Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
List Of Rules - Event	The list of rules associated to an event.
Number Of Log Sources	The number of log sources related to the offense.
Source Id
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Protocols
Detected External Hosts	Detected external hosts
User SID
File Relationships
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Account ID
Application Name	Application Name
Policy URI
Risk Name
Additional Indicators
Source External IPs
Isolated	Isolated
Display Name	Display Name
Policy Remediable
Sub Category	The sub category
Application Id	Application Id
Source Port	The source port that was used
Parent CMD line
Cloud Account ID
Triggered Security Profile	Triggered Security Profile
Rendered HTML	The HTML content in a rendered form.
Parent Process File Path
Cloud Service
Detection Update Time
Changed	The user who changed this incident
Vulnerable Product
Source Created By
Classification	Incident Classification
Subtype	Subtype
Log Source	Log Source
External End Time
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Category Count	The number of categories that are associated with the offense.
High Risky Hosts
Destination MAC Address	The destination MAC address in an event.
Cost Center Code	Cost Center Code
Related Endpoints
Process Creation Time
Source Username	The username that was the source of the attack.
User Creation Time
Pre Nat Destination Port	The destination port before NAT.
Source Category
Resource ID
Tactic
Rule Name	The name of a YARA rule
Related Campaign
Cost Center	Cost Center
Device OS Name
Device OS Version
Parent Process IDs
Dest NT Domain	Destination NT Domain
User Risk Level
Domain Updated Date
Device OU	Device's OU path in Active Directory
Account Member Of
Attack Patterns
Last Update Time
Device External IPs
Street Address
MITRE Technique ID
Source Updated by
Source Networks
Additional Data
Zip Code	Zip Code
Location Region	Location Region
Referenced Resource Name
High Level Categories	The high level categories in the events.
Technical Owner Contact	The contact details for the technical owner.
Cloud Operation Type
Event Type	Event Type
Process SHA256
CVSS Availability Requirement	The CVSS availability requirement for the asset.
External Category ID
Personal Email
Dest	Destination
RemovedFromCampaigns
Org Level 2
Incident Link
Job Family	Job Family
Related Alerts
Password Changed Date
OutgoingMirrorError
Source MAC Address	The source MAC address in an event.
Ticket Acknowledged Date
SHA1	SHA1
Follow Up	True if marked for follow up.
Custom Query Results
Device Internal IPs
File Size	File Size
Technique ID
Device External IP	Device External IP
Error Message	The error message that contains details about the error that occurred.
Verification Method	The method used to verify the user.
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
File MD5
Assignment Group
Given Name	Given Name
Child Process
User Anomaly Count
Mobile Device Model
Sensor Name
SSDeep
Alert ID	Alert ID as received from the integration JSON
Internal Addresses
Users Details
Reporter Email Address	The email address of the user who reported the email.
Src Hostname	Source hostname
Alert Rules
Post Nat Source Port	The source port after NAT.
Protocol - Event	The network protocol in the event.
Usernames	The username in the event.
Source IPs	The source IPs of the event.
Registry Value
Appliance ID	Appliance ID as received from the integration JSON
App
External Category Name
External Confidence
Endpoints Details
Parent Process SHA256
Group ID
Dest OS	Destination OS
Detection End Time
Dsts	The destination values.
Unique Ports
Process Names
Alert Source
External ID
Employee Display Name	The display name of the employee.
Vendor ID
MITRE Tactic ID
Comment	The comments related with the incident
Country Name	Country Name
DNS Name	The DNS name of the asset.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Threat Hunting Detected IP
Tags
CVE
Escalation
Suspicious Executions Found
Raw Event	The unparsed event data.
Events	The events associated with the offense.
Phone Number	Phone number
Event Names	The event name (translated QID ) in the event.
Vendor Product
File Paths
Process CMD
Src OS	Src OS
Destination Geolocation	The destination geolocation of the event.
Country	The country from which the user logged in.
Users
External Last Updated Time
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Sensor IP
Process ID
Registry Hive
External Severity
Detected Internal IPs	Detected internal IPs
Start Time	The time when the offense started.
Source Create time
MAC Address	MAC Address
Detected Internal Hosts	Detected internal hosts
Hunt Results Count
PID	PID
Application Path
App message
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Region ID
Objective
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Country Code
File Hash
Dst Ports	The destination ports of the event.
Block Indicators Status
Error Code
User Id	User Id
Detection ID
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Policy Description
Scenario
SHA256	SHA256
Source IPV6	The source IPV6 address.
OS Version	OS Version
Src	Source
Parent Process
Resource Type
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Asset ID
Parent Process MD5
Cloud Resource List
Org Level 1
Alert URL	Alert URL as received from the integration JSON
Exposure Level
Approval Status	The status for the approval of the request.
Number of Related Incidents
File Access Date
Approver	The person who approved or needs to approve the request.
Parent Process CMD
Surname	Surname
Affected Users
Closing Reason	The closing reason
Device Model	Device Model
Detection URL	URL of the ExtraHop Reveal(x) detection
EmailCampaignSummary
Policy Severity
Agent ID	Agent ID
Duration
Log Source Type	The log source type associated with the event.
Tools
IncomingMirrorError
Log Source Name	The log source name associated with the event.
Timezone
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Description	The description of the incident
CMD
External Sub Category Name
EmailCampaignCanvas
Event ID	Event ID
Mobile Phone
Account Status
CVE ID
Attack Mode	Attack mode as received from the integration JSON
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Assigned User	Assigned User
Destination IPV6	The destination IPV6 address.
Parent Process Path
Signature
High Risky Users
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Policy Deleted
External Status
OS Type	OS Type
External System ID
EmailCampaignMutualIndicators
Device Hash	Device Hash
Appliance Name	Appliance name as received from the integration JSON
OS	The operating system.
Post Nat Destination Port	The destination port after NAT.
File SHA256
Destination Port	The destination port used.
SHA512	SHA512
Tool Usage Found
Process MD5
Item Owner
Device Local IP	Device Local IP
State	State
Device Status
Password Reset Successfully	Whether the password has been successfully reset.
Technique
Src Ports	The source ports of the event.
Department	Department
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Registry Value Type
Policy Type
Source Priority
Source Urgency	Source Urgency
External Sub Category ID
Tactic ID
First Seen
SKU TIER
Title	Title
Username	The username of the account who logged in.
Detected External IPs	Detected external IPs
MD5	MD5
Bugtraq
SKU Name
Vulnerability Category
Last Name	Last Name
Command Line Verdict
Use Case Description
IP Blocked Status
Risk Score
ASN
Operation Name
Ticket Number
Detected IPs
Alert Malicious	Whether the alert is malicious.
Dest Hostname	Destination hostname
Verdict
Domain Name
Employee Manager Email	The email address of the employee's manager.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
First Name	First Name
Ticket Opened Date
Campaign Name
Account Name	Account Name
Parent Process Name
Device Name	Device Name
Post Nat Source IP	The source IP address after NAT.
Email	Primary Email Address
Pre Nat Source Port	The source port before NAT.
Process Path
Affected Hosts
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Closing User	The closing user.
Policy Recommendation
Destination Hostname	Destination hostname
Registration Email
Investigation Stage	The stage of the investigation.
Is Active	Alert status
Cloud Region List
Technical User	The technical user of the asset.
Alert Attack Time
Related Report
Destination IPs	The destination IPs of the event.
Birthday	Person's Birthday
String Similarity Results
Agent Version	Reporting Agent/Sensor Version
Risk Rating
Source IP	The IP Address that the user initially logged in from.
File Names
End Time	The time when the offense ended.
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Location	Location
Agents ID
Last Modified By
Org Level 3
External Addresses
Destination Networks
Threat Name	Define the threat name such as malware/exploit/phishing/etc
userAccountControl	userAccountControl
Selected Indicators	Includes the indicators selected by the user.
Blocked Action	Blocked Action
Item Owner Email
Policy Details
Asset Name
Employee Email	The email address of the employee.
Process Paths
External Start Time
Srcs	The source values.
IP Reputation
Leadership
Rating
City
Region
Low Level Categories Events	The low level category of the event.
File Name
Last Modified On
Containment SLA	The time it took to contain the incident.
Source Geolocation	The source geolocation of the event.
Verification Status	The status of the user verification.
Post Nat Destination IP	The destination IP address after NAT.
URLs
Country Code Number
Event Descriptions	The description of the event name.
Process Name
Tenant Name	Tenant Name
ASN Name
Source Hostname	The hostname that performed the port scan.
Threat Hunting Detected Hostnames
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Manager Email Address
Alert tags
Endpoint Isolation Status
Audit Logs
MITRE Technique Name
Suspicious Executions
Job Code	Job Code
Alert Name	Alert name as received from the integration JSON
Device MAC Address
File SHA1
Destination Network
Device Time	The time from the original logging device when the event occurred.
Org Unit
Categories	The categories for the incident.
Work Phone
Protocol names
Device Username	The username of the user that owns the device
Status Reason
Destination IP	The IP address the impossible traveler logged in to.
CMD line
Project ID
Traffic Direction	The direction of the traffic in the event.
Acquisition Hire
External Link
Number of similar files
Additional Email Addresses
MITRE Tactic Name
Detected Users	Detected users
similarIncidents
app channel name
Domain Registrar Abuse Email
Last Seen
Src User	Source User
Alert Action	Alert action as received from the integration JSON
Similar incidents Dbot
Detected Endpoints
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
User Engagement Response
CVE Published
Email Sent Successfully	Whether the email has been successfully sent.
UUID	UUID as received from the integration JSON
Referenced Resource ID
Source Network
Policy ID
Caller
Policy Actions
Hostnames	The hostname in the event.
Compliance Notes	Notes regarding the assets compliance.
sAMAccountName	User sAMAAccountName
Identity Type
Device Id	Device Id
Resource Name
Job Function	Job Function
User Agent
File Creation Date
Pre Nat Source IP	The source IP before NAT.
Src NT Domain	Source NT Domain
Report Name
Ticket Closed Date
Alert Category	The category of the alert
User Block Status
Alert Type ID
CVSS
Triage SLA	The time it took to investigate and enrich incident information.
Team name
Registry Key
EmailCampaignSnippets
Close Time	The closing time.
Endpoint
Cloud Instance ID	Cloud Instance ID
Command Line	Command Line
Source Status
File Path
Manager Name	Manager Name
Resource URL
Full Name	Person's Full Name
User Groups
Technical Owner	The technical owner of the asset.
Protocol	Protocol
Detected User

Incident Types

Name	Description
Network
Authentication
Hunt
Exploit
C2Communication
Job
Simulation
DoS
Vulnerability
Indicator Feed
UnknownBinary
Defacement
Lateral Movement
Policy Violation
Reconnaissance
Exfiltration

Indicator Fields

Name	Description
Service	The specific service of a feed integration from which an indicator was ingested.
Associated File Names
Signature Authentihash
Registrar Abuse Name
Manager Email Address
Associations	Known associations to other pieces of Threat Data.
CVE Description
Admin Phone
Certificate Validation Checks
Display Name
Author
Primary Motivation
File Type
Is Malware Family
Organization
Domain IDN Name
Org Level 3
STIX Tool Version
MD5
Cost Center Code
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
DNS Records
Signed
Signature Internal Name
Account Type
Admin Name
Registrant Country
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Capabilities
City	City
Source Priority
Country Code Number
State
ASN
Architecture
Processors
Organizational Unit (OU)
Certificates
CVSS Version
Signature Description
Assigned role
Goals
CVE Modified
Paths
Operating System Version
Subdomains
Cost Center
Updated Date
AS Owner
Subject
Manager Name	Manager Name
Job Family
CVSS
Registrant Email
Community Notes
Surname	Surname
Registrar Name
Product
Commands
Creation Date
STIX Malware Types
Definition
Operating System Refs
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Global Prevalence	The number of times the indicator is detected across all organizations.
Hostname
Signature Original Name
STIX Aliases	Alternative names used to identify this object
Mobile Phone
Registrar Abuse Network
Behavior
Detection Engines	Total number of engines that checked the indicator
STIX Goals
Office365Required
Confidence
OS Version
File Extension
Secondary Motivations
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Processor
Path
Domains
Samples
Region
Number of subkeys
Extension
CVSS3
Org Unit
Registrar Abuse Phone
Issuer DN	Issuer Distinguished Name
Source Original Severity	The original score/severity provided by the source without DBot translation.
Short Description
CVSS Score
Signature File Version
Certificate Names
Rank	Used to display rank from different sources
Office365Category
Vulnerabilities
Department	Department
Work Phone
STIX Tool Types
Port
Signature Copyright
Domain Name
Given Name	Given Name
DNS
Registrar Abuse Country
Title	Title
Vulnerable Products
Internal
IP Address
Registrar Abuse Address
SHA1
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Action
Sophistication
Location Region
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
PEM	Certificate in PEM format.
Name
STIX Is Malware Family
Serial Number
DHCP Server
SSDeep
Category
Expiration Date
Organization First Seen	Date and time when the indicator was first seen in the organization.
Validity Not After	Specifies the date on which the certificate validity period ends.
STIX Description
Force Sync	Whether to force user synchronization.
STIX Resource Level
MAC Address
SHA256
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Certificate Signature
BIOS Version
Mitre ID
Roles
imphash
Positive Detections	Number of engines that positively detected the indicator as malicious
Email
Indicator Identification
STIX Secondary Motivations
Email Address
Tool Types
Office365ExpressRoute
Zip Code
Domain Referring IPs
Tags
Implementation Languages
Campaign
Registrant Name
Description
Username
Admin Email
Subject Alternative Names
Subject DN	Subject Distinguished Name
First Seen By Source	The first time the indicator was seen by the source vendor.
Actor
Country Code
Registrant Phone
Issuer
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Geo Location
Org Level 1
SHA512
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
CVSS Vector
Whois Records
Is Processed
Mitre Tactics
Groups
CVSS Table
Job Code	Job Code
Leadership
Domain Status
Publications
X.509 v3 Extensions
Location
Reports
Feed Related Indicators
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Validity Not Before	Specifies the date on which the certificate validity period begins.
Job Function
Org Level 2
Name Field
STIX Sophistication
Download URL
Version
STIX Primary Motivation.
Vendor
Objective
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Published
Admin Country
STIX Threat Actor Types
Blocked
Public Key
Malware Family
Device Model
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Malware types
Key Value
STIX Roles
Threat Actor Types
Geo Country
Report type
Applications
Targets
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Organization Prevalence	The number of times the indicator is detected in the organization.
User ID
Signature Algorithm
Detections
Registrar Abuse Email
Acquisition Hire	Whether the employee is an acquisition hire.
Entry ID
Memory
Size
Tool Version
Report Object References	A list of STIX IDs referenced in the report.
Domain Referring Subnets
SWID	Specifies the Software Identification (SWID) tags entry for the software
Personal Email
Resource Level
Operating System
Infrastructure Types
Assigned user
Quarantined	Whether the indicator is quarantined or isolated
Organization Type
Country Name
Name Servers
Street Address
Aliases	Alternative names used to identify this object
Query Language

Layouts

Name	Description
Host Indicator	Host indicator layout
Account Indicator	Account Indicator Layout
Report	Report Indicator Layout
Indicator Feed Incident
IP Indicator	IP Indicator Layout
File Indicator	File Indicator Layout
Mutex	Mutex indicator layout
Identity	Identity indicator layout
Course of Action	Course of Action Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Tool Indicator	Tool Indicator Layout
CVE Indicator	CVE Indicator Layout
URL Indicator	URL Indicator Layout
ASN	ASN Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Vulnerability Incident
X509 Certificate	CVE Indicator Layout
Email Indicator	Email Indicator Layout
Campaign	Campaign Indicator Layout
Malware Indicator	Malware Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Tactic Layout	Tactic Indicator Layout
Domain Indicator	Domain Indicator Layout
Intrusion Set	Intrusion Set Layout
Location	Location indicator layout
Software	Software Indicator Layout

Indicator Types

Name	Description
Software
Tactic
ssdeep
Course of Action
Account
Registry Key
Threat Actor
Report
Identity
Campaign
Malware
Infrastructure
DomainGlob
IP
Onion Address
Tool
Attack Pattern
URL
IPv6
File SHA-256
Email
CVE
Intrusion Set
File
X509 Certificate
Host
File SHA-1
File MD5
Domain
IPv6CIDR
Mutex
CIDR
ASN
Location

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Alert tags
Ticket Closed Date
Registry Value Type
Caller
Isolated	Isolated
Parent Process File Path
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Detected External IPs	Detected external IPs
Suspicious Executions Found
Policy Type
Affected Users
Hunt Results Count
External Severity
Process Names
RemovedFromCampaigns
Alert Rules
IncomingMirrorError
Risk Name
Subtype	Subtype
Agent Version	Reporting Agent/Sensor Version
CVSS
Source Priority
app channel name
Detected Internal Hosts	Detected internal hosts
Process ID
Source External IPs
Manager Email Address
Compliance Notes	Notes regarding the assets compliance.
Device Time	The time from the original logging device when the event occurred.
Last Mirrored Time Stamp	The last time the incident was mirrored in.
First Seen
Assignment Group
Source Urgency	Source Urgency
Verdict
Domain Name
Category Count	The number of categories that are associated with the offense.
Related Alerts
Project ID
Last Seen
Parent Process SHA256
Original Description	The description of the incident
Duration
Timezone
SKU Name
Vendor ID
Error Message	The error message that contains details about the error that occurred.
Pre Nat Source Port	The source port before NAT.
Registry Key
Use Case Description
Device OU	Device's OU path in Active Directory
Policy Severity
Technique
Department	Department
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Cost Center	Cost Center
Device Id	Device Id
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
User Anomaly Count
Destination Networks
Display Name	Display Name
Sub Category	The sub category
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Log Source	Log Source
Manager Name	Manager Name
Work Phone
File Size	File Size
Original Alert Name	Alert name as received from the integration JSON
Reporter Email Address	The email address of the user who reported the email.
Destination Geolocation	The destination geolocation of the event.
CVE Published
Source Status
Org Level 3
Phone Number	Phone number
User Engagement Response
Original Alert Source
Source Created By
Device MAC Address
Location	Location
Additional Indicators
Registry Value
URLs
External Category Name
Item Owner Email
Internal Addresses
MITRE Tactic ID
IP Blocked Status
Scenario
Detection URL	URL of the ExtraHop Reveal(x) detection
Location Region	Location Region
Tool Usage Found
Exposure Level
ASN Name
Verification Method	The method used to verify the user.
Pre Nat Destination Port	The destination port before NAT.
Last Modified On
Device OS Version
Traffic Direction	The direction of the traffic in the event.
Referenced Resource ID
Close Time	The closing time.
Rating
Verification Status	The status of the user verification.
Source Updated by
External Confidence
Affected Hosts
Device Hash	Device Hash
Pre Nat Source IP	The source IP before NAT.
Policy URI
Full Name	Person's Full Name
Tenant Name	Tenant Name
Selected Indicators	Includes the indicators selected by the user.
Org Level 1
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Device Model	Device Model
ASN
Cloud Region List
Cloud Service
Number of similar files
Email Sent Successfully	Whether the email has been successfully sent.
Is Active	Alert status
Comment	The comments related with the incident
Policy Details
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
External Last Updated Time
Technical User	The technical user of the asset.
File Access Date
Alert Type ID
Sensor IP
Users Details
EmailCampaignMutualIndicators
Approver	The person who approved or needs to approve the request.
CVE
Title	Title
Attack Patterns
Process CMD
Process Creation Time
High Risky Users
Source Geolocation	The source geolocation of the event.
Policy Deleted
Technical Owner Contact	The contact details for the technical owner.
Start Time	The time when the offense started.
External Category ID
Dest OS	Destination OS
Org Unit
Account ID
Ticket Acknowledged Date
External Sub Category ID
Error Code
Closing User	The closing user.
Street Address
String Similarity Results
CVE ID
UUID	UUID as received from the integration JSON
Password Reset Successfully	Whether the password has been successfully reset.
Country Code
Low Level Categories Events	The low level category of the event.
OutgoingMirrorError
Registration Email
Parent Process Name
Resource Type
Risk Score
Closing Reason	The closing reason
OS	The operating system.
Parent Process Path
Containment SLA	The time it took to contain the incident.
Related Campaign
Escalation
Additional Email Addresses
Detected Endpoints
Agents ID
Mobile Device Model
Alert Action	Alert action as received from the integration JSON
Dsts	The destination values.
Resource URL
Referenced Resource Name
File Creation Date
User Id	User Id
Technique ID
Destination IPV6	The destination IPV6 address.
Related Report
Policy Description
Post Nat Destination IP	The destination IP address after NAT.
Account Status
Device Status
Personal Email
Leadership
Rule Name	The name of a YARA rule
Birthday	Person's Birthday
Process Paths
Campaign Name
Region
Cloud Account ID
Follow Up	True if marked for follow up.
Source Id
User Block Status
Detection End Time
userAccountControl	userAccountControl
sAMAccountName	User sAMAAccountName
MITRE Tactic Name
Block Indicators Status
Tactic ID
Policy Actions
Device Name	Device Name
Region ID
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Original Alert ID	Alert ID as received from the integration JSON
Country Code Number
Original Events	The events associated with the offense.
Triage SLA	The time it took to investigate and enrich incident information.
EmailCampaignCanvas
City
Parent Process MD5
MITRE Technique Name
Mobile Phone
Device External IPs
Similar incidents Dbot
Vendor Product
Technical Owner	The technical owner of the asset.
Audit Logs
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Source Create time
Policy Recommendation
Process SHA256
SSDeep
Resource Name
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Device OS Name
Custom Query Results
IP Reputation
Post Nat Source Port	The source port after NAT.
Employee Display Name	The display name of the employee.
OS Type	OS Type
Post Nat Source IP	The source IP address after NAT.
Alert Malicious	Whether the alert is malicious.
Application Path
Ticket Number
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
File Hash
Objective
Last Name	Last Name
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Changed	The user who changed this incident
Attack Mode	Attack mode as received from the integration JSON
Vulnerability Category
Tools
Bugtraq
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Log Source Name	The log source name associated with the event.
External Sub Category Name
Src OS	Src OS
Endpoint Isolation Status
EmailCampaignSnippets
App message
Rendered HTML	The HTML content in a rendered form.
Job Family	Job Family
Raw Event	The unparsed event data.
Email	Primary Email Address
Source Networks
Blocked Action	Blocked Action
Signature
Post Nat Destination Port	The destination port after NAT.
Cost Center Code	Cost Center Code
Job Code	Job Code
Account Member Of
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Additional Data
Cloud Resource List
Item Owner
Employee Email	The email address of the employee.
State	State
Status Reason
File Relationships
First Name	First Name
Detection ID
User Groups
SHA512	SHA512
External Link
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
User SID
Suspicious Executions
External End Time
External Status
Incident Link
Approval Status	The status for the approval of the request.
Related Endpoints
Command Line Verdict
Job Function	Job Function
User Creation Time
Event Descriptions	The description of the event name.
Event ID	Event ID
MITRE Technique ID
List Of Rules - Event	The list of rules associated to an event.
Tactic
Identity Type
Vulnerable Product
Parent Process CMD
Given Name	Given Name
Org Level 2
EmailCampaignSummary
Last Update Time
File SHA1
Domain Registrar Abuse Email
Team name
Cloud Instance ID	Cloud Instance ID
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Domain Updated Date
Password Changed Date
Log Source Type	The log source type associated with the event.
SHA1	SHA1
Number Of Log Sources	The number of log sources related to the offense.
Endpoints Details
External Start Time
Source Category
Assigned User	Assigned User
Last Modified By
Investigation Stage	The stage of the investigation.
SKU TIER
Report Name
Device Internal IPs
Triggered Security Profile	Triggered Security Profile
Parent Process IDs
Protocol names
Employee Manager Email	The email address of the employee's manager.
Surname	Surname
Classification	Incident Classification
High Risky Hosts
Risk Rating
Event Names	The event name (translated QID ) in the event.
Zip Code	Zip Code
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Process MD5
Operation Name
Registry Hive
Asset Name
Policy ID
Policy Remediable
External System ID
Acquisition Hire
Unique Ports
similarIncidents
End Time	The time when the offense ended.
Asset ID
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Group ID
Number of Related Incidents

Incident Types

Name	Description
Policy Violation
DoS
Vulnerability
UnknownBinary
Exfiltration
Exploit
C2Communication
Lateral Movement
Simulation
Network
Job
Reconnaissance
Hunt
Indicator Feed
Authentication
Defacement

Indicator Fields

Name	Description
Assigned user
BIOS Version
imphash
Title	Title
Entry ID
Region
Registrar Abuse Address
Signature File Version
Registrant Name
CVSS Table
Infrastructure Types
STIX Resource Level
Vendor
Rank	Used to display rank from different sources
ASN
Signature Algorithm
Behavior
Processor
File Type
Architecture
Registrant Email
Org Level 1
Operating System Refs
Whois Records
STIX Goals
Source Original Severity	The original score/severity provided by the source without DBot translation.
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Resource Level
Domain Status
Name
Port
Signature Original Name
DNS
PEM	Certificate in PEM format.
SHA512
Associated File Names
Operating System
Org Level 3
Indicator Identification
Certificates
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Size
Email
Confidence
Admin Phone
Objective
Processors
Organization Prevalence	The number of times the indicator is detected in the organization.
Subject Alternative Names
STIX Secondary Motivations
Registrant Country
Account Type
Action
Registrant Phone
File Extension
Mitre Tactics
Commands
Job Family
Reports
AS Owner
STIX Sophistication
Vulnerabilities
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
OS Version
Signature Internal Name
Office365Required
Issuer
Blocked
Signature Copyright
Personal Email
X.509 v3 Extensions
Goals
Actor
Short Description
State
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Acquisition Hire	Whether the employee is an acquisition hire.
Email Address
Surname	Surname
Creation Date
Registrar Abuse Phone
IP Address
Tool Version
STIX Tool Version
Version
DNS Records
Implementation Languages
Organization
First Seen By Source	The first time the indicator was seen by the source vendor.
Registrar Abuse Email
Org Unit
Certificate Names
Registrar Abuse Country
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Organization First Seen	Date and time when the indicator was first seen in the organization.
Subject
Cost Center Code
CVE Modified
Subdomains
Targets
STIX Malware Types
Office365Category
Category
Street Address
Path
Organization Type
Department	Department
Job Function
Definition
Service	The specific service of a feed integration from which an indicator was ingested.
Samples
STIX Roles
Mitre ID
Org Level 2
City	City
SHA1
Admin Country
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Operating System Version
Public Key
CVE Description
CVSS3
STIX Tool Types
Product
Query Language
Signature Description
Serial Number
Mobile Phone
Subject DN	Subject Distinguished Name
CVSS Version
Publications
Roles
Published
Campaign
STIX Is Malware Family
SWID	Specifies the Software Identification (SWID) tags entry for the software
Domain Referring IPs
Organizational Unit (OU)
MD5
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Extension
Capabilities
Leadership
Threat Actor Types
Manager Name	Manager Name
Key Value
Registrar Abuse Network
Location
Certificate Validation Checks
Name Servers
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Geo Location
Domains
Country Name
Registrar Name
Associations	Known associations to other pieces of Threat Data.
STIX Description
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Detection Engines	Total number of engines that checked the indicator
Signed
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Work Phone
Certificate Signature
User ID
SSDeep
Aliases	Alternative names used to identify this object
Admin Email
Tags
Username
Expiration Date
CVSS Vector
Display Name
Primary Motivation
Domain IDN Name
Is Processed
Groups
Registrar Abuse Name
Malware types
Device Model
Domain Name
CVSS
Validity Not After	Specifies the date on which the certificate validity period ends.
Vulnerable Products
Feed Related Indicators
Domain Referring Subnets
CVSS Score
Hostname
Signature Authentihash
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Paths
Download URL
Validity Not Before	Specifies the date on which the certificate validity period begins.
Number of subkeys
Sophistication
Positive Detections	Number of engines that positively detected the indicator as malicious
Quarantined	Whether the indicator is quarantined or isolated
Job Code	Job Code
Malware Family
STIX Aliases	Alternative names used to identify this object
Secondary Motivations
Country Code
Zip Code
DHCP Server
Global Prevalence	The number of times the indicator is detected across all organizations.
Country Code Number
STIX Threat Actor Types
Name Field
Tool Types
Given Name	Given Name
Author
Source Priority
Detections
Force Sync	Whether to force user synchronization.
Community Notes
Applications
STIX Primary Motivation.
Cost Center
Memory
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Report type
Manager Email Address
Admin Name
Geo Country
Report Object References	A list of STIX IDs referenced in the report.
Updated Date
SHA256
Description
Assigned role
Internal
Office365ExpressRoute
Location Region
Is Malware Family
Issuer DN	Issuer Distinguished Name

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
File Indicator	File Indicator Layout
Threat Actor	Threat Actor Indicator Layout
X509 Certificate	CVE Indicator Layout
URL Indicator	URL Indicator Layout
Host Indicator	Host indicator layout
Tactic Layout	Tactic Indicator Layout
Infrastructure	Infrastructure Indicator Layout
IP Indicator	IP Indicator Layout
Account Indicator	Account Indicator Layout
Report	Report Indicator Layout
Tool Indicator	Tool Indicator Layout
CVE Indicator	CVE Indicator Layout
Intrusion Set	Intrusion Set Layout
Course of Action	Course of Action Indicator Layout
Mutex	Mutex indicator layout
Domain Indicator	Domain Indicator Layout
ASN	ASN Indicator Layout
Identity	Identity indicator layout
Malware Indicator	Malware Indicator Layout
Campaign	Campaign Indicator Layout
Vulnerability Incident
Email Indicator	Email Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Indicator Feed Incident
Software	Software Indicator Layout
Location	Location indicator layout

Indicator Types

Name	Description
Report
Registry Key
Attack Pattern
Intrusion Set
Host
Tool
CVE
File SHA-256
Onion Address
URL
IPv6CIDR
Infrastructure
CIDR
File
Identity
File SHA-1
ASN
Malware
Campaign
Software
Tactic
Threat Actor
X509 Certificate
ssdeep
IPv6
IP
Domain
Account
Course of Action
File MD5
Email
Mutex
DomainGlob
Location

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (59)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
Trellix Email Security - Cloud	By: Cortex XSOAR
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GravityZone	By: Bitdefender
Akamai GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (4)

Pack Name	Pack By
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

3.10.8 - 8382811 (April 20, 2026)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

3.10.7 - 8288718 (April 15, 2026)

Indicator Types

Domain
Fixed an issue where false-positive domain indicators were extracted.

Related pull requests:
- 43856

Download

3.10.6 - 8227525 (April 13, 2026)

Incident Fields

Last Update Time
Updated the Last Update Time incident field to support the CrowdStrike Falcon Intelligence Recon incident type.

Related pull requests:
- 42097
- 41869

Download

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7389211 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920594 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.10.8 - 8382811 (April 20, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

3.10.7 - 8288718 (April 15, 2026)

Indicator Types

Domain
Fixed an issue where false-positive domain indicators were extracted.

Related pull requests:
- 43856

Download

3.10.6 - 8227525 (April 13, 2026)

Incident Fields

Last Update Time
Updated the Last Update Time incident field to support the CrowdStrike Falcon Intelligence Recon incident type.

Related pull requests:
- 42097
- 41869

Download

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7379405 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920581 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	April 20, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Mandiant Automated Defense (Formerly Respond Software)

Palo Alto Networks Cortex XDR - Investigation and Response

Symantec Data Loss Prevention (Deprecated)

VMware Carbon Black Endpoint Standard (Deprecated)

Palo Alto Networks - Prisma Cloud Compute

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.