Closed Date
Street Address
Device External IPs
Status Reason
Block Indicators Status
CVE ID
Related Report
High Risky Users
Location	Location
Endpoints Details
File Size	File Size
Tactic
Rule Name	The name of a YARA rule
Zip Code	Zip Code
Referenced Resource ID
Employee Display Name	The display name of the employee.
Last Modified By
IP Blocked Status
OS	The operating system.
Policy Deleted
Custom Query Results
Use Case Description
MITRE Technique Name
First Name	First Name
Comment	The comments related with the incident
Source Urgency	Source Urgency
Related Campaign
First Seen
Src OS	Src OS
Cost Center	Cost Center
userAccountControl	userAccountControl
EmailCampaignSnippets
Org Level 1
Detection URL	URL of the ExtraHop Reveal(x) detection
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Device Name	Device Name
Similar incidents Dbot
State	State
OutgoingMirrorError
File Access Date
Device Model	Device Model
Domain Updated Date
Destination Networks
Operation Name
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Process Creation Time
Close Time	The closing time.
Destination IPV6	The destination IPV6 address.
Original Alert Name	Alert name as received from the integration JSON
Referenced Resource Name
Campaign Name
Agent Version	Reporting Agent/Sensor Version
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Last Name	Last Name
Changed	The user who changed this incident
Agents ID
String Similarity Results
Cost Center Code	Cost Center Code
Number Of Log Sources	The number of log sources related to the offense.
Job Function	Job Function
Region ID
Source Category
Registry Value Type
Policy Type
EmailCampaignSummary
Additional Data
Email Sent Successfully	Whether the email has been successfully sent.
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Pre Nat Source IP	The source IP before NAT.
Source Priority
Domain Registrar Abuse Email
Attack Patterns
sAMAccountName	User sAMAAccountName
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Event Names	The event name (translated QID ) in the event.
IncomingMirrorError
Approval Status	The status for the approval of the request.
Device OS Version
Log Source	Log Source
MITRE Tactic ID
Item Owner
Mobile Phone
Vulnerable Product
Post Nat Destination IP	The destination IP address after NAT.
Post Nat Source Port	The source port after NAT.
Job Code	Job Code
Attack Mode	Attack mode as received from the integration JSON
Closing Reason	The closing reason
SHA1	SHA1
Device Id	Device Id
Last Update Time
Org Level 2
Manager Name	Manager Name
Cloud Region List
Command Line Verdict
Raw Event	The unparsed event data.
Isolated	Isolated
External Category ID
Additional Email Addresses
Error Message	The error message that contains details about the error that occurred.
Country Code
Surname	Surname
Alert tags
Device Internal IPs
Process Paths
Vendor ID
ASN Name
Parent Process Path
Approver	The person who approved or needs to approve the request.
Device MAC Address
Policy Remediable
Timezone
Cloud Instance ID	Cloud Instance ID
Internal Addresses
Containment SLA	The time it took to contain the incident.
Full Name	Person's Full Name
Additional Indicators
SSDeep
Device OS Name
External Link
Is Active	Alert status
Org Level 3
Error Code
Log Source Type	The log source type associated with the event.
Verdict
Traffic Direction	The direction of the traffic in the event.
App message
Identity Type
SKU TIER
Ticket Acknowledged Date
Email	Primary Email Address
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
SHA512	SHA512
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
External Sub Category ID
Account ID
City
Selected Indicators	Includes the indicators selected by the user.
Title	Title
Registry Hive
User Anomaly Count
User Groups
Policy ID
Mobile Device Model
Device Hash	Device Hash
File Relationships
Parent Process CMD
Team name
Policy Actions
Alert Malicious	Whether the alert is malicious.
Low Level Categories Events	The low level category of the event.
Cloud Service
Phone Number	Phone number
Sub Category	The sub category
SKU Name
Start Time	The time when the offense started.
Cloud Account ID
Reporter Email Address	The email address of the user who reported the email.
Suspicious Executions
Tenant Name	Tenant Name
Parent Process MD5
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Parent Process SHA256
app channel name
Job Family	Job Family
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Asset Name
Subtype	Subtype
RemovedFromCampaigns
UUID	UUID as received from the integration JSON
File Creation Date
Original Alert Source
Device Status
CVSS
Employee Manager Email	The email address of the employee's manager.
Original Alert ID	Alert ID as received from the integration JSON
Destination Geolocation	The destination geolocation of the event.
EmailCampaignCanvas
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Event Descriptions	The description of the event name.
Sensor IP
Post Nat Source IP	The source IP address after NAT.
Policy Description
User SID
URLs
Password Changed Date
Detection ID
Endpoint Isolation Status
User Engagement Response
Work Phone
External Start Time
Tools
Assigned User	Assigned User
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Technical Owner Contact	The contact details for the technical owner.
Domain Name
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Related Alerts
File SHA1
Cloud Resource List
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Unique Ports
Duration
Event ID	Event ID
Report Name
Ticket Number
Pre Nat Source Port	The source port before NAT.
Triage SLA	The time it took to investigate and enrich incident information.
Post Nat Destination Port	The destination port after NAT.
Source Networks
Birthday	Person's Birthday
User Id	User Id
Registration Email
Policy Severity
Related Endpoints
Log Source Name	The log source name associated with the event.
Org Unit
Parent Process File Path
External Status
Process ID
MITRE Technique ID
Vulnerability Category
MITRE Tactic Name
End Time	The time when the offense ended.
Last Seen
Source Created By
Original Events	The events associated with the offense.
Number Of Found Related Alerts	Medium or Higher Severity Alerts
User Block Status
Device OU	Device's OU path in Active Directory
Manager Email Address
Project ID
Affected Users
Hunt Results Count
Display Name	Display Name
Verification Method	The method used to verify the user.
Protocol names
Audit Logs
Process SHA256
Suspicious Executions Found
Risk Name
Original Description	The description of the incident
CVE
Detected Internal Hosts	Detected internal hosts
Caller
Last Modified On
Personal Email
Dsts	The destination values.
Process Names
List Of Rules - Event	The list of rules associated to an event.
Resource Type
Account Member Of
Process MD5
Process CMD
External End Time
Closing User	The closing user.
Escalation
Asset ID
Detected Endpoints
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Alert Type ID
Password Reset Successfully	Whether the password has been successfully reset.
External System ID
Incident Link
Alert Rules
File Hash
Device Time	The time from the original logging device when the event occurred.
Rendered HTML	The HTML content in a rendered form.
Parent Process IDs
Number of similar files
Group ID
Risk Rating
Vendor Product
Blocked Action	Blocked Action
Location Region	Location Region
Given Name	Given Name
Country Code Number
Policy Details
Users Details
Dest OS	Destination OS
External Sub Category Name
Tool Usage Found
Detected External IPs	Detected external IPs
Account Status
Source Create time
Leadership

Incident Types

Name	Description
Hunt
Reconnaissance
UnknownBinary
Exfiltration
Indicator Feed
Job
DoS
Vulnerability
C2Communication
Lateral Movement
Authentication
Exploit
Network
Defacement
Simulation
Policy Violation

Indicator Fields

Name	Description
STIX Secondary Motivations
Internal
Indicator Identification
Signature Internal Name
Signature Authentihash
Geo Country
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Processor
MD5
Issuer DN	Issuer Distinguished Name
Org Level 2
Office365Required
Architecture
Given Name	Given Name
Display Name
Is Malware Family
Category
Surname	Surname
STIX Resource Level
STIX Tool Types
Aliases	Alternative names used to identify this object
STIX Aliases	Alternative names used to identify this object
Size
File Extension
Global Prevalence	The number of times the indicator is detected across all organizations.
DNS
Vendor
STIX Roles
Domain Referring IPs
CVSS Score
Organizational Unit (OU)
Registrar Abuse Country
Personal Email
Admin Phone
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Source Original Severity	The original score/severity provided by the source without DBot translation.
Registrant Email
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Rank	Used to display rank from different sources
Behavior
Org Level 3
Report type
Number of subkeys
Malware types
Commands
Account Type
Key Value
Registrar Name
CVSS Table
Author
Username
Region
Paths
Mitre ID
CVSS Vector
Org Unit
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Name Field
STIX Goals
Secondary Motivations
Operating System Refs
Subject
Quarantined	Whether the indicator is quarantined or isolated
Reports
Organization Prevalence	The number of times the indicator is detected in the organization.
Detection Engines	Total number of engines that checked the indicator
Primary Motivation
Query Language
CVSS Version
ASN
Domain Name
STIX Primary Motivation.
Tool Types
Signature Algorithm
Name Servers
Actor
Registrant Country
Source Priority
Org Level 1
Office365ExpressRoute
Processors
Vulnerable Products
Manager Name	Manager Name
Subject DN	Subject Distinguished Name
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Assigned role
X.509 v3 Extensions
Hostname
Certificate Names
Validity Not After	Specifies the date on which the certificate validity period ends.
Geo Location
Associations	Known associations to other pieces of Threat Data.
CVSS
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Cost Center Code
Signed
Device Model
Admin Name
Sophistication
Country Code
Entry ID
Serial Number
Roles
Organization Type
Targets
Implementation Languages
Subdomains
Tool Version
Description
Issuer
Creation Date
City	City
Mitre Tactics
Associated File Names
SHA512
Force Sync	Whether to force user synchronization.
Campaign
Certificates
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Signature Copyright
Detections
Expiration Date
Certificate Validation Checks
Domain Status
Product
Registrar Abuse Phone
Download URL
File Type
Acquisition Hire	Whether the employee is an acquisition hire.
STIX Malware Types
Street Address
State
Publications
DNS Records
Feed Related Indicators
Email Address
Location
Tags
Report Object References	A list of STIX IDs referenced in the report.
Registrar Abuse Address
CVSS3
Resource Level
Assigned user
STIX Description
STIX Sophistication
Capabilities
Organization
Blocked
Registrar Abuse Network
Community Notes
Mobile Phone
Title	Title
Operating System
Zip Code
Subject Alternative Names
Is Processed
Registrar Abuse Name
BIOS Version
Samples
Country Name
OS Version
Signature File Version
Job Family
Validity Not Before	Specifies the date on which the certificate validity period begins.
STIX Tool Version
IP Address
SWID	Specifies the Software Identification (SWID) tags entry for the software
Infrastructure Types
Registrar Abuse Email
Confidence
Threat Actor Types
SSDeep
Action
AS Owner
Manager Email Address
Operating System Version
Path
Office365Category
Objective
SHA1
Country Code Number
Applications
Name
Domain Referring Subnets
Extension
Groups
Public Key
Memory
Vulnerabilities
Department	Department
Job Function
User ID
Port
Goals
PEM	Certificate in PEM format.
imphash
Signature Original Name
Service	The specific service of a feed integration from which an indicator was ingested.
Short Description
Registrant Phone
Registrant Name
SHA256
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Updated Date
Positive Detections	Number of engines that positively detected the indicator as malicious
Location Region
Domains
Certificate Signature
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
DHCP Server
Work Phone
Admin Email
First Seen By Source	The first time the indicator was seen by the source vendor.
Cost Center
STIX Is Malware Family
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Domain IDN Name
Malware Family
Leadership
CVE Description
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
STIX Threat Actor Types
Admin Country
Definition
Whois Records
Job Code	Job Code
CVE Modified
Published
Organization First Seen	Date and time when the indicator was first seen in the organization.
Version
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Email
Signature Description
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info

Layoutrule

Name	Description
Indicator Feed Layout Rule
Vulnerability Layout Rule

Layouts

Name	Description
X509 Certificate	CVE Indicator Layout
Vulnerability Incident
Attack Pattern	Attack Pattern Indicator Layout
Malware Indicator	Malware Indicator Layout
Account Indicator	Account Indicator Layout
Host Indicator	Host indicator layout
CVE Indicator	CVE Indicator Layout
Report	Report Indicator Layout
Mutex	Mutex indicator layout
Registry Key Indicator	Registry Key Indicator Layout
URL Indicator	URL Indicator Layout
Campaign	Campaign Indicator Layout
Domain Indicator	Domain Indicator Layout
File Indicator	File Indicator Layout
Course of Action	Course of Action Indicator Layout
Identity	Identity indicator layout
Intrusion Set	Intrusion Set Layout
Tool Indicator	Tool Indicator Layout
Email Indicator	Email Indicator Layout
Location	Location indicator layout
ASN	ASN Indicator Layout
IP Indicator	IP Indicator Layout
Tactic Layout	Tactic Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Software	Software Indicator Layout
Indicator Feed Incident

Indicator Types

Name	Description
ssdeep
Onion Address
Domain
IP
X509 Certificate
CIDR
Threat Actor
DomainGlob
Tool
Campaign
Email
Attack Pattern
Mutex
Account
URL
File MD5
File SHA-256
Report
Location
Infrastructure
Registry Key
CVE
Tactic
IPv6CIDR
Course of Action
Software
Identity
File SHA-1
Malware
Intrusion Set
Host
File
IPv6
ASN

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (57)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1900707 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1621428 (November 11, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field

Related pull requests:
- 36582

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	September 30, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.