Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
EmailCampaignSnippets
File Names
External Sub Category ID
File SHA1
Policy Deleted
Protocols
Unique Ports
Detected Internal IPs	Detected internal IPs
Process Names
File Creation Date
File Access Date
Detected User
Timezone
Referenced Resource ID
Source IPs	The source IPs of the event.
Comment	The comments related with the incident
MITRE Technique Name
External Start Time
IP Blocked Status
Rule Name	The name of a YARA rule
Surname	Surname
Containment SLA	The time it took to contain the incident.
External Severity
Investigation Stage	The stage of the investigation.
User Risk Level
Ticket Opened Date
User SID
Parent Process IDs
Dsts	The destination values.
Destination IPV6	The destination IPV6 address.
Parent Process
Block Indicators Status
Device Internal IPs
Employee Manager Email	The email address of the employee's manager.
Srcs	The source values.
String Similarity Results
Registry Value Type
Leadership
CVE
Source Network
Asset ID
Duration
High Level Categories	The high level categories in the events.
Technical Owner	The technical owner of the asset.
Log Source	Log Source
Given Name	Given Name
Blocked Action	Blocked Action
Dst Ports	The destination ports of the event.
Source Updated by
app channel name
PID	PID
Additional Indicators
Process ID
Related Campaign
Follow Up	True if marked for follow up.
SKU Name
OS Version	OS Version
Reporter Email Address	The email address of the user who reported the email.
Triggered Security Profile	Triggered Security Profile
CVSS
App
Cloud Operation Type
Post Nat Source Port	The source port after NAT.
Closing Reason	The closing reason
Account ID
Escalation
Attack Patterns
Process CMD
Mobile Phone
Manager Name	Manager Name
External Status
Traffic Direction	The direction of the traffic in the event.
Policy Type
Street Address
User Groups
Source Created By
Vendor ID
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Manager Email Address
Country Code Number
Phone Number	Phone number
Source Urgency	Source Urgency
Internal Addresses
Number Of Log Sources	The number of log sources related to the offense.
Approver	The person who approved or needs to approve the request.
Cost Center Code	Cost Center Code
Alert Action	Alert action as received from the integration JSON
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
MAC Address	MAC Address
SKU TIER
Similar incidents Dbot
Country Code
Password Reset Successfully	Whether the password has been successfully reset.
File Name
File SHA256
Endpoint Isolation Status
Project ID
Detected Users	Detected users
Assignment Group
User Creation Time
Tenant Name	Tenant Name
Destination Network
Policy ID
OS	The operating system.
Parent Process SHA256
ASN Name
CVE Published
Source External IPs
Resource Type
Process Name
Endpoints Details
Resource ID
Employee Display Name	The display name of the employee.
Alert Name	Alert name as received from the integration JSON
Risk Name
Related Report
Bugtraq
Campaign Name
Job Code	Job Code
Log Source Type	The log source type associated with the event.
Agent Version	Reporting Agent/Sensor Version
Item Owner Email
Rendered HTML	The HTML content in a rendered form.
Destination Hostname	Destination hostname
OutgoingMirrorError
CMD line
Command Line	Command Line
Technique ID
Event Names	The event name (translated QID ) in the event.
MD5	MD5
Source MAC Address	The source MAC address in an event.
High Risky Users
Vulnerability Category
Resource Name
EmailCampaignCanvas
Low Level Categories Events	The low level category of the event.
CVE ID
Destination Port	The destination port used.
Title	Title
Dest Hostname	Destination hostname
Pre Nat Destination Port	The destination port before NAT.
Related Alerts
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Raw Event	The unparsed event data.
Parent Process Name
Users Details
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Device OS Name
Registry Value
Account Status
Approval Status	The status for the approval of the request.
Domain Name
Source Id
Identity Type
Caller
Referenced Resource Name
Technical Owner Contact	The contact details for the technical owner.
Alert Source
Scenario
Display Name	Display Name
Agents ID
Full Name	Person's Full Name
Source Status
SHA1	SHA1
Endpoint
Hunt Results Count
Device External IPs
External Link
Dest	Destination
Appliance Name	Appliance name as received from the integration JSON
Status Reason
External End Time
Alert tags
Last Modified By
Device Username	The username of the user that owns the device
Sub Category	The sub category
Detected Internal Hosts	Detected internal hosts
Process SHA256
Item Owner
Users
Source IPV6	The source IPV6 address.
Post Nat Destination Port	The destination port after NAT.
Child Process
List Of Rules - Event	The list of rules associated to an event.
Ticket Closed Date
Number of similar files
Vendor Product
MITRE Technique ID
Source Create time
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Destination IPs	The destination IPs of the event.
End Time	The time when the offense ended.
Alert Category	The category of the alert
Selected Indicators	Includes the indicators selected by the user.
Password Changed Date
Tactic
Device MAC Address
User Agent
Account Name	Account Name
Verdict
Registry Hive
Device OS Version
Group ID
Compliance Notes	Notes regarding the assets compliance.
Country Name	Country Name
Additional Data
Domain Updated Date
Agent ID	Agent ID
Source Networks
User Block Status
Events	The events associated with the offense.
Device Local IP	Device Local IP
Last Modified On
Tactic ID
Last Seen
Device Name	Device Name
Attack Mode	Attack mode as received from the integration JSON
Detected External Hosts	Detected external hosts
Job Function	Job Function
SSDeep
IP Reputation
Error Message	The error message that contains details about the error that occurred.
Categories	The categories for the incident.
Last Name	Last Name
Org Level 3
File Paths
Process MD5
Isolated	Isolated
Tool Usage Found
Hostnames	The hostname in the event.
Verification Status	The status of the user verification.
Source Hostname	The hostname that performed the port scan.
OS Type	OS Type
High Risky Hosts
File Path
userAccountControl	userAccountControl
Technique
Region
SHA256	SHA256
City
Org Level 1
App message
Ticket Acknowledged Date
Last Update Time
Pre Nat Source IP	The source IP before NAT.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Cloud Resource List
Rating
Process Creation Time
Device External IP	Device External IP
Assigned User	Assigned User
Username	The username of the account who logged in.
Detected IPs
Org Unit
Threat Hunting Detected Hostnames
Mobile Device Model
Destination MAC Address	The destination MAC address in an event.
Usernames	The username in the event.
Birthday	Person's Birthday
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Verification Method	The method used to verify the user.
First Seen
Resource URL
External Last Updated Time
Affected Users
Protocol - Event	The network protocol in the event.
Application Name	Application Name
URLs
Tools
Parent CMD line
Src	Source
ASN
Alert Attack Time
First Name	First Name
Suspicious Executions Found
Process Path
Source Category
sAMAccountName	User sAMAAccountName
Application Id	Application Id
SHA512	SHA512
Objective
Parent Process CMD
Event Descriptions	The description of the event name.
MITRE Tactic ID
Error Code
EmailCampaignSummary
Affected Hosts
Src NT Domain	Source NT Domain
MITRE Tactic Name
Source Username	The username that was the source of the attack.
Signature
Domain Registrar Abuse Email
Pre Nat Source Port	The source port before NAT.
Parent Process Path
Policy Description
Sensor IP
Device Hash	Device Hash
Device Id	Device Id
similarIncidents
Employee Email	The email address of the employee.
Detection Update Time
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Close Time	The closing time.
Detected External IPs	Detected external IPs
Use Case Description
IncomingMirrorError
Cloud Service
Location	Location
Custom Query Results
Number of Related Incidents
Alert Malicious	Whether the alert is malicious.
RemovedFromCampaigns
Report Name
Src Ports	The source ports of the event.
Destination Geolocation	The destination geolocation of the event.
External Category Name
Alert ID	Alert ID as received from the integration JSON
Cloud Instance ID	Cloud Instance ID
Classification	Incident Classification
Policy URI
Policy Details
Policy Actions
Changed	The user who changed this incident
External Sub Category Name
Policy Recommendation
Personal Email
Tags
State	State
DNS Name	The DNS name of the asset.
Asset Name
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
File Relationships
EmailCampaignMutualIndicators
User Anomaly Count
Suspicious Executions
Sensor Name
Account Member Of
Destination IP	The IP address the impossible traveler logged in to.
Event ID	Event ID
Threat Hunting Detected IP
Source IP	The IP Address that the user initially logged in from.
Source Priority
Application Path
Category Count	The number of categories that are associated with the offense.
Post Nat Source IP	The source IP address after NAT.
Src User	Source User
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Registry Key
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Dest OS	Destination OS
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Email	Primary Email Address
Detection ID
User Id	User Id
Post Nat Destination IP	The destination IP address after NAT.
Zip Code	Zip Code
Operation Name
Email Sent Successfully	Whether the email has been successfully sent.
Cloud Account ID
Src Hostname	Source hostname
Vulnerable Product
Exposure Level
Department	Department
Ticket Number
File Size	File Size
Protocol	Protocol
External Confidence
Detection End Time
Risk Rating
Country	The country from which the user logged in.
External System ID
Subtype	Subtype
Start Time	The time when the offense started.
Policy Severity
Dest NT Domain	Destination NT Domain
Source Port	The source port that was used
Protocol names
Src OS	Src OS
CMD
External Addresses
Risk Score
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Parent Process MD5
Work Phone
Technical User	The technical user of the asset.
Region ID
Acquisition Hire
Log Source Name	The log source name associated with the event.
Alert Type ID
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Cost Center	Cost Center
Cloud Region List
Location Region	Location Region
Parent Process File Path
Team name
Device Time	The time from the original logging device when the event occurred.
Alert URL	Alert URL as received from the integration JSON
Job Family	Job Family
Description	The description of the incident
Detected Endpoints
Device Model	Device Model
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Is Active	Alert status
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Related Endpoints
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Closing User	The closing user.
Alert Rules
File Hash
External Category ID
File MD5
Event Type	Event Type
Appliance ID	Appliance ID as received from the integration JSON
Org Level 2
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
UUID	UUID as received from the integration JSON
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Source Geolocation	The source geolocation of the event.
Device Status
Destination Networks
Audit Logs
Detection URL	URL of the ExtraHop Reveal(x) detection
User Engagement Response
Device OU	Device's OU path in Active Directory
Policy Remediable
Incident Link
Command Line Verdict
Last Mirrored Time Stamp	The last time the incident was mirrored in.
External ID
Triage SLA	The time it took to investigate and enrich incident information.
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Registration Email
Additional Email Addresses
Process Paths

Incident Types

Name	Description
Exploit
Network
Exfiltration
Lateral Movement
Simulation
Hunt
Defacement
Policy Violation
UnknownBinary
DoS
Indicator Feed
C2Communication
Authentication
Job
Reconnaissance
Vulnerability

Indicator Fields

Name	Description
Street Address
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Certificate Validation Checks
Issuer DN	Issuer Distinguished Name
Associations	Known associations to other pieces of Threat Data.
Serial Number
Size
City	City
Signed
Internal
Zip Code
Commands
STIX Malware Types
Targets
Download URL
AS Owner
Country Name
STIX Resource Level
Account Type
State
STIX Aliases	Alternative names used to identify this object
Global Prevalence	The number of times the indicator is detected across all organizations.
Admin Phone
Updated Date
Resource Level
Registrant Country
Signature Description
Region
Assigned role
Secondary Motivations
Applications
Service	The specific service of a feed integration from which an indicator was ingested.
Behavior
IP Address
Goals
Organization Type
Name
Report type
Registrar Abuse Name
Assigned user
Mobile Phone
Published
Certificate Names
Feed Related Indicators
Job Code	Job Code
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Community Notes
Office365Category
Query Language
Operating System
Tags
Blocked
File Type
Mitre Tactics
STIX Sophistication
CVSS Vector
CVE Modified
Vulnerabilities
Registrar Abuse Address
Domain Status
First Seen By Source	The first time the indicator was seen by the source vendor.
Admin Country
STIX Goals
Creation Date
Subdomains
Operating System Version
Given Name	Given Name
Number of subkeys
Primary Motivation
Signature Original Name
STIX Is Malware Family
Signature File Version
Subject
Report Object References	A list of STIX IDs referenced in the report.
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
CVSS Version
Name Field
Port
Display Name
Author
BIOS Version
Short Description
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Org Level 3
Department	Department
SWID	Specifies the Software Identification (SWID) tags entry for the software
Public Key
MAC Address
STIX Primary Motivation.
Vendor
DNS
Geo Location
Reports
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
CVSS
Certificate Signature
SHA512
Version
Organizational Unit (OU)
Organization First Seen	Date and time when the indicator was first seen in the organization.
Malware types
Validity Not Before	Specifies the date on which the certificate validity period begins.
Country Code Number
Is Processed
Operating System Refs
CVE Description
Signature Algorithm
Title	Title
Confidence
OS Version
User ID
Admin Email
Cost Center Code
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
STIX Description
Objective
Personal Email
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Positive Detections	Number of engines that positively detected the indicator as malicious
Registrant Phone
Device Model
ASN
Whois Records
Malware Family
Admin Name
CVSS Score
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Action
Name Servers
Org Level 1
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Office365Required
CVSS Table
Work Phone
Entry ID
Infrastructure Types
Geo Country
Location Region
Mitre ID
Signature Authentihash
Memory
Email
imphash
Organization
Campaign
Job Family
Registrant Name
Tool Types
Location
Roles
Registrant Email
Email Address
Force Sync	Whether to force user synchronization.
Product
STIX Secondary Motivations
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Registrar Abuse Phone
Quarantined	Whether the indicator is quarantined or isolated
Organization Prevalence	The number of times the indicator is detected in the organization.
Country Code
Org Level 2
Is Malware Family
MD5
Username
Hostname
Registrar Name
Domain Referring Subnets
Source Priority
Issuer
PEM	Certificate in PEM format.
Domain Referring IPs
Publications
Manager Email Address
Vulnerable Products
DHCP Server
Detection Engines	Total number of engines that checked the indicator
Validity Not After	Specifies the date on which the certificate validity period ends.
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
STIX Tool Version
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Groups
File Extension
Surname	Surname
Registrar Abuse Network
Signature Copyright
Cost Center
Samples
Domains
Domain IDN Name
Job Function
Registrar Abuse Country
Subject DN	Subject Distinguished Name
SSDeep
Signature Internal Name
Rank	Used to display rank from different sources
Paths
Path
Expiration Date
X.509 v3 Extensions
STIX Roles
Architecture
Org Unit
Domain Name
SHA256
Tool Version
Actor
Source Original Severity	The original score/severity provided by the source without DBot translation.
Leadership
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Extension
Acquisition Hire	Whether the employee is an acquisition hire.
STIX Tool Types
Category
Description
DNS Records
Capabilities
Indicator Identification
Aliases	Alternative names used to identify this object
Registrar Abuse Email
Subject Alternative Names
SHA1
Detections
Sophistication
Manager Name	Manager Name
Definition
Processors
CVSS3
Processor
Key Value
STIX Threat Actor Types
Threat Actor Types
Implementation Languages
Office365ExpressRoute
Associated File Names
Certificates

Layouts

Name	Description
Tool Indicator	Tool Indicator Layout
Domain Indicator	Domain Indicator Layout
Intrusion Set	Intrusion Set Layout
File Indicator	File Indicator Layout
Identity	Identity indicator layout
Campaign	Campaign Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Location	Location indicator layout
URL Indicator	URL Indicator Layout
Malware Indicator	Malware Indicator Layout
X509 Certificate	CVE Indicator Layout
Email Indicator	Email Indicator Layout
Account Indicator	Account Indicator Layout
ASN	ASN Indicator Layout
Host Indicator	Host indicator layout
Tactic Layout	Tactic Indicator Layout
Mutex	Mutex indicator layout
Software	Software Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Vulnerability Incident
Course of Action	Course of Action Indicator Layout
IP Indicator	IP Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Report	Report Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
CVE Indicator	CVE Indicator Layout
Indicator Feed Incident

Indicator Types

Name	Description
Intrusion Set
Attack Pattern
Host
Registry Key
Tool
Report
File
Tactic
Email
Software
File SHA-256
IPv6
Domain
Threat Actor
IPv6CIDR
Mutex
CVE
ASN
Malware
File MD5
CIDR
Identity
ssdeep
Location
Infrastructure
URL
Campaign
Account
Onion Address
DomainGlob
Course of Action
IP
X509 Certificate
File SHA-1

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Last Modified By
Email Sent Successfully	Whether the email has been successfully sent.
User Engagement Response
EmailCampaignCanvas
Caller
Street Address
Org Level 1
Process Names
High Risky Hosts
External Category ID
Related Report
File Creation Date
Device MAC Address
Employee Email	The email address of the employee.
Tenant Name	Tenant Name
Process Creation Time
External End Time
Source Networks
Detection ID
Last Name	Last Name
Policy Details
userAccountControl	userAccountControl
Policy Remediable
Block Indicators Status
Post Nat Source Port	The source port after NAT.
Org Unit
User Block Status
External Confidence
Detected Internal Hosts	Detected internal hosts
Log Source Name	The log source name associated with the event.
Tactic
App message
Investigation Stage	The stage of the investigation.
Closing User	The closing user.
CVE
Technical Owner	The technical owner of the asset.
Containment SLA	The time it took to contain the incident.
Report Name
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
sAMAccountName	User sAMAAccountName
High Risky Users
Cloud Account ID
String Similarity Results
Account Member Of
Original Description	The description of the incident
Isolated	Isolated
Policy ID
Detected External IPs	Detected external IPs
Asset Name
Detection URL	URL of the ExtraHop Reveal(x) detection
Zip Code	Zip Code
Process ID
Country Code Number
Related Alerts
MITRE Technique Name
Asset ID
Password Changed Date
Source Geolocation	The source geolocation of the event.
Alert Malicious	Whether the alert is malicious.
Post Nat Destination Port	The destination port after NAT.
Detection End Time
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Detected Endpoints
Item Owner Email
Verification Method	The method used to verify the user.
Src OS	Src OS
User Creation Time
Attack Mode	Attack mode as received from the integration JSON
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Device Hash	Device Hash
Protocol names
Start Time	The time when the offense started.
Referenced Resource ID
Rating
Registration Email
Timezone
Policy Type
Employee Manager Email	The email address of the employee's manager.
Source Created By
Device Time	The time from the original logging device when the event occurred.
Account ID
Domain Name
Email	Primary Email Address
Triggered Security Profile	Triggered Security Profile
Cloud Resource List
IP Blocked Status
Identity Type
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Source Urgency	Source Urgency
Original Alert Source
Org Level 2
List Of Rules - Event	The list of rules associated to an event.
Source Updated by
Internal Addresses
Full Name	Person's Full Name
External Last Updated Time
Technique ID
EmailCampaignSnippets
Job Family	Job Family
Changed	The user who changed this incident
Vulnerability Category
Device OS Name
Attack Patterns
Domain Updated Date
Parent Process IDs
Vendor Product
Group ID
Selected Indicators	Includes the indicators selected by the user.
Team name
Process MD5
ASN
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Job Function	Job Function
Source Priority
Mobile Phone
Employee Display Name	The display name of the employee.
Threat Name	Define the threat name such as malware/exploit/phishing/etc
File SHA1
Device Internal IPs
Item Owner
Birthday	Person's Birthday
Last Update Time
State	State
Closing Reason	The closing reason
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Additional Data
Command Line Verdict
Password Reset Successfully	Whether the password has been successfully reset.
Last Modified On
Policy Actions
Rendered HTML	The HTML content in a rendered form.
OS	The operating system.
Title	Title
Job Code	Job Code
Bugtraq
Parent Process Name
Follow Up	True if marked for follow up.
Registry Hive
Process Paths
Suspicious Executions
Incident Link
Cloud Region List
Duration
Policy Severity
Comment	The comments related with the incident
Cost Center Code	Cost Center Code
Assigned User	Assigned User
Parent Process MD5
Parent Process Path
MITRE Tactic ID
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Location Region	Location Region
Escalation
Custom Query Results
Manager Name	Manager Name
Post Nat Source IP	The source IP address after NAT.
Additional Indicators
External System ID
First Name	First Name
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Country Code
Technical Owner Contact	The contact details for the technical owner.
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
External Status
Rule Name	The name of a YARA rule
Mobile Device Model
Location	Location
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
External Link
Event Names	The event name (translated QID ) in the event.
Status Reason
Source Category
Log Source	Log Source
Category Count	The number of categories that are associated with the offense.
IP Reputation
Registry Key
Vendor ID
Operation Name
Device Id	Device Id
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
External Sub Category ID
Verification Status	The status of the user verification.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Objective
Exposure Level
Tool Usage Found
External Sub Category Name
Campaign Name
EmailCampaignMutualIndicators
File Relationships
Cost Center	Cost Center
Approval Status	The status for the approval of the request.
SKU TIER
Alert Rules
Referenced Resource Name
Number of Related Incidents
IncomingMirrorError
Error Code
Triage SLA	The time it took to investigate and enrich incident information.
Last Seen
Risk Score
Region
Blocked Action	Blocked Action
Event Descriptions	The description of the event name.
Tools
Destination Networks
Related Campaign
Org Level 3
Work Phone
CVSS
Vulnerable Product
Agents ID
Device External IPs
Acquisition Hire
Process CMD
Alert Action	Alert action as received from the integration JSON
Error Message	The error message that contains details about the error that occurred.
Post Nat Destination IP	The destination IP address after NAT.
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Assignment Group
Registry Value Type
Users Details
app channel name
ASN Name
Phone Number	Phone number
CVE Published
Parent Process CMD
Device OS Version
Source Create time
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Is Active	Alert status
Tactic ID
Resource Name
Policy Recommendation
Destination IPV6	The destination IPV6 address.
Device Status
Pre Nat Source IP	The source IP before NAT.
End Time	The time when the offense ended.
Pre Nat Destination Port	The destination port before NAT.
Subtype	Subtype
Raw Event	The unparsed event data.
Alert tags
Device OU	Device's OU path in Active Directory
Audit Logs
Cloud Instance ID	Cloud Instance ID
Signature
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Region ID
Surname	Surname
Policy Description
Use Case Description
Policy URI
Personal Email
Device Name	Device Name
Resource URL
Approver	The person who approved or needs to approve the request.
User Id	User Id
Endpoint Isolation Status
Process SHA256
SSDeep
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Project ID
Agent Version	Reporting Agent/Sensor Version
Technique
Source Id
User Anomaly Count
Similar incidents Dbot
Display Name	Display Name
Number of similar files
Dsts	The destination values.
Manager Email Address
CVE ID
External Category Name
Original Alert Name	Alert name as received from the integration JSON
External Start Time
Log Source Type	The log source type associated with the event.
Original Events	The events associated with the offense.
Suspicious Executions Found
Sensor IP
Unique Ports
MITRE Technique ID
Verdict
Given Name	Given Name
Department	Department
Classification	Incident Classification
Event ID	Event ID
Traffic Direction	The direction of the traffic in the event.
Technical User	The technical user of the asset.
External Severity
Domain Registrar Abuse Email
Ticket Number
First Seen
File Size	File Size
Registry Value
Scenario
SHA512	SHA512
Ticket Acknowledged Date
similarIncidents
SHA1	SHA1
Cloud Service
File Hash
UUID	UUID as received from the integration JSON
Source Status
Affected Hosts
OS Type	OS Type
Device Model	Device Model
Source External IPs
Resource Type
RemovedFromCampaigns
EmailCampaignSummary
Hunt Results Count
Low Level Categories Events	The low level category of the event.
Leadership
Original Alert ID	Alert ID as received from the integration JSON
Additional Email Addresses
OutgoingMirrorError
Policy Deleted
City
Ticket Closed Date
Risk Rating
URLs
User Groups
Account Status
MITRE Tactic Name
Sub Category	The sub category
User SID
Parent Process File Path
Compliance Notes	Notes regarding the assets compliance.
Dest OS	Destination OS
Affected Users
Application Path
Close Time	The closing time.
Pre Nat Source Port	The source port before NAT.
Risk Name
Related Endpoints
Alert Type ID
Destination Geolocation	The destination geolocation of the event.
File Access Date
Reporter Email Address	The email address of the user who reported the email.
Parent Process SHA256
Endpoints Details
SKU Name
Number Of Log Sources	The number of log sources related to the offense.

Incident Types

Name	Description
Simulation
Hunt
C2Communication
Vulnerability
DoS
Exfiltration
UnknownBinary
Defacement
Exploit
Authentication
Reconnaissance
Network
Policy Violation
Indicator Feed
Job
Lateral Movement

Indicator Fields

Name	Description
STIX Tool Version
Department	Department
Operating System Version
Certificate Validation Checks
Manager Name	Manager Name
Admin Phone
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Validity Not Before	Specifies the date on which the certificate validity period begins.
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Primary Motivation
Org Unit
Rank	Used to display rank from different sources
Cost Center Code
Job Family
Resource Level
Serial Number
Subject Alternative Names
Category
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Signature Original Name
Objective
Given Name	Given Name
Device Model
Vulnerable Products
X.509 v3 Extensions
Port
Action
Subject DN	Subject Distinguished Name
Positive Detections	Number of engines that positively detected the indicator as malicious
Query Language
Name Field
STIX Threat Actor Types
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Extension
City	City
Signature Internal Name
Source Original Severity	The original score/severity provided by the source without DBot translation.
Admin Email
Blocked
STIX Tool Types
Global Prevalence	The number of times the indicator is detected across all organizations.
Sophistication
Download URL
CVSS
Organization Prevalence	The number of times the indicator is detected in the organization.
Report type
Location
Hostname
Signature Authentihash
Geo Location
CVE Modified
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Admin Country
Domain IDN Name
Size
Registrant Country
STIX Description
Registrant Email
Updated Date
Title	Title
Domain Referring IPs
Internal
CVE Description
SHA512
STIX Primary Motivation.
Username
Email Address
Registrant Name
Org Level 2
First Seen By Source	The first time the indicator was seen by the source vendor.
Registrar Abuse Address
Report Object References	A list of STIX IDs referenced in the report.
Registrar Name
Detections
Vendor
Tags
Expiration Date
DNS Records
STIX Roles
Acquisition Hire	Whether the employee is an acquisition hire.
CVSS Score
Zip Code
Leadership
Certificate Names
Is Processed
Roles
Detection Engines	Total number of engines that checked the indicator
Tool Types
Manager Email Address
Architecture
Cost Center
Admin Name
Subdomains
Entry ID
ASN
Processor
State
Domain Status
Name
Goals
SSDeep
Number of subkeys
Malware Family
Groups
Secondary Motivations
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Organization
Community Notes
Domains
Org Level 3
Account Type
Registrar Abuse Name
Confidence
Force Sync	Whether to force user synchronization.
AS Owner
Signed
Key Value
Assigned role
Source Priority
Work Phone
Creation Date
Actor
Registrant Phone
IP Address
SHA1
Surname	Surname
STIX Sophistication
Malware types
Reports
Registrar Abuse Email
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Definition
SHA256
Mitre Tactics
File Extension
Organization Type
CVSS Version
Registrar Abuse Country
Author
Service	The specific service of a feed integration from which an indicator was ingested.
STIX Resource Level
Office365ExpressRoute
Organizational Unit (OU)
Office365Required
Targets
STIX Aliases	Alternative names used to identify this object
Publications
Subject
DNS
Paths
Signature File Version
Issuer
Display Name
Behavior
Org Level 1
Infrastructure Types
PEM	Certificate in PEM format.
Country Code Number
Mobile Phone
Associations	Known associations to other pieces of Threat Data.
Country Name
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
STIX Is Malware Family
Certificate Signature
Capabilities
Whois Records
Vulnerabilities
Location Region
Feed Related Indicators
STIX Secondary Motivations
Aliases	Alternative names used to identify this object
Is Malware Family
Threat Actor Types
Registrar Abuse Network
Country Code
Public Key
Path
Short Description
Campaign
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Email
imphash
Commands
Job Function
File Type
User ID
Indicator Identification
Validity Not After	Specifies the date on which the certificate validity period ends.
Job Code	Job Code
Registrar Abuse Phone
Name Servers
Organization First Seen	Date and time when the indicator was first seen in the organization.
CVSS Table
Issuer DN	Issuer Distinguished Name
STIX Malware Types
Version
Street Address
Signature Algorithm
Description
Operating System
Certificates
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Tool Version
MD5
Signature Copyright
Quarantined	Whether the indicator is quarantined or isolated
Signature Description
Published
Associated File Names
STIX Goals
Processors
DHCP Server
OS Version
Geo Country
Samples
Domain Name
Applications
BIOS Version
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
CVSS Vector
Domain Referring Subnets
Product
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
SWID	Specifies the Software Identification (SWID) tags entry for the software
Personal Email
Memory
Implementation Languages
Office365Category
CVSS3
Region
Assigned user
Mitre ID
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Operating System Refs

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
URL Indicator	URL Indicator Layout
Host Indicator	Host indicator layout
X509 Certificate	CVE Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Tool Indicator	Tool Indicator Layout
Vulnerability Incident
Campaign	Campaign Indicator Layout
CVE Indicator	CVE Indicator Layout
Domain Indicator	Domain Indicator Layout
Location	Location indicator layout
Registry Key Indicator	Registry Key Indicator Layout
File Indicator	File Indicator Layout
Malware Indicator	Malware Indicator Layout
ASN	ASN Indicator Layout
IP Indicator	IP Indicator Layout
Identity	Identity indicator layout
Email Indicator	Email Indicator Layout
Account Indicator	Account Indicator Layout
Indicator Feed Incident
Threat Actor	Threat Actor Indicator Layout
Mutex	Mutex indicator layout
Course of Action	Course of Action Indicator Layout
Report	Report Indicator Layout
Intrusion Set	Intrusion Set Layout
Tactic Layout	Tactic Indicator Layout
Software	Software Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout

Indicator Types

Name	Description
DomainGlob
IPv6
CVE
Malware
Tactic
File MD5
Report
Software
Attack Pattern
Location
CIDR
Identity
Host
Onion Address
Tool
Email
X509 Certificate
Mutex
Account
Infrastructure
Campaign
Threat Actor
ASN
File SHA-1
IPv6CIDR
ssdeep
Domain
File SHA-256
Registry Key
URL
IP
Course of Action
File
Intrusion Set

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (57)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.5.5 - 1082615 (June 10, 2024)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

3.5.4 - 1061293 (June 2, 2024)

Indicator Types

Email

Related pull requests:
- 33924

Download

3.5.3 - 1021616 (May 16, 2024)

Indicator Fields

Kill Chain Phases
- Added a missing phase, Resource Development, to multi-select list

Related pull requests:
- 33786

Download

3.5.2 - 998827 (May 6, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Indicator Fields

Author

Related pull requests:
- 33839

Download

3.5.0 - 995825 (May 5, 2024)

Incident Fields

New: Registration Email
New: Domain Updated Date
New: Domain Registrar Abuse Email

Related pull requests:
- 32924

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1900707 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1621428 (November 11, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.5.5 - 1082615 (June 10, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

3.5.4 - 1063016 (June 2, 2024)

Indicator Types

Email

Related pull requests:
- 33924

Download

3.5.3 - 1021616 (May 16, 2024)

Indicator Fields

Kill Chain Phases
- Added a missing phase, Resource Development, to multi-select list

Related pull requests:
- 33786

Download

3.5.2 - 998827 (May 6, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Indicator Fields

Author

Related pull requests:
- 33839

Download

3.5.0 - 995825 (May 5, 2024)

Incident Fields

New: Registration Email
New: Domain Updated Date
New: Domain Registrar Abuse Email

Related pull requests:
- 32924

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	April 20, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Common Types

Pack Contributors:

Pack Contributors:

Indicator Types

Incident Fields

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Layouts

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications

New: Definition

Indicator Types

Incident Fields

Indicator Fields

Validity Not Before

Validity Not After

Layouts

Indicator Types

Incident Fields

Indicator Types

Layouts

Indicator Fields

Primary Motivation

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Common Types

Indicator Types

Indicator Fields

Common Types

Indicator Fields

Incident Fields

Indicator Types

Incident Fields

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields