Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Alert Type ID
Duration
Status Reason
Mobile Phone
Campaign Name
Technique ID
Users
Risk Score
Alert tags
End Time	The time when the offense ended.
Tools
Custom Query Results
Child Process
String Similarity Results
Category Count	The number of categories that are associated with the offense.
Affected Hosts
Related Report
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Verdict
Employee Display Name	The display name of the employee.
Traffic Direction	The direction of the traffic in the event.
Appliance Name	Appliance name as received from the integration JSON
Report Name
File Path
ASN Name
Src User	Source User
File Size	File Size
File MD5
Region ID
Email	Primary Email Address
External End Time
Isolated	Isolated
Location Region	Location Region
PID	PID
Triage SLA	The time it took to investigate and enrich incident information.
Raw Event	The unparsed event data.
Device MAC Address
External ID
External Last Updated Time
Org Level 1
Device External IP	Device External IP
Tool Usage Found
Destination Port	The destination port used.
Command Line	Command Line
App message
Parent Process MD5
File Names
Triggered Security Profile	Triggered Security Profile
Suspicious Executions
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Source External IPs
File SHA256
Dest OS	Destination OS
Registration Email
Post Nat Destination Port	The destination port after NAT.
sAMAccountName	User sAMAAccountName
Src Ports	The source ports of the event.
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
External Start Time
Related Campaign
Tactic ID
Source Id
Vendor ID
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Exposure Level
Rule Name	The name of a YARA rule
Last Name	Last Name
Cloud Instance ID	Cloud Instance ID
Agents ID
Threat Hunting Detected Hostnames
Work Phone
External Category ID
Protocol	Protocol
Domain Registrar Abuse Email
File Paths
Item Owner
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Org Unit
Event Type	Event Type
Signature
Src OS	Src OS
Users Details
File Hash
External Sub Category ID
Dest NT Domain	Destination NT Domain
Log Source Type	The log source type associated with the event.
Detected Internal Hosts	Detected internal hosts
Number of Related Incidents
Destination Geolocation	The destination geolocation of the event.
Source Username	The username that was the source of the attack.
Parent Process File Path
OutgoingMirrorError
IP Reputation
Follow Up	True if marked for follow up.
Attack Patterns
Alert ID	Alert ID as received from the integration JSON
Dest Hostname	Destination hostname
UUID	UUID as received from the integration JSON
Pre Nat Destination Port	The destination port before NAT.
Blocked Action	Blocked Action
EmailCampaignCanvas
Department	Department
Compliance Notes	Notes regarding the assets compliance.
SKU TIER
Project ID
Device Hash	Device Hash
Detected Users	Detected users
Destination Network
Process Creation Time
IncomingMirrorError
Vendor Product
RemovedFromCampaigns
Application Path
Closing User	The closing user.
Log Source	Log Source
Log Source Name	The log source name associated with the event.
Src Hostname	Source hostname
Srcs	The source values.
Source MAC Address	The source MAC address in an event.
ASN
Number Of Found Related Alerts	Medium or Higher Severity Alerts
app channel name
Command Line Verdict
Password Changed Date
similarIncidents
Events	The events associated with the offense.
Similar incidents Dbot
City
Ticket Acknowledged Date
Classification	Incident Classification
Destination Hostname	Destination hostname
Application Name	Application Name
Source Priority
Hunt Results Count
SKU Name
Source Geolocation	The source geolocation of the event.
CMD
Assignment Group
MITRE Technique Name
Country Name	Country Name
Password Reset Successfully	Whether the password has been successfully reset.
Hostnames	The hostname in the event.
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Scenario
Policy Deleted
Parent Process SHA256
Org Level 2
Destination IPV6	The destination IPV6 address.
File Creation Date
Close Time	The closing time.
Src	Source
User Block Status
Detected Internal IPs	Detected internal IPs
MITRE Technique ID
Account ID
Referenced Resource ID
Org Level 3
Post Nat Destination IP	The destination IP address after NAT.
Acquisition Hire
Alert Attack Time
Country Code Number
Registry Hive
Referenced Resource Name
Event Descriptions	The description of the event name.
Last Update Time
Device Name	Device Name
Related Endpoints
First Name	First Name
Identity Type
Resource Name
Destination IPs	The destination IPs of the event.
Team name
Post Nat Source Port	The source port after NAT.
Number Of Log Sources	The number of log sources related to the offense.
userAccountControl	userAccountControl
Device Status
Cloud Region List
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Endpoints Details
OS	The operating system.
Escalation
Title	Title
Error Code
Vulnerability Category
Alert Name	Alert name as received from the integration JSON
Detection Update Time
Source Created By
CVE Published
Account Member Of
Device External IPs
Parent Process IDs
Job Family	Job Family
Vulnerable Product
Dsts	The destination values.
Affected Users
Country	The country from which the user logged in.
Process ID
Additional Data
MAC Address	MAC Address
List Of Rules - Event	The list of rules associated to an event.
Post Nat Source IP	The source IP address after NAT.
Verification Status	The status of the user verification.
Personal Email
Rating
CVE ID
Endpoint
Bugtraq
Containment SLA	The time it took to contain the incident.
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Alert Source
Start Time	The time when the offense started.
Source IPs	The source IPs of the event.
Operation Name
SHA256	SHA256
Technical Owner Contact	The contact details for the technical owner.
Alert URL	Alert URL as received from the integration JSON
Source Hostname	The hostname that performed the port scan.
Device Internal IPs
Parent Process Name
Birthday	Person's Birthday
Street Address
Risk Rating
Pre Nat Source IP	The source IP before NAT.
Sub Category	The sub category
Comment	The comments related with the incident
Policy Type
Region
Destination MAC Address	The destination MAC address in an event.
MD5	MD5
Ticket Number
Destination IP	The IP address the impossible traveler logged in to.
User SID
User Agent
Source IP	The IP Address that the user initially logged in from.
Device OS Name
Incident Link
Display Name	Display Name
High Risky Users
File Name
Event Names	The event name (translated QID ) in the event.
Process CMD
Changed	The user who changed this incident
Assigned User	Assigned User
Technical User	The technical user of the asset.
Unique Ports
Phone Number	Phone number
Description	The description of the incident
Number of similar files
External Sub Category Name
File SHA1
User Engagement Response
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Domain Updated Date
DNS Name	The DNS name of the asset.
MITRE Tactic ID
Policy Severity
Suspicious Executions Found
Sensor Name
Registry Value Type
Country Code
Job Code	Job Code
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Parent Process
Ticket Closed Date
Caller
First Seen
Parent CMD line
Policy ID
Leadership
Alert Action	Alert action as received from the integration JSON
Protocol - Event	The network protocol in the event.
Sensor IP
Process Path
Device Model	Device Model
Employee Manager Email	The email address of the employee's manager.
Resource URL
Objective
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Threat Hunting Detected IP
Detection URL	URL of the ExtraHop Reveal(x) detection
Location	Location
Agent Version	Reporting Agent/Sensor Version
Technique
Mobile Device Model
Asset Name
Process SHA256
Alert Category	The category of the alert
Detection End Time
Source Network
Source Status
Parent Process Path
Group ID
External Category Name
Resource ID
Source Networks
Rendered HTML	The HTML content in a rendered form.
Cloud Account ID
Low Level Categories Events	The low level category of the event.
User Groups
SHA1	SHA1
Categories	The categories for the incident.
MITRE Tactic Name
High Level Categories	The high level categories in the events.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Endpoint Isolation Status
Appliance ID	Appliance ID as received from the integration JSON
EmailCampaignMutualIndicators
URLs
Pre Nat Source Port	The source port before NAT.
External Link
Username	The username of the account who logged in.
Risk Name
Internal Addresses
External Status
Parent Process CMD
Subtype	Subtype
IP Blocked Status
Additional Email Addresses
Approver	The person who approved or needs to approve the request.
Protocol names
Manager Name	Manager Name
Source Urgency	Source Urgency
Domain Name
Usernames	The username in the event.
Alert Rules
Technical Owner	The technical owner of the asset.
External System ID
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
User Creation Time
Email Sent Successfully	Whether the email has been successfully sent.
Device Local IP	Device Local IP
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
External Severity
OS Version	OS Version
Investigation Stage	The stage of the investigation.
Policy Description
Is Active	Alert status
Approval Status	The status for the approval of the request.
Policy Recommendation
OS Type	OS Type
Ticket Opened Date
CVE
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Device OS Version
Cloud Service
Application Id	Application Id
Source Updated by
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Asset ID
Detected IPs
Device Time	The time from the original logging device when the event occurred.
Source IPV6	The source IPV6 address.
Process Names
External Confidence
Additional Indicators
File Access Date
Tactic
Full Name	Person's Full Name
Employee Email	The email address of the employee.
Policy Details
Selected Indicators	Includes the indicators selected by the user.
SSDeep
App
Protocols
Audit Logs
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Account Name	Account Name
Device OU	Device's OU path in Active Directory
Source Port	The source port that was used
Destination Networks
Dest	Destination
Related Alerts
Use Case Description
Manager Email Address
EmailCampaignSnippets
File Relationships
Timezone
Src NT Domain	Source NT Domain
Device Username	The username of the user that owns the device
Policy Remediable
CVSS Availability Requirement	The CVSS availability requirement for the asset.
SHA512	SHA512
Detected External IPs	Detected external IPs
Block Indicators Status
Detected User
Detected Endpoints
Cost Center	Cost Center
Last Modified On
Process Name
External Addresses
Given Name	Given Name
Process MD5
Resource Type
Verification Method	The method used to verify the user.
User Anomaly Count
Agent ID	Agent ID
Device Id	Device Id
Event ID	Event ID
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Cloud Resource List
Item Owner Email
Source Create time
Attack Mode	Attack mode as received from the integration JSON
Alert Malicious	Whether the alert is malicious.
EmailCampaignSummary
User Risk Level
Job Function	Job Function
Source Category
Account Status
Tags
Cloud Operation Type
Error Message	The error message that contains details about the error that occurred.
Detection ID
User Id	User Id
Process Paths
CMD line
Zip Code	Zip Code
CVSS
Policy Actions
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Detected External Hosts	Detected external hosts
Closing Reason	The closing reason
Dst Ports	The destination ports of the event.
Registry Key
Tenant Name	Tenant Name
Registry Value
Last Modified By
State	State
Cost Center Code	Cost Center Code
Policy URI
Reporter Email Address	The email address of the user who reported the email.
Surname	Surname
Last Seen
High Risky Hosts

Incident Types

Name	Description
Exploit
Network
Indicator Feed
UnknownBinary
Job
Vulnerability
Authentication
Exfiltration
Defacement
Hunt
DoS
Simulation
C2Communication
Policy Violation
Reconnaissance
Lateral Movement

Indicator Fields

Name	Description
Primary Motivation
Country Code Number
Memory
ASN
CVSS3
BIOS Version
Action
Expiration Date
Cost Center
Issuer DN	Issuer Distinguished Name
Reports
STIX Malware Types
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Report type
Surname	Surname
Last Seen By Source	The last time the indicator was seen by the Source vendor.
STIX Primary Motivation.
Leadership
Download URL
Country Code
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
CVE Description
STIX Resource Level
Registrant Name
Published
Registrant Country
Vulnerable Products
Internal
Global Prevalence	The number of times the indicator is detected across all organizations.
Work Phone
Subject Alternative Names
Certificate Signature
Path
Domains
SHA512
Geo Location
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Name
Implementation Languages
Domain Referring IPs
Malware types
Commands
STIX Goals
Signature Authentihash
PEM	Certificate in PEM format.
Goals
Aliases	Alternative names used to identify this object
Admin Phone
STIX Tool Types
Manager Email Address
Registrar Abuse Network
Definition
Quarantined	Whether the indicator is quarantined or isolated
Subject
Validity Not After	Specifies the date on which the certificate validity period ends.
Capabilities
Source Original Severity	The original score/severity provided by the source without DBot translation.
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
MAC Address
Organization First Seen	Date and time when the indicator was first seen in the organization.
Description
Signature Internal Name
Given Name	Given Name
Mitre Tactics
Actor
Blocked
Confidence
Tool Types
Positive Detections	Number of engines that positively detected the indicator as malicious
Resource Level
Groups
User ID
Author
Validity Not Before	Specifies the date on which the certificate validity period begins.
Organization Prevalence	The number of times the indicator is detected in the organization.
CVSS Vector
Subdomains
Tool Version
Port
Key Value
STIX Is Malware Family
Infrastructure Types
Number of subkeys
Product
DNS Records
Vulnerabilities
Malware Family
Secondary Motivations
Targets
Country Name
Registrar Abuse Address
Title	Title
Registrar Abuse Phone
Updated Date
Operating System
STIX Roles
Admin Name
Domain Status
Signature Description
Registrant Email
Architecture
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
CVSS Table
imphash
CVSS
Department	Department
SHA1
Personal Email
Registrar Name
Cost Center Code
Acquisition Hire	Whether the employee is an acquisition hire.
Certificate Validation Checks
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Job Family
Device Model
Issuer
City	City
Paths
File Type
Vendor
Job Code	Job Code
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Manager Name	Manager Name
Signature Copyright
OS Version
Street Address
CVE Modified
Service	The specific service of a feed integration from which an indicator was ingested.
Org Unit
Operating System Version
Org Level 3
STIX Description
Signed
Office365ExpressRoute
SWID	Specifies the Software Identification (SWID) tags entry for the software
STIX Tool Version
Mitre ID
Zip Code
Domain Name
Signature File Version
Organizational Unit (OU)
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Creation Date
Subject DN	Subject Distinguished Name
Domain IDN Name
Processor
Registrar Abuse Name
Rank	Used to display rank from different sources
STIX Secondary Motivations
Job Function
MD5
Admin Email
Registrant Phone
Associated File Names
Assigned user
CVSS Version
Processors
Signature Algorithm
Behavior
Signature Original Name
Registrar Abuse Country
Tags
DNS
Force Sync	Whether to force user synchronization.
IP Address
Detection Engines	Total number of engines that checked the indicator
Location
Detections
Display Name
AS Owner
Sophistication
Public Key
Admin Country
Short Description
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
STIX Threat Actor Types
Certificate Names
Domain Referring Subnets
Whois Records
Assigned role
State
Size
Hostname
SHA256
Email Address
Operating System Refs
Geo Country
Account Type
Associations	Known associations to other pieces of Threat Data.
Office365Required
SSDeep
Query Language
Registrar Abuse Email
CVSS Score
Threat Actor Types
Location Region
Name Servers
Indicator Identification
First Seen By Source	The first time the indicator was seen by the source vendor.
Extension
Mobile Phone
DHCP Server
Version
Publications
STIX Sophistication
Roles
X.509 v3 Extensions
Objective
Serial Number
Community Notes
Username
Samples
Organization Type
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
File Extension
Category
Name Field
Entry ID
Is Processed
Source Priority
Applications
Is Malware Family
Email
Feed Related Indicators
Campaign
Organization
Office365Category
Report Object References	A list of STIX IDs referenced in the report.
Org Level 1
STIX Aliases	Alternative names used to identify this object
Certificates
Org Level 2
Region

Layouts

Name	Description
Intrusion Set	Intrusion Set Layout
CVE Indicator	CVE Indicator Layout
File Indicator	File Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Tactic Layout	Tactic Indicator Layout
Vulnerability Incident
Domain Indicator	Domain Indicator Layout
IP Indicator	IP Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Course of Action	Course of Action Indicator Layout
Tool Indicator	Tool Indicator Layout
ASN	ASN Indicator Layout
Host Indicator	Host indicator layout
URL Indicator	URL Indicator Layout
Malware Indicator	Malware Indicator Layout
Identity	Identity indicator layout
Threat Actor	Threat Actor Indicator Layout
Software	Software Indicator Layout
Mutex	Mutex indicator layout
X509 Certificate	CVE Indicator Layout
Report	Report Indicator Layout
Email Indicator	Email Indicator Layout
Account Indicator	Account Indicator Layout
Campaign	Campaign Indicator Layout
Location	Location indicator layout
Indicator Feed Incident

Indicator Types

Name	Description
Tactic
Campaign
Attack Pattern
Host
Tool
Report
Intrusion Set
Malware
Software
URL
File MD5
DomainGlob
Email
File SHA-1
Infrastructure
IPv6
CVE
Mutex
Course of Action
X509 Certificate
Domain
Account
ASN
Threat Actor
File SHA-256
IPv6CIDR
Location
ssdeep
CIDR
Onion Address
IP
Identity
Registry Key
File

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Location Region	Location Region
Suspicious Executions Found
File Creation Date
Manager Email Address
Use Case Description
Source Urgency	Source Urgency
Log Source Name	The log source name associated with the event.
Operation Name
External Confidence
Triage SLA	The time it took to investigate and enrich incident information.
Campaign Name
ASN
Custom Query Results
Parent Process CMD
Process CMD
Users Details
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Affected Hosts
Post Nat Source IP	The source IP address after NAT.
Event ID	Event ID
Registry Value Type
IncomingMirrorError
Asset ID
Org Level 2
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
First Seen
Device External IPs
CVSS
User Groups
Hunt Results Count
CVE Published
Risk Score
Device OU	Device's OU path in Active Directory
Subtype	Subtype
Domain Updated Date
External Sub Category Name
Org Unit
MITRE Tactic Name
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Traffic Direction	The direction of the traffic in the event.
Detected Internal Hosts	Detected internal hosts
Device OS Name
Low Level Categories Events	The low level category of the event.
External System ID
Close Time	The closing time.
End Time	The time when the offense ended.
Device MAC Address
External Start Time
Process Creation Time
State	State
External End Time
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Email Sent Successfully	Whether the email has been successfully sent.
User Anomaly Count
Policy Actions
Asset Name
Device Name	Device Name
Account ID
EmailCampaignCanvas
Rendered HTML	The HTML content in a rendered form.
SKU TIER
Application Path
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Device OS Version
Tools
First Name	First Name
Email	Primary Email Address
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Pre Nat Destination Port	The destination port before NAT.
Registry Key
External Last Updated Time
Related Report
External Severity
Escalation
Given Name	Given Name
Alert Rules
Parent Process Name
Referenced Resource Name
Detection SLA	The time it took from incident creation until the maliciousness was determined.
File Access Date
Dsts	The destination values.
Unique Ports
Password Reset Successfully	Whether the password has been successfully reset.
Event Names	The event name (translated QID ) in the event.
Policy Recommendation
Alert Type ID
Parent Process File Path
Related Alerts
Job Code	Job Code
Item Owner Email
Post Nat Source Port	The source port after NAT.
Original Alert Source
Vendor Product
Process MD5
Device Status
Agent Version	Reporting Agent/Sensor Version
Detection End Time
Source Updated by
Classification	Incident Classification
MITRE Tactic ID
High Risky Hosts
Region ID
app channel name
SHA1	SHA1
EmailCampaignSnippets
Personal Email
Device Model	Device Model
High Risky Users
Endpoints Details
Parent Process Path
Original Alert ID	Alert ID as received from the integration JSON
Source External IPs
Bugtraq
Log Source Type	The log source type associated with the event.
similarIncidents
Resource URL
Street Address
Account Status
EmailCampaignMutualIndicators
Job Function	Job Function
Tenant Name	Tenant Name
sAMAccountName	User sAMAAccountName
Additional Email Addresses
Mobile Device Model
Full Name	Person's Full Name
Number of similar files
Cost Center	Cost Center
Endpoint Isolation Status
Duration
Verification Method	The method used to verify the user.
Resource Type
Is Active	Alert status
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Process Paths
Employee Email	The email address of the employee.
URLs
External Category Name
Follow Up	True if marked for follow up.
Registry Value
Rating
Ticket Closed Date
Source Id
Cost Center Code	Cost Center Code
Work Phone
Policy Type
Ticket Number
String Similarity Results
Assignment Group
Assigned User	Assigned User
Source Created By
Policy Description
Policy Deleted
Device Internal IPs
Attack Patterns
Risk Name
Policy ID
User Creation Time
Resource Name
Employee Manager Email	The email address of the employee's manager.
Vulnerable Product
Blocked Action	Blocked Action
Original Events	The events associated with the offense.
User Engagement Response
Additional Data
Block Indicators Status
Process Names
Source Category
Device Id	Device Id
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Protocol names
Verdict
Country Code Number
Employee Display Name	The display name of the employee.
Vendor ID
Selected Indicators	Includes the indicators selected by the user.
OS	The operating system.
Vulnerability Category
Sensor IP
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Exposure Level
Mobile Phone
SHA512	SHA512
Cloud Region List
Approval Status	The status for the approval of the request.
Destination IPV6	The destination IPV6 address.
Investigation Stage	The stage of the investigation.
Manager Name	Manager Name
Changed	The user who changed this incident
Signature
Registry Hive
Display Name	Display Name
CVE
Location	Location
Error Message	The error message that contains details about the error that occurred.
Password Changed Date
userAccountControl	userAccountControl
Registration Email
Threat Name	Define the threat name such as malware/exploit/phishing/etc
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Domain Name
Cloud Service
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Tool Usage Found
Command Line Verdict
External Link
EmailCampaignSummary
Referenced Resource ID
Post Nat Destination Port	The destination port after NAT.
Identity Type
Sub Category	The sub category
Source Networks
Pre Nat Source Port	The source port before NAT.
IP Reputation
Report Name
Related Endpoints
Related Campaign
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Additional Indicators
Parent Process MD5
Parent Process SHA256
Policy Remediable
List Of Rules - Event	The list of rules associated to an event.
Ticket Acknowledged Date
Cloud Instance ID	Cloud Instance ID
Group ID
Last Modified On
Destination Networks
Org Level 1
Closing Reason	The closing reason
Attack Mode	Attack mode as received from the integration JSON
Country Code
Tactic
Leadership
External Status
Process SHA256
Org Level 3
File Hash
Verification Status	The status of the user verification.
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Incident Link
Surname	Surname
Last Update Time
RemovedFromCampaigns
Event Descriptions	The description of the event name.
OS Type	OS Type
Start Time	The time when the offense started.
CVE ID
Timezone
Original Description	The description of the incident
Domain Registrar Abuse Email
SSDeep
Cloud Account ID
Dest OS	Destination OS
Team name
City
MITRE Technique Name
Policy URI
Policy Details
Scenario
Title	Title
Department	Department
Raw Event	The unparsed event data.
Rule Name	The name of a YARA rule
Affected Users
Detected External IPs	Detected external IPs
Number Of Log Sources	The number of log sources related to the offense.
Destination Geolocation	The destination geolocation of the event.
Objective
External Category ID
Pre Nat Source IP	The source IP before NAT.
Acquisition Hire
Suspicious Executions
Detection ID
Technical Owner	The technical owner of the asset.
Last Name	Last Name
Device Time	The time from the original logging device when the event occurred.
Post Nat Destination IP	The destination IP address after NAT.
Agents ID
Category Count	The number of categories that are associated with the offense.
Policy Severity
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
App message
Parent Process IDs
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Source Priority
Account Member Of
Technique ID
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
User Block Status
Tactic ID
User Id	User Id
Technique
Source Status
Reporter Email Address	The email address of the user who reported the email.
Containment SLA	The time it took to contain the incident.
Detection URL	URL of the ExtraHop Reveal(x) detection
User SID
Last Seen
Alert tags
Technical Owner Contact	The contact details for the technical owner.
Risk Rating
Last Modified By
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Audit Logs
Process ID
File Size	File Size
Device Hash	Device Hash
External Sub Category ID
Status Reason
Similar incidents Dbot
Triggered Security Profile	Triggered Security Profile
Alert Malicious	Whether the alert is malicious.
OutgoingMirrorError
Comment	The comments related with the incident
Cloud Resource List
Technical User	The technical user of the asset.
File SHA1
Zip Code	Zip Code
MITRE Technique ID
Job Family	Job Family
ASN Name
Src OS	Src OS
Item Owner
Alert Action	Alert action as received from the integration JSON
Approver	The person who approved or needs to approve the request.
Project ID
Caller
Region
Detected Endpoints
Error Code
Isolated	Isolated
IP Blocked Status
SKU Name
Source Geolocation	The source geolocation of the event.
Closing User	The closing user.
Original Alert Name	Alert name as received from the integration JSON
Source Create time
Internal Addresses
Log Source	Log Source
Number of Related Incidents
Compliance Notes	Notes regarding the assets compliance.
File Relationships
Birthday	Person's Birthday
UUID	UUID as received from the integration JSON
Phone Number	Phone number

Incident Types

Name	Description
Simulation
Network
Hunt
UnknownBinary
Vulnerability
Defacement
Exploit
Job
Policy Violation
DoS
Exfiltration
Lateral Movement
C2Communication
Reconnaissance
Indicator Feed
Authentication

Indicator Fields

Name	Description
Quarantined	Whether the indicator is quarantined or isolated
Signature Algorithm
Aliases	Alternative names used to identify this object
Display Name
Personal Email
STIX Aliases	Alternative names used to identify this object
Creation Date
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Publications
Commands
IP Address
Path
Name Field
Registrar Abuse Network
CVSS Vector
Manager Name	Manager Name
Signature Copyright
imphash
Registrar Abuse Address
Force Sync	Whether to force user synchronization.
X.509 v3 Extensions
CVSS Version
Validity Not Before	Specifies the date on which the certificate validity period begins.
Groups
Action
Key Value
Category
Confidence
Sophistication
Processor
Community Notes
Admin Email
Detection Engines	Total number of engines that checked the indicator
CVSS Table
Author
AS Owner
SHA1
Registrar Abuse Email
OS Version
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Country Code
Updated Date
Organization
Tags
Cost Center Code
Number of subkeys
Malware Family
Signature Original Name
Subdomains
SSDeep
Organization Last Seen	Date and time when the indicator was last seen in the organization.
STIX Malware Types
Threat Actor Types
File Type
DNS
STIX Is Malware Family
Registrant Email
Source Original Severity	The original score/severity provided by the source without DBot translation.
Cost Center
Signed
Rank	Used to display rank from different sources
ASN
MD5
Whois Records
Product
First Seen By Source	The first time the indicator was seen by the source vendor.
STIX Secondary Motivations
SHA512
Subject DN	Subject Distinguished Name
STIX Description
STIX Resource Level
File Extension
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Registrar Abuse Phone
Published
Malware types
Download URL
Is Malware Family
Roles
Expiration Date
Email Address
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Certificate Signature
Certificate Names
Mitre ID
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Country Name
CVE Modified
STIX Tool Version
Leadership
Query Language
Entry ID
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Signature Description
Processors
Extension
Job Code	Job Code
Operating System Version
Report Object References	A list of STIX IDs referenced in the report.
Operating System Refs
Office365Required
Vulnerabilities
Capabilities
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Organization First Seen	Date and time when the indicator was first seen in the organization.
Assigned user
Size
PEM	Certificate in PEM format.
Actor
Service	The specific service of a feed integration from which an indicator was ingested.
CVE Description
Description
Registrant Phone
Geo Country
Admin Country
Samples
BIOS Version
Registrant Name
Memory
Validity Not After	Specifies the date on which the certificate validity period ends.
Zip Code
Name Servers
Resource Level
Office365Category
Title	Title
CVSS
Serial Number
Org Unit
Certificate Validation Checks
Campaign
Job Function
Admin Name
Source Priority
Domain Referring Subnets
Global Prevalence	The number of times the indicator is detected across all organizations.
Feed Related Indicators
Infrastructure Types
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Username
STIX Primary Motivation.
Certificates
Reports
Vulnerable Products
Registrar Name
Registrar Abuse Name
SHA256
DNS Records
Manager Email Address
Domains
Primary Motivation
Registrar Abuse Country
Internal
Name
Organizational Unit (OU)
Targets
Public Key
Hostname
Department	Department
Issuer
Domain Name
Surname	Surname
Given Name	Given Name
Admin Phone
Signature Internal Name
Org Level 1
Org Level 3
Org Level 2
Domain IDN Name
Registrant Country
Location
Mobile Phone
Paths
Tool Types
Mitre Tactics
Tool Version
DHCP Server
Organization Type
STIX Sophistication
Signature Authentihash
State
Organization Prevalence	The number of times the indicator is detected in the organization.
Blocked
Definition
STIX Threat Actor Types
City	City
Version
Vendor
Domain Referring IPs
Subject
Operating System
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Domain Status
Assigned role
Region
CVSS3
Secondary Motivations
Goals
STIX Goals
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Port
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Report type
Associated File Names
STIX Tool Types
Subject Alternative Names
Objective
Email
Work Phone
Location Region
SWID	Specifies the Software Identification (SWID) tags entry for the software
Street Address
Detections
Geo Location
Account Type
Associations	Known associations to other pieces of Threat Data.
Short Description
Device Model
CVSS Score
Office365ExpressRoute
Signature File Version
Job Family
Acquisition Hire	Whether the employee is an acquisition hire.
Country Code Number
Applications
Behavior
STIX Roles
Implementation Languages
Is Processed
Issuer DN	Issuer Distinguished Name
User ID
Indicator Identification
Positive Detections	Number of engines that positively detected the indicator as malicious
Architecture

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
Host Indicator	Host indicator layout
Location	Location indicator layout
ASN	ASN Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Email Indicator	Email Indicator Layout
Course of Action	Course of Action Indicator Layout
Report	Report Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Tool Indicator	Tool Indicator Layout
IP Indicator	IP Indicator Layout
File Indicator	File Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Domain Indicator	Domain Indicator Layout
Tactic Layout	Tactic Indicator Layout
Campaign	Campaign Indicator Layout
Account Indicator	Account Indicator Layout
URL Indicator	URL Indicator Layout
Indicator Feed Incident
Mutex	Mutex indicator layout
CVE Indicator	CVE Indicator Layout
Vulnerability Incident
Software	Software Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Malware Indicator	Malware Indicator Layout
X509 Certificate	CVE Indicator Layout
Intrusion Set	Intrusion Set Layout
Identity	Identity indicator layout

Indicator Types

Name	Description
IP
Tool
Campaign
CIDR
Malware
ssdeep
File SHA-256
URL
Mutex
Software
Host
Onion Address
IPv6
Identity
Email
IPv6CIDR
Attack Pattern
DomainGlob
File
CVE
Intrusion Set
Tactic
ASN
Registry Key
Location
File SHA-1
X509 Certificate
Course of Action
Domain
Account
File MD5
Threat Actor
Infrastructure
Report

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (58)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
Trellix Email Security - Cloud	By: Cortex XSOAR
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
Akamai GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

3.10.1 - 6920594 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.10.1 - 6920581 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	January 28, 2026

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.