Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Common Types
Platform:
Cortex XSOAR
- Details
- Content
- Dependencies
- Version History
This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.
Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Classifiers
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Fields
| Name | Description |
|---|---|
Policy Details | |
Post Nat Source IP | The source IP address after NAT. |
Risk Rating | |
SHA256 | SHA256 |
Given Name | Given Name |
Related Report | |
Job Code | Job Code |
Source Status | |
Vulnerability Category | |
PID | PID |
External Severity | |
Rule Name | The name of a YARA rule |
Application Id | Application Id |
Alert Attack Time | |
Pre Nat Source Port | The source port before NAT. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Risk Score | |
RemovedFromCampaigns | |
Device OS Name | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Device Local IP | Device Local IP |
Containment SLA | The time it took to contain the incident. |
IP Blocked Status | |
Technique | |
Hunt Results Count | |
Follow Up | True if marked for follow up. |
IP Reputation | |
Policy Type | |
Suspicious Executions | |
Ticket Acknowledged Date | |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Surname | Surname |
Cloud Service | |
External Addresses | |
Source Create time | |
Detected Endpoints | |
Escalation | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Employee Manager Email | The email address of the employee's manager. |
Verification Status | The status of the user verification. |
Process CMD | |
Traffic Direction | The direction of the traffic in the event. |
Block Indicators Status | |
High Risky Hosts | |
User Engagement Response | |
CVSS | |
Command Line Verdict | |
SKU Name | |
Unique Ports | |
Additional Email Addresses | |
Tenant Name | Tenant Name |
Vendor Product | |
userAccountControl | userAccountControl |
Device OU | Device's OU path in Active Directory |
Detected External Hosts | Detected external hosts |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Process Path | |
Closing User | The closing user. |
External Sub Category Name | |
Mobile Phone | |
Source External IPs | |
Tags | |
Threat Hunting Detected IP | |
Registry Hive | |
Duration | |
Raw Event | The unparsed event data. |
Org Level 1 | |
Cloud Resource List | |
Agent Version | Reporting Agent/Sensor Version |
Tactic ID | |
Source Urgency | Source Urgency |
Device Status | |
Caller | |
File Size | File Size |
Pre Nat Source IP | The source IP before NAT. |
Vulnerable Product | |
Parent Process Name | |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Org Level 2 | |
External Start Time | |
EmailCampaignMutualIndicators | |
Project ID | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Policy Description | |
Device Model | Device Model |
Cloud Instance ID | Cloud Instance ID |
Alert Category | The category of the alert |
Agents ID | |
Parent Process IDs | |
sAMAccountName | User sAMAAccountName |
Protocol - Event | The network protocol in the event. |
Affected Users | |
Technical Owner Contact | The contact details for the technical owner. |
Start Time | The time when the offense started. |
Tools | |
Alert Type ID | |
Src Hostname | Source hostname |
Process Creation Time | |
Employee Email | The email address of the employee. |
Event Type | Event Type |
CMD line | |
Sensor IP | |
Destination Geolocation | The destination geolocation of the event. |
EmailCampaignCanvas | |
Comment | The comments related with the incident |
File Creation Date | |
Group ID | |
Use Case Description | |
Child Process | |
File Name | |
Srcs | The source values. |
File MD5 | |
Post Nat Destination Port | The destination port after NAT. |
Parent Process MD5 | |
Application Path | |
Detected Users | Detected users |
Last Update Time | |
Password Reset Successfully | Whether the password has been successfully reset. |
SSDeep | |
Source Username | The username that was the source of the attack. |
Referenced Resource Name | |
Threat Hunting Detected Hostnames | |
Description | The description of the incident |
Protocol names | |
Scenario | |
File Path | |
External ID | |
Resource Type | |
Alert Rules | |
Campaign Name | |
Manager Name | Manager Name |
Endpoint Isolation Status | |
Source Priority | |
Internal Addresses | |
Technical User | The technical user of the asset. |
Primary Email Address | |
Last Modified By | |
Bugtraq | |
Source Created By | |
Acquisition Hire | |
IncomingMirrorError | |
Dest Hostname | Destination hostname |
Destination Hostname | Destination hostname |
Source IPs | The source IPs of the event. |
Events | The events associated with the offense. |
Source Updated by | |
String Similarity Results | |
Src User | Source User |
Command Line | Command Line |
User Risk Level | |
Src Ports | The source ports of the event. |
Policy Remediable | |
Identity Type | |
Title | Title |
OS | The operating system. |
Process ID | |
Detection ID | |
Investigation Stage | The stage of the investigation. |
Signature | |
Asset ID | |
Last Seen | |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
User Groups | |
Device Time | The time from the original logging device when the event occurred. |
Account Status | |
Log Source Type | The log source type associated with the event. |
Categories | The categories for the incident. |
Org Level 3 | |
Zip Code | Zip Code |
Approver | The person who approved or needs to approve the request. |
Additional Data | |
Detection End Time | |
ASN Name | |
Process MD5 | |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ÖżFraud\Espionage |
Resource ID | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Verification Method | The method used to verify the user. |
Destination IP | The IP address the impossible traveler logged in to. |
Device Hash | Device Hash |
External System ID | |
Registry Key | |
Source Id | |
Source Network | |
External Sub Category ID | |
Org Unit | |
Hostnames | The hostname in the event. |
User Agent | |
User Creation Time | |
UUID | UUID as received from the integration JSON |
Device Internal IPs | |
Exposure Level | |
CVE ID | |
Alert tags | |
Country Code | |
Asset Name | |
Domain Name | |
Source Hostname | The hostname that performed the port scan. |
Device Name | Device Name |
Source Geolocation | The source geolocation of the event. |
Detected User | |
Dst Ports | The destination ports of the event. |
Changed | The user who changed this incident |
Work Phone | |
OS Version | OS Version |
Device Username | The username of the user that owns the device |
Alert URL | Alert URL as received from the integration JSON |
Timezone | |
SKU TIER | |
Email Sent Successfully | Whether the email has been successfully sent. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Cloud Operation Type | |
File Paths | |
Isolated | Isolated |
Alert Malicious | Whether the alert is malicious. |
Destination Networks | |
MD5 | MD5 |
Source MAC Address | The source MAC address in an event. |
Display Name | Display Name |
Location | Location |
Related Alerts | |
Country | The country from which the user logged in. |
Dest NT Domain | Destination NT Domain |
Destination IPs | The destination IPs of the event. |
Reporter Email Address | The email address of the user who reported the email. |
User Block Status | |
Process Paths | |
Cloud Account ID | |
Number Of Log Sources | The number of log sources related to the offense. |
Birthday | Person's Birthday |
Source IP | The IP Address that the user initially logged in from. |
Verdict | |
MITRE Technique ID | |
Suspicious Executions Found | |
Parent Process File Path | |
Detection Update Time | |
Vendor ID | |
Parent Process CMD | |
Rendered HTML | The HTML content in a rendered form. |
Detected Internal Hosts | Detected internal hosts |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Subtype | Subtype |
Attack Mode | Attack mode as received from the integration JSON |
Device External IPs | |
MAC Address | MAC Address |
SHA512 | SHA512 |
Cost Center Code | Cost Center Code |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Policy URI | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
External Category Name | |
User Id | User Id |
Destination IPV6 | The destination IPV6 address. |
Policy ID | |
Dsts | The destination values. |
Domain Updated Date | |
Number of similar files | |
Street Address | |
Close Time | The closing time. |
Sensor Name | |
Device OS Version | |
High Level Categories | The high level categories in the events. |
Region | |
Password Changed Date | |
Category Count | The number of categories that are associated with the offense. |
Destination Network | |
Usernames | The username in the event. |
Account Name | Account Name |
Detected External IPs | Detected external IPs |
Employee Display Name | The display name of the employee. |
Device Id | Device Id |
Process Names | |
Status Reason | |
Endpoint | |
Low Level Categories Events | The low level category of the event. |
Account ID | |
Number of Related Incidents | |
Parent Process | |
Alert ID | Alert ID as received from the integration JSON |
CMD | |
Appliance Name | Appliance name as received from the integration JSON |
Rating | |
EmailCampaignSummary | |
Assignment Group | |
Report Name | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Job Function | Job Function |
External End Time | |
Blocked Action | Blocked Action |
Destination MAC Address | The destination MAC address in an event. |
High Risky Users | |
app channel name | |
Selected Indicators | Includes the indicators selected by the user. |
Mobile Device Model | |
Related Campaign | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Ticket Number | |
Custom Query Results | |
Policy Severity | |
Similar incidents Dbot | |
File Access Date | |
Log Source | Log Source |
Registration Email | |
Personal Email | |
Source Networks | |
Item Owner | |
OutgoingMirrorError | |
Domain Registrar Abuse Email | |
CVE | |
Last Modified On | |
Phone Number | Phone number |
Policy Deleted | |
Src OS | Src OS |
User SID | |
Resource Name | |
Event Names | The event name (translated QID ) in the event. |
Additional Indicators | |
Protocols | |
File Relationships | |
External Last Updated Time | |
URLs | |
First Seen | |
Department | Department |
Incident Link | |
Event ID | Event ID |
City | |
EmailCampaignSnippets | |
SHA1 | SHA1 |
Referenced Resource ID | |
Cloud Region List | |
Device MAC Address | |
Tactic | |
First Name | First Name |
Country Name | Country Name |
Account Member Of | |
Username | The username of the account who logged in. |
Objective | |
Sub Category | The sub category |
Last Name | Last Name |
Assigned User | Assigned User |
File Hash | |
Triggered Security Profile | Triggered Security Profile |
Dest OS | Destination OS |
Source Port | The source port that was used |
Detected Internal IPs | Detected internal IPs |
Agent ID | Agent ID |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
MITRE Technique Name | |
Alert Source | |
Post Nat Destination IP | The destination IP address after NAT. |
Closing Reason | The closing reason |
Source IPV6 | The source IPV6 address. |
Parent CMD line | |
OS Type | OS Type |
Attack Patterns | |
State | State |
Detection URL | URL of the ExtraHop Reveal(x) detection |
List Of Rules - Event | The list of rules associated to an event. |
External Confidence | |
Job Family | Job Family |
External Status | |
Technique ID | |
Alert Name | Alert name as received from the integration JSON |
Cost Center | Cost Center |
Detected IPs | |
Policy Actions | |
Error Code | |
External Category ID | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
File SHA256 | |
Team name | |
Leadership | |
CVE Published | |
App message | |
Country Code Number | |
Ticket Opened Date | |
Region ID | |
MITRE Tactic ID | |
Technical Owner | The technical owner of the asset. |
Src | Source |
Device External IP | Device External IP |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Parent Process Path | |
ASN | |
Triage SLA | The time it took to investigate and enrich incident information. |
Protocol | Protocol |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Compliance Notes | Notes regarding the assets compliance. |
Alert Action | Alert action as received from the integration JSON |
Dest | Destination |
Registry Value Type | |
MITRE Tactic Name | |
Manager Email Address | |
DNS Name | The DNS name of the asset. |
Pre Nat Destination Port | The destination port before NAT. |
Process Name | |
Classification | Incident Classification |
Post Nat Source Port | The source port after NAT. |
Appliance ID | Appliance ID as received from the integration JSON |
User Anomaly Count | |
Risk Name | |
Related Endpoints | |
Registry Value | |
Full Name | Person's Full Name |
Resource URL | |
File SHA1 | |
Users Details | |
Operation Name | |
Ticket Closed Date | |
Application Name | Application Name |
Parent Process SHA256 | |
Approval Status | The status for the approval of the request. |
Tool Usage Found | |
Item Owner Email | |
Process SHA256 | |
Endpoints Details | |
App | |
Affected Hosts | |
Is Active | Alert status |
Policy Recommendation | |
similarIncidents | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Destination Port | The destination port used. |
Error Message | The error message that contains details about the error that occurred. |
File Names | |
Source Category | |
End Time | The time when the offense ended. |
External Link | |
Users | |
Log Source Name | The log source name associated with the event. |
Event Descriptions | The description of the event name. |
Src NT Domain | Source NT Domain |
Location Region | Location Region |
Incident Types
| Name | Description |
|---|---|
Defacement | |
Exploit | |
DoS | |
Reconnaissance | |
UnknownBinary | |
Exfiltration | |
Indicator Feed | |
Network | |
Authentication | |
Lateral Movement | |
Vulnerability | |
C2Communication | |
Job | |
Hunt | |
Policy Violation | |
Simulation |
Indicator Fields
| Name | Description |
|---|---|
Vulnerabilities | |
Source Priority | |
Username | |
Malware Family | |
Force Sync | Whether to force user synchronization. |
Port | |
Campaign | |
Groups | |
Signature Description | |
DNS | |
Location Region | |
Certificate Validation Checks | |
Updated Date | |
CVSS Version | |
Registrant Email | |
Goals | |
Author | |
Operating System Refs | |
Capabilities | |
Cost Center | |
Department | Department |
Domain Status | |
Implementation Languages | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Signed | |
SSDeep | |
Zip Code | |
Published | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Work Phone | |
Query Language | |
Product | |
Associated File Names | |
Office365Category | |
Memory | |
Name Field | |
Registrant Country | |
BIOS Version | |
Samples | |
SHA256 | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Vendor | |
STIX Tool Types | |
STIX Sophistication | |
Job Family | |
Definition | |
STIX Roles | |
Number of subkeys | |
Aliases | Alternative names used to identify this object |
Description | |
Organization | |
Detections | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Internal | |
Signature Original Name | |
Admin Phone | |
MD5 | |
Size | |
CVSS Score | |
Geo Location | |
Organizational Unit (OU) | |
Mitre ID | |
Confidence | |
MAC Address | |
Action | |
Name Servers | |
Issuer DN | Issuer Distinguished Name |
Signature File Version | |
STIX Threat Actor Types | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Subject | |
CVSS Table | |
Short Description | |
Tool Types | |
Domain Name | |
Registrant Name | |
Processors | |
Country Code | |
ASN | |
STIX Tool Version | |
Registrar Name | |
Tool Version | |
Secondary Motivations | |
Subject Alternative Names | |
Mitre Tactics | |
Domains | |
Targets | |
IP Address | |
Domain Referring Subnets | |
Signature Copyright | |
STIX Goals | |
Title | Title |
File Type | |
CVE Description | |
Office365Required | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
File Extension | |
Report type | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Signature Authentihash | |
STIX Secondary Motivations | |
PEM | Certificate in PEM format. |
Feed Related Indicators | |
City | City |
Applications | |
Geo Country | |
Actor | |
Registrant Phone | |
STIX Primary Motivation. | |
Given Name | Given Name |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Public Key | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Street Address | |
Community Notes | |
CVSS | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Resource Level | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
SHA512 | |
Org Unit | |
X.509 v3 Extensions | |
Admin Country | |
Signature Internal Name | |
Infrastructure Types | |
Serial Number | |
Processor | |
User ID | |
State | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
Org Level 2 | |
Email Address | |
Publications | |
Extension | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Cost Center Code | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
imphash | |
Manager Name | Manager Name |
Surname | Surname |
STIX Is Malware Family | |
AS Owner | |
Display Name | |
STIX Description | |
Architecture | |
Objective | |
Download URL | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Personal Email | |
DNS Records | |
Primary Motivation | |
Quarantined | Whether the indicator is quarantined or isolated |
Job Function | |
Registrar Abuse Country | |
Registrar Abuse Name | |
Expiration Date | |
Device Model | |
Whois Records | |
Region | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Issuer | |
OS Version | |
Name | |
Category | |
Creation Date | |
CVSS3 | |
Commands | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Registrar Abuse Phone | |
Leadership | |
Domain Referring IPs | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Certificates | |
Entry ID | |
Blocked | |
Operating System | |
Domain IDN Name | |
Assigned role | |
Registrar Abuse Email | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Assigned user | |
CVE Modified | |
Manager Email Address | |
Signature Algorithm | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Certificate Signature | |
Rank | Used to display rank from different sources |
Organization Type | |
Associations | Known associations to other pieces of Threat Data. |
Operating System Version | |
Org Level 3 | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Admin Email | |
Is Processed | |
Malware types | |
Office365ExpressRoute | |
Indicator Identification | |
Paths | |
Key Value | |
Is Malware Family | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Version | |
Behavior | |
Detection Engines | Total number of engines that checked the indicator |
Sophistication | |
Roles | |
STIX Aliases | Alternative names used to identify this object |
Certificate Names | |
Threat Actor Types | |
Report Object References | A list of STIX IDs referenced in the report. |
Country Code Number | |
Subject DN | Subject Distinguished Name |
Vulnerable Products | |
Location | |
SHA1 | |
Mobile Phone | |
Admin Name | |
CVSS Vector | |
STIX Resource Level | |
Country Name | |
DHCP Server | |
Tags | |
Org Level 1 | |
Registrar Abuse Address | |
Hostname | |
Path | |
Account Type | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Job Code | Job Code |
Subdomains | |
Registrar Abuse Network | |
Reports | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
STIX Malware Types |
Layouts
| Name | Description |
|---|---|
Malware Indicator | Malware Indicator Layout |
IP Indicator | IP Indicator Layout |
Host Indicator | Host indicator layout |
URL Indicator | URL Indicator Layout |
ASN | ASN Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Account Indicator | Account Indicator Layout |
Mutex | Mutex indicator layout |
Identity | Identity indicator layout |
Indicator Feed Incident | |
Infrastructure | Infrastructure Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Software | Software Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Campaign | Campaign Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Vulnerability Incident | |
Threat Actor | Threat Actor Indicator Layout |
File Indicator | File Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Location | Location indicator layout |
Tactic Layout | Tactic Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Email Indicator | Email Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Report | Report Indicator Layout |
Indicator Types
| Name | Description |
|---|---|
Identity | |
IPv6 | |
CIDR | |
File MD5 | |
Intrusion Set | |
Malware | |
File SHA-256 | |
ASN | |
Registry Key | |
Domain | |
Onion Address | |
ssdeep | |
Tool | |
File SHA-1 | |
Report | |
DomainGlob | |
Host | |
Attack Pattern | |
File | |
Threat Actor | |
Course of Action | |
X509 Certificate | |
Account | |
IP | |
URL | |
Mutex | |
Software | |
Tactic | |
IPv6CIDR | |
Campaign | |
Location | |
CVE | |
Infrastructure |
Classifiers
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Fields
| Name | Description |
|---|---|
Triggered Security Profile | Triggered Security Profile |
Domain Name | |
Attack Mode | Attack mode as received from the integration JSON |
IncomingMirrorError | |
userAccountControl | userAccountControl |
OS | The operating system. |
Source Category | |
Signature | |
CVE Published | |
Source Created By | |
Endpoint Isolation Status | |
Referenced Resource Name | |
Event ID | Event ID |
Policy Deleted | |
Referenced Resource ID | |
Post Nat Destination IP | The destination IP address after NAT. |
Command Line Verdict | |
App message | |
Affected Hosts | |
Country Code | |
Verification Method | The method used to verify the user. |
CVE | |
Number of similar files | |
Technique | |
Domain Updated Date | |
Rule Name | The name of a YARA rule |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Operation Name | |
Scenario | |
Tools | |
Device OS Name | |
External Last Updated Time | |
Org Level 1 | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Cloud Service | |
Block Indicators Status | |
Policy Description | |
Region | |
Tenant Name | Tenant Name |
OS Type | OS Type |
EmailCampaignMutualIndicators | |
Related Endpoints | |
Verdict | |
Asset ID | |
Original Alert ID | Alert ID as received from the integration JSON |
Protocol names | |
Employee Email | The email address of the employee. |
OutgoingMirrorError | |
Policy Remediable | |
Sub Category | The sub category |
State | State |
Device Internal IPs | |
Compliance Notes | Notes regarding the assets compliance. |
External Confidence | |
Custom Query Results | |
Resource URL | |
Personal Email | |
Work Phone | |
SHA512 | SHA512 |
Follow Up | True if marked for follow up. |
Last Seen | |
Internal Addresses | |
MITRE Tactic Name | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Log Source Name | The log source name associated with the event. |
Leadership | |
Registration Email | |
Is Active | Alert status |
Isolated | Isolated |
Original Description | The description of the incident |
File Creation Date | |
List Of Rules - Event | The list of rules associated to an event. |
Detection ID | |
File Size | File Size |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Alert Malicious | Whether the alert is malicious. |
Device MAC Address | |
Mobile Device Model | |
Ticket Closed Date | |
Manager Name | Manager Name |
Traffic Direction | The direction of the traffic in the event. |
Sensor IP | |
Policy Severity | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Policy Actions | |
Closing Reason | The closing reason |
External End Time | |
Job Function | Job Function |
Surname | Surname |
User Block Status | |
Destination Networks | |
Vulnerability Category | |
SKU TIER | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Number of Related Incidents | |
Subtype | Subtype |
URLs | |
RemovedFromCampaigns | |
MITRE Technique ID | |
Changed | The user who changed this incident |
EmailCampaignSnippets | |
Reporter Email Address | The email address of the user who reported the email. |
Vendor Product | |
Tactic ID | |
Source Status | |
Hunt Results Count | |
Source Create time | |
Parent Process MD5 | |
Employee Manager Email | The email address of the employee's manager. |
Alert Rules | |
Exposure Level | |
SKU Name | |
Policy URI | |
Job Family | Job Family |
Job Code | Job Code |
Additional Indicators | |
Rendered HTML | The HTML content in a rendered form. |
Containment SLA | The time it took to contain the incident. |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Zip Code | Zip Code |
File Access Date | |
Device OU | Device's OU path in Active Directory |
Technical Owner Contact | The contact details for the technical owner. |
Number Of Log Sources | The number of log sources related to the offense. |
File Relationships | |
Src OS | Src OS |
Original Alert Source | |
Process CMD | |
Pre Nat Source Port | The source port before NAT. |
Device External IPs | |
Status Reason | |
Device Id | Device Id |
Resource Name | |
Ticket Number | |
First Name | First Name |
Device Status | |
Suspicious Executions | |
Last Modified By | |
Mobile Phone | |
Error Message | The error message that contains details about the error that occurred. |
EmailCampaignCanvas | |
Blocked Action | Blocked Action |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
similarIncidents | |
Org Unit | |
End Time | The time when the offense ended. |
Affected Users | |
Resource Type | |
Process SHA256 | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Comment | The comments related with the incident |
Application Path | |
Full Name | Person's Full Name |
Country Code Number | |
Destination Geolocation | The destination geolocation of the event. |
Cost Center Code | Cost Center Code |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
External Sub Category Name | |
Item Owner | |
Vendor ID | |
String Similarity Results | |
Log Source | Log Source |
Related Campaign | |
ASN | |
Approver | The person who approved or needs to approve the request. |
Account Member Of | |
Domain Registrar Abuse Email | |
Additional Email Addresses | |
External Status | |
Low Level Categories Events | The low level category of the event. |
Similar incidents Dbot | |
Last Name | Last Name |
Account Status | |
Registry Key | |
Detected Endpoints | |
Event Descriptions | The description of the event name. |
User SID | |
Process MD5 | |
Process Names | |
Title | Title |
Risk Name | |
Original Events | The events associated with the offense. |
IP Reputation | |
Primary Email Address | |
High Risky Hosts | |
Raw Event | The unparsed event data. |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Cloud Region List | |
EmailCampaignSummary | |
File Hash | |
Suspicious Executions Found | |
Parent Process File Path | |
app channel name | |
Identity Type | |
Pre Nat Source IP | The source IP before NAT. |
Policy Recommendation | |
Error Code | |
Selected Indicators | Includes the indicators selected by the user. |
Parent Process IDs | |
Pre Nat Destination Port | The destination port before NAT. |
Vulnerable Product | |
Process Paths | |
Cost Center | Cost Center |
External Category ID | |
Cloud Instance ID | Cloud Instance ID |
Detected Internal Hosts | Detected internal hosts |
Original Alert Name | Alert name as received from the integration JSON |
External System ID | |
User Id | User Id |
Policy Type | |
External Severity | |
Approval Status | The status for the approval of the request. |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Source Networks | |
Location | Location |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
External Category Name | |
Closing User | The closing user. |
Triage SLA | The time it took to investigate and enrich incident information. |
External Link | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Escalation | |
Parent Process Name | |
Endpoints Details | |
Source Id | |
Duration | |
City | |
Tactic | |
Email Sent Successfully | Whether the email has been successfully sent. |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ÖżFraud\Espionage |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Registry Value | |
Tool Usage Found | |
Device Model | Device Model |
CVSS | |
Dsts | The destination values. |
sAMAccountName | User sAMAAccountName |
Alert Action | Alert action as received from the integration JSON |
External Start Time | |
Phone Number | Phone number |
Close Time | The closing time. |
Source Geolocation | The source geolocation of the event. |
Registry Value Type | |
Birthday | Person's Birthday |
Agent Version | Reporting Agent/Sensor Version |
Destination IPV6 | The destination IPV6 address. |
Last Update Time | |
Street Address | |
CVE ID | |
Device OS Version | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
SHA1 | SHA1 |
Cloud Account ID | |
Device Time | The time from the original logging device when the event occurred. |
Assignment Group | |
Start Time | The time when the offense started. |
Item Owner Email | |
Display Name | Display Name |
External Sub Category ID | |
Org Level 3 | |
MITRE Technique Name | |
Technical User | The technical user of the asset. |
Source Updated by | |
IP Blocked Status | |
Risk Score | |
Post Nat Source IP | The source IP address after NAT. |
Use Case Description | |
Log Source Type | The log source type associated with the event. |
User Engagement Response | |
Classification | Incident Classification |
Employee Display Name | The display name of the employee. |
Unique Ports | |
Source Priority | |
Related Alerts | |
Rating | |
Risk Rating | |
Objective | |
Registry Hive | |
Process ID | |
Device Hash | Device Hash |
Bugtraq | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
MITRE Tactic ID | |
Process Creation Time | |
Caller | |
Category Count | The number of categories that are associated with the offense. |
ASN Name | |
Policy Details | |
Department | Department |
High Risky Users | |
Location Region | Location Region |
Users Details | |
Alert tags | |
Given Name | Given Name |
Last Modified On | |
Cloud Resource List | |
Asset Name | |
Team name | |
Additional Data | |
Device Name | Device Name |
Parent Process Path | |
Account ID | |
Ticket Acknowledged Date | |
Policy ID | |
Agents ID | |
Technique ID | |
User Groups | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Group ID | |
Event Names | The event name (translated QID ) in the event. |
Assigned User | Assigned User |
First Seen | |
Technical Owner | The technical owner of the asset. |
Source External IPs | |
Parent Process SHA256 | |
Password Reset Successfully | Whether the password has been successfully reset. |
Campaign Name | |
Source Urgency | Source Urgency |
Post Nat Destination Port | The destination port after NAT. |
Report Name | |
Parent Process CMD | |
Timezone | |
Acquisition Hire | |
User Creation Time | |
Attack Patterns | |
File SHA1 | |
Detection End Time | |
Dest OS | Destination OS |
User Anomaly Count | |
Region ID | |
Project ID | |
Password Changed Date | |
Alert Type ID | |
Verification Status | The status of the user verification. |
Related Report | |
Detected External IPs | Detected external IPs |
Incident Link | |
Post Nat Source Port | The source port after NAT. |
SSDeep | |
UUID | UUID as received from the integration JSON |
Org Level 2 | |
Manager Email Address | |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Investigation Stage | The stage of the investigation. |
Incident Types
| Name | Description |
|---|---|
DoS | |
Policy Violation | |
Vulnerability | |
Indicator Feed | |
Network | |
Exploit | |
Lateral Movement | |
Defacement | |
UnknownBinary | |
C2Communication | |
Reconnaissance | |
Hunt | |
Simulation | |
Exfiltration | |
Job | |
Authentication |
Indicator Fields
| Name | Description |
|---|---|
SHA256 | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Groups | |
Name Servers | |
Report type | |
Action | |
Domain Referring Subnets | |
Manager Email Address | |
Location Region | |
Path | |
Vulnerable Products | |
Roles | |
Creation Date | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Country Name | |
Device Model | |
Registrar Abuse Address | |
Certificate Validation Checks | |
Account Type | |
Subject Alternative Names | |
Operating System Refs | |
Issuer | |
Secondary Motivations | |
Number of subkeys | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
PEM | Certificate in PEM format. |
Size | |
Processors | |
Tags | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Personal Email | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Zip Code | |
Indicator Identification | |
Category | |
Publications | |
Subdomains | |
Detections | |
STIX Secondary Motivations | |
Job Family | |
Org Level 3 | |
STIX Malware Types | |
STIX Tool Types | |
Registrar Abuse Network | |
Geo Location | |
CVSS3 | |
STIX Sophistication | |
Tool Types | |
Product | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
DHCP Server | |
Work Phone | |
Registrant Phone | |
Registrar Abuse Country | |
DNS | |
Job Function | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Mitre Tactics | |
Goals | |
Country Code | |
CVSS Score | |
State | |
Operating System Version | |
Job Code | Job Code |
STIX Description | |
Quarantined | Whether the indicator is quarantined or isolated |
CVSS Version | |
Domain IDN Name | |
Signature Authentihash | |
Office365Category | |
imphash | |
Manager Name | Manager Name |
Signature Copyright | |
Internal | |
Admin Country | |
Signature Internal Name | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Registrant Email | |
STIX Is Malware Family | |
Given Name | Given Name |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Signature Original Name | |
SHA512 | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Certificates | |
Display Name | |
Registrant Name | |
Subject | |
Registrar Name | |
Confidence | |
Location | |
Vendor | |
Extension | |
Domain Status | |
Public Key | |
Domain Name | |
Memory | |
Mitre ID | |
SHA1 | |
X.509 v3 Extensions | |
CVE Modified | |
Org Unit | |
Signature Description | |
Registrar Abuse Email | |
Associations | Known associations to other pieces of Threat Data. |
Capabilities | |
Organization | |
Architecture | |
Certificate Names | |
ASN | |
Applications | |
SSDeep | |
Reports | |
Mobile Phone | |
Threat Actor Types | |
Domain Referring IPs | |
Infrastructure Types | |
Primary Motivation | |
Processor | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Leadership | |
Malware types | |
Office365ExpressRoute | |
Registrar Abuse Name | |
Source Priority | |
IP Address | |
File Extension | |
Organization Type | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Admin Email | |
Name | |
Geo Country | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Description | |
Operating System | |
Subject DN | Subject Distinguished Name |
Region | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
STIX Primary Motivation. | |
Aliases | Alternative names used to identify this object |
Admin Name | |
Author | |
Street Address | |
Username | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
City | City |
Force Sync | Whether to force user synchronization. |
Key Value | |
Registrar Abuse Phone | |
Feed Related Indicators | |
OS Version | |
Whois Records | |
MD5 | |
Cost Center Code | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Blocked | |
Download URL | |
Tool Version | |
Is Processed | |
Port | |
Department | Department |
STIX Aliases | Alternative names used to identify this object |
Short Description | |
CVSS Table | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Rank | Used to display rank from different sources |
Registrant Country | |
DNS Records | |
Name Field | |
Query Language | |
AS Owner | |
Hostname | |
Targets | |
Certificate Signature | |
Report Object References | A list of STIX IDs referenced in the report. |
Domains | |
Objective | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Actor | |
Issuer DN | Issuer Distinguished Name |
Admin Phone | |
Org Level 1 | |
Vulnerabilities | |
Surname | Surname |
Detection Engines | Total number of engines that checked the indicator |
Acquisition Hire | Whether the employee is an acquisition hire. |
Serial Number | |
Version | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Assigned role | |
Country Code Number | |
CVSS | |
Sophistication | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Title | Title |
Assigned user | |
Signature File Version | |
CVE Description | |
Email Address | |
Associated File Names | |
Resource Level | |
Commands | |
Paths | |
File Type | |
STIX Tool Version | |
Office365Required | |
BIOS Version | |
Published | |
Signature Algorithm | |
STIX Roles | |
Organizational Unit (OU) | |
Malware Family | |
Community Notes | |
Samples | |
Entry ID | |
CVSS Vector | |
Implementation Languages | |
Behavior | |
STIX Resource Level | |
Org Level 2 | |
STIX Threat Actor Types | |
Campaign | |
User ID | |
Updated Date | |
STIX Goals | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Expiration Date | |
Definition | |
Cost Center | |
Is Malware Family | |
Signed |
Layoutrule
| Name | Description |
|---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule |
Layouts
| Name | Description |
|---|---|
Campaign | Campaign Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Infrastructure | Infrastructure Indicator Layout |
Malware Indicator | Malware Indicator Layout |
IP Indicator | IP Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Report | Report Indicator Layout |
ASN | ASN Indicator Layout |
X509 Certificate | CVE Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Host Indicator | Host indicator layout |
Location | Location indicator layout |
Registry Key Indicator | Registry Key Indicator Layout |
Account Indicator | Account Indicator Layout |
File Indicator | File Indicator Layout |
Identity | Identity indicator layout |
Mutex | Mutex indicator layout |
Vulnerability Incident | |
Threat Actor | Threat Actor Indicator Layout |
URL Indicator | URL Indicator Layout |
Email Indicator | Email Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Software | Software Indicator Layout |
Indicator Feed Incident |
Indicator Types
| Name | Description |
|---|---|
URL | |
Onion Address | |
File SHA-256 | |
Intrusion Set | |
File SHA-1 | |
Tool | |
Identity | |
Attack Pattern | |
Malware | |
Tactic | |
Course of Action | |
Report | |
IPv6CIDR | |
Software | |
DomainGlob | |
CVE | |
File MD5 | |
Account | |
X509 Certificate | |
Infrastructure | |
IPv6 | |
IP | |
Threat Actor | |
Mutex | |
Location | |
Host | |
ssdeep | |
File | |
Domain | |
Campaign | |
ASN | |
CIDR | |
Registry Key |
Required Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
Optional Content Packs (56)
All level dependencies (3)
| Pack Name | Pack By |
|---|---|
| Cortex REST API | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
3.8.3 - 2086795 (January 27, 2025)
- 38269
Download
Indicator Types
- IPv6
- Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
- Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.
- 38269
Download
3.8.2 - 1903608 (December 31, 2024)
3.8.0 - 1873754 (December 25, 2024)
- 37659
Download
Incident Fields
Username
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Cloud Service
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.First Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Display Name
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Device Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Vendor Product
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Update Time
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.User Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.
- 37659
Download
3.7.0 - 1834150 (December 18, 2024)
3.6.0 - 1663384 (November 18, 2024)
- 37022
Download
Indicator Fields
New: Organization Prevalence
Added new number field which represents the number of times the indicator is detected in the organization.
New: Global Prevalence
Added new number field which represents the number of times the indicator is detected across all organizations.
New: Organization First Seen
Added new date field which represents when the indicator was first seen in the organization.
New: Organization Last Seen
Added new date field which represents when the indicator was last seen in the organization.
Indicator Types
File
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceFile.OrganizationPrevalence globalprevalenceFile.GlobalPrevalence organizationfirstseenFile.OrganizationFirstSeen organizationlastseenFile.OrganizationLastSeen firstseenbysourceFile.FirstSeenBySource lastseenbysourceFile.LastSeenBySource Domain
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceDomain.OrganizationPrevalence globalprevalenceDomain.GlobalPrevalence organizationfirstseenDomain.OrganizationFirstSeen organizationlastseenDomain.OrganizationLastSeen firstseenbysourceDomain.FirstSeenBySource lastseenbysourceDomain.LastSeenBySource URL
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceURL.OrganizationPrevalence globalprevalenceURL.GlobalPrevalence organizationfirstseenURL.OrganizationFirstSeen organizationlastseenURL.OrganizationLastSeen firstseenbysourceURL.FirstSeenBySource lastseenbysourceURL.LastSeenBySource IP
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceIP.OrganizationPrevalence globalprevalenceIP.GlobalPrevalence organizationfirstseenIP.OrganizationFirstSeen organizationlastseenIP.OrganizationLastSeen firstseenbysourceIP.FirstSeenBySource lastseenbysourceIP.LastSeenBySource IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
|organizationprevalence| IPv6.OrganizationPrevalence |
|globalprevalence| IPv6.GlobalPrevalence |
|organizationfirstseen| IPv6.OrganizationFirstSeen |
|organizationlastseen| IPv6.OrganizationLastSeen |
|firstseenbysource| IPv6.FirstSeenBySource |
|lastseenbysource| IPv6.LastSeenBySource |
- 37022
Download
3.5.24 - 1609112 (November 7, 2024)
- 37071
Download
Layouts
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
- 37071
Download
3.5.20 - 1445410 (September 29, 2024)
3.5.18 - 1419889 (September 23, 2024)
3.5.16 - 1370357 (September 11, 2024)
- 36021
Download
Layouts
File Indicator
Updated layout with
canvastab.Account Indicator
Updated layout with
canvastab.Report
Updated layout with
canvastab.Threat Actor
Updated layout with
canvastab.URL Indicator
Updated layout with
canvastab.X509 Certificate
Updated layout with
canvastab.Mutex
Updated layout with
canvastab.Campaign
Updated layout with
canvastab.Location
Updated layout with
canvastab.Tool Indicator
Updated layout with
canvastab.Attack Pattern
Updated layout with
canvastab.Infrastructure
Updated layout with
canvastab.IP Indicator
Updated layout with
canvastab.Malware Indicator
Updated layout with
canvastab.Course of Action
Updated layout with
canvastab.Host Indicator
Updated layout with
canvastab.Tool
Updated layout with
canvastab.Email Indicator
Updated layout with
canvastab.CVE Indicator
Updated layout with
canvastab.Domain Indicator
Updated layout with
canvastab.Identity
Updated layout with
canvastab.Software
Updated layout with
canvastab.Intrusion Set
Updated layout with
canvastab.ASN
Updated layout with
canvastab.Registry Key Indicator
Updated layout with
canvastab.Malware
Updated layout with
canvastab.
- 36021
Download
3.5.14 - 1340401 (September 3, 2024)
- 35794
Download
Incident Fields
External ID
Added support for the External ID field in the Exabeam Security Operations Platform.Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.
- 35794
Download
3.5.12 - 1284734 (August 18, 2024)
- 35705
Download
Layouts
File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
- 35705
Download
3.5.9 - R1189290 (July 18, 2024)
- 34900
Download
Incident Fields
Location
Added support for incident type Exabeam Notable User.Department
Added support for incident type Exabeam Notable User.End Time
Added support for incident type Exabeam Notable User.Work Phone
Added support for incident type Exabeam Notable User.Start Time
Added support for incident type Exabeam Notable User.First Seen
Added support for incident type Exabeam Notable User.Last Seen
Added support for incident type Exabeam Notable User.Mobile Phone
Added support for incident type Exabeam Notable User.Manager Name
Added support for incident type Exabeam Notable User.User Groups
Added support for incident type Exabeam Notable User.Title
Added support for incident type Exabeam Notable User.Email
Added support for incident type Exabeam Notable User.Username
Added support for incident type Exabeam Notable User.Risk Score
Added support for incident type Exabeam Notable User.
- 34900
Download
3.5.8 - 1170213 (July 11, 2024)
- 34805
Download
Incident Fields
Display Name
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.Last Update Time
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.Vendor Product
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.Device Id
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.
- 34805
Download
3.8.3 - 2086795 (January 27, 2025)
- 38269
Download
Indicator Types
- IPv6
- Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
- Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.
- 38269
Download
3.8.2 - 1900707 (December 31, 2024)
3.8.0 - 1873754 (December 25, 2024)
- 37659
Download
Incident Fields
Cloud Service
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.First Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Display Name
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Device Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Vendor Product
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Update Time
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.User Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.
- 37659
Download
3.6.0 - 1663384 (November 18, 2024)
- 37022
Download
Indicator Fields
New: Organization Prevalence
Added new number field which represents the number of times the indicator is detected in the organization.
New: Global Prevalence
Added new number field which represents the number of times the indicator is detected across all organizations.
New: Organization First Seen
Added new date field which represents when the indicator was first seen in the organization.
New: Organization Last Seen
Added new date field which represents when the indicator was last seen in the organization.
Indicator Types
File
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceFile.OrganizationPrevalence globalprevalenceFile.GlobalPrevalence organizationfirstseenFile.OrganizationFirstSeen organizationlastseenFile.OrganizationLastSeen firstseenbysourceFile.FirstSeenBySource lastseenbysourceFile.LastSeenBySource Domain
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceDomain.OrganizationPrevalence globalprevalenceDomain.GlobalPrevalence organizationfirstseenDomain.OrganizationFirstSeen organizationlastseenDomain.OrganizationLastSeen firstseenbysourceDomain.FirstSeenBySource lastseenbysourceDomain.LastSeenBySource URL
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceURL.OrganizationPrevalence globalprevalenceURL.GlobalPrevalence organizationfirstseenURL.OrganizationFirstSeen organizationlastseenURL.OrganizationLastSeen firstseenbysourceURL.FirstSeenBySource lastseenbysourceURL.LastSeenBySource IP
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceIP.OrganizationPrevalence globalprevalenceIP.GlobalPrevalence organizationfirstseenIP.OrganizationFirstSeen organizationlastseenIP.OrganizationLastSeen firstseenbysourceIP.FirstSeenBySource lastseenbysourceIP.LastSeenBySource IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
|organizationprevalence| IPv6.OrganizationPrevalence |
|globalprevalence| IPv6.GlobalPrevalence |
|organizationfirstseen| IPv6.OrganizationFirstSeen |
|organizationlastseen| IPv6.OrganizationLastSeen |
|firstseenbysource| IPv6.FirstSeenBySource |
|lastseenbysource| IPv6.LastSeenBySource |
- 37022
Download
3.5.24 - 1609112 (November 7, 2024)
- 37071
Download
Layouts
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
- 37071
Download
3.5.20 - 1445410 (September 29, 2024)
3.5.18 - 1419889 (September 23, 2024)
3.5.16 - 1370357 (September 11, 2024)
- 36021
Download
Layouts
File Indicator
Updated layout with
canvastab.Account Indicator
Updated layout with
canvastab.Report
Updated layout with
canvastab.Threat Actor
Updated layout with
canvastab.URL Indicator
Updated layout with
canvastab.X509 Certificate
Updated layout with
canvastab.Mutex
Updated layout with
canvastab.Campaign
Updated layout with
canvastab.Location
Updated layout with
canvastab.Tool Indicator
Updated layout with
canvastab.Attack Pattern
Updated layout with
canvastab.Infrastructure
Updated layout with
canvastab.IP Indicator
Updated layout with
canvastab.Malware Indicator
Updated layout with
canvastab.Course of Action
Updated layout with
canvastab.Host Indicator
Updated layout with
canvastab.Tool
Updated layout with
canvastab.Email Indicator
Updated layout with
canvastab.CVE Indicator
Updated layout with
canvastab.Domain Indicator
Updated layout with
canvastab.Identity
Updated layout with
canvastab.Software
Updated layout with
canvastab.Intrusion Set
Updated layout with
canvastab.ASN
Updated layout with
canvastab.Registry Key Indicator
Updated layout with
canvastab.Malware
Updated layout with
canvastab.
- 36021
Download
3.5.12 - 1284734 (August 18, 2024)
- 35705
Download
Layouts
File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
- 35705
Download
3.5.9 - R1189290 (July 18, 2024)
- 34900
Download
Incident Fields
Location
Added support for incident type Exabeam Notable User.Department
Added support for incident type Exabeam Notable User.End Time
Added support for incident type Exabeam Notable User.Work Phone
Added support for incident type Exabeam Notable User.Start Time
Added support for incident type Exabeam Notable User.First Seen
Added support for incident type Exabeam Notable User.Last Seen
Added support for incident type Exabeam Notable User.Mobile Phone
Added support for incident type Exabeam Notable User.Manager Name
Added support for incident type Exabeam Notable User.User Groups
Added support for incident type Exabeam Notable User.Title
Added support for incident type Exabeam Notable User.Email
Added support for incident type Exabeam Notable User.Risk Score
Added support for incident type Exabeam Notable User.
- 34900
Download
3.5.8 - 1170213 (July 11, 2024)
- 34805
Download
Incident Fields
Display Name
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.Last Update Time
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.Vendor Product
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.Device Id
Added theCrowdStrike Falcon On-Demand Scans Detectionincident type as an associated type.
- 34805
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | July 26, 2020 | |
| Last Release | March 9, 2025 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
