Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides you with the most commonly used incident and indicator fields and types.
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
| Name | Description |
|---|---|
Log Source Name | The log source name associated with the event. |
Parent Process SHA256 | |
Technique | |
Attack Patterns | |
User Groups | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Source IP | The IP Address that the user initially logged in from. |
Detected Internal Hosts | Detected internal hosts |
CVE Published | |
Cloud Account ID | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
SHA1 | SHA1 |
Application Id | Application Id |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Objective | |
Country Name | Country Name |
Alert Category | The category of the alert |
Risk Score | |
File Relationships | |
Exposure Level | |
Email Sent Successfully | Whether the email has been successfully sent. |
SHA256 | SHA256 |
File MD5 | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Post Nat Source Port | The source port after NAT. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
External Confidence | |
Parent Process File Path | |
Referenced Resource ID | |
Post Nat Destination Port | The destination port after NAT. |
Job Family | Job Family |
Detected Endpoints | |
File Paths | |
Project ID | |
Events | The events associated with the offense. |
Classification | Incident Classification |
Parent CMD line | |
High Risky Users | |
Account Name | Account Name |
Resource Type | |
Verification Status | The status of the user verification. |
Cost Center | Cost Center |
Domain Updated Date | |
Policy URI | |
Registry Key | |
Alert Type ID | |
IP Blocked Status | |
Policy Recommendation | |
Attack Mode | Attack mode as received from the integration JSON |
Org Level 3 | |
Location Region | Location Region |
External Sub Category ID | |
Source Hostname | The hostname that performed the port scan. |
City | |
Application Name | Application Name |
User Risk Level | |
Leadership | |
Policy Details | |
Caller | |
Password Reset Successfully | Whether the password has been successfully reset. |
High Level Categories | The high level categories in the events. |
Start Time | The time when the offense started. |
Device OS Name | |
SKU Name | |
Source Created By | |
Source IPs | The source IPs of the event. |
Password Changed Date | |
Destination Network | |
DNS Name | The DNS name of the asset. |
Dest NT Domain | Destination NT Domain |
Last Seen | |
Assigned User | Assigned User |
Policy Severity | |
Destination IP | The IP address the impossible traveler logged in to. |
Approver | The person who approved or needs to approve the request. |
Threat Hunting Detected IP | |
Parent Process CMD | |
Source Create time | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Event Descriptions | The description of the event name. |
External Sub Category Name | |
Source Networks | |
Manager Email Address | |
Display Name | Display Name |
Asset ID | |
Custom Query Results | |
Dsts | The destination values. |
Device Time | The time from the original logging device when the event occurred. |
Protocol | Protocol |
Detected External Hosts | Detected external hosts |
Number of Related Incidents | |
Registry Hive | |
Last Modified By | |
Rendered HTML | The HTML content in a rendered form. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Detection End Time | |
Org Unit | |
Process Paths | |
Dest Hostname | Destination hostname |
Remediation SLA | The time from when remediation of the incident began until it ended. |
EmailCampaignMutualIndicators | |
Log Source | Log Source |
File SHA1 | |
External System ID | |
Incident Link | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Src NT Domain | Source NT Domain |
Endpoint Isolation Status | |
Account Status | |
File Creation Date | |
Full Name | Person's Full Name |
File Names | |
Destination Hostname | Destination hostname |
Blocked Action | Blocked Action |
Birthday | Person's Birthday |
External Category Name | |
Technical Owner Contact | The contact details for the technical owner. |
Item Owner | |
Destination IPs | The destination IPs of the event. |
Source IPV6 | The source IPV6 address. |
First Seen | |
CVSS | |
Appliance Name | Appliance name as received from the integration JSON |
Dst Ports | The destination ports of the event. |
Suspicious Executions Found | |
Containment SLA | The time it took to contain the incident. |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Closing User | The closing user. |
Srcs | The source values. |
Process Name | |
Source Category | |
Tools | |
Country Code | |
Registration Email | |
Hunt Results Count | |
Title | Title |
User Id | User Id |
Agent Version | Reporting Agent/Sensor Version |
Src Ports | The source ports of the event. |
RemovedFromCampaigns | |
File Name | |
Process Path | |
Parent Process | |
Related Campaign | |
Resource ID | |
Pre Nat Source Port | The source port before NAT. |
String Similarity Results | |
Team name | |
Alert ID | Alert ID as received from the integration JSON |
Number Of Log Sources | The number of log sources related to the offense. |
CMD | |
Audit Logs | |
User Anomaly Count | |
Follow Up | True if marked for follow up. |
Vendor Product | |
External Severity | |
Ticket Closed Date | |
Signature | |
EmailCampaignSummary | |
Subtype | Subtype |
State | State |
User SID | |
Device Internal IPs | |
Pre Nat Destination Port | The destination port before NAT. |
End Time | The time when the offense ended. |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Block Indicators Status | |
MD5 | MD5 |
Command Line | Command Line |
Job Function | Job Function |
Process ID | |
Manager Name | Manager Name |
Related Alerts | |
Source Network | |
Device External IPs | |
Status Reason | |
Org Level 2 | |
Asset Name | |
External Category ID | |
Alert URL | Alert URL as received from the integration JSON |
Destination IPV6 | The destination IPV6 address. |
File Access Date | |
File Hash | |
Source Username | The username that was the source of the attack. |
Protocol names | |
Reporter Email Address | The email address of the user who reported the email. |
Source MAC Address | The source MAC address in an event. |
MITRE Technique Name | |
Process CMD | |
SSDeep | |
Mobile Device Model | |
OS | The operating system. |
Selected Indicators | Includes the indicators selected by the user. |
Org Level 1 | |
Device Id | Device Id |
Rule Name | The name of a YARA rule |
Appliance ID | Appliance ID as received from the integration JSON |
Device OU | Device's OU path in Active Directory |
Parent Process Name | |
User Engagement Response | |
File SHA256 | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Additional Data | |
Endpoints Details | |
Identity Type | |
Device Username | The username of the user that owns the device |
Destination MAC Address | The destination MAC address in an event. |
Investigation Stage | The stage of the investigation. |
Ticket Number | |
Policy Deleted | |
Detected IPs | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
MAC Address | MAC Address |
Last Modified On | |
Threat Family Name | Threat family name associated with an attacking vector, e.g. Meterpreter as toolkit, or Extortion/Fraud/Espionage. |
Phone Number | Phone number |
Dest OS | Destination OS |
Child Process | |
Src OS | Src OS |
Detected External IPs | Detected external IPs |
Pre Nat Source IP | The source IP before NAT. |
Related Report | |
PID | PID |
Group ID | |
CVE | |
Bugtraq | |
Traffic Direction | The direction of the traffic in the event. |
app channel name | |
Cloud Service | |
Tactic | |
Device Hash | Device Hash |
Tags | |
Threat Name | Defines the threat name, such as malware/exploit/phishing/etc. |
List Of Rules - Event | The list of rules associated with an event. |
Post Nat Source IP | The source IP address after NAT. |
Dest | Destination |
Registry Value Type | |
Country | The country from which the user logged in. |
Cloud Instance ID | Cloud Instance ID |
Event ID | Event ID |
Acquisition Hire | |
Parent Process IDs | |
External ID | |
Description | The description of the incident |
Users Details | |
MITRE Tactic Name | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Registry Value | |
Users | |
Process SHA256 | |
Sensor Name | |
Ticket Acknowledged Date | |
Vulnerability Category | |
Error Message | The error message that contains details about the error that occurred. |
File Path | |
Resource Name | |
userAccountControl | userAccountControl |
Risk Name | |
Source Urgency | Source Urgency |
Use Case Description | |
Event Type | Event Type |
OS Type | OS Type |
Device MAC Address | |
Source Status | |
Ticket Opened Date | |
Command Line Verdict | |
Alert Action | Alert action as received from the integration JSON |
Referenced Resource Name | |
Event Names | The event name (translated QID) in the event. |
User Agent | |
First Name | First Name |
Destination Geolocation | The destination geolocation of the event. |
Technique ID | |
Street Address | |
Detection Update Time | |
Zip Code | Zip Code |
Vendor ID | |
Policy Remediable | |
CVE ID | |
Alert tags | |
Device Model | Device Model |
Raw Event | The unparsed event data. |
Affected Users | |
Account Member Of | |
Alert Rules | |
Internal Addresses | |
Parent Process MD5 | |
Hostnames | The hostname in the event. |
Threat Hunting Detected Hostnames | |
Sub Category | The sub category |
External Addresses | |
Detected Internal IPs | Detected internal IPs |
Last Update Time | |
External Link | |
Employee Manager Email | The email address of the employee's manager. |
SKU TIER | |
Suspicious Executions | |
Technical Owner | The technical owner of the asset. |
Source Port | The source port that was used |
URLs | |
External End Time | |
MITRE Technique ID | |
Process Creation Time | |
File Size | File Size |
User Creation Time | |
Category Count | The number of categories that are associated with the offense. |
UUID | UUID as received from the integration JSON |
User Block Status | |
Post Nat Destination IP | The destination IP address after NAT. |
Alert Attack Time | |
Is Active | Alert status |
Src User | Source User |
Agent ID | Agent ID |
Additional Indicators | |
Rating | |
Domain Name | |
External Last Updated Time | |
Scenario | |
Device OS Version | |
Device Local IP | Device Local IP |
Location | Location |
Last Name | Last Name |
Device Name | Device Name |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Cost Center Code | Cost Center Code |
Src | Source |
Domain Registrar Abuse Email | |
Employee Display Name | The display name of the employee. |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Personal Email | |
Changed | The user who changed this incident |
Cloud Operation Type | |
Work Phone | |
Mobile Phone | |
Escalation | |
External Status | |
High Risky Hosts | |
Timezone | |
Endpoint | |
Close Time | The closing time. |
Risk Rating | |
Report Name | |
OS Version | OS Version |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Verdict | |
Tool Usage Found | |
Isolated | Isolated |
MITRE Tactic ID | |
Closing Reason | The closing reason |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
App message | |
Triggered Security Profile | Triggered Security Profile |
Job Code | Job Code |
Source Geolocation | The source geolocation of the event. |
Categories | The categories for the incident. |
Country Code Number | |
Src Hostname | Source hostname |
ASN Name | |
Alert Source | |
Detected Users | Detected users |
Affected Hosts | |
Detected User | |
EmailCampaignCanvas | |
Protocols | |
Operation Name | |
Compliance Notes | Notes regarding the asset's compliance. |
Similar incidents Dbot | |
Log Source Type | The log source type associated with the event. |
Additional Email Addresses | |
Low Level Categories Events | The low level category of the event. |
Primary Email Address | |
Comment | The comments related to the incident. |
Destination Networks | |
OutgoingMirrorError | |
Region | |
Detection ID | |
Triage SLA | The time it took to investigate and enrich incident information. |
App | |
Resource URL | |
Approval Status | The status for the approval of the request. |
Parent Process Path | |
Tactic ID | |
Source Updated by | |
Surname | Surname |
Alert Malicious | Whether the alert is malicious. |
Account ID | |
Number of similar files | |
Alert Name | Alert name as received from the integration JSON |
Region ID | |
Source Id | |
Cloud Resource List | |
Technical User | The technical user of the asset. |
Cloud Region List | |
External Start Time | |
similarIncidents | |
sAMAccountName | User sAMAccountName |
SHA512 | SHA512 |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Device Status | |
Agents ID | |
Policy Actions | |
Process Names | |
Unique Ports | |
Destination Port | The destination port used. |
Error Code | |
Source External IPs | |
IncomingMirrorError | |
Policy Type | |
Policy Description | |
IP Reputation | |
Sensor IP | |
Department | Department |
EmailCampaignSnippets | |
CMD line | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Assignment Group | |
Employee Email | The email address of the employee. |
ASN | |
Device External IP | Device External IP |
Verification Method | The method used to verify the user. |
Username | The username of the account who logged in. |
Related Endpoints | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Given Name | Given Name |
Tenant Name | Tenant Name |
Protocol - Event | The network protocol in the event. |
Policy ID | |
Duration | |
Campaign Name | |
Item Owner Email | |
Source Priority | |
Usernames | The username in the event. |
Application Path | |
Vulnerable Product | |
Process MD5 | |
| Name | Description |
|---|---|
Job | |
Reconnaissance | |
Lateral Movement | |
Exploit | |
Vulnerability | |
Defacement | |
Exfiltration | |
Policy Violation | |
DoS | |
C2Communication | |
UnknownBinary | |
Hunt | |
Network | |
Indicator Feed | |
Simulation | |
Authentication | |
| Name | Description |
|---|---|
Indicator Identification | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Registrant Email | |
SHA256 | |
Name Field | |
Registrar Abuse Address | |
Certificate Signature | |
Service | The specific service of a feed integration from which an indicator was ingested. |
SHA512 | |
Threat Actor Types | |
Description | |
Reports | |
Infrastructure Types | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Domain Referring IPs | |
Registrant Name | |
Mitre ID | |
Processors | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
IP Address | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Org Level 2 | |
Country Code Number | |
Registrar Abuse Network | |
DNS | |
Department | Department |
Resource Level | |
Account Type | |
Subject Alternative Names | |
STIX Tool Types | |
File Extension | |
Secondary Motivations | |
STIX Roles | |
Rank | Used to display rank from different sources |
Leadership | |
Force Sync | Whether to force user synchronization. |
Is Processed | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Malware Family | |
Zip Code | |
Job Family | |
CVSS Version | |
Community Notes | |
CVE Description | |
Signed | |
CVSS3 | |
MD5 | |
Action | |
Malware types | |
SHA1 | |
Is Malware Family | |
Location | |
Commands | |
STIX Resource Level | |
BIOS Version | |
imphash | |
OS Version | |
Associations | Known associations to other pieces of Threat Data. |
Domain IDN Name | |
Detections | |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Geo Location | |
Actor | |
Quarantined | Whether the indicator is quarantined or isolated |
Hostname | |
STIX Sophistication | |
Capabilities | |
Mobile Phone | |
Roles | |
Organizational Unit (OU) | |
DNS Records | |
Job Code | Job Code |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Primary Motivation | |
Report Object References | A list of STIX IDs referenced in the report. |
Subject | |
Tool Types | |
Signature Algorithm | |
Product | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Cost Center Code | |
CVE Modified | |
STIX Tool Version | |
Targets | |
Memory | |
Region | |
STIX Is Malware Family | |
Sophistication | |
PEM | Certificate in PEM format. |
City | City |
CVSS | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Port | |
Cost Center | |
Street Address | |
Domains | |
Path | |
Aliases | Alternative names used to identify this object |
Work Phone | |
Signature Authentihash | |
Size | |
Registrar Abuse Name | |
Domain Name | |
Device Model | |
Admin Name | |
Entry ID | |
Signature File Version | |
Goals | |
Registrar Abuse Email | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Operating System | |
SSDeep | |
Associated File Names | |
Architecture | |
Short Description | |
Admin Email | |
Issuer DN | Issuer Distinguished Name |
Public Key | |
Certificate Names | |
Assigned user | |
Subject DN | Subject Distinguished Name |
Country Code | |
Registrar Abuse Country | |
DHCP Server | |
Office365ExpressRoute | |
Samples | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary. |
Manager Email Address | |
Definition | |
Paths | |
Username | |
Author | |
Job Function | |
Assigned role | |
Subdomains | |
ASN | |
Mitre Tactics | |
Name Servers | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Vulnerabilities | |
STIX Malware Types | |
Registrant Phone | |
X.509 v3 Extensions | |
Location Region | |
Category | |
Number of subkeys | |
STIX Goals | |
AS Owner | |
Signature Original Name | |
Registrar Abuse Phone | |
CVSS Table | |
Feed Related Indicators | |
CVSS Score | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Implementation Languages | |
CVSS Vector | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Org Level 3 | |
Serial Number | |
State | |
Issuer | |
Objective | |
STIX Secondary Motivations | |
Vendor | |
Org Level 1 | |
Organization Type | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
File Type | |
Processor | |
MAC Address | |
Download URL | |
Vulnerable Products | |
Campaign | |
Publications | |
Expiration Date | |
User ID | |
Office365Required | |
Creation Date | |
Version | |
Groups | |
Name | |
Org Unit | |
Certificate Validation Checks | |
Admin Phone | |
Signature Internal Name | |
STIX Primary Motivation. | |
Extension | |
Published | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Title | Title |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Domain Referring Subnets | |
Given Name | Given Name |
Registrar Name | |
Surname | Surname |
Tags | |
Domain Status | |
Blocked | |
Detection Engines | Total number of engines that checked the indicator |
Confidence | |
Source Priority | |
Signature Copyright | |
Whois Records | |
Admin Country | |
Personal Email | |
Applications | |
Email Address | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Display Name | |
Signature Description | |
Certificates | |
STIX Aliases | Alternative names used to identify this object |
Report type | |
Query Language | |
Operating System Version | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Manager Name | Manager Name |
Internal | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
Behavior | |
Operating System Refs | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Key Value | |
Tool Version | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Registrant Country | |
Updated Date | |
STIX Threat Actor Types | |
Organization | |
Country Name | |
Office365Category | |
STIX Description | |
Geo Country | |
| Name | Description |
|---|---|
ASN | ASN Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Email Indicator | Email Indicator Layout |
File Indicator | File Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Vulnerability Incident | |
CVE Indicator | CVE Indicator Layout |
Report | Report Indicator Layout |
Identity | Identity indicator layout |
Mutex | Mutex indicator layout |
IP Indicator | IP Indicator Layout |
Campaign | Campaign Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Course of Action | Course of Action Indicator Layout |
URL Indicator | URL Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Host Indicator | Host indicator layout |
Location | Location indicator layout |
Tactic Layout | Tactic Indicator Layout |
Account Indicator | Account Indicator Layout |
Software | Software Indicator Layout |
Indicator Feed Incident | |
| Name | Description |
|---|---|
ssdeep | |
URL | |
Course of Action | |
Campaign | |
Identity | |
Mutex | |
DomainGlob | |
Attack Pattern | |
Infrastructure | |
File | |
X509 Certificate | |
Report | |
CIDR | |
Tool | |
File MD5 | |
Tactic | |
Location | |
IPv6CIDR | |
IP | |
Intrusion Set | |
Threat Actor | |
IPv6 | |
Software | |
Account | |
Malware | |
CVE | |
File SHA-256 | |
ASN | |
File SHA-1 | |
Registry Key | |
Onion Address | |
Host | |
Domain | |
| Name | Description |
|---|---|
Mobile Phone | |
EmailCampaignSummary | |
Additional Data | |
Assignment Group | |
File Access Date | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Registry Hive | |
Job Code | Job Code |
Parent Process File Path | |
Region ID | |
Employee Display Name | The display name of the employee. |
Detection ID | |
Event Descriptions | The description of the event name. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Parent Process MD5 | |
Birthday | Person's Birthday |
Registry Value Type | |
Original Events | The events associated with the offense. |
Process Names | |
Report Name | |
Policy URI | |
RemovedFromCampaigns | |
Close Time | The closing time. |
Low Level Categories Events | The low level category of the event. |
Source Updated by | |
Device OS Version | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Compliance Notes | Notes regarding the asset's compliance. |
Related Report | |
Assigned User | Assigned User |
OS | The operating system. |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Command Line Verdict | |
Last Modified On | |
Tool Usage Found | |
Asset Name | |
Account ID | |
Closing Reason | The closing reason |
Email Sent Successfully | Whether the email has been successfully sent. |
Phone Number | Phone number |
Src OS | Src OS |
Device Status | |
First Name | First Name |
Original Alert Name | Alert name as received from the integration JSON |
User Anomaly Count | |
Full Name | Person's Full Name |
Account Status | |
Referenced Resource Name | |
Reporter Email Address | The email address of the user who reported the email. |
CVE | |
First Seen | |
Source Id | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Pre Nat Source Port | The source port before NAT. |
Triage SLA | The time it took to investigate and enrich incident information. |
Pre Nat Source IP | The source IP before NAT. |
Cost Center | Cost Center |
Timezone | |
MITRE Technique ID | |
Alert Rules | |
External System ID | |
Protocol names | |
Device OS Name | |
Post Nat Destination IP | The destination IP address after NAT. |
Blocked Action | Blocked Action |
External Severity | |
Surname | Surname |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Ticket Number | |
URLs | |
Hunt Results Count | |
Escalation | |
Technique | |
Identity Type | |
External Sub Category Name | |
EmailCampaignMutualIndicators | |
Category Count | The number of categories that are associated with the offense. |
Parent Process IDs | |
Employee Email | The email address of the employee. |
Rendered HTML | The HTML content in a rendered form. |
Display Name | Display Name |
Caller | |
Policy Recommendation | |
Pre Nat Destination Port | The destination port before NAT. |
Device Model | Device Model |
Source Category | |
Destination IPV6 | The destination IPV6 address. |
Process Paths | |
Tactic ID | |
Cloud Account ID | |
Users Details | |
Approver | The person who approved or needs to approve the request. |
Source Priority | |
Source Created By | |
Resource Name | |
Leadership | |
Event Names | The event name (translated QID) in the event. |
Similar incidents Dbot | |
Application Path | |
Changed | The user who changed this incident |
Affected Hosts | |
Source Create time | |
Country Code | |
EmailCampaignSnippets | |
User Engagement Response | |
Employee Manager Email | The email address of the employee's manager. |
Alert tags | |
External Link | |
File Relationships | |
User Id | User Id |
SHA512 | SHA512 |
Is Active | Alert status |
Original Alert ID | Alert ID as received from the integration JSON |
Tenant Name | Tenant Name |
Block Indicators Status | |
Last Modified By | |
Event ID | Event ID |
Team name | |
High Risky Users | |
Rating | |
Last Update Time | |
Parent Process Name | |
Org Level 1 | |
Detected External IPs | Detected external IPs |
Post Nat Destination Port | The destination port after NAT. |
Detected Endpoints | |
Attack Mode | Attack mode as received from the integration JSON |
Post Nat Source IP | The source IP address after NAT. |
Objective | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Last Seen | |
Vendor ID | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Policy Description | |
ASN Name | |
Related Alerts | |
OS Type | OS Type |
File Hash | |
SHA1 | SHA1 |
Additional Indicators | |
User Groups | |
Region | |
User Block Status | |
CVE ID | |
Resource Type | |
File Creation Date | |
Technique ID | |
Registration Email | |
Policy Deleted | |
External End Time | |
Destination Geolocation | The destination geolocation of the event. |
Internal Addresses | |
High Risky Hosts | |
Dest OS | Destination OS |
Approval Status | The status for the approval of the request. |
Follow Up | True if marked for follow up. |
Policy Details | |
Cloud Region List | |
Given Name | Given Name |
Related Campaign | |
Risk Score | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Process SHA256 | |
IP Reputation | |
Project ID | |
Alert Action | Alert action as received from the integration JSON |
Mobile Device Model | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Technical User | The technical user of the asset. |
Destination Networks | |
External Category Name | |
Country Code Number | |
Policy Remediable | |
Number Of Log Sources | The number of log sources related to the offense. |
Campaign Name | |
Device Time | The time from the original logging device when the event occurred. |
Verdict | |
Job Family | Job Family |
Original Description | The description of the incident |
OutgoingMirrorError | |
Device Name | Device Name |
Device OU | Device's OU path in Active Directory |
Number of similar files | |
Triggered Security Profile | Triggered Security Profile |
Incident Link | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
MITRE Tactic ID | |
Policy ID | |
Location | Location |
Zip Code | Zip Code |
Registry Key | |
Registry Value | |
Classification | Incident Classification |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Primary Email Address | |
Traffic Direction | The direction of the traffic in the event. |
File SHA1 | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
End Time | The time when the offense ended. |
Log Source Type | The log source type associated with the event. |
Comment | The comments related to the incident. |
Manager Email Address | |
Device External IPs | |
Related Endpoints | |
MITRE Technique Name | |
Exposure Level | |
State | State |
Asset ID | |
sAMAccountName | User sAMAccountName |
Isolated | Isolated |
Ticket Acknowledged Date | |
Cloud Service | |
Threat Name | Defines the threat name, such as malware/exploit/phishing/etc. |
Process MD5 | |
Manager Name | Manager Name |
IncomingMirrorError | |
Risk Rating | |
Parent Process Path | |
Personal Email | |
String Similarity Results | |
Sub Category | The sub category |
Start Time | The time when the offense started. |
Selected Indicators | Includes the indicators selected by the user. |
Additional Email Addresses | |
Number of Related Incidents | |
SSDeep | |
Parent Process SHA256 | |
Street Address | |
Job Function | Job Function |
External Status | |
Location Region | Location Region |
Source Networks | |
Source External IPs | |
User Creation Time | |
Item Owner Email | |
Process ID | |
Signature | |
Dsts | The destination values. |
CVE Published | |
Suspicious Executions | |
Agent Version | Reporting Agent/Sensor Version |
MITRE Tactic Name | |
Sensor IP | |
Post Nat Source Port | The source port after NAT. |
Group ID | |
Alert Malicious | Whether the alert is malicious. |
Containment SLA | The time it took to contain the incident. |
Device Internal IPs | |
Custom Query Results | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Item Owner | |
UUID | UUID as received from the integration JSON |
Policy Severity | |
Policy Actions | |
External Sub Category ID | |
Operation Name | |
Use Case Description | |
External Confidence | |
IP Blocked Status | |
Parent Process CMD | |
Vendor Product | |
Endpoint Isolation Status | |
Org Unit | |
Password Changed Date | |
Error Code | |
Org Level 3 | |
Org Level 2 | |
Work Phone | |
Process Creation Time | |
External Last Updated Time | |
Domain Updated Date | |
Vulnerability Category | |
Device Id | Device Id |
City | |
External Category ID | |
List Of Rules - Event | The list of rules associated with an event. |
Source Geolocation | The source geolocation of the event. |
Attack Patterns | |
Bugtraq | |
Cloud Resource List | |
Title | Title |
Unique Ports | |
Policy Type | |
Domain Registrar Abuse Email | |
Source Urgency | Source Urgency |
Detection End Time | |
Process CMD | |
EmailCampaignCanvas | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Cost Center Code | Cost Center Code |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Subtype | Subtype |
Verification Method | The method used to verify the user. |
Source Status | |
Device Hash | Device Hash |
File Size | File Size |
Resource URL | |
Last Name | Last Name |
Tactic | |
Log Source Name | The log source name associated with the event. |
Rule Name | The name of a YARA rule |
Endpoints Details | |
userAccountControl | userAccountControl |
Risk Name | |
Department | Department |
app channel name | |
Log Source | Log Source |
Ticket Closed Date | |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Verification Status | The status of the user verification. |
Acquisition Hire | |
User SID | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Affected Users | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
CVSS | |
Alert Type ID | |
Audit Logs | |
Original Alert Source | |
Detected Internal Hosts | Detected internal hosts |
Scenario | |
SKU TIER | |
Suspicious Executions Found | |
Raw Event | The unparsed event data. |
External Start Time | |
Technical Owner | The technical owner of the asset. |
Error Message | The error message that contains details about the error that occurred. |
Domain Name | |
Vulnerable Product | |
Threat Family Name | The threat family name associated with an attack vector, e.g., Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Status Reason | |
Password Reset Successfully | Whether the password has been successfully reset. |
Agents ID | |
similarIncidents | |
Technical Owner Contact | The contact details for the technical owner. |
Cloud Instance ID | Cloud Instance ID |
SKU Name | |
App message | |
Account Member Of | |
Investigation Stage | The stage of the investigation. |
Closing User | The closing user. |
Device MAC Address | |
Tools | |
Referenced Resource ID | |
ASN | |
Duration | |

| Name | Description |
|---|---|
Job | |
Authentication | |
Simulation | |
Exploit | |
Indicator Feed | |
Reconnaissance | |
DoS | |
Hunt | |
Vulnerability | |
C2Communication | |
Defacement | |
Network | |
Policy Violation | |
UnknownBinary | |
Exfiltration | |
Lateral Movement | |

| Name | Description |
|---|---|
Implementation Languages | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Device Model | |
Indicator Identification | |
CVSS Score | |
STIX Roles | |
Entry ID | |
Registrar Abuse Address | |
Registrar Abuse Country | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Rank | Used to display rank from different sources |
CVE Description | |
Manager Email Address | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
STIX Description | |
CVSS Version | |
Definition | |
Blocked | |
Associated File Names | |
BIOS Version | |
Version | |
Signature Original Name | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Vendor | |
MD5 | |
CVSS Table | |
Registrar Abuse Email | |
Geo Location | |
Domains | |
STIX Sophistication | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Serial Number | |
Organizational Unit (OU) | |
Registrar Name | |
Admin Name | |
Operating System Version | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Published | |
Whois Records | |
Issuer DN | Issuer Distinguished Name |
Community Notes | |
Issuer | |
Campaign | |
Query Language | |
User ID | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
CVSS Vector | |
Surname | Surname |
Signature Description | |
Detection Engines | Total number of engines that checked the indicator |
Country Code Number | |
Manager Name | Manager Name |
Registrar Abuse Phone | |
Objective | |
Subject | |
Internal | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Zip Code | |
Org Unit | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Groups | |
Processors | |
Applications | |
Force Sync | Whether to force user synchronization. |
Email Address | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Office365ExpressRoute | |
Office365Category | |
Detections | |
Admin Phone | |
Account Type | |
STIX Goals | |
IP Address | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
SHA1 | |
Subdomains | |
Secondary Motivations | |
Assigned role | |
Registrant Email | |
Assigned user | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Location | |
Goals | |
Subject Alternative Names | |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Name Servers | |
Cost Center | |
Infrastructure Types | |
Primary Motivation | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Architecture | |
Feed Related Indicators | |
Certificate Validation Checks | |
STIX Malware Types | |
Malware Family | |
Department | Department |
STIX Tool Version | |
STIX Secondary Motivations | |
State | |
Samples | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Report type | |
Source Priority | |
Key Value | |
Org Level 3 | |
File Type | |
Domain Referring IPs | |
Actor | |
Path | |
Signature Authentihash | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Username | |
CVSS3 | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Registrant Phone | |
Job Code | Job Code |
Vulnerable Products | |
Report Object References | A list of STIX IDs referenced in the report. |
Reports | |
Certificate Signature | |
Registrant Country | |
Street Address | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
STIX Primary Motivation. | |
Capabilities | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Org Level 1 | |
Admin Country | |
Expiration Date | |
Publications | |
Memory | |
Product | |
STIX Threat Actor Types | |
Domain Name | |
Hostname | |
Description | |
Title | Title |
Sophistication | |
Extension | |
Creation Date | |
DNS Records | |
Vulnerabilities | |
Mitre ID | |
Location Region | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
imphash | |
STIX Resource Level | |
Certificate Names | |
Updated Date | |
DNS | |
Job Function | |
Processor | |
Signature Copyright | |
Registrar Abuse Network | |
Signed | |
Domain IDN Name | |
OS Version | |
Paths | |
File Extension | |
Org Level 2 | |
Region | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Targets | |
Tags | |
Number of subkeys | |
Mitre Tactics | |
STIX Aliases | Alternative names used to identify this object |
Signature File Version | |
Category | |
Public Key | |
Registrant Name | |
PEM | Certificate in PEM format. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
City | City |
Action | |
Confidence | |
Personal Email | |
Size | |
Registrar Abuse Name | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Behavior | |
DHCP Server | |
Signature Algorithm | |
Display Name | |
Organization | |
Operating System Refs | |
Download URL | |
Leadership | |
CVSS | |
STIX Tool Types | |
Country Code | |
SSDeep | |
Mobile Phone | |
Is Malware Family | |
Is Processed | |
Tool Version | |
Malware types | |
Port | |
Country Name | |
Author | |
AS Owner | |
Resource Level | |
Short Description | |
Domain Referring Subnets | |
SHA256 | |
X.509 v3 Extensions | |
CVE Modified | |
Name Field | |
SHA512 | |
Organization Type | |
Associations | Known associations to other pieces of Threat Data. |
Subject DN | Subject Distinguished Name |
Aliases | Alternative names used to identify this object |
Admin Email | |
Work Phone | |
Job Family | |
Office365Required | |
ASN | |
Geo Country | |
Given Name | Given Name |
Certificates | |
Commands | |
Name | |
Threat Actor Types | |
Operating System | |
Cost Center Code | |
Tool Types | |
Quarantined | Whether the indicator is quarantined or isolated |
Signature Internal Name | |
Domain Status | |
Roles | |
STIX Is Malware Family | |

| Name | Description |
|---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule | |

| Name | Description |
|---|---|
Threat Actor | Threat Actor Indicator Layout |
Identity | Identity indicator layout |
Intrusion Set | Intrusion Set Layout |
Indicator Feed Incident | |
Account Indicator | Account Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Email Indicator | Email Indicator Layout |
ASN | ASN Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Location | Location indicator layout |
Report | Report Indicator Layout |
File Indicator | File Indicator Layout |
Campaign | Campaign Indicator Layout |
IP Indicator | IP Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Vulnerability Incident | |
Mutex | Mutex indicator layout |
X509 Certificate | X509 Certificate Indicator Layout |
Host Indicator | Host indicator layout |
Course of Action | Course of Action Indicator Layout |
URL Indicator | URL Indicator Layout |
Software | Software Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
| Name | Description |
|---|---|
Malware | |
Account | |
CIDR | |
IP | |
Tool | |
Report | |
File MD5 | |
Attack Pattern | |
Infrastructure | |
IPv6 | |
ssdeep | |
ASN | |
DomainGlob | |
Campaign | |
Identity | |
Course of Action | |
Mutex | |
File | |
Host | |
URL | |
Tactic | |
Registry Key | |
CVE | |
Location | |
Onion Address | |
Threat Actor | |
IPv6CIDR | |
X509 Certificate | |
File SHA-256 | |
File SHA-1 | |
Software | |
Intrusion Set | |
Domain | |

| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |

| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
| Aggregated Scripts | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |

| Name | Changes |
|---|---|
Detected External Hosts | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Vendor Product | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Last Update Time | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
UUID | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
End Time | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Display Name | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Start Time | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Source IPs | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Risk Score | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Detection ID | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |

imphash incident field.

| Name | Changes |
|---|---|
Destination IPs | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. |
Display Name | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |
Username | Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |
Source IPV6 | Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |
Last Update Time | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |
End Time | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. |
Start Time | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. |
Vendor Product | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |
Source IPs | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. |

| Name | Changes |
|---|---|
Vendor Product | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Last Update Time | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
UUID | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
End Time | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Display Name | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Start Time | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Risk Score | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |
Detection ID | Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types. |

imphash incident field.

| Name | Changes |
|---|---|
Display Name | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |
Last Update Time | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |
End Time | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. |
Start Time | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. |
Vendor Product | Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type. Added the CrowdStrike Falcon Third Party Detection incident type as an associated type. |

| Certification | Certified |
| Supported By | Cortex |
| Created | July 26, 2020 |
| Last Release | January 20, 2026 |