Maps incoming phishing email messages fields.
Common Types
- Details
- Content
- Dependencies
- Version History
This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.
Classifiers
| Name | Description |
|---|---|
Mail Listener - Incoming Mapper | |
Mail Listener - Classifier | Classifies phishing email messages. |
Indicator Types
| Name | Description |
|---|---|
Incident Types
| Name | Description |
|---|---|
Exploit | |
Exfiltration | |
Vulnerability | |
Defacement | |
Lateral Movement | |
Policy Violation | |
Network | |
Hunt | |
Job | |
UnknownBinary | |
Simulation | |
Reconnaissance | |
DoS | |
Indicator Feed | |
C2Communication | |
Authentication |
Indicator Fields
| Name | Description |
|---|---|
Manager Name | Manager Name |
Processors | |
Internal | |
Detection Engines | Total number of engines that checked the indicator |
Registrar Abuse Phone | |
SSDeep | |
Operating System | |
Registrant Name | |
OS Version | |
Creation Date | |
Is Malware Family | |
Indicator Identification | |
Org Unit | |
State | |
Tool Version | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Vulnerabilities | |
AS Owner | |
CVSS Table | |
Office365ExpressRoute | |
Name Servers | |
Signed | |
Signature Internal Name | |
Display Name | |
Secondary Motivations | |
Registrar Abuse Address | |
Registrar Abuse Network | |
Assigned role | |
Download URL | |
MD5 | |
Registrant Email | |
Rank | Used to display rank from different sources |
imphash | |
Office365Category | |
IP Address | |
Groups | |
Resource Level | |
Signature File Version | |
STIX Description | |
Domain Referring Subnets | |
Mitre Tactics | |
Objective | |
Category | |
Organization Type | |
Assigned user | |
STIX Secondary Motivations | |
Leadership | |
STIX Malware Types | |
Location Region | |
Subdomains | |
Surname | Surname |
STIX Resource Level | |
Actor | |
DNS | |
Domain IDN Name | |
Personal Email | |
Memory | |
Job Code | Job Code |
Service | The specific service of a feed integration from which an indicator was ingested. |
CVSS Vector | |
SHA512 | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Associated File Names | |
Department | Department |
Name Field | |
Mitre ID | |
Description | |
Path | |
Admin Name | |
Published | |
Given Name | Given Name |
Confidence | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Email Address | |
Signature Authentihash | |
Cost Center | |
City | City |
SHA1 | |
Mobile Phone | |
STIX Aliases | Alternative names used to identify this object |
Admin Email | |
Tags | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Org Level 1 | |
Work Phone | |
STIX Is Malware Family | |
Office365Required | |
Applications | |
Acquisition Hire | Whether the employee is an acquisition hire. |
STIX Threat Actor Types | |
Street Address | |
Port | |
Reports | |
Community Notes | |
Campaign | |
Organization | |
STIX Sophistication | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Job Function | |
CVSS Score | |
Goals | |
Country Name | |
Location | |
BIOS Version | |
Admin Country | |
Domain Referring IPs | |
Job Family | |
STIX Goals | |
Size | |
Targets | |
Malware types | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Publications | |
Country Code | |
Region | |
STIX Tool Version | |
Operating System Refs | |
CVSS | |
Org Level 3 | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Is Processed | |
Primary Motivation | |
Geo Country | |
CVE Modified | |
Hostname | |
File Type | |
Aliases | Alternative names used to identify this object |
STIX Tool Types | |
Organizational Unit (OU) | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Threat Actor Types | |
Device Model | |
Title | Title |
Expiration Date | |
Processor | |
Entry ID | |
STIX Primary Motivation. | |
Registrant Country | |
Signature Copyright | |
Manager Email Address | |
Key Value | |
Cost Center Code | |
Associations | Known associations to other pieces of Threat Data. |
Registrant Phone | |
Sophistication | |
CVE Description | |
Zip Code | |
Account Type | |
Infrastructure Types | |
Feed Related Indicators | |
Domain Status | |
Registrar Abuse Country | |
Signature Description | |
Updated Date | |
Roles | |
CVSS Version | |
SHA256 | |
Quarantined | Whether the indicator is quarantined or isolated |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Country Code Number | |
Operating System Version | |
Name | |
Registrar Abuse Name | |
MAC Address | |
DHCP Server | |
Org Level 2 | |
Tool Types | |
Registrar Abuse Email | |
Admin Phone | |
Domain Name | |
Force Sync | Whether to force user synchronization. |
Geo Location | |
Registrar Name | |
Behavior | |
ASN | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Short Description | |
Source Priority | |
Action | |
Malware Family | |
STIX Roles | |
Username | |
File Extension | |
CVSS3 |
Layouts
| Name | Description |
|---|---|
Host Indicator | |
CVE Indicator | |
Intrusion Set | |
Attack Pattern | |
Campaign | |
ASN | |
Vulnerability Incident | |
Malware | |
Registry Key Indicator | |
Threat Actor | |
Account Indicator | |
File Indicator | |
IP Indicator | |
Indicator Feed Incident | |
Infrastructure | |
Tool | |
Mutex | Mutex indicator layout |
Course of Action | |
URL Indicator | |
Domain Indicator | |
Report | |
Email Indicator |
Incident Fields
| Name | Description |
|---|---|
External System ID | |
Mobile Phone | |
Internal Addresses | |
Classification | Incident Classification |
File SHA256 | |
Alert Action | Alert action as received from the integration JSON |
Post Nat Destination IP | The destination IP address after NAT. |
Description | The description of the incident |
Employee Manager Email | The email address of the employee's manager. |
Risk Rating | |
Follow Up | True if marked for follow up. |
Post Nat Destination Port | The destination port after NAT. |
Number Of Log Sources | The number of log sources related to the offense. |
Detection End Time | |
Error Message | The error message that contains details about the error that occurred. |
Last Modified By | |
Command Line | Command Line |
Phone Number | Phone Number |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Alert Category | The category of the alert |
App message | |
Source Created By | |
Country Name | Country Name |
Parent Process SHA256 | |
Destination MAC Address | The destination MAC address in an event. |
Protocols | |
Policy Details | |
Process Creation Time | |
Employee Email | The email address of the employee. |
Low Level Categories Events | The low level category of the event. |
Unique Ports | |
sAMAccountName | User sAMAAccountName |
Zip Code | Zip Code |
MITRE Tactic ID | |
File Name | |
Asset ID | |
Item Owner | |
Tenant Name | Tenant Name |
Last Update Time | |
External Status | |
Appliance ID | Appliance ID as received from the integration JSON |
Bugtraq | |
Dest Hostname | Destination hostname |
Parent Process Path | |
External Category ID | |
Alert Type ID | |
Source Username | The username that was the source of the attack. |
Org Level 1 | |
Parent Process | |
SHA256 | SHA256 |
Username | The username of the account who logged in. |
Policy Type | |
Vendor Product | |
Alert ID | Alert ID as received from the integration JSON |
Region | |
OS Type | OS Type |
Manager Email Address | |
Dst Ports | The destination ports of the event. |
Domain Name | |
Protocol names | |
Attack Mode | Attack mode as received from the integration JSON |
Country Code | |
Alert Source | |
Device Local IP | Device Local IP |
Org Level 2 | |
Error Code | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
First Seen | |
Closing User | The closing user. |
Src Ports | The source ports of the event. |
User SID | |
File Hash | |
Cloud Instance ID | Cloud Instance ID |
MD5 | MD5 |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
External Severity | |
Process Name | |
Application Path | |
Source Category | |
Policy Remediable | |
Assigned User | Assigned User |
Destination Hostname | Destination hostname |
CMD line | |
Ticket Acknowledged Date | |
SHA512 | SHA512 |
OS Version | OS Version |
Process SHA256 | |
Detected External IPs | Detected external IPs |
userAccountControl | userAccountControl |
Policy Deleted | |
Org Level 3 | |
File Paths | |
Account Name | Account Name |
Device Time | The time from the original logging device when the event occurred. |
External Sub Category ID | |
Source IPV6 | The source IPV6 address. |
Raw Event | The unparsed event data. |
Comment | The comments related with the incident |
Parent Process Name | |
Employee Display Name | The display name of the employee. |
Source Priority | |
Item Owner Email | |
Last Name | Last Name |
Technical Owner | The technical owner of the asset. |
DNS Name | The DNS name of the asset. |
Registry Value | |
Events | The events associated with the offense. |
Registry Hive | |
Device Model | Device Model |
Source Networks | |
Device Username | The username of the user that owns the device |
Title | Title |
Department | Department |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Source Status | |
Tactic ID | |
Technical User | The technical user of the asset. |
Source Network | |
MAC Address | MAC Address |
Parent Process File Path | |
Vendor ID | |
Technical Owner Contact | The contact details for the technical owner. |
Device External IPs | |
Source External IPs | |
Street Address | |
Process MD5 | |
Srcs | The source values. |
Agent ID | Agent ID |
EmailCampaignSnippets | |
External Confidence | |
Process CMD | |
Incident Link | |
Alert URL | Alert URL as received from the integration JSON |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Destination IPV6 | The destination IPV6 address. |
Destination Geolocation | The destination geolocation of the event. |
File Names | |
Detected External Hosts | Detected external hosts |
CMD | |
City | |
Technique ID | |
Detected Internal IPs | Detected internal IPs |
Device OS Name | |
Src User | Source User |
Compliance Notes | Notes regarding the assets compliance. |
Cost Center | Cost Center |
Application Name | Application Name |
Assignment Group | |
Device Hash | Device Hash |
Sensor Name | |
Is Active | Alert status |
Registry Value Type | |
Event Names | The event name (translated QID ) in the event. |
Policy Description | |
Device MAC Address | |
High Level Categories | The high level categories in the events. |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Policy Severity | |
Dest | Destination |
Objective | |
Policy Recommendation | |
Pre Nat Source IP | The source IP before NAT. |
EmailCampaignSummary | |
Pre Nat Destination Port | The destination port before NAT. |
Tactic | |
Region ID | |
Dsts | The destination values. |
Alert Name | Alert name as received from the integration JSON |
State | State |
Detection ID | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Close Time | The closing time. |
Subtype | Subtype |
Registry Key | |
User Id | User Id |
PID | PID |
End Time | The time when the offense ended. |
Detected IPs | |
Ticket Number | |
Log Source | Log Source |
app channel name | |
Caller | |
Primary Email Address | |
Technique | |
Usernames | The username in the event. |
URLs | |
Team name | |
Tags | |
Rendered HTML | The HTML content in a rendered form. |
Resource Type | |
External Start Time | |
Leadership | |
Src OS | Src OS |
File Creation Date | |
App | |
Rule Name | The name of a YARA rule |
File Size | File Size |
Traffic Direction | The direction of the traffic in the event. |
Last Seen | |
Agent Version | Reporting Agent/Sensor Version |
Source Urgency | Source Urgency |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Threat Hunting Detected Hostnames | |
Job Family | Job Family |
Country | The country from which the user logged in. |
Containment SLA | The time it took to contain the incident. |
Policy URI | |
Device OS Version | |
Work Phone | |
Cloud Service | |
File Access Date | |
External Addresses | |
External End Time | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
External Link | |
Src | Source |
Destination Network | |
IncomingMirrorError | |
Timezone | |
Job Code | Job Code |
SKU Name | |
Alert Attack Time | |
Ticket Closed Date | |
Org Unit | |
MITRE Tactic Name | |
Destination Port | The destination port used. |
Resource ID | |
CVE | |
Parent CMD line | |
Resource Name | |
SHA1 | SHA1 |
EmailCampaignMutualIndicators | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
File MD5 | |
Triggered Security Profile | Triggered Security Profile |
External Sub Category Name | |
External Category Name | |
Location | Location |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Device External IP | Device External IP |
Source Port | The source port that was used |
Policy ID | |
Ticket Opened Date | |
Detected Endpoints | |
Destination Networks | |
EmailCampaignCanvas | |
UUID | UUID as received from the integration JSON |
Event ID | Event ID |
Endpoint | |
Detected Users | Detected users |
Country Code Number | |
Blocked Action | Blocked Action |
Alert Malicious | Whether the alert is malicious. |
Detection Update Time | |
Mobile Device Model | |
Start Time | The time when the offense started. |
Category Count | The number of categories that are associated with the offense. |
Src NT Domain | Source NT Domain |
Display Name | Display Name |
Application Id | Application Id |
Detection URL | URL of the ExtraHop Reveal(x) detection |
SKU TIER | |
Source Create time | |
Personal Email | |
Categories | The categories for the incident. |
Process ID | |
Log Source Name | The log source name associated with the event. |
CVSS | |
Job Function | Job Function |
Src Hostname | Source hostname |
Threat Hunting Detected IP | |
Parent Process IDs | |
Detected Internal Hosts | Detected internal hosts |
Source IPs | The source IPs of the event. |
Detected User | |
Users | |
Scenario | |
Appliance Name | Appliance name as received from the integration JSON |
File Path | |
Device OU | Device's OU path in Active Directory |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Hostnames | The hostname in the event. |
Manager Name | Manager Name |
Full Name | Person's Full Name |
Sensor IP | |
Device Name | Device Name |
Duration | |
List Of Rules - Event | The list of rules associated to an event. |
Source Hostname | The hostname that performed the port scan. |
Birthday | Person's Birthday |
Dest OS | Destination OS |
Surname | Surname |
Log Source Type | The log source type associated with the event. |
Rating | |
Cost Center Code | Cost Center Code |
Process Names | |
Last Modified On | |
OutgoingMirrorError | |
Child Process | |
Policy Actions | |
Source Geolocation | The source geolocation of the event. |
Event Type | Event Type |
Closing Reason | The closing reason |
Cloud Account ID | |
Changed | The user who changed this incident |
Device Id | Device Id |
Escalation | |
Device Internal IPs | |
Pre Nat Source Port | The source port before NAT. |
External ID | |
Sub Category | The sub category |
Location Region | Location Region |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Risk Score | |
Additional Data | |
OS | The operating system. |
Triage SLA | The time it took to investigate and enrich incident information. |
Acquisition Hire | |
Source MAC Address | The source MAC address in an event. |
Post Nat Source Port | The source port after NAT. |
Signature | |
Parent Process CMD | |
MITRE Technique ID | |
Post Nat Source IP | The source IP address after NAT. |
Event Descriptions | The description of the event name. |
similarIncidents | |
Dest NT Domain | Destination NT Domain |
Protocol - Event | The network protocol in the event. |
Destination IP | The IP address the impossible traveler logged in to. |
File SHA1 | |
Use Case Description | |
Source IP | The IP Address that the user initially logged in from. |
Vulnerability Category | |
Process Path | |
Process Paths | |
First Name | First Name |
Agents ID | |
Similar incidents Dbot | |
Group ID | |
Destination IPs | The destination IPs of the event. |
Device Status | |
Protocol | Protocol |
Isolated | Isolated |
Exposure Level | |
MITRE Technique Name | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Account ID | |
Given Name | Given Name |
Parent Process MD5 | |
Investigation Stage | The stage of the investigation. |
Classifiers
| Name | Description |
|---|---|
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Mail Listener - Classifier | Classifies phishing email messages. |
Indicator Types
| Name | Description |
|---|---|
Incident Types
| Name | Description |
|---|---|
Exploit | |
Exfiltration | |
Vulnerability | |
Defacement | |
Lateral Movement | |
Policy Violation | |
Network | |
Hunt | |
Job | |
UnknownBinary | |
Simulation | |
Reconnaissance | |
DoS | |
Indicator Feed | |
C2Communication | |
Authentication |
Indicator Fields
| Name | Description |
|---|---|
Manager Name | Manager Name |
Processors | |
Internal | |
Detection Engines | Total number of engines that checked the indicator |
Registrar Abuse Phone | |
SSDeep | |
Operating System | |
Registrant Name | |
OS Version | |
Creation Date | |
Is Malware Family | |
Indicator Identification | |
Org Unit | |
State | |
Tool Version | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Vulnerabilities | |
AS Owner | |
CVSS Table | |
Office365ExpressRoute | |
Name Servers | |
Signed | |
Signature Internal Name | |
Display Name | |
Secondary Motivations | |
Registrar Abuse Address | |
Registrar Abuse Network | |
Assigned role | |
Download URL | |
MD5 | |
Registrant Email | |
Rank | Used to display rank from different sources |
imphash | |
Office365Category | |
IP Address | |
Groups | |
Resource Level | |
Signature File Version | |
STIX Description | |
Domain Referring Subnets | |
Mitre Tactics | |
Objective | |
Category | |
Organization Type | |
Assigned user | |
STIX Secondary Motivations | |
Leadership | |
STIX Malware Types | |
Location Region | |
Subdomains | |
Surname | Surname |
STIX Resource Level | |
Actor | |
DNS | |
Domain IDN Name | |
Personal Email | |
Memory | |
Job Code | Job Code |
Service | The specific service of a feed integration from which an indicator was ingested. |
CVSS Vector | |
SHA512 | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Associated File Names | |
Department | Department |
Name Field | |
Mitre ID | |
Description | |
Path | |
Admin Name | |
Published | |
Given Name | Given Name |
Confidence | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Email Address | |
Signature Authentihash | |
Cost Center | |
City | City |
SHA1 | |
Mobile Phone | |
STIX Aliases | Alternative names used to identify this object |
Admin Email | |
Tags | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Org Level 1 | |
Work Phone | |
STIX Is Malware Family | |
Office365Required | |
Applications | |
Acquisition Hire | Whether the employee is an acquisition hire. |
STIX Threat Actor Types | |
Street Address | |
Port | |
Reports | |
Community Notes | |
Campaign | |
Organization | |
STIX Sophistication | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Job Function | |
CVSS Score | |
Goals | |
Country Name | |
Location | |
BIOS Version | |
Admin Country | |
Domain Referring IPs | |
Job Family | |
STIX Goals | |
Size | |
Targets | |
Malware types | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Publications | |
Country Code | |
Region | |
STIX Tool Version | |
Operating System Refs | |
CVSS | |
Org Level 3 | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Is Processed | |
Primary Motivation | |
Geo Country | |
CVE Modified | |
Hostname | |
File Type | |
Aliases | Alternative names used to identify this object |
STIX Tool Types | |
Organizational Unit (OU) | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Threat Actor Types | |
Device Model | |
Title | Title |
Expiration Date | |
Processor | |
Entry ID | |
STIX Primary Motivation. | |
Registrant Country | |
Signature Copyright | |
Manager Email Address | |
Key Value | |
Cost Center Code | |
Associations | Known associations to other pieces of Threat Data. |
Registrant Phone | |
Sophistication | |
CVE Description | |
Zip Code | |
Account Type | |
Infrastructure Types | |
Feed Related Indicators | |
Domain Status | |
Registrar Abuse Country | |
Signature Description | |
Updated Date | |
Roles | |
CVSS Version | |
SHA256 | |
Quarantined | Whether the indicator is quarantined or isolated |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Country Code Number | |
Operating System Version | |
Name | |
Registrar Abuse Name | |
DHCP Server | |
Org Level 2 | |
Tool Types | |
Registrar Abuse Email | |
Admin Phone | |
Domain Name | |
Force Sync | Whether to force user synchronization. |
Geo Location | |
Registrar Name | |
Behavior | |
ASN | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Short Description | |
Source Priority | |
Action | |
Malware Family | |
STIX Roles | |
Username | |
File Extension | |
CVSS3 |
Layouts
| Name | Description |
|---|---|
Host Indicator | |
CVE Indicator | |
Intrusion Set | |
Attack Pattern | |
Campaign | |
ASN | |
Malware | |
Registry Key Indicator | |
Threat Actor | |
Account Indicator | |
File Indicator | |
IP Indicator | |
Infrastructure | |
Tool | |
Mutex | Mutex indicator layout |
Course of Action | |
URL Indicator | |
Domain Indicator | |
Report | |
Email Indicator |
Incident Fields
| Name | Description |
|---|---|
External System ID | |
Mobile Phone | |
Internal Addresses | |
Classification | Incident Classification |
Alert Action | Alert action as received from the integration JSON |
Post Nat Destination IP | The destination IP address after NAT. |
Description | The description of the incident |
Employee Manager Email | The email address of the employee's manager. |
Risk Rating | |
Follow Up | True if marked for follow up. |
Post Nat Destination Port | The destination port after NAT. |
Number Of Log Sources | The number of log sources related to the offense. |
Detection End Time | |
Error Message | The error message that contains details about the error that occurred. |
Last Modified By | |
Phone Number | Phone Number |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
App message | |
Source Created By | |
Parent Process SHA256 | |
Policy Details | |
Process Creation Time | |
Employee Email | The email address of the employee. |
Low Level Categories Events | The low level category of the event. |
Unique Ports | |
sAMAccountName | User sAMAAccountName |
Zip Code | Zip Code |
MITRE Tactic ID | |
Asset ID | |
Item Owner | |
Tenant Name | Tenant Name |
Last Update Time | |
External Status | |
Bugtraq | |
Parent Process Path | |
External Category ID | |
Alert Type ID | |
Org Level 1 | |
Policy Type | |
Vendor Product | |
Alert ID | Alert ID as received from the integration JSON |
Region | |
OS Type | OS Type |
Manager Email Address | |
Domain Name | |
Protocol names | |
Attack Mode | Attack mode as received from the integration JSON |
Country Code | |
Alert Source | |
Org Level 2 | |
Error Code | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
First Seen | |
Closing User | The closing user. |
User SID | |
File Hash | |
Cloud Instance ID | Cloud Instance ID |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
External Severity | |
Application Path | |
Source Category | |
Policy Remediable | |
Assigned User | Assigned User |
Ticket Acknowledged Date | |
SHA512 | SHA512 |
Process SHA256 | |
Detected External IPs | Detected external IPs |
userAccountControl | userAccountControl |
Policy Deleted | |
Org Level 3 | |
Device Time | The time from the original logging device when the event occurred. |
External Sub Category ID | |
Raw Event | The unparsed event data. |
Comment | The comments related with the incident |
Parent Process Name | |
Employee Display Name | The display name of the employee. |
Source Priority | |
Item Owner Email | |
Last Name | Last Name |
Technical Owner | The technical owner of the asset. |
Registry Value | |
Events | The events associated with the offense. |
Registry Hive | |
Device Model | Device Model |
Source Networks | |
Title | Title |
Department | Department |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Source Status | |
Tactic ID | |
Technical User | The technical user of the asset. |
Parent Process File Path | |
Vendor ID | |
Technical Owner Contact | The contact details for the technical owner. |
Device External IPs | |
Source External IPs | |
Street Address | |
Process MD5 | |
EmailCampaignSnippets | |
External Confidence | |
Process CMD | |
Incident Link | |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Destination IPV6 | The destination IPV6 address. |
Destination Geolocation | The destination geolocation of the event. |
City | |
Technique ID | |
Device OS Name | |
Compliance Notes | Notes regarding the assets compliance. |
Cost Center | Cost Center |
Assignment Group | |
Device Hash | Device Hash |
Is Active | Alert status |
Registry Value Type | |
Event Names | The event name (translated QID ) in the event. |
Policy Description | |
Device MAC Address | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Policy Severity | |
Objective | |
Policy Recommendation | |
Pre Nat Source IP | The source IP before NAT. |
EmailCampaignSummary | |
Pre Nat Destination Port | The destination port before NAT. |
Tactic | |
Region ID | |
Dsts | The destination values. |
Alert Name | Alert name as received from the integration JSON |
State | State |
Detection ID | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Close Time | The closing time. |
Subtype | Subtype |
Registry Key | |
User Id | User Id |
End Time | The time when the offense ended. |
Ticket Number | |
Log Source | Log Source |
app channel name | |
Caller | |
Primary Email Address | |
Technique | |
URLs | |
Team name | |
Tags | |
Rendered HTML | The HTML content in a rendered form. |
Resource Type | |
External Start Time | |
Leadership | |
Src OS | Src OS |
File Creation Date | |
Rule Name | The name of a YARA rule |
File Size | File Size |
Traffic Direction | The direction of the traffic in the event. |
Last Seen | |
Agent Version | Reporting Agent/Sensor Version |
Source Urgency | Source Urgency |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Job Family | Job Family |
Containment SLA | The time it took to contain the incident. |
Policy URI | |
Device OS Version | |
Work Phone | |
Cloud Service | |
File Access Date | |
External End Time | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
External Link | |
IncomingMirrorError | |
Timezone | |
Job Code | Job Code |
SKU Name | |
Ticket Closed Date | |
Org Unit | |
MITRE Tactic Name | |
CVE | |
Resource Name | |
SHA1 | SHA1 |
EmailCampaignMutualIndicators | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Triggered Security Profile | Triggered Security Profile |
External Sub Category Name | |
External Category Name | |
Location | Location |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Policy ID | |
Detected Endpoints | |
Destination Networks | |
EmailCampaignCanvas | |
UUID | UUID as received from the integration JSON |
Event ID | Event ID |
Country Code Number | |
Blocked Action | Blocked Action |
Alert Malicious | Whether the alert is malicious. |
Mobile Device Model | |
Start Time | The time when the offense started. |
Category Count | The number of categories that are associated with the offense. |
Display Name | Display Name |
Detection URL | URL of the ExtraHop Reveal(x) detection |
SKU TIER | |
Source Create time | |
Personal Email | |
Process ID | |
Log Source Name | The log source name associated with the event. |
CVSS | |
Job Function | Job Function |
Parent Process IDs | |
Detected Internal Hosts | Detected internal hosts |
Scenario | |
Device OU | Device's OU path in Active Directory |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Manager Name | Manager Name |
Full Name | Person's Full Name |
Sensor IP | |
Device Name | Device Name |
Duration | |
List Of Rules - Event | The list of rules associated to an event. |
Birthday | Person's Birthday |
Dest OS | Destination OS |
Surname | Surname |
Log Source Type | The log source type associated with the event. |
Rating | |
Cost Center Code | Cost Center Code |
Process Names | |
Last Modified On | |
OutgoingMirrorError | |
Policy Actions | |
Source Geolocation | The source geolocation of the event. |
Closing Reason | The closing reason |
Cloud Account ID | |
Changed | The user who changed this incident |
Device Id | Device Id |
Escalation | |
Device Internal IPs | |
Pre Nat Source Port | The source port before NAT. |
External ID | |
Sub Category | The sub category |
Location Region | Location Region |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Risk Score | |
Additional Data | |
OS | The operating system. |
Triage SLA | The time it took to investigate and enrich incident information. |
Acquisition Hire | |
Post Nat Source Port | The source port after NAT. |
Signature | |
Parent Process CMD | |
MITRE Technique ID | |
Post Nat Source IP | The source IP address after NAT. |
Event Descriptions | The description of the event name. |
similarIncidents | |
File SHA1 | |
Use Case Description | |
Vulnerability Category | |
Process Paths | |
First Name | First Name |
Agents ID | |
Similar incidents Dbot | |
Group ID | |
Device Status | |
Isolated | Isolated |
Exposure Level | |
MITRE Technique Name | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Account ID | |
Given Name | Given Name |
Parent Process MD5 | |
Investigation Stage | The stage of the investigation. |
Required Content Packs (3)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| CommonScripts | By: Cortex XSOAR |
| DemistoRESTAPI | By: Cortex XSOAR |
Optional Content Packs (6)
| Pack Name | Pack By |
|---|---|
| CVESearch | By: Cortex XSOAR |
| CoreAlertFields | By: Cortex XSOAR |
| Compliance | By: Cortex XSOAR |
| Phishing | By: Cortex XSOAR |
| Malware | By: Cortex XSOAR |
| SplunkPy | By: Cortex XSOAR |
3.3.30 - 4095599 (November 24, 2022)
- 22284
Download
Incident Fields
Added the following incident fields to be associated with the AWS Guard Duty EC2 Finding, AWS Guard Duty IAM Finding, AWS Guard Duty Kubernetes Finding, AWS Guard Duty Malware Protection Finding, AWS Guard Duty S3 Finding incident types.
- Account ID
- Last Update Time
- Region
- Title
- 22284
Download
3.3.21 - 3702189 (September 21, 2022)
- 21398
Download
Incident Fields
- Added the following incident fields to be associated with the Vectra Detection incident types.
- Destination IPs
- Detection ID
- Dst Ports
Added the following incident fields to be associated with the Vectra Account incident types. - Account ID
- Department
- Usernames
- Display Name
- sAMAccountName
- Title
- Note: removed description from the following incident fields.
- Detection ID
- Detection End Time
- Detection Update Time
Indicator Types
- emailRep
- 21398
Download
3.3.1 - 3687475 (September 19, 2022)
- 21172
Download
Incident Fields
- Containment SLA
- Triage SLA
Layouts
domainRepUnified
hostRep
urlRep
ipRep
unifiedFileRep
registryKey
emailRep
accountRep
Indicator Feed
cveRep
Intrusion Set
Updated layout for IOC.
Email Indicator
Updated layout for IOC.
Threat Actor
Updated layout for IOC.
File Indicator
Updated layout for IOC.
Attack Pattern
Updated layout for IOC.
Vulnerability Incident
Updated layout for IOC.
URL Indicator
Updated layout for IOC.
IP Indicator
Updated layout for IOC.
Tool
Updated layout for IOC.
Course of Action
Updated layout for IOC.
ASN
Updated layout for IOC.
Domain Indicator
Updated layout for IOC.
Campaign
Updated layout for IOC.
Malware
Updated layout for IOC.
Registry Key Indicator
Updated layout for IOC.
Updated layout for IOC.
Host Indicator
Updated layout for IOC.
Report
Updated layout for IOC.
CVE Indicator
Updated layout for IOC.
Infrastructure
Updated layout for IOC.
Account Indicator
Updated layout for IOC.
- 21172
Download
3.2.46 - 3649843 (September 13, 2022)
- 19793
Download
Incident Fields
Added the following incident fields to be associated with the Skyhigh Security Alert and Skyhigh Security Threat incident types.
- City
- Start Time
- Risk Score
- Alert Action
- Source IPs
- Event Action
- Account ID
- Policy Description
- Policy ID
- Last Update Time
- Cloud Service
- Added the new field Source Create time.
- Title
- Source Create time
- Item Owner
- Last Update Time
- 19793
Download
3.2.42 - 3480655 (August 17, 2022)
- 20440
Download
Indicator Fields
Description
- Added the field to all types (associated to all).
STIX ID
- Added the field to all types (associated to all).
Indicator Types
- Mutex
Layouts
- New: Mutex
- Added support for a new indicator type for mutex (Available from Cortex XSOAR 6.5.0).
- 20440
Download
3.2.40 - 3281367 (July 17, 2022)
- 19903
- 20107
Download
Indicator Fields
- Description - changed the type from longText to markdown
- Groups - changed the type from longText to markdown
- Short Description - changed the type from longText to markdown
- Applications - changed the type from longText to markdown
- Note:
- In order for the changes to take effect, server versions < 6.8 should re-install the CommonTypes pack. If any warnings appear, click the Install anyway button.
- Re-installing the pack would reset existing configurations for those types configured. For example, an incident type configured for a certain playbook would no longer be configured.
- Any configuration attached to types from CommonTypes pack would need to be re-configured.
- 19903
- 20107
Download
3.2.39 - 3279429 (July 17, 2022)
- 19800
Download
Incident Fields
- Removed the unsupported fromServerVersion field from the following Incident Fields:
- Source MAC Address
- Post Nat Source IP
- Log Source Type
- CVSS Integrity Requirement
- Mobile Device Model
- Source IPs
- DNS Name
- Follow Up
- Low Level Categories Events
- Event Names
- Device Time
- Protocol - Event
- Post Nat Destination Port
- Close Time
- Usernames
- Compliance Notes
- Source IPV6
- Destination IPV6
- Destination MAC Address
- Last Update Time
- Technical Owner
- End Time
- Closing Reason
- Source Geolocation
- Post Nat Destination IP
- Traffic Direction
- Destination IPs
- CVSS Collateral Damage Potential
- CVSS Availability Requirement
- Pre Nat Source IP
- Technical Owner Contact
- Event Descriptions
- Src Ports
- Dst Ports
- High Level Categories
- Technical User
- Destination Geolocation
- Start Time
- Events
- Pre Nat Destination Port
- Post Nat Source Port
- List Of Rules - Event
- Category Count
- Closing User
- CVSS Confidentiality Requirement
- Log Source Name
- Raw Event
- Pre Nat Source Port
- Number Of Log Sources
Indicator Fields
- Removed the unsupported fromServerVersion field from the following Incident Fields:
- STIX Roles
- Roles
- 19800
Download
3.2.34 - 2941201 (May 18, 2022)
Incident Fields
- OS Type
3.2.33 - 2899700 (May 10, 2022)
Incident Fields
- Device Internal IPs
3.2.31 - 2836953 (April 28, 2022)
- 17780
- 20109
Download
WARNING: This version is invalid. Please install a different version.
Incident Fields
- External Status
- Cloud Account ID
- Process ID
- Parent Process CMD
- Parent Process SHA256
- External Severity
- External Category ID
- Device MAC Address
- Source MAC Address
- External Sub Category ID
- External Start Time
- Parent Process ID
- External Category Name
- Source External IPs
- Device External IPs
- Process CMD
- Parent Process Name
- Source IPs
- Parent Process MD5
- External End Time
- Process SHA256
- Parent Process Path
- Process Paths
- Process MD5
- External Sub Category Name
- Process Names
- External Link
- External Confidence
- Device OS Version
- Device OS Name
- Additional Data
- MITRE Tactic Name
- MITRE Technique Name
- MITRE Tactic ID
- MITRE Technique ID
- External System ID
- 17780
- 20109
Download
3.2.30 - 2750927 (April 13, 2022)
Incident Fields
- Account Name - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Asset ID - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Close Time - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Closing Reason - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Department - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Email - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Last Modified By - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Location - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Manager Name - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Source Urgency - Added a new incident field.
- Subtype - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Title - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
3.2.29 - 2745974 (April 12, 2022)
Incident Fields
- Associated Device OU to all incident types.
- Application Name
Added "Symantec DLP Endpoint" Incident to this incident field. - File Creation Date
Added "Symantec DLP Discover" Incident to this incident field. - First Seen
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field. - Item Owner Email
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field. - Device Status
Added "Symantec DLP Endpoint" Incident to this incident field. - Resource Name
Added "Symantec DLP Discover" Incident to this incident field. - File Access Date
Added "Symantec DLP Discover" Incident to this incident field. - Item Owner
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field. - Policy ID
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field. - Last Modified By
Added "Symantec DLP Discover" Incident to this incident field. - Policy Details
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field. - External ID
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field. - Device Id
Added "Symantec DLP Endpoint" Incident to this incident field. - Application Path
Added "Symantec DLP Endpoint" Incident to this incident field. - Error MessageD
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field. - Rendered HTML - Added a new field that shows a rendered version of HTML content.
3.2.26 - 2641705 (March 24, 2022)
Incident Fields
- Domain Squatting Result - Added a new markdown field that shows the results of the domain-squatting check.
3.2.25 - 2536574 (March 8, 2022)
Incident Fields
Alert Action
Added FireEye HX Alert to this incident field.Appliance ID
Added FireEye HX Alert to this incident field.
Indicator Types
3.2.23 - 2475198 (February 25, 2022)
Incident Fields
- Registry Key
- Registry Value Type
- Registry Value
- Registry Hive
- URLs
- User SID
- Domain Name
- Parent Process File Path
- Parent Process IDs
- Process Creation Time
- Process ID
3.2.21 - 2436256 (February 18, 2022)
Incident Fields
- File Paths
3.2.20 - 2425968 (February 16, 2022)
Incident Fields
- Alert URL
3.2.19 - 2411339 (February 14, 2022)
Incident Fields
- MAC Address
3.2.18 - 2406376 (February 13, 2022)
Incident Fields
- Agents ID
3.2.17 - 2387690 (February 9, 2022)
Incident Fields
Destination IPs
Destination Networks
Dst Ports
Policy Actions
Protocol names
Source IPs
Source Networks
Signature
File Name
File MD5
MD5
File Path
File Names
3.2.15 - 2380698 (February 8, 2022)
Incident Fields
- Categories
- Alert Category
- High Level Categories
3.2.14 - 2377451 (February 8, 2022)
Incident Fields
- Tactic ID
- Tactic
- Technique
- Technique ID
3.2.13 - 2371508 (February 7, 2022)
Indicator Types
- urlRep
- ipRep
- hashRepSHA1
- hashRep
3.2.12 - 2369391 (February 6, 2022)
Incident Fields
- Usernames
- Destination IPs
- Alert Action
- Blocked Action
- Dest OS
- OS
- Src OS
3.2.11 - 2355875 (February 3, 2022)
Incident Fields
- High Level Categories
- Dest NT Domain
- Src NT Domain
- Resource ID
- Application Name
- Application Id
- Alert Category
- OS Version
- Categories
- App
- Country
- Protocol - Event
- Event Type
3.2.9 - 2353377 (February 3, 2022)
Incident Fields
- Hostnames
- Alert Attack Time
- Process Name
- Device External IP
- Technique
- Detected User
- Tactic
- Tactic ID
- Detected Internal IPs
- PID
- Child Process
- Src
- CMD
- Ticket Opened Date
- Users
- Dest
- Detected IPs
- Usernames
- Destination Hostname
- Source MAC Address
- Detected External Hosts
- Destination MAC Address
- Source IPV6
- Dest Hostname
- Detection Update Time
- External Addresses
- Signature
- Technique ID
- Threat Hunting Detected IP
- Source Network
- OS
- Dest OS
- Detected Users
- Command Line
- Srcs
- CMD line
- Device Local IP
Indicator Fields
- MAC Address
3.2.8 - 2350241 (February 2, 2022)
Incident Fields
- File SHA256
3.2.7 - 2348792 (February 2, 2022)
Incident Fields
- File SHA256
- Country Name
3.2.6 - 2343672 (February 1, 2022)
Incident Fields
- File SHA256
3.2.5 - 2340785 (February 1, 2022)
Incident Fields
Dst Ports
Process Path
SHA256
Src Ports
Alert Action
Source IPs
Parent CMD line
Parent Process
Protocol
Protocols
Src OS
Destination Network
Appliance ID
Appliance Name
3.2.3 - 2318351 (January 27, 2022)
Indicator Types
- urlRep: Updated the URL indicator regex with the following:
- Added support to IPV6.
- Fixed an issue where the regex did not catch valid URLs.
- Removed duplications in the regex's string.
3.2.2 - 2309176 (January 26, 2022)
Indicator Fields
- CVSS Vector
- CVSS3
3.2.1 - 2303329 (January 25, 2022)
Incident Fields
- Account Name
- Agent ID
- Blocked Action
- DNS Name
- Destination Port
- Device Username
- Endpoint
- Sensor Name
- Source Hostname
- Source Port
- Source Username
- Src Hostname
- Src User
- Threat Hunting Detected Hostnames
- Usernames
- Hostnames
- Source IPs
- Alert Action
- Destination IPs
- Agents ID
- Src Ports
- Dst Ports
3.2.0 - 2273091 (January 19, 2022)
Incident Fields
- First Seen
- Source Created By
- Last Modified By
- Last Modified On
- Source Category
- Risk Score
3.1.33 - 2233034 (January 10, 2022)
Indicator Types
- urlRep: Changed the formatting script default to FormatURL script.
- Breaking Change: The URL indicator regex will no longer extract domains, e.g
www.test.comwill not be extracted as URL.
3.1.32 - 2183875 (December 30, 2021)
Incident Fields
- Source IPs
- File MD5
- CMD line
- Events
- CVSS Confidentiality Requirement
- Source IPV6
- DNS Name
- Log Source Name
- Device Time
- File SHA256
- Parent CMD line
- Hostnames
- Tactic
- File Names
- Destination Geolocation
- Src Ports
- Technique
- Technical Owner Contact
- Post Nat Destination IP
- Detected User
- Technical Owner
- File SHA1
- Destination IPV6
- Event Descriptions
- High Level Categories
- Destination IPs
- Pre Nat Source IP
- Low Level Categories Events
- CMD
- Post Nat Source IP
- CVSS Collateral Damage Potential
- File Paths
- Source Geolocation
- Post Nat Destination Port
- Destination MAC Address
- Technical User
- Source MAC Address
- Pre Nat Destination Port
- Post Nat Source Port
- Event Names
- Dst Ports
- Dsts
- Users
- Protocol - Event
- Compliance Notes
- Detected IPs
- Scenario
- CVSS Availability Requirement
- Traffic Direction
- Threat Hunting Detected Hostnames
- Objective
- Threat Hunting Detected IP
- Categories
- Child Process
- Usernames
- Raw Event
- Pre Nat Source Port
- Parent Process
- Srcs
- Agents ID
- Tactic ID
- List Of Rules - Event
- CVSS Integrity Requirement
- Log Source Type
- Technique ID
Indicator Fields
Targets
- Malware Family
- Reports
- Name Servers
- Vulnerabilities
- Subdomains
- Campaign
- Actor
Indicator Types
3.1.30 - 2157470 (December 24, 2021)
Incident Fields
- Use Case Description - New field for Use Case descriptions.
3.1.29 - R2146019 (December 21, 2021)
Layouts
Course of Action
- Resized the description section for a better legibility.
Report
- Resized the description section for a better legibility.
Malware
- Resized the description section for a better legibility.
Threat Actor
- Resized the description section for a better legibility.
Infrastructure
- Resized the description section for a better legibility.
Intrusion Set
- Resized the description section for a better legibility.
Campaign
- Resized the description section for a better legibility.
Attack Pattern
- Resized the description section for a better legibility.
Tool
- Resized the description section for a better legibility.
3.1.28 - 2083673 (December 9, 2021)
Incident Fields
- Alert Source
- Source Priority
- Source Status
- Title
- Last Seen
- Last Update Time
- Alert Acknowledgement
3.1.27 - 2020903 (November 28, 2021)
Incident Fields
Added the following common fields:
- Agent Version
- Device OU
- Threat Family Name
- Threat Name
- Cloud Instance ID
Edited the following field configurations:
- Cloud Service
- Event Descriptions
- Event Names
- Last Update Time
- Start Time
3.1.26 - 2009340 (November 25, 2021)
Incident Fields
- Detected Endpoints
3.1.25 - 1970937 (November 18, 2021)
Incident Fields
- Last Update Time
3.1.24 - 1959372 (November 16, 2021)
Incident Fields
- Technical User
- Maintenance and stability enhancements.
- Event Descriptions
- Maintenance and stability enhancements.
- Pre Nat Source IP
- Maintenance and stability enhancements.
- Source IPs
- Maintenance and stability enhancements.
- Destination IPs
- Maintenance and stability enhancements.
- Technical Owner Contact
- Maintenance and stability enhancements.
- Post Nat Destination IP
- Maintenance and stability enhancements.
- High Level Categories
- Maintenance and stability enhancements.
- List Of Rules - Event
- Maintenance and stability enhancements.
- Pre Nat Source Port
- Maintenance and stability enhancements.
- Log Source Type
- Maintenance and stability enhancements.
- Compliance Notes
- Maintenance and stability enhancements.
- Raw Event
- Maintenance and stability enhancements.
- Destination Geolocation
- Maintenance and stability enhancements.
- Srcs
- Maintenance and stability enhancements.
- Post Nat Destination Port
- Maintenance and stability enhancements.
- DNS Name
- Maintenance and stability enhancements.
- URL SSL Verification
- Maintenance and stability enhancements.
- Event Names
- Maintenance and stability enhancements.
- Post Nat Source Port
- Maintenance and stability enhancements.
- Traffic Direction
- Maintenance and stability enhancements.
- Source IPV6
- Maintenance and stability enhancements.
- CVSS Availability Requirement
- Maintenance and stability enhancements.
- Categories
- Maintenance and stability enhancements.
- Dst Ports
- Maintenance and stability enhancements.
- CVSS Integrity Requirement
- Maintenance and stability enhancements.
- Events
- Maintenance and stability enhancements.
- Source MAC Address
- Maintenance and stability enhancements.
- Device Time
- Maintenance and stability enhancements.
- Event Action
- Maintenance and stability enhancements.
- Hostnames
- Maintenance and stability enhancements.
- Post Nat Source IP
- Maintenance and stability enhancements.
- Low Level Categories Events
- Maintenance and stability enhancements.
- Src Ports
- Maintenance and stability enhancements.
- Critical Assets
- Maintenance and stability enhancements.
- Technical Owner
- Maintenance and stability enhancements.
- Protocol - Event
- Maintenance and stability enhancements.
- Destination MAC Address
- Maintenance and stability enhancements.
- CVSS Confidentiality Requirement
- Maintenance and stability enhancements.
- Dsts
- Maintenance and stability enhancements.
- Pre Nat Destination Port
- Maintenance and stability enhancements.
- Remediation SLA
- Maintenance and stability enhancements.
- Log Source Name
- Maintenance and stability enhancements.
- Detection SLA
- Maintenance and stability enhancements.
- CVSS Collateral Damage Potential
- Maintenance and stability enhancements.
- Source Geolocation
- Maintenance and stability enhancements.
- Vendor ID
- Maintenance and stability enhancements.
- Destination IPV6
- Maintenance and stability enhancements.
- Usernames
- Maintenance and stability enhancements.
Indicator Fields
- Reports
- Maintenance and stability enhancements.
- Subdomains
- Maintenance and stability enhancements.
- Campaign
- Maintenance and stability enhancements.
- Vulnerabilities
- Maintenance and stability enhancements.
- Name Servers
- Maintenance and stability enhancements.
- Malware Family
- Maintenance and stability enhancements.
- Traffic Light Protocol
- Maintenance and stability enhancements.
- Actor
- Maintenance and stability enhancements.
- Targets
- Maintenance and stability enhancements.
3.1.23 - 1929712 (November 10, 2021)
Indicator Fields
- Associated File Names
Updated to type "Array" (Available from Cortex XSOAR 6.5).
3.1.22 - 1913264 (November 8, 2021)
Indicator Fields
Indicator Types
- cveRep
- Fixed an issue where the
Descriptionaccessor in theCVEindicator used an incorrect field name.
3.1.20 - 1855807 (October 27, 2021)
Indicator Types
- emailRep - The regex now limits the local part to 64 characters and the domain part to 255 characters per RFC3696.
3.1.19 - 1807895 (October 17, 2021)
Incident Fields
- Acquisition Hire - Added a new incident field.
Indicator Fields
- Acquisition Hire - Added a new indicator field.
- Force Sync - Added a new indicator field.
3.1.18 - 1800343 (October 15, 2021)
Incident Fields
- Last Update Time
- Start Time
3.1.17 - 7681620 (September 19, 2021)
Incident Fields
- Associated the incident field Close Time with the GuardiCore incident type.
- Associated the incident field Last Update Time with the GuardiCore incident type.
- Associated the incident field Start Time with the GuardiCore incident type.
- Created and associated the incident field End Time with the GuardiCore incident type.
3.1.16 - 7459007 (September 5, 2021)
Indicator Types
- emailRep - The regex now recognizes emails with
[@]as valid.
3.1.15 - 7401319 (September 1, 2021)
Incident Fields
- Exposure Level
- Policy ID
- Policy Details
- Last Update Time
- Policy URI
- Close Time
- Item Owner
- Item Owner Email
Indicator Fields
Description
- Added an association between the Description field with the Malware, Tool, Report, and Threat Actor types.
3.1.12 - 7391875 (September 1, 2021)
Incident Fields
- Alert Type
- Location
- Username
- Subtype
- Risk Rating
- Location Region
- Last Update Time
3.1.11 - 411157 (August 13, 2021)
Indicator Types
- urlRep: Fixed an issue where some URLs (for example 255.255.255.255/25.com) are not recognized as a URL.
3.1.10 - 404180 (July 30, 2021)
Incident Fields
New incident fields:
- Part of Campaign
3.1.9 - 403160 (July 27, 2021)
Indicator Types
- Added a regex and reputation command to the Attack Pattern indicator type.
Indicator Fields
- Associated the Description field with the Attack Pattern indicator type.
3.1.7 - 399371 (July 18, 2021)
Incident Fields
- Manager Email Address Associated the field with the IAM - AD User Activation event from the ILM Content Pack.
3.1.6 - 397303 (July 13, 2021)
Incident Fields
- EmailCampaignSnippets - Added incident field.
3.1.5 - 397182 (July 13, 2021)
Indicator Fields
Publications - updated the Link column to be URL type.
3.1.4 - 394234 (July 7, 2021)
Layouts
Email Indicator
- Fixed an issue where the Additional Details tab was missing from the layout.
IP Indicator
- Fixed an issue where the Additional Details tab was missing from the layout.
File Indicator
- Fixed an issue where the Additional Details tab was missing from the layout.
URL Indicator
- Fixed an issue where the Additional Details tab was missing from the layout.
Domain Indicator
- Fixed an issue where the Additional Details tab was missing from the layout.
3.1.3 - R397303 (July 13, 2021)
Incident Fields
- Process Name
- Process Path
- Resource Type
- Associated the following fields with the CarbonBlackEDR incident type:
- Username
-Event Descriptions - Device Id
- Username
3.1.2 - 388541 (June 22, 2021)
Incident Fields
- Alert Type ID
3.1.1 - 386517 (June 17, 2021)
Indicator Fields
New indicator fields:
- Is Processed
3.1.0 - 383344 (June 11, 2021)
Incident Fields
- Alert Acknowledgement
- Alert Action
- Alert Attack Time
- Alert Malicious
- Alert URL
- Appliance ID
- Appliance Name
- Attack Mode
- Destination MAC Address
- File Name
- File Path
- Sensor IP
- Sensor Name
- Signature
- Source MAC Address
- Incident Link
- Vendor Product
- UUID
3.0.7 - 382285 (June 9, 2021)
Indicator Fields
- Description - Added IP, File, URL to this indicator field.
3.0.6 - 381886 (June 9, 2021)
Indicator Types
- Fixed an issue where some special characters didn't exist in the emailRep regex.
3.0.5 - 381353 (June 8, 2021)
Incident Fields
- Title
- Associated the Mandiant Automated Defense Incident incident type.
3.0.4 - 379063 (June 7, 2021)
Layouts
Report
- Changed the layout name from STIX Report to Report.
Attack Pattern
- Changed the layout name from STIX Attack Pattern to Attack Pattern.
Tool
- Changed the layout name from STIX Tool to Tool.
Threat Actor
- Changed the layout name from STIX Threat Actor to Threat Actor.
Malware
- Changed the layout name from STIX Malware to Malware.
3.0.3 - 378296 (June 6, 2021)
Layouts
STIX Malware
- Maintenance and stability enhancements.
Course of Action
- Maintenance and stability enhancements.
STIX Threat Actor
- Maintenance and stability enhancements.
Intrusion Set
- Maintenance and stability enhancements.
STIX Report
- Maintenance and stability enhancements.
STIX Tool
- Maintenance and stability enhancements.
Infrastructure
- Maintenance and stability enhancements.
Campaign
- Maintenance and stability enhancements.
STIX Attack Pattern
- Maintenance and stability enhancements.
3.0.2 - 375787 (June 3, 2021)
Layouts
File Indicator
- Update File indicator type layout.
URL Indicator
- Update URL indicator type layout.
Email Indicator
- Update Email indicator type layout.
Domain Indicator
- Update Domain indicator type layout.
IP Indicator
- Update IP indicator type layout.
3.0.1 - 373483 (June 1, 2021)
Incident Fields
- Similar incidents Dbot
- Maintenance and stability enhancements.
3.0.0 - 372302 (May 31, 2021)
Incident Fields
- Agents ID
- CMD
- CMD line
- Child Process
- Detected IPs
- Detected User
- Endpoint
- File MD5
- File Names
- File Paths
- File SHA1
- File SHA256
- Objective
- Parent CMD line
- Parent Process
- Scenario
- **Similar incidents Dbot **
- Tactic
- Tactic ID
- Technique
- Technique ID
- Threat Hunting Detected Hostnames
- Threat Hunting Detected IP
- Users
2.9.9 - 371040 (May 30, 2021)
Incident Fields
- Added incident fields:
- EmailCampaignSummary
- EmailCampaignMutualIndicators
- EmailCampaignCanvas
2.9.8 - 367553 (May 26, 2021)
Indicator Fields
New indicator fields:
Operating System Refs
MITRE ID
Associated the Kill Chain Phases field with the Attack Pattern and Tool indicator types.
Layouts
Course of Action
- Maintenance and stability enhancements.
Infrastructure
- Maintenance and stability enhancements.
Campaign
- Maintenance and stability enhancements.
Intrusion Set
- Maintenance and stability enhancements.
2.9.7 - 366824 (May 26, 2021)
Indicator Fields
- Is Malware Family
- Tool Types
- Sophistication
- Roles
- Tool Version
- Threat Actor Types
Indicator Types
- Tool
- Malware
- Report
- Threat Actor
- Attack Pattern
Indicator Types Changes:
For the above indicator types, custom content that relies on one or more of the following types should be updated to use the new types after upgrade to Cortex XSOAR version 6.2.0 or higher.
STIX Tool
- Breaking changes: STIX Tool will be replaced with Tool in Cortex XSOAR version 6.2.0.
STIX Malware
- Breaking changes: STIX Malware will be replaced with Malware in Cortex XSOAR version 6.2.0.
STIX Report
- Breaking changes: STIX Report will be replaced with Report in Cortex XSOAR version 6.2.0.
STIX Threat Actor
- Breaking changes: STIX Threat Actor will be replaced with Threat Actor in Cortex XSOAR version 6.2.0.
STIX Attack Pattern
- Breaking changes: STIX Attack Pattern will be replaced with Attack Pattern in Cortex XSOAR version 6.2.0.
Layouts
STIX Threat Actor
- Update STIX Threat Actor layout.
STIX Malware
- Update STIX Malware layout.
STIX Tool
- Update STIX Tool layout.
STIX Report
- Update STIX Report layout.
STIX Attack Pattern
- Update STIX Attack Pattern layout.
2.9.6 - 364719 (May 24, 2021)
Incident Fields
New incident fields:
- Categories
- Dsts
- Srcs
2.9.5 - R372302 (May 31, 2021)
Indicator Fields
- Applications - Added a new indicator field.
2.9.4 - R372302 (May 31, 2021)
Indicator Types
- emailRep
- Added the ExtractEmailV2 formatting script.
- Maintenance and stability enhancements.
2.9.2 - 358188 (May 18, 2021)
Incident Fields
New incident fields:
- Classification
- Is Active
2.9.1 - 355114 (May 12, 2021)
Indicator Types
- urlRep
- Added support for apostrophes when extracting URL.
2.9.0 - 354205 (May 12, 2021)
Incident Fields
- Tags
- Alert Category
- Policy ID
- Last Update Time
- Device Username
- Comment
- Changed
- Description
2.8.15 - 351790 (May 10, 2021)
Indicator Fields
Description
- Associating this field also with: Campaign, Course of Action, Infrastructure, Intrusion Set.
Primary Motivation
- Associating this field also with: Intrusion Set.
STIX ID
Associating this field also with: Campaign, Course of Action, Infrastructure, Intrusion Set.
The following are new indicator fields:
Resource Level
Secondary Motivations
Goals
Kill Chain Phases
Action
Aliases
Infrastructure Types
Objective
Indicator Types
- The following are new indicator types:
- Campaign
- Course of Action
- Infrastructure
- Intrusion Set
Layouts
New: Infrastructure
- Added a new layout for Infrastructure indicator type.
New: Campaign
- Added a new layout for Campaign indicator type.
New: Course of Action
- Added a new layout for Course of Action indicator type.
New: Intrusion Set
- Added a new layout for Intrusion Set indicator type.
2.8.14 - R351231 (May 9, 2021)
Indicator Types
urlRep - Fixed an issue where the regex caused war room entries to be wrongly parsed.
2.8.13 - 324089 (April 8, 2021)
Incident Fields
- Tags - New field
- Rule Name - New field
2.8.12 - 321069 (April 6, 2021)
Indicator Fields
- Added fields:
- Registrar Abuse Network
- Behavior
- AS Owner
- Registrar Abuse Country
- Registrar Abuse Name
- Organization Type
- Registrar Abuse Address
- Publications
- Community Notes
- ASN - Added the URL indicator type to the Associated types.
- Organization - Added the IP indicator type to the Associated types.
- Geo Country - Added the URL indicator type to the Associated types.
Indicator Types
- Added a mapping to the newly added fields for the following indicator types:
- ipRep
- urlRep
- domainRepUnified
- unifiedFileRep
2.8.11 - 311095 (March 22, 2021)
Incident Fields
- Associated the Email field with the IAM - AD User Activation incident type.
2.8.10 - 307368 (March 17, 2021)
Indicator Fields
- The following are new indicator fields:
- Confidence
- Vulnerabilities
- Reports
- Targets
- The following indicator fields are assigned to all indicator types:
- IP Address
- Domain Name
- STIX Kill Chain Phases
- Updated Date
- Malware Family
- Actor
- Creation Date
2.8.9 - 305310 (March 16, 2021)
Incident Fields
- Incident Link - Added a new incident field.
- Dest Hostname - Added the FraudWatch Alert incident type to the Dest Hostname associated types.
- Timezone - Added a new incident field.
2.8.8 - 303568 (March 14, 2021)
Incident Fields
- Fixed multi select value for the field
- Hostnames
2.8.7 - 301652 (March 11, 2021)
Incident Fields
- Hostnames
Indicator Types
- Onion Address
2.8.6 - 294008 (March 2, 2021)
Indicator Types
- domainRepUnified - Fixed an issue where the DateStringToISOFormat script tried to operate on undefined fields.
2.8.5 - 293470 (March 2, 2021)
Indicator Types
urlRep
- Fixed an issue where URLs with an underscore were not extracted.
2.8.4 - 286068 (February 21, 2021)
CommonTypes
Modified the optional dependencies.
2.8.3 - 277983 (February 10, 2021)
CommonTypes
Modified the optional dependencies.
2.8.2 - 274119 (February 7, 2021)
Incident Fields
- Ticket Acknowledged Date - New field.
- Last Seen - Added Nutanix Hypervisor Alert incident to Last seen Associated types
2.8.1 - 264879 (January 27, 2021)
Incident Fields
- Team name
- app channel name
- similarIncidents
- App message
2.8.0 - R263971 (January 27, 2021)
Indicator Fields
- Mitre Tactics
- Download URL
2.7.3 - R261222 (January 25, 2021)
Indicator Types
- urlRep - The URL regex now supports fragment without trailing slash.
2.7.2 - R253472 (January 16, 2021)
Classifiers
Mail Listener - Incoming Mapper
- Maintenance and stability enhancements.
mail-listener
- Maintenance and stability enhancements.
Layouts
- layout-edit-Vulnerability.json
Maintenance and stability enhancements. - File Indicator
Maintenance and stability enhancements. - unifiedFileRep
Maintenance and stability enhancements.
2.7.1 - 223873 (December 17, 2020)
Indicator Types
- unifiedFileRep
Fixed an issue where the associated layout was not File Indicator.
2.7.0 - 221599 (December 15, 2020)
Incident Fields
- Device Id
- Policy Description
- SHA512
- SHA1
- Policy ID
2.6.3 - 220344 (December 14, 2020)
Incident Fields
Updated the following incident fields to conform to the new schema:
- Dst Ports
- Log Source Type
- Assignment Group
- Pre Nat Destination Port
- Log Source Name
- CVSS Confidentiality Requirement
- Detected Users
- High Level Categories
- Escalation
- Traffic Direction
- Ticket Opened Date
- Source IPV6
- Low Level Categories Events
- DNS Name
- Close Time
- Ticket Number
- Source IPs
- Technical User
- Compliance Notes
- Source Geolocation
- Pre Nat Source Port
- Destination MAC Address
- Destination Hostname
- Number Of Log Sources
- Detected Internal Hosts
- Pre Nat Source IP
- Protocols
- Category Count
- Raw Event
- Technical Owner
- Device Time
- Event Descriptions
- Detected External Hosts
- Source Hostname
- Technical Owner Contact
- Last Update Time
- Post Nat Source IP
- CVSS Availability Requirement
- Follow Up
- List Of Rules - Event
- Detected Internal IPs
- Closing User
- Destination IPs
- Detected External IPs
- Unique Ports
- Caller
- Source MAC Address
- Usernames
- sAMAccountName
- Post Nat Destination Port
- Post Nat Source Port
- Dest Hostname
- Mobile Device Model
- CVSS Collateral Damage Potential
- Closing Reason
- Event Names
- Start Time
- Events
- Src Hostname
- Destination Geolocation
- Src Ports
- userAccountControl
- Protocol - Event
- Post Nat Destination IP
- Destination IPV6
- CVSS Integrity Requirement
- Ticket Closed Date
- Dest OS
Indicator Fields
Updated the following indicator fields to conform to the new schema:
- Signature Description
- Registrant Country
- Internal
- STIX ID
- CVSS
- Admin Phone
- DNS
- Office365Required
- Admin Country
- STIX Description
- Display Name
- Geo Country
- Username
- SHA512
- Description
- Actor
- Category
- Office365Category
- STIX Primary Motivation.
- Source Original Severity
- STIX Resource Level
- Email Address
- STIX Roles
- Updated Date
- Operating System
- Associations
- STIX Is Malware Family
- Subdomains
- Signature Copyright
- STIX Goals
- First Seen By Source
- Path
- Malware Family
- Entry ID
- CVE Modified
- STIX Malware Types
- Expiration Date
- Registrant Name
- STIX Kill Chain Phases
- Last Seen By Source
- MAC Address
- Signed
- Domain Referring IPs
- Registrar Abuse Email
- Organizational Unit (OU)
- Device Model
- Reported By
- File Extension
- Account Type
- ASN
- BIOS Version
- Indicator Identification
- Service
- Admin Email
- Name Field
- Registrant Email
- DHCP Server
- Region
- Groups
- Hostname
- Threat Types
- Name Servers
- Domain Status
- Traffic Light Protocol
- CVE Description
- Memory
- Office365ExpressRoute
- Organization
- STIX Secondary Motivations
- Signature Authentihash
- imphash
- IP Address
- STIX Tool Version
- STIX Threat Actor Types
- File Type
- Registrant Phone
- STIX Aliases
- Name
- MD5
- Detection Engines
- OS Version
- Admin Name
- Campaign
- Operating System Version
- Processors
- SHA1
- Domain Referring Subnets
- Size
- Signature File Version
- Signature Internal Name
- Associated File Names
- Domain Name
- SSDeep
- Positive Detections
- Geo Location
- Creation Date
- Feed Related Indicators
- Registrar Name
- Domain IDN Name
- STIX Tool Types
- STIX Sophistication
- Registrar Abuse Phone
- Port
- SHA256
- Processor
- Published
2.6.2 - 218903 (December 13, 2020)
Indicator Fields
- Tags
Fixed Tags field having empty options.
2.6.1 - 218355 (December 13, 2020)
Incident Fields
- IncomingMirrorError
Removed the field from the close form. - OutgoingMirrorError
Removed the field from the close form.
2.6.0 - 213750 (December 7, 2020)
Incident Fields
- Application Id
UID for the application. - Application Name
The name of the application.
2.5.0 - 212473 (December 6, 2020)
Incident Fields
- Error Message
Long-text field that provides a detailed description of the error. - Error Code
UID for the error type that occurred. - User Id
UID for the user in the application.
Indicator Fields
Primary Motivation
- Malware types
2.3.1 - 202666 (November 27, 2020)
Incident Fields
Added the following new incident fields.
- Alert ID
- Alert Name
2.3.0 - 201154 (November 25, 2020)
Incident Fields
Associated the following incident fields to the IAM - Update User incident type.
- Username
- City
2.2.4 - 192645 (November 18, 2020)
Indicator Types
domainRepUnified - Breaking Change: changed the default mapping for Domain.Admin to correspond to context standards.
2.2.3 - 187404 (November 15, 2020)
Incident Fields
- Post Nat Destination IP
- Src Ports
- Start Time
- Source IPs
- Raw Event
- Destination IPs
- High Level Categories
- Post Nat Source Port
- Closing User
- Pre Nat Destination Port
- Close Time
- Post Nat Destination Port
- DNS Name
- Dst Ports
- Technical Owner
- Traffic Direction
- Post Nat Source IP
- Pre Nat Source IP
- Device Time
- Usernames
- Source IPV6
- Source MAC Address
- Destination Geolocation
- Source Geolocation
- Destination IPV6
- Pre Nat Source Port
- Technical User
- Technical Owner Contact
- Event Names
- Destination MAC Address
- Closing Reason
- Low Level Categories Events
- CVSS Collateral Damage Potential
- Number Of Log Sources
- Last Update Time
- CVSS Integrity Requirement
- CVSS Availability Requirement
- Events
- Log Source Type
- Protocol - Event
- Compliance Notes
- Category Count
- List Of Rules - Event
- Log Source Name
- CVSS Confidentiality Requirement
- Follow Up
- Event Descriptions
2.2.2 - 183115 (November 11, 2020)
Indicator Types
- IPv6
Changed the regex so that it will extract only the common shape addresses of IPv6.
2.2.1 - R180529 (November 9, 2020)
Layouts
STIX Report
- Report details section is now divided into two new sections: XSOAR Details, STIX Report Details.
- Actions section has been removed.
2.2.0 - 159494 (October 25, 2020)
Incident Fields
- Personal Email
Added a new field. - Title
Added a new field. - Job Family
Added a new field. - Job Function
Added a new field. - Location Region
Added a new field. - Username
Added association to IAM incident types. - Work Phone
Added a new field. - Cost Center
Added a new field. - Job Code
Added a new field. - Zip Code
Added a new field. - Event Action
Added a new field. - State
Added association to IAM incident types. - City
Added association to IAM incident types.
Indicator Fields
- Mobile Phone
Added a new field. - Manager Name
Added a new field. - Manager Email Address
Added a new field. - Location
Added a new field. - Display Name
Added association to the User Profile indicator type. - Department
Added a new field. - Surname
Added a new field. - Email
Added a new field. - Street Address
Added a new field. - Leadership
Added a new field. - Country Name
Added a new field. - City
Added a new field. - Given Name
Added a new field. - State
Added a new field. - Cost Center Code
Added a new field.
2.1.1 - 154492 (October 21, 2020)
Common Types
- Documentation and metadata improvements.
2.1.0 - 151676 (October 19, 2020)
Indicator Fields
Domain Indicator Fields
Added the following indicator fields:
- Domain IDN Name
- Domain Referring Subnets
- Domain Referring IPs
2.0.2 - 147869 (October 15, 2020)
Indicator Types
- IPv6
- Upgrade IPv6 regex to extract the address only if it is surrounded by special characters.
2.0.1 - 130392 (September 30, 2020)
Incident Fields
- IncomingMirrorError
- New incident field to indicate an error in incoming mirror feature added in XSOAR version 6.0.0.
- OutgoingMirrorError
- New incident field to indicate an error in outgoing mirror feature added in XSOAR version 6.0.0.
2.0.0 - 128261 (September 29, 2020)
Incident Fields
Added the following incident fields.
- Account Name
- Device Model
- MD5
- Device External IP
- SHA256
- Assigned User
- Device Local IP
1.9.7 - R124496 (September 23, 2020)
Incident Fields
Cloud Service
Added Trend Micro CAS Event to this incident field.Resource Name
Added Trend Micro CAS Event to this incident field.Risk Score
Added Trend Micro CAS Event to this incident field.Username
Added Trend Micro CAS Event to this incident field.Blocked Action
Added Trend Micro CAS Event to this incident field.Policy Details
Added Trend Micro CAS Event to this incident field.
1.9.6 - 117920 (September 16, 2020)
Indicator Fields
Traffic Light Protocol
- You can now choose to not assign TLP value (color).
1.9.5 - 116186 (September 15, 2020)
Indicator Fields
Creation Date
Added STIX Threat Actor to this indicator field
Geo Country
Added STIX Threat Actor to this indicator field
Region
Added STIX Threat Actor to this indicator field
Updated Date
Added STIX Threat Actor to this indicator field
1.9.0 - 103958 (September 3, 2020)
Incident Fields
Username
Added Microsoft CAS Alert to this incident field.
Policy Type
Added Microsoft CAS Alert to this incident field.
Risk Score
Added Microsoft CAS Alert to this incident field.
Cloud Service
Added Microsoft CAS Alert to this incident field.
Account Name
Added Microsoft CAS Alert to this incident field.
Policy Description
Added Microsoft CAS Alert to this incident field.
Country
Added Microsoft CAS Alert to this incident field.
1.8.8 - 95210 (August 26, 2020)
Incident Fields
- Assignment Group
- State
- Sub Category
- Caller
- Ticket Opened Date
- Escalation
- Ticket Number
- Ticket Closed Date
1.8.7 - 94539 (August 25, 2020)
Layouts
layout-edit-Vulnerability.json
Set the default incident type for the layout.
layout-details-Vulnerability.json
Set the default incident type for the layout.
1.8.6 - 92631 (August 21, 2020)
Layouts
- STIX Malware
- STIX Report
- STIX Threat Actor
- STIX Tool
- STIX Attack Pattern
1.8.5 - 92385 (August 20, 2020)
Layouts
File Indicator
- Updated layout name.
1.8.4 - 88347 (August 16, 2020)
Indicator Fields
STIX Indicator Fields
Fixed an issue where the following indicator fields were incorrectly associated to their indicator types:
- STIX Aliases
- STIX Description
- STIX Goals
- STIX ID
- STIX Is Malware Family
- STIX Kill Chain Phases
- STIX Malware Types
- STIX Primary Motivation
- STIX Resource Level
- STIX Roles
- STIX Secondary Motivations
- STIX Sophistication
- STIX Threat Actor Types
- STIX Tool Types
- STIX Tool Version
1.8.3 - 87577 (August 13, 2020)
Layouts
domainRepUnified
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
emailRep
- Added teh new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
hostRep
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
cveRep
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
registryKey
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
urlRep
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
accountRep
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
ipRep
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
unifiedFileRep
- Added the new section Feed Related Indicators that contains information about the relationship between an indicator, an entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects to indicators, if relevant.
1.8.2 - 86854 (August 12, 2020)
Indicator Types
STIX Attack Pattern
- Associated the STIX Attack Pattern indicator type to the STIX Attack Pattern layout.
- Updated the STIX Attack Pattern indicator type ID to Attack Pattern.
STIX Malware
- Associated the STIX Malware indicator type to the STIX Malware layout.
- Updated the STIX Malware indicator type ID to Malware.
STIX Report
- Associated the STIX Report indicator type to the STIX Report layout.
- Updated the STIX Report indicator type ID to Report.
STIX Threat Actor
- Associated the STIX Threat Actor indicator type to the STIX Threat Actor layout.
- Updated the STIX Threat Actor indicator type ID to Threat Actor.
STIX Tool
- Associated the STIX Tool indicator type to the STIX Tool layout.
- Updated the STIX Tool indicator type ID to Tool.
1.8.1 - 85813 (August 11, 2020)
Layouts
accountRep
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
domainRepUnified
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
STIX Report
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
ipRep
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
STIX Malware
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
STIX Tool
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
STIX Threat Actor
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
STIX Attack Pattern
- Fixed an issue with Add/Remove tag buttons that didn't work properly.
1.8.0 - 84183 (August 9, 2020)
Indicator Fields
STIX Indicator Fields
Added the following Structured Threat Information eXpression (STIX) indicator fields:
- STIX Aliases
- STIX Description
- STIX Goals
- STIX ID
- STIX Is Malware Family
- STIX Kill Chain Phases
- STIX Malware Types
- STIX Primary Motivation
- STIX Resource Level
- STIX Roles
- STIX Secondary Motivations
- STIX Sophistication
- STIX Threat Actor Types
- STIX Tool Types
- STIX Tool Version
Indicator Types
STIX Indicator Types
Added the following Structured Threat Information eXpression (STIX) indicator types:
- STIX Attack Pattern - A type of Time-Triggered Protocol (TTP) that describes ways that adversaries attempt to compromise targets.
- STIX Malware - A type of TTP that represents malicious code.
- STIX Report - Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
- STIX Threat Actor - Actual individuals, groups, or organizations believed to be operating with malicious intent.
- STIX Tool - Legitimate software that can be used by threat actors to perform attacks.
Layouts
STIX Layouts
Added the following Structured Threat Information eXpression (STIX) layouts: Attack Pattern, Malware, Report, Threat Actor, Tool.
1.7.4 - 84099 (August 9, 2020)
Indicator Fields
Feed Related Indicators
Set the description column values to be clickable.
1.7.3 - R80632 (August 3, 2020)
Layouts
urlRep
Updated the design for the URL indicator layout.
1.7.2 - 79187 (August 2, 2020)
Indicator Types
unifiedFileRep
- Fixed an issue where long hashes where extracted as 2 seperate hashes.
1.7.1 - 76963 (July 29, 2020)
Layouts
emailRep
Updated the design for the Email indicator layout.
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Removed the Aggregated Reliability field from the Account Details widget.
- Removed the Close Notes field from the Related Incidents widget.
- Added the Severity and Owner fields to the Related Incidents widget.
- Renamed the Sources Data widget to Sources.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Moved the Custom Details and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags field to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the Email details widget.
registryKey
Updated the design for the RegistryKey indicator layout.
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Removed the Aggregated Reliability field from the Account Details widget.
- Removed the Close Notes field from the Related Incidents widget.
- Added the Severity and Owner fields to the Related Incidents widget.
- Renamed the Sources Data widget to Sources.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Moved the Custom Details and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags field to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the Registry Key details widget.
hostRep
Updated the design for the Host indicator layout.
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Removed the Aggregated Reliability field from the Account Details widget.
- Removed the Close Notes field from the Related Incidents widget.
- Added the Severity and Owner fields to the Related Incidents widget.
- Renamed the Sources Data widget to Sources.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Moved the Custom Details and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags field to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the Host details widget.
accountRep
Updated the design for the Account indicator layout as follows:
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Removed the Aggregated Reliability field from the Account Details widget.
- Removed the Close Notes field from the Related Incidents widget.
- Added the Severity field to the Related Incidents widget.
- Renamed the Sources Data widget to Sources.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Moved the Custom Details and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags field to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the Account details widget.
cveRep
Updated the design for the CVE indicator layout.
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Added the CVE Modified field to the Account Details widget.
- Removed the Aggregated Reliability field from the Account Details widget.
- Removed the Close Notes field from the Related Incidents widget.
- Added the Severity field to the Related Incidents widget.
- Renamed the Sources Data widget to Sources.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Moved the Custom Details and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags field to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the CVE details widget.
1.7.0 - 76858 (July 29, 2020)
Layouts
domainRepUnified
Updated the design for the Domain indicator layout.
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Removed the Aggregated Reliability and Tags fields from the Domain Details widget.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Moved the Custom Details, and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags and Feed Related Indicators fields to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the Domain details and Whois widget.
ipRep
Updated the design for the IP indicator layout.
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Removed the Aggregated Reliability field from the IP Details widget.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Moved the Custom Details and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags and Feed Related Indicators fields to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the IP details widget.
unifiedFileRep
Updated the design for the File indicator layout.
- Replaced the Info tab with the Summary and Additional Details tabs.
- In the Info tab:
- Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
- Moved the SHA512 field from the Hashes widget to the File Details widget.
- Removed the Aggregated Reliability and Tags fields from the File Details widget.
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
- Renamed the Signatures widget to File signature.
- Moved the Custom Details and Extended Details widgets to the Additional Details tab.
- In the Additional Details tab:
- Added the Tags and Feed Related Indicators fields to the Extended Details widget.
- In the Quick View tab:
- Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
- Added the IP details widget.
1.6.1 - 74521 (July 26, 2020)
PUBLISHER
Cortex
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | July 26, 2020 | |
| Last Release | November 24, 2022 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
