Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Use Case Description
OS Type	OS Type
Source External IPs
Resource Type
Job Family	Job Family
OS Version	OS Version
Pre Nat Destination Port	The destination port before NAT.
External Sub Category ID
Error Code
Device Id	Device Id
userAccountControl	userAccountControl
Status Reason
CVSS
Post Nat Destination IP	The destination IP address after NAT.
Device Hash	Device Hash
Parent CMD line
File Hash
Team name
Investigation Stage	The stage of the investigation.
Triage SLA	The time it took to investigate and enrich incident information.
Command Line	Command Line
IP Reputation
Device External IP	Device External IP
Campaign Name
Department	Department
Registration Email
Bugtraq
Parent Process File Path
Hostnames	The hostname in the event.
Policy ID
Closing User	The closing user.
Last Modified On
Asset Name
Last Modified By
Audit Logs
OutgoingMirrorError
Technique
Item Owner Email
Tags
RemovedFromCampaigns
Additional Email Addresses
Password Reset Successfully	Whether the password has been successfully reset.
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Detection End Time
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
External Sub Category Name
Srcs	The source values.
Detected User
Verdict
Full Name	Person's Full Name
Number of Related Incidents
Employee Manager Email	The email address of the employee's manager.
Tool Usage Found
Source IP	The IP Address that the user initially logged in from.
External Severity
Suspicious Executions Found
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Verification Status	The status of the user verification.
Tools
URLs
CMD
Number of similar files
DNS Name	The DNS name of the asset.
Destination Hostname	Destination hostname
Event ID	Event ID
app channel name
Cost Center	Cost Center
Classification	Incident Classification
sAMAccountName	User sAMAAccountName
Additional Data
Application Path
Alert Rules
Personal Email
Custom Query Results
Reporter Email Address	The email address of the user who reported the email.
Source Hostname	The hostname that performed the port scan.
Technical Owner Contact	The contact details for the technical owner.
Ticket Number
Country Code
Parent Process MD5
Exposure Level
Title	Title
Protocol - Event	The network protocol in the event.
UUID	UUID as received from the integration JSON
Resource URL
First Name	First Name
Operation Name
Street Address
Device External IPs
Log Source Type	The log source type associated with the event.
Process Names
Manager Name	Manager Name
Org Level 2
Source Id
Last Name	Last Name
Process Name
MITRE Technique ID
File Path
Process ID
Username	The username of the account who logged in.
Ticket Opened Date
Location Region	Location Region
Device Username	The username of the user that owns the device
File Relationships
Rule Name	The name of a YARA rule
Log Source	Log Source
Mobile Device Model
Parent Process IDs
Ticket Closed Date
Detected IPs
Alert Action	Alert action as received from the integration JSON
Parent Process Name
Parent Process SHA256
Cloud Resource List
Alert Category	The category of the alert
Job Code	Job Code
Sensor Name
IncomingMirrorError
Process Paths
Endpoints Details
Threat Hunting Detected IP
Risk Score
File Paths
High Level Categories	The high level categories in the events.
External Category Name
Assigned User	Assigned User
Source Status
Source Updated by
Device Time	The time from the original logging device when the event occurred.
Detection ID
ASN Name
MITRE Tactic Name
Low Level Categories Events	The low level category of the event.
Policy Recommendation
User SID
Phone Number	Phone number
City
Sensor IP
Number Of Log Sources	The number of log sources related to the offense.
Traffic Direction	The direction of the traffic in the event.
Process Path
CVE
File Name
Approval Status	The status for the approval of the request.
Manager Email Address
Agents ID
Destination IPV6	The destination IPV6 address.
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Dest NT Domain	Destination NT Domain
Work Phone
Dest	Destination
Event Descriptions	The description of the event name.
Policy Remediable
External Link
Src Hostname	Source hostname
Category Count	The number of categories that are associated with the offense.
Post Nat Source IP	The source IP address after NAT.
Technical Owner	The technical owner of the asset.
Device MAC Address
Registry Value Type
PID	PID
Event Names	The event name (translated QID ) in the event.
App
Related Alerts
Rendered HTML	The HTML content in a rendered form.
User Anomaly Count
Agent Version	Reporting Agent/Sensor Version
External Addresses
Endpoint Isolation Status
Src OS	Src OS
Related Report
Tactic
Domain Name
Destination Networks
Risk Name
Org Level 3
Destination MAC Address	The destination MAC address in an event.
EmailCampaignSnippets
Source Priority
String Similarity Results
Password Changed Date
Cloud Account ID
Detected Internal Hosts	Detected internal hosts
External System ID
Account Name	Account Name
Post Nat Source Port	The source port after NAT.
User Agent
Source Networks
Dsts	The destination values.
External Start Time
Referenced Resource ID
Alert Source
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Application Name	Application Name
Events	The events associated with the offense.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Org Unit
Destination Network
Log Source Name	The log source name associated with the event.
External End Time
Detected Endpoints
Resource Name
Containment SLA	The time it took to contain the incident.
Assignment Group
EmailCampaignSummary
SHA512	SHA512
Source Network
Device Local IP	Device Local IP
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
External Category ID
State	State
Device Status
Account Status
Zip Code	Zip Code
Email Sent Successfully	Whether the email has been successfully sent.
User Risk Level
Process CMD
Block Indicators Status
File MD5
Detected Users	Detected users
ASN
Resource ID
Compliance Notes	Notes regarding the assets compliance.
Signature
Is Active	Alert status
User Creation Time
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Number Of Found Related Alerts	Medium or Higher Severity Alerts
MAC Address	MAC Address
Display Name	Display Name
Region
Approver	The person who approved or needs to approve the request.
Child Process
Source Geolocation	The source geolocation of the event.
Similar incidents Dbot
Cloud Service
Cloud Instance ID	Cloud Instance ID
Country	The country from which the user logged in.
Endpoint
Close Time	The closing time.
Alert Name	Alert name as received from the integration JSON
MITRE Tactic ID
Hunt Results Count
Policy Severity
Birthday	Person's Birthday
Pre Nat Source IP	The source IP before NAT.
Parent Process CMD
Domain Registrar Abuse Email
Group ID
Comment	The comments related with the incident
Alert tags
Related Campaign
Policy Actions
Alert Attack Time
Last Update Time
Affected Hosts
Follow Up	True if marked for follow up.
Tactic ID
Incident Link
Usernames	The username in the event.
Employee Email	The email address of the employee.
Vulnerability Category
Technical User	The technical user of the asset.
Policy Type
Protocols
Users Details
Post Nat Destination Port	The destination port after NAT.
Report Name
Duration
User Id	User Id
Ticket Acknowledged Date
Source Create time
Process SHA256
Src Ports	The source ports of the event.
First Seen
High Risky Hosts
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
IP Blocked Status
Categories	The categories for the incident.
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Detected Internal IPs	Detected internal IPs
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Given Name	Given Name
Acquisition Hire
Policy Details
Risk Rating
SHA256	SHA256
Pre Nat Source Port	The source port before NAT.
Dst Ports	The destination ports of the event.
Org Level 1
Cloud Operation Type
Employee Display Name	The display name of the employee.
Device Model	Device Model
Source MAC Address	The source MAC address in an event.
Changed	The user who changed this incident
Parent Process Path
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
CMD line
Destination IPs	The destination IPs of the event.
Device OS Name
Source Port	The source port that was used
Error Message	The error message that contains details about the error that occurred.
Alert Malicious	Whether the alert is malicious.
File SHA1
External Last Updated Time
EmailCampaignCanvas
CVE ID
Location	Location
Attack Mode	Attack mode as received from the integration JSON
List Of Rules - Event	The list of rules associated to an event.
Protocol	Protocol
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Description	The description of the incident
Related Endpoints
Cloud Region List
Leadership
End Time	The time when the offense ended.
Rating
Email	Primary Email Address
SSDeep
Item Owner
Device OU	Device's OU path in Active Directory
Caller
File Names
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
External ID
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Source Username	The username that was the source of the attack.
File SHA256
Src	Source
CVE Published
External Confidence
User Block Status
Vendor Product
SKU TIER
Escalation
Asset ID
EmailCampaignMutualIndicators
Closing Reason	The closing reason
Device Internal IPs
Raw Event	The unparsed event data.
Event Type	Event Type
Isolated	Isolated
Destination Port	The destination port used.
Internal Addresses
Process MD5
Source Category
Appliance ID	Appliance ID as received from the integration JSON
Vulnerable Product
External Status
OS	The operating system.
Start Time	The time when the offense started.
Source Created By
Timezone
Alert ID	Alert ID as received from the integration JSON
Appliance Name	Appliance name as received from the integration JSON
Registry Hive
File Creation Date
Policy URI
Account ID
High Risky Users
SHA1	SHA1
Surname	Surname
Src User	Source User
Alert URL	Alert URL as received from the integration JSON
Detected External IPs	Detected external IPs
Identity Type
Attack Patterns
Referenced Resource Name
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Registry Value
Additional Indicators
Account Member Of
Vendor ID
Alert Type ID
Dest Hostname	Destination hostname
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Destination Geolocation	The destination geolocation of the event.
Tenant Name	Tenant Name
Subtype	Subtype
Triggered Security Profile	Triggered Security Profile
Project ID
Process Creation Time
Detection Update Time
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Domain Updated Date
Source IPV6	The source IPV6 address.
Command Line Verdict
MITRE Technique Name
Src NT Domain	Source NT Domain
Region ID
Users
Dest OS	Destination OS
Blocked Action	Blocked Action
Verification Method	The method used to verify the user.
Source Urgency	Source Urgency
Unique Ports
User Groups
Policy Deleted
Selected Indicators	Includes the indicators selected by the user.
User Engagement Response
Policy Description
Device OS Version
App message
Destination IP	The IP address the impossible traveler logged in to.
File Size	File Size
MD5	MD5
Sub Category	The sub category
Scenario
Device Name	Device Name
Registry Key
Threat Hunting Detected Hostnames
Cost Center Code	Cost Center Code
Agent ID	Agent ID
Objective
Country Name	Country Name
SKU Name
Detection URL	URL of the ExtraHop Reveal(x) detection
Country Code Number
Protocol names
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Source IPs	The source IPs of the event.
Job Function	Job Function
Technique ID
Application Id	Application Id
Mobile Phone
Detected External Hosts	Detected external hosts
File Access Date
Affected Users
Suspicious Executions
similarIncidents
Parent Process
Last Seen
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate

Incident Types

Name	Description
Indicator Feed
DoS
Authentication
Defacement
Lateral Movement
Network
Reconnaissance
Policy Violation
UnknownBinary
Vulnerability
Exfiltration
C2Communication
Exploit
Job
Hunt
Simulation

Indicator Fields

Name	Description
Registrar Name
STIX Threat Actor Types
Registrar Abuse Email
PEM	Certificate in PEM format.
Publications
Detections
Goals
MD5
Subject Alternative Names
DHCP Server
File Type
Validity Not After	Specifies the date on which the certificate validity period ends.
Vulnerable Products
Memory
Rank	Used to display rank from different sources
Cost Center
DNS
Signature File Version
Cost Center Code
Samples
Query Language
Campaign
Community Notes
Reports
Source Original Severity	The original score/severity provided by the source without DBot translation.
Country Name
Internal
CVSS
Manager Email Address
Service	The specific service of a feed integration from which an indicator was ingested.
Leadership
Quarantined	Whether the indicator is quarantined or isolated
Subdomains
Country Code Number
Threat Actor Types
Office365ExpressRoute
Targets
Mitre Tactics
Validity Not Before	Specifies the date on which the certificate validity period begins.
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
CVE Description
Published
Registrant Name
Architecture
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Organization Last Seen	Date and time when the indicator was last seen in the organization.
CVSS3
Domain Name
DNS Records
Org Level 3
Certificate Names
STIX Malware Types
Signature Algorithm
Author
State
Vulnerabilities
Serial Number
Office365Category
STIX Tool Types
STIX Sophistication
Region
Updated Date
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Certificate Validation Checks
Account Type
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Street Address
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Signature Description
Mitre ID
Product
Detection Engines	Total number of engines that checked the indicator
CVSS Table
Domain Referring IPs
imphash
Geo Location
Signature Internal Name
Certificates
Certificate Signature
Malware types
STIX Description
X.509 v3 Extensions
Subject DN	Subject Distinguished Name
Given Name	Given Name
Subject
Global Prevalence	The number of times the indicator is detected across all organizations.
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Port
CVSS Score
Whois Records
Extension
Signature Authentihash
Department	Department
Org Level 2
Assigned role
SHA1
Surname	Surname
Number of subkeys
STIX Aliases	Alternative names used to identify this object
Name Servers
STIX Goals
Organization First Seen	Date and time when the indicator was first seen in the organization.
Admin Name
Tool Version
Name
AS Owner
Short Description
Operating System Refs
CVSS Version
Implementation Languages
Malware Family
Registrar Abuse Address
Organization
Issuer DN	Issuer Distinguished Name
Admin Email
Display Name
Associations	Known associations to other pieces of Threat Data.
Sophistication
Secondary Motivations
Applications
Zip Code
STIX Roles
Tool Types
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Domains
Hostname
Infrastructure Types
First Seen By Source	The first time the indicator was seen by the source vendor.
Action
Blocked
Description
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Assigned user
Job Family
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Registrant Phone
Download URL
Objective
Roles
Email Address
Commands
Category
Vendor
File Extension
Definition
Username
CVE Modified
Organizational Unit (OU)
SHA512
Job Code	Job Code
Geo Country
Personal Email
Name Field
Operating System Version
Tags
Issuer
STIX Secondary Motivations
Processor
MAC Address
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Size
SHA256
ASN
Force Sync	Whether to force user synchronization.
Path
Org Level 1
Is Processed
Capabilities
STIX Primary Motivation.
OS Version
Domain IDN Name
SSDeep
Report Object References	A list of STIX IDs referenced in the report.
Registrant Email
Device Model
STIX Is Malware Family
Indicator Identification
Organization Type
STIX Resource Level
Key Value
CVSS Vector
Primary Motivation
Resource Level
Report type
Creation Date
Version
IP Address
Registrant Country
City	City
Title	Title
Entry ID
Email
Aliases	Alternative names used to identify this object
Mobile Phone
Expiration Date
Signature Original Name
Registrar Abuse Name
Signed
Confidence
Operating System
Registrar Abuse Network
Location
Actor
SWID	Specifies the Software Identification (SWID) tags entry for the software
Source Priority
Manager Name	Manager Name
Acquisition Hire	Whether the employee is an acquisition hire.
Job Function
BIOS Version
User ID
STIX Tool Version
Organization Prevalence	The number of times the indicator is detected in the organization.
Feed Related Indicators
Processors
Signature Copyright
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Positive Detections	Number of engines that positively detected the indicator as malicious
Paths
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Admin Phone
Is Malware Family
Public Key
Registrar Abuse Phone
Admin Country
Office365Required
Registrar Abuse Country
Domain Referring Subnets
Location Region
Associated File Names
Domain Status
Groups
Work Phone
Country Code
Behavior
Org Unit

Layouts

Name	Description
Campaign	Campaign Indicator Layout
IP Indicator	IP Indicator Layout
URL Indicator	URL Indicator Layout
Report	Report Indicator Layout
Identity	Identity indicator layout
Intrusion Set	Intrusion Set Layout
Domain Indicator	Domain Indicator Layout
ASN	ASN Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Indicator Feed Incident
Software	Software Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Malware Indicator	Malware Indicator Layout
Account Indicator	Account Indicator Layout
Vulnerability Incident
Attack Pattern	Attack Pattern Indicator Layout
X509 Certificate	CVE Indicator Layout
CVE Indicator	CVE Indicator Layout
File Indicator	File Indicator Layout
Tool Indicator	Tool Indicator Layout
Mutex	Mutex indicator layout
Tactic Layout	Tactic Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Course of Action	Course of Action Indicator Layout
Email Indicator	Email Indicator Layout
Location	Location indicator layout
Host Indicator	Host indicator layout

Indicator Types

Name	Description
Malware
Email
File SHA-1
ssdeep
Mutex
Tactic
IPv6CIDR
File SHA-256
Report
Campaign
Attack Pattern
Software
CIDR
File
Host
Registry Key
IPv6
Identity
Tool
X509 Certificate
Infrastructure
ASN
Course of Action
CVE
Threat Actor
Intrusion Set
Domain
File MD5
Onion Address
URL
IP
DomainGlob
Account
Location

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Policy Type
Team name
MITRE Technique Name
Tenant Name	Tenant Name
Compliance Notes	Notes regarding the assets compliance.
Error Code
Device Internal IPs
IncomingMirrorError
Triage SLA	The time it took to investigate and enrich incident information.
Isolated	Isolated
Process MD5
Policy Details
Item Owner
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Registry Value Type
Risk Score
Device Model	Device Model
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Mobile Phone
Rendered HTML	The HTML content in a rendered form.
Policy Deleted
Parent Process File Path
Audit Logs
Personal Email
Country Code Number
Hunt Results Count
Source Create time
Pre Nat Destination Port	The destination port before NAT.
Technical Owner	The technical owner of the asset.
Cloud Service
Scenario
OutgoingMirrorError
Objective
OS Type	OS Type
Last Update Time
Referenced Resource Name
App message
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Org Level 3
Block Indicators Status
High Risky Users
Alert Malicious	Whether the alert is malicious.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Related Alerts
EmailCampaignCanvas
Source Networks
IP Blocked Status
Employee Display Name	The display name of the employee.
similarIncidents
Classification	Incident Classification
Dest OS	Destination OS
User SID
EmailCampaignSnippets
High Risky Hosts
Account ID
Command Line Verdict
Selected Indicators	Includes the indicators selected by the user.
Given Name	Given Name
Additional Data
UUID	UUID as received from the integration JSON
Campaign Name
Technical User	The technical user of the asset.
Risk Rating
Close Time	The closing time.
Category Count	The number of categories that are associated with the offense.
Assigned User	Assigned User
Report Name
Risk Name
Org Unit
External Severity
Source Priority
Asset Name
Manager Email Address
File Creation Date
Changed	The user who changed this incident
Event Descriptions	The description of the event name.
Tactic ID
Pre Nat Source IP	The source IP before NAT.
User Creation Time
Endpoints Details
First Seen
Display Name	Display Name
Rule Name	The name of a YARA rule
External Status
Incident Link
Internal Addresses
Resource URL
SKU Name
Vulnerability Category
Policy Remediable
External Sub Category ID
Pre Nat Source Port	The source port before NAT.
ASN
Policy Description
Caller
Technical Owner Contact	The contact details for the technical owner.
Referenced Resource ID
Source Category
Last Seen
Password Changed Date
Account Member Of
Destination Geolocation	The destination geolocation of the event.
Users Details
Ticket Closed Date
Location	Location
Tools
Original Alert ID	Alert ID as received from the integration JSON
Post Nat Source IP	The source IP address after NAT.
Event ID	Event ID
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Verification Method	The method used to verify the user.
Surname	Surname
External Last Updated Time
Process SHA256
String Similarity Results
Device Id	Device Id
Job Family	Job Family
Tactic
URLs
Log Source Type	The log source type associated with the event.
Mobile Device Model
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Leadership
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Org Level 2
Cost Center	Cost Center
Region ID
Vendor Product
EmailCampaignMutualIndicators
Protocol names
Source Status
SSDeep
Additional Indicators
Raw Event	The unparsed event data.
User Engagement Response
Comment	The comments related with the incident
User Groups
End Time	The time when the offense ended.
EmailCampaignSummary
Domain Registrar Abuse Email
Related Campaign
Destination IPV6	The destination IPV6 address.
City
Vulnerable Product
Approval Status	The status for the approval of the request.
Related Endpoints
First Name	First Name
Log Source Name	The log source name associated with the event.
Device MAC Address
Process Paths
Start Time	The time when the offense started.
Location Region	Location Region
User Anomaly Count
Last Modified On
Detection ID
Email	Primary Email Address
Closing User	The closing user.
MITRE Tactic Name
Domain Name
Cloud Account ID
Policy Recommendation
Technique
Last Modified By
Process CMD
Cloud Resource List
Source Urgency	Source Urgency
IP Reputation
Item Owner Email
Use Case Description
Alert Action	Alert action as received from the integration JSON
Dsts	The destination values.
User Id	User Id
Approver	The person who approved or needs to approve the request.
Agent Version	Reporting Agent/Sensor Version
Tool Usage Found
Containment SLA	The time it took to contain the incident.
Zip Code	Zip Code
Log Source	Log Source
Ticket Number
Registry Key
Asset ID
Device Hash	Device Hash
Detected External IPs	Detected external IPs
Original Description	The description of the incident
Suspicious Executions Found
Operation Name
Triggered Security Profile	Triggered Security Profile
Number Of Log Sources	The number of log sources related to the offense.
File Size	File Size
Cost Center Code	Cost Center Code
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Error Message	The error message that contains details about the error that occurred.
CVE ID
Parent Process IDs
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Employee Manager Email	The email address of the employee's manager.
Src OS	Src OS
Rating
Original Alert Source
Project ID
Related Report
Sensor IP
Resource Name
Number of Related Incidents
Parent Process Name
Cloud Region List
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Group ID
userAccountControl	userAccountControl
Resource Type
Sub Category	The sub category
Street Address
Subtype	Subtype
Traffic Direction	The direction of the traffic in the event.
Signature
User Block Status
Account Status
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Ticket Acknowledged Date
File Access Date
Custom Query Results
Detection End Time
External Confidence
Process Names
Status Reason
Event Names	The event name (translated QID ) in the event.
Post Nat Destination Port	The destination port after NAT.
Parent Process Path
Policy Actions
Source Created By
MITRE Technique ID
Source External IPs
Email Sent Successfully	Whether the email has been successfully sent.
Escalation
Manager Name	Manager Name
Similar incidents Dbot
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Source Updated by
Department	Department
Application Path
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Org Level 1
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
app channel name
Original Alert Name	Alert name as received from the integration JSON
Device OS Version
Low Level Categories Events	The low level category of the event.
Detected Internal Hosts	Detected internal hosts
Acquisition Hire
Original Events	The events associated with the offense.
CVE
sAMAccountName	User sAMAAccountName
Investigation Stage	The stage of the investigation.
ASN Name
Assignment Group
Identity Type
External Link
SHA1	SHA1
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Last Name	Last Name
Detected Endpoints
List Of Rules - Event	The list of rules associated to an event.
Additional Email Addresses
External Category ID
Duration
Suspicious Executions
Job Code	Job Code
External Start Time
Domain Updated Date
External Sub Category Name
Source Geolocation	The source geolocation of the event.
SKU TIER
Number of similar files
Affected Users
Technique ID
Registration Email
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Region
Timezone
Attack Patterns
Password Reset Successfully	Whether the password has been successfully reset.
Cloud Instance ID	Cloud Instance ID
Registry Hive
Device Time	The time from the original logging device when the event occurred.
Process ID
Parent Process SHA256
Vendor ID
Parent Process CMD
Verification Status	The status of the user verification.
Endpoint Isolation Status
Full Name	Person's Full Name
External End Time
Policy Severity
Bugtraq
Follow Up	True if marked for follow up.
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Alert Rules
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
External Category Name
MITRE Tactic ID
Source Id
SHA512	SHA512
Registry Value
Blocked Action	Blocked Action
Device OU	Device's OU path in Active Directory
Exposure Level
State	State
Device Name	Device Name
Is Active	Alert status
Process Creation Time
Device Status
Unique Ports
External System ID
Verdict
Title	Title
Post Nat Destination IP	The destination IP address after NAT.
Policy ID
Job Function	Job Function
Employee Email	The email address of the employee.
File Hash
Affected Hosts
CVE Published
Device External IPs
File SHA1
OS	The operating system.
File Relationships
Alert tags
Alert Type ID
CVSS
Policy URI
Device OS Name
Agents ID
Post Nat Source Port	The source port after NAT.
Phone Number	Phone number
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Attack Mode	Attack mode as received from the integration JSON
Parent Process MD5
Detection URL	URL of the ExtraHop Reveal(x) detection
RemovedFromCampaigns
Birthday	Person's Birthday
Closing Reason	The closing reason
Country Code
Reporter Email Address	The email address of the user who reported the email.
Destination Networks
Work Phone
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.

Incident Types

Name	Description
Authentication
Lateral Movement
C2Communication
Reconnaissance
Simulation
Indicator Feed
Exfiltration
Job
Network
Policy Violation
DoS
Hunt
Defacement
Vulnerability
Exploit
UnknownBinary

Indicator Fields

Name	Description
AS Owner
Entry ID
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Updated Date
Manager Email Address
DNS
Subject
Org Level 1
Author
Signature Authentihash
Force Sync	Whether to force user synchronization.
Street Address
Acquisition Hire	Whether the employee is an acquisition hire.
Registrant Name
Assigned user
Architecture
Indicator Identification
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Public Key
Internal
Job Family
Username
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Samples
City	City
Operating System
Whois Records
Port
Country Code
Mitre Tactics
Product
First Seen By Source	The first time the indicator was seen by the source vendor.
IP Address
Groups
Threat Actor Types
Objective
Global Prevalence	The number of times the indicator is detected across all organizations.
Campaign
Department	Department
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Associations	Known associations to other pieces of Threat Data.
Is Processed
Validity Not Before	Specifies the date on which the certificate validity period begins.
Domain Referring IPs
Name
Malware Family
Published
Validity Not After	Specifies the date on which the certificate validity period ends.
Office365Category
Source Priority
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Tool Types
Personal Email
Roles
SHA512
Detection Engines	Total number of engines that checked the indicator
CVSS Score
Positive Detections	Number of engines that positively detected the indicator as malicious
Aliases	Alternative names used to identify this object
Processor
Mobile Phone
Size
Geo Location
Domain Referring Subnets
Issuer
Capabilities
Memory
Surname	Surname
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Org Level 3
Email Address
Vendor
Name Servers
Operating System Version
Secondary Motivations
STIX Primary Motivation.
Goals
Leadership
OS Version
Infrastructure Types
Creation Date
Cost Center Code
Resource Level
Region
Registrar Name
Signature Internal Name
Service	The specific service of a feed integration from which an indicator was ingested.
Signature File Version
X.509 v3 Extensions
Download URL
Report type
Processors
Key Value
Tool Version
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
MD5
Rank	Used to display rank from different sources
State
Registrant Email
Geo Country
Domain Status
Domain IDN Name
Mitre ID
Hostname
Description
Subject Alternative Names
Country Name
SHA256
Country Code Number
Vulnerable Products
Operating System Refs
Certificates
Feed Related Indicators
STIX Malware Types
Extension
Certificate Validation Checks
Cost Center
Organizational Unit (OU)
File Type
BIOS Version
Paths
CVSS Table
Org Unit
Registrar Abuse Country
Definition
Issuer DN	Issuer Distinguished Name
Location Region
Path
Registrar Abuse Network
Office365Required
STIX Threat Actor Types
CVSS
Expiration Date
Title	Title
Blocked
Assigned role
Confidence
Certificate Signature
Commands
CVE Modified
Actor
Domains
CVSS Version
Implementation Languages
STIX Resource Level
SSDeep
Subdomains
SHA1
Given Name	Given Name
DHCP Server
Display Name
imphash
Registrant Country
Signature Original Name
Admin Phone
Device Model
CVE Description
Work Phone
Tags
SWID	Specifies the Software Identification (SWID) tags entry for the software
Organization Prevalence	The number of times the indicator is detected in the organization.
Email
CVSS3
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Admin Email
Serial Number
Report Object References	A list of STIX IDs referenced in the report.
Signature Description
Account Type
Vulnerabilities
Manager Name	Manager Name
Query Language
STIX Tool Types
Registrar Abuse Name
Signed
Short Description
Action
Publications
Sophistication
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Malware types
Registrar Abuse Phone
STIX Aliases	Alternative names used to identify this object
STIX Goals
Version
Registrar Abuse Email
Number of subkeys
Admin Country
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
CVSS Vector
STIX Description
Detections
Source Original Severity	The original score/severity provided by the source without DBot translation.
Organization First Seen	Date and time when the indicator was first seen in the organization.
Registrar Abuse Address
DNS Records
Domain Name
STIX Secondary Motivations
STIX Is Malware Family
Reports
Quarantined	Whether the indicator is quarantined or isolated
Registrant Phone
File Extension
Organization Type
STIX Roles
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Behavior
Location
Category
Org Level 2
Certificate Names
STIX Tool Version
Organization
Community Notes
Zip Code
User ID
Targets
Admin Name
Name Field
PEM	Certificate in PEM format.
STIX Sophistication
Applications
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Is Malware Family
Associated File Names
ASN
Subject DN	Subject Distinguished Name
Job Code	Job Code
Office365ExpressRoute
Signature Algorithm
Primary Motivation
Signature Copyright
Job Function

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
Intrusion Set	Intrusion Set Layout
Infrastructure	Infrastructure Indicator Layout
Malware Indicator	Malware Indicator Layout
File Indicator	File Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Report	Report Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
IP Indicator	IP Indicator Layout
CVE Indicator	CVE Indicator Layout
Email Indicator	Email Indicator Layout
Host Indicator	Host indicator layout
Mutex	Mutex indicator layout
X509 Certificate	CVE Indicator Layout
URL Indicator	URL Indicator Layout
Vulnerability Incident
Tool Indicator	Tool Indicator Layout
Threat Actor	Threat Actor Indicator Layout
ASN	ASN Indicator Layout
Indicator Feed Incident
Identity	Identity indicator layout
Course of Action	Course of Action Indicator Layout
Domain Indicator	Domain Indicator Layout
Campaign	Campaign Indicator Layout
Tactic Layout	Tactic Indicator Layout
Account Indicator	Account Indicator Layout
Software	Software Indicator Layout
Location	Location indicator layout

Indicator Types

Name	Description
Threat Actor
DomainGlob
ssdeep
Onion Address
Malware
X509 Certificate
Course of Action
Registry Key
Attack Pattern
File MD5
Intrusion Set
ASN
Tool
Identity
Software
File SHA-256
IPv6
Account
IPv6CIDR
URL
Report
Domain
File
Mutex
Infrastructure
CIDR
File SHA-1
Campaign
Location
Tactic
IP
Email
Host
CVE

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (57)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1900707 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1621428 (November 11, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	June 15, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Pack Contributors:

Pack Contributors:

Indicator Types

Indicator Types

Incident Fields

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Layouts

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications

New: Definition

Indicator Types

Incident Fields

Indicator Fields

Validity Not Before

Validity Not After

Layouts

Indicator Types

Incident Fields

Indicator Types

Layouts

Indicator Fields

Primary Motivation

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Indicator Types

Indicator Types

Incident Fields

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Indicator Types

Incident Fields

Layouts

Incident Fields

Indicator Types

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications