Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides you with the most commonly used incident and indicator fields and types.
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
Process Name | |
Post Nat Source IP | The source IP address after NAT. |
Incident Duration | How long the incident's playbook took to finish, measured from the moment it started. |
External Severity | |
Policy Description | |
EmailCampaignSnippets | |
Alert tags | |
SHA256 | SHA256 |
Process Names | |
State | State |
PID | PID |
Technical User | The technical user of the asset. |
Policy Severity | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Parent Process IDs | |
Rendered HTML | The HTML content in a rendered form. |
Tools | |
SHA512 | SHA512 |
Technical Owner | The technical owner of the asset. |
Event Type | Event Type |
String Similarity Results | |
Src Ports | The source ports of the event. |
Destination IP | The IP address the impossible traveler logged in to. |
Device Id | Device Id |
Threat Hunting Detected IP | |
Account Member Of | |
Dst Ports | The destination ports of the event. |
Region | |
Personal Email | |
Job Code | Job Code |
Referenced Resource ID | |
Country | The country from which the user logged in. |
Dsts | The destination values. |
Policy Details | |
Resource Name | |
Account ID | |
Identity Type | |
Protocols | |
Pre Nat Destination Port | The destination port before NAT. |
File Paths | |
SKU Name | |
Vulnerable Product | |
App message | |
Domain Registrar Abuse Email | |
Registry Value Type | |
Category Count | The number of categories that are associated with the offense. |
Referenced Resource Name | |
Org Level 2 | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Device OS Name | |
Suspicious Executions | |
Zip Code | Zip Code |
Post Nat Source Port | The source port after NAT. |
Employee Display Name | The display name of the employee. |
Sensor IP | |
Is Active | Alert status |
Compliance Notes | Notes regarding the asset's compliance. |
SHA1 | SHA1 |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Policy ID | |
Policy Deleted | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
CVE ID | |
Destination Geolocation | The destination geolocation of the event. |
List Of Rules - Event | The list of rules associated to an event. |
Source Status | |
Bugtraq | |
Title | Title |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Cloud Region List | |
Alert Attack Time | |
Region ID | |
MITRE Tactic ID | |
Last Modified By | |
File Names | |
Traffic Direction | The direction of the traffic in the event. |
Internal Addresses | |
Dest OS | Destination OS |
OutgoingMirrorError | |
First Seen | |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Birthday | Person's Birthday |
Agent Version | Reporting Agent/Sensor Version |
Source Network | |
Additional Email Addresses | |
Device OS Version | |
Log Source Name | The log source name associated with the event. |
DNS Name | The DNS name of the asset. |
Status Reason | |
Last Modified On | |
Verification Method | The method used to verify the user. |
Source Category | |
Detected Users | Detected users |
Signature | |
Cloud Instance ID | Cloud Instance ID |
Password Reset Successfully | Whether the password has been successfully reset. |
Similar incidents Dbot | |
Caller | |
Endpoint Isolation Status | |
User Creation Time | |
UUID | UUID as received from the integration JSON |
OS Type | OS Type |
Cloud Resource List | |
External Sub Category ID | |
City | |
Post Nat Destination IP | The destination IP address after NAT. |
Protocol | Protocol |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Alert Category | The category of the alert |
Application Name | Application Name |
External Last Updated Time | |
Detected IPs | |
Process MD5 | |
RemovedFromCampaigns | |
Appliance Name | Appliance name as received from the integration JSON |
Affected Users | |
Job Function | Job Function |
Dest Hostname | Destination hostname |
Technical Owner Contact | The contact details for the technical owner. |
Device External IP | Device External IP |
Attack Mode | Attack mode as received from the integration JSON |
Risk Name | |
Selected Indicators | Includes the indicators selected by the user. |
OS Version | OS Version |
Alert Action | Alert action as received from the integration JSON |
Device External IPs | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
CMD | |
Leadership | |
Parent Process Path | |
Changed | The user who changed this incident |
Closing Reason | The closing reason |
Alert Rules | |
Risk Score | |
Device MAC Address | |
Employee Email | The email address of the employee. |
Item Owner Email | |
Comment | The comments related to the incident. |
High Risky Hosts | |
User Engagement Response | |
Alert Malicious | Whether the alert is malicious. |
Device Status | |
Error Message | The error message that contains details about the error that occurred. |
Report Name | |
CVSS | |
Device Name | Device Name |
Detected Internal Hosts | Detected internal hosts |
Alert Source | |
Protocol names | |
External Addresses | |
Policy Remediable | |
Policy Recommendation | |
Attack Patterns | |
Parent Process MD5 | |
Acquisition Hire | |
Classification | Incident Classification |
Tool Usage Found | |
Assigned User | Assigned User |
Alert URL | Alert URL as received from the integration JSON |
Alert Name | Alert name as received from the integration JSON |
External Link | |
Vendor Product | |
Registry Key | |
Escalation | |
CVE Published | |
External Start Time | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Work Phone | |
EmailCampaignCanvas | |
Device Internal IPs | |
IP Blocked Status | |
Phone Number | Phone number |
Ticket Acknowledged Date | |
Tactic | |
MITRE Tactic Name | |
Device Hash | Device Hash |
Related Report | |
Pre Nat Source Port | The source port before NAT. |
Start Time | The time when the offense started. |
File Relationships | |
Full Name | Person's Full Name |
File SHA1 | |
Affected Hosts | |
Surname | Surname |
ASN | |
Block Indicators Status | |
URLs | |
Source Hostname | The hostname that performed the port scan. |
Users | |
Src | Source |
Detection Update Time | |
Detection ID | |
SKU TIER | |
Endpoint | |
Device Time | The time from the original logging device when the event occurred. |
External Status | |
Tags | |
Device OU | Device's OU path in Active Directory |
Event ID | Event ID |
Technique ID | |
Isolated | Isolated |
Tactic ID | |
EmailCampaignSummary | |
Source Urgency | Source Urgency |
Alert Type ID | |
Post Nat Destination Port | The destination port after NAT. |
Detection End Time | |
App | |
Ticket Closed Date | |
Custom Query Results | |
User Agent | |
Incident Link | |
IncomingMirrorError | |
Additional Data | |
MITRE Technique ID | |
Verdict | |
File MD5 | |
Source Networks | |
Users Details | |
Source MAC Address | The source MAC address in an event. |
Policy URI | |
Triggered Security Profile | Triggered Security Profile |
Source Id | |
Child Process | |
Macro Source Code | If a Microsoft Office file (such as docm, xlsm, or pptm) contains a macro, this field holds the macro's source code. |
Process Creation Time | |
Process ID | |
File Name | |
Threat Hunting Detected Hostnames | |
SSDeep | |
Related Campaign | |
Log Source Type | The log source type associated with the event. |
Alert ID | Alert ID as received from the integration JSON |
Device Username | The username of the user that owns the device |
Username | The username of the account who logged in. |
Location Region | Location Region |
Application Id | Application Id |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
File Path | |
Account Name | Account Name |
File SHA256 | |
End Time | The time when the offense ended. |
Asset ID | |
Detected Endpoints | |
Last Seen | |
User SID | |
Email Sent Successfully | Whether the email has been successfully sent. |
User Anomaly Count | |
Mobile Device Model | |
CVE | |
Event Names | The event name (translated QID) in the event. |
Source Created By | |
Blocked Action | Blocked Action |
Device Local IP | Device Local IP |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Source Updated by | |
Country Code Number | |
Log Source | Log Source |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Job Family | Job Family |
Related Endpoints | |
Vendor ID | |
Destination IPV6 | The destination IPV6 address. |
Closing User | The closing user. |
Number Of Log Sources | The number of log sources related to the offense. |
Parent CMD line | |
High Risky Users | |
Application Path | |
First Name | First Name |
Last Update Time | |
Raw Event | The unparsed event data. |
Domain Updated Date | |
Related Alerts | |
Registration Email | |
Destination Port | The destination port used. |
Source Port | The source port that was used |
Triage SLA | The time it took to investigate and enrich incident information. |
Command Line | Command Line |
Manager Email Address | |
Subtype | Subtype |
Process Path | |
Events | The events associated with the offense. |
Device Model | Device Model |
Risk Rating | |
Resource ID | |
Account Status | |
Use Case Description | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Resource Type | |
Low Level Categories Events | The low level category of the event. |
Destination Hostname | Destination hostname |
Registry Value | |
Project ID | |
External Category Name | |
Org Unit | |
Parent Process | |
Vulnerability Category | |
Parent Process Name | |
Location | Location |
Rating | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Number of Related Incidents | |
Policy Type | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Process CMD | |
Hunt Results Count | |
Team name | |
User Groups | |
External Confidence | |
Technique | |
Endpoints Details | |
Parent Process CMD | |
Suspicious Executions Found | |
Given Name | Given Name |
CMD line | |
MITRE Technique Name | |
Item Owner | |
File Access Date | |
Scenario | |
Assignment Group | |
User Block Status | |
Ticket Opened Date | |
Org Level 1 | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
File Size | File Size |
High Level Categories | The high level categories in the events. |
User Id | User Id |
Approver | The person who approved or needs to approve the request. |
Destination Networks | |
Password Changed Date | |
ASN Name | |
MD5 | MD5 |
Command Line Verdict | |
Duration | |
Cloud Account ID | |
Dest | Destination |
Src Hostname | Source hostname |
Cost Center Code | Cost Center Code |
Detected External Hosts | Detected external hosts |
userAccountControl | userAccountControl |
Policy Actions | |
Source Priority | |
Resource URL | |
MAC Address | MAC Address |
Parent Process SHA256 | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Sensor Name | |
Process Paths | |
Audit Logs | |
File Creation Date | |
Display Name | Display Name |
Additional Indicators | |
Hostnames | The hostname in the event. |
Campaign Name | |
IP Reputation | |
Tenant Name | Tenant Name |
Asset Name | |
Src User | Source User |
Close Time | The closing time. |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
Number of similar files | |
External End Time | |
Unique Ports | |
OS | The operating system. |
Srcs | The source values. |
Dest NT Domain | Destination NT Domain |
Usernames | The username in the event. |
Org Level 3 | |
File Hash | |
Categories | The categories for the incident. |
Follow Up | True if marked for follow up. |
Detected Internal IPs | Detected internal IPs |
Group ID | |
External Sub Category Name | |
Destination IPs | The destination IPs of the event. |
Agent ID | Agent ID |
Containment SLA | The time it took to contain the incident. |
Registry Hive | |
sAMAccountName | User sAMAccountName |
Operation Name | |
Ticket Number | |
Parent Process File Path | |
Department | Department |
Detected User | |
Source IPV6 | The source IPV6 address. |
Last Name | Last Name |
Objective | |
Source Username | The username that was the source of the attack. |
External ID | |
Appliance ID | Appliance ID as received from the integration JSON |
Manager Name | Manager Name |
Description | The description of the incident |
Country Name | Country Name |
Source IPs | The source IPs of the event. |
Verification Status | The status of the user verification. |
Agents ID | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
User Risk Level | |
Detected External IPs | Detected external IPs |
Mobile Phone | |
Domain Name | |
Process SHA256 | |
EmailCampaignMutualIndicators | |
External System ID | |
similarIncidents | |
Reporter Email Address | The email address of the user who reported the email. |
Src OS | Src OS |
Source IP | The IP Address that the user initially logged in from. |
Destination Network | |
Cost Center | Cost Center |
Error Code | |
External Category ID | |
Rule Name | The name of a YARA rule |
Approval Status | The status for the approval of the request. |
Protocol - Event | The network protocol in the event. |
Cloud Service | |
Investigation Stage | The stage of the investigation. |
Source Geolocation | The source geolocation of the event. |
Primary Email Address | |
Exposure Level | |
Employee Manager Email | The email address of the employee's manager. |
Source Create time | |
Event Descriptions | The description of the event name. |
Timezone | |
Cloud Operation Type | |
Sub Category | The sub category |
Destination MAC Address | The destination MAC address in an event. |
Src NT Domain | Source NT Domain |
Country Code | |
Source External IPs | |
Street Address | |
app channel name | |
Pre Nat Source IP | The source IP before NAT. |
Name | Description |
---|---|
Authentication | |
Network | |
UnknownBinary | |
Job | |
C2Communication | |
Hunt | |
Vulnerability | |
Defacement | |
Indicator Feed | |
Lateral Movement | |
Exploit | |
Reconnaissance | |
Exfiltration | |
Simulation | |
DoS | |
Policy Violation | |
Name | Description |
---|---|
STIX Goals | |
File Extension | |
Publications | |
Street Address | |
Given Name | Given Name |
STIX Primary Motivation. | |
Applications | |
Department | Department |
Report type | |
STIX Sophistication | |
X.509 v3 Extensions | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Threat Actor Types | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
DNS Records | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
Domains | |
Org Level 2 | |
SHA256 | |
Action | |
User ID | |
Office365Required | |
Registrar Name | |
Org Level 1 | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Sophistication | |
Processor | |
Certificates | |
Name | |
Primary Motivation | |
Signature Authentihash | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
STIX Aliases | Alternative names used to identify this object |
imphash | |
Certificate Validation Checks | |
Definition | |
Signature Copyright | |
Certificate Names | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Domain Name | |
Indicator Identification | |
Rank | Used to display rank from different sources |
Community Notes | |
Signature File Version | |
CVE Modified | |
Domain Referring Subnets | |
Is Processed | |
Objective | |
SHA1 | |
Blocked | |
CVSS3 | |
STIX Is Malware Family | |
Subdomains | |
CVE Description | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
MD5 | |
Cost Center | |
Signature Internal Name | |
Product | |
Number of subkeys | |
STIX Tool Types | |
Published | |
Country Name | |
Query Language | |
Key Value | |
Roles | |
Location Region | |
Expiration Date | |
OS Version | |
Domain IDN Name | |
Organization | |
Zip Code | |
Org Level 3 | |
Detection Engines | Total number of engines that checked the indicator |
Region | |
BIOS Version | |
Signature Description | |
Mitre Tactics | |
Admin Name | |
CVSS Score | |
Creation Date | |
Subject Alternative Names | |
Tags | |
Admin Email | |
CVSS Vector | |
SHA512 | |
Job Code | Job Code |
Registrar Abuse Name | |
ASN | |
Org Unit | |
Admin Phone | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Architecture | |
Tool Version | |
Updated Date | |
IP Address | |
Work Phone | |
Registrant Email | |
Targets | |
Goals | |
Malware types | |
Mitre ID | |
Vendor | |
STIX Threat Actor Types | |
Title | Title |
Associated File Names | |
Description | |
Public Key | |
Geo Location | |
Domain Referring IPs | |
Short Description | |
Size | |
Path | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Aliases | Alternative names used to identify this object |
Organizational Unit (OU) | |
Report Object References | A list of STIX IDs referenced in the report. |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Office365ExpressRoute | |
Certificate Signature | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
DHCP Server | |
Extension | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Registrant Name | |
Memory | |
City | City |
Operating System Refs | |
Domain Status | |
Manager Name | Manager Name |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Name Servers | |
Signed | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Subject DN | Subject Distinguished Name |
Behavior | |
Subject | |
Entry ID | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Implementation Languages | |
Signature Original Name | |
Signature Algorithm | |
Mobile Phone | |
Email Address | |
Is Malware Family | |
State | |
Organization Type | |
MAC Address | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
STIX Description | |
Operating System Version | |
Device Model | |
Issuer | |
Feed Related Indicators | |
Cost Center Code | |
Issuer DN | Issuer Distinguished Name |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Registrant Phone | |
Processors | |
Assigned role | |
Assigned user | |
CVSS | |
Capabilities | |
Download URL | |
Detections | |
Country Code | |
Job Function | |
DNS | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Secondary Motivations | |
Vulnerabilities | |
Registrar Abuse Address | |
Port | |
Operating System | |
Whois Records | |
Commands | |
Personal Email | |
PEM | Certificate in PEM format. |
STIX Malware Types | |
Force Sync | Whether to force user synchronization. |
Surname | Surname |
Serial Number | |
CVSS Table | |
Username | |
Name Field | |
File Type | |
Account Type | |
Location | |
STIX Resource Level | |
STIX Roles | |
Infrastructure Types | |
Samples | |
Category | |
Leadership | |
Actor | |
Groups | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Job Family | |
Country Code Number | |
Campaign | |
Registrar Abuse Phone | |
Tool Types | |
Paths | |
Confidence | |
Registrar Abuse Email | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Registrar Abuse Network | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Display Name | |
Geo Country | |
Version | |
Resource Level | |
AS Owner | |
Quarantined | Whether the indicator is quarantined or isolated |
Admin Country | |
Manager Email Address | |
Registrar Abuse Country | |
Office365Category | |
Reports | |
Hostname | |
Author | |
Registrant Country | |
SSDeep | |
STIX Secondary Motivations | |
Malware Family | |
Vulnerable Products | |
CVSS Version | |
Source Priority | |
Associations | Known associations to other pieces of Threat Data. |
STIX Tool Version | |
Internal | |
Name | Description |
---|---|
Report | Report Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Intrusion Set | Intrusion Set Layout |
URL Indicator | URL Indicator Layout |
Tool Indicator | Tool Indicator Layout |
IP Indicator | IP Indicator Layout |
Campaign | Campaign Indicator Layout |
Account Indicator | Account Indicator Layout |
File Indicator | File Indicator Layout |
Email Indicator | Email Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Software | Software Indicator Layout |
Identity | Identity indicator layout |
Domain Indicator | Domain Indicator Layout |
Mutex | Mutex indicator layout |
Tactic Layout | Tactic Indicator Layout |
ASN | ASN Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Indicator Feed Incident | |
Location | Location indicator layout |
Host Indicator | Host indicator layout |
Vulnerability Incident | |
X509 Certificate | CVE Indicator Layout |
Name | Description |
---|---|
Intrusion Set | |
Mutex | |
Attack Pattern | |
Registry Key | |
Host | |
Report | |
Threat Actor | |
Domain | |
Infrastructure | |
Course of Action | |
Location | |
File SHA-1 | |
Identity | |
ASN | |
File MD5 | |
CVE | |
File SHA-256 | |
IPv6 | |
Tool | |
Campaign | |
ssdeep | |
Malware | |
IP | |
Onion Address | |
Tactic | |
URL | |
File | |
Account | |
IPv6CIDR | |
Software | |
DomainGlob | |
X509 Certificate | |
CIDR | |
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
Resource Type | |
Given Name | Given Name |
User SID | |
Original Alert ID | Alert ID as received from the integration JSON |
Signature | |
Isolated | Isolated |
Raw Event | The unparsed event data. |
Domain Name | |
String Similarity Results | |
Account Status | |
Process SHA256 | |
Report Name | |
Process Names | |
Org Level 2 | |
Event Names | The event name (translated QID) in the event. |
Surname | Surname |
Technical Owner | The technical owner of the asset. |
Policy ID | |
Unique Ports | |
Org Level 1 | |
sAMAccountName | User sAMAccountName |
File Creation Date | |
Application Path | |
Parent Process File Path | |
Vendor ID | |
Post Nat Source Port | The source port after NAT. |
Policy Details | |
Source Networks | |
Approver | The person who approved or needs to approve the request. |
Suspicious Executions | |
Ticket Closed Date | |
Org Unit | |
Attack Patterns | |
Cloud Account ID | |
App message | |
Parent Process SHA256 | |
External Last Updated Time | |
Pre Nat Source IP | The source IP before NAT. |
List Of Rules - Event | The list of rules associated to an event. |
Start Time | The time when the offense started. |
CVE ID | |
Rating | |
External Sub Category ID | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
MITRE Technique Name | |
Risk Rating | |
SHA512 | SHA512 |
Parent Process Name | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
User Groups | |
External Category ID | |
Cloud Resource List | |
Parent Process Path | |
User Anomaly Count | |
Original Events | The events associated with the offense. |
External Severity | |
Job Code | Job Code |
Related Report | |
Attack Mode | Attack mode as received from the integration JSON |
Reporter Email Address | The email address of the user who reported the email. |
Org Level 3 | |
External Status | |
Assigned User | Assigned User |
Closing Reason | The closing reason |
SHA1 | SHA1 |
Protocol names | |
Policy Description | |
Detection End Time | |
External Confidence | |
UUID | UUID as received from the integration JSON |
Related Campaign | |
Account Member Of | |
Closing User | The closing user. |
Policy Deleted | |
Timezone | |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
Device OS Version | |
Detection ID | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
CVE Published | |
External Start Time | |
Pre Nat Source Port | The source port before NAT. |
Registry Value | |
Investigation Stage | The stage of the investigation. |
Policy Type | |
End Time | The time when the offense ended. |
Asset ID | |
State | State |
Macro Source Code | If a Microsoft Office file (such as docm, xlsm, or pptm) contains a macro, this field holds the macro's source code. |
Scenario | |
OutgoingMirrorError | |
Alert Action | Alert action as received from the integration JSON |
Additional Email Addresses | |
SKU TIER | |
High Risky Hosts | |
Technical Owner Contact | The contact details for the technical owner. |
Primary Email Address | |
EmailCampaignMutualIndicators | |
Related Endpoints | |
URLs | |
Dsts | The destination values. |
Source Created By | |
Employee Email | The email address of the employee. |
Location | Location |
Password Changed Date | |
Triggered Security Profile | Triggered Security Profile |
Is Active | Alert status |
Detected Endpoints | |
Event ID | Event ID |
Source Priority | |
Employee Manager Email | The email address of the employee's manager. |
Alert Rules | |
Registration Email | |
Tool Usage Found | |
Process Paths | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Additional Indicators | |
City | |
Number of Related Incidents | |
Related Alerts | |
userAccountControl | userAccountControl |
Country Code Number | |
Device Hash | Device Hash |
Destination Networks | |
IP Blocked Status | |
Containment SLA | The time it took to contain the incident. |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Compliance Notes | Notes regarding the asset's compliance. |
Source Category | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Src OS | Src OS |
Domain Registrar Abuse Email | |
Process Creation Time | |
Source Updated by | |
Classification | Incident Classification |
First Name | First Name |
Agents ID | |
Category Count | The number of categories that are associated with the offense. |
Source External IPs | |
Affected Hosts | |
Status Reason | |
Endpoint Isolation Status | |
Work Phone | |
Technique | |
Risk Score | |
MITRE Tactic Name | |
Device External IPs | |
Follow Up | True if marked for follow up. |
Tactic ID | |
Street Address | |
MITRE Technique ID | |
Mobile Phone | |
Zip Code | Zip Code |
Resource URL | |
Location Region | Location Region |
Campaign Name | |
Password Reset Successfully | Whether the password has been successfully reset. |
Blocked Action | Blocked Action |
Pre Nat Destination Port | The destination port before NAT. |
Device MAC Address | |
Error Message | The error message that contains details about the error that occurred. |
Manager Email Address | |
Process ID | |
Assignment Group | |
Custom Query Results | |
User Block Status | |
Post Nat Source IP | The source IP address after NAT. |
Post Nat Destination Port | The destination port after NAT. |
First Seen | |
Command Line Verdict | |
External System ID | |
Alert Malicious | Whether the alert is malicious. |
Original Description | The description of the incident |
Rule Name | The name of a YARA rule |
Sensor IP | |
Country Code | |
Group ID | |
Manager Name | Manager Name |
Policy URI | |
Last Name | Last Name |
Birthday | Person's Birthday |
Acquisition Hire | |
Display Name | Display Name |
Endpoints Details | |
Cost Center | Cost Center |
Log Source Name | The log source name associated with the event. |
Affected Users | |
IncomingMirrorError | |
Bugtraq | |
Job Function | Job Function |
External Link | |
Approval Status | The status for the approval of the request. |
Policy Actions | |
External End Time | |
Email Sent Successfully | Whether the email has been successfully sent. |
Tools | |
Dest OS | Destination OS |
Policy Remediable | |
File Hash | |
Last Update Time | |
Cloud Service | |
Detected Internal Hosts | Detected internal hosts |
Last Modified On | |
Job Family | Job Family |
Referenced Resource Name | |
Traffic Direction | The direction of the traffic in the event. |
File Size | File Size |
SKU Name | |
Objective | |
Ticket Acknowledged Date | |
Duration | |
CVE | |
Alert Type ID | |
User Id | User Id |
Vendor Product | |
Source Id | |
ASN | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Last Seen | |
Verification Status | The status of the user verification. |
Destination Geolocation | The destination geolocation of the event. |
Cost Center Code | Cost Center Code |
Log Source | Log Source |
Caller | |
Device Internal IPs | |
Alert tags | |
Device Status | |
Parent Process IDs | |
ASN Name | |
IP Reputation | |
Use Case Description | |
Exposure Level | |
Risk Name | |
Low Level Categories Events | The low level category of the event. |
External Category Name | |
Ticket Number | |
Comment | The comments related to the incident. |
EmailCampaignSummary | |
Device Model | Device Model |
Registry Hive | |
Incident Link | |
Event Descriptions | The description of the event name. |
External Sub Category Name | |
Post Nat Destination IP | The destination IP address after NAT. |
Department | Department |
Additional Data | |
File Relationships | |
Verification Method | The method used to verify the user. |
Operation Name | |
Referenced Resource ID | |
Policy Recommendation | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Process CMD | |
Close Time | The closing time. |
Subtype | Subtype |
Identity Type | |
Users Details | |
Asset Name | |
Suspicious Executions Found | |
Destination IPV6 | The destination IPV6 address. |
Parent Process MD5 | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Region ID | |
app channel name | |
Last Modified By | |
Employee Display Name | The display name of the employee. |
User Engagement Response | |
similarIncidents | |
Device OU | Device's OU path in Active Directory |
Detected External IPs | Detected external IPs |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Full Name | Person's Full Name |
MITRE Tactic ID | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Region | |
Number Of Log Sources | The number of log sources related to the offense. |
Technical User | The technical user of the asset. |
Resource Name | |
Selected Indicators | Includes the indicators selected by the user. |
EmailCampaignCanvas | |
Tenant Name | Tenant Name |
Changed | The user who changed this incident |
Technique ID | |
RemovedFromCampaigns | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Vulnerable Product | |
Similar incidents Dbot | |
Error Code | |
Personal Email | |
Source Status | |
Device Name | Device Name |
Device Time | The time from the original logging device when the event occurred. |
Source Create time | |
High Risky Users | |
Registry Key | |
Hunt Results Count | |
Original Alert Source | |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Verdict | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
OS | The operating system. |
Cloud Region List | |
OS Type | OS Type |
Block Indicators Status | |
Vulnerability Category | |
SSDeep | |
Triage SLA | The time it took to investigate and enrich incident information. |
User Creation Time | |
File SHA1 | |
Source Geolocation | The source geolocation of the event. |
Internal Addresses | |
Leadership | |
Device Id | Device Id |
Registry Value Type | |
Account ID | |
Phone Number | Phone number |
Audit Logs | |
Policy Severity | |
Number Of Found Related Alerts | The number of related alerts found with medium or higher severity. |
Escalation | |
Project ID | |
EmailCampaignSnippets | |
Cloud Instance ID | Cloud Instance ID |
Process MD5 | |
Agent Version | Reporting Agent/Sensor Version |
Number of similar files | |
Item Owner | |
Original Alert Name | Alert name as received from the integration JSON |
CVSS | |
Team name | |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Item Owner Email | |
File Access Date | |
Parent Process CMD | |
Source Urgency | Source Urgency |
Mobile Device Model | |
Sub Category | The sub category |
Device OS Name | |
Log Source Type | The log source type associated with the event. |
Title | Title |
Rendered HTML | The HTML content in a rendered form. |
Domain Updated Date | |
Tactic | |
Name | Description |
---|---|
Policy Violation | |
Network | |
C2Communication | |
Exploit | |
Reconnaissance | |
Exfiltration | |
Defacement | |
Lateral Movement | |
Hunt | |
Simulation | |
Job | |
UnknownBinary | |
Authentication | |
Vulnerability | |
Indicator Feed | |
DoS | |
Name | Description |
---|---|
Name Field | |
DNS | |
Certificate Signature | |
Geo Location | |
File Extension | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Download URL | |
OS Version | |
PEM | Certificate in PEM format. |
Detection Engines | Total number of engines that checked the indicator |
Reports | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Detections | |
CVSS3 | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Job Code | Job Code |
Indicator Identification | |
Certificate Validation Checks | |
STIX Goals | |
Registrar Abuse Email | |
Org Level 3 | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
SHA1 | |
Organizational Unit (OU) | |
X.509 v3 Extensions | |
Serial Number | |
Zip Code | |
Public Key | |
Domain Referring Subnets | |
Internal | |
Geo Country | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Name | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Product | |
Issuer DN | Issuer Distinguished Name |
Creation Date | |
Org Level 1 | |
Secondary Motivations | |
Job Function | |
Report Object References | A list of STIX IDs referenced in the report. |
Country Code Number | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Given Name | Given Name |
Is Processed | |
SSDeep | |
Key Value | |
Assigned user | |
Subject DN | Subject Distinguished Name |
Operating System Refs | |
STIX Resource Level | |
Signature Internal Name | |
Mobile Phone | |
Aliases | Alternative names used to identify this object |
Signature File Version | |
Force Sync | Whether to force user synchronization. |
Blocked | |
Registrar Abuse Name | |
Username | |
Memory | |
Signature Original Name | |
STIX Tool Version | |
Registrar Abuse Network | |
Primary Motivation | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Email Address | |
imphash | |
Updated Date | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Resource Level | |
Registrant Name | |
Number of subkeys | |
CVSS Vector | |
Signed | |
Threat Actor Types | |
CVSS Version | |
Registrar Abuse Address | |
Feed Related Indicators | |
Samples | |
Expiration Date | |
Account Type | |
Leadership | |
Work Phone | |
STIX Threat Actor Types | |
Signature Authentihash | |
CVSS Score | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Organization Type | |
Report type | |
Behavior | |
Processor | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
BIOS Version | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Registrar Abuse Country | |
IP Address | |
Org Level 2 | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Vulnerabilities | |
Device Model | |
SHA256 | |
STIX Roles | |
Office365Category | |
Street Address | |
Assigned role | |
Path | |
Location | |
Subject Alternative Names | |
User ID | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Sophistication | |
Groups | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Whois Records | |
Operating System | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Description | |
Mitre ID | |
Objective | |
Issuer | |
Cost Center | |
Manager Name | Manager Name |
Name Servers | |
Infrastructure Types | |
Region | |
Published | |
Signature Copyright | |
Signature Algorithm | |
Applications | |
Version | |
Surname | Surname |
MD5 | |
Quarantined | Whether the indicator is quarantined or isolated |
City | City |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Office365Required | |
Extension | |
Action | |
Architecture | |
Location Region | |
STIX Malware Types | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Vendor | |
Actor | |
SHA512 | |
Certificates | |
Subject | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Port | |
Source Priority | |
Organization | |
Tool Types | |
Roles | |
Title | Title |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Registrant Email | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Office365ExpressRoute | |
Signature Description | |
Manager Email Address | |
Display Name | |
STIX Sophistication | |
STIX Secondary Motivations | |
Admin Email | |
CVSS | |
Subdomains | |
CVE Modified | |
Registrar Abuse Phone | |
CVSS Table | |
Entry ID | |
Definition | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Commands | |
Processors | |
Malware types | |
AS Owner | |
Size | |
CVE Description | |
Certificate Names | |
Domains | |
Domain Name | |
Admin Country | |
Capabilities | |
Associations | Known associations to other pieces of Threat Data. |
Domain Referring IPs | |
Query Language | |
Malware Family | |
Admin Phone | |
Tags | |
STIX Description | |
Short Description | |
Campaign | |
Is Malware Family | |
Admin Name | |
Author | |
Registrant Country | |
Rank | Used to display rank from different sources |
Goals | |
Vulnerable Products | |
Domain Status | |
STIX Aliases | Alternative names used to identify this object |
Hostname | |
Implementation Languages | |
Org Unit | |
Mitre Tactics | |
Tool Version | |
Country Code | |
Category | |
Cost Center Code | |
Domain IDN Name | |
Community Notes | |
Job Family | |
DHCP Server | |
Country Name | |
Operating System Version | |
STIX Primary Motivation | |
STIX Tool Types | |
Targets | |
Registrant Phone | |
Publications | |
File Type | |
ASN | |
Paths | |
State | |
STIX Is Malware Family | |
Confidence | |
Registrar Name | |
DNS Records | |
Associated File Names | |
Personal Email | |
Department | Department |
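The `CPE` field above requires a CPE v2.3 entry, and the `Vulnerable Products` and `Vulnerabilities` fields are where such entries are compared against vulnerability data. The Python block below is an added example, not code from the Common Types pack or from Cortex XSOAR: it checks the CPE 2.3 formatted-string syntax (the `cpe:2.3:` prefix, eleven colon-separated components, `*` and `-` for the logical values ANY and NA, backslash escaping of punctuation, wildcards only at the ends of a value, as laid out in NISTIR 7695), splits a string into its named components, and performs a simplified match of a product pattern against a concrete entry. Membership in the official NVD CPE Dictionary cannot be checked offline and is not attempted. All sample strings are constructed; the escaped vendor/product values follow the escaping examples in the specification.

```python
# Added example, not part of the Common Types pack or of Cortex XSOAR: syntax-check a
# CPE 2.3 formatted string (NISTIR 7695), split it into named components, and match a
# product pattern against a concrete entry. Membership in the NVD CPE Dictionary is
# not checked; that needs the dictionary itself.
import re

CPE23_PREFIX = "cpe:2.3:"
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
UNRESERVED = re.compile(r"[A-Za-z0-9._-]")   # may appear unescaped in a value
ALNUM = re.compile(r"[A-Za-z0-9_]")           # must never be escaped


def _tokens(value: str) -> list:
    """Split into single characters and backslash-escaped pairs ('\\:' stays together)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 >= len(value):
                raise ValueError("dangling backslash in %r" % value)
            out.append(value[i:i + 2])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return out


def _split_components(body: str) -> list:
    """Split on unescaped colons only; a literal colon inside a value is '\\:'."""
    parts, cur = [], ""
    for tok in _tokens(body):
        if tok == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += tok
    return parts + [cur]


def _check_component(name: str, value: str) -> None:
    """Value grammar: '*'/'-' alone are ANY/NA; otherwise unreserved characters,
    escaped punctuation, '*' only as first/last character, '?' only in a
    leading or trailing run."""
    if value in ("*", "-"):
        return
    if value == "":
        raise ValueError("%s: empty component" % name)
    toks = _tokens(value)
    n = len(toks)
    lead = next((i for i, t in enumerate(toks) if t != "?"), n)
    trail = next((i for i, t in enumerate(reversed(toks)) if t != "?"), n)
    for i, tok in enumerate(toks):
        if len(tok) == 2:
            if ALNUM.fullmatch(tok[1]):
                raise ValueError("%s: %r escapes an alphanumeric" % (name, tok))
        elif tok == "*":
            if i not in (0, n - 1):
                raise ValueError("%s: '*' allowed only at start or end" % name)
        elif tok == "?":
            if not (i < lead or i >= n - trail):
                raise ValueError("%s: '?' allowed only at start or end" % name)
        elif not UNRESERVED.fullmatch(tok):
            raise ValueError("%s: %r must be backslash-escaped" % (name, tok))


def parse_cpe23(cpe: str) -> dict:
    """Return {component: raw value}; raise ValueError naming the first syntax error."""
    if not cpe.startswith(CPE23_PREFIX):
        raise ValueError("missing 'cpe:2.3:' prefix")
    parts = _split_components(cpe[len(CPE23_PREFIX):])
    if len(parts) != len(COMPONENTS):
        raise ValueError("expected %d components, got %d" % (len(COMPONENTS), len(parts)))
    parsed = dict(zip(COMPONENTS, parts))
    if parsed["part"] not in ("a", "h", "o", "*", "-"):
        raise ValueError("part must be a (application), h (hardware) or o (OS)")
    for name, value in parsed.items():
        _check_component(name, value)
    return parsed


def is_valid_cpe23(cpe: str) -> bool:
    try:
        parse_cpe23(cpe)
        return True
    except ValueError:
        return False


def unescape(value: str) -> str:
    """Drop the escaping backslashes to get the literal text of a value."""
    return "".join(t[-1] for t in _tokens(value))


def matches(pattern: str, target: str) -> bool:
    """Simplified name matching: each pattern component must be ANY, equal the target
    component, or match it through its wildcards. Wildcards in the target are taken
    literally; the full NISTIR 7696 ANY/NA relation table is deliberately left out."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    for name in COMPONENTS:
        pv, tv = p[name], t[name]
        if pv == "*" or pv == tv:
            continue
        if pv == "-" or tv in ("*", "-"):
            return False
        regex = "".join(".*" if k == "*" else "." if k == "?" else re.escape(k[-1])
                        for k in _tokens(pv))
        if re.fullmatch(regex, unescape(tv)) is None:
            return False
    return True
```

`parse_cpe23` keeps values raw (escapes intact) so that a string stored in the field round-trips unchanged; call `unescape` only when displaying a component or comparing it with text from another source. `matches` is enough to ask "does this Software indicator fall under this vulnerable product pattern", but for anything contractual use a library that implements the complete NISTIR 7696 relation table.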
Name | Description |
---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule | |
Name | Description |
---|---|
Course of Action | Course of Action Indicator Layout |
File Indicator | File Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Email Indicator | Email Indicator Layout |
Campaign | Campaign Indicator Layout |
X509 Certificate | X509 Certificate Indicator Layout |
Host Indicator | Host indicator layout |
Indicator Feed Incident | |
Tactic Layout | Tactic Indicator Layout |
Location | Location indicator layout |
Registry Key Indicator | Registry Key Indicator Layout |
URL Indicator | URL Indicator Layout |
IP Indicator | IP Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Software | Software Indicator Layout |
Account Indicator | Account Indicator Layout |
Mutex | Mutex indicator layout |
Intrusion Set | Intrusion Set Layout |
Report | Report Indicator Layout |
Domain Indicator | Domain Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Tool Indicator | Tool Indicator Layout |
ASN | ASN Indicator Layout |
Identity | Identity indicator layout |
Vulnerability Incident | |
Name | Description |
---|---|
ASN | |
File SHA-1 | |
CVE | |
X509 Certificate | |
Location | |
Campaign | |
Mutex | |
Course of Action | |
Host | |
IPv6 | |
Tool | |
File | |
Report | |
Malware | |
Intrusion Set | |
Infrastructure | |
IPv6CIDR | |
Onion Address | |
File SHA-256 | |
Domain | |
Identity | |
Threat Actor | |
Account | |
Attack Pattern | |
Registry Key | |
File MD5 | |
ssdeep | |
Software | |
CIDR | |
URL | |
DomainGlob | |
IP | |
Tactic | |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Cortex REST API | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Added a new number field representing the number of times the indicator is detected in the organization.
Added a new number field representing the number of times the indicator is detected across all organizations.
Added a new date field representing when the indicator was first seen in the organization.
Added a new date field representing when the indicator was last seen in the organization.
File
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | File.OrganizationPrevalence |
globalprevalence | File.GlobalPrevalence |
organizationfirstseen | File.OrganizationFirstSeen |
organizationlastseen | File.OrganizationLastSeen |
firstseenbysource | File.FirstSeenBySource |
lastseenbysource | File.LastSeenBySource |
Domain
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | Domain.OrganizationPrevalence |
globalprevalence | Domain.GlobalPrevalence |
organizationfirstseen | Domain.OrganizationFirstSeen |
organizationlastseen | Domain.OrganizationLastSeen |
firstseenbysource | Domain.FirstSeenBySource |
lastseenbysource | Domain.LastSeenBySource |
URL
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | URL.OrganizationPrevalence |
globalprevalence | URL.GlobalPrevalence |
organizationfirstseen | URL.OrganizationFirstSeen |
organizationlastseen | URL.OrganizationLastSeen |
firstseenbysource | URL.FirstSeenBySource |
lastseenbysource | URL.LastSeenBySource |
IP
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IP.OrganizationPrevalence |
globalprevalence | IP.GlobalPrevalence |
organizationfirstseen | IP.OrganizationFirstSeen |
organizationlastseen | IP.OrganizationLastSeen |
firstseenbysource | IP.FirstSeenBySource |
lastseenbysource | IP.LastSeenBySource |
IPv6
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IPv6.OrganizationPrevalence |
globalprevalence | IPv6.GlobalPrevalence |
organizationfirstseen | IPv6.OrganizationFirstSeen |
organizationlastseen | IPv6.OrganizationLastSeen |
firstseenbysource | IPv6.FirstSeenBySource |
lastseenbysource | IPv6.LastSeenBySource |
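The five mapping tables above follow one rule: the key under the indicator type's context root (`File.OrganizationPrevalence`, `IPv6.GlobalPrevalence`, and so on) is mapped to the indicator field whose CLI name is that key in lowercase. The Python block below is an added example, not code from the Common Types pack or from Cortex XSOAR. It applies that rule to a constructed context payload, normalises the two number fields and the four date fields, and adds two consistency checks that the release notes do not mention but that a practitioner would want before trusting the values: an organization count larger than the all-organizations count, and a first-seen date later than its last-seen date. The sample context, hashes and addresses are constructed.

```python
# Added example, not part of the Common Types pack or of Cortex XSOAR: apply the
# default context-to-indicator-field mapping from the release notes above to an
# integration's context output. The sample context at the bottom is constructed.
from datetime import datetime, timezone

MAPPED_ROOTS = ("File", "Domain", "URL", "IP", "IPv6")   # roots that got the mapping
MAPPED_KEYS = ("OrganizationPrevalence", "GlobalPrevalence",
               "OrganizationFirstSeen", "OrganizationLastSeen",
               "FirstSeenBySource", "LastSeenBySource")
NUMBER_FIELDS = ("organizationprevalence", "globalprevalence")  # the rest are dates


def cli_name(context_key: str) -> str:
    """The field's CLI name is the context key lowercased (the rule the tables follow)."""
    return context_key.lower()


def context_path(root: str, context_key: str) -> str:
    """The context path as written in the tables, e.g. 'IPv6.GlobalPrevalence'."""
    return "%s.%s" % (root, context_key)


def _normalize(field: str, value):
    """Numbers must be non-negative ints; dates are returned as UTC ISO-8601 so
    values from different sources compare correctly."""
    if field in NUMBER_FIELDS:
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError("%s: expected a non-negative integer, got %r" % (field, value))
        return value
    ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if ts.tzinfo is None:                       # naive timestamps are taken as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).isoformat()


def map_indicator_fields(context: dict) -> dict:
    """Return {root: [{cli_name: value, ...}, ...]} for every mapped root present.
    A root may hold one dict or a list of dicts; unmapped keys and other roots
    (DBotScore, for instance) are ignored, as they are by the default mapping."""
    out = {}
    for root in MAPPED_ROOTS:
        entries = context.get(root)
        if entries is None:
            continue
        for entry in (entries if isinstance(entries, list) else [entries]):
            fields = {cli_name(k): _normalize(cli_name(k), entry[k])
                      for k in MAPPED_KEYS if entry.get(k) is not None}
            if fields:
                out.setdefault(root, []).append(fields)
    return out


def consistency_issues(fields: dict) -> list:
    """Checks the notes do not mention but a practitioner would add: the organization's
    own count cannot exceed the count across all organizations, and a first-seen date
    cannot be later than its matching last-seen date."""
    issues = []
    org, glob = fields.get("organizationprevalence"), fields.get("globalprevalence")
    if org is not None and glob is not None and org > glob:
        issues.append("organizationprevalence (%d) exceeds globalprevalence (%d)" % (org, glob))
    for first, last in (("organizationfirstseen", "organizationlastseen"),
                        ("firstseenbysource", "lastseenbysource")):
        if fields.get(first) and fields.get(last) and \
                datetime.fromisoformat(fields[first]) > datetime.fromisoformat(fields[last]):
            issues.append("%s is after %s" % (first, last))
    return issues


# Constructed sample: one File entry with all six keys, one IP entry with a single
# key, and a DBotScore entry that the mapping must leave alone.
SAMPLE_CONTEXT = {
    "File": [{
        "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "OrganizationPrevalence": 3,
        "GlobalPrevalence": 120,
        "OrganizationFirstSeen": "2024-03-01T10:00:00Z",
        "OrganizationLastSeen": "2024-03-05T08:30:00Z",
        "FirstSeenBySource": "2023-11-20T00:00:00Z",
        "LastSeenBySource": "2024-03-05T08:30:00Z",
    }],
    "IP": {"Address": "192.0.2.10", "GlobalPrevalence": 7},
    "DBotScore": {"Indicator": "192.0.2.10", "Type": "ip", "Score": 2},
}

if __name__ == "__main__":
    for root, entries in map_indicator_fields(SAMPLE_CONTEXT).items():
        for fields in entries:
            print(root, fields, consistency_issues(fields) or "consistent")
```

Running the block prints the File entry with all six fields mapped and the IP entry with only `globalprevalence`; the DBotScore entry produces nothing. The date normalisation matters because the prevalence and seen dates come from different vendors, so an enrichment that compares `firstseenbysource` with `organizationfirstseen` must put both on the same clock first.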
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.
Certification | Certified |
Supported By | Cortex |
Created | July 26, 2020 |
Last Release | September 9, 2025 |