Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Command Line Verdict
Country	The country from which the user logged in.
Policy URI
Triggered Security Profile	Triggered Security Profile
Registration Email
DNS Name	The DNS name of the asset.
Child Process
User SID
Alert Malicious	Whether the alert is malicious.
Vendor ID
Number of Related Incidents
Detected Users	Detected users
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Ticket Acknowledged Date
Employee Email	The email address of the employee.
Risk Rating
Destination IPs	The destination IPs of the event.
Asset ID
Error Code
End Time	The time when the offense ended.
Region ID
Department	Department
Blocked Action	Blocked Action
Risk Name
Detected Internal Hosts	Detected internal hosts
Low Level Categories Events	The low level category of the event.
Application Path
SKU TIER
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Cost Center	Cost Center
City
Categories	The categories for the incident.
MITRE Tactic ID
Related Report
Alert Category	The category of the alert
Registry Hive
Unique Ports
Tags
Policy Details
Given Name	Given Name
Source Network
Source Create time
Domain Registrar Abuse Email
Policy Actions
Source IP	The IP Address that the user initially logged in from.
Phone Number	Phone number
Technique
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
External Sub Category ID
Device Internal IPs
Custom Query Results
Campaign Name
Policy Recommendation
Domain Updated Date
MD5	MD5
External Start Time
Hostnames	The hostname in the event.
Pre Nat Destination Port	The destination port before NAT.
User Creation Time
Log Source Type	The log source type associated with the event.
File Access Date
ASN
Process Name
CVSS Availability Requirement	The CVSS availability requirement for the asset.
External ID
File SHA1
Start Time	The time when the offense started.
Related Alerts
Signature
Source Id
RemovedFromCampaigns
Event Names	The event name (translated QID ) in the event.
sAMAccountName	User sAMAAccountName
Job Function	Job Function
User Groups
Referenced Resource Name
Triage SLA	The time it took to investigate and enrich incident information.
Source Networks
Tenant Name	Tenant Name
Manager Name	Manager Name
Process CMD
Org Level 1
Compliance Notes	Notes regarding the assets compliance.
similarIncidents
Description	The description of the incident
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Parent CMD line
Subtype	Subtype
Domain Name
Detected External Hosts	Detected external hosts
Classification	Incident Classification
File SHA256
Device Hash	Device Hash
Detection Update Time
Detection End Time
Destination Networks
Title	Title
Device MAC Address
Country Code
Investigation Stage	The stage of the investigation.
Parent Process Name
Asset Name
Timezone
Parent Process Path
Device Time	The time from the original logging device when the event occurred.
Dest	Destination
Suspicious Executions
Ticket Opened Date
Process ID
Reporter Email Address	The email address of the user who reported the email.
MITRE Technique ID
Affected Users
Cloud Instance ID	Cloud Instance ID
EmailCampaignCanvas
Leadership
Full Name	Person's Full Name
First Seen
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Account Status
CMD
Cloud Resource List
Escalation
Country Code Number
Objective
Process Paths
EmailCampaignSummary
Alert tags
External Addresses
Alert Type ID
External Confidence
Status Reason
Job Family	Job Family
External Category ID
Cloud Service
Is Active	Alert status
Destination MAC Address	The destination MAC address in an event.
Number Of Log Sources	The number of log sources related to the offense.
SSDeep
Related Campaign
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Event Descriptions	The description of the event name.
Device OS Name
Policy Deleted
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Resource Name
Source External IPs
High Level Categories	The high level categories in the events.
Src OS	Src OS
Ticket Number
Device Id	Device Id
Process MD5
Detection SLA	The time it took from incident creation until the maliciousness was determined.
User Anomaly Count
app channel name
Policy Description
Source Hostname	The hostname that performed the port scan.
Destination Geolocation	The destination geolocation of the event.
User Risk Level
PID	PID
Source Urgency	Source Urgency
ASN Name
Agents ID
Source Geolocation	The source geolocation of the event.
Resource Type
Zip Code	Zip Code
Registry Value
Alert Rules
Org Unit
Command Line	Command Line
Source IPs	The source IPs of the event.
Application Id	Application Id
Containment SLA	The time it took to contain the incident.
File Relationships
Detected IPs
Pre Nat Source Port	The source port before NAT.
SKU Name
Incident Link
Detected Endpoints
Personal Email
Post Nat Source IP	The source IP address after NAT.
Source Priority
Appliance ID	Appliance ID as received from the integration JSON
App message
Country Name	Country Name
Users
Detected User
Parent Process CMD
Referenced Resource ID
Last Name	Last Name
Device Model	Device Model
Registry Value Type
Process Names
OS	The operating system.
Use Case Description
Internal Addresses
External Last Updated Time
Closing User	The closing user.
Alert Action	Alert action as received from the integration JSON
Process Path
App
First Name	First Name
Source MAC Address	The source MAC address in an event.
Device Local IP	Device Local IP
Source IPV6	The source IPV6 address.
Rating
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
File MD5
Traffic Direction	The direction of the traffic in the event.
Team name
Tools
Raw Event	The unparsed event data.
Post Nat Destination IP	The destination IP address after NAT.
Log Source	Log Source
Source Username	The username that was the source of the attack.
Org Level 3
Policy Type
CMD line
Approver	The person who approved or needs to approve the request.
Org Level 2
IP Reputation
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Parent Process SHA256
Affected Hosts
Policy ID
Vendor Product
Technical User	The technical user of the asset.
Users Details
Location	Location
Alert URL	Alert URL as received from the integration JSON
Additional Email Addresses
Src Hostname	Source hostname
OS Type	OS Type
String Similarity Results
File Paths
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
External End Time
Group ID
SHA512	SHA512
Identity Type
Protocols
Scenario
Device OS Version
File Creation Date
Employee Display Name	The display name of the employee.
File Names
File Size	File Size
Last Seen
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Operation Name
Process SHA256
External Severity
IncomingMirrorError
Dest NT Domain	Destination NT Domain
Close Time	The closing time.
Street Address
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Last Modified By
Region
userAccountControl	userAccountControl
Protocol	Protocol
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Parent Process
Technique ID
Manager Email Address
Device External IPs
External Sub Category Name
Events	The events associated with the offense.
Acquisition Hire
Source Updated by
OS Version	OS Version
Agent Version	Reporting Agent/Sensor Version
Usernames	The username in the event.
MAC Address	MAC Address
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Verdict
Device OU	Device's OU path in Active Directory
Caller
Parent Process MD5
Rendered HTML	The HTML content in a rendered form.
CVE ID
External Category Name
Project ID
Birthday	Person's Birthday
Email	Primary Email Address
Location Region	Location Region
CVE
SHA256	SHA256
Assigned User	Assigned User
Last Modified On
Display Name	Display Name
Detection ID
Src User	Source User
Number of similar files
Pre Nat Source IP	The source IP before NAT.
Appliance Name	Appliance name as received from the integration JSON
Resource ID
Event ID	Event ID
Item Owner
Detected Internal IPs	Detected internal IPs
EmailCampaignMutualIndicators
Error Message	The error message that contains details about the error that occurred.
Suspicious Executions Found
Dest Hostname	Destination hostname
Cloud Region List
Verification Status	The status of the user verification.
Destination IPV6	The destination IPV6 address.
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Source Category
Destination Hostname	Destination hostname
Detection URL	URL of the ExtraHop Reveal(x) detection
List Of Rules - Event	The list of rules associated to an event.
Username	The username of the account who logged in.
Surname	Surname
Vulnerability Category
Event Type	Event Type
Work Phone
Verification Method	The method used to verify the user.
User Id	User Id
Comment	The comments related with the incident
Job Code	Job Code
Report Name
Threat Hunting Detected IP
SHA1	SHA1
Endpoint
Employee Manager Email	The email address of the employee's manager.
CVE Published
Risk Score
Threat Hunting Detected Hostnames
Endpoints Details
Hunt Results Count
External Status
Ticket Closed Date
MITRE Technique Name
Source Port	The source port that was used
Resource URL
Source Status
Tactic
Assignment Group
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Password Reset Successfully	Whether the password has been successfully reset.
Tactic ID
User Engagement Response
File Name
Protocol names
Account Member Of
Sensor IP
Post Nat Destination Port	The destination port after NAT.
Password Changed Date
Application Name	Application Name
Sub Category	The sub category
Parent Process IDs
Detected External IPs	Detected external IPs
Alert Name	Alert name as received from the integration JSON
Vulnerable Product
Destination IP	The IP address the impossible traveler logged in to.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Cloud Account ID
Agent ID	Agent ID
External System ID
Mobile Device Model
Approval Status	The status for the approval of the request.
Account Name	Account Name
UUID	UUID as received from the integration JSON
Account ID
URLs
Bugtraq
Destination Network
Tool Usage Found
High Risky Hosts
Dst Ports	The destination ports of the event.
Process Creation Time
Attack Patterns
Duration
Technical Owner	The technical owner of the asset.
Dest OS	Destination OS
File Hash
High Risky Users
Block Indicators Status
Source Created By
Log Source Name	The log source name associated with the event.
IP Blocked Status
Category Count	The number of categories that are associated with the offense.
User Block Status
Email Sent Successfully	Whether the email has been successfully sent.
Endpoint Isolation Status
MITRE Tactic Name
Sensor Name
Post Nat Source Port	The source port after NAT.
Device Name	Device Name
Additional Data
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Protocol - Event	The network protocol in the event.
Mobile Phone
External Link
Attack Mode	Attack mode as received from the integration JSON
Audit Logs
Registry Key
Technical Owner Contact	The contact details for the technical owner.
CVSS
Destination Port	The destination port used.
Last Update Time
Src Ports	The source ports of the event.
Alert Attack Time
User Agent
Cloud Operation Type
Dsts	The destination values.
Exposure Level
Alert Source
Changed	The user who changed this incident
Rule Name	The name of a YARA rule
Isolated	Isolated
Closing Reason	The closing reason
Policy Severity
Similar incidents Dbot
Parent Process File Path
Src	Source
Alert ID	Alert ID as received from the integration JSON
Device Status
Follow Up	True if marked for follow up.
Item Owner Email
OutgoingMirrorError
Related Endpoints
Src NT Domain	Source NT Domain
Cost Center Code	Cost Center Code
Device Username	The username of the user that owns the device
File Path
Device External IP	Device External IP
State	State
Srcs	The source values.
Selected Indicators	Includes the indicators selected by the user.
EmailCampaignSnippets
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Additional Indicators
Policy Remediable

Incident Types

Name	Description
C2Communication
Hunt
Reconnaissance
Lateral Movement
Network
Exploit
Defacement
Policy Violation
Indicator Feed
Exfiltration
Simulation
Vulnerability
UnknownBinary
Job
Authentication
DoS

Indicator Fields

Name	Description
Org Level 2
Hostname
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Admin Phone
Signature Algorithm
Number of subkeys
Infrastructure Types
Registrant Email
Geo Country
Serial Number
Roles
Creation Date
CVE Description
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Work Phone
STIX Is Malware Family
Personal Email
CVSS3
CVSS Score
Feed Related Indicators
Reports
STIX Primary Motivation.
Validity Not After	Specifies the date on which the certificate validity period ends.
Registrar Abuse Phone
X.509 v3 Extensions
OS Version
State
Job Code	Job Code
Short Description
Processor
Org Level 3
Source Priority
Secondary Motivations
Associations	Known associations to other pieces of Threat Data.
SHA512
Service	The specific service of a feed integration from which an indicator was ingested.
File Extension
Published
Detections
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
AS Owner
Validity Not Before	Specifies the date on which the certificate validity period begins.
Org Unit
Sophistication
Campaign
Signature Authentihash
Registrant Name
Rank	Used to display rank from different sources
File Type
Subdomains
STIX Description
Report Object References	A list of STIX IDs referenced in the report.
Certificate Names
Certificate Signature
Country Name
Expiration Date
Source Original Severity	The original score/severity provided by the source without DBot translation.
Registrar Abuse Country
STIX Sophistication
Organization
Signature Description
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Registrar Name
Tool Version
Signature Copyright
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
CVSS Version
Action
City	City
Query Language
Street Address
Resource Level
Author
Implementation Languages
Organization Type
Zip Code
Domain Name
SHA1
Description
Signed
Associated File Names
CVSS Vector
Capabilities
Job Family
Report type
Location Region
Tool Types
Cost Center Code
Org Level 1
Title	Title
Organizational Unit (OU)
SHA256
Product
Country Code
Community Notes
IP Address
Username
Cost Center
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Domains
Actor
CVSS Table
Extension
Updated Date
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Office365Required
Certificate Validation Checks
Key Value
Office365ExpressRoute
Quarantined	Whether the indicator is quarantined or isolated
Architecture
STIX Tool Version
STIX Roles
MAC Address
Groups
STIX Malware Types
Domain IDN Name
SWID	Specifies the Software Identification (SWID) tags entry for the software
STIX Threat Actor Types
Port
Acquisition Hire	Whether the employee is an acquisition hire.
ASN
Subject
Whois Records
Mitre ID
Public Key
Country Code Number
Behavior
Organization Prevalence	The number of times the indicator is detected in the organization.
Name Field
Assigned user
Malware Family
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Mitre Tactics
Signature Original Name
Vulnerable Products
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Location
Primary Motivation
User ID
Processors
Given Name	Given Name
Domain Referring Subnets
Positive Detections	Number of engines that positively detected the indicator as malicious
Manager Email Address
Registrant Country
Is Processed
Detection Engines	Total number of engines that checked the indicator
Paths
Indicator Identification
Samples
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Admin Country
Registrant Phone
Domain Referring IPs
Leadership
Registrar Abuse Network
Name Servers
Vendor
Definition
Registrar Abuse Name
STIX Aliases	Alternative names used to identify this object
Is Malware Family
Size
Organization First Seen	Date and time when the indicator was first seen in the organization.
Global Prevalence	The number of times the indicator is detected across all organizations.
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Signature File Version
PEM	Certificate in PEM format.
Blocked
Mobile Phone
Category
Display Name
Email
Force Sync	Whether to force user synchronization.
Job Function
Malware types
imphash
Entry ID
Path
Memory
Threat Actor Types
Account Type
Issuer
STIX Goals
Geo Location
Region
Operating System Refs
BIOS Version
Registrar Abuse Email
Domain Status
SSDeep
Office365Category
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Registrar Abuse Address
Aliases	Alternative names used to identify this object
MD5
Certificates
Email Address
Operating System
Version
Download URL
Manager Name	Manager Name
Subject DN	Subject Distinguished Name
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Name
Applications
DNS
Issuer DN	Issuer Distinguished Name
Confidence
Tags
Admin Name
CVE Modified
Internal
Operating System Version
STIX Resource Level
Admin Email
Commands
Goals
Assigned role
DNS Records
STIX Secondary Motivations
STIX Tool Types
CVSS
Department	Department
First Seen By Source	The first time the indicator was seen by the source vendor.
Vulnerabilities
Targets
Objective
Publications
Signature Internal Name
Surname	Surname
DHCP Server
Device Model
Subject Alternative Names

Layouts

Name	Description
Campaign	Campaign Indicator Layout
Domain Indicator	Domain Indicator Layout
CVE Indicator	CVE Indicator Layout
File Indicator	File Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Tool Indicator	Tool Indicator Layout
URL Indicator	URL Indicator Layout
Infrastructure	Infrastructure Indicator Layout
ASN	ASN Indicator Layout
Mutex	Mutex indicator layout
IP Indicator	IP Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Account Indicator	Account Indicator Layout
Software	Software Indicator Layout
Location	Location indicator layout
Tactic Layout	Tactic Indicator Layout
Host Indicator	Host indicator layout
Intrusion Set	Intrusion Set Layout
Indicator Feed Incident
Course of Action	Course of Action Indicator Layout
Email Indicator	Email Indicator Layout
Malware Indicator	Malware Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
X509 Certificate	CVE Indicator Layout
Identity	Identity indicator layout
Report	Report Indicator Layout
Vulnerability Incident

Indicator Types

Name	Description
Email
Attack Pattern
ASN
Malware
File SHA-256
IPv6
Onion Address
Intrusion Set
Threat Actor
Location
Report
Software
File
File SHA-1
Course of Action
CIDR
Registry Key
Campaign
Tactic
Account
X509 Certificate
URL
IPv6CIDR
File MD5
Identity
IP
Tool
Host
Mutex
CVE
ssdeep
DomainGlob
Infrastructure
Domain

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
IP Blocked Status
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Log Source Name	The log source name associated with the event.
MITRE Tactic ID
ASN Name
IP Reputation
Last Name	Last Name
Similar incidents Dbot
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Source Priority
Affected Hosts
Device Status
Item Owner
ASN
Process Creation Time
CVE ID
Org Unit
Low Level Categories Events	The low level category of the event.
Changed	The user who changed this incident
Alert Action	Alert action as received from the integration JSON
Cloud Resource List
Device OU	Device's OU path in Active Directory
Blocked Action	Blocked Action
Parent Process Path
Source Status
Zip Code	Zip Code
SSDeep
External System ID
Sensor IP
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Vendor ID
Detected Internal Hosts	Detected internal hosts
Country Code
Closing Reason	The closing reason
String Similarity Results
Org Level 2
Additional Data
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Destination Geolocation	The destination geolocation of the event.
Source Created By
Parent Process CMD
Additional Email Addresses
Technique ID
Objective
Rule Name	The name of a YARA rule
Timezone
Original Description	The description of the incident
Error Message	The error message that contains details about the error that occurred.
Vulnerability Category
Technical Owner	The technical owner of the asset.
Closing User	The closing user.
High Risky Hosts
Region ID
Password Changed Date
Post Nat Source Port	The source port after NAT.
Mobile Device Model
Job Code	Job Code
External Confidence
Leadership
Number of Related Incidents
Account Status
Signature
User Groups
Pre Nat Source IP	The source IP before NAT.
Display Name	Display Name
Registry Value
Attack Mode	Attack mode as received from the integration JSON
Ticket Closed Date
Assignment Group
Item Owner Email
MITRE Technique Name
Resource URL
Bugtraq
Street Address
Resource Name
Isolated	Isolated
Process Paths
Identity Type
Attack Patterns
Personal Email
Policy Remediable
Referenced Resource Name
Reporter Email Address	The email address of the user who reported the email.
OS	The operating system.
Original Alert Name	Alert name as received from the integration JSON
Alert Type ID
Verification Status	The status of the user verification.
Given Name	Given Name
Event Names	The event name (translated QID ) in the event.
Employee Manager Email	The email address of the employee's manager.
Policy Type
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Approver	The person who approved or needs to approve the request.
OS Type	OS Type
Cloud Region List
Tactic ID
Detection ID
Risk Name
Source Updated by
External Last Updated Time
Country Code Number
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Email Sent Successfully	Whether the email has been successfully sent.
City
File Creation Date
List Of Rules - Event	The list of rules associated to an event.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Policy URI
Start Time	The time when the offense started.
External Status
Device Model	Device Model
RemovedFromCampaigns
User Creation Time
Device MAC Address
Last Modified On
Internal Addresses
Rating
Process CMD
File SHA1
Agent Version	Reporting Agent/Sensor Version
Raw Event	The unparsed event data.
Original Events	The events associated with the offense.
EmailCampaignCanvas
Birthday	Person's Birthday
Post Nat Destination Port	The destination port after NAT.
State	State
Asset Name
Mobile Phone
Report Name
Surname	Surname
Location	Location
Pre Nat Source Port	The source port before NAT.
External Sub Category ID
EmailCampaignSnippets
Cloud Service
Number Of Log Sources	The number of log sources related to the offense.
userAccountControl	userAccountControl
Manager Name	Manager Name
Verification Method	The method used to verify the user.
Technical Owner Contact	The contact details for the technical owner.
Sub Category	The sub category
IncomingMirrorError
Detected External IPs	Detected external IPs
Campaign Name
Subtype	Subtype
Cloud Account ID
Tenant Name	Tenant Name
Number of similar files
Destination Networks
Policy Severity
Users Details
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Custom Query Results
Vendor Product
External End Time
Tool Usage Found
Phone Number	Phone number
Detected Endpoints
sAMAccountName	User sAMAAccountName
Destination IPV6	The destination IPV6 address.
Related Alerts
Protocol names
External Category Name
User SID
App message
Error Code
High Risky Users
Status Reason
Incident Link
Classification	Incident Classification
Referenced Resource ID
Manager Email Address
Risk Rating
Command Line Verdict
User Engagement Response
Policy ID
similarIncidents
Follow Up	True if marked for follow up.
Process SHA256
Registry Value Type
app channel name
Hunt Results Count
External Start Time
CVE
Org Level 1
Source Create time
Cost Center	Cost Center
Process Names
External Category ID
CVSS
Src OS	Src OS
Project ID
Domain Name
Device Id	Device Id
Tactic
Asset ID
Event ID	Event ID
Email	Primary Email Address
Duration
Policy Details
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Endpoint Isolation Status
OutgoingMirrorError
MITRE Technique ID
Source Urgency	Source Urgency
Additional Indicators
SKU TIER
Related Report
Location Region	Location Region
End Time	The time when the offense ended.
Parent Process Name
Detection URL	URL of the ExtraHop Reveal(x) detection
Registry Key
Cloud Instance ID	Cloud Instance ID
Dest OS	Destination OS
Job Function	Job Function
User Anomaly Count
Acquisition Hire
Source External IPs
Selected Indicators	Includes the indicators selected by the user.
EmailCampaignSummary
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Operation Name
Source Category
Exposure Level
Block Indicators Status
Device OS Version
Policy Deleted
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Policy Recommendation
Log Source Type	The log source type associated with the event.
File Size	File Size
Use Case Description
Source Id
Parent Process IDs
Log Source	Log Source
CVE Published
Parent Process File Path
Application Path
Region
File Relationships
Endpoints Details
Agents ID
Category Count	The number of categories that are associated with the offense.
Device Name	Device Name
Device Time	The time from the original logging device when the event occurred.
Account ID
UUID	UUID as received from the integration JSON
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
File Hash
Pre Nat Destination Port	The destination port before NAT.
External Link
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Technical User	The technical user of the asset.
Source Geolocation	The source geolocation of the event.
Device External IPs
First Name	First Name
Affected Users
Event Descriptions	The description of the event name.
Process MD5
Process ID
Device Internal IPs
Compliance Notes	Notes regarding the assets compliance.
Detection End Time
MITRE Tactic Name
EmailCampaignMutualIndicators
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Cost Center Code	Cost Center Code
Audit Logs
Employee Display Name	The display name of the employee.
Group ID
Ticket Number
Triage SLA	The time it took to investigate and enrich incident information.
Department	Department
First Seen
Suspicious Executions
Last Seen
Full Name	Person's Full Name
Dsts	The destination values.
URLs
Team name
Account Member Of
Source Networks
Last Modified By
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Technique
SKU Name
Traffic Direction	The direction of the traffic in the event.
Is Active	Alert status
Parent Process MD5
Registry Hive
Risk Score
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Domain Updated Date
Vulnerable Product
Unique Ports
Policy Description
Related Campaign
Registration Email
Close Time	The closing time.
Caller
Domain Registrar Abuse Email
Containment SLA	The time it took to contain the incident.
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Job Family	Job Family
User Block Status
Alert Rules
Original Alert Source
Related Endpoints
Approval Status	The status for the approval of the request.
Ticket Acknowledged Date
Work Phone
Rendered HTML	The HTML content in a rendered form.
Tools
Alert tags
Password Reset Successfully	Whether the password has been successfully reset.
Resource Type
Employee Email	The email address of the employee.
Original Alert ID	Alert ID as received from the integration JSON
Post Nat Destination IP	The destination IP address after NAT.
Assigned User	Assigned User
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Scenario
Device OS Name
Suspicious Executions Found
Comment	The comments related with the incident
SHA1	SHA1
Policy Actions
Verdict
Post Nat Source IP	The source IP address after NAT.
Title	Title
Org Level 3
Last Mirrored Time Stamp	The last time the incident was mirrored in.
SHA512	SHA512
User Id	User Id
Investigation Stage	The stage of the investigation.
Last Update Time
External Sub Category Name
Alert Malicious	Whether the alert is malicious.
Escalation
External Severity
Parent Process SHA256
File Access Date
Triggered Security Profile	Triggered Security Profile
Device Hash	Device Hash

Incident Types

Name	Description
Vulnerability
Reconnaissance
Job
DoS
Lateral Movement
Defacement
Exploit
Authentication
Hunt
UnknownBinary
Network
Policy Violation
Exfiltration
C2Communication
Indicator Feed
Simulation

Indicator Fields

Name	Description
Tool Version
File Type
Tags
Last Seen By Source	The last time the indicator was seen by the Source vendor.
First Seen By Source	The first time the indicator was seen by the source vendor.
Zip Code
Office365ExpressRoute
Manager Email Address
Applications
Issuer DN	Issuer Distinguished Name
BIOS Version
Is Processed
STIX Sophistication
Number of subkeys
Category
STIX Primary Motivation.
STIX Aliases	Alternative names used to identify this object
Registrar Abuse Phone
Public Key
Manager Name	Manager Name
Signature File Version
Account Type
Country Name
Detections
Quarantined	Whether the indicator is quarantined or isolated
SHA256
Community Notes
Targets
Vulnerable Products
Email Address
Region
Behavior
Issuer
Confidence
STIX Description
Implementation Languages
Subject DN	Subject Distinguished Name
Memory
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Mitre ID
Registrar Abuse Email
Hostname
Extension
Admin Phone
Domain Status
Organization Prevalence	The number of times the indicator is detected in the organization.
Roles
Internal
Processors
Aliases	Alternative names used to identify this object
Rank	Used to display rank from different sources
Report Object References	A list of STIX IDs referenced in the report.
Vulnerabilities
Org Level 2
Job Code	Job Code
Subject Alternative Names
Objective
Source Original Severity	The original score/severity provided by the source without DBot translation.
CVSS Vector
Acquisition Hire	Whether the employee is an acquisition hire.
Serial Number
Sophistication
Registrant Phone
Entry ID
STIX Tool Types
CVSS Score
Job Family
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Domains
Name Servers
Secondary Motivations
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Description
CVSS Version
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Signature Description
DNS
Threat Actor Types
STIX Threat Actor Types
Definition
Geo Country
Organizational Unit (OU)
DHCP Server
Given Name	Given Name
Commands
Version
Signature Original Name
Associated File Names
Paths
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Location
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
User ID
Registrant Name
Query Language
CVE Modified
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Registrant Email
Device Model
Signature Internal Name
Country Code
Publications
PEM	Certificate in PEM format.
Assigned role
Download URL
Operating System Version
Cost Center
Assigned user
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Leadership
Title	Title
Positive Detections	Number of engines that positively detected the indicator as malicious
Admin Name
Certificate Names
MD5
Signature Algorithm
CVSS Table
Infrastructure Types
Name
SSDeep
Processor
Country Code Number
Key Value
STIX Secondary Motivations
Job Function
Size
STIX Malware Types
SHA1
X.509 v3 Extensions
Domain Name
Registrar Name
Vendor
Associations	Known associations to other pieces of Threat Data.
Architecture
ASN
Domain Referring IPs
Samples
STIX Resource Level
Organization First Seen	Date and time when the indicator was first seen in the organization.
Admin Country
Product
Creation Date
Work Phone
AS Owner
Registrar Abuse Name
File Extension
Signature Copyright
Certificates
Blocked
Published
Global Prevalence	The number of times the indicator is detected across all organizations.
Email
Org Level 1
Operating System
imphash
Groups
State
CVE Description
Personal Email
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Organization
Domain Referring Subnets
Validity Not After	Specifies the date on which the certificate validity period ends.
Service	The specific service of a feed integration from which an indicator was ingested.
Is Malware Family
Registrant Country
Tool Types
Primary Motivation
Source Priority
Goals
Indicator Identification
OS Version
Reports
Campaign
IP Address
Street Address
Signature Authentihash
SWID	Specifies the Software Identification (SWID) tags entry for the software
Force Sync	Whether to force user synchronization.
Signed
STIX Is Malware Family
Geo Location
Resource Level
Org Unit
Cost Center Code
Username
Office365Category
Certificate Signature
Registrar Abuse Network
Surname	Surname
Mobile Phone
CVSS3
Actor
Short Description
Action
STIX Roles
Malware types
Mitre Tactics
Certificate Validation Checks
Org Level 3
Port
Office365Required
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
DNS Records
Display Name
City	City
Whois Records
Subject
Admin Email
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Location Region
Operating System Refs
STIX Tool Version
Department	Department
Author
Report type
Name Field
Domain IDN Name
Feed Related Indicators
Malware Family
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Capabilities
Updated Date
Path
Registrar Abuse Country
CVSS
STIX Goals
Validity Not Before	Specifies the date on which the certificate validity period begins.
Organization Type
Detection Engines	Total number of engines that checked the indicator
Expiration Date
Registrar Abuse Address
Subdomains
SHA512

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
Infrastructure	Infrastructure Indicator Layout
CVE Indicator	CVE Indicator Layout
Report	Report Indicator Layout
Account Indicator	Account Indicator Layout
IP Indicator	IP Indicator Layout
URL Indicator	URL Indicator Layout
Course of Action	Course of Action Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
File Indicator	File Indicator Layout
Malware Indicator	Malware Indicator Layout
Campaign	Campaign Indicator Layout
Identity	Identity indicator layout
Intrusion Set	Intrusion Set Layout
Threat Actor	Threat Actor Indicator Layout
ASN	ASN Indicator Layout
Tool Indicator	Tool Indicator Layout
Domain Indicator	Domain Indicator Layout
Location	Location indicator layout
Email Indicator	Email Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Host Indicator	Host indicator layout
Indicator Feed Incident
Mutex	Mutex indicator layout
Software	Software Indicator Layout
Vulnerability Incident
X509 Certificate	CVE Indicator Layout
Tactic Layout	Tactic Indicator Layout

Indicator Types

Name	Description
ASN
File SHA-256
Attack Pattern
Malware
URL
Tactic
IPv6
CVE
Tool
DomainGlob
Onion Address
Identity
Intrusion Set
CIDR
X509 Certificate
IP
Mutex
Registry Key
IPv6CIDR
Report
Account
Domain
Host
Location
Software
Threat Actor
File SHA-1
File MD5
Email
ssdeep
File
Course of Action
Infrastructure
Campaign

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (57)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

3.9.7 - 5888286 (November 16, 2025)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1900707 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	November 16, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.