Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Cloud Instance ID	Cloud Instance ID
Verdict
Agent Version	Reporting Agent/Sensor Version
Report Name
Suspicious Executions
Cloud Resource List
MD5	MD5
Risk Rating
Vulnerability Category
Country Code
Duration
MAC Address	MAC Address
RemovedFromCampaigns
End Time	The time when the offense ended.
Device External IPs
Alert Action	Alert action as received from the integration JSON
Process Paths
Device Id	Device Id
Exposure Level
Triage SLA	The time it took to investigate and enrich incident information.
Org Level 2
Sub Category	The sub category
File Size	File Size
Account Status
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Pre Nat Destination Port	The destination port before NAT.
Parent Process CMD
Destination Network
File SHA1
Policy Recommendation
Detected Endpoints
Verification Status	The status of the user verification.
Device Username	The username of the user that owns the device
Event Names	The event name (translated QID ) in the event.
File Paths
Traffic Direction	The direction of the traffic in the event.
Users
Close Time	The closing time.
EmailCampaignMutualIndicators
First Seen
Manager Email Address
Related Alerts
First Name	First Name
Device Internal IPs
SKU TIER
Cloud Service
Vulnerable Product
Agent ID	Agent ID
Bugtraq
Endpoint
Technique
Account Member Of
ASN
Custom Query Results
Containment SLA	The time it took to contain the incident.
Classification	Incident Classification
Alert URL	Alert URL as received from the integration JSON
Description	The description of the incident
Team name
Source Networks
Internal Addresses
Detected Users	Detected users
Post Nat Destination IP	The destination IP address after NAT.
SHA1	SHA1
External Sub Category Name
Work Phone
App message
Pre Nat Source Port	The source port before NAT.
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Ticket Acknowledged Date
Domain Updated Date
Source Username	The username that was the source of the attack.
IncomingMirrorError
User Engagement Response
Threat Hunting Detected IP
File Hash
Region ID
Related Campaign
External Addresses
Asset Name
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Mobile Phone
Follow Up	True if marked for follow up.
UUID	UUID as received from the integration JSON
Related Report
Country Name	Country Name
Password Changed Date
Event Descriptions	The description of the event name.
Rendered HTML	The HTML content in a rendered form.
Acquisition Hire
Location Region	Location Region
App
File Name
Detected External Hosts	Detected external hosts
Post Nat Destination Port	The destination port after NAT.
OS Version	OS Version
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Job Function	Job Function
Sensor IP
Related Endpoints
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Process Names
OS Type	OS Type
Source External IPs
Destination IP	The IP address the impossible traveler logged in to.
Group ID
SHA256	SHA256
List Of Rules - Event	The list of rules associated to an event.
Detected Internal Hosts	Detected internal hosts
MITRE Tactic ID
Parent Process
Parent Process Path
Alert Name	Alert name as received from the integration JSON
PID	PID
Device Time	The time from the original logging device when the event occurred.
Org Level 1
Post Nat Source IP	The source IP address after NAT.
Process SHA256
Start Time	The time when the offense started.
Process MD5
URLs
Tools
Source Created By
Source Status
Device Name	Device Name
Protocols
MITRE Tactic Name
SSDeep
File Access Date
Source Hostname	The hostname that performed the port scan.
Registration Email
Destination Port	The destination port used.
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Alert Rules
Last Modified By
Technical Owner Contact	The contact details for the technical owner.
Caller
Hunt Results Count
Log Source	Log Source
Destination Hostname	Destination hostname
Title	Title
Log Source Name	The log source name associated with the event.
Password Reset Successfully	Whether the password has been successfully reset.
Objective
Usernames	The username in the event.
Manager Name	Manager Name
Dest	Destination
Registry Key
Source MAC Address	The source MAC address in an event.
Appliance Name	Appliance name as received from the integration JSON
File Creation Date
Attack Patterns
Subtype	Subtype
Technical Owner	The technical owner of the asset.
Process CMD
Detected IPs
Selected Indicators	Includes the indicators selected by the user.
Command Line	Command Line
Registry Hive
Attack Mode	Attack mode as received from the integration JSON
Ticket Opened Date
External Start Time
Destination Geolocation	The destination geolocation of the event.
MITRE Technique Name
Policy ID
File MD5
External Link
Detection End Time
Approver	The person who approved or needs to approve the request.
Event ID	Event ID
Registry Value Type
Source Network
Suspicious Executions Found
CVSS Availability Requirement	The CVSS availability requirement for the asset.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Policy Type
Asset ID
Src Ports	The source ports of the event.
Policy Actions
Similar incidents Dbot
Birthday	Person's Birthday
Alert Type ID
Parent Process MD5
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Tags
Raw Event	The unparsed event data.
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Tool Usage Found
Vendor ID
SHA512	SHA512
Last Modified On
Alert tags
Escalation
CVSS
Location	Location
Device Local IP	Device Local IP
sAMAccountName	User sAMAAccountName
Resource ID
Process ID
Parent Process Name
Display Name	Display Name
High Level Categories	The high level categories in the events.
Referenced Resource ID
Device Model	Device Model
Account ID
Tenant Name	Tenant Name
Protocol - Event	The network protocol in the event.
Source Category
Additional Indicators
Number of Related Incidents
External System ID
Appliance ID	Appliance ID as received from the integration JSON
Domain Name
Technique ID
Device Hash	Device Hash
Alert Source
Last Update Time
Additional Email Addresses
Detection Update Time
Campaign Name
Categories	The categories for the incident.
Region
Cost Center Code	Cost Center Code
Tactic
External Category ID
Dest OS	Destination OS
Full Name	Person's Full Name
Category Count	The number of categories that are associated with the offense.
Phone Number	Phone number
Unique Ports
Resource Type
Timezone
Project ID
Device MAC Address
Detected User
Street Address
Detection URL	URL of the ExtraHop Reveal(x) detection
SKU Name
Closing User	The closing user.
Cloud Account ID
Surname	Surname
Reporter Email Address	The email address of the user who reported the email.
User Risk Level
EmailCampaignSnippets
CVE Published
Process Name
MITRE Technique ID
Alert Malicious	Whether the alert is malicious.
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Policy Details
EmailCampaignCanvas
Error Message	The error message that contains details about the error that occurred.
Post Nat Source Port	The source port after NAT.
Endpoint Isolation Status
ASN Name
Mobile Device Model
Application Id	Application Id
Policy Remediable
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Affected Users
External End Time
Parent CMD line
Src NT Domain	Source NT Domain
Detection ID
Assignment Group
IP Blocked Status
Assigned User	Assigned User
Employee Email	The email address of the employee.
Destination Networks
Rule Name	The name of a YARA rule
Dest Hostname	Destination hostname
Personal Email
Event Type	Event Type
External ID
External Sub Category ID
Destination IPs	The destination IPs of the event.
Device OS Name
Registry Value
Alert Category	The category of the alert
Vendor Product
Use Case Description
Org Level 3
Policy Deleted
External Category Name
Is Active	Alert status
Zip Code	Zip Code
Status Reason
External Confidence
Application Name	Application Name
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Compliance Notes	Notes regarding the assets compliance.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Identity Type
Technical User	The technical user of the asset.
Org Unit
Country	The country from which the user logged in.
Detected Internal IPs	Detected internal IPs
Ticket Closed Date
Incident Link
Device Status
File Names
Isolated	Isolated
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Number Of Log Sources	The number of log sources related to the offense.
Scenario
Email	Primary Email Address
City
Employee Display Name	The display name of the employee.
Approval Status	The status for the approval of the request.
Source Create time
Src User	Source User
External Severity
Audit Logs
Username	The username of the account who logged in.
File Path
User SID
Policy Severity
Changed	The user who changed this incident
OS	The operating system.
Domain Registrar Abuse Email
Source IPV6	The source IPV6 address.
Investigation Stage	The stage of the investigation.
Policy Description
Resource URL
Protocol	Protocol
Rating
Policy URI
Triggered Security Profile	Triggered Security Profile
similarIncidents
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Srcs	The source values.
Threat Hunting Detected Hostnames
Device OS Version
Sensor Name
Country Code Number
Parent Process IDs
Endpoints Details
Low Level Categories Events	The low level category of the event.
Blocked Action	Blocked Action
Users Details
Closing Reason	The closing reason
Source Urgency	Source Urgency
CVE
Source Priority
Error Code
Employee Manager Email	The email address of the employee's manager.
Device OU	Device's OU path in Active Directory
Src OS	Src OS
Process Creation Time
Pre Nat Source IP	The source IP before NAT.
Events	The events associated with the offense.
File Relationships
Tactic ID
Alert ID	Alert ID as received from the integration JSON
Src	Source
Risk Score
Agents ID
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
State	State
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Source Updated by
CVE ID
High Risky Hosts
Application Path
User Anomaly Count
File SHA256
Job Family	Job Family
Cloud Region List
High Risky Users
Resource Name
Destination MAC Address	The destination MAC address in an event.
EmailCampaignSummary
User Creation Time
Log Source Type	The log source type associated with the event.
IP Reputation
Device External IP	Device External IP
Src Hostname	Source hostname
Source IP	The IP Address that the user initially logged in from.
Command Line Verdict
Ticket Number
Block Indicators Status
Source Geolocation	The source geolocation of the event.
Last Seen
Dst Ports	The destination ports of the event.
Referenced Resource Name
User Id	User Id
DNS Name	The DNS name of the asset.
Cloud Operation Type
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
app channel name
Dest NT Domain	Destination NT Domain
userAccountControl	userAccountControl
Last Name	Last Name
Source Port	The source port that was used
Child Process
Leadership
Job Code	Job Code
Parent Process SHA256
Comment	The comments related with the incident
Department	Department
Hostnames	The hostname in the event.
Account Name	Account Name
String Similarity Results
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Cost Center	Cost Center
Dsts	The destination values.
Source Id
Item Owner Email
External Last Updated Time
Detected External IPs	Detected external IPs
Parent Process File Path
Number of similar files
Signature
Given Name	Given Name
Operation Name
Protocol names
Risk Name
External Status
Destination IPV6	The destination IPV6 address.
OutgoingMirrorError
Affected Hosts
CMD
Alert Attack Time
User Block Status
Item Owner
Additional Data
Process Path
Source IPs	The source IPs of the event.
User Agent
Email Sent Successfully	Whether the email has been successfully sent.
CMD line
Verification Method	The method used to verify the user.
User Groups

Incident Types

Name	Description
Exfiltration
Policy Violation
DoS
Indicator Feed
Vulnerability
Network
C2Communication
UnknownBinary
Exploit
Authentication
Reconnaissance
Job
Hunt
Defacement
Lateral Movement
Simulation

Indicator Fields

Name	Description
Malware types
Acquisition Hire	Whether the employee is an acquisition hire.
Domain Status
Paths
Country Name
Category
Given Name	Given Name
Targets
Street Address
Commands
Region
Display Name
Signature Internal Name
City	City
ASN
Indicator Identification
Surname	Surname
Subject
Manager Email Address
Processors
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Org Level 3
Account Type
Registrar Abuse Address
Processor
Registrar Abuse Phone
Email
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Organization Type
Mobile Phone
Validity Not After	Specifies the date on which the certificate validity period ends.
Cost Center Code
Cost Center
Community Notes
STIX Roles
Mitre ID
Org Unit
Key Value
Actor
Admin Country
Version
Name Field
Associations	Known associations to other pieces of Threat Data.
Report Object References	A list of STIX IDs referenced in the report.
Service	The specific service of a feed integration from which an indicator was ingested.
Short Description
Email Address
Query Language
Domain Name
MAC Address
Vendor
Campaign
IP Address
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Source Original Severity	The original score/severity provided by the source without DBot translation.
Definition
Department	Department
Goals
Updated Date
Certificate Signature
Reports
SHA512
CVSS Version
Objective
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Groups
Product
Serial Number
STIX Goals
SSDeep
Rank	Used to display rank from different sources
SHA256
Implementation Languages
Assigned user
STIX Resource Level
Certificate Validation Checks
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Vulnerable Products
Signature Original Name
Organization First Seen	Date and time when the indicator was first seen in the organization.
Admin Phone
Detection Engines	Total number of engines that checked the indicator
Samples
Geo Location
Force Sync	Whether to force user synchronization.
Infrastructure Types
Office365Category
Location
Roles
First Seen By Source	The first time the indicator was seen by the source vendor.
SWID	Specifies the Software Identification (SWID) tags entry for the software
Path
Validity Not Before	Specifies the date on which the certificate validity period begins.
Registrar Abuse Email
Leadership
Quarantined	Whether the indicator is quarantined or isolated
Internal
DNS Records
Name Servers
Registrant Country
Organization Prevalence	The number of times the indicator is detected in the organization.
STIX Description
Registrar Abuse Name
Positive Detections	Number of engines that positively detected the indicator as malicious
Device Model
Tool Types
Office365ExpressRoute
Published
Job Family
Registrar Name
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Whois Records
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Organizational Unit (OU)
Secondary Motivations
imphash
Registrant Phone
Resource Level
Operating System Refs
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
CVSS Score
Operating System
Signature Algorithm
State
Registrar Abuse Country
Entry ID
MD5
Size
Admin Email
DNS
Tool Version
STIX Is Malware Family
Port
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Geo Country
Report type
Expiration Date
Job Function
Global Prevalence	The number of times the indicator is detected across all organizations.
Office365Required
Number of subkeys
Source Priority
CVE Modified
Username
File Extension
STIX Malware Types
Hostname
Author
Personal Email
Architecture
Is Malware Family
CVE Description
Detections
Blocked
Certificate Names
DHCP Server
Malware Family
Sophistication
Manager Name	Manager Name
BIOS Version
Action
Publications
Aliases	Alternative names used to identify this object
Mitre Tactics
Extension
Issuer DN	Issuer Distinguished Name
X.509 v3 Extensions
CVSS Table
Vulnerabilities
User ID
PEM	Certificate in PEM format.
Feed Related Indicators
Public Key
Signed
Is Processed
AS Owner
Subject Alternative Names
Country Code Number
Org Level 2
Certificates
Associated File Names
Description
Domain IDN Name
Operating System Version
OS Version
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Registrant Email
CVSS
Signature File Version
Download URL
Applications
Registrar Abuse Network
Subject DN	Subject Distinguished Name
Threat Actor Types
Work Phone
Subdomains
Primary Motivation
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Memory
STIX Secondary Motivations
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
STIX Tool Version
Confidence
Organization
Title	Title
Country Code
Registrant Name
Assigned role
Signature Description
Admin Name
Job Code	Job Code
STIX Threat Actor Types
STIX Tool Types
Issuer
CVSS Vector
Tags
CVSS3
Org Level 1
Behavior
Location Region
SHA1
Name
STIX Sophistication
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
File Type
STIX Primary Motivation.
Domains
Signature Authentihash
Zip Code
STIX Aliases	Alternative names used to identify this object
Domain Referring Subnets
Domain Referring IPs
Creation Date
Capabilities
Signature Copyright

Layouts

Name	Description
IP Indicator	IP Indicator Layout
Identity	Identity indicator layout
Account Indicator	Account Indicator Layout
Indicator Feed Incident
CVE Indicator	CVE Indicator Layout
Tool Indicator	Tool Indicator Layout
Email Indicator	Email Indicator Layout
X509 Certificate	CVE Indicator Layout
Host Indicator	Host indicator layout
Intrusion Set	Intrusion Set Layout
Report	Report Indicator Layout
URL Indicator	URL Indicator Layout
Campaign	Campaign Indicator Layout
File Indicator	File Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Software	Software Indicator Layout
Domain Indicator	Domain Indicator Layout
ASN	ASN Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Location	Location indicator layout
Course of Action	Course of Action Indicator Layout
Malware Indicator	Malware Indicator Layout
Vulnerability Incident
Attack Pattern	Attack Pattern Indicator Layout
Mutex	Mutex indicator layout
Tactic Layout	Tactic Indicator Layout

Indicator Types

Name	Description
File SHA-1
CIDR
Domain
Tactic
X509 Certificate
DomainGlob
Report
Malware
Tool
Threat Actor
Infrastructure
File
Registry Key
Intrusion Set
Host
Identity
Email
Attack Pattern
ssdeep
Course of Action
Account
File SHA-256
File MD5
Campaign
URL
ASN
Software
Onion Address
Mutex
IP
CVE
Location
IPv6CIDR
IPv6

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Device Status
CVE
Closing Reason	The closing reason
Detection URL	URL of the ExtraHop Reveal(x) detection
Sensor IP
External Sub Category Name
OutgoingMirrorError
sAMAccountName	User sAMAAccountName
Number of Related Incidents
Low Level Categories Events	The low level category of the event.
Password Changed Date
Status Reason
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
External Category Name
Org Level 2
Triggered Security Profile	Triggered Security Profile
SSDeep
File Access Date
Related Endpoints
Cloud Service
Approval Status	The status for the approval of the request.
Referenced Resource Name
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
EmailCampaignMutualIndicators
Assignment Group
Caller
Affected Hosts
Bugtraq
Ticket Number
Job Function	Job Function
Location	Location
Process SHA256
Post Nat Destination IP	The destination IP address after NAT.
Process MD5
CVE Published
End Time	The time when the offense ended.
Account ID
Original Description	The description of the incident
Signature
Country Code
Incident Link
Pre Nat Destination Port	The destination port before NAT.
Parent Process Name
Number Of Log Sources	The number of log sources related to the offense.
Registry Value
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Employee Display Name	The display name of the employee.
EmailCampaignSummary
Tools
City
URLs
Asset ID
Team name
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
External Severity
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Additional Email Addresses
RemovedFromCampaigns
Destination Geolocation	The destination geolocation of the event.
Domain Updated Date
Error Code
Cost Center Code	Cost Center Code
Detected Endpoints
Device MAC Address
User Block Status
Last Modified By
Resource URL
Risk Rating
Command Line Verdict
Users Details
Work Phone
Email Sent Successfully	Whether the email has been successfully sent.
Process Names
File Hash
First Seen
External System ID
Cost Center	Cost Center
Last Modified On
similarIncidents
Country Code Number
Technique ID
Group ID
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Source Created By
Error Message	The error message that contains details about the error that occurred.
Verification Method	The method used to verify the user.
Custom Query Results
Additional Indicators
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
External Status
Policy ID
Policy URI
Source Id
Device Model	Device Model
Exposure Level
Post Nat Destination Port	The destination port after NAT.
ASN Name
File Creation Date
Pre Nat Source IP	The source IP before NAT.
Personal Email
MITRE Tactic ID
Risk Name
Zip Code	Zip Code
Log Source	Log Source
Event Names	The event name (translated QID ) in the event.
String Similarity Results
Domain Registrar Abuse Email
External Category ID
Verdict
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
OS Type	OS Type
Acquisition Hire
Dest OS	Destination OS
Rule Name	The name of a YARA rule
Related Report
Event ID	Event ID
Cloud Region List
Log Source Type	The log source type associated with the event.
Attack Mode	Attack mode as received from the integration JSON
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Password Reset Successfully	Whether the password has been successfully reset.
Process Paths
Source Priority
Dsts	The destination values.
Comment	The comments related with the incident
Parent Process Path
User Groups
File Size	File Size
Location Region	Location Region
Mobile Phone
Investigation Stage	The stage of the investigation.
Title	Title
Phone Number	Phone number
Compliance Notes	Notes regarding the assets compliance.
Parent Process IDs
Device Id	Device Id
User Creation Time
Sub Category	The sub category
Job Family	Job Family
App message
Source Networks
Referenced Resource ID
Vulnerability Category
Parent Process CMD
Number of similar files
Source Updated by
Registry Value Type
Device Internal IPs
Suspicious Executions Found
Source Urgency	Source Urgency
Asset Name
SKU Name
Use Case Description
Destination IPV6	The destination IPV6 address.
User Anomaly Count
External Confidence
Source Category
Detected Internal Hosts	Detected internal hosts
Pre Nat Source Port	The source port before NAT.
Device Time	The time from the original logging device when the event occurred.
Vulnerable Product
SHA1	SHA1
Street Address
MITRE Tactic Name
Similar incidents Dbot
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Domain Name
Device Hash	Device Hash
Device OS Name
Last Seen
Start Time	The time when the offense started.
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Destination Networks
MITRE Technique ID
First Name	First Name
Agent Version	Reporting Agent/Sensor Version
Log Source Name	The log source name associated with the event.
Cloud Instance ID	Cloud Instance ID
Tactic ID
Account Member Of
Device OS Version
Registry Hive
Triage SLA	The time it took to investigate and enrich incident information.
Org Level 1
Birthday	Person's Birthday
Reporter Email Address	The email address of the user who reported the email.
Process CMD
Policy Recommendation
IncomingMirrorError
UUID	UUID as received from the integration JSON
Alert Rules
Item Owner Email
List Of Rules - Event	The list of rules associated to an event.
State	State
Isolated	Isolated
EmailCampaignSnippets
Resource Type
Hunt Results Count
Close Time	The closing time.
MITRE Technique Name
Detection ID
Duration
Endpoints Details
Policy Actions
Device External IPs
Policy Type
Project ID
External Link
Vendor ID
Internal Addresses
External End Time
Suspicious Executions
Verification Status	The status of the user verification.
Policy Severity
Objective
Protocol names
IP Blocked Status
User Id	User Id
Closing User	The closing user.
Org Unit
CVE ID
Vendor Product
CVSS
Rendered HTML	The HTML content in a rendered form.
Raw Event	The unparsed event data.
Given Name	Given Name
Technical Owner	The technical owner of the asset.
Registry Key
Alert Action	Alert action as received from the integration JSON
Registration Email
Region
Detected External IPs	Detected external IPs
Policy Details
Original Events	The events associated with the offense.
Related Campaign
Full Name	Person's Full Name
Job Code	Job Code
Application Path
Source Geolocation	The source geolocation of the event.
Affected Users
Source Create time
Audit Logs
Employee Email	The email address of the employee.
Item Owner
Post Nat Source IP	The source IP address after NAT.
Follow Up	True if marked for follow up.
Process ID
Traffic Direction	The direction of the traffic in the event.
Assigned User	Assigned User
Source External IPs
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Identity Type
Post Nat Source Port	The source port after NAT.
Is Active	Alert status
Changed	The user who changed this incident
SHA512	SHA512
Event Descriptions	The description of the event name.
Cloud Account ID
Report Name
Parent Process SHA256
Technique
Approver	The person who approved or needs to approve the request.
Parent Process MD5
Source Status
User Engagement Response
Policy Deleted
Scenario
Related Alerts
Src OS	Src OS
Policy Description
Display Name	Display Name
ASN
Ticket Closed Date
Last Name	Last Name
Alert Malicious	Whether the alert is malicious.
Policy Remediable
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Tool Usage Found
Original Alert ID	Alert ID as received from the integration JSON
Account Status
Manager Name	Manager Name
Attack Patterns
Classification	Incident Classification
Block Indicators Status
Surname	Surname
Resource Name
Device Name	Device Name
Original Alert Name	Alert name as received from the integration JSON
File Relationships
Containment SLA	The time it took to contain the incident.
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
IP Reputation
Rating
Ticket Acknowledged Date
Additional Data
Device OU	Device's OU path in Active Directory
Operation Name
Timezone
Alert Type ID
Org Level 3
External Sub Category ID
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Detection End Time
Selected Indicators	Includes the indicators selected by the user.
Subtype	Subtype
Agents ID
Escalation
External Start Time
Unique Ports
External Last Updated Time
Manager Email Address
Parent Process File Path
userAccountControl	userAccountControl
Tactic
Email	Primary Email Address
User SID
Technical Owner Contact	The contact details for the technical owner.
Process Creation Time
Mobile Device Model
Campaign Name
Leadership
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Region ID
High Risky Hosts
SKU TIER
Category Count	The number of categories that are associated with the offense.
Last Update Time
Risk Score
Endpoint Isolation Status
High Risky Users
Tenant Name	Tenant Name
Original Alert Source
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Department	Department
app channel name
Cloud Resource List
EmailCampaignCanvas
Technical User	The technical user of the asset.
Employee Manager Email	The email address of the employee's manager.
File SHA1
Alert tags
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
OS	The operating system.
Blocked Action	Blocked Action

Incident Types

Name	Description
Defacement
Job
Exfiltration
Simulation
Reconnaissance
Authentication
UnknownBinary
Exploit
Hunt
Vulnerability
Policy Violation
DoS
Network
Lateral Movement
Indicator Feed
C2Communication

Indicator Fields

Name	Description
Office365Category
Mitre ID
Vendor
Location Region
Job Code	Job Code
Signature Copyright
Tags
Registrant Country
Publications
Behavior
CVE Description
Signed
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Org Unit
Domain Name
Subject DN	Subject Distinguished Name
Detection Engines	Total number of engines that checked the indicator
Malware types
Domain IDN Name
BIOS Version
Samples
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Validity Not Before	Specifies the date on which the certificate validity period begins.
SSDeep
Organization Type
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
OS Version
Version
Commands
Organization
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Key Value
Admin Email
MD5
Whois Records
Name Servers
Office365Required
Registrant Name
Operating System Version
Acquisition Hire	Whether the employee is an acquisition hire.
Admin Phone
Action
Report Object References	A list of STIX IDs referenced in the report.
Registrant Phone
Processors
Device Model
Definition
Signature Internal Name
Registrar Abuse Name
Domain Status
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
STIX Tool Types
Surname	Surname
Office365ExpressRoute
Source Priority
Subdomains
Paths
Org Level 1
Street Address
Confidence
SHA512
Subject Alternative Names
Reports
Registrar Abuse Address
Vulnerabilities
Tool Version
STIX Sophistication
Sophistication
State
Operating System
Registrar Abuse Email
Feed Related Indicators
Resource Level
Issuer
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Job Function
Registrar Abuse Phone
Objective
STIX Primary Motivation.
Country Code
Goals
Associated File Names
Quarantined	Whether the indicator is quarantined or isolated
Work Phone
Geo Location
Registrar Abuse Network
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
CVSS
SWID	Specifies the Software Identification (SWID) tags entry for the software
Department	Department
Signature Algorithm
STIX Goals
Given Name	Given Name
Associations	Known associations to other pieces of Threat Data.
Expiration Date
Zip Code
Product
Global Prevalence	The number of times the indicator is detected across all organizations.
Applications
City	City
Published
Certificate Names
Hostname
Certificate Validation Checks
Domain Referring IPs
PEM	Certificate in PEM format.
Country Name
STIX Secondary Motivations
Signature Authentihash
Service	The specific service of a feed integration from which an indicator was ingested.
STIX Threat Actor Types
SHA1
Registrant Email
Cost Center
Public Key
Download URL
First Seen By Source	The first time the indicator was seen by the source vendor.
CVSS3
DNS Records
Targets
CVSS Vector
Internal
Entry ID
Job Family
Indicator Identification
Size
Tool Types
Name
Rank	Used to display rank from different sources
Updated Date
STIX Malware Types
Org Level 2
CVSS Version
Roles
Groups
DHCP Server
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Account Type
Username
Blocked
Processor
Malware Family
Email
Organization Prevalence	The number of times the indicator is detected in the organization.
ASN
DNS
CVSS Score
Manager Name	Manager Name
Is Malware Family
Organizational Unit (OU)
Validity Not After	Specifies the date on which the certificate validity period ends.
Organization First Seen	Date and time when the indicator was first seen in the organization.
CVSS Table
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Positive Detections	Number of engines that positively detected the indicator as malicious
Category
Implementation Languages
Secondary Motivations
Memory
File Extension
Signature Original Name
Is Processed
STIX Tool Version
Name Field
Admin Country
Operating System Refs
User ID
Report type
Capabilities
Email Address
Source Original Severity	The original score/severity provided by the source without DBot translation.
AS Owner
STIX Description
Assigned role
STIX Is Malware Family
Author
STIX Aliases	Alternative names used to identify this object
Mobile Phone
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Primary Motivation
Geo Country
Subject
Query Language
IP Address
Extension
Location
Title	Title
Detections
STIX Resource Level
Signature File Version
CVE Modified
Force Sync	Whether to force user synchronization.
Cost Center Code
Registrar Name
Assigned user
Threat Actor Types
Manager Email Address
Certificates
Architecture
STIX Roles
Aliases	Alternative names used to identify this object
Vulnerable Products
Personal Email
Actor
Display Name
Country Code Number
Domain Referring Subnets
Registrar Abuse Country
Port
Signature Description
Mitre Tactics
SHA256
Admin Name
Certificate Signature
Campaign
Infrastructure Types
Number of subkeys
Creation Date
Leadership
Path
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Domains
imphash
Issuer DN	Issuer Distinguished Name
Region
Org Level 3
Community Notes
X.509 v3 Extensions
Description
Short Description
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
File Type
Serial Number

Layoutrule

Name	Description
Vulnerability Layout Rule
Indicator Feed Layout Rule

Layouts

Name	Description
Host Indicator	Host indicator layout
Tool Indicator	Tool Indicator Layout
IP Indicator	IP Indicator Layout
Report	Report Indicator Layout
Account Indicator	Account Indicator Layout
File Indicator	File Indicator Layout
Indicator Feed Incident
Vulnerability Incident
Campaign	Campaign Indicator Layout
ASN	ASN Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Malware Indicator	Malware Indicator Layout
Intrusion Set	Intrusion Set Layout
Course of Action	Course of Action Indicator Layout
CVE Indicator	CVE Indicator Layout
Tactic Layout	Tactic Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
X509 Certificate	CVE Indicator Layout
Mutex	Mutex indicator layout
Infrastructure	Infrastructure Indicator Layout
Software	Software Indicator Layout
Email Indicator	Email Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Domain Indicator	Domain Indicator Layout
URL Indicator	URL Indicator Layout
Location	Location indicator layout
Identity	Identity indicator layout

Indicator Types

Name	Description
DomainGlob
Domain
Host
Malware
Tactic
Threat Actor
Attack Pattern
ssdeep
File MD5
X509 Certificate
IPv6
File SHA-256
IP
Campaign
URL
Mutex
Tool
Email
Location
CIDR
Report
Registry Key
Intrusion Set
Software
Onion Address
Infrastructure
CVE
IPv6CIDR
Course of Action
File SHA-1
File
ASN
Identity
Account

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (57)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
RSA NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

3.9.6 - 5538136 (October 23, 2025)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1903608 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Username
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Layouts

New: Tactic Layout
New: New layout for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1619437 (November 10, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.8.9 - 3181336 (April 20, 2025)

Indicator Types

URL
Updated the URL indicator regex to better handle numerical IPs in URLs (Only when a protocol is present).

Related pull requests:
- 39556

Download

3.8.8 - 3152302 (April 16, 2025)

Incident Fields

New: Audit Logs
New: Added a new incident field - Audit Logs.

Related pull requests:
- 39580
- 37882

Download

3.8.7 - 3062885 (April 6, 2025)

Indicator Types

URL
Updated the URL Regex indicator type to handle numerical IPs in URLs.

Related pull requests:
- 39033

Download

3.8.6 - 3018025 (March 31, 2025)

Indicator Types

Attack Pattern
Fixed an issue with capital letters in an indicator condition.

Related pull requests:
- 39352

Download

3.8.5 - R2988287 (March 26, 2025)

Indicator Types

URL
Updated the URL indicator type to capture urls with numerical IPs.

Related pull requests:
- 38923

Download

3.8.4 - 2553674 (February 24, 2025)

Indicator Types

Attack Pattern
Updated the indicator to save the Attack Pattern name in context under "Value" and not "value".

Related pull requests:
- 38699

Download

3.8.3 - 2086795 (January 27, 2025)

Indicator Types

IPv6
Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.

Related pull requests:
- 38269

Download

3.8.2 - 1900707 (December 31, 2024)

Incident Fields

MITRE Tactic Name
Updated the field to be searchable.
MITRE Technique ID
Updated the field to be searchable.
MITRE Tactic ID
Updated the field to be searchable.
MITRE Technique Name
Updated the field to be searchable.

Related pull requests:
- 37866

Download

3.8.1 - 1899571 (December 31, 2024)

Layouts

Tactic Layout
Updated the layout to also appear in XSIAM.

Related pull requests:
- 37862

Download

3.8.0 - 1873754 (December 25, 2024)

Incident Fields

Cloud Service
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
First Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Seen
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.
User Id
Added the CrowdStrike Falcon OFP Detection incident type as an associated type.

Related pull requests:
- 37659

Download

3.7.0 - 1834150 (December 18, 2024)

Indicator Types

Attack Pattern
Fixed an issue with Attack Patterns not being added to the context.
New: Tactic
New: New indicator type for MITRE ATT&CK tactics.

Related pull requests:
- 36731

Download

3.6.1 - 1793696 (December 11, 2024)

Indicator Types

URL
Fixed an issue with the URL regex not allowing parenthesis in the query part of it.

Related pull requests:
- 37562

Download

3.6.0 - 1663384 (November 18, 2024)

Indicator Fields

New: Organization Prevalence

Added new number field which represents the number of times the indicator is detected in the organization.

New: Global Prevalence

Added new number field which represents the number of times the indicator is detected across all organizations.

New: Organization First Seen

Added new date field which represents when the indicator was first seen in the organization.

New: Organization Last Seen

Added new date field which represents when the indicator was last seen in the organization.

Indicator Types

File
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	File.OrganizationPrevalence
`globalprevalence`	File.GlobalPrevalence
`organizationfirstseen`	File.OrganizationFirstSeen
`organizationlastseen`	File.OrganizationLastSeen
`firstseenbysource`	File.FirstSeenBySource
`lastseenbysource`	File.LastSeenBySource

Domain
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	Domain.OrganizationPrevalence
`globalprevalence`	Domain.GlobalPrevalence
`organizationfirstseen`	Domain.OrganizationFirstSeen
`organizationlastseen`	Domain.OrganizationLastSeen
`firstseenbysource`	Domain.FirstSeenBySource
`lastseenbysource`	Domain.LastSeenBySource

URL
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	URL.OrganizationPrevalence
`globalprevalence`	URL.GlobalPrevalence
`organizationfirstseen`	URL.OrganizationFirstSeen
`organizationlastseen`	URL.OrganizationLastSeen
`firstseenbysource`	URL.FirstSeenBySource
`lastseenbysource`	URL.LastSeenBySource

IP
Added default mapping to the indicator fields:

CLI Name	Context Path
`organizationprevalence`	IP.OrganizationPrevalence
`globalprevalence`	IP.GlobalPrevalence
`organizationfirstseen`	IP.OrganizationFirstSeen
`organizationlastseen`	IP.OrganizationLastSeen
`firstseenbysource`	IP.FirstSeenBySource
`lastseenbysource`	IP.LastSeenBySource

IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
| organizationprevalence| IPv6.OrganizationPrevalence |
| globalprevalence| IPv6.GlobalPrevalence |
| organizationfirstseen| IPv6.OrganizationFirstSeen |
| organizationlastseen| IPv6.OrganizationLastSeen |
| firstseenbysource| IPv6.FirstSeenBySource |
| lastseenbysource| IPv6.LastSeenBySource |

Related pull requests:
- 37022

Download

3.5.25 - 1621428 (November 11, 2024)

Layouts

Malware Indicator
Fixed an issue with the Malware indicator type using the wrong layout.

Related pull requests:
- 36453

Download

3.5.24 - 1609112 (November 7, 2024)

Layouts

Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.

Related pull requests:
- 37071

Download

3.5.23 - 1602991 (November 6, 2024)

Incident Fields

New: Risk Name
New: Asset Name

Related pull requests:
- 37077
- 36393

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	October 23, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.