Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Tenant Name	Tenant Name
Detected External Hosts	Detected external hosts
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Start Time	The time when the offense started.
Threat Hunting Detected Hostnames
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Parent Process CMD
Policy Severity
Group ID
Number Of Log Sources	The number of log sources related to the offense.
File SHA1
Closing User	The closing user.
Status Reason
Source MAC Address	The source MAC address in an event.
Employee Email	The email address of the employee.
Signature
Protocol	Protocol
Scenario
Detected User
Device OS Version
Cloud Resource List
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
End Time	The time when the offense ended.
Post Nat Source IP	The source IP address after NAT.
Source Network
Mobile Phone
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
IP Reputation
User Agent
Mobile Device Model
Number of similar files
Categories	The categories for the incident.
Asset Name
Event Names	The event name (translated QID ) in the event.
Operation Name
Duration
Protocol names
External Last Updated Time
Country Code Number
userAccountControl	userAccountControl
Protocols
Org Level 3
Last Modified By
Manager Email Address
Identity Type
CMD line
Job Code	Job Code
CVE
Assignment Group
Item Owner
List Of Rules - Event	The list of rules associated to an event.
State	State
Account Name	Account Name
Alert tags
Agents ID
Tactic ID
Follow Up	True if marked for follow up.
Cost Center	Cost Center
External System ID
Process Path
Last Name	Last Name
External ID
Risk Rating
Related Report
Technical Owner Contact	The contact details for the technical owner.
OS	The operating system.
Job Function	Job Function
Source Id
Policy Recommendation
Resource Type
Password Changed Date
Last Seen
Device Local IP	Device Local IP
Birthday	Person's Birthday
Rendered HTML	The HTML content in a rendered form.
Process MD5
Pre Nat Destination Port	The destination port before NAT.
Source External IPs
Dst Ports	The destination ports of the event.
EmailCampaignSnippets
Containment SLA	The time it took to contain the incident.
Threat Hunting Detected IP
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Destination Network
High Risky Hosts
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Verification Status	The status of the user verification.
External Link
Child Process
Source Create time
Org Level 1
Destination Networks
SHA1	SHA1
High Level Categories	The high level categories in the events.
SKU TIER
Cloud Instance ID	Cloud Instance ID
ASN
Unique Ports
Attack Patterns
Title	Title
Campaign Name
Source Username	The username that was the source of the attack.
MD5	MD5
File Name
External Confidence
Approval Status	The status for the approval of the request.
Event ID	Event ID
Alert Rules
Project ID
External Sub Category ID
User Anomaly Count
Job Family	Job Family
MITRE Technique Name
Number of Related Incidents
Risk Name
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Tools
Policy URI
Region
OS Type	OS Type
Country Code
Manager Name	Manager Name
Post Nat Source Port	The source port after NAT.
Device External IP	Device External IP
Report Name
Username	The username of the account who logged in.
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Src	Source
External Category ID
Alert Attack Time
Event Descriptions	The description of the event name.
Device Model	Device Model
CVSS Availability Requirement	The CVSS availability requirement for the asset.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Escalation
UUID	UUID as received from the integration JSON
Post Nat Destination Port	The destination port after NAT.
Email	Primary Email Address
User Block Status
Attack Mode	Attack mode as received from the integration JSON
External Addresses
External Severity
Dest	Destination
Triggered Security Profile	Triggered Security Profile
Similar incidents Dbot
Event Type	Event Type
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Source Updated by
Detected Internal IPs	Detected internal IPs
Technique ID
Alert Type ID
EmailCampaignSummary
Item Owner Email
Dsts	The destination values.
SHA256	SHA256
File SHA256
Parent Process
Registration Email
Device MAC Address
IncomingMirrorError
File Hash
Resource Name
Cloud Operation Type
CVSS
Src Ports	The source ports of the event.
Destination Geolocation	The destination geolocation of the event.
Org Level 2
Zip Code	Zip Code
Source Created By
IP Blocked Status
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
External Status
Source Port	The source port that was used
DNS Name	The DNS name of the asset.
Sensor Name
Sub Category	The sub category
Street Address
Suspicious Executions
EmailCampaignMutualIndicators
Endpoint Isolation Status
Last Update Time
External Sub Category Name
Device Id	Device Id
Detection Update Time
Policy Type
File Paths
File Relationships
Caller
Parent Process MD5
Src NT Domain	Source NT Domain
Device Status
Full Name	Person's Full Name
Surname	Surname
Asset ID
Source Urgency	Source Urgency
Related Alerts
Detected Internal Hosts	Detected internal hosts
Log Source Name	The log source name associated with the event.
Detected Endpoints
Application Path
User SID
sAMAccountName	User sAMAAccountName
Agent ID	Agent ID
CVE Published
Is Active	Alert status
User Risk Level
Log Source	Log Source
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Usernames	The username in the event.
External Category Name
Verification Method	The method used to verify the user.
Risk Score
File Path
Vulnerability Category
User Id	User Id
Destination IPs	The destination IPs of the event.
Email Sent Successfully	Whether the email has been successfully sent.
Error Code
Additional Email Addresses
Dest Hostname	Destination hostname
Source Status
Appliance Name	Appliance name as received from the integration JSON
Endpoints Details
Custom Query Results
Region ID
Display Name	Display Name
Technique
Destination IP	The IP address the impossible traveler logged in to.
Ticket Closed Date
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Approver	The person who approved or needs to approve the request.
Policy Actions
Comment	The comments related with the incident
Sensor IP
Cloud Account ID
OutgoingMirrorError
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
External End Time
Description	The description of the incident
Country Name	Country Name
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Policy ID
Employee Display Name	The display name of the employee.
Command Line	Command Line
Pre Nat Source IP	The source IP before NAT.
First Seen
Srcs	The source values.
Account Member Of
Parent Process Name
CVE ID
Src OS	Src OS
Vendor Product
Tags
App message
Source Category
Low Level Categories Events	The low level category of the event.
Pre Nat Source Port	The source port before NAT.
Rule Name	The name of a YARA rule
MITRE Tactic ID
Cloud Service
Alert ID	Alert ID as received from the integration JSON
Process Names
OS Version	OS Version
Detected IPs
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Domain Updated Date
SSDeep
Cost Center Code	Cost Center Code
CMD
EmailCampaignCanvas
Verdict
Destination MAC Address	The destination MAC address in an event.
Hostnames	The hostname in the event.
Users
Process CMD
Parent Process File Path
Source IP	The IP Address that the user initially logged in from.
URLs
Detection URL	URL of the ExtraHop Reveal(x) detection
Related Endpoints
Tactic
Additional Indicators
Source Networks
Leadership
Timezone
Detected Users	Detected users
Phone Number	Phone number
Compliance Notes	Notes regarding the assets compliance.
Tool Usage Found
Domain Name
Triage SLA	The time it took to investigate and enrich incident information.
Location Region	Location Region
RemovedFromCampaigns
PID	PID
App
Additional Data
Domain Registrar Abuse Email
Appliance ID	Appliance ID as received from the integration JSON
Source IPV6	The source IPV6 address.
Error Message	The error message that contains details about the error that occurred.
Referenced Resource Name
Reporter Email Address	The email address of the user who reported the email.
Registry Hive
File Size	File Size
Suspicious Executions Found
Last Modified On
Affected Users
Agent Version	Reporting Agent/Sensor Version
Policy Remediable
Alert Name	Alert name as received from the integration JSON
Rating
User Engagement Response
File Creation Date
User Groups
Investigation Stage	The stage of the investigation.
Application Name	Application Name
Assigned User	Assigned User
File Access Date
Selected Indicators	Includes the indicators selected by the user.
Vulnerable Product
File Names
Device Hash	Device Hash
Registry Key
Alert URL	Alert URL as received from the integration JSON
Dest OS	Destination OS
Vendor ID
Device Time	The time from the original logging device when the event occurred.
Source Priority
Ticket Acknowledged Date
MAC Address	MAC Address
Source IPs	The source IPs of the event.
Exposure Level
Device OS Name
Country	The country from which the user logged in.
City
Src Hostname	Source hostname
Device Username	The username of the user that owns the device
Command Line Verdict
Endpoint
Category Count	The number of categories that are associated with the offense.
Parent Process IDs
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Audit Logs
Policy Details
Detected External IPs	Detected external IPs
Process Creation Time
Closing Reason	The closing reason
Source Hostname	The hostname that performed the port scan.
ASN Name
MITRE Technique ID
SKU Name
Hunt Results Count
Protocol - Event	The network protocol in the event.
MITRE Tactic Name
SHA512	SHA512
Resource URL
Parent Process SHA256
Ticket Number
Employee Manager Email	The email address of the employee's manager.
Process Paths
Technical Owner	The technical owner of the asset.
Process SHA256
Post Nat Destination IP	The destination IP address after NAT.
Subtype	Subtype
Device OU	Device's OU path in Active Directory
Resource ID
Referenced Resource ID
Detection End Time
app channel name
Detection ID
Team name
Process ID
Given Name	Given Name
Events	The events associated with the offense.
Isolated	Isolated
Department	Department
Device Internal IPs
Alert Malicious	Whether the alert is malicious.
Process Name
Device External IPs
First Name	First Name
Registry Value Type
External Start Time
Bugtraq
Internal Addresses
Location	Location
Device Name	Device Name
Destination IPV6	The destination IPV6 address.
Personal Email
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Alert Action	Alert action as received from the integration JSON
Registry Value
Source Geolocation	The source geolocation of the event.
Destination Hostname	Destination hostname
Alert Category	The category of the alert
Objective
Changed	The user who changed this incident
Acquisition Hire
Related Campaign
Technical User	The technical user of the asset.
Parent CMD line
similarIncidents
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Policy Deleted
Log Source Type	The log source type associated with the event.
Policy Description
Incident Link
Ticket Opened Date
Users Details
Blocked Action	Blocked Action
Alert Source
Org Unit
User Creation Time
Close Time	The closing time.
Account Status
Password Reset Successfully	Whether the password has been successfully reset.
High Risky Users
Affected Hosts
Dest NT Domain	Destination NT Domain
Src User	Source User
Work Phone
Block Indicators Status
Application Id	Application Id
Raw Event	The unparsed event data.
File MD5
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Cloud Region List
Parent Process Path
Account ID
String Similarity Results
Destination Port	The destination port used.
Traffic Direction	The direction of the traffic in the event.
Classification	Incident Classification
Use Case Description

Incident Types

Name	Description
UnknownBinary
Exploit
Policy Violation
DoS
Lateral Movement
Exfiltration
Defacement
Vulnerability
Reconnaissance
Job
Indicator Feed
C2Communication
Simulation
Network
Hunt
Authentication

Indicator Fields

Name	Description
Domain Referring Subnets
Email
Signature Copyright
Name Field
Resource Level
City	City
Detection Engines	Total number of engines that checked the indicator
Org Level 3
Sophistication
Creation Date
CVSS Vector
Domain Referring IPs
Positive Detections	Number of engines that positively detected the indicator as malicious
Organization Prevalence	The number of times the indicator is detected in the organization.
Indicator Identification
Download URL
User ID
Signature Internal Name
Office365Category
File Type
Global Prevalence	The number of times the indicator is detected across all organizations.
Tool Version
Issuer DN	Issuer Distinguished Name
Email Address
Domain Status
Malware Family
Detections
Org Level 2
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Country Code
Registrar Abuse Network
Report type
Vendor
Processors
Public Key
Operating System Version
Targets
OS Version
Commands
Display Name
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Is Malware Family
Mitre ID
SSDeep
Job Family
Registrar Abuse Email
Admin Phone
Capabilities
Report Object References	A list of STIX IDs referenced in the report.
STIX Aliases	Alternative names used to identify this object
Rank	Used to display rank from different sources
Registrar Abuse Name
Registrar Name
Key Value
Signed
Operating System
Internal
Location
DHCP Server
imphash
Applications
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Certificate Names
Organization First Seen	Date and time when the indicator was first seen in the organization.
Vulnerable Products
DNS
Community Notes
Extension
Office365ExpressRoute
Goals
SHA512
Device Model
CVE Modified
SWID	Specifies the Software Identification (SWID) tags entry for the software
Country Code Number
Geo Country
Tags
Samples
Signature Algorithm
Behavior
STIX Is Malware Family
Service	The specific service of a feed integration from which an indicator was ingested.
Primary Motivation
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Is Processed
Aliases	Alternative names used to identify this object
Subject
Manager Name	Manager Name
CVSS Table
Port
Admin Country
Certificates
Domains
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Job Code	Job Code
IP Address
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Implementation Languages
Personal Email
Manager Email Address
Reports
Signature Original Name
Vulnerabilities
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Username
Job Function
Author
Assigned role
Street Address
Confidence
Version
Org Level 1
STIX Secondary Motivations
Quarantined	Whether the indicator is quarantined or isolated
STIX Primary Motivation.
Country Name
STIX Description
Certificate Validation Checks
Description
Entry ID
Tool Types
BIOS Version
CVE Description
Registrar Abuse Country
Org Unit
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Short Description
SHA256
Admin Name
Source Priority
Surname	Surname
Groups
X.509 v3 Extensions
Office365Required
CVSS Score
Domain IDN Name
Leadership
Associations	Known associations to other pieces of Threat Data.
CVSS
Category
Assigned user
Expiration Date
Malware types
MAC Address
State
Mobile Phone
Blocked
Registrar Abuse Phone
STIX Goals
Processor
Validity Not Before	Specifies the date on which the certificate validity period begins.
Whois Records
STIX Resource Level
Name
Architecture
STIX Tool Types
Subdomains
Account Type
CVSS Version
Definition
Title	Title
Number of subkeys
Product
DNS Records
Memory
ASN
Serial Number
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Publications
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Acquisition Hire	Whether the employee is an acquisition hire.
Force Sync	Whether to force user synchronization.
Validity Not After	Specifies the date on which the certificate validity period ends.
Last Seen By Source	The last time the indicator was seen by the Source vendor.
STIX Roles
Certificate Signature
AS Owner
Cost Center Code
Secondary Motivations
Infrastructure Types
Name Servers
Signature Authentihash
Action
Feed Related Indicators
Operating System Refs
Subject DN	Subject Distinguished Name
STIX Threat Actor Types
First Seen By Source	The first time the indicator was seen by the source vendor.
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
File Extension
Work Phone
Query Language
STIX Tool Version
Signature Description
Published
Mitre Tactics
Source Original Severity	The original score/severity provided by the source without DBot translation.
STIX Sophistication
Organizational Unit (OU)
Roles
Location Region
Cost Center
Zip Code
Updated Date
Admin Email
Hostname
Geo Location
Size
Domain Name
Signature File Version
Associated File Names
Path
Paths
Objective
CVSS3
MD5
Campaign
PEM	Certificate in PEM format.
Issuer
SHA1
STIX Malware Types
Department	Department
Registrant Phone
Given Name	Given Name
Actor
Registrant Name
Registrant Email
Region
Organization Type
Subject Alternative Names
Threat Actor Types
Registrar Abuse Address
Organization
Registrant Country

Layouts

Name	Description
File Indicator	File Indicator Layout
IP Indicator	IP Indicator Layout
CVE Indicator	CVE Indicator Layout
ASN	ASN Indicator Layout
Host Indicator	Host indicator layout
Location	Location indicator layout
Vulnerability Incident
Email Indicator	Email Indicator Layout
Tactic Layout	Tactic Indicator Layout
Campaign	Campaign Indicator Layout
Tool Indicator	Tool Indicator Layout
Report	Report Indicator Layout
X509 Certificate	CVE Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Intrusion Set	Intrusion Set Layout
Identity	Identity indicator layout
Account Indicator	Account Indicator Layout
Indicator Feed Incident
Domain Indicator	Domain Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
URL Indicator	URL Indicator Layout
Course of Action	Course of Action Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Mutex	Mutex indicator layout
Malware Indicator	Malware Indicator Layout
Software	Software Indicator Layout

Indicator Types

Name	Description
Infrastructure
Tool
Onion Address
ASN
Email
Report
IPv6CIDR
Attack Pattern
Host
Software
ssdeep
File SHA-1
DomainGlob
Malware
IP
Identity
File MD5
File SHA-256
Course of Action
CIDR
Mutex
Location
Campaign
Registry Key
Tactic
URL
X509 Certificate
IPv6
Account
Threat Actor
Domain
File
Intrusion Set
CVE

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Personal Email
Pre Nat Destination Port	The destination port before NAT.
sAMAccountName	User sAMAAccountName
Domain Name
Source Category
Region ID
External Start Time
Display Name	Display Name
Custom Query Results
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Manager Email Address
SSDeep
Full Name	Person's Full Name
SKU TIER
Cost Center Code	Cost Center Code
Manager Name	Manager Name
Objective
ASN
Technical Owner	The technical owner of the asset.
Process Paths
Alert Rules
Related Endpoints
File Creation Date
Source Create time
Source Created By
Parent Process IDs
Selected Indicators	Includes the indicators selected by the user.
Comment	The comments related with the incident
Parent Process MD5
UUID	UUID as received from the integration JSON
Job Function	Job Function
MITRE Technique Name
Asset Name
Device Time	The time from the original logging device when the event occurred.
ASN Name
Mobile Device Model
Title	Title
Vendor Product
City
Post Nat Destination IP	The destination IP address after NAT.
Org Level 1
Protocol names
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Phone Number	Phone number
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Tactic
Ticket Closed Date
Policy Type
Last Update Time
Parent Process File Path
Alert Malicious	Whether the alert is malicious.
Source Updated by
Leadership
Device Model	Device Model
Related Report
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Policy Actions
Process Creation Time
Follow Up	True if marked for follow up.
Registration Email
Policy Recommendation
First Name	First Name
Technique ID
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Given Name	Given Name
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Compliance Notes	Notes regarding the assets compliance.
Department	Department
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Triggered Security Profile	Triggered Security Profile
app channel name
User Groups
Isolated	Isolated
Agents ID
Post Nat Destination Port	The destination port after NAT.
Detected Endpoints
List Of Rules - Event	The list of rules associated to an event.
External Status
MITRE Technique ID
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Alert Type ID
First Seen
User Id	User Id
Destination Networks
Item Owner
Rule Name	The name of a YARA rule
External Category ID
Device Hash	Device Hash
Referenced Resource Name
Escalation
Identity Type
Tactic ID
Rendered HTML	The HTML content in a rendered form.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Asset ID
Number of similar files
Error Code
Error Message	The error message that contains details about the error that occurred.
External Sub Category Name
Cloud Account ID
Source Priority
Risk Rating
Agent Version	Reporting Agent/Sensor Version
Parent Process CMD
OutgoingMirrorError
Vulnerable Product
Zip Code	Zip Code
Additional Data
Technical User	The technical user of the asset.
Closing Reason	The closing reason
Policy Details
File SHA1
Employee Display Name	The display name of the employee.
Original Alert Name	Alert name as received from the integration JSON
Exposure Level
Policy Remediable
Operation Name
Similar incidents Dbot
Reporter Email Address	The email address of the user who reported the email.
Number Of Log Sources	The number of log sources related to the offense.
Registry Key
Surname	Surname
Email	Primary Email Address
EmailCampaignSummary
Number of Related Incidents
Subtype	Subtype
Audit Logs
Tools
Hunt Results Count
Internal Addresses
Event ID	Event ID
Technique
Process MD5
External Category Name
Domain Registrar Abuse Email
Location Region	Location Region
MITRE Tactic ID
Ticket Number
Log Source Type	The log source type associated with the event.
Application Path
Employee Manager Email	The email address of the employee's manager.
Device External IPs
Last Modified By
Last Name	Last Name
Device OU	Device's OU path in Active Directory
OS	The operating system.
Process Names
Classification	Incident Classification
Org Level 3
Password Reset Successfully	Whether the password has been successfully reset.
Attack Patterns
Endpoint Isolation Status
Group ID
Street Address
End Time	The time when the offense ended.
Related Campaign
Src OS	Src OS
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Project ID
Policy Severity
Detection End Time
String Similarity Results
Device Internal IPs
Destination IPV6	The destination IPV6 address.
Detected Internal Hosts	Detected internal hosts
Use Case Description
Domain Updated Date
Registry Value
Technical Owner Contact	The contact details for the technical owner.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Event Descriptions	The description of the event name.
User Anomaly Count
Approval Status	The status for the approval of the request.
CVE ID
Source Networks
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Alert Action	Alert action as received from the integration JSON
Parent Process Name
Signature
External Sub Category ID
User SID
Cloud Service
External Link
Tenant Name	Tenant Name
Post Nat Source IP	The source IP address after NAT.
Log Source Name	The log source name associated with the event.
File Access Date
Device OS Name
Sub Category	The sub category
similarIncidents
Referenced Resource ID
Account Member Of
Original Alert Source
Verification Status	The status of the user verification.
Assigned User	Assigned User
Assignment Group
Pre Nat Source Port	The source port before NAT.
Close Time	The closing time.
Item Owner Email
Raw Event	The unparsed event data.
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Alert tags
Device OS Version
Cloud Resource List
Source Status
URLs
Post Nat Source Port	The source port after NAT.
Suspicious Executions
Resource Type
Suspicious Executions Found
Detection URL	URL of the ExtraHop Reveal(x) detection
Duration
Parent Process SHA256
Risk Name
Source Id
Rating
Parent Process Path
Event Names	The event name (translated QID ) in the event.
Process SHA256
Category Count	The number of categories that are associated with the offense.
Resource URL
Location	Location
OS Type	OS Type
Account ID
Original Alert ID	Alert ID as received from the integration JSON
Users Details
Device Id	Device Id
Job Family	Job Family
File Hash
Dest OS	Destination OS
Birthday	Person's Birthday
Bugtraq
Job Code	Job Code
External Confidence
Source External IPs
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Policy Description
Policy ID
Registry Hive
Investigation Stage	The stage of the investigation.
Last Modified On
RemovedFromCampaigns
Related Alerts
User Creation Time
Threat Name	Define the threat name such as malware/exploit/phishing/etc
External Severity
Device Name	Device Name
Vulnerability Category
Device Status
Additional Indicators
Ticket Acknowledged Date
Country Code Number
File Size	File Size
User Engagement Response
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Account Status
Containment SLA	The time it took to contain the incident.
Pre Nat Source IP	The source IP before NAT.
IncomingMirrorError
Password Changed Date
Report Name
Policy Deleted
Vendor ID
SHA512	SHA512
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Last Seen
Work Phone
Log Source	Log Source
Status Reason
Timezone
Org Unit
Registry Value Type
User Block Status
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Additional Email Addresses
Org Level 2
SHA1	SHA1
Verdict
Process CMD
Cost Center	Cost Center
Blocked Action	Blocked Action
EmailCampaignCanvas
Email Sent Successfully	Whether the email has been successfully sent.
Original Description	The description of the incident
Approver	The person who approved or needs to approve the request.
Endpoints Details
Start Time	The time when the offense started.
Affected Users
SKU Name
Sensor IP
External Last Updated Time
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Block Indicators Status
Changed	The user who changed this incident
MITRE Tactic Name
Resource Name
IP Reputation
Detected External IPs	Detected external IPs
Original Events	The events associated with the offense.
Source Urgency	Source Urgency
Low Level Categories Events	The low level category of the event.
Scenario
Attack Mode	Attack mode as received from the integration JSON
Triage SLA	The time it took to investigate and enrich incident information.
Destination Geolocation	The destination geolocation of the event.
EmailCampaignSnippets
Closing User	The closing user.
Device MAC Address
App message
Unique Ports
Verification Method	The method used to verify the user.
Traffic Direction	The direction of the traffic in the event.
Detection ID
EmailCampaignMutualIndicators
Region
Acquisition Hire
Team name
Process ID
Risk Score
userAccountControl	userAccountControl
External System ID
CVSS
Command Line Verdict
CVE
IP Blocked Status
Country Code
High Risky Users
Incident Link
Mobile Phone
Source Geolocation	The source geolocation of the event.
Cloud Instance ID	Cloud Instance ID
Tool Usage Found
File Relationships
Cloud Region List
High Risky Hosts
External End Time
Caller
Policy URI
Campaign Name
Is Active	Alert status
Affected Hosts
Employee Email	The email address of the employee.
CVE Published
State	State
Dsts	The destination values.

Incident Types

Name	Description
Reconnaissance
Policy Violation
Vulnerability
UnknownBinary
Job
C2Communication
Defacement
Lateral Movement
Simulation
Network
Authentication
Exfiltration
Indicator Feed
DoS
Hunt
Exploit

Indicator Fields

Name	Description
Registrant Phone
PEM	Certificate in PEM format.
SHA256
Organization
STIX Description
Personal Email
Indicator Identification
Country Name
Samples
File Type
CVE Description
STIX Roles
Definition
Reports
Assigned role
Leadership
Name Servers
AS Owner
IP Address
Action
Sophistication
Paths
Email Address
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Country Code
CVSS Table
Org Level 3
Size
Whois Records
Path
Domain Referring Subnets
Registrant Country
Campaign
Targets
Short Description
Admin Name
Zip Code
Domain Status
Location Region
Creation Date
STIX Goals
Mobile Phone
CVSS3
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Name
STIX Primary Motivation.
Processors
Behavior
Resource Level
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Tool Types
Query Language
Geo Location
Job Function
Region
Signature Internal Name
Email
DNS Records
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Office365Required
STIX Tool Types
Name Field
Category
Extension
Given Name	Given Name
Vendor
Goals
Subdomains
STIX Tool Version
Public Key
Is Processed
Report Object References	A list of STIX IDs referenced in the report.
Is Malware Family
Groups
Number of subkeys
Org Level 1
Primary Motivation
Associated File Names
Actor
Account Type
Updated Date
Roles
Architecture
Registrar Abuse Network
DHCP Server
Commands
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Org Unit
Organization First Seen	Date and time when the indicator was first seen in the organization.
ASN
City	City
Registrar Abuse Address
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
MD5
Secondary Motivations
Registrant Email
Validity Not Before	Specifies the date on which the certificate validity period begins.
Office365Category
Certificate Names
Serial Number
Department	Department
Admin Email
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
STIX Aliases	Alternative names used to identify this object
Domain IDN Name
Job Code	Job Code
Download URL
Global Prevalence	The number of times the indicator is detected across all organizations.
Vulnerabilities
CVE Modified
Malware types
Registrar Abuse Email
Quarantined	Whether the indicator is quarantined or isolated
Tags
imphash
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Operating System
STIX Is Malware Family
Tool Version
Signature Algorithm
Cost Center
Confidence
Manager Name	Manager Name
Registrar Name
Community Notes
Registrar Abuse Country
Organizational Unit (OU)
X.509 v3 Extensions
STIX Secondary Motivations
Signature Description
Geo Country
Registrar Abuse Phone
Source Original Severity	The original score/severity provided by the source without DBot translation.
Associations	Known associations to other pieces of Threat Data.
Work Phone
Certificate Validation Checks
Objective
Threat Actor Types
Subject DN	Subject Distinguished Name
Rank	Used to display rank from different sources
Port
Implementation Languages
Processor
STIX Malware Types
Author
Hostname
Domain Referring IPs
Organization Prevalence	The number of times the indicator is detected in the organization.
Source Priority
Issuer DN	Issuer Distinguished Name
Manager Email Address
File Extension
STIX Sophistication
CVSS Score
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
STIX Threat Actor Types
Capabilities
Certificate Signature
Detections
CVSS
Key Value
Entry ID
Signed
Infrastructure Types
CVSS Vector
Operating System Version
Assigned user
Blocked
CVSS Version
SHA1
Device Model
Signature Authentihash
Acquisition Hire	Whether the employee is an acquisition hire.
DNS
Service	The specific service of a feed integration from which an indicator was ingested.
State
Office365ExpressRoute
Mitre ID
BIOS Version
Detection Engines	Total number of engines that checked the indicator
Organization Type
Validity Not After	Specifies the date on which the certificate validity period ends.
OS Version
Org Level 2
Feed Related Indicators
Operating System Refs
Subject Alternative Names
Vulnerable Products
Surname	Surname
Signature File Version
Mitre Tactics
Product
Report type
Job Family
Domain Name
Title	Title
User ID
Subject
Admin Country
Aliases	Alternative names used to identify this object
Published
Expiration Date
Memory
Cost Center Code
Malware Family
Certificates
SHA512
Admin Phone
Force Sync	Whether to force user synchronization.
STIX Resource Level
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Version
Publications
Display Name
Signature Original Name
Registrant Name
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Positive Detections	Number of engines that positively detected the indicator as malicious
Signature Copyright
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
First Seen By Source	The first time the indicator was seen by the source vendor.
Username
SSDeep
Registrar Abuse Name
Street Address
Country Code Number
Domains
Location
Applications
Issuer
Internal
SWID	Specifies the Software Identification (SWID) tags entry for the software
Description

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
Threat Actor	Threat Actor Indicator Layout
IP Indicator	IP Indicator Layout
Malware Indicator	Malware Indicator Layout
Tool Indicator	Tool Indicator Layout
Account Indicator	Account Indicator Layout
Report	Report Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Host Indicator	Host indicator layout
Mutex	Mutex indicator layout
Infrastructure	Infrastructure Indicator Layout
Tactic Layout	Tactic Indicator Layout
CVE Indicator	CVE Indicator Layout
X509 Certificate	CVE Indicator Layout
Intrusion Set	Intrusion Set Layout
Email Indicator	Email Indicator Layout
URL Indicator	URL Indicator Layout
Location	Location indicator layout
Course of Action	Course of Action Indicator Layout
Campaign	Campaign Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Vulnerability Incident
ASN	ASN Indicator Layout
File Indicator	File Indicator Layout
Domain Indicator	Domain Indicator Layout
Software	Software Indicator Layout
Indicator Feed Incident
Identity	Identity indicator layout

Indicator Types

Name	Description
ASN
File SHA-1
IPv6CIDR
Software
X509 Certificate
File MD5
Mutex
Malware
Host
Tactic
Threat Actor
Attack Pattern
Onion Address
Domain
Email
Account
Registry Key
IP
File
Campaign
Identity
Location
Infrastructure
ssdeep
Tool
CVE
Intrusion Set
IPv6
DomainGlob
Report
Course of Action
URL
CIDR
File SHA-256

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (59)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
Trellix Email Security - Cloud	By: Cortex XSOAR
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GravityZone	By: Bitdefender
Akamai GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (4)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7389211 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920594 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7379405 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920581 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	March 23, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Mandiant Automated Defense (Formerly Respond Software)

Symantec Data Loss Prevention (Deprecated)

VMware Carbon Black Endpoint Standard (Deprecated)

Palo Alto Networks - Prisma Cloud Compute

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.