Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Common Types
- Details
- Content
- Dependencies
- Version History
This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.
Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Classifiers
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Fields
| Name | Description |
|---|---|
Threat Hunting Detected IP | |
External End Time | |
Detection End Time | |
Threat Hunting Detected Hostnames | |
Status Reason | |
Related Campaign | |
Parent Process Path | |
Employee Display Name | The display name of the employee. |
File SHA256 | |
Assigned User | Assigned User |
Cloud Region List | |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Event ID | Event ID |
Additional Data | |
Compliance Notes | Notes regarding the assets compliance. |
Destination IPs | The destination IPs of the event. |
User Risk Level | |
Region ID | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
RemovedFromCampaigns | |
Policy Remediable | |
User Creation Time | |
Log Source | Log Source |
Sensor Name | |
Mobile Device Model | |
App message | |
User Id | User Id |
Comment | The comments related with the incident |
Parent Process | |
Event Names | The event name (translated QID ) in the event. |
Objective | |
Cost Center | Cost Center |
Closing User | The closing user. |
First Name | First Name |
Tools | |
Org Level 1 | |
Endpoint Isolation Status | |
Vendor Product | |
Traffic Direction | The direction of the traffic in the event. |
Department | Department |
Escalation | |
Duration | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
File MD5 | |
CVE ID | |
App | |
Srcs | The source values. |
Agents ID | |
Detected User | |
Policy Actions | |
Report Name | |
Device Local IP | Device Local IP |
Attack Patterns | |
Agent Version | Reporting Agent/Sensor Version |
Dest | Destination |
User SID | |
Reporter Email Address | The email address of the user who reported the email. |
Approval Status | The status for the approval of the request. |
Users Details | |
Endpoint | |
Appliance Name | Appliance name as received from the integration JSON |
File Creation Date | |
Additional Indicators | |
Application Name | Application Name |
Triage SLA | The time it took to investigate and enrich incident information. |
External Addresses | |
Protocol | Protocol |
MITRE Technique ID | |
Dest NT Domain | Destination NT Domain |
Country Code Number | |
Verification Status | The status of the user verification. |
Last Modified On | |
Leadership | |
Dest OS | Destination OS |
OS | The operating system. |
Employee Manager Email | The email address of the employee's manager. |
Source Priority | |
Log Source Type | The log source type associated with the event. |
Sensor IP | |
Source IPV6 | The source IPV6 address. |
Password Changed Date | |
Device Model | Device Model |
File Relationships | |
Street Address | |
Resource URL | |
SKU Name | |
Source Status | |
EmailCampaignMutualIndicators | |
Surname | Surname |
Changed | The user who changed this incident |
Isolated | Isolated |
OS Version | OS Version |
External Severity | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
List Of Rules - Event | The list of rules associated to an event. |
IP Reputation | |
Device Username | The username of the user that owns the device |
Timezone | |
High Risky Hosts | |
File SHA1 | |
Risk Score | |
Source Geolocation | The source geolocation of the event. |
Alert Source | |
sAMAccountName | User sAMAAccountName |
Title | Title |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
First Seen | |
Hunt Results Count | |
Tactic | |
Verdict | |
Detected External Hosts | Detected external hosts |
Alert Type ID | |
Device Id | Device Id |
Dst Ports | The destination ports of the event. |
Source Created By | |
City | |
Alert Rules | |
Device External IP | Device External IP |
IncomingMirrorError | |
Policy URI | |
Command Line | Command Line |
Alert Action | Alert action as received from the integration JSON |
Audit Logs | |
Protocol names | |
Phone Number | Phone number |
Ticket Acknowledged Date | |
External Sub Category Name | |
Related Report | |
SKU TIER | |
Device Hash | Device Hash |
Username | The username of the account who logged in. |
Destination IPV6 | The destination IPV6 address. |
CVSS | |
File Access Date | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Post Nat Destination IP | The destination IP address after NAT. |
Post Nat Source IP | The source IP address after NAT. |
Signature | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Source Username | The username that was the source of the attack. |
EmailCampaignCanvas | |
Detected IPs | |
Policy Type | |
File Names | |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Device Name | Device Name |
User Engagement Response | |
MITRE Technique Name | |
Src Ports | The source ports of the event. |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
User Block Status | |
Log Source Name | The log source name associated with the event. |
Related Endpoints | |
Tags | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Affected Users | |
MAC Address | MAC Address |
Cost Center Code | Cost Center Code |
Agent ID | Agent ID |
Is Active | Alert status |
End Time | The time when the offense ended. |
Cloud Operation Type | |
Post Nat Source Port | The source port after NAT. |
Rating | |
Detection Update Time | |
Ticket Number | |
Parent Process SHA256 | |
Parent Process File Path | |
File Path | |
Cloud Account ID | |
Containment SLA | The time it took to contain the incident. |
Application Id | Application Id |
User Anomaly Count | |
Src | Source |
Identity Type | |
Events | The events associated with the offense. |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
File Name | |
Detected External IPs | Detected external IPs |
External Category Name | |
Destination Port | The destination port used. |
Internal Addresses | |
Vulnerable Product | |
Source Updated by | |
Process Names | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Alert Attack Time | |
Personal Email | |
Src User | Source User |
MD5 | MD5 |
Related Alerts | |
Registry Value | |
Operation Name | |
File Hash | |
Tool Usage Found | |
Detection ID | |
Custom Query Results | |
Scenario | |
Policy Severity | |
EmailCampaignSummary | |
File Size | File Size |
Item Owner Email | |
Category Count | The number of categories that are associated with the offense. |
ASN Name | |
Parent Process CMD | |
Destination Hostname | Destination hostname |
SSDeep | |
Process Paths | |
Country Code | |
Primary Email Address | |
Attack Mode | Attack mode as received from the integration JSON |
Referenced Resource ID | |
Source Id | |
Process SHA256 | |
Ticket Opened Date | |
Pre Nat Source IP | The source IP before NAT. |
Description | The description of the incident |
Full Name | Person's Full Name |
Alert Malicious | Whether the alert is malicious. |
Error Message | The error message that contains details about the error that occurred. |
Triggered Security Profile | Triggered Security Profile |
Policy Description | |
Affected Hosts | |
Vendor ID | |
Source Hostname | The hostname that performed the port scan. |
Email Sent Successfully | Whether the email has been successfully sent. |
Number Of Log Sources | The number of log sources related to the offense. |
Project ID | |
Acquisition Hire | |
String Similarity Results | |
Technical Owner Contact | The contact details for the technical owner. |
URLs | |
EmailCampaignSnippets | |
Investigation Stage | The stage of the investigation. |
Parent Process Name | |
Mobile Phone | |
Pre Nat Source Port | The source port before NAT. |
Close Time | The closing time. |
External Confidence | |
Last Update Time | |
Work Phone | |
Protocol - Event | The network protocol in the event. |
Rule Name | The name of a YARA rule |
Source IPs | The source IPs of the event. |
Source MAC Address | The source MAC address in an event. |
Src OS | Src OS |
Country | The country from which the user logged in. |
UUID | UUID as received from the integration JSON |
Device OS Version | |
Source Category | |
Event Descriptions | The description of the event name. |
Cloud Instance ID | Cloud Instance ID |
External Link | |
Verification Method | The method used to verify the user. |
Follow Up | True if marked for follow up. |
Bugtraq | |
MITRE Tactic ID | |
Vulnerability Category | |
Sub Category | The sub category |
Destination Geolocation | The destination geolocation of the event. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Destination Networks | |
Region | |
Raw Event | The unparsed event data. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Additional Email Addresses | |
Manager Name | Manager Name |
Job Function | Job Function |
Technical User | The technical user of the asset. |
Detected Endpoints | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Resource Name | |
Dest Hostname | Destination hostname |
Location | Location |
Account ID | |
Password Reset Successfully | Whether the password has been successfully reset. |
Policy ID | |
Manager Email Address | |
Resource Type | |
Registry Value Type | |
Process CMD | |
OS Type | OS Type |
File Paths | |
Last Modified By | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Selected Indicators | Includes the indicators selected by the user. |
Usernames | The username in the event. |
Categories | The categories for the incident. |
Destination MAC Address | The destination MAC address in an event. |
Exposure Level | |
Registry Key | |
Item Owner | |
CVE | |
PID | PID |
External Status | |
Account Member Of | |
Asset ID | |
Pre Nat Destination Port | The destination port before NAT. |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ÖżFraud\Espionage |
Error Code | |
Referenced Resource Name | |
Location Region | Location Region |
State | State |
Domain Registrar Abuse Email | |
Campaign Name | |
Policy Recommendation | |
Alert Name | Alert name as received from the integration JSON |
Src NT Domain | Source NT Domain |
Device Time | The time from the original logging device when the event occurred. |
CMD | |
Source Network | |
Endpoints Details | |
Account Status | |
User Groups | |
Alert Category | The category of the alert |
Device MAC Address | |
Team name | |
Display Name | Display Name |
Source Port | The source port that was used |
Approver | The person who approved or needs to approve the request. |
userAccountControl | userAccountControl |
Technique ID | |
Command Line Verdict | |
Process Name | |
Destination IP | The IP address the impossible traveler logged in to. |
Src Hostname | Source hostname |
Job Code | Job Code |
Group ID | |
Tenant Name | Tenant Name |
External Start Time | |
CVE Published | |
External Last Updated Time | |
Hostnames | The hostname in the event. |
Zip Code | Zip Code |
Incident Link | |
Registry Hive | |
Closing Reason | The closing reason |
Appliance ID | Appliance ID as received from the integration JSON |
Suspicious Executions | |
Given Name | Given Name |
Last Name | Last Name |
Alert URL | Alert URL as received from the integration JSON |
Parent CMD line | |
Event Type | Event Type |
SHA1 | SHA1 |
Registration Email | |
User Agent | |
Org Level 3 | |
Device OS Name | |
SHA512 | SHA512 |
CMD line | |
SHA256 | SHA256 |
Child Process | |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
IP Blocked Status | |
Policy Deleted | |
Detected Users | Detected users |
Device External IPs | |
External Category ID | |
similarIncidents | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Source Networks | |
Suspicious Executions Found | |
Assignment Group | |
Use Case Description | |
Process Path | |
Destination Network | |
MITRE Tactic Name | |
Process Creation Time | |
External System ID | |
Device Internal IPs | |
app channel name | |
Job Family | Job Family |
Domain Updated Date | |
Rendered HTML | The HTML content in a rendered form. |
Post Nat Destination Port | The destination port after NAT. |
Org Unit | |
Parent Process IDs | |
Number of Related Incidents | |
Policy Details | |
Parent Process MD5 | |
Risk Name | |
Process ID | |
Subtype | Subtype |
Number of similar files | |
Low Level Categories Events | The low level category of the event. |
Risk Rating | |
Org Level 2 | |
Classification | Incident Classification |
Source Create time | |
Account Name | Account Name |
Dsts | The destination values. |
High Risky Users | |
Birthday | Person's Birthday |
Source Urgency | Source Urgency |
Users | |
Start Time | The time when the offense started. |
External Sub Category ID | |
Last Seen | |
Employee Email | The email address of the employee. |
Process MD5 | |
Alert tags | |
Block Indicators Status | |
High Level Categories | The high level categories in the events. |
Device Status | |
Technical Owner | The technical owner of the asset. |
Ticket Closed Date | |
Detected Internal IPs | Detected internal IPs |
Asset Name | |
Source IP | The IP Address that the user initially logged in from. |
OutgoingMirrorError | |
Cloud Resource List | |
Detected Internal Hosts | Detected internal hosts |
Application Path | |
Domain Name | |
Source External IPs | |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Device OU | Device's OU path in Active Directory |
Alert ID | Alert ID as received from the integration JSON |
ASN | |
Tactic ID | |
DNS Name | The DNS name of the asset. |
Blocked Action | Blocked Action |
Country Name | Country Name |
Similar incidents Dbot | |
External ID | |
Protocols | |
Resource ID | |
Unique Ports | |
Cloud Service | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Technique | |
Caller |
Incident Types
| Name | Description |
|---|---|
Indicator Feed | |
C2Communication | |
Exploit | |
Hunt | |
UnknownBinary | |
Authentication | |
Policy Violation | |
Network | |
Simulation | |
Vulnerability | |
Defacement | |
Reconnaissance | |
Lateral Movement | |
Exfiltration | |
DoS | |
Job |
Indicator Fields
| Name | Description |
|---|---|
Domain Referring IPs | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Updated Date | |
Samples | |
Vulnerable Products | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Geo Location | |
Actor | |
Job Function | |
Malware Family | |
Is Processed | |
STIX Is Malware Family | |
Definition | |
CVSS | |
Hostname | |
Is Malware Family | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
PEM | Certificate in PEM format. |
Registrar Abuse Country | |
Resource Level | |
Vulnerabilities | |
SHA1 | |
Signature Description | |
CVE Description | |
Category | |
Name Servers | |
Country Code Number | |
Cost Center Code | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
Entry ID | |
Assigned user | |
Report Object References | A list of STIX IDs referenced in the report. |
Registrar Abuse Network | |
Memory | |
STIX Tool Types | |
CVSS3 | |
Registrant Email | |
Capabilities | |
DNS | |
Serial Number | |
Detection Engines | Total number of engines that checked the indicator |
STIX Resource Level | |
Targets | |
Internal | |
IP Address | |
Port | |
STIX Aliases | Alternative names used to identify this object |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
STIX Description | |
Description | |
Product | |
Signature Algorithm | |
Extension | |
Organizational Unit (OU) | |
Account Type | |
Publications | |
Community Notes | |
Geo Country | |
Groups | |
Office365Category | |
State | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Path | |
Org Level 3 | |
Reports | |
Admin Country | |
Detections | |
Mitre Tactics | |
Tags | |
Quarantined | Whether the indicator is quarantined or isolated |
STIX Roles | |
Subject | |
Org Level 2 | |
Manager Email Address | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Domain IDN Name | |
STIX Goals | |
Size | |
Registrar Abuse Address | |
Signature File Version | |
Source Priority | |
Published | |
CVE Modified | |
Street Address | |
STIX Secondary Motivations | |
Action | |
Certificate Signature | |
X.509 v3 Extensions | |
Department | Department |
Query Language | |
DHCP Server | |
Download URL | |
Registrar Abuse Email | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Country Code | |
STIX Primary Motivation. | |
Processors | |
Mitre ID | |
Device Model | |
Goals | |
Assigned role | |
Confidence | |
Name | |
Expiration Date | |
Operating System Refs | |
STIX Tool Version | |
Office365Required | |
File Extension | |
Cost Center | |
Admin Phone | |
Display Name | |
Feed Related Indicators | |
Author | |
Report type | |
File Type | |
Commands | |
Issuer DN | Issuer Distinguished Name |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Personal Email | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Indicator Identification | |
ASN | |
Location Region | |
User ID | |
Campaign | |
City | City |
Org Unit | |
Job Family | |
Short Description | |
Version | |
DNS Records | |
Subdomains | |
Behavior | |
Roles | |
Org Level 1 | |
Username | |
Aliases | Alternative names used to identify this object |
SSDeep | |
Job Code | Job Code |
Domain Name | |
Processor | |
STIX Threat Actor Types | |
Registrar Name | |
Associations | Known associations to other pieces of Threat Data. |
Mobile Phone | |
Registrant Country | |
Rank | Used to display rank from different sources |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Subject DN | Subject Distinguished Name |
Location | |
Region | |
Signature Authentihash | |
Whois Records | |
Email Address | |
SHA512 | |
Signature Original Name | |
Registrar Abuse Name | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Registrant Phone | |
Country Name | |
Associated File Names | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Organization | |
Applications | |
Issuer | |
Acquisition Hire | Whether the employee is an acquisition hire. |
CVSS Vector | |
SHA256 | |
BIOS Version | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Sophistication | |
STIX Malware Types | |
STIX Sophistication | |
OS Version | |
Creation Date | |
AS Owner | |
Registrar Abuse Phone | |
Certificates | |
Primary Motivation | |
Tool Types | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Leadership | |
Title | Title |
Organization Type | |
Vendor | |
Domain Referring Subnets | |
Infrastructure Types | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Objective | |
Operating System | |
Implementation Languages | |
Manager Name | Manager Name |
Public Key | |
CVSS Score | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Force Sync | Whether to force user synchronization. |
CVSS Table | |
Key Value | |
Surname | Surname |
Zip Code | |
Given Name | Given Name |
Threat Actor Types | |
MD5 | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
imphash | |
Operating System Version | |
Signature Internal Name | |
Architecture | |
Blocked | |
Admin Email | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Name Field | |
Tool Version | |
Admin Name | |
Domains | |
Number of subkeys | |
Signature Copyright | |
Malware types | |
Subject Alternative Names | |
Paths | |
Certificate Validation Checks | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
CVSS Version | |
Certificate Names | |
Office365ExpressRoute | |
Registrant Name | |
Secondary Motivations | |
Domain Status | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
MAC Address | |
Signed | |
Work Phone |
Layouts
| Name | Description |
|---|---|
Account Indicator | Account Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Mutex | Mutex indicator layout |
Host Indicator | Host indicator layout |
Malware Indicator | Malware Indicator Layout |
File Indicator | File Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Tool Indicator | Tool Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Indicator Feed Incident | |
Location | Location indicator layout |
URL Indicator | URL Indicator Layout |
Identity | Identity indicator layout |
X509 Certificate | CVE Indicator Layout |
IP Indicator | IP Indicator Layout |
Email Indicator | Email Indicator Layout |
Software | Software Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Vulnerability Incident | |
Report | Report Indicator Layout |
ASN | ASN Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Campaign | Campaign Indicator Layout |
Indicator Types
| Name | Description |
|---|---|
File | |
Report | |
Attack Pattern | |
Tool | |
CIDR | |
Software | |
Location | |
ASN | |
Mutex | |
Onion Address | |
URL | |
File MD5 | |
Threat Actor | |
Identity | |
Account | |
Registry Key | |
Domain | |
IPv6CIDR | |
CVE | |
IPv6 | |
IP | |
Campaign | |
Intrusion Set | |
Malware | |
File SHA-256 | |
Course of Action | |
Infrastructure | |
DomainGlob | |
ssdeep | |
X509 Certificate | |
File SHA-1 | |
Tactic | |
Host |
Classifiers
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Fields
| Name | Description |
|---|---|
User Anomaly Count | |
Full Name | Person's Full Name |
Referenced Resource ID | |
Employee Display Name | The display name of the employee. |
Technique ID | |
External End Time | |
Use Case Description | |
similarIncidents | |
Pre Nat Source Port | The source port before NAT. |
Process CMD | |
Parent Process CMD | |
Hunt Results Count | |
Policy Actions | |
Rating | |
Surname | Surname |
Resource Name | |
Policy URI | |
Comment | The comments related with the incident |
Technical Owner | The technical owner of the asset. |
Objective | |
Device Time | The time from the original logging device when the event occurred. |
Policy Severity | |
CVSS | |
User Id | User Id |
Error Message | The error message that contains details about the error that occurred. |
Classification | Incident Classification |
User Groups | |
Incident Link | |
Employee Email | The email address of the employee. |
Detected Endpoints | |
Source Priority | |
MITRE Technique Name | |
Mobile Device Model | |
Custom Query Results | |
Verification Method | The method used to verify the user. |
Duration | |
Region ID | |
Job Family | Job Family |
EmailCampaignSnippets | |
Policy Recommendation | |
Work Phone | |
Dest OS | Destination OS |
Bugtraq | |
Job Code | Job Code |
Asset Name | |
Suspicious Executions Found | |
High Risky Users | |
SSDeep | |
Triggered Security Profile | Triggered Security Profile |
Post Nat Source Port | The source port after NAT. |
External System ID | |
State | State |
Last Modified On | |
List Of Rules - Event | The list of rules associated to an event. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Primary Email Address | |
Org Unit | |
Org Level 1 | |
Unique Ports | |
Number of similar files | |
High Risky Hosts | |
Raw Event | The unparsed event data. |
Cloud Service | |
Process ID | |
Alert Malicious | Whether the alert is malicious. |
Account ID | |
Additional Indicators | |
Timezone | |
External Confidence | |
SHA1 | SHA1 |
URLs | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Street Address | |
ASN Name | |
Caller | |
Post Nat Destination IP | The destination IP address after NAT. |
Affected Hosts | |
Endpoints Details | |
Attack Patterns | |
Users Details | |
Ticket Closed Date | |
Resource URL | |
EmailCampaignCanvas | |
Error Code | |
Rendered HTML | The HTML content in a rendered form. |
Isolated | Isolated |
Technical User | The technical user of the asset. |
Source Geolocation | The source geolocation of the event. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Tactic | |
Start Time | The time when the offense started. |
Block Indicators Status | |
Selected Indicators | Includes the indicators selected by the user. |
Parent Process Path | |
Group ID | |
Phone Number | Phone number |
Suspicious Executions | |
Source Created By | |
Vendor ID | |
Closing Reason | The closing reason |
Application Path | |
Device Hash | Device Hash |
Tools | |
Device Internal IPs | |
Original Description | The description of the incident |
Assigned User | Assigned User |
Detection End Time | |
Device OS Name | |
Traffic Direction | The direction of the traffic in the event. |
Is Active | Alert status |
Original Alert Name | Alert name as received from the integration JSON |
First Seen | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
UUID | UUID as received from the integration JSON |
User Block Status | |
Operation Name | |
Rule Name | The name of a YARA rule |
File SHA1 | |
Related Endpoints | |
Device Name | Device Name |
Report Name | |
Tactic ID | |
Verdict | |
Source Updated by | |
Policy Description | |
Project ID | |
Asset ID | |
Log Source | Log Source |
Verification Status | The status of the user verification. |
Process Paths | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Parent Process Name | |
Org Level 2 | |
Process SHA256 | |
Destination IPV6 | The destination IPV6 address. |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Source External IPs | |
IncomingMirrorError | |
Registry Hive | |
Command Line Verdict | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Blocked Action | Blocked Action |
File Size | File Size |
Escalation | |
Event ID | Event ID |
sAMAccountName | User sAMAAccountName |
Similar incidents Dbot | |
Device Id | Device Id |
Agents ID | |
Country Code | |
Attack Mode | Attack mode as received from the integration JSON |
Title | Title |
Cost Center Code | Cost Center Code |
Country Code Number | |
External Start Time | |
External Category ID | |
CVE ID | |
Low Level Categories Events | The low level category of the event. |
Alert Action | Alert action as received from the integration JSON |
Technique | |
Sensor IP | |
Original Alert Source | |
Policy Remediable | |
Password Reset Successfully | Whether the password has been successfully reset. |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Src OS | Src OS |
Detected External IPs | Detected external IPs |
OS | The operating system. |
External Sub Category ID | |
Agent Version | Reporting Agent/Sensor Version |
Given Name | Given Name |
Triage SLA | The time it took to investigate and enrich incident information. |
Scenario | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Registry Value Type | |
OS Type | OS Type |
Policy Type | |
MITRE Technique ID | |
Assignment Group | |
Investigation Stage | The stage of the investigation. |
Device Model | Device Model |
Ticket Acknowledged Date | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Original Alert ID | Alert ID as received from the integration JSON |
Process Names | |
Additional Email Addresses | |
IP Blocked Status | |
Alert Type ID | |
Number of Related Incidents | |
User SID | |
EmailCampaignSummary | |
Protocol names | |
Related Campaign | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Related Report | |
CVE Published | |
SKU Name | |
Reporter Email Address | The email address of the user who reported the email. |
Pre Nat Destination Port | The destination port before NAT. |
Post Nat Destination Port | The destination port after NAT. |
Item Owner Email | |
Location | Location |
Email Sent Successfully | Whether the email has been successfully sent. |
User Creation Time | |
Original Events | The events associated with the offense. |
Manager Email Address | |
App message | |
EmailCampaignMutualIndicators | |
Team name | |
Exposure Level | |
Detection ID | |
Device OS Version | |
External Sub Category Name | |
Cost Center | Cost Center |
Password Changed Date | |
Zip Code | Zip Code |
Parent Process MD5 | |
RemovedFromCampaigns | |
Acquisition Hire | |
Close Time | The closing time. |
Last Name | Last Name |
Policy ID | |
Closing User | The closing user. |
Dsts | The destination values. |
Registry Key | |
Cloud Instance ID | Cloud Instance ID |
Follow Up | True if marked for follow up. |
Source Category | |
Vendor Product | |
Vulnerable Product | |
Additional Data | |
Source Id | |
Event Names | The event name (translated QID ) in the event. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Campaign Name | |
Department | Department |
Pre Nat Source IP | The source IP before NAT. |
Audit Logs | |
Risk Score | |
Resource Type | |
Registry Value | |
Source Create time | |
Compliance Notes | Notes regarding the assets compliance. |
User Engagement Response | |
Policy Deleted | |
Location Region | Location Region |
Risk Name | |
Subtype | Subtype |
Ticket Number | |
City | |
External Status | |
IP Reputation | |
Source Networks | |
Device MAC Address | |
Cloud Region List | |
External Link | |
Org Level 3 | |
File Relationships | |
MITRE Tactic ID | |
Destination Geolocation | The destination geolocation of the event. |
Display Name | Display Name |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Alert Rules | |
Tenant Name | Tenant Name |
Policy Details | |
Alert tags | |
Vulnerability Category | |
Domain Updated Date | |
Parent Process IDs | |
First Name | First Name |
Source Urgency | Source Urgency |
OutgoingMirrorError | |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Region | |
Job Function | Job Function |
Domain Registrar Abuse Email | |
End Time | The time when the offense ended. |
Registration Email | |
Post Nat Source IP | The source IP address after NAT. |
Number Of Log Sources | The number of log sources related to the offense. |
Account Status | |
Sub Category | The sub category |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Manager Name | Manager Name |
SHA512 | SHA512 |
Detected Internal Hosts | Detected internal hosts |
Last Seen | |
Birthday | Person's Birthday |
String Similarity Results | |
Signature | |
MITRE Tactic Name | |
Containment SLA | The time it took to contain the incident. |
userAccountControl | userAccountControl |
SKU TIER | |
Mobile Phone | |
External Severity | |
Source Status | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Status Reason | |
Device Status | |
File Hash | |
Log Source Type | The log source type associated with the event. |
Item Owner | |
Process Creation Time | |
Technical Owner Contact | The contact details for the technical owner. |
File Creation Date | |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Category Count | The number of categories that are associated with the offense. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Employee Manager Email | The email address of the employee's manager. |
Referenced Resource Name | |
Cloud Resource List | |
app channel name | |
Personal Email | |
External Category Name | |
Parent Process File Path | |
Last Modified By | |
Approval Status | The status for the approval of the request. |
Destination Networks | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Internal Addresses | |
File Access Date | |
Process MD5 | |
Device OU | Device's OU path in Active Directory |
Changed | The user who changed this incident |
Last Update Time | |
Leadership | |
Related Alerts | |
Domain Name | |
Endpoint Isolation Status | |
ASN | |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ÖżFraud\Espionage |
Affected Users | |
CVE | |
Event Descriptions | The description of the event name. |
Tool Usage Found | |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Device External IPs | |
Account Member Of | |
Log Source Name | The log source name associated with the event. |
Parent Process SHA256 | |
Risk Rating | |
External Last Updated Time | |
Cloud Account ID | |
Identity Type | |
Approver | The person who approved or needs to approve the request. |
Incident Types
| Name | Description |
|---|---|
Reconnaissance | |
Network | |
DoS | |
Policy Violation | |
Hunt | |
Job | |
Lateral Movement | |
Defacement | |
Indicator Feed | |
Exploit | |
Authentication | |
Vulnerability | |
UnknownBinary | |
Exfiltration | |
Simulation | |
C2Communication |
Indicator Fields
| Name | Description |
|---|---|
Signature Algorithm | |
Domain Status | |
Mitre Tactics | |
Whois Records | |
STIX Goals | |
Leadership | |
Office365Required | |
Author | |
Serial Number | |
Org Level 2 | |
Secondary Motivations | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
CVE Modified | |
File Extension | |
Issuer | |
Name Servers | |
Geo Country | |
Name | |
STIX Sophistication | |
Domain Referring Subnets | |
Hostname | |
Tags | |
Registrant Phone | |
Domain IDN Name | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Organization Type | |
DNS Records | |
Cost Center Code | |
STIX Tool Types | |
Actor | |
imphash | |
Tool Version | |
Certificate Names | |
Path | |
Issuer DN | Issuer Distinguished Name |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Definition | |
CVSS Score | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Location | |
STIX Secondary Motivations | |
Manager Email Address | |
Associated File Names | |
Admin Email | |
CVSS Table | |
State | |
Port | |
Subject DN | Subject Distinguished Name |
Memory | |
STIX Is Malware Family | |
Aliases | Alternative names used to identify this object |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Registrant Name | |
Rank | Used to display rank from different sources |
Certificate Validation Checks | |
Vulnerable Products | |
Device Model | |
IP Address | |
Malware types | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Entry ID | |
CVSS Version | |
Given Name | Given Name |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Threat Actor Types | |
Office365Category | |
Detection Engines | Total number of engines that checked the indicator |
STIX Description | |
Extension | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Region | |
Org Unit | |
File Type | |
Username | |
Report type | |
Feed Related Indicators | |
Targets | |
Community Notes | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
DNS | |
Report Object References | A list of STIX IDs referenced in the report. |
PEM | Certificate in PEM format. |
City | City |
Street Address | |
Registrar Name | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
Source Priority | |
SSDeep | |
MD5 | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Malware Family | |
Office365ExpressRoute | |
Domain Referring IPs | |
Registrar Abuse Phone | |
Surname | Surname |
Action | |
Job Function | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Certificate Signature | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Mobile Phone | |
Name Field | |
Subdomains | |
STIX Roles | |
STIX Malware Types | |
Objective | |
SHA1 | |
Title | Title |
Campaign | |
Vulnerabilities | |
BIOS Version | |
CVSS3 | |
Admin Phone | |
Goals | |
Processors | |
Reports | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Department | Department |
Capabilities | |
Expiration Date | |
Registrar Abuse Address | |
Indicator Identification | |
Country Code | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Domains | |
AS Owner | |
Location Region | |
DHCP Server | |
Signature Authentihash | |
Personal Email | |
Groups | |
STIX Tool Version | |
Tool Types | |
Organizational Unit (OU) | |
OS Version | |
Registrar Abuse Name | |
Infrastructure Types | |
Primary Motivation | |
Creation Date | |
SHA256 | |
Quarantined | Whether the indicator is quarantined or isolated |
Query Language | |
STIX Threat Actor Types | |
Published | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Operating System | |
STIX Resource Level | |
Version | |
Associations | Known associations to other pieces of Threat Data. |
Signature File Version | |
Registrar Abuse Network | |
Architecture | |
STIX Aliases | Alternative names used to identify this object |
CVSS | |
Detections | |
Category | |
Org Level 3 | |
Sophistication | |
Geo Location | |
Force Sync | Whether to force user synchronization. |
Operating System Version | |
Registrar Abuse Email | |
Description | |
User ID | |
Roles | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Signature Original Name | |
Number of subkeys | |
Admin Name | |
ASN | |
Is Processed | |
Confidence | |
STIX Primary Motivation. | |
Manager Name | Manager Name |
Mitre ID | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Zip Code | |
Is Malware Family | |
Paths | |
X.509 v3 Extensions | |
Implementation Languages | |
Blocked | |
Behavior | |
Signature Copyright | |
Subject Alternative Names | |
Account Type | |
SHA512 | |
Key Value | |
Org Level 1 | |
Email Address | |
Country Code Number | |
Applications | |
Domain Name | |
Display Name | |
Work Phone | |
Resource Level | |
Organization | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Processor | |
Assigned user | |
Job Family | |
Signed | |
Internal | |
Country Name | |
Job Code | Job Code |
Samples | |
Product | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Registrar Abuse Country | |
Certificates | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Assigned role | |
CVSS Vector | |
Operating System Refs | |
Registrant Country | |
Signature Description | |
Cost Center | |
Signature Internal Name | |
Publications | |
Commands | |
Registrant Email | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Size | |
Subject | |
Short Description | |
Admin Country | |
CVE Description | |
Vendor | |
Public Key | |
Download URL | |
Updated Date |
Layoutrule
| Name | Description |
|---|---|
Indicator Feed Layout Rule | |
Vulnerability Layout Rule |
Layouts
| Name | Description |
|---|---|
Mutex | Mutex indicator layout |
Threat Actor | Threat Actor Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Host Indicator | Host indicator layout |
Account Indicator | Account Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Vulnerability Incident | |
X509 Certificate | CVE Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Domain Indicator | Domain Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
File Indicator | File Indicator Layout |
ASN | ASN Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Software | Software Indicator Layout |
IP Indicator | IP Indicator Layout |
Report | Report Indicator Layout |
Campaign | Campaign Indicator Layout |
Identity | Identity indicator layout |
Location | Location indicator layout |
Indicator Feed Incident | |
URL Indicator | URL Indicator Layout |
Email Indicator | Email Indicator Layout |
Indicator Types
| Name | Description |
|---|---|
Report | |
File | |
Attack Pattern | |
CIDR | |
DomainGlob | |
Software | |
Infrastructure | |
IP | |
Course of Action | |
Onion Address | |
URL | |
Intrusion Set | |
Identity | |
Registry Key | |
Threat Actor | |
Malware | |
ASN | |
File MD5 | |
Tactic | |
CVE | |
File SHA-256 | |
Host | |
ssdeep | |
Domain | |
Tool | |
File SHA-1 | |
X509 Certificate | |
IPv6CIDR | |
Mutex | |
IPv6 | |
Location | |
Campaign | |
Account |
Required Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
Optional Content Packs (59)
All level dependencies (4)
| Pack Name | Pack By |
|---|---|
| Cortex REST API | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Aggregated Scripts | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
3.10.1 - 6920594 (January 28, 2026)
- 42762
Download
Incident Fields
Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.
- 42762
Download
3.10.0 - 6802612 (January 20, 2026)
- 42537
Download
Incident Fields
Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
- 42537
Download
3.9.5 - 5208238 (September 30, 2025)
- 41462
Download
Indicator Fields
Primary Motivation
- Updated the Primary Motivation indicator field to include additional values.
Indicator Types
- File
- Updated the file formatter to include the
imphashincident field.
Layouts
- Threat Actor
- Updated the Threat Actor layout to include additional incident fields.
- 41462
Download
3.9.0 - 4121830 (July 10, 2025)
- 40208
Download
Incident Fields
Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
- 40208
Download
3.10.1 - 6920581 (January 28, 2026)
- 42762
Download
Incident Fields
Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.
- 42762
Download
3.10.0 - 6802612 (January 20, 2026)
- 42537
Download
Incident Fields
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
- 42537
Download
3.9.5 - 5212533 (October 1, 2025)
- 41462
Download
Indicator Fields
Primary Motivation
- Updated the Primary Motivation indicator field to include additional values.
Indicator Types
- File
- Updated the file formatter to include the
imphashincident field.
Layouts
- Threat Actor
- Updated the Threat Actor layout to include additional incident fields.
- 41462
Download
3.9.0 - 4118212 (July 9, 2025)
- 40208
Download
Incident Fields
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
- 40208
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | July 26, 2020 | |
| Last Release | March 8, 2026 |