Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Device OS Version
Asset Name
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
OS Version	OS Version
External End Time
File SHA256
Is Active	Alert status
Full Name	Person's Full Name
Alert URL	Alert URL as received from the integration JSON
Operation Name
Dst Ports	The destination ports of the event.
Comment	The comments related with the incident
OS Type	OS Type
Report Name
Block Indicators Status
Manager Name	Manager Name
File Name
Source Create time
Job Code	Job Code
Personal Email
Source IPV6	The source IPV6 address.
Caller
Hostnames	The hostname in the event.
External Status
Mobile Device Model
CMD line
Log Source Name	The log source name associated with the event.
Rating
Changed	The user who changed this incident
Risk Name
Users
Country Name	Country Name
Device Internal IPs
User Block Status
Destination Hostname	Destination hostname
similarIncidents
MAC Address	MAC Address
MITRE Technique Name
Timezone
Employee Display Name	The display name of the employee.
Parent Process CMD
Vulnerable Product
Country	The country from which the user logged in.
Device Local IP	Device Local IP
Subtype	Subtype
Parent Process MD5
Email Sent Successfully	Whether the email has been successfully sent.
Source Hostname	The hostname that performed the port scan.
Cloud Instance ID	Cloud Instance ID
Country Code
User Id	User Id
Pre Nat Source Port	The source port before NAT.
Vulnerability Category
Protocol - Event	The network protocol in the event.
First Seen
Policy Severity
Protocol	Protocol
Threat Hunting Detected Hostnames
Device Model	Device Model
Protocol names
Src User	Source User
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
userAccountControl	userAccountControl
Additional Indicators
External Category ID
CVE ID
IP Reputation
File Names
Source Networks
Triggered Security Profile	Triggered Security Profile
File Paths
Threat Hunting Detected IP
Resource URL
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Application Name	Application Name
Account ID
EmailCampaignSnippets
Last Seen
SHA256	SHA256
Unique Ports
Child Process
Approval Status	The status for the approval of the request.
EmailCampaignCanvas
Source Category
Password Changed Date
Sensor IP
Detection ID
User SID
Raw Event	The unparsed event data.
ASN
Technique ID
Manager Email Address
Source Priority
MITRE Tactic Name
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Mobile Phone
Approver	The person who approved or needs to approve the request.
File SHA1
Account Name	Account Name
Post Nat Source Port	The source port after NAT.
Related Campaign
Agent Version	Reporting Agent/Sensor Version
Asset ID
Assignment Group
Detected Internal IPs	Detected internal IPs
City
User Anomaly Count
Process Names
Assigned User	Assigned User
Verification Status	The status of the user verification.
External System ID
Events	The events associated with the offense.
Leadership
Alert Name	Alert name as received from the integration JSON
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Pre Nat Source IP	The source IP before NAT.
Description	The description of the incident
Src Ports	The source ports of the event.
Source Network
Alert Category	The category of the alert
Investigation Stage	The stage of the investigation.
Agents ID
User Risk Level
Policy Recommendation
Source Updated by
Dest Hostname	Destination hostname
Low Level Categories Events	The low level category of the event.
Event Descriptions	The description of the event name.
CVSS
Device Name	Device Name
Ticket Number
External Last Updated Time
Destination Geolocation	The destination geolocation of the event.
Device External IP	Device External IP
External Severity
Technical Owner Contact	The contact details for the technical owner.
Detected User
External Category Name
Policy ID
Device OU	Device's OU path in Active Directory
Device OS Name
Risk Score
Srcs	The source values.
Number Of Log Sources	The number of log sources related to the offense.
Tenant Name	Tenant Name
Rule Name	The name of a YARA rule
List Of Rules - Event	The list of rules associated to an event.
Custom Query Results
Process MD5
User Engagement Response
Isolated	Isolated
Org Level 3
Attack Patterns
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Registry Value Type
File MD5
Process CMD
Street Address
Process Paths
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Campaign Name
Parent Process SHA256
Device Time	The time from the original logging device when the event occurred.
app channel name
Cloud Operation Type
Org Unit
Tactic
Resource Type
First Name	First Name
Team name
Attack Mode	Attack mode as received from the integration JSON
Classification	Incident Classification
Last Modified By
User Creation Time
Parent Process File Path
Ticket Opened Date
Process SHA256
Source Urgency	Source Urgency
DNS Name	The DNS name of the asset.
Status Reason
EmailCampaignSummary
Registry Value
Resource ID
sAMAccountName	User sAMAAccountName
Job Function	Job Function
MITRE Tactic ID
Detected External IPs	Detected external IPs
External Addresses
Vendor ID
Destination MAC Address	The destination MAC address in an event.
Display Name	Display Name
Tools
Resource Name
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Item Owner
Error Message	The error message that contains details about the error that occurred.
Internal Addresses
Event ID	Event ID
Org Level 2
Destination Network
Affected Users
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Group ID
Event Names	The event name (translated QID ) in the event.
Alert Action	Alert action as received from the integration JSON
Alert tags
Verification Method	The method used to verify the user.
Hunt Results Count
Parent Process Path
Referenced Resource ID
Source IP	The IP Address that the user initially logged in from.
Closing User	The closing user.
Org Level 1
Policy Deleted
Application Path
File Hash
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Device MAC Address
Signature
Src OS	Src OS
Src	Source
File Access Date
App message
Referenced Resource Name
Pre Nat Destination Port	The destination port before NAT.
Source Id
Usernames	The username in the event.
Project ID
Log Source	Log Source
OS	The operating system.
EmailCampaignMutualIndicators
Account Status
Alert Rules
MITRE Technique ID
Cloud Account ID
SHA1	SHA1
Duration
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Categories	The categories for the incident.
Post Nat Destination IP	The destination IP address after NAT.
Agent ID	Agent ID
Tactic ID
Policy Description
Detected Endpoints
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Escalation
External ID
Detected IPs
Use Case Description
Destination IPs	The destination IPs of the event.
Domain Updated Date
Affected Hosts
Blocked Action	Blocked Action
Protocols
Policy Actions
Tags
Cloud Resource List
Detection URL	URL of the ExtraHop Reveal(x) detection
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Close Time	The closing time.
Application Id	Application Id
High Level Categories	The high level categories in the events.
Given Name	Given Name
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Closing Reason	The closing reason
Tool Usage Found
Birthday	Person's Birthday
External Start Time
OutgoingMirrorError
App
End Time	The time when the offense ended.
Rendered HTML	The HTML content in a rendered form.
String Similarity Results
Detected Users	Detected users
Source MAC Address	The source MAC address in an event.
Device Hash	Device Hash
Src NT Domain	Source NT Domain
Department	Department
Country Code Number
Additional Data
State	State
Region
Device Id	Device Id
User Agent
Endpoints Details
Username	The username of the account who logged in.
Appliance ID	Appliance ID as received from the integration JSON
Parent Process IDs
Alert Attack Time
Start Time	The time when the offense started.
Source External IPs
RemovedFromCampaigns
Alert Source
Process ID
Technical Owner	The technical owner of the asset.
Parent Process
Related Report
High Risky Users
Device Username	The username of the user that owns the device
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Location	Location
Identity Type
IP Blocked Status
Related Alerts
SKU Name
Detected External Hosts	Detected external hosts
Location Region	Location Region
Additional Email Addresses
Registration Email
Registry Key
Surname	Surname
Policy Remediable
Source Status
Email	Primary Email Address
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Appliance Name	Appliance name as received from the integration JSON
Post Nat Destination Port	The destination port after NAT.
Exposure Level
Dsts	The destination values.
Alert ID	Alert ID as received from the integration JSON
Parent Process Name
Process Name
Reporter Email Address	The email address of the user who reported the email.
Cost Center	Cost Center
File Size	File Size
Users Details
Category Count	The number of categories that are associated with the offense.
SHA512	SHA512
External Confidence
Alert Malicious	Whether the alert is malicious.
Sub Category	The sub category
Incident Link
Verdict
Dest NT Domain	Destination NT Domain
Cloud Service
Event Type	Event Type
Alert Type ID
External Sub Category ID
Traffic Direction	The direction of the traffic in the event.
Post Nat Source IP	The source IP address after NAT.
Technical User	The technical user of the asset.
Last Modified On
Number of similar files
Policy Type
Process Creation Time
PID	PID
Destination Port	The destination port used.
Dest	Destination
Detection Update Time
Endpoint
Process Path
Command Line Verdict
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Suspicious Executions Found
Follow Up	True if marked for follow up.
Policy URI
File Creation Date
File Path
Bugtraq
External Sub Category Name
Detected Internal Hosts	Detected internal hosts
Source Created By
IncomingMirrorError
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Cloud Region List
Item Owner Email
Domain Name
Registry Hive
MD5	MD5
Employee Manager Email	The email address of the employee's manager.
Source IPs	The source IPs of the event.
Work Phone
Src Hostname	Source hostname
CVE
User Groups
Domain Registrar Abuse Email
Suspicious Executions
Destination IP	The IP address the impossible traveler logged in to.
Last Name	Last Name
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
UUID	UUID as received from the integration JSON
Source Username	The username that was the source of the attack.
Job Family	Job Family
Objective
Device Status
Log Source Type	The log source type associated with the event.
Ticket Closed Date
Parent CMD line
Password Reset Successfully	Whether the password has been successfully reset.
Triage SLA	The time it took to investigate and enrich incident information.
Scenario
SSDeep
Source Geolocation	The source geolocation of the event.
High Risky Hosts
Destination IPV6	The destination IPV6 address.
Ticket Acknowledged Date
Error Code
Endpoint Isolation Status
Related Endpoints
Device External IPs
Similar incidents Dbot
Phone Number	Phone number
Risk Rating
Vendor Product
Account Member Of
Policy Details
Source Port	The source port that was used
Detection End Time
File Relationships
Dest OS	Destination OS
Title	Title
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
ASN Name
Cost Center Code	Cost Center Code
External Link
Region ID
Containment SLA	The time it took to contain the incident.
SKU TIER
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Number of Related Incidents
Acquisition Hire
Technique
Sensor Name
URLs
Zip Code	Zip Code
Destination Networks
Employee Email	The email address of the employee.
Compliance Notes	Notes regarding the assets compliance.
Command Line	Command Line
CVE Published
CMD
Last Update Time
Selected Indicators	Includes the indicators selected by the user.

Incident Types

Name	Description
Hunt
Exfiltration
C2Communication
UnknownBinary
Simulation
Job
DoS
Indicator Feed
Lateral Movement
Vulnerability
Reconnaissance
Exploit
Network
Authentication
Policy Violation
Defacement

Indicator Fields

Name	Description
CVSS Table
Work Phone
Registrar Abuse Country
Admin Country
Name Field
Operating System
CVSS3
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Infrastructure Types
Subdomains
Report Object References	A list of STIX IDs referenced in the report.
SSDeep
Manager Name	Manager Name
Objective
Sophistication
Cost Center
Job Function
IP Address
Signature Algorithm
Account Type
Organization Type
Operating System Refs
Domain Referring Subnets
Confidence
Download URL
Title	Title
Validity Not After	Specifies the date on which the certificate validity period ends.
First Seen By Source	The first time the indicator was seen by the source vendor.
Report type
Issuer DN	Issuer Distinguished Name
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Aliases	Alternative names used to identify this object
Organizational Unit (OU)
Capabilities
Domain Referring IPs
Personal Email
X.509 v3 Extensions
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
CVE Modified
Version
Updated Date
Indicator Identification
Job Family
Positive Detections	Number of engines that positively detected the indicator as malicious
Source Priority
Certificate Validation Checks
STIX Is Malware Family
ASN
Country Code Number
Operating System Version
Detection Engines	Total number of engines that checked the indicator
STIX Sophistication
Geo Country
Registrant Name
DHCP Server
Entry ID
Department	Department
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Blocked
User ID
Admin Name
STIX Roles
Commands
Country Name
Geo Location
Registrant Phone
Primary Motivation
Action
Registrant Country
STIX Primary Motivation.
Malware types
Size
Reports
Mitre ID
Assigned user
File Type
Detections
Product
Publications
Signature Copyright
Service	The specific service of a feed integration from which an indicator was ingested.
STIX Tool Types
Surname	Surname
Actor
Global Prevalence	The number of times the indicator is detected across all organizations.
Cost Center Code
Assigned role
Email
Path
PEM	Certificate in PEM format.
Roles
Implementation Languages
SHA1
CVSS Score
STIX Aliases	Alternative names used to identify this object
STIX Malware Types
Rank	Used to display rank from different sources
Certificates
DNS
Signed
Display Name
Mitre Tactics
Public Key
CVSS
Subject
Tool Types
Port
Username
Behavior
Admin Phone
Org Unit
Processors
Organization Prevalence	The number of times the indicator is detected in the organization.
Short Description
Registrar Abuse Address
STIX Resource Level
Samples
Targets
Tool Version
Job Code	Job Code
Mobile Phone
Community Notes
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Registrant Email
Serial Number
Org Level 3
Signature Original Name
City	City
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Domains
Is Malware Family
Organization
Domain Status
Domain Name
Name
Query Language
Definition
Given Name	Given Name
MAC Address
Internal
Registrar Name
CVE Description
Acquisition Hire	Whether the employee is an acquisition hire.
Is Processed
Subject Alternative Names
imphash
Office365Category
Source Original Severity	The original score/severity provided by the source without DBot translation.
Key Value
Creation Date
Registrar Abuse Name
Applications
State
Tags
Leadership
Office365Required
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Domain IDN Name
Vulnerabilities
SHA512
Signature File Version
File Extension
Vulnerable Products
Certificate Signature
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Secondary Motivations
Email Address
STIX Tool Version
DNS Records
Admin Email
Architecture
Registrar Abuse Email
OS Version
Hostname
Quarantined	Whether the indicator is quarantined or isolated
STIX Goals
Issuer
Number of subkeys
Organization First Seen	Date and time when the indicator was first seen in the organization.
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Description
Certificate Names
CVSS Version
Street Address
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
BIOS Version
STIX Threat Actor Types
SWID	Specifies the Software Identification (SWID) tags entry for the software
Subject DN	Subject Distinguished Name
Memory
Manager Email Address
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Malware Family
Resource Level
Signature Internal Name
Org Level 2
Region
Device Model
STIX Secondary Motivations
Force Sync	Whether to force user synchronization.
Zip Code
Threat Actor Types
Expiration Date
Published
Paths
Name Servers
Location
Vendor
Extension
Author
Signature Authentihash
Country Code
Registrar Abuse Network
Whois Records
Category
MD5
Feed Related Indicators
Validity Not Before	Specifies the date on which the certificate validity period begins.
Signature Description
Location Region
Goals
CVSS Vector
Associations	Known associations to other pieces of Threat Data.
SHA256
AS Owner
Office365ExpressRoute
Org Level 1
Registrar Abuse Phone
STIX Description
Processor
Groups
Associated File Names
Campaign

Layouts

Name	Description
Location	Location indicator layout
File Indicator	File Indicator Layout
Software	Software Indicator Layout
Host Indicator	Host indicator layout
IP Indicator	IP Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Email Indicator	Email Indicator Layout
CVE Indicator	CVE Indicator Layout
Campaign	Campaign Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Account Indicator	Account Indicator Layout
Domain Indicator	Domain Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Report	Report Indicator Layout
Tactic Layout	Tactic Indicator Layout
Vulnerability Incident
Tool Indicator	Tool Indicator Layout
Indicator Feed Incident
Course of Action	Course of Action Indicator Layout
Malware Indicator	Malware Indicator Layout
Mutex	Mutex indicator layout
X509 Certificate	CVE Indicator Layout
URL Indicator	URL Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Intrusion Set	Intrusion Set Layout
ASN	ASN Indicator Layout
Identity	Identity indicator layout

Indicator Types

Name	Description
Campaign
ssdeep
Tactic
URL
Course of Action
DomainGlob
Attack Pattern
Threat Actor
Registry Key
X509 Certificate
Software
CIDR
IP
File SHA-256
CVE
IPv6
Tool
Malware
Report
Onion Address
Intrusion Set
File
Mutex
Account
Identity
Infrastructure
ASN
File MD5
File SHA-1
Location
Email
Host
Domain
IPv6CIDR

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Alert tags
Policy Type
Reporter Email Address	The email address of the user who reported the email.
Command Line Verdict
Policy ID
Surname	Surname
File Hash
List Of Rules - Event	The list of rules associated to an event.
Asset Name
Country Code
Unique Ports
Start Time	The time when the offense started.
Process MD5
Org Level 3
URLs
Birthday	Person's Birthday
Attack Mode	Attack mode as received from the integration JSON
Number of similar files
Display Name	Display Name
OS	The operating system.
Policy URI
Tactic
Is Active	Alert status
Vendor Product
Bugtraq
Endpoint Isolation Status
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
File Size	File Size
Original Alert Source
Cost Center Code	Cost Center Code
app channel name
Agents ID
Source Status
Mobile Phone
Approval Status	The status for the approval of the request.
Technical Owner Contact	The contact details for the technical owner.
Resource Name
Location Region	Location Region
Dsts	The destination values.
Compliance Notes	Notes regarding the assets compliance.
External Sub Category Name
Rating
Parent Process Path
Event Descriptions	The description of the event name.
Event Names	The event name (translated QID ) in the event.
Pre Nat Source Port	The source port before NAT.
Verification Method	The method used to verify the user.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Affected Hosts
Scenario
Process Creation Time
Acquisition Hire
User Anomaly Count
Ticket Number
Sensor IP
External System ID
Process Names
Registry Value Type
Duration
Device OS Version
Post Nat Source Port	The source port after NAT.
Related Endpoints
Work Phone
Team name
Related Campaign
Selected Indicators	Includes the indicators selected by the user.
ASN
IP Reputation
Escalation
Job Family	Job Family
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Risk Score
Containment SLA	The time it took to contain the incident.
Password Reset Successfully	Whether the password has been successfully reset.
Ticket Closed Date
MITRE Technique ID
Number of Related Incidents
Source Updated by
RemovedFromCampaigns
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Signature
Use Case Description
Parent Process IDs
Policy Actions
File SHA1
Changed	The user who changed this incident
Cloud Instance ID	Cloud Instance ID
Source Geolocation	The source geolocation of the event.
Cloud Account ID
Full Name	Person's Full Name
Region ID
Technique ID
sAMAccountName	User sAMAAccountName
Registry Key
Item Owner Email
Alert Malicious	Whether the alert is malicious.
Destination Networks
Personal Email
Category Count	The number of categories that are associated with the offense.
Original Alert ID	Alert ID as received from the integration JSON
Employee Email	The email address of the employee.
User Engagement Response
Exposure Level
Password Changed Date
Street Address
Agent Version	Reporting Agent/Sensor Version
Post Nat Source IP	The source IP address after NAT.
Vulnerable Product
File Creation Date
Parent Process File Path
Detection URL	URL of the ExtraHop Reveal(x) detection
Rendered HTML	The HTML content in a rendered form.
Account Status
Post Nat Destination IP	The destination IP address after NAT.
Policy Remediable
SKU Name
Additional Data
Detection ID
Post Nat Destination Port	The destination port after NAT.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Policy Details
Process CMD
Parent Process MD5
Raw Event	The unparsed event data.
Device Time	The time from the original logging device when the event occurred.
Caller
Detected Internal Hosts	Detected internal hosts
Technique
Given Name	Given Name
Registry Hive
Blocked Action	Blocked Action
Classification	Incident Classification
Alert Type ID
Technical Owner	The technical owner of the asset.
Mobile Device Model
Project ID
Additional Email Addresses
EmailCampaignSnippets
Error Message	The error message that contains details about the error that occurred.
Custom Query Results
Vendor ID
Registry Value
Registration Email
Account ID
External Link
Pre Nat Destination Port	The destination port before NAT.
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Original Alert Name	Alert name as received from the integration JSON
User Block Status
Destination Geolocation	The destination geolocation of the event.
Related Alerts
Status Reason
Log Source Type	The log source type associated with the event.
Employee Manager Email	The email address of the employee's manager.
Department	Department
Related Report
Process ID
userAccountControl	userAccountControl
Affected Users
Low Level Categories Events	The low level category of the event.
Phone Number	Phone number
Error Code
Event ID	Event ID
Job Code	Job Code
CVE ID
Resource Type
CVE Published
String Similarity Results
Risk Name
Verification Status	The status of the user verification.
Assigned User	Assigned User
Manager Name	Manager Name
Closing Reason	The closing reason
Device Name	Device Name
Resource URL
EmailCampaignSummary
Users Details
Original Events	The events associated with the offense.
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Pre Nat Source IP	The source IP before NAT.
EmailCampaignMutualIndicators
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Report Name
Detected External IPs	Detected external IPs
Org Unit
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Title	Title
Last Name	Last Name
Comment	The comments related with the incident
Tactic ID
Rule Name	The name of a YARA rule
SKU TIER
Verdict
Device Hash	Device Hash
IP Blocked Status
SHA1	SHA1
Identity Type
Source Urgency	Source Urgency
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Internal Addresses
Objective
Item Owner
Alert Action	Alert action as received from the integration JSON
File Access Date
Traffic Direction	The direction of the traffic in the event.
Tool Usage Found
Isolated	Isolated
Source External IPs
Src OS	Src OS
External End Time
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
MITRE Technique Name
Source Create time
MITRE Tactic Name
Parent Process CMD
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Ticket Acknowledged Date
App message
Source Id
SHA512	SHA512
Referenced Resource ID
Vulnerability Category
Job Function	Job Function
CVSS Availability Requirement	The CVSS availability requirement for the asset.
UUID	UUID as received from the integration JSON
Group ID
Device Internal IPs
Org Level 2
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Leadership
Triage SLA	The time it took to investigate and enrich incident information.
CVE
Incident Link
End Time	The time when the offense ended.
Tools
Alert Rules
File Relationships
Parent Process SHA256
External Confidence
OutgoingMirrorError
Campaign Name
Device External IPs
External Category ID
Device Id	Device Id
Last Modified On
Domain Name
Log Source Name	The log source name associated with the event.
Policy Recommendation
Device OS Name
Operation Name
Number Of Log Sources	The number of log sources related to the offense.
Device MAC Address
Manager Email Address
Timezone
Closing User	The closing user.
ASN Name
External Start Time
Referenced Resource Name
High Risky Users
CVSS
Asset ID
Source Priority
Assignment Group
Application Path
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
External Severity
MITRE Tactic ID
Process SHA256
Last Modified By
Cloud Resource List
Similar incidents Dbot
External Status
External Sub Category ID
IncomingMirrorError
Last Seen
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
SSDeep
Cloud Region List
Attack Patterns
Block Indicators Status
Technical User	The technical user of the asset.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Follow Up	True if marked for follow up.
Email	Primary Email Address
Close Time	The closing time.
Policy Severity
Source Created By
Dest OS	Destination OS
Email Sent Successfully	Whether the email has been successfully sent.
Country Code Number
Zip Code	Zip Code
Device Model	Device Model
Tenant Name	Tenant Name
First Name	First Name
Triggered Security Profile	Triggered Security Profile
Hunt Results Count
Process Paths
Last Update Time
Protocol names
Detected Endpoints
Domain Registrar Abuse Email
Cost Center	Cost Center
Suspicious Executions Found
Account Member Of
Sub Category	The sub category
Location	Location
EmailCampaignCanvas
similarIncidents
Region
State	State
First Seen
Parent Process Name
Source Networks
OS Type	OS Type
User Creation Time
City
Suspicious Executions
Device OU	Device's OU path in Active Directory
Endpoints Details
User Id	User Id
External Category Name
User Groups
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Policy Description
Destination IPV6	The destination IPV6 address.
Org Level 1
High Risky Hosts
Policy Deleted
Investigation Stage	The stage of the investigation.
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Risk Rating
Source Category
Domain Updated Date
Detection End Time
Subtype	Subtype
User SID
Approver	The person who approved or needs to approve the request.
Additional Indicators
Log Source	Log Source
Cloud Service
Device Status
Original Description	The description of the incident
External Last Updated Time
Employee Display Name	The display name of the employee.

Incident Types

Name	Description
Defacement
Reconnaissance
Exploit
UnknownBinary
Vulnerability
Authentication
Policy Violation
Simulation
DoS
C2Communication
Indicator Feed
Job
Exfiltration
Hunt
Network
Lateral Movement

Indicator Fields

Name	Description
Acquisition Hire	Whether the employee is an acquisition hire.
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Signed
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Number of subkeys
Goals
Positive Detections	Number of engines that positively detected the indicator as malicious
Report Object References	A list of STIX IDs referenced in the report.
Indicator Identification
User ID
Malware Family
Reports
Job Code	Job Code
Registrar Abuse Email
Secondary Motivations
Is Processed
Domain Status
Email Address
BIOS Version
File Extension
Zip Code
Work Phone
Leadership
Service	The specific service of a feed integration from which an indicator was ingested.
Force Sync	Whether to force user synchronization.
CVSS
Whois Records
X.509 v3 Extensions
CVSS Score
Internal
Registrant Name
Registrar Abuse Address
Account Type
Primary Motivation
Name
Product
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Domain IDN Name
Org Level 3
Vendor
Serial Number
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Feed Related Indicators
Expiration Date
Creation Date
Targets
MD5
Tool Types
Domain Referring IPs
Job Function
Location
Operating System
Definition
Public Key
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
SHA256
Domain Name
Mobile Phone
Admin Country
Registrant Email
Aliases	Alternative names used to identify this object
Objective
Commands
STIX Tool Version
STIX Goals
STIX Sophistication
Processor
Mitre ID
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
CVSS3
Certificate Signature
Admin Email
State
Assigned user
Name Servers
File Type
Username
Signature File Version
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Community Notes
Mitre Tactics
DNS Records
Registrar Abuse Name
Cost Center
Country Code
Issuer DN	Issuer Distinguished Name
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
STIX Resource Level
Department	Department
Org Unit
IP Address
City	City
STIX Tool Types
STIX Is Malware Family
Device Model
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Personal Email
Infrastructure Types
Size
Samples
Processors
Groups
Report type
Registrant Phone
Associations	Known associations to other pieces of Threat Data.
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Operating System Version
Capabilities
Key Value
Domains
Campaign
DHCP Server
Malware types
CVSS Table
Path
Hostname
Organization Type
SHA512
STIX Primary Motivation.
Manager Email Address
STIX Description
Query Language
Actor
Assigned role
Signature Description
STIX Threat Actor Types
Geo Location
Architecture
imphash
First Seen By Source	The first time the indicator was seen by the source vendor.
Applications
Quarantined	Whether the indicator is quarantined or isolated
Port
Version
ASN
Certificate Names
Memory
Published
Detection Engines	Total number of engines that checked the indicator
Registrar Name
Resource Level
Subject DN	Subject Distinguished Name
OS Version
Domain Referring Subnets
Street Address
Location Region
Office365Required
Sophistication
Registrant Country
Tags
Organization Prevalence	The number of times the indicator is detected in the organization.
Manager Name	Manager Name
PEM	Certificate in PEM format.
Org Level 1
Updated Date
Country Name
Certificate Validation Checks
Download URL
Region
STIX Secondary Motivations
Admin Name
Organization First Seen	Date and time when the indicator was first seen in the organization.
Description
CVE Description
Country Code Number
Registrar Abuse Phone
Issuer
STIX Aliases	Alternative names used to identify this object
Subject Alternative Names
CVSS Vector
Display Name
DNS
Entry ID
SSDeep
Author
CVSS Version
Vulnerabilities
Extension
Signature Algorithm
Short Description
Organization
CVE Modified
Confidence
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Admin Phone
STIX Malware Types
SHA1
Surname	Surname
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Rank	Used to display rank from different sources
Tool Version
Is Malware Family
Signature Original Name
Associated File Names
Cost Center Code
Validity Not Before	Specifies the date on which the certificate validity period begins.
Office365ExpressRoute
Action
Category
Implementation Languages
Source Original Severity	The original score/severity provided by the source without DBot translation.
Global Prevalence	The number of times the indicator is detected across all organizations.
Given Name	Given Name
Name Field
Org Level 2
Roles
Threat Actor Types
Publications
Organizational Unit (OU)
Registrar Abuse Network
AS Owner
Paths
Signature Copyright
Behavior
Source Priority
STIX Roles
Blocked
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Email
Registrar Abuse Country
Signature Authentihash
Subject
Vulnerable Products
Job Family
Subdomains
Detections
Certificates
Office365Category
Geo Country
Operating System Refs
SWID	Specifies the Software Identification (SWID) tags entry for the software
Signature Internal Name
Title	Title
Validity Not After	Specifies the date on which the certificate validity period ends.

Layoutrule

Name	Description
Indicator Feed Layout Rule
Vulnerability Layout Rule

Layouts

Name	Description
Campaign	Campaign Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
CVE Indicator	CVE Indicator Layout
Mutex	Mutex indicator layout
ASN	ASN Indicator Layout
Account Indicator	Account Indicator Layout
URL Indicator	URL Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Malware Indicator	Malware Indicator Layout
Tool Indicator	Tool Indicator Layout
File Indicator	File Indicator Layout
Email Indicator	Email Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Intrusion Set	Intrusion Set Layout
IP Indicator	IP Indicator Layout
X509 Certificate	CVE Indicator Layout
Host Indicator	Host indicator layout
Tactic Layout	Tactic Indicator Layout
Vulnerability Incident
Course of Action	Course of Action Indicator Layout
Location	Location indicator layout
Domain Indicator	Domain Indicator Layout
Identity	Identity indicator layout
Indicator Feed Incident
Registry Key Indicator	Registry Key Indicator Layout
Report	Report Indicator Layout
Software	Software Indicator Layout

Indicator Types

Name	Description
X509 Certificate
Domain
ssdeep
DomainGlob
Intrusion Set
File MD5
Tool
CVE
Attack Pattern
File
Registry Key
Threat Actor
Identity
IPv6
File SHA-256
Account
Malware
Mutex
Software
Host
Email
IPv6CIDR
Course of Action
Campaign
Report
URL
ASN
Onion Address
CIDR
IP
Location
Infrastructure
Tactic
File SHA-1

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (56)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.5.5 - 1082615 (June 10, 2024)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

3.5.4 - 1061293 (June 2, 2024)

Indicator Types

Email

Related pull requests:
- 33924

Download

3.5.3 - 1021616 (May 16, 2024)

Indicator Fields

Kill Chain Phases
- Added a missing phase, Resource Development, to multi-select list

Related pull requests:
- 33786

Download

3.5.2 - 998827 (May 6, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Indicator Fields

Author

Related pull requests:
- 33839

Download

3.5.0 - 995825 (May 5, 2024)

Incident Fields

New: Registration Email
New: Domain Updated Date
New: Domain Registrar Abuse Email

Related pull requests:
- 32924

Download

3.4.10 - 951066 (April 11, 2024)

Incident Fields

Policy Type
New: CVE ID
New: Resource URL
New: User Anomaly Count
New: CVE Published
Policy Recommendation
New: Vulnerable Product
New: Alert Rules

Related pull requests:
- 33781

Download

3.4.9 - 948301 (April 10, 2024)

Incident Fields

Compliance Notes - Added the Prisma Cloud Compute Compliance v2 incident type as an associated types.

Related pull requests:
- 32936

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1900707 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1621428 (November 11, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.5.5 - 1082615 (June 10, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

3.5.4 - 1063016 (June 2, 2024)

Indicator Types

Email

Related pull requests:
- 33924

Download

3.5.3 - 1021616 (May 16, 2024)

Indicator Fields

Kill Chain Phases
- Added a missing phase, Resource Development, to multi-select list

Related pull requests:
- 33786

Download

3.5.2 - 998827 (May 6, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Indicator Fields

Author

Related pull requests:
- 33839

Download

3.5.0 - 995825 (May 5, 2024)

Incident Fields

New: Registration Email
New: Domain Updated Date
New: Domain Registrar Abuse Email

Related pull requests:
- 32924

Download

3.4.10 - 951066 (April 11, 2024)

Incident Fields

Policy Type
New: CVE ID
New: Resource URL
New: User Anomaly Count
New: CVE Published
Policy Recommendation
New: Vulnerable Product
New: Alert Rules

Related pull requests:
- 33781

Download

3.4.9 - 948301 (April 10, 2024)

Incident Fields

Compliance Notes - Added the Prisma Cloud Compute Compliance v2 incident type as an associated types.

Related pull requests:
- 32936

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	April 6, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Common Types

Pack Contributors:

Pack Contributors:

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Layouts

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications

New: Definition

Indicator Types

Incident Fields

Indicator Fields

Validity Not Before

Validity Not After

Layouts

Indicator Types

Incident Fields

Indicator Types

Layouts

Indicator Fields

Primary Motivation

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Common Types

Indicator Types

Indicator Fields

Common Types

Indicator Fields

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category