Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Threat Hunting Detected Hostnames
Technical Owner Contact	The contact details for the technical owner.
Location	Location
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Post Nat Source IP	The source IP address after NAT.
Ticket Number
Detected Internal Hosts	Detected internal hosts
SHA1	SHA1
app channel name
Source Create time
SSDeep
First Seen
similarIncidents
Src OS	Src OS
Src Hostname	Source hostname
Cloud Account ID
Alert Malicious	Whether the alert is malicious.
MD5	MD5
Post Nat Destination IP	The destination IP address after NAT.
Account Name	Account Name
Post Nat Source Port	The source port after NAT.
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
Policy Actions
Parent Process Path
Registry Value Type
Alert ID	Alert ID as received from the integration JSON
Rating
Cloud Region List
Use Case Description
Vendor Product
Threat Hunting Detected IP
User Engagement Response
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Ticket Opened Date
Location Region	Location Region
Full Name	Person's Full Name
Report Name
Endpoint Isolation Status
Similar incidents Dbot
Closing User	The closing user.
City
User Block Status
Detected External Hosts	Detected external hosts
Agent Version	Reporting Agent/Sensor Version
Domain Name
Approval Status	The status for the approval of the request.
Block Indicators Status
Account Status
Domain Updated Date
Number of Related Incidents
Destination Hostname	Destination hostname
Detection URL	URL of the ExtraHop Reveal(x) detection
Alert Rules
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Registry Key
Destination IPV6	The destination IPV6 address.
User Anomaly Count
External System ID
CVSS
Command Line	Command Line
Acquisition Hire
Event Type	Event Type
Surname	Surname
Event Names	The event name (translated QID ) in the event.
Related Report
External Sub Category Name
ASN Name
Protocol	Protocol
Parent Process File Path
Email Sent Successfully	Whether the email has been successfully sent.
Scenario
Domain Registrar Abuse Email
Dest OS	Destination OS
File Paths
File Path
Technical User	The technical user of the asset.
Personal Email
UUID	UUID as received from the integration JSON
Blocked Action	Blocked Action
Registry Hive
Application Name	Application Name
Birthday	Person's Birthday
Agent ID	Agent ID
Source Created By
App message
Subtype	Subtype
Source Port	The source port that was used
Item Owner Email
Device Id	Device Id
RemovedFromCampaigns
CVE ID
Destination IPs	The destination IPs of the event.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Is Active	Alert status
Job Code	Job Code
Device Model	Device Model
Device Username	The username of the user that owns the device
Additional Data
Categories	The categories for the incident.
Endpoints Details
Tool Usage Found
Process Path
Alert Category	The category of the alert
String Similarity Results
Detected External IPs	Detected external IPs
Cost Center	Cost Center
Org Level 3
Low Level Categories Events	The low level category of the event.
High Risky Hosts
App
Start Time	The time when the offense started.
IP Reputation
External Start Time
Dest NT Domain	Destination NT Domain
Country Name	Country Name
File Access Date
Alert Source
Related Alerts
Command Line Verdict
Detected Users	Detected users
Escalation
Cost Center Code	Cost Center Code
Password Reset Successfully	Whether the password has been successfully reset.
Changed	The user who changed this incident
Verdict
Source Updated by
Device Local IP	Device Local IP
Vulnerability Category
Policy Type
Policy ID
Org Unit
Destination Network
Process Paths
Alert Type ID
Destination Port	The destination port used.
Device Status
Device OS Name
Reporter Email Address	The email address of the user who reported the email.
Source Geolocation	The source geolocation of the event.
Policy URI
Suspicious Executions Found
External Confidence
Error Code
External End Time
Group ID
Policy Description
Agents ID
Process ID
External Status
Follow Up	True if marked for follow up.
Resource Name
Users
SHA512	SHA512
Country Code
Application Path
Assigned User	Assigned User
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Tactic
Events	The events associated with the offense.
Affected Users
Source Hostname	The hostname that performed the port scan.
Usernames	The username in the event.
IP Blocked Status
Work Phone
Technical Owner	The technical owner of the asset.
Registration Email
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Device External IP	Device External IP
Item Owner
Campaign Name
Source External IPs
MITRE Technique Name
Device Name	Device Name
Technique ID
EmailCampaignSummary
Device OS Version
Device Time	The time from the original logging device when the event occurred.
Pre Nat Source Port	The source port before NAT.
Suspicious Executions
Classification	Incident Classification
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Source IPV6	The source IPV6 address.
Sub Category	The sub category
End Time	The time when the offense ended.
Ticket Closed Date
Appliance ID	Appliance ID as received from the integration JSON
Hunt Results Count
Cloud Service
Event Descriptions	The description of the event name.
Src User	Source User
Internal Addresses
Org Level 2
User Groups
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Number Of Log Sources	The number of log sources related to the offense.
Department	Department
Detection End Time
Dest	Destination
Exposure Level
Street Address
Job Family	Job Family
sAMAccountName	User sAMAAccountName
Protocols
File Creation Date
Timezone
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
File Size	File Size
Parent CMD line
Device External IPs
Log Source	Log Source
Resource Type
Last Update Time
Description	The description of the incident
Rule Name	The name of a YARA rule
Objective
Username	The username of the account who logged in.
External Sub Category ID
Affected Hosts
Bugtraq
Source Id
MITRE Tactic ID
Process Creation Time
Child Process
Approver	The person who approved or needs to approve the request.
Number of similar files
Manager Email Address
Alert URL	Alert URL as received from the integration JSON
Investigation Stage	The stage of the investigation.
Rendered HTML	The HTML content in a rendered form.
Employee Email	The email address of the employee.
Given Name	Given Name
OutgoingMirrorError
Risk Score
External Last Updated Time
Isolated	Isolated
Post Nat Destination Port	The destination port after NAT.
Alert Action	Alert action as received from the integration JSON
Event ID	Event ID
Last Modified On
User Agent
Registry Value
Country Code Number
Device Hash	Device Hash
Appliance Name	Appliance name as received from the integration JSON
High Level Categories	The high level categories in the events.
First Name	First Name
Unique Ports
File Name
Process SHA256
Policy Remediable
Sensor IP
External Category Name
List Of Rules - Event	The list of rules associated to an event.
ASN
Asset Name
Verification Method	The method used to verify the user.
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Resource URL
Detection Update Time
Parent Process MD5
Destination Geolocation	The destination geolocation of the event.
SHA256	SHA256
Cloud Resource List
Tags
Pre Nat Source IP	The source IP before NAT.
Tenant Name	Tenant Name
High Risky Users
Identity Type
Containment SLA	The time it took to contain the incident.
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
MITRE Tactic Name
Operation Name
Category Count	The number of categories that are associated with the offense.
Vulnerable Product
Last Modified By
Dest Hostname	Destination hostname
Hostnames	The hostname in the event.
Caller
Triggered Security Profile	Triggered Security Profile
Log Source Name	The log source name associated with the event.
Source Networks
Asset ID
File MD5
Parent Process
User Id	User Id
Related Endpoints
Alert tags
Policy Details
Device Internal IPs
Related Campaign
Destination IP	The IP address the impossible traveler logged in to.
Users Details
Detected Endpoints
OS Type	OS Type
Log Source Type	The log source type associated with the event.
Number Of Found Related Alerts	Medium or Higher Severity Alerts
IncomingMirrorError
Zip Code	Zip Code
Detected IPs
Technique
CVE
Project ID
External Severity
Process Names
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Country	The country from which the user logged in.
Source IPs	The source IPs of the event.
Tools
Status Reason
Parent Process SHA256
Srcs	The source values.
External Category ID
Alert Name	Alert name as received from the integration JSON
Verification Status	The status of the user verification.
EmailCampaignCanvas
Source Network
Title	Title
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Cloud Operation Type
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
userAccountControl	userAccountControl
Detected Internal IPs	Detected internal IPs
MAC Address	MAC Address
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Error Message	The error message that contains details about the error that occurred.
DNS Name	The DNS name of the asset.
Detection ID
Leadership
OS Version	OS Version
Duration
Password Changed Date
Referenced Resource Name
Source Priority
Close Time	The closing time.
Src NT Domain	Source NT Domain
Referenced Resource ID
Mobile Device Model
CMD line
EmailCampaignSnippets
SKU TIER
Alert Attack Time
Detected User
External Addresses
Process MD5
Source Urgency	Source Urgency
Destination MAC Address	The destination MAC address in an event.
Additional Indicators
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Cloud Instance ID	Cloud Instance ID
Account ID
Compliance Notes	Notes regarding the assets compliance.
Attack Patterns
Selected Indicators	Includes the indicators selected by the user.
Src Ports	The source ports of the event.
Endpoint
Protocol names
Risk Name
CVE Published
Traffic Direction	The direction of the traffic in the event.
Additional Email Addresses
Parent Process Name
Process Name
Employee Display Name	The display name of the employee.
Risk Rating
Comment	The comments related with the incident
Source Category
File Hash
Triage SLA	The time it took to investigate and enrich incident information.
State	State
File Names
File SHA1
Dsts	The destination values.
Policy Recommendation
Sensor Name
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Manager Name	Manager Name
URLs
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Custom Query Results
Source IP	The IP Address that the user initially logged in from.
SKU Name
Job Function	Job Function
Pre Nat Destination Port	The destination port before NAT.
Src	Source
Raw Event	The unparsed event data.
Incident Link
Parent Process IDs
Tactic ID
File SHA256
Last Seen
Org Level 1
Device OU	Device's OU path in Active Directory
Dst Ports	The destination ports of the event.
Process CMD
Device MAC Address
Region ID
Policy Deleted
Account Member Of
Ticket Acknowledged Date
Signature
Resource ID
Closing Reason	The closing reason
Source Status
External ID
Phone Number	Phone number
Source Username	The username that was the source of the attack.
External Link
Parent Process CMD
Last Name	Last Name
File Relationships
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Policy Severity
User SID
CMD
MITRE Technique ID
Vendor ID
Email	Primary Email Address
Assignment Group
Employee Manager Email	The email address of the employee's manager.
Source MAC Address	The source MAC address in an event.
Protocol - Event	The network protocol in the event.
Destination Networks
User Creation Time
OS	The operating system.
Display Name	Display Name
User Risk Level
Team name
Attack Mode	Attack mode as received from the integration JSON
Application Id	Application Id
Mobile Phone
EmailCampaignMutualIndicators
Region
PID	PID

Incident Types

Name	Description
Lateral Movement
Simulation
UnknownBinary
Authentication
Exploit
Reconnaissance
Vulnerability
Indicator Feed
Hunt
DoS
Network
Job
Defacement
C2Communication
Exfiltration
Policy Violation

Indicator Fields

Name	Description
Org Unit
Org Level 1
DHCP Server
CVE Modified
Goals
Admin Country
Subject
DNS Records
STIX Secondary Motivations
Blocked
Work Phone
Service	The specific service of a feed integration from which an indicator was ingested.
CVSS Score
Key Value
Primary Motivation
Campaign
STIX Is Malware Family
Version
SHA256
User ID
X.509 v3 Extensions
Groups
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Malware Family
Applications
Definition
Size
Validity Not After	Specifies the date on which the certificate validity period ends.
Whois Records
Registrar Abuse Network
PEM	Certificate in PEM format.
Memory
Tool Version
Path
STIX Roles
Given Name	Given Name
CVSS
CVSS3
Country Name
Number of subkeys
Email Address
Query Language
Is Processed
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Quarantined	Whether the indicator is quarantined or isolated
Signature Algorithm
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
STIX Primary Motivation.
Manager Name	Manager Name
Positive Detections	Number of engines that positively detected the indicator as malicious
Office365ExpressRoute
Detections
Domain Status
Signature Copyright
Extension
Department	Department
Subdomains
Processor
Organizational Unit (OU)
Short Description
File Extension
Subject Alternative Names
BIOS Version
Resource Level
AS Owner
Processors
Country Code Number
Signed
Public Key
DNS
Personal Email
STIX Tool Types
Objective
Leadership
Vulnerable Products
SWID	Specifies the Software Identification (SWID) tags entry for the software
Name Field
State
Office365Category
Vendor
Operating System Version
Acquisition Hire	Whether the employee is an acquisition hire.
Targets
STIX Tool Version
Paths
imphash
Certificate Signature
STIX Description
IP Address
Implementation Languages
Issuer DN	Issuer Distinguished Name
Tags
Signature Internal Name
Source Priority
Registrar Abuse Address
Subject DN	Subject Distinguished Name
Domain Referring IPs
Samples
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Threat Actor Types
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Actor
CVSS Table
Account Type
Admin Phone
Job Function
Certificate Names
CVSS Vector
Product
First Seen By Source	The first time the indicator was seen by the source vendor.
MD5
Cost Center
Title	Title
Behavior
City	City
Operating System
STIX Threat Actor Types
Job Family
Download URL
Updated Date
Domain Referring Subnets
CVSS Version
Location Region
Domain IDN Name
STIX Sophistication
Street Address
Roles
Organization
Signature File Version
Geo Country
Region
Mitre ID
Office365Required
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Admin Name
Registrar Abuse Name
Tool Types
Report Object References	A list of STIX IDs referenced in the report.
Malware types
Registrar Abuse Country
Serial Number
Surname	Surname
STIX Resource Level
Country Code
Name Servers
SHA1
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Source Original Severity	The original score/severity provided by the source without DBot translation.
Name
Organization Type
Domain Name
SHA512
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Email
Community Notes
Feed Related Indicators
Architecture
Force Sync	Whether to force user synchronization.
Sophistication
Admin Email
File Type
ASN
Location
Author
Registrar Abuse Phone
Commands
STIX Malware Types
Signature Authentihash
Domains
Org Level 2
Signature Description
Assigned role
Job Code	Job Code
Description
Manager Email Address
Signature Original Name
Registrar Abuse Email
Certificates
SSDeep
Expiration Date
Secondary Motivations
STIX Aliases	Alternative names used to identify this object
STIX Goals
Registrant Country
Internal
Reports
Infrastructure Types
Entry ID
Registrar Name
Aliases	Alternative names used to identify this object
Port
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Creation Date
Report type
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Is Malware Family
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Associated File Names
Org Level 3
Mobile Phone
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Registrant Name
Registrant Email
Vulnerabilities
Display Name
Hostname
CVE Description
Rank	Used to display rank from different sources
Device Model
Capabilities
Action
Mitre Tactics
Indicator Identification
Published
Certificate Validation Checks
Confidence
Assigned user
Geo Location
Publications
Detection Engines	Total number of engines that checked the indicator
Zip Code
Validity Not Before	Specifies the date on which the certificate validity period begins.
Issuer
Username
Associations	Known associations to other pieces of Threat Data.
Cost Center Code
MAC Address
Category
Operating System Refs
OS Version
Registrant Phone

Layouts

Name	Description
Threat Actor	Threat Actor Indicator Layout
Intrusion Set	Intrusion Set Layout
Tool Indicator	Tool Indicator Layout
URL Indicator	URL Indicator Layout
Course of Action	Course of Action Indicator Layout
Report	Report Indicator Layout
IP Indicator	IP Indicator Layout
Domain Indicator	Domain Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Mutex	Mutex indicator layout
Email Indicator	Email Indicator Layout
X509 Certificate	CVE Indicator Layout
Software	Software Indicator Layout
File Indicator	File Indicator Layout
ASN	ASN Indicator Layout
Identity	Identity indicator layout
Account Indicator	Account Indicator Layout
Vulnerability Incident
Attack Pattern	Attack Pattern Indicator Layout
Host Indicator	Host indicator layout
Campaign	Campaign Indicator Layout
CVE Indicator	CVE Indicator Layout
Malware Indicator	Malware Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Indicator Feed Incident
Location	Location indicator layout

Indicator Types

Name	Description
Campaign
Software
Onion Address
ssdeep
Threat Actor
Tool
Infrastructure
IPv6
Location
Intrusion Set
DomainGlob
ASN
File
X509 Certificate
Malware
Report
File MD5
Email
Domain
IPv6CIDR
Identity
Host
CIDR
Course of Action
Registry Key
File SHA-256
Attack Pattern
URL
Account
IP
Mutex
CVE
File SHA-1

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Device Id	Device Id
Group ID
URLs
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
OS	The operating system.
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Org Level 3
External Status
Policy Description
Source Category
First Seen
Region
Employee Display Name	The display name of the employee.
User Id	User Id
Alert Rules
Vendor ID
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Category Count	The number of categories that are associated with the offense.
Tactic ID
Ticket Closed Date
Exposure Level
User Groups
Domain Updated Date
Device Model	Device Model
User Block Status
Close Time	The closing time.
Subtype	Subtype
Street Address
Timezone
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Resource URL
Account Member Of
Scenario
Asset ID
External Category ID
Device OS Name
High Risky Hosts
Last Update Time
Phone Number	Phone number
Device Status
Device Name	Device Name
Technical User	The technical user of the asset.
EmailCampaignMutualIndicators
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Job Function	Job Function
Ticket Number
Parent Process SHA256
UUID	UUID as received from the integration JSON
Endpoint Isolation Status
Alert Type ID
Vendor Product
Source Updated by
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Ticket Acknowledged Date
Device MAC Address
OS Type	OS Type
Device Internal IPs
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Number of Related Incidents
Sub Category	The sub category
userAccountControl	userAccountControl
Display Name	Display Name
Raw Event	The unparsed event data.
Parent Process File Path
Source Geolocation	The source geolocation of the event.
Email Sent Successfully	Whether the email has been successfully sent.
Vulnerable Product
Parent Process CMD
Project ID
Given Name	Given Name
EmailCampaignSnippets
Device External IPs
External Last Updated Time
Last Seen
Similar incidents Dbot
Device OS Version
Assigned User	Assigned User
Pre Nat Destination Port	The destination port before NAT.
File Hash
Leadership
Resource Type
Registry Key
App message
Verification Status	The status of the user verification.
Policy URI
Post Nat Source Port	The source port after NAT.
Risk Score
Internal Addresses
IncomingMirrorError
Tool Usage Found
Acquisition Hire
Post Nat Destination Port	The destination port after NAT.
MITRE Tactic ID
Rule Name	The name of a YARA rule
Detection ID
Password Reset Successfully	Whether the password has been successfully reset.
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Additional Data
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Cloud Instance ID	Cloud Instance ID
First Name	First Name
External Confidence
External Sub Category Name
Item Owner
Process ID
Additional Email Addresses
Surname	Surname
Containment SLA	The time it took to contain the incident.
Item Owner Email
User Anomaly Count
Detection URL	URL of the ExtraHop Reveal(x) detection
Dsts	The destination values.
Work Phone
Original Alert Source
Password Changed Date
Event ID	Event ID
Start Time	The time when the offense started.
Country Code
EmailCampaignCanvas
Policy Deleted
OutgoingMirrorError
Pre Nat Source Port	The source port before NAT.
Escalation
Employee Manager Email	The email address of the employee's manager.
Agent Version	Reporting Agent/Sensor Version
Assignment Group
Reporter Email Address	The email address of the user who reported the email.
Job Family	Job Family
Original Events	The events associated with the offense.
Process Creation Time
Last Modified On
Classification	Incident Classification
Policy ID
Manager Name	Manager Name
External Category Name
Detection End Time
File Access Date
Team name
CVE Published
Suspicious Executions
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
External Severity
Mobile Phone
Policy Details
Parent Process MD5
Related Alerts
Job Code	Job Code
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Verdict
Department	Department
External Link
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Report Name
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
User Engagement Response
State	State
app channel name
Log Source Type	The log source type associated with the event.
Approver	The person who approved or needs to approve the request.
Referenced Resource ID
CVSS Availability Requirement	The CVSS availability requirement for the asset.
ASN Name
Manager Email Address
Policy Actions
Application Path
Device Time	The time from the original logging device when the event occurred.
String Similarity Results
Objective
City
SSDeep
Src OS	Src OS
Status Reason
CVE
Closing Reason	The closing reason
Compliance Notes	Notes regarding the assets compliance.
Agents ID
Process Names
Mobile Device Model
similarIncidents
Device Hash	Device Hash
Number of similar files
Tools
User SID
External End Time
Cloud Region List
Domain Registrar Abuse Email
File Relationships
Process Paths
Employee Email	The email address of the employee.
Source External IPs
Last Name	Last Name
CVSS
Risk Rating
Approval Status	The status for the approval of the request.
Asset Name
Location	Location
Cost Center	Cost Center
Rendered HTML	The HTML content in a rendered form.
Cloud Account ID
Zip Code	Zip Code
Policy Remediable
Source Status
Attack Mode	Attack mode as received from the integration JSON
Personal Email
Process CMD
Triage SLA	The time it took to investigate and enrich incident information.
Cost Center Code	Cost Center Code
Process SHA256
Account Status
Campaign Name
External System ID
Affected Hosts
Cloud Service
End Time	The time when the offense ended.
Policy Recommendation
IP Reputation
Alert tags
Birthday	Person's Birthday
Country Code Number
IP Blocked Status
Command Line Verdict
Detected Internal Hosts	Detected internal hosts
List Of Rules - Event	The list of rules associated to an event.
Source Id
Technical Owner Contact	The contact details for the technical owner.
SKU TIER
Account ID
Org Unit
Signature
CVE ID
Dest OS	Destination OS
Referenced Resource Name
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Device OU	Device's OU path in Active Directory
Related Endpoints
Risk Name
Unique Ports
Destination Networks
Comment	The comments related with the incident
Detected External IPs	Detected external IPs
SHA512	SHA512
Is Active	Alert status
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Region ID
RemovedFromCampaigns
EmailCampaignSummary
Technique
Bugtraq
Last Modified By
Post Nat Destination IP	The destination IP address after NAT.
Technical Owner	The technical owner of the asset.
Registry Hive
sAMAccountName	User sAMAAccountName
Operation Name
MITRE Tactic Name
Duration
Number Of Log Sources	The number of log sources related to the offense.
Isolated	Isolated
Domain Name
Technique ID
Sensor IP
Additional Indicators
Parent Process Path
Org Level 2
Cloud Resource List
Suspicious Executions Found
Users Details
MITRE Technique ID
Location Region	Location Region
Source Priority
SHA1	SHA1
Original Alert ID	Alert ID as received from the integration JSON
Pre Nat Source IP	The source IP before NAT.
Attack Patterns
Source Created By
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Resource Name
Custom Query Results
Log Source Name	The log source name associated with the event.
Selected Indicators	Includes the indicators selected by the user.
MITRE Technique Name
File Creation Date
Policy Type
Post Nat Source IP	The source IP address after NAT.
Source Urgency	Source Urgency
Endpoints Details
Related Report
Incident Link
High Risky Users
Original Alert Name	Alert name as received from the integration JSON
User Creation Time
External Start Time
Protocol names
Triggered Security Profile	Triggered Security Profile
Rating
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Changed	The user who changed this incident
Policy Severity
Event Names	The event name (translated QID ) in the event.
Parent Process Name
File Size	File Size
External Sub Category ID
Vulnerability Category
Traffic Direction	The direction of the traffic in the event.
Original Description	The description of the incident
Alert Malicious	Whether the alert is malicious.
Full Name	Person's Full Name
Detected Endpoints
Affected Users
Error Message	The error message that contains details about the error that occurred.
Email	Primary Email Address
Source Create time
Source Networks
Identity Type
Follow Up	True if marked for follow up.
Related Campaign
Process MD5
Destination IPV6	The destination IPV6 address.
Error Code
File SHA1
Registry Value Type
Use Case Description
Parent Process IDs
Blocked Action	Blocked Action
Org Level 1
Closing User	The closing user.
Event Descriptions	The description of the event name.
Tenant Name	Tenant Name
Title	Title
Tactic
SKU Name
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Destination Geolocation	The destination geolocation of the event.
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Caller
Log Source	Log Source
Hunt Results Count
Registration Email
ASN
Alert Action	Alert action as received from the integration JSON
Low Level Categories Events	The low level category of the event.
Block Indicators Status
Verification Method	The method used to verify the user.
Registry Value
Investigation Stage	The stage of the investigation.

Incident Types

Name	Description
Policy Violation
Hunt
C2Communication
Network
Indicator Feed
Exploit
UnknownBinary
DoS
Authentication
Vulnerability
Exfiltration
Simulation
Lateral Movement
Job
Reconnaissance
Defacement

Indicator Fields

Name	Description
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Country Name
Country Code Number
Download URL
Leadership
Whois Records
CVSS
Campaign
Groups
Source Priority
Processor
Office365Category
Subject Alternative Names
Threat Actor Types
Resource Level
Geo Country
Signature Algorithm
Operating System Refs
Organizational Unit (OU)
Tags
Mitre Tactics
Registrar Abuse Address
Is Processed
STIX Resource Level
STIX Is Malware Family
Primary Motivation
Size
Detections
SWID	Specifies the Software Identification (SWID) tags entry for the software
Office365Required
First Seen By Source	The first time the indicator was seen by the source vendor.
Capabilities
Issuer
CVSS Version
Vendor
CVSS3
Internal
Admin Name
Geo Location
OS Version
Registrar Abuse Country
Service	The specific service of a feed integration from which an indicator was ingested.
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Assigned user
Samples
Paths
Domains
STIX Primary Motivation.
Name Servers
Region
Registrar Abuse Name
DNS
Last Seen By Source	The last time the indicator was seen by the Source vendor.
CVE Modified
Department	Department
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Mobile Phone
DHCP Server
Org Unit
Org Level 3
AS Owner
Signature Original Name
Actor
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Manager Name	Manager Name
Country Code
DNS Records
Objective
Acquisition Hire	Whether the employee is an acquisition hire.
Name Field
Port
Username
Positive Detections	Number of engines that positively detected the indicator as malicious
Registrar Abuse Network
Public Key
Extension
File Extension
Location
Commands
Given Name	Given Name
Issuer DN	Issuer Distinguished Name
Organization
Source Original Severity	The original score/severity provided by the source without DBot translation.
STIX Threat Actor Types
Job Family
Is Malware Family
Assigned role
Sophistication
Confidence
Vulnerabilities
Operating System Version
Signature Internal Name
Implementation Languages
Creation Date
STIX Tool Types
Domain Status
Architecture
Expiration Date
STIX Tool Version
City	City
Registrant Email
SHA256
Infrastructure Types
Subject
STIX Roles
Registrant Name
Malware types
Report Object References	A list of STIX IDs referenced in the report.
Action
Registrant Country
Tool Version
Certificate Validation Checks
Cost Center Code
STIX Sophistication
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
CVE Description
Associated File Names
Admin Email
Product
IP Address
Domain Referring Subnets
Rank	Used to display rank from different sources
Registrar Abuse Email
Device Model
Key Value
Vulnerable Products
Cost Center
Admin Phone
Surname	Surname
Certificates
Office365ExpressRoute
Goals
Malware Family
Account Type
Registrant Phone
Roles
Aliases	Alternative names used to identify this object
User ID
Org Level 2
Version
Indicator Identification
imphash
STIX Secondary Motivations
Domain Referring IPs
Manager Email Address
Email Address
Registrar Name
Secondary Motivations
Operating System
Mitre ID
Validity Not After	Specifies the date on which the certificate validity period ends.
Domain IDN Name
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Work Phone
Number of subkeys
State
Description
Feed Related Indicators
Certificate Signature
Memory
CVSS Score
Organization Type
BIOS Version
CVSS Vector
Display Name
ASN
Publications
Quarantined	Whether the indicator is quarantined or isolated
Zip Code
Reports
Name
Signature Copyright
Entry ID
Category
Validity Not Before	Specifies the date on which the certificate validity period begins.
Location Region
Certificate Names
SHA512
Updated Date
Subdomains
Short Description
Community Notes
Associations	Known associations to other pieces of Threat Data.
Query Language
Serial Number
Detection Engines	Total number of engines that checked the indicator
Processors
Definition
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Targets
Path
Signature Authentihash
File Type
Title	Title
STIX Goals
STIX Description
STIX Malware Types
Job Code	Job Code
Published
X.509 v3 Extensions
Author
Job Function
Tool Types
MD5
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Applications
Email
Personal Email
STIX Aliases	Alternative names used to identify this object
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Admin Country
Registrar Abuse Phone
Domain Name
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Hostname
Report type
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Blocked
Street Address
CVSS Table
Subject DN	Subject Distinguished Name
Signature Description
SHA1
Force Sync	Whether to force user synchronization.
Signed
PEM	Certificate in PEM format.
Org Level 1
Signature File Version
Behavior
SSDeep

Layoutrule

Name	Description
Indicator Feed Layout Rule
Vulnerability Layout Rule

Layouts

Name	Description
X509 Certificate	CVE Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
CVE Indicator	CVE Indicator Layout
Vulnerability Incident
Report	Report Indicator Layout
File Indicator	File Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Course of Action	Course of Action Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Intrusion Set	Intrusion Set Layout
URL Indicator	URL Indicator Layout
Malware Indicator	Malware Indicator Layout
Location	Location indicator layout
Campaign	Campaign Indicator Layout
Indicator Feed Incident
Mutex	Mutex indicator layout
Host Indicator	Host indicator layout
ASN	ASN Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Email Indicator	Email Indicator Layout
Tool Indicator	Tool Indicator Layout
Account Indicator	Account Indicator Layout
Identity	Identity indicator layout
Domain Indicator	Domain Indicator Layout
IP Indicator	IP Indicator Layout
Software	Software Indicator Layout

Indicator Types

Name	Description
Infrastructure
Email
Identity
Software
X509 Certificate
ssdeep
URL
IPv6CIDR
IPv6
Report
File SHA-256
Host
CIDR
DomainGlob
Attack Pattern
Tool
Mutex
File
Account
Location
Threat Actor
File MD5
Malware
IP
CVE
Registry Key
Intrusion Set
Campaign
File SHA-1
ASN
Course of Action
Domain
Onion Address

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (56)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.5.22 - 1491068 (October 10, 2024)

Indicator Fields

New: Query Language

New Field (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 36582

Download

3.5.21 - 1448088 (September 29, 2024)

Incident Fields

Title
Added support for incident type Netskope DLP Incident.

Related pull requests:
- 36537
- 36351

Download

3.5.20 - 1445410 (September 29, 2024)

Indicator Fields

New: Product

Created a new indicator field.

Publications

Updated the grid field column widths for better readability.

New: Definition

Created a new indicator field.

Related pull requests:
- 35496

Download

3.5.19 - 1434344 (September 25, 2024)

Indicator Types

Onion Address
Fixed an issues with the type regex not working correctly.

Related pull requests:
- 36221

Download

3.5.18 - 1419889 (September 23, 2024)

Incident Fields

Last Modified On
Made available to IBM QRadar SOAR Incident.
Zip Code
Made available to IBM QRadar SOAR Incident.
City
Made available to IBM QRadar SOAR Incident.
Street Address
Made available to IBM QRadar SOAR Incident.

Related pull requests:
- 35286

Download

3.5.17 - 1398165 (September 17, 2024)

Indicator Fields

Validity Not Before

Updated the field adding a description to it.

Validity Not After

Updated the field adding a description to it.

Related pull requests:
- 36350

Download

3.5.16 - 1370357 (September 11, 2024)

Layouts

File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.

Related pull requests:
- 36021

Download

3.5.15 - 1358619 (September 8, 2024)

Indicator Types

IP
Fixed an issue where the ASOwner field was incorrectly mapped to URL.ASOwner instead of IP.ASOwner in context.

Related pull requests:
- 36046
- 36158

Download

3.5.14 - 1340401 (September 3, 2024)

Incident Fields

External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.

Related pull requests:
- 35794

Download

3.5.13 - 1300648 (August 22, 2024)

Indicator Types

URL
Updated the URL regex to allow for a URL with a user:pass combo.

Related pull requests:
- 35960

Download

3.5.12 - 1284734 (August 18, 2024)

Layouts

File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)

Related pull requests:
- 35705

Download

3.5.11 - 1234417 (August 1, 2024)

Indicator Fields

Primary Motivation

Added Threat Actor as an associated type.

Related pull requests:
- 35649
- 35716

Download

3.5.10 - 1200812 (July 22, 2024)

Incident Fields

New: RemovedFromCampaigns
New: RemovedFromCampaigns

Related pull requests:
- 34642

Download

3.5.9 - R1189290 (July 18, 2024)

Incident Fields

Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.

Related pull requests:
- 34900

Download

3.5.8 - 1170213 (July 11, 2024)

Incident Fields

Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.

Related pull requests:
- 34805

Download

3.5.7 - 1169083 (July 11, 2024)

Indicator Types

IPv6
Updated the regex to capture an extra character before the IPv6 (Handled by the formatter).

Related pull requests:
- 35279

Download

3.5.6 - 1143998 (July 3, 2024)

Incident Fields

New: External Last Updated Time
New: External Last Updated Time.

Related pull requests:
- 35004

Download

3.5.5 - 1082615 (June 10, 2024)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

3.5.4 - 1061293 (June 2, 2024)

Indicator Types

Email

Related pull requests:
- 33924

Download

3.5.3 - 1021616 (May 16, 2024)

Indicator Fields

Kill Chain Phases
- Added a missing phase, Resource Development, to multi-select list

Related pull requests:
- 33786

Download

3.5.2 - 998827 (May 6, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Indicator Fields

Author

Related pull requests:
- 33839

Download

3.5.0 - 995825 (May 5, 2024)

Incident Fields

New: Registration Email
New: Domain Updated Date
New: Domain Registrar Abuse Email

Related pull requests:
- 32924

Download

3.4.10 - 951066 (April 11, 2024)

Incident Fields

Policy Type
New: CVE ID
New: Resource URL
New: User Anomaly Count
New: CVE Published
Policy Recommendation
New: Vulnerable Product
New: Alert Rules

Related pull requests:
- 33781

Download

3.4.9 - 948301 (April 10, 2024)

Incident Fields

Compliance Notes - Added the Prisma Cloud Compute Compliance v2 incident type as an associated types.

Related pull requests:
- 32936

Download

3.4.8 - 927547 (April 1, 2024)

Indicator Types

URL
Updated the regex to capture URLs with commas.

Related pull requests:
- 33688

Download

3.4.7 - 904622 (March 20, 2024)

Incident Fields

Containment SLA
- Updated to be searchable
Incident Duration
- Updated to be searchable
Triage SLA
- Updated to be searchable

Indicator Fields

New: Number of subkeys
New: Samples

Related pull requests:
- 33419

Download

3.4.5 - 882064 (March 11, 2024)

Incident Fields

New: Additional Email Addresses

Related pull requests:
- 33129

Download

3.4.4 - 870683 (March 5, 2024)

Indicator Fields

New: Subject
New: Issuer
New: Certificate Names
New: Validity Not Before
New: PEM
New: Certificate Signature
New: Extension
New: X.509 v3 Extensions
New: Certificate Validation Checks
New: Issuer DN
New: SPKI SHA256
New: Validity Not After
New: Serial Number
New: Signature Algorithm
New: Public Key
New: Subject Alternative Names
New: Domains
New: Subject DN

Layouts

New: X509 Certificate
layout for the new X509 indicator type (Available from Cortex XSOAR 6.0.0).

Related pull requests:
- 31341

Download

3.4.3 - 865088 (March 3, 2024)

Incident Fields

New: Alert tags
New: User Risk Level

Related pull requests:
- 32470

Download

3.4.2 - 860237 (February 29, 2024)

Incident Fields

Added the CrowdStrike Falcon Mobile Detection incident type to the following incident fields:

Email
Detection ID
Last Update Time
Vendor Product
Display Name

Related pull requests:
- 33072

Download

3.4.1 - R828628 (February 14, 2024)

Indicator Types

URL
Fixed an issue with the regex not capturing quoted slashes.

Related pull requests:
- 32719

Download

3.4.0 - 778227 (January 22, 2024)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

3.3.99 - 764361 (January 15, 2024)

Indicator Fields

Blocked

Related pull requests:
- 32218

Download

3.3.98 - 737854 (January 2, 2024)

Incident Fields

New: Status Reason

Related pull requests:
- 31187

Download

3.3.97 - 729445 (January 1, 2024)

Indicator Types

IPv6
Updated IPv6 regex for better performance and to avoid MAC addresses.

Related pull requests:
- 31686

Download

3.3.96 - 716847 (December 25, 2023)

Indicator Fields

New: Signature Original Name

Related pull requests:
- 31587

Download

3.3.95 - 7087775 (December 6, 2023)

Incident Fields

New: Last Mirrored Time Stamp

Related pull requests:
- 31251

Download

3.3.94 - 7061914 (December 4, 2023)

Incident Fields

Added the Cyberint incident type to the following incident fields:

Last Update Time

Related pull requests:
- 31252
- 30493
- 25523

Download

3.3.93 - 6992191 (November 26, 2023)

Incident Fields

External Severity
Updated the field to be searchable in XSOAR.

Related pull requests:
- 31109

Download

3.3.92 - 6955725 (November 21, 2023)

Incident Fields

Threat Name
Updated the field to be searchable.

Related pull requests:
- 30949
- 31006

Download

3.3.91 - 6932727 (November 19, 2023)

Incident Fields

New: Report Name
New: Tool Usage Found
New: Suspicious Executions Found
New: Affected Users
New: Users Details
New: Custom Query Results
New: Affected Hosts
New: Tools
New: Block Indicators Status
New: String Similarity Results
New: Related Alerts
New: Campaign Name
New: Attack Patterns
New: Suspicious Executions
New: Endpoints Details

Layouts

Intrusion Set
Added the 'Execute Intrusion Set Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Campaign
Added the 'Execute Campaign Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Malware Indicator
Added the 'Execute Malware Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.

Related pull requests:
- 28853

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	November 10, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Common Types

Pack Contributors:

Pack Contributors:

Layouts

Layouts

Incident Fields

Indicator Fields

New: Query Language

Incident Fields

Indicator Fields

Category

New: Product

Publications

New: Definition

Indicator Types

Incident Fields

Indicator Fields

Validity Not Before

Validity Not After

Layouts

Indicator Types

Incident Fields

Indicator Types

Layouts

Indicator Fields

Primary Motivation

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Common Types

Indicator Types

Indicator Fields

Common Types

Indicator Fields

Incident Fields

Incident Fields

Incident Fields

Indicator Types

Incident Fields

Indicator Fields

Incident Fields

Indicator Fields

Layouts

Incident Fields

Incident Fields

Indicator Types

Common Types

Indicator Fields

Incident Fields

Indicator Types

Indicator Fields

Incident Fields

Incident Fields

Incident Fields

Incident Fields

Incident Fields

Layouts

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER