Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Common Types
- Details
- Content
- Dependencies
- Version History
This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.
Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Classifiers
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Fields
| Name | Description |
|---|---|
Related Alerts | |
SHA256 | SHA256 |
Tactic ID | |
Registry Value Type | |
Registry Value | |
Dst Ports | The destination ports of the event. |
Follow Up | True if marked for follow up. |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Src NT Domain | Source NT Domain |
File Relationships | |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
similarIncidents | |
Alert Name | Alert name as received from the integration JSON |
SSDeep | |
SKU Name | |
Users | |
External Confidence | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
MITRE Tactic Name | |
Policy Severity | |
Source Geolocation | The source geolocation of the event. |
Destination Port | The destination port used. |
Process ID | |
External Status | |
Primary Email Address | |
Zip Code | Zip Code |
Last Modified By | |
Job Family | Job Family |
Device Time | The time from the original logging device when the event occurred. |
User SID | |
Destination Hostname | Destination hostname |
Appliance Name | Appliance name as received from the integration JSON |
IP Reputation | |
Application Id | Application Id |
Parent Process File Path | |
Cloud Instance ID | Cloud Instance ID |
Destination MAC Address | The destination MAC address in an event. |
First Name | First Name |
Team name | |
External Start Time | |
Application Name | Application Name |
Parent Process MD5 | |
Detection End Time | |
Referenced Resource Name | |
Low Level Categories Events | The low level category of the event. |
Last Update Time | |
Number Of Log Sources | The number of log sources related to the offense. |
Endpoint Isolation Status | |
City | |
Is Active | Alert status |
Srcs | The source values. |
Device MAC Address | |
Src Hostname | Source hostname |
Last Modified On | |
Hostnames | The hostname in the event. |
Escalation | |
External Sub Category ID | |
Domain Registrar Abuse Email | |
File Hash | |
Number of Related Incidents | |
Alert ID | Alert ID as received from the integration JSON |
Manager Email Address | |
Policy URI | |
Detected IPs | |
Source Username | The username that was the source of the attack. |
External Link | |
Alert tags | |
Resource Type | |
Dest NT Domain | Destination NT Domain |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
MAC Address | MAC Address |
Technique ID | |
List Of Rules - Event | The list of rules associated to an event. |
Policy ID | |
Hunt Results Count | |
EmailCampaignMutualIndicators | |
File Names | |
Source Updated by | |
Source Status | |
User Anomaly Count | |
Process Names | |
Post Nat Destination Port | The destination port after NAT. |
SHA512 | SHA512 |
Reporter Email Address | The email address of the user who reported the email. |
Item Owner | |
Dest OS | Destination OS |
Job Function | Job Function |
Ticket Opened Date | |
Birthday | Person's Birthday |
Custom Query Results | |
Alert Category | The category of the alert |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
OutgoingMirrorError | |
Device OU | Device's OU path in Active Directory |
Detected Internal IPs | Detected internal IPs |
Policy Type | |
Mobile Phone | |
Assigned User | Assigned User |
Alert Action | Alert action as received from the integration JSON |
External Severity | |
Use Case Description | |
Verdict | |
App | |
Source External IPs | |
Sensor Name | |
First Seen | |
Detected User | |
Application Path | |
OS Type | OS Type |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Registry Key | |
Location Region | Location Region |
Scenario | |
CMD line | |
Objective | |
Tools | |
Cloud Resource List | |
Destination IPV6 | The destination IPV6 address. |
Policy Details | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Parent Process | |
Destination Networks | |
Vendor Product | |
Usernames | The username in the event. |
Src OS | Src OS |
Phone Number | Phone number |
File Paths | |
Source Hostname | The hostname that performed the port scan. |
User Engagement Response | |
Isolated | Isolated |
Duration | |
Country Name | Country Name |
External Category Name | |
Threat Hunting Detected IP | |
Device OS Version | |
Vendor ID | |
Ticket Number | |
Source IPV6 | The source IPV6 address. |
Device Model | Device Model |
Source Created By | |
Account Name | Account Name |
UUID | UUID as received from the integration JSON |
IP Blocked Status | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Cost Center | Cost Center |
Block Indicators Status | |
Timezone | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Tool Usage Found | |
CVSS | |
Post Nat Source Port | The source port after NAT. |
External End Time | |
Tags | |
Protocol | Protocol |
Alert Attack Time | |
Source Port | The source port that was used |
Last Seen | |
Source Network | |
Employee Display Name | The display name of the employee. |
Report Name | |
Log Source Type | The log source type associated with the event. |
Detection ID | |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ÖżFraud\Espionage |
Appliance ID | Appliance ID as received from the integration JSON |
Rule Name | The name of a YARA rule |
Destination Geolocation | The destination geolocation of the event. |
Suspicious Executions | |
Resource ID | |
Asset Name | |
Parent Process Name | |
Triage SLA | The time it took to investigate and enrich incident information. |
Cost Center Code | Cost Center Code |
sAMAccountName | User sAMAAccountName |
Dsts | The destination values. |
Suspicious Executions Found | |
Resource URL | |
Unique Ports | |
Org Unit | |
User Block Status | |
Threat Hunting Detected Hostnames | |
File Path | |
Device External IP | Device External IP |
Alert Malicious | Whether the alert is malicious. |
Pre Nat Source IP | The source IP before NAT. |
Pre Nat Source Port | The source port before NAT. |
Technical Owner Contact | The contact details for the technical owner. |
Caller | |
Ticket Closed Date | |
Category Count | The number of categories that are associated with the offense. |
MITRE Tactic ID | |
Job Code | Job Code |
Cloud Operation Type | |
Mobile Device Model | |
Event Type | Event Type |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Account Status | |
Endpoints Details | |
Error Message | The error message that contains details about the error that occurred. |
Error Code | |
External Category ID | |
IncomingMirrorError | |
Ticket Acknowledged Date | |
High Risky Users | |
Device Internal IPs | |
Related Endpoints | |
App message | |
EmailCampaignCanvas | |
Src User | Source User |
Destination IP | The IP address the impossible traveler logged in to. |
Related Report | |
Work Phone | |
Src Ports | The source ports of the event. |
External Last Updated Time | |
Password Reset Successfully | Whether the password has been successfully reset. |
Region ID | |
File SHA256 | |
Last Name | Last Name |
Process Paths | |
Policy Recommendation | |
Region | |
Categories | The categories for the incident. |
Operation Name | |
SKU TIER | |
Registration Email | |
High Risky Hosts | |
Detected Endpoints | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Containment SLA | The time it took to contain the incident. |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Parent Process IDs | |
Compliance Notes | Notes regarding the assets compliance. |
Group ID | |
Alert Type ID | |
Post Nat Source IP | The source IP address after NAT. |
Protocol - Event | The network protocol in the event. |
Source MAC Address | The source MAC address in an event. |
Detection Update Time | |
User Creation Time | |
Source IP | The IP Address that the user initially logged in from. |
Event ID | Event ID |
Log Source | Log Source |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Number of similar files | |
Detected External IPs | Detected external IPs |
Policy Description | |
Dest | Destination |
Rendered HTML | The HTML content in a rendered form. |
Detected External Hosts | Detected external hosts |
Device Status | |
Country | The country from which the user logged in. |
Verification Status | The status of the user verification. |
Protocols | |
Org Level 1 | |
Device OS Name | |
Device External IPs | |
Approval Status | The status for the approval of the request. |
Command Line | Command Line |
Attack Patterns | |
OS | The operating system. |
Account ID | |
Process SHA256 | |
Policy Actions | |
Risk Rating | |
User Groups | |
Destination Network | |
SHA1 | SHA1 |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Dest Hostname | Destination hostname |
Start Time | The time when the offense started. |
Vulnerability Category | |
CVE ID | |
High Level Categories | The high level categories in the events. |
Alert Rules | |
File Creation Date | |
MITRE Technique Name | |
Technique | |
Device Local IP | Device Local IP |
Device Hash | Device Hash |
Policy Remediable | |
RemovedFromCampaigns | |
Cloud Service | |
Acquisition Hire | |
Source Category | |
Comment | The comments related with the incident |
Event Names | The event name (translated QID ) in the event. |
Status Reason | |
Source Urgency | Source Urgency |
Related Campaign | |
Triggered Security Profile | Triggered Security Profile |
Post Nat Destination IP | The destination IP address after NAT. |
Display Name | Display Name |
File Name | |
Similar incidents Dbot | |
PID | PID |
Investigation Stage | The stage of the investigation. |
Additional Data | |
Incident Link | |
Subtype | Subtype |
Events | The events associated with the offense. |
Parent Process SHA256 | |
CMD | |
Cloud Account ID | |
Parent CMD line | |
Employee Manager Email | The email address of the employee's manager. |
Affected Users | |
Traffic Direction | The direction of the traffic in the event. |
Risk Name | |
Full Name | Person's Full Name |
Alert URL | Alert URL as received from the integration JSON |
Technical User | The technical user of the asset. |
External ID | |
Bugtraq | |
Classification | Incident Classification |
Surname | Surname |
Password Changed Date | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Selected Indicators | Includes the indicators selected by the user. |
Internal Addresses | |
Parent Process CMD | |
Domain Name | |
Policy Deleted | |
MITRE Technique ID | |
External System ID | |
User Risk Level | |
File Size | File Size |
User Id | User Id |
Tactic | |
Event Descriptions | The description of the event name. |
Signature | |
Referenced Resource ID | |
Process CMD | |
Attack Mode | Attack mode as received from the integration JSON |
Process Creation Time | |
File SHA1 | |
Personal Email | |
Closing Reason | The closing reason |
External Sub Category Name | |
Technical Owner | The technical owner of the asset. |
Source Id | |
Department | Department |
User Agent | |
EmailCampaignSnippets | |
Log Source Name | The log source name associated with the event. |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
End Time | The time when the offense ended. |
Source Create time | |
Email Sent Successfully | Whether the email has been successfully sent. |
Destination IPs | The destination IPs of the event. |
Manager Name | Manager Name |
Pre Nat Destination Port | The destination port before NAT. |
Parent Process Path | |
Source Networks | |
Process Path | |
Sub Category | The sub category |
Source Priority | |
File Access Date | |
Blocked Action | Blocked Action |
Endpoint | |
Asset ID | |
Process Name | |
Additional Indicators | |
Item Owner Email | |
Agent Version | Reporting Agent/Sensor Version |
Changed | The user who changed this incident |
Title | Title |
CVE Published | |
Country Code Number | |
Risk Score | |
Detected Internal Hosts | Detected internal hosts |
String Similarity Results | |
EmailCampaignSummary | |
Exposure Level | |
Protocol names | |
Src | Source |
Cloud Region List | |
Agents ID | |
Street Address | |
Device Id | Device Id |
Child Process | |
Tenant Name | Tenant Name |
URLs | |
Verification Method | The method used to verify the user. |
Approver | The person who approved or needs to approve the request. |
Registry Hive | |
Close Time | The closing time. |
Resource Name | |
Org Level 3 | |
Alert Source | |
Additional Email Addresses | |
Employee Email | The email address of the employee. |
File MD5 | |
ASN Name | |
Vulnerable Product | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Raw Event | The unparsed event data. |
Identity Type | |
Campaign Name | |
OS Version | OS Version |
Leadership | |
Source IPs | The source IPs of the event. |
Project ID | |
State | State |
Agent ID | Agent ID |
Description | The description of the incident |
Given Name | Given Name |
Device Username | The username of the user that owns the device |
DNS Name | The DNS name of the asset. |
userAccountControl | userAccountControl |
MD5 | MD5 |
Closing User | The closing user. |
Account Member Of | |
Username | The username of the account who logged in. |
Audit Logs | |
Users Details | |
Command Line Verdict | |
Process MD5 | |
app channel name | |
Rating | |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Domain Updated Date | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Location | Location |
Assignment Group | |
CVE | |
Device Name | Device Name |
External Addresses | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Country Code | |
ASN | |
Affected Hosts | |
Detected Users | Detected users |
Sensor IP | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Org Level 2 |
Incident Types
| Name | Description |
|---|---|
UnknownBinary | |
Network | |
Hunt | |
Vulnerability | |
Indicator Feed | |
Lateral Movement | |
Job | |
Policy Violation | |
Authentication | |
Defacement | |
Exploit | |
Reconnaissance | |
DoS | |
Exfiltration | |
Simulation | |
C2Communication |
Indicator Fields
| Name | Description |
|---|---|
Signed | |
Reports | |
DHCP Server | |
Issuer DN | Issuer Distinguished Name |
Signature Description | |
Key Value | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Is Processed | |
STIX Primary Motivation. | |
Org Unit | |
STIX Secondary Motivations | |
Geo Country | |
Groups | |
Personal Email | |
Domain Name | |
File Type | |
Certificate Signature | |
CVSS Table | |
Mitre Tactics | |
Port | |
Location Region | |
Short Description | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
STIX Is Malware Family | |
Domain Status | |
Office365Category | |
Job Function | |
Tool Version | |
Certificate Validation Checks | |
AS Owner | |
IP Address | |
Whois Records | |
Location | |
Commands | |
Internal | |
Cost Center Code | |
Job Family | |
MAC Address | |
Memory | |
DNS Records | |
Organization Type | |
CVSS | |
Applications | |
Mitre ID | |
Size | |
Subdomains | |
Malware Family | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
BIOS Version | |
Assigned user | |
Registrar Abuse Email | |
Admin Phone | |
Job Code | Job Code |
Author | |
Published | |
Admin Country | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
SSDeep | |
PEM | Certificate in PEM format. |
Tags | |
Actor | |
Behavior | |
Registrar Abuse Phone | |
Detections | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Vendor | |
Subject DN | Subject Distinguished Name |
Country Code Number | |
Country Name | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Domain Referring Subnets | |
Extension | |
Leadership | |
Force Sync | Whether to force user synchronization. |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Report Object References | A list of STIX IDs referenced in the report. |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
ASN | |
Operating System Refs | |
CVSS Score | |
Registrar Abuse Country | |
Given Name | Given Name |
Department | Department |
STIX Threat Actor Types | |
Domain IDN Name | |
Zip Code | |
Detection Engines | Total number of engines that checked the indicator |
File Extension | |
Registrant Email | |
Targets | |
Confidence | |
MD5 | |
Query Language | |
SHA256 | |
Region | |
Definition | |
Signature Internal Name | |
Signature Authentihash | |
Entry ID | |
Manager Name | Manager Name |
Roles | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Geo Location | |
X.509 v3 Extensions | |
Resource Level | |
Samples | |
State | |
Signature File Version | |
Account Type | |
Name Servers | |
SHA1 | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Cost Center | |
Organizational Unit (OU) | |
Office365ExpressRoute | |
Processor | |
Blocked | |
Operating System Version | |
Serial Number | |
Primary Motivation | |
Name Field | |
Organization | |
Work Phone | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Product | |
City | City |
STIX Tool Version | |
Associations | Known associations to other pieces of Threat Data. |
Assigned role | |
Acquisition Hire | Whether the employee is an acquisition hire. |
imphash | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Goals | |
Hostname | |
Subject | |
CVSS Version | |
Domains | |
Display Name | |
Name | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Is Malware Family | |
Quarantined | Whether the indicator is quarantined or isolated |
Secondary Motivations | |
Campaign | |
Category | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
STIX Malware Types | |
Org Level 3 | |
Street Address | |
SHA512 | |
Country Code | |
CVSS Vector | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Subject Alternative Names | |
Creation Date | |
Feed Related Indicators | |
Domain Referring IPs | |
Implementation Languages | |
STIX Tool Types | |
Tool Types | |
CVE Description | |
Path | |
Device Model | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Mobile Phone | |
Version | |
Registrant Country | |
STIX Roles | |
Issuer | |
STIX Description | |
Registrar Abuse Address | |
Processors | |
Updated Date | |
Admin Email | |
Download URL | |
Signature Original Name | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Signature Copyright | |
Paths | |
Org Level 1 | |
Objective | |
Signature Algorithm | |
Infrastructure Types | |
Aliases | Alternative names used to identify this object |
Capabilities | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
CVSS3 | |
OS Version | |
Expiration Date | |
Indicator Identification | |
Associated File Names | |
Threat Actor Types | |
Rank | Used to display rank from different sources |
Registrar Abuse Network | |
Description | |
Source Priority | |
Email Address | |
STIX Aliases | Alternative names used to identify this object |
Registrar Name | |
Number of subkeys | |
DNS | |
STIX Goals | |
Community Notes | |
Certificate Names | |
Vulnerable Products | |
Registrant Name | |
Operating System | |
Certificates | |
Registrant Phone | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
Public Key | |
Surname | Surname |
STIX Sophistication | |
STIX Resource Level | |
Username | |
Vulnerabilities | |
Registrar Abuse Name | |
Office365Required | |
Architecture | |
User ID | |
Admin Name | |
Sophistication | |
Publications | |
CVE Modified | |
Malware types | |
Manager Email Address | |
Org Level 2 | |
Report type | |
Title | Title |
Action |
Layouts
| Name | Description |
|---|---|
Campaign | Campaign Indicator Layout |
Identity | Identity indicator layout |
Software | Software Indicator Layout |
IP Indicator | IP Indicator Layout |
Mutex | Mutex indicator layout |
Host Indicator | Host indicator layout |
URL Indicator | URL Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Attack Pattern | Attack Pattern Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
ASN | ASN Indicator Layout |
Vulnerability Incident | |
X509 Certificate | CVE Indicator Layout |
File Indicator | File Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Email Indicator | Email Indicator Layout |
Account Indicator | Account Indicator Layout |
Report | Report Indicator Layout |
Location | Location indicator layout |
Infrastructure | Infrastructure Indicator Layout |
Indicator Feed Incident |
Indicator Types
| Name | Description |
|---|---|
Host | |
Malware | |
Software | |
Intrusion Set | |
Threat Actor | |
ASN | |
Attack Pattern | |
File SHA-1 | |
Tool | |
IPv6CIDR | |
Mutex | |
ssdeep | |
IPv6 | |
Domain | |
Account | |
IP | |
CVE | |
Report | |
Tactic | |
Course of Action | |
CIDR | |
DomainGlob | |
Infrastructure | |
Identity | |
Onion Address | |
Location | |
X509 Certificate | |
File | |
File MD5 | |
Campaign | |
URL | |
Registry Key | |
File SHA-256 |
Classifiers
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Fields
| Name | Description |
|---|---|
Event Descriptions | The description of the event name. |
Objective | |
Vendor ID | |
Original Alert Source | |
Country Code | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Registry Value Type | |
Dsts | The destination values. |
External Category ID | |
Process Creation Time | |
Cloud Resource List | |
File Access Date | |
Device OS Name | |
Org Level 1 | |
Last Name | Last Name |
Event Names | The event name (translated QID ) in the event. |
Street Address | |
Registry Key | |
File Size | File Size |
Device Internal IPs | |
List Of Rules - Event | The list of rules associated to an event. |
Assigned User | Assigned User |
Full Name | Person's Full Name |
Users Details | |
Number of Related Incidents | |
SHA512 | SHA512 |
Start Time | The time when the offense started. |
OS Type | OS Type |
Device Id | Device Id |
Low Level Categories Events | The low level category of the event. |
CVE | |
Employee Email | The email address of the employee. |
Device OU | Device's OU path in Active Directory |
Referenced Resource Name | |
Category Count | The number of categories that are associated with the offense. |
Cloud Region List | |
External Severity | |
Leadership | |
Asset Name | |
First Name | First Name |
Vulnerability Category | |
Process Names | |
Given Name | Given Name |
Source Updated by | |
File SHA1 | |
Account Status | |
Device MAC Address | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Log Source Name | The log source name associated with the event. |
Related Report | |
Region ID | |
Manager Name | Manager Name |
Incident Link | |
Destination IPV6 | The destination IPV6 address. |
First Seen | |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Parent Process IDs | |
Project ID | |
Employee Manager Email | The email address of the employee's manager. |
Job Family | Job Family |
Parent Process MD5 | |
Technique | |
Policy Actions | |
Source Geolocation | The source geolocation of the event. |
Bugtraq | |
Acquisition Hire | |
MITRE Tactic ID | |
Alert Malicious | Whether the alert is malicious. |
Pre Nat Source Port | The source port before NAT. |
Policy Severity | |
Source Urgency | Source Urgency |
Cloud Instance ID | Cloud Instance ID |
Registry Hive | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Parent Process Name | |
Status Reason | |
Tactic ID | |
Approval Status | The status for the approval of the request. |
Resource URL | |
Mobile Phone | |
Sub Category | The sub category |
Signature | |
External Category Name | |
Job Function | Job Function |
External System ID | |
Last Modified By | |
Technical Owner | The technical owner of the asset. |
Caller | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Tools | |
Country Code Number | |
Additional Data | |
Close Time | The closing time. |
Sensor IP | |
Risk Name | |
Source External IPs | |
Registry Value | |
Policy Description | |
Endpoint Isolation Status | |
Tenant Name | Tenant Name |
Exposure Level | |
Similar incidents Dbot | |
Password Reset Successfully | Whether the password has been successfully reset. |
Domain Name | |
Department | Department |
Device External IPs | |
Original Alert ID | Alert ID as received from the integration JSON |
Job Code | Job Code |
End Time | The time when the offense ended. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Surname | Surname |
Source Status | |
Source Created By | |
Resource Type | |
User Block Status | |
Is Active | Alert status |
Rating | |
Last Seen | |
Raw Event | The unparsed event data. |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Unique Ports | |
EmailCampaignCanvas | |
Device Status | |
User Anomaly Count | |
Identity Type | |
External Confidence | |
Attack Mode | Attack mode as received from the integration JSON |
High Risky Users | |
Compliance Notes | Notes regarding the assets compliance. |
Detected Internal Hosts | Detected internal hosts |
Additional Indicators | |
Report Name | |
Zip Code | Zip Code |
Policy URI | |
Parent Process CMD | |
Escalation | |
Isolated | Isolated |
MITRE Tactic Name | |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Closing Reason | The closing reason |
Application Path | |
State | State |
Source Create time | |
Agent Version | Reporting Agent/Sensor Version |
Phone Number | Phone number |
Post Nat Source Port | The source port after NAT. |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Pre Nat Source IP | The source IP before NAT. |
Ticket Acknowledged Date | |
Title | Title |
Destination Geolocation | The destination geolocation of the event. |
Command Line Verdict | |
Last Modified On | |
Referenced Resource ID | |
External Last Updated Time | |
Org Level 2 | |
Email Sent Successfully | Whether the email has been successfully sent. |
Location | Location |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Account ID | |
Reporter Email Address | The email address of the user who reported the email. |
Device Name | Device Name |
Ticket Closed Date | |
Policy Deleted | |
User Groups | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Vulnerable Product | |
Detection End Time | |
Block Indicators Status | |
Rule Name | The name of a YARA rule |
User Engagement Response | |
Alert tags | |
Policy Type | |
SHA1 | SHA1 |
Primary Email Address | |
Team name | |
CVE Published | |
Rendered HTML | The HTML content in a rendered form. |
Triggered Security Profile | Triggered Security Profile |
Process SHA256 | |
IP Blocked Status | |
City | |
Additional Email Addresses | |
Process ID | |
Process CMD | |
IncomingMirrorError | |
Endpoints Details | |
Org Unit | |
CVSS | |
Follow Up | True if marked for follow up. |
Triage SLA | The time it took to investigate and enrich incident information. |
ASN | |
Alert Rules | |
Process Paths | |
Registration Email | |
MITRE Technique Name | |
Investigation Stage | The stage of the investigation. |
Domain Updated Date | |
Error Message | The error message that contains details about the error that occurred. |
Post Nat Destination Port | The destination port after NAT. |
Policy Recommendation | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Policy Details | |
Work Phone | |
OS | The operating system. |
Operation Name | |
Display Name | Display Name |
Original Description | The description of the incident |
Related Campaign | |
Last Update Time | |
Protocol names | |
User Creation Time | |
String Similarity Results | |
Source Priority | |
Classification | Incident Classification |
Source Networks | |
Policy Remediable | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Original Alert Name | Alert name as received from the integration JSON |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
External Status | |
Related Endpoints | |
app channel name | |
Use Case Description | |
Device Model | Device Model |
Custom Query Results | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Asset ID | |
External Sub Category ID | |
userAccountControl | userAccountControl |
Error Code | |
Campaign Name | |
File Creation Date | |
Account Member Of | |
Duration | |
Attack Patterns | |
User SID | |
Risk Score | |
Tactic | |
Region | |
Verdict | |
Parent Process Path | |
High Risky Hosts | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Comment | The comments related with the incident |
Log Source Type | The log source type associated with the event. |
External End Time | |
Detected Endpoints | |
External Link | |
Cloud Account ID | |
Employee Display Name | The display name of the employee. |
MITRE Technique ID | |
Policy ID | |
Internal Addresses | |
Cloud Service | |
Alert Action | Alert action as received from the integration JSON |
similarIncidents | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Mobile Device Model | |
Suspicious Executions Found | |
Location Region | Location Region |
Changed | The user who changed this incident |
Source Category | |
Log Source | Log Source |
Dest OS | Destination OS |
Post Nat Source IP | The source IP address after NAT. |
Containment SLA | The time it took to contain the incident. |
URLs | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
File Relationships | |
Hunt Results Count | |
Traffic Direction | The direction of the traffic in the event. |
Cost Center | Cost Center |
Affected Hosts | |
EmailCampaignSnippets | |
ASN Name | |
Personal Email | |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
CVE ID | |
Assignment Group | |
sAMAccountName | User sAMAAccountName |
RemovedFromCampaigns | |
Alert Type ID | |
External Start Time | |
Event ID | Event ID |
Device Hash | Device Hash |
File Hash | |
Agents ID | |
Vendor Product | |
Src OS | Src OS |
Device OS Version | |
Verification Status | The status of the user verification. |
Manager Email Address | |
Technical User | The technical user of the asset. |
Birthday | Person's Birthday |
Blocked Action | Blocked Action |
Pre Nat Destination Port | The destination port before NAT. |
Affected Users | |
App message | |
Device Time | The time from the original logging device when the event occurred. |
UUID | UUID as received from the integration JSON |
OutgoingMirrorError | |
IP Reputation | |
Subtype | Subtype |
Process MD5 | |
EmailCampaignSummary | |
Timezone | |
Detection ID | |
Org Level 3 | |
Original Events | The events associated with the offense. |
Password Changed Date | |
Number of similar files | |
Technique ID | |
Scenario | |
Related Alerts | |
Post Nat Destination IP | The destination IP address after NAT. |
Cost Center Code | Cost Center Code |
Resource Name | |
Source Id | |
EmailCampaignMutualIndicators | |
Risk Rating | |
Parent Process SHA256 | |
Technical Owner Contact | The contact details for the technical owner. |
Suspicious Executions | |
Closing User | The closing user. |
Verification Method | The method used to verify the user. |
Audit Logs | |
Ticket Number | |
Selected Indicators | Includes the indicators selected by the user. |
SSDeep | |
External Sub Category Name | |
Domain Registrar Abuse Email | |
Parent Process File Path | |
Item Owner | |
SKU Name | |
SKU TIER | |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ÖżFraud\Espionage |
Approver | The person who approved or needs to approve the request. |
Group ID | |
Detected External IPs | Detected external IPs |
Number Of Log Sources | The number of log sources related to the offense. |
Destination Networks | |
Item Owner Email | |
Tool Usage Found | |
User Id | User Id |
Incident Types
| Name | Description |
|---|---|
UnknownBinary | |
Policy Violation | |
Defacement | |
C2Communication | |
Job | |
Exfiltration | |
Network | |
Authentication | |
Simulation | |
Vulnerability | |
Hunt | |
Exploit | |
Indicator Feed | |
Reconnaissance | |
DoS | |
Lateral Movement |
Indicator Fields
| Name | Description |
|---|---|
Associated File Names | |
Size | |
Tags | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Sophistication | |
Report type | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Description | |
Job Function | |
City | City |
Vulnerable Products | |
Domain Referring Subnets | |
Rank | Used to display rank from different sources |
Operating System Refs | |
Signature Description | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Serial Number | |
Signed | |
Geo Country | |
Admin Country | |
Samples | |
Assigned user | |
Hostname | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Certificates | |
Surname | Surname |
Subject | |
STIX Threat Actor Types | |
Roles | |
Expiration Date | |
Public Key | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Signature Algorithm | |
Country Code | |
Feed Related Indicators | |
Paths | |
Resource Level | |
Office365Required | |
STIX Aliases | Alternative names used to identify this object |
SHA1 | |
Signature Authentihash | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Community Notes | |
Org Level 1 | |
Processors | |
Organization Type | |
File Extension | |
STIX Goals | |
Query Language | |
Version | |
STIX Roles | |
Domain Name | |
CVSS Score | |
Updated Date | |
Domain IDN Name | |
PEM | Certificate in PEM format. |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Definition | |
Cost Center Code | |
Registrar Abuse Phone | |
Name Servers | |
Operating System | |
Given Name | Given Name |
imphash | |
Account Type | |
SSDeep | |
Domains | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Name | |
Username | |
Category | |
STIX Resource Level | |
Registrant Email | |
Behavior | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Device Model | |
Email Address | |
Subdomains | |
Detection Engines | Total number of engines that checked the indicator |
Domain Status | |
Path | |
Job Code | Job Code |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Internal | |
STIX Primary Motivation. | |
CVSS Version | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Port | |
Acquisition Hire | Whether the employee is an acquisition hire. |
CVSS Table | |
File Type | |
Organization | |
Infrastructure Types | |
CVSS3 | |
Org Level 3 | |
Office365Category | |
Signature Internal Name | |
Extension | |
Actor | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Confidence | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
BIOS Version | |
Entry ID | |
Registrant Phone | |
Department | Department |
Registrar Name | |
Is Malware Family | |
DHCP Server | |
Published | |
Architecture | |
Subject DN | Subject Distinguished Name |
STIX Tool Version | |
Cost Center | |
Campaign | |
Registrar Abuse Address | |
Operating System Version | |
Tool Version | |
Signature Original Name | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Zip Code | |
Location | |
SHA256 | |
Vulnerabilities | |
Download URL | |
Detections | |
Assigned role | |
Secondary Motivations | |
Location Region | |
Mobile Phone | |
Tool Types | |
Implementation Languages | |
Country Name | |
IP Address | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Memory | |
Short Description | |
CVSS Vector | |
Admin Name | |
Manager Email Address | |
Personal Email | |
Org Level 2 | |
Issuer DN | Issuer Distinguished Name |
Admin Phone | |
Blocked | |
Signature Copyright | |
CVSS | |
Threat Actor Types | |
Whois Records | |
Action | |
Organizational Unit (OU) | |
STIX Malware Types | |
Certificate Validation Checks | |
Goals | |
Registrant Name | |
Certificate Names | |
Street Address | |
Indicator Identification | |
Product | |
Force Sync | Whether to force user synchronization. |
User ID | |
CVE Modified | |
Commands | |
Signature File Version | |
Office365ExpressRoute | |
Geo Location | |
Work Phone | |
Display Name | |
MD5 | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Malware Family | |
Admin Email | |
CVE Description | |
Objective | |
Source Priority | |
State | |
Domain Referring IPs | |
STIX Description | |
Job Family | |
Org Unit | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Vendor | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Leadership | |
Author | |
Quarantined | Whether the indicator is quarantined or isolated |
Subject Alternative Names | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Malware types | |
Registrar Abuse Email | |
Groups | |
Registrar Abuse Country | |
SHA512 | |
STIX Secondary Motivations | |
DNS | |
X.509 v3 Extensions | |
Number of subkeys | |
Name Field | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Targets | |
Capabilities | |
STIX Tool Types | |
Aliases | Alternative names used to identify this object |
Registrar Abuse Name | |
AS Owner | |
Country Code Number | |
Issuer | |
Processor | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Primary Motivation | |
Region | |
Mitre Tactics | |
Manager Name | Manager Name |
ASN | |
Registrant Country | |
Registrar Abuse Network | |
Associations | Known associations to other pieces of Threat Data. |
Publications | |
DNS Records | |
STIX Sophistication | |
Title | Title |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Mitre ID | |
Is Processed | |
Certificate Signature | |
Creation Date | |
Applications | |
Key Value | |
Reports | |
Report Object References | A list of STIX IDs referenced in the report. |
OS Version | |
STIX Is Malware Family |
Layoutrule
| Name | Description |
|---|---|
Indicator Feed Layout Rule | |
Vulnerability Layout Rule |
Layouts
| Name | Description |
|---|---|
URL Indicator | URL Indicator Layout |
Malware Indicator | Malware Indicator Layout |
CVE Indicator | CVE Indicator Layout |
File Indicator | File Indicator Layout |
Mutex | Mutex indicator layout |
Domain Indicator | Domain Indicator Layout |
Email Indicator | Email Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Course of Action | Course of Action Indicator Layout |
IP Indicator | IP Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Account Indicator | Account Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Campaign | Campaign Indicator Layout |
ASN | ASN Indicator Layout |
Vulnerability Incident | |
Report | Report Indicator Layout |
Identity | Identity indicator layout |
Host Indicator | Host indicator layout |
Software | Software Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Indicator Feed Incident | |
Threat Actor | Threat Actor Indicator Layout |
Location | Location indicator layout |
Indicator Types
| Name | Description |
|---|---|
Identity | |
Software | |
CIDR | |
Mutex | |
File SHA-256 | |
Infrastructure | |
File SHA-1 | |
Registry Key | |
IP | |
Attack Pattern | |
CVE | |
IPv6CIDR | |
Tool | |
ASN | |
File MD5 | |
Tactic | |
Report | |
Threat Actor | |
Account | |
Onion Address | |
Domain | |
URL | |
Campaign | |
Malware | |
Host | |
Intrusion Set | |
File | |
Location | |
DomainGlob | |
ssdeep | |
X509 Certificate | |
IPv6 | |
Course of Action |
Required Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
Optional Content Packs (57)
All level dependencies (3)
| Pack Name | Pack By |
|---|---|
| Common Scripts | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
3.9.0 - 4121830 (July 10, 2025)
- 40208
Download
Incident Fields
Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
- 40208
Download
3.8.3 - 2086795 (January 27, 2025)
- 38269
Download
Indicator Types
- IPv6
- Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
- Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.
- 38269
Download
3.8.2 - 1903608 (December 31, 2024)
3.8.0 - 1873754 (December 25, 2024)
- 37659
Download
Incident Fields
Username
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Cloud Service
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.First Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Display Name
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Device Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Vendor Product
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Update Time
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.User Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.
- 37659
Download
3.7.0 - 1834150 (December 18, 2024)
3.6.0 - 1663384 (November 18, 2024)
- 37022
Download
Indicator Fields
New: Organization Prevalence
Added new number field which represents the number of times the indicator is detected in the organization.
New: Global Prevalence
Added new number field which represents the number of times the indicator is detected across all organizations.
New: Organization First Seen
Added new date field which represents when the indicator was first seen in the organization.
New: Organization Last Seen
Added new date field which represents when the indicator was last seen in the organization.
Indicator Types
File
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceFile.OrganizationPrevalence globalprevalenceFile.GlobalPrevalence organizationfirstseenFile.OrganizationFirstSeen organizationlastseenFile.OrganizationLastSeen firstseenbysourceFile.FirstSeenBySource lastseenbysourceFile.LastSeenBySource Domain
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceDomain.OrganizationPrevalence globalprevalenceDomain.GlobalPrevalence organizationfirstseenDomain.OrganizationFirstSeen organizationlastseenDomain.OrganizationLastSeen firstseenbysourceDomain.FirstSeenBySource lastseenbysourceDomain.LastSeenBySource URL
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceURL.OrganizationPrevalence globalprevalenceURL.GlobalPrevalence organizationfirstseenURL.OrganizationFirstSeen organizationlastseenURL.OrganizationLastSeen firstseenbysourceURL.FirstSeenBySource lastseenbysourceURL.LastSeenBySource IP
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceIP.OrganizationPrevalence globalprevalenceIP.GlobalPrevalence organizationfirstseenIP.OrganizationFirstSeen organizationlastseenIP.OrganizationLastSeen firstseenbysourceIP.FirstSeenBySource lastseenbysourceIP.LastSeenBySource IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
|organizationprevalence| IPv6.OrganizationPrevalence |
|globalprevalence| IPv6.GlobalPrevalence |
|organizationfirstseen| IPv6.OrganizationFirstSeen |
|organizationlastseen| IPv6.OrganizationLastSeen |
|firstseenbysource| IPv6.FirstSeenBySource |
|lastseenbysource| IPv6.LastSeenBySource |
- 37022
Download
3.5.24 - 1609112 (November 7, 2024)
- 37071
Download
Layouts
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
- 37071
Download
3.5.20 - 1445410 (September 29, 2024)
3.5.18 - 1419889 (September 23, 2024)
3.5.16 - 1370357 (September 11, 2024)
- 36021
Download
Layouts
File Indicator
Updated layout with
canvastab.Account Indicator
Updated layout with
canvastab.Report
Updated layout with
canvastab.Threat Actor
Updated layout with
canvastab.URL Indicator
Updated layout with
canvastab.X509 Certificate
Updated layout with
canvastab.Mutex
Updated layout with
canvastab.Campaign
Updated layout with
canvastab.Location
Updated layout with
canvastab.Tool Indicator
Updated layout with
canvastab.Attack Pattern
Updated layout with
canvastab.Infrastructure
Updated layout with
canvastab.IP Indicator
Updated layout with
canvastab.Malware Indicator
Updated layout with
canvastab.Course of Action
Updated layout with
canvastab.Host Indicator
Updated layout with
canvastab.Tool
Updated layout with
canvastab.Email Indicator
Updated layout with
canvastab.CVE Indicator
Updated layout with
canvastab.Domain Indicator
Updated layout with
canvastab.Identity
Updated layout with
canvastab.Software
Updated layout with
canvastab.Intrusion Set
Updated layout with
canvastab.ASN
Updated layout with
canvastab.Registry Key Indicator
Updated layout with
canvastab.Malware
Updated layout with
canvastab.
- 36021
Download
3.5.14 - 1340401 (September 3, 2024)
- 35794
Download
Incident Fields
External ID
Added support for the External ID field in the Exabeam Security Operations Platform.Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.
- 35794
Download
3.5.12 - 1284734 (August 18, 2024)
- 35705
Download
Layouts
File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
- 35705
Download
3.9.0 - 4118212 (July 9, 2025)
- 40208
Download
Incident Fields
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
- 40208
Download
3.8.3 - 2086795 (January 27, 2025)
- 38269
Download
Indicator Types
- IPv6
- Fixed an issue with the IPv6 indicator type regex not extracting an IPv6 address properly in certain cases in which a colon appeared in front of the address.
- Fixed an issue with the IPv6 indicator type regex extracting an IPv6 address from a substring of a hash fingerprint.
- 38269
Download
3.8.2 - 1900707 (December 31, 2024)
3.8.0 - 1873754 (December 25, 2024)
- 37659
Download
Incident Fields
Cloud Service
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.First Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Seen
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Display Name
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Device Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Vendor Product
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.Last Update Time
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.User Id
Added theCrowdStrike Falcon OFP Detectionincident type as an associated type.
- 37659
Download
3.6.0 - 1663384 (November 18, 2024)
- 37022
Download
Indicator Fields
New: Organization Prevalence
Added new number field which represents the number of times the indicator is detected in the organization.
New: Global Prevalence
Added new number field which represents the number of times the indicator is detected across all organizations.
New: Organization First Seen
Added new date field which represents when the indicator was first seen in the organization.
New: Organization Last Seen
Added new date field which represents when the indicator was last seen in the organization.
Indicator Types
File
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceFile.OrganizationPrevalence globalprevalenceFile.GlobalPrevalence organizationfirstseenFile.OrganizationFirstSeen organizationlastseenFile.OrganizationLastSeen firstseenbysourceFile.FirstSeenBySource lastseenbysourceFile.LastSeenBySource Domain
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceDomain.OrganizationPrevalence globalprevalenceDomain.GlobalPrevalence organizationfirstseenDomain.OrganizationFirstSeen organizationlastseenDomain.OrganizationLastSeen firstseenbysourceDomain.FirstSeenBySource lastseenbysourceDomain.LastSeenBySource URL
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceURL.OrganizationPrevalence globalprevalenceURL.GlobalPrevalence organizationfirstseenURL.OrganizationFirstSeen organizationlastseenURL.OrganizationLastSeen firstseenbysourceURL.FirstSeenBySource lastseenbysourceURL.LastSeenBySource IP
Added default mapping to the indicator fields:CLI Name Context Path organizationprevalenceIP.OrganizationPrevalence globalprevalenceIP.GlobalPrevalence organizationfirstseenIP.OrganizationFirstSeen organizationlastseenIP.OrganizationLastSeen firstseenbysourceIP.FirstSeenBySource lastseenbysourceIP.LastSeenBySource IPv6
Added default mapping to the indicator fields:
| CLI Name | Context Path |
| --- | --- |
|organizationprevalence| IPv6.OrganizationPrevalence |
|globalprevalence| IPv6.GlobalPrevalence |
|organizationfirstseen| IPv6.OrganizationFirstSeen |
|organizationlastseen| IPv6.OrganizationLastSeen |
|firstseenbysource| IPv6.FirstSeenBySource |
|lastseenbysource| IPv6.LastSeenBySource |
- 37022
Download
3.5.24 - 1609112 (November 7, 2024)
- 37071
Download
Layouts
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.Registry Key Indicator
Changed the name of the "Reputation" in quick-view section to "Verdict" as per the convention.Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
- 37071
Download
3.5.20 - 1445410 (September 29, 2024)
3.5.18 - 1419889 (September 23, 2024)
3.5.16 - 1370357 (September 11, 2024)
- 36021
Download
Layouts
File Indicator
Updated layout with
canvastab.Account Indicator
Updated layout with
canvastab.Report
Updated layout with
canvastab.Threat Actor
Updated layout with
canvastab.URL Indicator
Updated layout with
canvastab.X509 Certificate
Updated layout with
canvastab.Mutex
Updated layout with
canvastab.Campaign
Updated layout with
canvastab.Location
Updated layout with
canvastab.Tool Indicator
Updated layout with
canvastab.Attack Pattern
Updated layout with
canvastab.Infrastructure
Updated layout with
canvastab.IP Indicator
Updated layout with
canvastab.Malware Indicator
Updated layout with
canvastab.Course of Action
Updated layout with
canvastab.Host Indicator
Updated layout with
canvastab.Tool
Updated layout with
canvastab.Email Indicator
Updated layout with
canvastab.CVE Indicator
Updated layout with
canvastab.Domain Indicator
Updated layout with
canvastab.Identity
Updated layout with
canvastab.Software
Updated layout with
canvastab.Intrusion Set
Updated layout with
canvastab.ASN
Updated layout with
canvastab.Registry Key Indicator
Updated layout with
canvastab.Malware
Updated layout with
canvastab.
- 36021
Download
3.5.12 - 1284734 (August 18, 2024)
- 35705
Download
Layouts
File Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Domain Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)URL Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)Email Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)IP Indicator
Updated the layout to support enrichment excluded indicators - added a toggle switch when editing the indicator to mark it as "Enrichment Excluded", Once excluded, the "Enrich" buttons will be disabled, a new banner will be displayed next to the indicator value, and a field called "Enrichment Excluded" will be added to the layout and will show as "True". (From Cortex XSOAR 8.8)
- 35705
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | July 26, 2020 | |
| Last Release | July 22, 2025 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
