Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Process Name
Post Nat Source IP	The source IP address after NAT.
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
External Severity
Policy Description
EmailCampaignSnippets
Alert tags
SHA256	SHA256
Process Names
State	State
PID	PID
Technical User	The technical user of the asset.
Policy Severity
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Parent Process IDs
Rendered HTML	The HTML content in a rendered form.
Tools
SHA512	SHA512
Technical Owner	The technical owner of the asset.
Event Type	Event Type
String Similarity Results
Src Ports	The source ports of the event.
Destination IP	The IP address the impossible traveler logged in to.
Device Id	Device Id
Threat Hunting Detected IP
Account Member Of
Dst Ports	The destination ports of the event.
Region
Personal Email
Job Code	Job Code
Referenced Resource ID
Country	The country from which the user logged in.
Dsts	The destination values.
Policy Details
Resource Name
Account ID
Identity Type
Protocols
Pre Nat Destination Port	The destination port before NAT.
File Paths
SKU Name
Vulnerable Product
App message
Domain Registrar Abuse Email
Registry Value Type
Category Count	The number of categories that are associated with the offense.
Referenced Resource Name
Org Level 2
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Device OS Name
Suspicious Executions
Zip Code	Zip Code
Post Nat Source Port	The source port after NAT.
Employee Display Name	The display name of the employee.
Sensor IP
Is Active	Alert status
Compliance Notes	Notes regarding the assets compliance.
SHA1	SHA1
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Policy ID
Policy Deleted
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
CVE ID
Destination Geolocation	The destination geolocation of the event.
List Of Rules - Event	The list of rules associated to an event.
Source Status
Bugtraq
Title	Title
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Cloud Region List
Alert Attack Time
Region ID
MITRE Tactic ID
Last Modified By
File Names
Traffic Direction	The direction of the traffic in the event.
Internal Addresses
Dest OS	Destination OS
OutgoingMirrorError
First Seen
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Birthday	Person's Birthday
Agent Version	Reporting Agent/Sensor Version
Source Network
Additional Email Addresses
Device OS Version
Log Source Name	The log source name associated with the event.
DNS Name	The DNS name of the asset.
Status Reason
Last Modified On
Verification Method	The method used to verify the user.
Source Category
Detected Users	Detected users
Signature
Cloud Instance ID	Cloud Instance ID
Password Reset Successfully	Whether the password has been successfully reset.
Similar incidents Dbot
Caller
Endpoint Isolation Status
User Creation Time
UUID	UUID as received from the integration JSON
OS Type	OS Type
Cloud Resource List
External Sub Category ID
City
Post Nat Destination IP	The destination IP address after NAT.
Protocol	Protocol
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Alert Category	The category of the alert
Application Name	Application Name
External Last Updated Time
Detected IPs
Process MD5
RemovedFromCampaigns
Appliance Name	Appliance name as received from the integration JSON
Affected Users
Job Function	Job Function
Dest Hostname	Destination hostname
Technical Owner Contact	The contact details for the technical owner.
Device External IP	Device External IP
Attack Mode	Attack mode as received from the integration JSON
Risk Name
Selected Indicators	Includes the indicators selected by the user.
OS Version	OS Version
Alert Action	Alert action as received from the integration JSON
Device External IPs
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
CMD
Leadership
Parent Process Path
Changed	The user who changed this incident
Closing Reason	The closing reason
Alert Rules
Risk Score
Device MAC Address
Employee Email	The email address of the employee.
Item Owner Email
Comment	The comments related with the incident
High Risky Hosts
User Engagement Response
Alert Malicious	Whether the alert is malicious.
Device Status
Error Message	The error message that contains details about the error that occurred.
Report Name
CVSS
Device Name	Device Name
Detected Internal Hosts	Detected internal hosts
Alert Source
Protocol names
External Addresses
Policy Remediable
Policy Recommendation
Attack Patterns
Parent Process MD5
Acquisition Hire
Classification	Incident Classification
Tool Usage Found
Assigned User	Assigned User
Alert URL	Alert URL as received from the integration JSON
Alert Name	Alert name as received from the integration JSON
External Link
Vendor Product
Registry Key
Escalation
CVE Published
External Start Time
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Work Phone
EmailCampaignCanvas
Device Internal IPs
IP Blocked Status
Phone Number	Phone number
Ticket Acknowledged Date
Tactic
MITRE Tactic Name
Device Hash	Device Hash
Related Report
Pre Nat Source Port	The source port before NAT.
Start Time	The time when the offense started.
File Relationships
Full Name	Person's Full Name
File SHA1
Affected Hosts
Surname	Surname
ASN
Block Indicators Status
URLs
Source Hostname	The hostname that performed the port scan.
Users
Src	Source
Detection Update Time
Detection ID
SKU TIER
Endpoint
Device Time	The time from the original logging device when the event occurred.
External Status
Tags
Device OU	Device's OU path in Active Directory
Event ID	Event ID
Technique ID
Isolated	Isolated
Tactic ID
EmailCampaignSummary
Source Urgency	Source Urgency
Alert Type ID
Post Nat Destination Port	The destination port after NAT.
Detection End Time
App
Ticket Closed Date
Custom Query Results
User Agent
Incident Link
IncomingMirrorError
Additional Data
MITRE Technique ID
Verdict
File MD5
Source Networks
Users Details
Source MAC Address	The source MAC address in an event.
Policy URI
Triggered Security Profile	Triggered Security Profile
Source Id
Child Process
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Process Creation Time
Process ID
File Name
Threat Hunting Detected Hostnames
SSDeep
Related Campaign
Log Source Type	The log source type associated with the event.
Alert ID	Alert ID as received from the integration JSON
Device Username	The username of the user that owns the device
Username	The username of the account who logged in.
Location Region	Location Region
Application Id	Application Id
Detection SLA	The time it took from incident creation until the maliciousness was determined.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
File Path
Account Name	Account Name
File SHA256
End Time	The time when the offense ended.
Asset ID
Detected Endpoints
Last Seen
User SID
Email Sent Successfully	Whether the email has been successfully sent.
User Anomaly Count
Mobile Device Model
CVE
Event Names	The event name (translated QID ) in the event.
Source Created By
Blocked Action	Blocked Action
Device Local IP	Device Local IP
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Source Updated by
Country Code Number
Log Source	Log Source
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Job Family	Job Family
Related Endpoints
Vendor ID
Destination IPV6	The destination IPV6 address.
Closing User	The closing user.
Number Of Log Sources	The number of log sources related to the offense.
Parent CMD line
High Risky Users
Application Path
First Name	First Name
Last Update Time
Raw Event	The unparsed event data.
Domain Updated Date
Related Alerts
Registration Email
Destination Port	The destination port used.
Source Port	The source port that was used
Triage SLA	The time it took to investigate and enrich incident information.
Command Line	Command Line
Manager Email Address
Subtype	Subtype
Process Path
Events	The events associated with the offense.
Device Model	Device Model
Risk Rating
Resource ID
Account Status
Use Case Description
Detection URL	URL of the ExtraHop Reveal(x) detection
Resource Type
Low Level Categories Events	The low level category of the event.
Destination Hostname	Destination hostname
Registry Value
Project ID
External Category Name
Org Unit
Parent Process
Vulnerability Category
Parent Process Name
Location	Location
Rating
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Number of Related Incidents
Policy Type
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Process CMD
Hunt Results Count
Team name
User Groups
External Confidence
Technique
Endpoints Details
Parent Process CMD
Suspicious Executions Found
Given Name	Given Name
CMD line
MITRE Technique Name
Item Owner
File Access Date
Scenario
Assignment Group
User Block Status
Ticket Opened Date
Org Level 1
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
File Size	File Size
High Level Categories	The high level categories in the events.
User Id	User Id
Approver	The person who approved or needs to approve the request.
Destination Networks
Password Changed Date
ASN Name
MD5	MD5
Command Line Verdict
Duration
Cloud Account ID
Dest	Destination
Src Hostname	Source hostname
Cost Center Code	Cost Center Code
Detected External Hosts	Detected external hosts
userAccountControl	userAccountControl
Policy Actions
Source Priority
Resource URL
MAC Address	MAC Address
Parent Process SHA256
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Sensor Name
Process Paths
Audit Logs
File Creation Date
Display Name	Display Name
Additional Indicators
Hostnames	The hostname in the event.
Campaign Name
IP Reputation
Tenant Name	Tenant Name
Asset Name
Src User	Source User
Close Time	The closing time.
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Number of similar files
External End Time
Unique Ports
OS	The operating system.
Srcs	The source values.
Dest NT Domain	Destination NT Domain
Usernames	The username in the event.
Org Level 3
File Hash
Categories	The categories for the incident.
Follow Up	True if marked for follow up.
Detected Internal IPs	Detected internal IPs
Group ID
External Sub Category Name
Destination IPs	The destination IPs of the event.
Agent ID	Agent ID
Containment SLA	The time it took to contain the incident.
Registry Hive
sAMAccountName	User sAMAAccountName
Operation Name
Ticket Number
Parent Process File Path
Department	Department
Detected User
Source IPV6	The source IPV6 address.
Last Name	Last Name
Objective
Source Username	The username that was the source of the attack.
External ID
Appliance ID	Appliance ID as received from the integration JSON
Manager Name	Manager Name
Description	The description of the incident
Country Name	Country Name
Source IPs	The source IPs of the event.
Verification Status	The status of the user verification.
Agents ID
Last Mirrored Time Stamp	The last time the incident was mirrored in.
User Risk Level
Detected External IPs	Detected external IPs
Mobile Phone
Domain Name
Process SHA256
EmailCampaignMutualIndicators
External System ID
similarIncidents
Reporter Email Address	The email address of the user who reported the email.
Src OS	Src OS
Source IP	The IP Address that the user initially logged in from.
Destination Network
Cost Center	Cost Center
Error Code
External Category ID
Rule Name	The name of a YARA rule
Approval Status	The status for the approval of the request.
Protocol - Event	The network protocol in the event.
Cloud Service
Investigation Stage	The stage of the investigation.
Source Geolocation	The source geolocation of the event.
Email	Primary Email Address
Exposure Level
Employee Manager Email	The email address of the employee's manager.
Source Create time
Event Descriptions	The description of the event name.
Timezone
Cloud Operation Type
Sub Category	The sub category
Destination MAC Address	The destination MAC address in an event.
Src NT Domain	Source NT Domain
Country Code
Source External IPs
Street Address
app channel name
Pre Nat Source IP	The source IP before NAT.

Incident Types

Name	Description
Authentication
Network
UnknownBinary
Job
C2Communication
Hunt
Vulnerability
Defacement
Indicator Feed
Lateral Movement
Exploit
Reconnaissance
Exfiltration
Simulation
DoS
Policy Violation

Indicator Fields

Name	Description
STIX Goals
File Extension
Publications
Street Address
Given Name	Given Name
STIX Primary Motivation.
Applications
Department	Department
Report type
STIX Sophistication
X.509 v3 Extensions
Organization First Seen	Date and time when the indicator was first seen in the organization.
Threat Actor Types
Validity Not After	Specifies the date on which the certificate validity period ends.
DNS Records
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Domains
Org Level 2
SHA256
Action
User ID
Office365Required
Registrar Name
Org Level 1
Validity Not Before	Specifies the date on which the certificate validity period begins.
Sophistication
Processor
Certificates
Name
Primary Motivation
Signature Authentihash
First Seen By Source	The first time the indicator was seen by the source vendor.
STIX Aliases	Alternative names used to identify this object
imphash
Certificate Validation Checks
Definition
Signature Copyright
Certificate Names
SWID	Specifies the Software Identification (SWID) tags entry for the software
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Domain Name
Indicator Identification
Rank	Used to display rank from different sources
Community Notes
Signature File Version
CVE Modified
Domain Referring Subnets
Is Processed
Objective
SHA1
Blocked
CVSS3
STIX Is Malware Family
Subdomains
CVE Description
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
MD5
Cost Center
Signature Internal Name
Product
Number of subkeys
STIX Tool Types
Published
Country Name
Query Language
Key Value
Roles
Location Region
Expiration Date
OS Version
Domain IDN Name
Organization
Zip Code
Org Level 3
Detection Engines	Total number of engines that checked the indicator
Region
BIOS Version
Signature Description
Mitre Tactics
Admin Name
CVSS Score
Creation Date
Subject Alternative Names
Tags
Admin Email
CVSS Vector
SHA512
Job Code	Job Code
Registrar Abuse Name
ASN
Org Unit
Admin Phone
Service	The specific service of a feed integration from which an indicator was ingested.
Architecture
Tool Version
Updated Date
IP Address
Work Phone
Registrant Email
Targets
Goals
Malware types
Mitre ID
Vendor
STIX Threat Actor Types
Title	Title
Associated File Names
Description
Public Key
Geo Location
Domain Referring IPs
Short Description
Size
Path
Source Original Severity	The original score/severity provided by the source without DBot translation.
Aliases	Alternative names used to identify this object
Organizational Unit (OU)
Report Object References	A list of STIX IDs referenced in the report.
Global Prevalence	The number of times the indicator is detected across all organizations.
Office365ExpressRoute
Certificate Signature
Organization Prevalence	The number of times the indicator is detected in the organization.
DHCP Server
Extension
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Registrant Name
Memory
City	City
Operating System Refs
Domain Status
Manager Name	Manager Name
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Name Servers
Signed
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Subject DN	Subject Distinguished Name
Behavior
Subject
Entry ID
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Implementation Languages
Signature Original Name
Signature Algorithm
Mobile Phone
Email Address
Is Malware Family
State
Organization Type
MAC Address
Acquisition Hire	Whether the employee is an acquisition hire.
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Organization Last Seen	Date and time when the indicator was last seen in the organization.
STIX Description
Operating System Version
Device Model
Issuer
Feed Related Indicators
Cost Center Code
Issuer DN	Issuer Distinguished Name
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Registrant Phone
Processors
Assigned role
Assigned user
CVSS
Capabilities
Download URL
Detections
Country Code
Job Function
DNS
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Secondary Motivations
Vulnerabilities
Registrar Abuse Address
Port
Operating System
Whois Records
Commands
Personal Email
PEM	Certificate in PEM format.
STIX Malware Types
Force Sync	Whether to force user synchronization.
Surname	Surname
Serial Number
CVSS Table
Username
Name Field
File Type
Account Type
Location
STIX Resource Level
STIX Roles
Infrastructure Types
Samples
Category
Leadership
Actor
Groups
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Job Family
Country Code Number
Campaign
Registrar Abuse Phone
Tool Types
Paths
Confidence
Registrar Abuse Email
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Registrar Abuse Network
Positive Detections	Number of engines that positively detected the indicator as malicious
Display Name
Geo Country
Version
Resource Level
AS Owner
Quarantined	Whether the indicator is quarantined or isolated
Admin Country
Email
Manager Email Address
Registrar Abuse Country
Office365Category
Reports
Hostname
Author
Registrant Country
SSDeep
STIX Secondary Motivations
Malware Family
Vulnerable Products
CVSS Version
Source Priority
Associations	Known associations to other pieces of Threat Data.
STIX Tool Version
Internal

Layouts

Name	Description
Report	Report Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
CVE Indicator	CVE Indicator Layout
Intrusion Set	Intrusion Set Layout
URL Indicator	URL Indicator Layout
Tool Indicator	Tool Indicator Layout
IP Indicator	IP Indicator Layout
Campaign	Campaign Indicator Layout
Account Indicator	Account Indicator Layout
File Indicator	File Indicator Layout
Email Indicator	Email Indicator Layout
Course of Action	Course of Action Indicator Layout
Software	Software Indicator Layout
Identity	Identity indicator layout
Domain Indicator	Domain Indicator Layout
Mutex	Mutex indicator layout
Tactic Layout	Tactic Indicator Layout
ASN	ASN Indicator Layout
Malware Indicator	Malware Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Indicator Feed Incident
Location	Location indicator layout
Host Indicator	Host indicator layout
Vulnerability Incident
X509 Certificate	CVE Indicator Layout

Indicator Types

Name	Description
Email
Intrusion Set
Mutex
Attack Pattern
Registry Key
Host
Report
Threat Actor
Domain
Infrastructure
Course of Action
Location
File SHA-1
Identity
ASN
File MD5
CVE
File SHA-256
IPv6
Tool
Campaign
ssdeep
Malware
IP
Onion Address
Tactic
URL
File
Account
IPv6CIDR
Software
DomainGlob
X509 Certificate
CIDR

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Resource Type
Given Name	Given Name
User SID
Original Alert ID	Alert ID as received from the integration JSON
Signature
Isolated	Isolated
Raw Event	The unparsed event data.
Domain Name
String Similarity Results
Account Status
Process SHA256
Report Name
Process Names
Org Level 2
Event Names	The event name (translated QID ) in the event.
Surname	Surname
Technical Owner	The technical owner of the asset.
Policy ID
Unique Ports
Org Level 1
sAMAccountName	User sAMAAccountName
File Creation Date
Application Path
Parent Process File Path
Vendor ID
Post Nat Source Port	The source port after NAT.
Policy Details
Source Networks
Approver	The person who approved or needs to approve the request.
Suspicious Executions
Ticket Closed Date
Org Unit
Attack Patterns
Cloud Account ID
App message
Parent Process SHA256
External Last Updated Time
Pre Nat Source IP	The source IP before NAT.
List Of Rules - Event	The list of rules associated to an event.
Start Time	The time when the offense started.
CVE ID
Rating
External Sub Category ID
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
MITRE Technique Name
Risk Rating
SHA512	SHA512
Parent Process Name
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Last Mirrored Time Stamp	The last time the incident was mirrored in.
User Groups
External Category ID
Cloud Resource List
Parent Process Path
User Anomaly Count
Original Events	The events associated with the offense.
External Severity
Job Code	Job Code
Related Report
Attack Mode	Attack mode as received from the integration JSON
Reporter Email Address	The email address of the user who reported the email.
Org Level 3
External Status
Assigned User	Assigned User
Closing Reason	The closing reason
SHA1	SHA1
Protocol names
Policy Description
Detection End Time
External Confidence
UUID	UUID as received from the integration JSON
Related Campaign
Account Member Of
Closing User	The closing user.
Policy Deleted
Timezone
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Device OS Version
Detection ID
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
CVE Published
External Start Time
Pre Nat Source Port	The source port before NAT.
Registry Value
Investigation Stage	The stage of the investigation.
Policy Type
End Time	The time when the offense ended.
Asset ID
State	State
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Scenario
OutgoingMirrorError
Alert Action	Alert action as received from the integration JSON
Additional Email Addresses
SKU TIER
High Risky Hosts
Technical Owner Contact	The contact details for the technical owner.
Email	Primary Email Address
EmailCampaignMutualIndicators
Related Endpoints
URLs
Dsts	The destination values.
Source Created By
Employee Email	The email address of the employee.
Location	Location
Password Changed Date
Triggered Security Profile	Triggered Security Profile
Is Active	Alert status
Detected Endpoints
Event ID	Event ID
Source Priority
Employee Manager Email	The email address of the employee's manager.
Alert Rules
Registration Email
Tool Usage Found
Process Paths
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Additional Indicators
City
Number of Related Incidents
Related Alerts
userAccountControl	userAccountControl
Country Code Number
Device Hash	Device Hash
Destination Networks
IP Blocked Status
Containment SLA	The time it took to contain the incident.
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Compliance Notes	Notes regarding the assets compliance.
Source Category
Detection URL	URL of the ExtraHop Reveal(x) detection
Src OS	Src OS
Domain Registrar Abuse Email
Process Creation Time
Source Updated by
Classification	Incident Classification
First Name	First Name
Agents ID
Category Count	The number of categories that are associated with the offense.
Source External IPs
Affected Hosts
Status Reason
Endpoint Isolation Status
Work Phone
Technique
Risk Score
MITRE Tactic Name
Device External IPs
Follow Up	True if marked for follow up.
Tactic ID
Street Address
MITRE Technique ID
Mobile Phone
Zip Code	Zip Code
Resource URL
Location Region	Location Region
Campaign Name
Password Reset Successfully	Whether the password has been successfully reset.
Blocked Action	Blocked Action
Pre Nat Destination Port	The destination port before NAT.
Device MAC Address
Error Message	The error message that contains details about the error that occurred.
Manager Email Address
Process ID
Assignment Group
Custom Query Results
User Block Status
Post Nat Source IP	The source IP address after NAT.
Post Nat Destination Port	The destination port after NAT.
First Seen
Command Line Verdict
External System ID
Alert Malicious	Whether the alert is malicious.
Original Description	The description of the incident
Rule Name	The name of a YARA rule
Sensor IP
Country Code
Group ID
Manager Name	Manager Name
Policy URI
Last Name	Last Name
Birthday	Person's Birthday
Acquisition Hire
Display Name	Display Name
Endpoints Details
Cost Center	Cost Center
Log Source Name	The log source name associated with the event.
Affected Users
IncomingMirrorError
Bugtraq
Job Function	Job Function
External Link
Approval Status	The status for the approval of the request.
Policy Actions
External End Time
Email Sent Successfully	Whether the email has been successfully sent.
Tools
Dest OS	Destination OS
Policy Remediable
File Hash
Last Update Time
Cloud Service
Detected Internal Hosts	Detected internal hosts
Last Modified On
Job Family	Job Family
Referenced Resource Name
Traffic Direction	The direction of the traffic in the event.
File Size	File Size
SKU Name
Objective
Ticket Acknowledged Date
Duration
CVE
Alert Type ID
User Id	User Id
Vendor Product
Source Id
ASN
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Last Seen
Verification Status	The status of the user verification.
Destination Geolocation	The destination geolocation of the event.
Cost Center Code	Cost Center Code
Log Source	Log Source
Caller
Device Internal IPs
Alert tags
Device Status
Parent Process IDs
ASN Name
IP Reputation
Use Case Description
Exposure Level
Risk Name
Low Level Categories Events	The low level category of the event.
External Category Name
Ticket Number
Comment	The comments related with the incident
EmailCampaignSummary
Device Model	Device Model
Registry Hive
Incident Link
Event Descriptions	The description of the event name.
External Sub Category Name
Post Nat Destination IP	The destination IP address after NAT.
Department	Department
Additional Data
File Relationships
Verification Method	The method used to verify the user.
Operation Name
Referenced Resource ID
Policy Recommendation
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Process CMD
Close Time	The closing time.
Subtype	Subtype
Identity Type
Users Details
Asset Name
Suspicious Executions Found
Destination IPV6	The destination IPV6 address.
Parent Process MD5
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Region ID
app channel name
Last Modified By
Employee Display Name	The display name of the employee.
User Engagement Response
similarIncidents
Device OU	Device's OU path in Active Directory
Detected External IPs	Detected external IPs
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Full Name	Person's Full Name
MITRE Tactic ID
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Region
Number Of Log Sources	The number of log sources related to the offense.
Technical User	The technical user of the asset.
Resource Name
Selected Indicators	Includes the indicators selected by the user.
EmailCampaignCanvas
Tenant Name	Tenant Name
Changed	The user who changed this incident
Technique ID
RemovedFromCampaigns
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Vulnerable Product
Similar incidents Dbot
Error Code
Personal Email
Source Status
Device Name	Device Name
Device Time	The time from the original logging device when the event occurred.
Source Create time
High Risky Users
Registry Key
Hunt Results Count
Original Alert Source
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Verdict
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
OS	The operating system.
Cloud Region List
OS Type	OS Type
Block Indicators Status
Vulnerability Category
SSDeep
Triage SLA	The time it took to investigate and enrich incident information.
User Creation Time
File SHA1
Source Geolocation	The source geolocation of the event.
Internal Addresses
Leadership
Device Id	Device Id
Registry Value Type
Account ID
Phone Number	Phone number
Audit Logs
Policy Severity
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Escalation
Project ID
EmailCampaignSnippets
Cloud Instance ID	Cloud Instance ID
Process MD5
Agent Version	Reporting Agent/Sensor Version
Number of similar files
Item Owner
Original Alert Name	Alert name as received from the integration JSON
CVSS
Team name
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Item Owner Email
File Access Date
Parent Process CMD
Source Urgency	Source Urgency
Mobile Device Model
Sub Category	The sub category
Device OS Name
Log Source Type	The log source type associated with the event.
Title	Title
Rendered HTML	The HTML content in a rendered form.
Domain Updated Date
Tactic

Incident Types

Name	Description
Policy Violation
Network
C2Communication
Exploit
Reconnaissance
Exfiltration
Defacement
Lateral Movement
Hunt
Simulation
Job
UnknownBinary
Authentication
Vulnerability
Indicator Feed
DoS

Indicator Fields

Name	Description
Name Field
DNS
Certificate Signature
Geo Location
File Extension
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Download URL
OS Version
PEM	Certificate in PEM format.
Detection Engines	Total number of engines that checked the indicator
Reports
Validity Not Before	Specifies the date on which the certificate validity period begins.
Detections
CVSS3
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Job Code	Job Code
Indicator Identification
Certificate Validation Checks
STIX Goals
Registrar Abuse Email
Org Level 3
Organization First Seen	Date and time when the indicator was first seen in the organization.
SHA1
Organizational Unit (OU)
X.509 v3 Extensions
Serial Number
Zip Code
Public Key
Domain Referring Subnets
Internal
Geo Country
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Name
First Seen By Source	The first time the indicator was seen by the source vendor.
Product
Issuer DN	Issuer Distinguished Name
Creation Date
Org Level 1
Secondary Motivations
Job Function
Report Object References	A list of STIX IDs referenced in the report.
Country Code Number
Acquisition Hire	Whether the employee is an acquisition hire.
Given Name	Given Name
Is Processed
SSDeep
Key Value
Assigned user
Subject DN	Subject Distinguished Name
Operating System Refs
STIX Resource Level
Signature Internal Name
Mobile Phone
Aliases	Alternative names used to identify this object
Signature File Version
Force Sync	Whether to force user synchronization.
Blocked
Registrar Abuse Name
Username
Memory
Signature Original Name
STIX Tool Version
Registrar Abuse Network
Primary Motivation
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Email Address
imphash
Updated Date
Global Prevalence	The number of times the indicator is detected across all organizations.
Resource Level
Registrant Name
Number of subkeys
CVSS Vector
Signed
Threat Actor Types
CVSS Version
Registrar Abuse Address
Feed Related Indicators
Samples
Expiration Date
Account Type
Leadership
Work Phone
STIX Threat Actor Types
Signature Authentihash
CVSS Score
Organization Prevalence	The number of times the indicator is detected in the organization.
Organization Type
Report type
Behavior
Processor
SWID	Specifies the Software Identification (SWID) tags entry for the software
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
BIOS Version
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Registrar Abuse Country
IP Address
Org Level 2
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Vulnerabilities
Device Model
SHA256
STIX Roles
Office365Category
Street Address
Assigned role
Path
Location
Subject Alternative Names
User ID
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Sophistication
Groups
Service	The specific service of a feed integration from which an indicator was ingested.
Whois Records
Operating System
Positive Detections	Number of engines that positively detected the indicator as malicious
Description
Mitre ID
Objective
Issuer
Cost Center
Manager Name	Manager Name
Name Servers
Email
Infrastructure Types
Region
Published
Signature Copyright
Signature Algorithm
Applications
Version
Surname	Surname
MD5
Quarantined	Whether the indicator is quarantined or isolated
City	City
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Office365Required
Extension
Action
Architecture
Location Region
STIX Malware Types
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Vendor
Actor
SHA512
Certificates
Subject
Validity Not After	Specifies the date on which the certificate validity period ends.
Port
Source Priority
Organization
Tool Types
Roles
Title	Title
Source Original Severity	The original score/severity provided by the source without DBot translation.
Registrant Email
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Office365ExpressRoute
Signature Description
Manager Email Address
Display Name
STIX Sophistication
STIX Secondary Motivations
Admin Email
CVSS
Subdomains
CVE Modified
Registrar Abuse Phone
CVSS Table
Entry ID
Definition
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Commands
Processors
Malware types
AS Owner
Size
CVE Description
Certificate Names
Domains
Domain Name
Admin Country
Capabilities
Associations	Known associations to other pieces of Threat Data.
Domain Referring IPs
Query Language
Malware Family
Admin Phone
Tags
STIX Description
Short Description
Campaign
Is Malware Family
Admin Name
Author
Registrant Country
Rank	Used to display rank from different sources
Goals
Vulnerable Products
Domain Status
STIX Aliases	Alternative names used to identify this object
Hostname
Implementation Languages
Org Unit
Mitre Tactics
Tool Version
Country Code
Category
Cost Center Code
Domain IDN Name
Community Notes
Job Family
DHCP Server
Country Name
Operating System Version
STIX Primary Motivation.
STIX Tool Types
Targets
Registrant Phone
Publications
File Type
ASN
Paths
State
STIX Is Malware Family
Confidence
Registrar Name
DNS Records
Associated File Names
Personal Email
Department	Department

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
Course of Action	Course of Action Indicator Layout
File Indicator	File Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Email Indicator	Email Indicator Layout
Campaign	Campaign Indicator Layout
X509 Certificate	CVE Indicator Layout
Host Indicator	Host indicator layout
Indicator Feed Incident
Tactic Layout	Tactic Indicator Layout
Location	Location indicator layout
Registry Key Indicator	Registry Key Indicator Layout
URL Indicator	URL Indicator Layout
IP Indicator	IP Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Malware Indicator	Malware Indicator Layout
Software	Software Indicator Layout
Account Indicator	Account Indicator Layout
Mutex	Mutex indicator layout
Intrusion Set	Intrusion Set Layout
Report	Report Indicator Layout
Domain Indicator	Domain Indicator Layout
CVE Indicator	CVE Indicator Layout
Tool Indicator	Tool Indicator Layout
ASN	ASN Indicator Layout
Identity	Identity indicator layout
Vulnerability Incident

Indicator Types

Name	Description
ASN
File SHA-1
CVE
X509 Certificate
Location
Campaign
Mutex
Course of Action
Host
IPv6
Tool
File
Report
Malware
Intrusion Set
Infrastructure
IPv6CIDR
Onion Address
File SHA-256
Domain
Identity
Threat Actor
Account
Attack Pattern
Email
Registry Key
File MD5
ssdeep
Software
CIDR
URL
DomainGlob
IP
Tactic

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (57)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1900707 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1621428 (November 11, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	September 9, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Common Types

Pack Contributors:

Pack Contributors:

Indicator Types

Indicator Types

Common Types

Incident Fields

Indicator Types

Common Types

Indicator Types

Indicator Types

Incident Fields

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Layouts

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications

New: Definition

Indicator Types

Incident Fields

Indicator Fields

Validity Not Before

Validity Not After

Layouts

Indicator Types

Indicator Types

Common Types

Incident Fields

Indicator Types

Common Types

Indicator Types

Indicator Types

Incident Fields

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product