Pack Contributors:
- Francisco Javier Fernández Jiménez
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides you with the most commonly used incident and indicator fields and types.
Classifier / Mapper | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Field | Description |
---|---|
Device OS Version | |
Policy Details | |
Source Create time | |
Ticket Number | |
User SID | |
Application Name | Application Name |
sAMAccountName | User sAMAccountName |
Device Status | |
Ticket Acknowledged Date | |
End Time | The time when the offense ended. |
Device MAC Address | |
Destination Networks | |
Detected Users | Detected users |
Additional Data | |
Source Port | The source port that was used |
Alert Type ID | |
Alert URL | Alert URL as received from the integration JSON |
User Block Status | |
Dest Hostname | Destination hostname |
Assignment Group | |
Endpoints Details | |
App message | |
User Engagement Response | |
Triage SLA | The time it took to investigate and enrich incident information. |
CVE Published | |
DNS Name | The DNS name of the asset. |
Hunt Results Count | |
Detected Endpoints | |
Srcs | The source values. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
CVE | |
Device Local IP | Device Local IP |
Process Paths | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
EmailCampaignSnippets | |
Src User | Source User |
Process SHA256 | |
Title | Title |
Timezone | |
Isolated | Isolated |
Device External IP | Device External IP |
Status Reason | |
Source External IPs | |
Event Descriptions | The description of the event name. |
Detection Update Time | |
Risk Rating | |
Event Type | Event Type |
Detected Internal IPs | Detected internal IPs |
Department | Department |
Detected External Hosts | Detected external hosts |
Command Line Verdict | |
Process Path | |
Mobile Device Model | |
Unique Ports | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Display Name | Display Name |
Changed | The user who changed this incident |
Classification | Incident Classification |
Number Of Log Sources | The number of log sources related to the offense. |
MD5 | MD5 |
Post Nat Destination Port | The destination port after NAT. |
Policy Remediable | |
Policy Actions | |
Employee Display Name | The display name of the employee. |
Policy Recommendation | |
EmailCampaignCanvas | |
External Addresses | |
Number of Related Incidents | |
Region | |
Source MAC Address | The source MAC address in an event. |
Cloud Instance ID | Cloud Instance ID |
Report Name | |
Detected IPs | |
Sub Category | The sub category |
Sensor Name | |
Manager Email Address | |
Employee Manager Email | The email address of the employee's manager. |
Endpoint | |
Subtype | Subtype |
Follow Up | True if marked for follow up. |
Similar incidents Dbot | |
Policy ID | |
Detection End Time | |
Users Details | |
EmailCampaignSummary | |
Last Update Time | |
Domain Name | |
Cloud Operation Type | |
Description | The description of the incident |
OutgoingMirrorError | |
Parent CMD line | |
Tactic | |
Tool Usage Found | |
Rendered HTML | The HTML content in a rendered form. |
Technical Owner Contact | The contact details for the technical owner. |
Device OU | Device's OU path in Active Directory |
Resource Name | |
Assigned User | Assigned User |
Account Member Of | |
MITRE Tactic ID | |
Org Level 3 | |
Post Nat Destination IP | The destination IP address after NAT. |
Mobile Phone | |
Job Code | Job Code |
CVE ID | |
CVSS | |
Policy Type | |
Full Name | Person's Full Name |
PID | PID |
Cost Center | Cost Center |
Country Code | |
Tags | |
High Level Categories | The high level categories in the events. |
External Severity | |
Last Modified On | |
Additional Indicators | |
Process MD5 | |
Alert Attack Time | |
File SHA256 | |
Attack Patterns | |
Resource Type | |
Alert ID | Alert ID as received from the integration JSON |
Protocol - Event | The network protocol in the event. |
Custom Query Results | |
MITRE Tactic Name | |
File Name | |
Parent Process | |
Org Level 2 | |
Technical User | The technical user of the asset. |
Birthday | Person's Birthday |
Zip Code | Zip Code |
Additional Email Addresses | |
User Creation Time | |
State | State |
Source IP | The IP Address that the user initially logged in from. |
Resource ID | |
Tactic ID | |
Closing Reason | The closing reason |
Parent Process IDs | |
Resource URL | |
Src Hostname | Source hostname |
Categories | The categories for the incident. |
Alert Name | Alert name as received from the integration JSON |
Account Name | Account Name |
Device External IPs | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Password Changed Date | |
High Risky Users | |
First Seen | |
Post Nat Source Port | The source port after NAT. |
Device Model | Device Model |
Number of similar files | |
Compliance Notes | Notes regarding the asset's compliance. |
Appliance ID | Appliance ID as received from the integration JSON |
Blocked Action | Blocked Action |
File Hash | |
Detected Internal Hosts | Detected internal hosts |
Last Seen | |
Source Status | |
External Confidence | |
Last Modified By | |
Agents ID | |
Source Networks | |
Policy Deleted | |
Src | Source |
Application Id | Application Id |
String Similarity Results | |
Related Campaign | |
Error Code | |
ASN Name | |
Registry Value | |
Log Source Type | The log source type associated with the event. |
CMD | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
User Risk Level | |
Email Sent Successfully | Whether the email has been successfully sent. |
File Access Date | |
Item Owner Email | |
Duration | |
ASN | |
SHA1 | SHA1 |
Leadership | |
IP Reputation | |
Alert Source | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Dest OS | Destination OS |
Parent Process CMD | |
Destination IPV6 | The destination IPV6 address. |
Log Source Name | The log source name associated with the event. |
Cloud Region List | |
EmailCampaignMutualIndicators | |
Macro Source Code | If a Microsoft Office file such as docm, xlsm or pptm contains a macro, this field holds the source code of the macro. |
Related Report | |
Events | The events associated with the offense. |
Tools | |
Process Name | |
External Status | |
Vulnerability Category | |
Detected External IPs | Detected external IPs |
Related Endpoints | |
Parent Process Name | |
Destination IPs | The destination IPs of the event. |
Pre Nat Destination Port | The destination port before NAT. |
Account Status | |
User Groups | |
Parent Process SHA256 | |
Triggered Security Profile | Triggered Security Profile |
Approval Status | The status for the approval of the request. |
Country | The country from which the user logged in. |
External Category ID | |
Protocols | |
External Category Name | |
Ticket Opened Date | |
Country Code Number | |
User Anomaly Count | |
Exposure Level | |
City | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Threat Hunting Detected IP | |
SKU Name | |
Alert Category | The category of the alert |
Device Id | Device Id |
Internal Addresses | |
Caller | |
app channel name | |
Parent Process File Path | |
File Relationships | |
Src OS | Src OS |
Project ID | |
Protocol | Protocol |
File MD5 | |
External Start Time | |
SHA512 | SHA512 |
Rating | |
External Link | |
Traffic Direction | The direction of the traffic in the event. |
Source Category | |
Location | Location |
Affected Hosts | |
File Path | |
Country Name | Country Name |
Log Source | Log Source |
Destination Hostname | Destination hostname |
Application Path | |
Source IPV6 | The source IPV6 address. |
Location Region | Location Region |
Username | The username of the account who logged in. |
Event Names | The event name (translated QID) in the event. |
Event ID | Event ID |
Category Count | The number of categories that are associated with the offense. |
Is Active | Alert status |
Start Time | The time when the offense started. |
Command Line | Command Line |
Affected Users | |
External Sub Category Name | |
Scenario | |
Ticket Closed Date | |
userAccountControl | userAccountControl |
Vulnerable Product | |
Device OS Name | |
Personal Email | |
Policy URI | |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
File SHA1 | |
Parent Process Path | |
OS | The operating system. |
Alert Malicious | Whether the alert is malicious. |
Group ID | |
External Sub Category ID | |
Escalation | |
SKU TIER | |
Alert Rules | |
Vendor Product | |
File Paths | |
UUID | UUID as received from the integration JSON |
Endpoint Isolation Status | |
Region ID | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Campaign Name | |
Alert tags | |
Acquisition Hire | |
External ID | |
Cloud Account ID | |
Source Updated by | |
Objective | |
Device Name | Device Name |
Use Case Description | |
MITRE Technique ID | |
MAC Address | MAC Address |
Employee Email | The email address of the employee. |
MITRE Technique Name | |
Referenced Resource ID | |
Risk Score | |
Appliance Name | Appliance name as received from the integration JSON |
Reporter Email Address | The email address of the user who reported the email. |
Threat Name | The threat name, such as malware, exploit or phishing. |
Sensor IP | |
Cloud Service | |
Rule Name | The name of a YARA rule |
Account ID | |
Primary Email Address | |
Job Function | Job Function |
List Of Rules - Event | The list of rules associated with an event. |
Source Urgency | Source Urgency |
Process Creation Time | |
Verdict | |
Destination MAC Address | The destination MAC address in an event. |
First Name | First Name |
Verification Status | The status of the user verification. |
Device Internal IPs | |
Technique ID | |
Agent Version | Reporting Agent/Sensor Version |
Related Alerts | |
Source Priority | |
Dest | Destination |
Policy Description | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Parent Process MD5 | |
Team name | |
Containment SLA | The time it took to contain the incident. |
Operation Name | |
Source Network | |
IncomingMirrorError | |
Cost Center Code | Cost Center Code |
Item Owner | |
Source Hostname | The hostname that performed the port scan. |
Registry Hive | |
Given Name | Given Name |
Registry Value Type | |
Street Address | |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
Hostnames | The hostname in the event. |
Asset ID | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
File Names | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Device Username | The username of the user that owns the device |
Org Unit | |
Usernames | The username in the event. |
Source Geolocation | The source geolocation of the event. |
Number Of Found Related Alerts | The number of related alerts found with medium or higher severity. |
Registry Key | |
OS Version | OS Version |
Block Indicators Status | |
Low Level Categories Events | The low level category of the event. |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Source Id | |
Manager Name | Manager Name |
Bugtraq | |
Dsts | The destination values. |
Org Level 1 | |
Surname | Surname |
Alert Action | Alert action as received from the integration JSON |
Attack Mode | Attack mode as received from the integration JSON |
Src NT Domain | Source NT Domain |
Destination IP | The IP address the impossible traveler logged in to. |
Src Ports | The source ports of the event. |
Identity Type | |
Phone Number | Phone number |
Device Hash | Device Hash |
Source Created By | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
File Size | File Size |
Last Name | Last Name |
App | |
Raw Event | The unparsed event data. |
Technique | |
Users | |
Vendor ID | |
Detection ID | |
Destination Network | |
Investigation Stage | The stage of the investigation. |
High Risky Hosts | |
User Agent | |
similarIncidents | |
User Id | User Id |
URLs | |
Incident Link | |
Referenced Resource Name | |
Close Time | The closing time. |
Child Process | |
Comment | The comments related to the incident. |
Verification Method | The method used to verify the user. |
Post Nat Source IP | The source IP address after NAT. |
Technical Owner | The technical owner of the asset. |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Pre Nat Source Port | The source port before NAT. |
Tenant Name | Tenant Name |
SSDeep | |
IP Blocked Status | |
Policy Severity | |
Pre Nat Source IP | The source IP before NAT. |
Closing User | The closing user. |
Password Reset Successfully | Whether the password has been successfully reset. |
Threat Hunting Detected Hostnames | |
Selected Indicators | Includes the indicators selected by the user. |
SHA256 | SHA256 |
Dest NT Domain | Destination NT Domain |
Error Message | The error message that contains details about the error that occurred. |
Cloud Resource List | |
Protocol names | |
Destination Port | The destination port used. |
Dst Ports | The destination ports of the event. |
Approver | The person who approved or needs to approve the request. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Work Phone | |
Source Username | The username that was the source of the attack. |
Device Time | The time from the original logging device when the event occurred. |
Suspicious Executions | |
Signature | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Job Family | Job Family |
External System ID | |
Suspicious Executions Found | |
OS Type | OS Type |
CMD line | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Source IPs | The source IPs of the event. |
External End Time | |
Process CMD | |
Process ID | |
Detected User | |
File Creation Date | |
Agent ID | Agent ID |
Process Names | |
Destination Geolocation | The destination geolocation of the event. |
Incident Type | Description |
---|---|
Exploit | |
Indicator Feed | |
Hunt | |
Network | |
Lateral Movement | |
Policy Violation | |
Vulnerability | |
C2Communication | |
Authentication | |
Defacement | |
DoS | |
Job | |
Reconnaissance | |
UnknownBinary | |
Simulation | |
Exfiltration | |
Indicator Field | Description |
---|---|
Signature Authentihash | |
Infrastructure Types | |
Memory | |
Whois Records | |
Publications | |
Path | |
Secondary Motivations | |
Malware types | |
STIX Tool Types | |
Architecture | |
Expiration Date | |
Admin Email | |
Quarantined | Whether the indicator is quarantined or isolated |
Admin Phone | |
Paths | |
Job Code | Job Code |
Device Model | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Processors | |
Organization | |
DHCP Server | |
Registrant Email | |
Feed Related Indicators | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Groups | |
Samples | |
Capabilities | |
Acquisition Hire | Whether the employee is an acquisition hire. |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Registrar Abuse Name | |
User ID | |
MD5 | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Signature Copyright | |
Key Value | |
Number of subkeys | |
Org Level 2 | |
Blocked | |
Subject Alternative Names | |
Validity Not After | |
CVE Modified | |
CVSS Score | |
Signature Internal Name | |
Surname | Surname |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Domain IDN Name | |
Internal | |
STIX Description | |
Mitre Tactics | |
Work Phone | |
Hostname | |
STIX Is Malware Family | |
STIX Primary Motivation | |
Updated Date | |
Registrar Abuse Network | |
Is Malware Family | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Organizational Unit (OU) | |
Domain Status | |
Primary Motivation | |
Signature Algorithm | |
Category | |
OS Version | |
Validity Not Before | |
Operating System | |
File Extension | |
Job Family | |
State | |
Department | Department |
Commands | |
CVSS | |
Indicator Identification | |
AS Owner | |
Sophistication | |
Threat Actor Types | |
Report Object References | A list of STIX IDs referenced in the report. |
Domain Referring Subnets | |
Certificates | |
Street Address | |
Domains | |
Assigned role | |
STIX Secondary Motivations | |
Office365ExpressRoute | |
Geo Country | |
Region | |
STIX ID | An identifier that uniquely identifies a STIX Object; it MAY do so in a deterministic way. |
CVE Description | |
Signed | |
Organization Type | |
Extension | |
Detections | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Creation Date | |
Signature File Version | |
STIX Sophistication | |
Subdomains | |
STIX Roles | |
Confidence | |
File Type | |
Rank | Used to display rank from different sources |
Associated File Names | |
Location Region | |
SHA1 | |
Registrant Name | |
Objective | |
Serial Number | |
STIX Threat Actor Types | |
Source Priority | |
Cost Center Code | |
Resource Level | |
Actor | |
Processor | |
Targets | |
Registrar Name | |
Reports | |
STIX Tool Version | |
Domain Name | |
Domain Referring IPs | |
Org Level 3 | |
MAC Address | |
DNS Records | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Signature Original Name | |
Threat Types | The threat category associated with this indicator by the source vendor, for example Phishing, Command & Control or TOR. |
Name Servers | |
Org Unit | |
Admin Name | |
Download URL | |
Is Processed | |
Port | |
Vulnerabilities | |
BIOS Version | |
Aliases | Alternative names used to identify this object |
SSDeep | |
Geo Location | |
Registrar Abuse Email | |
Signature Description | |
Leadership | |
Certificate Signature | |
CVSS Version | |
PEM | Certificate in PEM format. |
Malware Family | |
Campaign | |
Personal Email | |
Tags | |
Office365Required | |
STIX Resource Level | |
Subject DN | Subject Distinguished Name |
City | City |
DNS | |
STIX Malware Types | |
STIX Goals | |
Vendor | |
Display Name | |
Tool Version | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Country Code Number | |
Mitre ID | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Registrant Phone | |
Org Level 1 | |
Admin Country | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Operating System Refs | |
Issuer DN | Issuer Distinguished Name |
Username | |
Manager Email Address | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
CVSS3 | |
Tool Types | |
IP Address | |
Name Field | |
Zip Code | |
ASN | |
SHA256 | |
CVSS Table | |
Country Code | |
Size | |
Mobile Phone | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Implementation Languages | |
Issuer | |
Version | |
Office365Category | |
Report type | |
Operating System Version | |
Name | |
Certificate Names | |
Title | Title |
Public Key | |
Roles | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Registrar Abuse Country | |
Short Description | |
imphash | |
Location | |
STIX Aliases | Alternative names used to identify this object |
X.509 v3 Extensions | |
Community Notes | |
CVSS Vector | |
Detection Engines | Total number of engines that checked the indicator |
Description | |
Certificate Validation Checks | |
Registrant Country | |
Associations | Known associations to other pieces of Threat Data. |
Assigned user | |
Force Sync | Whether to force user synchronization. |
Manager Name | Manager Name |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
SHA512 | |
Published | |
Registrar Abuse Address | |
Subject | |
Entry ID | |
Vulnerable Products | |
Registrar Abuse Phone | |
Email Address | |
Goals | |
Account Type | |
Behavior | |
Action | |
Job Function | |
Cost Center | |
Given Name | Given Name |
Applications | |
Country Name | |
Layout | Description |
---|---|
Malware | |
IP Indicator | IP Indicator Layout |
Account Indicator | Account Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Threat Actor | Threat Actor Indicator Layout |
Campaign | Campaign Indicator Layout |
Malware Indicator | Malware Indicator Layout |
CVE Indicator | CVE Indicator Layout |
File Indicator | File Indicator Layout |
Domain Indicator | Domain Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Indicator Feed Incident | |
Host Indicator | Host indicator layout |
Mutex | Mutex indicator layout |
Software | Software Indicator Layout |
ASN | ASN Indicator Layout |
Report | Report Indicator Layout |
Identity | Identity indicator layout |
Vulnerability Incident | |
Registry Key Indicator | Registry Key Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Email Indicator | Email Indicator Layout |
URL Indicator | URL Indicator Layout |
Location | Location indicator layout |
Indicator Type | Description |
---|---|
File MD5 | |
File SHA-1 | |
Report | |
Domain | |
Malware | |
CVE | |
Host | |
Location | |
Infrastructure | |
Course of Action | |
Mutex | |
Registry Key | |
Software | |
Intrusion Set | |
ASN | |
IPv6CIDR | |
Identity | |
DomainGlob | |
Tool | |
URL | |
IPv6 | |
CIDR | |
IP | |
X509 Certificate | |
Attack Pattern | |
Threat Actor | |
ssdeep | |
Campaign | |
File SHA-256 | |
File | |
Onion Address | |
Account | |
Incident Field | Description |
---|---|
Ticket Number | |
Password Changed Date | |
Source Priority | |
Original Alert Name | Alert name as received from the integration JSON |
Users Details | |
MITRE Tactic Name | |
Cloud Service | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Cost Center | Cost Center |
Blocked Action | Blocked Action |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Device Hash | Device Hash |
Rating | |
Assignment Group | |
Custom Query Results | |
Country Code Number | |
Acquisition Hire | |
Alert Rules | |
Referenced Resource ID | |
MITRE Technique ID | |
Process ID | |
Close Time | The closing time. |
Process Creation Time | |
Primary Email Address | |
Sub Category | The sub category |
Cloud Instance ID | Cloud Instance ID |
Agents ID | |
Event ID | Event ID |
Use Case Description | |
Device Internal IPs | |
Post Nat Destination IP | The destination IP address after NAT. |
userAccountControl | userAccountControl |
Policy URI | |
Number of Related Incidents | |
Item Owner | |
First Seen | |
External Category Name | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Org Level 3 | |
Parent Process File Path | |
Rendered HTML | The HTML content in a rendered form. |
External Severity | |
Tenant Name | Tenant Name |
Containment SLA | The time it took to contain the incident. |
Last Update Time | |
Process Names | |
Alert Type ID | |
Event Names | The event name (translated QID) in the event. |
User Anomaly Count | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
User Creation Time | |
Vendor ID | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
High Risky Hosts | |
Pre Nat Source IP | The source IP before NAT. |
ASN | |
User SID | |
Tools | |
Comment | The comments related to the incident. |
Error Message | The error message that contains details about the error that occurred. |
Process CMD | |
Internal Addresses | |
Similar incidents Dbot | |
File Hash | |
EmailCampaignSnippets | |
OS | The operating system. |
Item Owner Email | |
External Sub Category ID | |
Parent Process CMD | |
Policy Type | |
Last Modified By | |
Verification Method | The method used to verify the user. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
City | |
Triggered Security Profile | Triggered Security Profile |
File Access Date | |
Log Source Name | The log source name associated with the event. |
Region | |
CVE | |
Source Created By | |
Affected Hosts | |
Policy Actions | |
Source Networks | |
Device OS Version | |
User Groups | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Device Id | Device Id |
Policy Description | |
Tactic ID | |
Cloud Account ID | |
Full Name | Person's Full Name |
Category Count | The number of categories that are associated with the offense. |
External Category ID | |
Approval Status | The status for the approval of the request. |
Number Of Log Sources | The number of log sources related to the offense. |
Pre Nat Destination Port | The destination port before NAT. |
Macro Source Code | If a Microsoft Office file such as docm, xlsm or pptm contains a macro, this field holds the source code of the macro. |
Original Alert ID | Alert ID as received from the integration JSON |
File Creation Date | |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
Cloud Region List | |
Device Name | Device Name |
Asset ID | |
Event Descriptions | The description of the event name. |
Vulnerable Product | |
Personal Email | |
Password Reset Successfully | Whether the password has been successfully reset. |
Ticket Acknowledged Date | |
Policy Remediable | |
Pre Nat Source Port | The source port before NAT. |
Project ID | |
CVE Published | |
Post Nat Source Port | The source port after NAT. |
Dsts | The destination values. |
CVE ID | |
Domain Name | |
Error Code | |
Title | Title |
User Engagement Response | |
Employee Display Name | The display name of the employee. |
External System ID | |
User Block Status | |
Original Alert Source | |
Location | Location |
Operation Name | |
Source Create time | |
External End Time | |
Manager Name | Manager Name |
Threat Name | The threat name, such as malware, exploit or phishing. |
Suspicious Executions | |
Manager Email Address | |
Group ID | |
Log Source | Log Source |
Detection End Time | |
Additional Email Addresses | |
Technical Owner | The technical owner of the asset. |
Device OU | Device's OU path in Active Directory |
Registry Key | |
Account Status | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Given Name | Given Name |
Attack Patterns | |
Job Function | Job Function |
Related Alerts | |
Leadership | |
Risk Score | |
Alert Action | Alert action as received from the integration JSON |
Technical Owner Contact | The contact details for the technical owner. |
Source Urgency | Source Urgency |
Tool Usage Found | |
Alert Malicious | Whether the alert is malicious. |
High Risky Users | |
Process Paths | |
Last Modified On | |
IncomingMirrorError | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Display Name | Display Name |
End Time | The time when the offense ended. |
IP Blocked Status | |
Mobile Device Model | |
File Relationships | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Affected Users | |
Signature | |
Surname | Surname |
ASN Name | |
Caller | |
Number Of Found Related Alerts | The number of related alerts found with medium or higher severity. |
Related Report | |
App message | |
Account Member Of | |
Log Source Type | The log source type associated with the event. |
Changed | The user who changed this incident |
Post Nat Destination Port | The destination port after NAT. |
sAMAccountName | User sAMAccountName |
Parent Process IDs | |
Source Category | |
Additional Data | |
Policy Recommendation | |
Vendor Product | |
Traffic Direction | The direction of the traffic in the event. |
Source Geolocation | The source geolocation of the event. |
Source External IPs | |
Registry Value Type | |
EmailCampaignMutualIndicators | |
Source Status | |
EmailCampaignCanvas | |
Policy Severity | |
Verification Status | The status of the user verification. |
Detected Internal Hosts | Detected internal hosts |
Mobile Phone | |
Work Phone | |
Device Time | The time from the original logging device when the event occurred. |
Detection ID | |
Destination Networks | |
Post Nat Source IP | The source IP address after NAT. |
SHA512 | SHA512 |
Job Family | Job Family |
OutgoingMirrorError | |
Report Name | |
Registry Value | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Alert tags | |
Vulnerability Category | |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Department | Department |
Identity Type | |
Destination IPV6 | The destination IPV6 address. |
Parent Process MD5 | |
Src OS | Src OS |
Org Unit | |
Incident Link | |
Employee Manager Email | The email address of the employee's manager. |
File Size | File Size |
Is Active | Alert status |
Closing Reason | The closing reason |
Unique Ports | |
Sensor IP | |
External Status | |
Device Status | |
List Of Rules - Event | The list of rules associated with an event. |
Raw Event | The unparsed event data. |
Start Time | The time when the offense started. |
UUID | UUID as received from the integration JSON |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
External Link | |
EmailCampaignSummary | |
Parent Process Name | |
MITRE Technique Name | |
Zip Code | Zip Code |
Location Region | Location Region |
Detected External IPs | Detected external IPs |
Last Name | Last Name |
SKU TIER | |
Phone Number | Phone number |
Employee Email | The email address of the employee. |
Subtype | Subtype |
MITRE Tactic ID | |
OS Type | OS Type |
URLs | |
State | State |
Agent Version | Reporting Agent/Sensor Version |
Technique | |
Process MD5 | |
Dest OS | Destination OS |
Protocol names | |
Last Seen | |
Timezone | |
Risk Rating | |
SHA1 | SHA1 |
CVSS | |
Policy Details | |
Parent Process SHA256 | |
Org Level 1 | |
Policy Deleted | |
Application Path | |
External Start Time | |
Technique ID | |
Objective | |
Destination Geolocation | The destination geolocation of the event. |
Referenced Resource Name | |
Compliance Notes | Notes regarding the asset's compliance. |
Exposure Level | |
Street Address | |
SKU Name | |
Suspicious Executions Found | |
Source Updated by | |
Selected Indicators | Includes the indicators selected by the user. |
Status Reason | |
Technical User | The technical user of the asset. |
Assigned User | Assigned User |
app channel name | |
Email Sent Successfully | Whether the email has been successfully sent. |
Triage SLA | The time it took to investigate and enrich incident information. |
similarIncidents | |
Detected Endpoints | |
Original Description | The description of the incident |
Cloud Resource List | |
Scenario | |
Number of similar files | |
Attack Mode | Attack mode as received from the integration JSON |
Block Indicators Status | |
Verdict | |
Ticket Closed Date | |
Closing User | The closing user. |
Tactic | |
Device MAC Address | |
Process SHA256 | |
Isolated | Isolated |
Account ID | |
SSDeep | |
External Confidence | |
IP Reputation | |
File SHA1 | |
Campaign Name | |
Device OS Name | |
Device Model | Device Model |
Team name | |
Job Code | Job Code |
Related Campaign | |
Source Id | |
Duration | |
Parent Process Path | |
Resource Name | |
Original Events | The events associated with the offense. |
Bugtraq | |
Reporter Email Address | The email address of the user who reported the email. |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Low Level Categories Events | The low level category of the event. |
Investigation Stage | The stage of the investigation. |
Follow Up | True if marked for follow up. |
Hunt Results Count | |
Classification | Incident Classification |
Org Level 2 | |
String Similarity Results | |
Related Endpoints | |
Birthday | Person's Birthday |
Endpoints Details | |
Rule Name | The name of a YARA rule |
Registry Hive | |
First Name | First Name |
Region ID | |
External Sub Category Name | |
Approver | The person who approved or needs to approve the request. |
Escalation | |
Cost Center Code | Cost Center Code |
Policy ID | |
Device External IPs | |
Additional Indicators | |
Endpoint Isolation Status | |
Resource URL | |
Command Line Verdict | |
Resource Type | |
User Id | User Id |
Country Code | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Name | Description |
---|---|
DoS | |
UnknownBinary | |
Exploit | |
Network | |
Job | |
Policy Violation | |
Indicator Feed | |
Lateral Movement | |
Exfiltration | |
Defacement | |
C2Communication | |
Hunt | |
Authentication | |
Vulnerability | |
Reconnaissance | |
Simulation | |
Name | Description |
---|---|
Signature Internal Name | |
Objective | |
Organization Type | |
Subject Alternative Names | |
Domain Referring IPs | |
Subject | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Name Servers | |
Processor | |
STIX Aliases | Alternative names used to identify this object |
Job Code | Job Code |
Registrar Abuse Name | |
Whois Records | |
Subject DN | Subject Distinguished Name |
Internal | |
DNS | |
Job Function | |
Community Notes | |
Detection Engines | Total number of engines that checked the indicator |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
STIX Malware Types | |
Name Field | |
Signature Original Name | |
Operating System Refs | |
Location Region | |
imphash | |
Signature Description | |
Secondary Motivations | |
Behavior | |
Assigned user | |
Certificate Signature | |
Validity Not After | |
Admin Phone | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Malware types | |
Zip Code | |
Campaign | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
BIOS Version | |
Roles | |
File Extension | |
X.509 v3 Extensions | |
Personal Email | |
Architecture | |
ASN | |
STIX Threat Actor Types | |
Signature File Version | |
Domain Referring Subnets | |
Category | |
Region | |
Certificates | |
Detections | |
Quarantined | Whether the indicator is quarantined or isolated |
STIX Is Malware Family | |
Applications | |
Goals | |
Job Family | |
CVSS Vector | |
Device Model | |
Is Malware Family | |
Operating System Version | |
Expiration Date | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Validity Not Before | |
Signed | |
Office365ExpressRoute | |
Mobile Phone | |
SHA256 | |
Sophistication | |
Surname | Surname |
Email Address | |
Work Phone | |
Admin Country | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Groups | |
DNS Records | |
Actor | |
Account Type | |
Username | |
Publications | |
Issuer DN | Issuer Distinguished Name |
Geo Location | |
Paths | |
User ID | |
Title | Title |
City | City |
STIX Tool Version | |
Resource Level | |
DHCP Server | |
Targets | |
Tool Version | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Certificate Names | |
Malware Family | |
Aliases | Alternative names used to identify this object |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Display Name | |
Admin Email | |
Vendor | |
Office365Required | |
Download URL | |
Given Name | Given Name |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Public Key | |
Leadership | |
Registrar Abuse Email | |
Domain Name | |
CVSS Version | |
Admin Name | |
STIX Resource Level | |
STIX Primary Motivation | |
Action | |
STIX Description | |
Version | |
Indicator Identification | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Street Address | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Cost Center | |
Department | Department |
Org Level 3 | |
Published | |
Manager Email Address | |
Issuer | |
CVSS | |
Size | |
Number of subkeys | |
Name | |
Org Level 2 | |
Associated File Names | |
Is Processed | |
Creation Date | |
Port | |
Entry ID | |
Domains | |
Blocked | |
AS Owner | |
Source Priority | |
Mitre ID | |
Primary Motivation | |
Operating System | |
Hostname | |
Confidence | |
Vulnerable Products | |
Registrant Email | |
Office365Category | |
Cost Center Code | |
Report type | |
Geo Country | |
Serial Number | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Description | |
Path | |
Associations | Known associations to other pieces of Threat Data. |
State | |
CVSS Score | |
Capabilities | |
Samples | |
File Type | |
Subdomains | |
STIX Tool Types | |
Extension | |
Signature Authentihash | |
Signature Copyright | |
Registrar Abuse Country | |
Manager Name | Manager Name |
Mitre Tactics | |
Organizational Unit (OU) | |
Assigned role | |
Registrant Country | |
CVE Description | |
Rank | Used to display rank from different sources |
SHA512 | |
Reports | |
Force Sync | Whether to force user synchronization. |
Country Code | |
OS Version | |
Tags | |
STIX Goals | |
STIX Roles | |
Registrant Name | |
Key Value | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Memory | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Domain Status | |
Threat Actor Types | |
Commands | |
Certificate Validation Checks | |
Domain IDN Name | |
Country Code Number | |
Org Level 1 | |
Updated Date | |
Registrant Phone | |
Infrastructure Types | |
Processors | |
SWID | Specifies the Software Identification (SWID) tags entry for the software. |
CVSS Table | |
Registrar Name | |
IP Address | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Signature Algorithm | |
Org Unit | |
Registrar Abuse Address | |
STIX Sophistication | |
CVSS3 | |
Location | |
Short Description | |
STIX Secondary Motivations | |
SSDeep | |
Tool Types | |
Country Name | |
Report Object References | A list of STIX IDs referenced in the report. |
PEM | Certificate in PEM format. |
Registrar Abuse Phone | |
CVE Modified | |
Feed Related Indicators | |
Vulnerabilities | |
MD5 | |
Registrar Abuse Network | |
Implementation Languages | |
Organization | |
SHA1 | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary. |
Name | Description |
---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule | |
Name | Description |
---|---|
Report | Report Indicator Layout |
Host Indicator | Host indicator layout |
Mutex | Mutex indicator layout |
ASN | ASN Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Threat Actor | Threat Actor Indicator Layout |
Campaign | Campaign Indicator Layout |
IP Indicator | IP Indicator Layout |
Account Indicator | Account Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Email Indicator | Email Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Identity | Identity indicator layout |
Registry Key Indicator | Registry Key Indicator Layout |
X509 Certificate | CVE Indicator Layout |
URL Indicator | URL Indicator Layout |
Software | Software Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Indicator Feed Incident | |
Malware Indicator | Malware Indicator Layout |
Location | Location indicator layout |
File Indicator | File Indicator Layout |
Vulnerability Incident | |
Name | Description |
---|---|
Tool | |
Account | |
ASN | |
IP | |
ssdeep | |
Threat Actor | |
File MD5 | |
IPv6 | |
Attack Pattern | |
Campaign | |
Location | |
URL | |
Identity | |
X509 Certificate | |
Report | |
File SHA-256 | |
Malware | |
Domain | |
Mutex | |
IPv6CIDR | |
Course of Action | |
Intrusion Set | |
File | |
Software | |
CIDR | |
Registry Key | |
Host | |
CVE | |
Onion Address | |
Infrastructure | |
DomainGlob | |
File SHA-1 | |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Cortex REST API | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Intrusion Set
Added the 'Execute Intrusion Set Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Campaign
Added the 'Execute Campaign Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Malware Indicator
Added the 'Execute Malware Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Custom mapping for the indicator was updated, adding mapping to new fields.
Vulnerable Products
with all the relevant CPEs in a grid field. Added the following incident fields:
Certification | Certified |
Supported By | Cortex |
Created | July 26, 2020 |
Last Release | April 11, 2024 |