Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Description	The description of the incident
Process Name
Approver	The person who approved or needs to approve the request.
Vulnerable Product
Detected User
Parent Process
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Ticket Acknowledged Date
Close Time	The closing time.
MITRE Tactic ID
Detection Update Time
Street Address
Source MAC Address	The source MAC address in an event.
Agent Version	Reporting Agent/Sensor Version
Email Sent Successfully	Whether the email has been successfully sent.
External ID
OutgoingMirrorError
Application Id	Application Id
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Device MAC Address
Is Active	Alert status
Post Nat Source Port	The source port after NAT.
Related Endpoints
Display Name	Display Name
Source Hostname	The hostname that performed the port scan.
Technical Owner	The technical owner of the asset.
IP Reputation
Start Time	The time when the offense started.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Detected External Hosts	Detected external hosts
Approval Status	The status for the approval of the request.
Error Code
Src Ports	The source ports of the event.
Assigned User	Assigned User
Tenant Name	Tenant Name
Destination Hostname	Destination hostname
Policy Details
Alert Action	Alert action as received from the integration JSON
Changed	The user who changed this incident
Detected Internal IPs	Detected internal IPs
Detected External IPs	Detected external IPs
ASN
userAccountControl	userAccountControl
Cloud Account ID
Manager Name	Manager Name
Event Names	The event name (translated QID ) in the event.
Alert Category	The category of the alert
User Id	User Id
Number Of Found Related Alerts	Medium or Higher Severity Alerts
End Time	The time when the offense ended.
High Risky Hosts
similarIncidents
MITRE Technique ID
Risk Name
Employee Manager Email	The email address of the employee's manager.
Detected Internal Hosts	Detected internal hosts
Password Changed Date
Category Count	The number of categories that are associated with the offense.
Policy Description
External System ID
Technical Owner Contact	The contact details for the technical owner.
Policy Actions
Parent Process Name
Usernames	The username in the event.
Region ID
Country Code
External Sub Category Name
Surname	Surname
Compliance Notes	Notes regarding the assets compliance.
Error Message	The error message that contains details about the error that occurred.
Attack Patterns
Internal Addresses
Device External IP	Device External IP
Account Name	Account Name
MITRE Technique Name
Alert Source
Source External IPs
Employee Display Name	The display name of the employee.
Source Urgency	Source Urgency
Event ID	Event ID
Sensor IP
Team name
Suspicious Executions
Process Path
Alert Attack Time
Destination Geolocation	The destination geolocation of the event.
Manager Email Address
Similar incidents Dbot
Unique Ports
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Username	The username of the account who logged in.
Related Campaign
Source Create time
Job Family	Job Family
Cloud Service
Tactic ID
Src Hostname	Source hostname
Parent CMD line
Appliance ID	Appliance ID as received from the integration JSON
Number Of Log Sources	The number of log sources related to the offense.
Asset Name
Pre Nat Destination Port	The destination port before NAT.
First Seen
CVSS
Pre Nat Source IP	The source IP before NAT.
Policy Deleted
Suspicious Executions Found
Tactic
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Country Name	Country Name
File MD5
Policy Severity
Given Name	Given Name
Rendered HTML	The HTML content in a rendered form.
File Relationships
Users
Traffic Direction	The direction of the traffic in the event.
Destination IPs	The destination IPs of the event.
Sub Category	The sub category
Verification Method	The method used to verify the user.
Closing User	The closing user.
File Size	File Size
Duration
Email	Primary Email Address
Event Descriptions	The description of the event name.
File SHA1
Alert Name	Alert name as received from the integration JSON
Assignment Group
Raw Event	The unparsed event data.
Src NT Domain	Source NT Domain
Country	The country from which the user logged in.
Srcs	The source values.
EmailCampaignSummary
Alert tags
Asset ID
Identity Type
Report Name
Application Name	Application Name
Mobile Phone
Operation Name
High Level Categories	The high level categories in the events.
Post Nat Source IP	The source IP address after NAT.
Tool Usage Found
Protocol names
Registry Value
External Confidence
Log Source Name	The log source name associated with the event.
Destination IPV6	The destination IPV6 address.
Detected IPs
Hostnames	The hostname in the event.
Project ID
SSDeep
Last Mirrored Time Stamp	The last time the incident was mirrored in.
SHA512	SHA512
IncomingMirrorError
Leadership
External Severity
Zip Code	Zip Code
Command Line Verdict
Closing Reason	The closing reason
OS	The operating system.
User Creation Time
Number of similar files
Bugtraq
Device Username	The username of the user that owns the device
Cloud Operation Type
App message
Source Category
Classification	Incident Classification
Device OU	Device's OU path in Active Directory
CVE Published
Last Seen
Timezone
EmailCampaignMutualIndicators
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Affected Hosts
Technique ID
Risk Rating
Verification Status	The status of the user verification.
Custom Query Results
Detected Endpoints
User Groups
User Anomaly Count
Department	Department
Account ID
Exposure Level
Parent Process File Path
Registry Key
File Hash
CVE
Last Modified By
Destination MAC Address	The destination MAC address in an event.
Subtype	Subtype
External Category ID
Command Line	Command Line
File Name
Resource URL
Policy URI
Org Level 2
Log Source Type	The log source type associated with the event.
Isolated	Isolated
External Addresses
External Link
Comment	The comments related with the incident
Application Path
Device Time	The time from the original logging device when the event occurred.
Additional Email Addresses
Cost Center Code	Cost Center Code
Device Name	Device Name
Location Region	Location Region
Blocked Action	Blocked Action
Endpoint
Risk Score
Post Nat Destination Port	The destination port after NAT.
IP Blocked Status
Appliance Name	Appliance name as received from the integration JSON
Ticket Opened Date
Device Model	Device Model
UUID	UUID as received from the integration JSON
Registration Email
Destination IP	The IP address the impossible traveler logged in to.
App
URLs
Policy Type
Cloud Region List
Domain Registrar Abuse Email
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Source Port	The source port that was used
File Names
Block Indicators Status
Referenced Resource Name
Group ID
Objective
Policy Remediable
Destination Network
Additional Data
Containment SLA	The time it took to contain the incident.
User Block Status
External End Time
Use Case Description
Cost Center	Cost Center
Hunt Results Count
Tags
OS Version	OS Version
Phone Number	Phone number
Signature
Device Id	Device Id
Vendor Product
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Password Reset Successfully	Whether the password has been successfully reset.
Device OS Version
User SID
Title	Title
File SHA256
DNS Name	The DNS name of the asset.
MITRE Tactic Name
File Creation Date
Parent Process MD5
Job Function	Job Function
SHA1	SHA1
Src User	Source User
User Agent
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Pre Nat Source Port	The source port before NAT.
Org Level 1
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Attack Mode	Attack mode as received from the integration JSON
Process ID
External Status
Full Name	Person's Full Name
Source Status
ASN Name
Region
Post Nat Destination IP	The destination IP address after NAT.
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Process SHA256
CMD line
Device Local IP	Device Local IP
Registry Hive
Threat Hunting Detected Hostnames
Device Status
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Source Priority
app channel name
Device Internal IPs
Endpoint Isolation Status
Protocols
Account Status
Last Update Time
Dsts	The destination values.
Additional Indicators
Dst Ports	The destination ports of the event.
Events	The events associated with the offense.
Personal Email
Rating
Process Names
Policy ID
Source Network
Related Report
Number of Related Incidents
Mobile Device Model
Log Source	Log Source
Affected Users
Dest OS	Destination OS
Source IPs	The source IPs of the event.
Source Username	The username that was the source of the attack.
Alert Malicious	Whether the alert is malicious.
Tools
Process CMD
Agents ID
Caller
High Risky Users
Vendor ID
Domain Name
Verdict
Vulnerability Category
External Sub Category ID
sAMAccountName	User sAMAAccountName
MAC Address	MAC Address
Account Member Of
Alert ID	Alert ID as received from the integration JSON
Source Id
Parent Process SHA256
Alert Rules
Country Code Number
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Protocol - Event	The network protocol in the event.
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Agent ID	Agent ID
Item Owner Email
Detected Users	Detected users
Source Geolocation	The source geolocation of the event.
Work Phone
Resource Name
Rule Name	The name of a YARA rule
Resource Type
Policy Recommendation
First Name	First Name
Technical User	The technical user of the asset.
Triggered Security Profile	Triggered Security Profile
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Threat Hunting Detected IP
User Engagement Response
Endpoints Details
Selected Indicators	Includes the indicators selected by the user.
Source Updated by
Item Owner
SKU TIER
Src	Source
Org Level 3
Triage SLA	The time it took to investigate and enrich incident information.
Last Modified On
Low Level Categories Events	The low level category of the event.
User Risk Level
Scenario
Categories	The categories for the incident.
Birthday	Person's Birthday
Protocol	Protocol
Ticket Closed Date
Users Details
External Start Time
Referenced Resource ID
Job Code	Job Code
List Of Rules - Event	The list of rules associated to an event.
Reporter Email Address	The email address of the user who reported the email.
City
Source IPV6	The source IPV6 address.
CVE ID
Destination Networks
String Similarity Results
EmailCampaignCanvas
Escalation
File Path
Source IP	The IP Address that the user initially logged in from.
File Paths
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
SHA256	SHA256
Location	Location
Event Type	Event Type
Process MD5
External Category Name
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Investigation Stage	The stage of the investigation.
Employee Email	The email address of the employee.
Parent Process IDs
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Domain Updated Date
Source Networks
Process Paths
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
SKU Name
Detection URL	URL of the ExtraHop Reveal(x) detection
Device Hash	Device Hash
Detection End Time
Related Alerts
Alert Type ID
OS Type	OS Type
Dest Hostname	Destination hostname
Alert URL	Alert URL as received from the integration JSON
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Status Reason
File Access Date
State	State
Parent Process CMD
Last Name	Last Name
RemovedFromCampaigns
Destination Port	The destination port used.
PID	PID
Org Unit
CMD
EmailCampaignSnippets
Device OS Name
Src OS	Src OS
Registry Value Type
Ticket Number
MD5	MD5
Technique
Follow Up	True if marked for follow up.
Child Process
Acquisition Hire
Device External IPs
Sensor Name
Resource ID
Source Created By
Dest	Destination
Campaign Name
Cloud Instance ID	Cloud Instance ID
Incident Link
External Last Updated Time
Dest NT Domain	Destination NT Domain
Detection ID
Parent Process Path
Process Creation Time
Cloud Resource List

Incident Types

Name	Description
Reconnaissance
Policy Violation
Defacement
Exploit
Vulnerability
Exfiltration
Lateral Movement
C2Communication
UnknownBinary
Hunt
Indicator Feed
Simulation
Network
Authentication
Job
DoS

Indicator Fields

Name	Description
Detection Engines	Total number of engines that checked the indicator
X.509 v3 Extensions
Registrar Name
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Indicator Identification
City	City
Registrar Abuse Email
Mobile Phone
Given Name	Given Name
Operating System Refs
Organization Type
Job Family
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Infrastructure Types
Organization Prevalence	The number of times the indicator is detected in the organization.
Account Type
CVSS Score
Size
Certificate Signature
Goals
SHA256
Rank	Used to display rank from different sources
Targets
Threat Actor Types
MD5
Validity Not After	Specifies the date on which the certificate validity period ends.
User ID
Positive Detections	Number of engines that positively detected the indicator as malicious
Commands
Force Sync	Whether to force user synchronization.
Actor
PEM	Certificate in PEM format.
CVSS
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Office365Required
MAC Address
Operating System
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Mitre ID
DHCP Server
Associated File Names
Updated Date
Cost Center Code
STIX Description
SWID	Specifies the Software Identification (SWID) tags entry for the software
Category
STIX Resource Level
Registrar Abuse Country
Registrant Country
STIX Primary Motivation.
Aliases	Alternative names used to identify this object
Domains
CVSS Version
STIX Sophistication
Registrar Abuse Name
Vendor
Org Level 3
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Subject DN	Subject Distinguished Name
Groups
Work Phone
Reports
Country Code Number
CVSS Table
Geo Country
Signature Authentihash
Subject Alternative Names
Campaign
ASN
Tool Version
Street Address
Assigned user
Query Language
STIX Aliases	Alternative names used to identify this object
Domain IDN Name
Name Field
State
Signature Original Name
Community Notes
SSDeep
CVSS Vector
Job Function
Report Object References	A list of STIX IDs referenced in the report.
Organization
Description
Certificates
Acquisition Hire	Whether the employee is an acquisition hire.
CVSS3
Publications
Source Priority
Region
Geo Location
Issuer
Blocked
Registrar Abuse Address
Objective
CVE Description
Name Servers
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Domain Name
Author
Manager Email Address
Org Level 1
Port
Action
Location Region
STIX Goals
STIX Malware Types
Secondary Motivations
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
BIOS Version
Vulnerabilities
Source Original Severity	The original score/severity provided by the source without DBot translation.
Admin Phone
Quarantined	Whether the indicator is quarantined or isolated
Service	The specific service of a feed integration from which an indicator was ingested.
Creation Date
STIX Secondary Motivations
Office365ExpressRoute
Paths
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Admin Email
Display Name
Capabilities
Username
DNS
OS Version
Subject
Device Model
Cost Center
Office365Category
Processors
Operating System Version
Registrant Name
Implementation Languages
Sophistication
Subdomains
File Extension
Published
Manager Name	Manager Name
imphash
Organization First Seen	Date and time when the indicator was first seen in the organization.
Behavior
Registrar Abuse Phone
First Seen By Source	The first time the indicator was seen by the source vendor.
Issuer DN	Issuer Distinguished Name
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Email Address
Download URL
Admin Name
Confidence
Definition
Country Code
SHA1
Registrant Phone
Memory
Org Unit
Report type
Location
Malware Family
Resource Level
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
STIX Roles
Applications
Path
Signature Algorithm
File Type
Certificate Names
Number of subkeys
Admin Country
Product
Feed Related Indicators
CVE Modified
Key Value
Malware types
Primary Motivation
Extension
Title	Title
Whois Records
Signature File Version
Domain Referring IPs
Registrant Email
SHA512
Email
Associations	Known associations to other pieces of Threat Data.
Entry ID
Validity Not Before	Specifies the date on which the certificate validity period begins.
Hostname
Signed
STIX Threat Actor Types
DNS Records
Certificate Validation Checks
IP Address
Tags
Name
Vulnerable Products
Public Key
Expiration Date
Serial Number
Detections
AS Owner
Personal Email
Roles
Job Code	Job Code
Signature Internal Name
STIX Tool Types
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Internal
Is Processed
Surname	Surname
Organizational Unit (OU)
Processor
Samples
Version
Zip Code
Country Name
Leadership
STIX Tool Version
Architecture
Short Description
Is Malware Family
Signature Description
Department	Department
Domain Status
Registrar Abuse Network
Tool Types
Global Prevalence	The number of times the indicator is detected across all organizations.
Assigned role
Mitre Tactics
STIX Is Malware Family
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Domain Referring Subnets
Signature Copyright
Org Level 2
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info

Layouts

Name	Description
Threat Actor	Threat Actor Indicator Layout
Report	Report Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Intrusion Set	Intrusion Set Layout
Attack Pattern	Attack Pattern Indicator Layout
Indicator Feed Incident
CVE Indicator	CVE Indicator Layout
Mutex	Mutex indicator layout
Vulnerability Incident
ASN	ASN Indicator Layout
URL Indicator	URL Indicator Layout
Host Indicator	Host indicator layout
Course of Action	Course of Action Indicator Layout
Identity	Identity indicator layout
Account Indicator	Account Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Tool Indicator	Tool Indicator Layout
IP Indicator	IP Indicator Layout
Domain Indicator	Domain Indicator Layout
Email Indicator	Email Indicator Layout
Campaign	Campaign Indicator Layout
X509 Certificate	CVE Indicator Layout
File Indicator	File Indicator Layout
Software	Software Indicator Layout
Location	Location indicator layout
Malware Indicator	Malware Indicator Layout
Tactic Layout	Tactic Indicator Layout

Indicator Types

Name	Description
Host
Attack Pattern
Email
Infrastructure
ssdeep
URL
Registry Key
CVE
Tool
Course of Action
Intrusion Set
Onion Address
CIDR
Identity
Threat Actor
File MD5
File
IPv6
ASN
Mutex
Campaign
Malware
Report
Account
Tactic
X509 Certificate
DomainGlob
Software
Location
File SHA-256
IP
IPv6CIDR
File SHA-1
Domain

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Detected Internal Hosts	Detected internal hosts
Subtype	Subtype
Dsts	The destination values.
Follow Up	True if marked for follow up.
Cost Center Code	Cost Center Code
SKU TIER
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Title	Title
Event ID	Event ID
Sensor IP
External Start Time
Tactic
Original Alert ID	Alert ID as received from the integration JSON
Approval Status	The status for the approval of the request.
Policy Description
Affected Hosts
Acquisition Hire
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Source Id
Device External IPs
File SHA1
Detection ID
Personal Email
Display Name	Display Name
Risk Rating
Surname	Surname
Cloud Service
Work Phone
Account Status
Rating
Operation Name
Post Nat Destination Port	The destination port after NAT.
Tool Usage Found
Unique Ports
Department	Department
Pre Nat Source Port	The source port before NAT.
Location	Location
Internal Addresses
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
CVE
Parent Process IDs
First Seen
Last Modified By
Agent Version	Reporting Agent/Sensor Version
Technical Owner	The technical owner of the asset.
Affected Users
Suspicious Executions
Post Nat Source IP	The source IP address after NAT.
External Confidence
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Registry Value Type
Isolated	Isolated
Signature
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Device MAC Address
Technical Owner Contact	The contact details for the technical owner.
Bugtraq
Org Unit
Device Name	Device Name
Selected Indicators	Includes the indicators selected by the user.
MITRE Tactic Name
Attack Patterns
Policy URI
Log Source Type	The log source type associated with the event.
Start Time	The time when the offense started.
SSDeep
State	State
Tools
Parent Process MD5
Identity Type
User Id	User Id
IncomingMirrorError
Source Status
userAccountControl	userAccountControl
End Time	The time when the offense ended.
Process ID
Device Model	Device Model
Email Sent Successfully	Whether the email has been successfully sent.
Policy Type
Resource Type
Last Update Time
Registry Key
EmailCampaignCanvas
EmailCampaignMutualIndicators
Verification Status	The status of the user verification.
External Sub Category ID
Policy Deleted
Ticket Closed Date
Compliance Notes	Notes regarding the assets compliance.
List Of Rules - Event	The list of rules associated to an event.
App message
Manager Email Address
Source Networks
Attack Mode	Attack mode as received from the integration JSON
Item Owner Email
Registry Hive
Domain Name
MITRE Technique Name
Reporter Email Address	The email address of the user who reported the email.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Number of Related Incidents
Original Description	The description of the incident
Password Reset Successfully	Whether the password has been successfully reset.
Blocked Action	Blocked Action
High Risky Users
Cloud Resource List
Device OS Version
Triggered Security Profile	Triggered Security Profile
Post Nat Source Port	The source port after NAT.
User Anomaly Count
OS	The operating system.
Risk Name
External Severity
Event Names	The event name (translated QID ) in the event.
Mobile Device Model
Process Paths
Parent Process Name
Classification	Incident Classification
Related Report
Related Endpoints
Policy Details
Location Region	Location Region
Detected External IPs	Detected external IPs
Device Hash	Device Hash
Policy Severity
Resource Name
Detected Endpoints
File Relationships
Device Internal IPs
SHA1	SHA1
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Event Descriptions	The description of the event name.
Alert Action	Alert action as received from the integration JSON
Vulnerable Product
Birthday	Person's Birthday
Objective
Approver	The person who approved or needs to approve the request.
Source Updated by
Category Count	The number of categories that are associated with the offense.
Password Changed Date
Referenced Resource Name
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Campaign Name
Error Message	The error message that contains details about the error that occurred.
IP Blocked Status
Detection End Time
Cloud Region List
Pre Nat Destination Port	The destination port before NAT.
Src OS	Src OS
Users Details
Custom Query Results
High Risky Hosts
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Closing User	The closing user.
Resource URL
Policy Actions
Parent Process SHA256
Employee Display Name	The display name of the employee.
UUID	UUID as received from the integration JSON
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Source Category
Org Level 2
Similar incidents Dbot
Number of similar files
Use Case Description
User Groups
Registration Email
Technical User	The technical user of the asset.
Vulnerability Category
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Pre Nat Source IP	The source IP before NAT.
Agents ID
Verdict
Account ID
Related Alerts
Hunt Results Count
External End Time
Technique
Last Name	Last Name
Endpoint Isolation Status
User Block Status
Job Code	Job Code
SKU Name
File Size	File Size
Additional Indicators
Verification Method	The method used to verify the user.
Assigned User	Assigned User
Parent Process CMD
Region
Project ID
URLs
Ticket Acknowledged Date
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Caller
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Related Campaign
External Category Name
app channel name
Vendor Product
Destination Geolocation	The destination geolocation of the event.
Risk Score
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Assignment Group
External Link
File Access Date
Full Name	Person's Full Name
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
User Engagement Response
Device Time	The time from the original logging device when the event occurred.
Incident Link
Item Owner
Cloud Instance ID	Cloud Instance ID
Last Modified On
Parent Process File Path
MITRE Tactic ID
Org Level 1
CVSS
File Creation Date
Country Code Number
Alert Type ID
ASN Name
Block Indicators Status
Policy ID
IP Reputation
Application Path
Mobile Phone
Policy Recommendation
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Asset Name
Email	Primary Email Address
Policy Remediable
Process Names
Domain Updated Date
Endpoints Details
User Creation Time
Process MD5
Status Reason
Tenant Name	Tenant Name
Last Seen
External Status
Detection URL	URL of the ExtraHop Reveal(x) detection
Account Member Of
Alert tags
Triage SLA	The time it took to investigate and enrich incident information.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
CVE ID
Group ID
Additional Data
Process Creation Time
Report Name
Sub Category	The sub category
Comment	The comments related with the incident
Source Geolocation	The source geolocation of the event.
Street Address
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Scenario
Source Urgency	Source Urgency
User SID
Timezone
Close Time	The closing time.
Domain Registrar Abuse Email
sAMAccountName	User sAMAAccountName
Tactic ID
First Name	First Name
Dest OS	Destination OS
Source Create time
File Hash
Team name
RemovedFromCampaigns
Raw Event	The unparsed event data.
Parent Process Path
Additional Email Addresses
Protocol names
Referenced Resource ID
Cost Center	Cost Center
Job Family	Job Family
Process SHA256
External Category ID
Job Function	Job Function
Employee Email	The email address of the employee.
Original Alert Source
External Last Updated Time
Closing Reason	The closing reason
Investigation Stage	The stage of the investigation.
External System ID
Employee Manager Email	The email address of the employee's manager.
Technique ID
Log Source Name	The log source name associated with the event.
CVE Published
Org Level 3
Asset ID
Traffic Direction	The direction of the traffic in the event.
Escalation
Command Line Verdict
Manager Name	Manager Name
Destination IPV6	The destination IPV6 address.
Process CMD
Exposure Level
Original Events	The events associated with the offense.
similarIncidents
Number Of Log Sources	The number of log sources related to the offense.
Leadership
SHA512	SHA512
Country Code
MITRE Technique ID
Original Alert Name	Alert name as received from the integration JSON
String Similarity Results
Device OU	Device's OU path in Active Directory
Log Source	Log Source
Alert Rules
Source Priority
ASN
Given Name	Given Name
Rule Name	The name of a YARA rule
City
Zip Code	Zip Code
OS Type	OS Type
Vendor ID
Containment SLA	The time it took to contain the incident.
Low Level Categories Events	The low level category of the event.
EmailCampaignSnippets
Device Id	Device Id
Alert Malicious	Whether the alert is malicious.
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Phone Number	Phone number
Duration
Source Created By
Suspicious Executions Found
Device Status
EmailCampaignSummary
Post Nat Destination IP	The destination IP address after NAT.
Registry Value
Changed	The user who changed this incident
Is Active	Alert status
Source External IPs
Ticket Number
External Sub Category Name
Destination Networks
Error Code
Region ID
OutgoingMirrorError
Cloud Account ID
Rendered HTML	The HTML content in a rendered form.
Device OS Name

Incident Types

Name	Description
Hunt
Job
Reconnaissance
Authentication
Policy Violation
UnknownBinary
Exploit
DoS
Lateral Movement
Simulation
Defacement
Exfiltration
Vulnerability
Network
C2Communication
Indicator Feed

Indicator Fields

Name	Description
Title	Title
Positive Detections	Number of engines that positively detected the indicator as malicious
Office365Category
Cost Center
Operating System Version
X.509 v3 Extensions
Geo Country
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Processor
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Organization
Registrar Abuse Country
Personal Email
Groups
Primary Motivation
Implementation Languages
STIX Primary Motivation.
Objective
Detection Engines	Total number of engines that checked the indicator
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Issuer DN	Issuer Distinguished Name
CVSS3
Number of subkeys
Key Value
Country Name
Size
Registrar Abuse Email
STIX Is Malware Family
Goals
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
OS Version
Subject DN	Subject Distinguished Name
Roles
Category
Expiration Date
Feed Related Indicators
Infrastructure Types
Country Code Number
Rank	Used to display rank from different sources
Port
File Extension
Signature Description
Detections
Leadership
Hostname
Name Field
Secondary Motivations
Behavior
Certificate Validation Checks
Manager Name	Manager Name
Assigned user
DHCP Server
Tool Types
Community Notes
Processors
Threat Actor Types
Short Description
Display Name
Associated File Names
Indicator Identification
Vulnerable Products
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Account Type
Targets
SWID	Specifies the Software Identification (SWID) tags entry for the software
Org Unit
Registrant Phone
Job Function
Subdomains
Signature File Version
Malware Family
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Registrant Country
Certificate Signature
Office365ExpressRoute
Report Object References	A list of STIX IDs referenced in the report.
Confidence
Entry ID
Vendor
Author
Updated Date
CVSS Score
Internal
Blocked
Signed
Publications
imphash
SHA512
Email
Org Level 1
IP Address
BIOS Version
Resource Level
Admin Phone
Registrar Abuse Network
Country Code
STIX Malware Types
Aliases	Alternative names used to identify this object
Department	Department
State
Validity Not Before	Specifies the date on which the certificate validity period begins.
STIX Secondary Motivations
Issuer
Action
Domains
Device Model
Job Family
Subject
Mobile Phone
Name
SHA256
SHA1
Manager Email Address
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
PEM	Certificate in PEM format.
Validity Not After	Specifies the date on which the certificate validity period ends.
Query Language
Organization Prevalence	The number of times the indicator is detected in the organization.
Service	The specific service of a feed integration from which an indicator was ingested.
STIX Tool Version
Version
Definition
CVSS Version
STIX Roles
Force Sync	Whether to force user synchronization.
Mitre Tactics
Registrar Abuse Address
Registrant Name
Domain Referring IPs
Public Key
Office365Required
STIX Tool Types
Assigned role
Admin Country
Tool Version
Whois Records
Operating System
Commands
SSDeep
Reports
Signature Original Name
City	City
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Location
Geo Location
Tags
Samples
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Campaign
Domain Referring Subnets
Work Phone
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Org Level 2
Name Servers
STIX Sophistication
Job Code	Job Code
Applications
Source Original Severity	The original score/severity provided by the source without DBot translation.
Certificate Names
Organizational Unit (OU)
Creation Date
Certificates
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Given Name	Given Name
Operating System Refs
Domain Status
STIX Description
STIX Goals
Region
Memory
Signature Copyright
Cost Center Code
Path
Registrant Email
Capabilities
CVSS Table
Subject Alternative Names
Is Malware Family
User ID
STIX Aliases	Alternative names used to identify this object
Published
Source Priority
Description
Domain Name
Actor
Street Address
CVSS
Associations	Known associations to other pieces of Threat Data.
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Username
Admin Name
CVE Modified
Organization First Seen	Date and time when the indicator was first seen in the organization.
Email Address
Global Prevalence	The number of times the indicator is detected across all organizations.
DNS Records
File Type
Sophistication
Signature Authentihash
Signature Algorithm
Registrar Abuse Phone
Domain IDN Name
STIX Resource Level
Mitre ID
Registrar Abuse Name
Download URL
Organization Type
Location Region
ASN
Admin Email
CVE Description
Is Processed
First Seen By Source	The first time the indicator was seen by the source vendor.
Registrar Name
STIX Threat Actor Types
MD5
Vulnerabilities
Paths
Product
Architecture
Signature Internal Name
Report type
Quarantined	Whether the indicator is quarantined or isolated
Serial Number
Surname	Surname
Zip Code
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Malware types
Extension
CVSS Vector
DNS
Org Level 3
Acquisition Hire	Whether the employee is an acquisition hire.
AS Owner

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
Host Indicator	Host indicator layout
Tactic Layout	Tactic Indicator Layout
Course of Action	Course of Action Indicator Layout
Malware Indicator	Malware Indicator Layout
Software	Software Indicator Layout
Intrusion Set	Intrusion Set Layout
Registry Key Indicator	Registry Key Indicator Layout
Domain Indicator	Domain Indicator Layout
Infrastructure	Infrastructure Indicator Layout
IP Indicator	IP Indicator Layout
Tool Indicator	Tool Indicator Layout
Email Indicator	Email Indicator Layout
File Indicator	File Indicator Layout
Campaign	Campaign Indicator Layout
Indicator Feed Incident
Account Indicator	Account Indicator Layout
Location	Location indicator layout
Identity	Identity indicator layout
Threat Actor	Threat Actor Indicator Layout
URL Indicator	URL Indicator Layout
Mutex	Mutex indicator layout
CVE Indicator	CVE Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Vulnerability Incident
Report	Report Indicator Layout
ASN	ASN Indicator Layout
X509 Certificate	CVE Indicator Layout

Indicator Types

Name	Description
Tactic
Malware
Attack Pattern
Onion Address
ssdeep
IP
DomainGlob
Campaign
Email
CIDR
Infrastructure
Registry Key
Tool
File SHA-256
Host
Report
File MD5
Threat Actor
File SHA-1
X509 Certificate
Location
CVE
Course of Action
IPv6
Account
Domain
File
Mutex
URL
Identity
ASN
Software
Intrusion Set
IPv6CIDR

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (56)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.5.5 - 1082615 (June 10, 2024)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

3.5.4 - 1061293 (June 2, 2024)

Indicator Types

Email

Related pull requests:
- 33924

Download

3.5.3 - 1021616 (May 16, 2024)

Indicator Fields

Kill Chain Phases
- Added a missing phase, Resource Development, to multi-select list

Related pull requests:
- 33786

Download

3.5.2 - 998827 (May 6, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Indicator Fields

Author

Related pull requests:
- 33839

Download

3.5.0 - 995825 (May 5, 2024)

Incident Fields

New: Registration Email
New: Domain Updated Date
New: Domain Registrar Abuse Email

Related pull requests:
- 32924

Download

3.4.10 - 951066 (April 11, 2024)

Incident Fields

Policy Type
New: CVE ID
New: Resource URL
New: User Anomaly Count
New: CVE Published
Policy Recommendation
New: Vulnerable Product
New: Alert Rules

Related pull requests:
- 33781

Download

3.4.9 - 948301 (April 10, 2024)

Incident Fields

Compliance Notes - Added the Prisma Cloud Compute Compliance v2 incident type as an associated types.

Related pull requests:
- 32936

Download

3.4.8 - 927547 (April 1, 2024)

Indicator Types

URL
Updated the regex to capture URLs with commas.

Related pull requests:
- 33688

Download

3.4.7 - 904622 (March 20, 2024)

Incident Fields

Containment SLA
- Updated to be searchable
Incident Duration
- Updated to be searchable
Triage SLA
- Updated to be searchable

Indicator Fields

New: Number of subkeys
New: Samples

Related pull requests:
- 33419

Download

3.4.5 - 882064 (March 11, 2024)

Incident Fields

New: Additional Email Addresses

Related pull requests:
- 33129

Download

3.4.4 - 870683 (March 5, 2024)

Indicator Fields

New: Subject
New: Issuer
New: Certificate Names
New: Validity Not Before
New: PEM
New: Certificate Signature
New: Extension
New: X.509 v3 Extensions
New: Certificate Validation Checks
New: Issuer DN
New: SPKI SHA256
New: Validity Not After
New: Serial Number
New: Signature Algorithm
New: Public Key
New: Subject Alternative Names
New: Domains
New: Subject DN

Layouts

New: X509 Certificate
layout for the new X509 indicator type (Available from Cortex XSOAR 6.0.0).

Related pull requests:
- 31341

Download

3.4.3 - 865088 (March 3, 2024)

Incident Fields

New: Alert tags
New: User Risk Level

Related pull requests:
- 32470

Download

3.4.2 - 860237 (February 29, 2024)

Incident Fields

Added the CrowdStrike Falcon Mobile Detection incident type to the following incident fields:

Email
Detection ID
Last Update Time
Vendor Product
Display Name

Related pull requests:
- 33072

Download

3.4.1 - R828628 (February 14, 2024)

Indicator Types

URL
Fixed an issue with the regex not capturing quoted slashes.

Related pull requests:
- 32719

Download

3.4.0 - 778227 (January 22, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

3.3.99 - 764361 (January 15, 2024)

Indicator Fields

Blocked

Related pull requests:
- 32218

Download

3.3.98 - 737854 (January 2, 2024)

Incident Fields

New: Status Reason

Related pull requests:
- 31187

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	December 31, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Common Types

Pack Contributors:

Pack Contributors:

Incident Fields

Layouts

Incident Fields

Indicator Types

Layouts

Indicator Types

Indicator Fields

New: Organization Prevalence

New: Global Prevalence

New: Organization First Seen

New: Organization Last Seen

Indicator Types

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications

New: Definition

Indicator Types

Incident Fields

Indicator Fields

Validity Not Before

Validity Not After

Layouts

Indicator Types

Incident Fields

Indicator Types

Layouts

Indicator Fields

Primary Motivation

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Common Types

Indicator Types

Indicator Fields

Common Types

Indicator Fields

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Indicator Fields

Incident Fields

Indicator Fields

Layouts

Incident Fields

Incident Fields

Indicator Types

Common Types

Indicator Fields

Incident Fields

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER