Common Types
This Content Pack gets you up and running in no time by providing the most commonly used incident and indicator fields and types.
Incident Type | Description |
---|---|
Job | |
Network | |
DoS | |
Indicator Feed | |
Defacement | |
C2Communication | |
Simulation | |
Vulnerability | |
Lateral Movement | |
Reconnaissance | |
Authentication | |
Policy Violation | |
Hunt | |
Exfiltration | |
UnknownBinary | |
Exploit | |
Classifier / Mapper | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Incident Field | Description |
---|---|
Application Name | Application Name |
Process Creation Time | |
Subtype | Subtype |
Registry Value | |
Start Time | The time when the offense started. |
Group ID | |
Child Process | |
SSDeep | |
Process Path | |
Source Geolocation | The source geolocation of the event. |
Device OU | Device's OU path in Active Directory |
Device Hash | Device Hash |
Dest Hostname | Destination hostname |
Device External IP | Device External IP |
EmailCampaignSummary | |
Source Networks | |
Tactic ID | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Appliance ID | Appliance ID as received from the integration JSON |
Source Hostname | The source hostname (for example, the host that performed a port scan). |
File Names | |
Event Type | Event Type |
SHA512 | SHA512 |
Device OS Version | |
Policy Severity | |
Source Network | |
Employee Email | The email address of the employee. |
Destination Hostname | Destination hostname |
Source Updated by | |
External Start Time | |
Detection ID | |
PID | PID |
File Name | |
Manager Email Address | |
App message | |
Password Changed Date | |
Compliance Notes | Notes regarding the assets compliance. |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Caller | |
Dest | Destination |
Log Source Name | The log source name associated with the event. |
SKU Name | |
Src Hostname | Source hostname |
User Id | User Id |
Closing User | The closing user. |
userAccountControl | userAccountControl |
Item Owner Email | |
CMD line | |
Technical User | The technical user of the asset. |
Risk Rating | |
Objective | |
Rule Name | The name of a YARA rule |
Number of similar files | |
Source Create time | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Org Level 2 | |
Leadership | |
Related Report | |
EmailCampaignSnippets | |
Job Code | Job Code |
Triage SLA | The time it took to investigate and enrich incident information. |
Triggered Security Profile | Triggered Security Profile |
Device Name | Device Name |
Mobile Device Model | |
Verdict | |
CVE | |
Follow Up | True if marked for follow up. |
Event ID | Event ID |
External Confidence | |
Source Status | |
Threat Hunting Detected IP | |
Policy Remediable | |
Last Seen | |
Source Priority | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Cloud Resource List | |
Source IP | The source IP address (for example, the address the user initially logged in from). |
Dsts | The destination values. |
Rating | |
Use Case Description | |
Tactic | |
Cloud Account ID | |
Post Nat Source Port | The source port after NAT. |
SHA256 | SHA256 |
Event Descriptions | The description of the event name. |
Detection End Time | |
Source Created By | |
Number Of Log Sources | The number of log sources related to the offense. |
Vendor ID | |
SHA1 | SHA1 |
Parent Process Path | |
Parent Process | |
OS | The operating system. |
Device Id | Device Id |
File Relationships | |
Related Endpoints | |
sAMAccountName | User sAMAccountName |
Acquisition Hire | |
MITRE Tactic Name | |
Cloud Region List | |
User Engagement Response | |
Agent Version | Reporting Agent/Sensor Version |
Source Port | The source port that was used |
Detected Endpoints | |
External Category Name | |
File SHA256 | |
Asset ID | |
Account Member Of | |
EmailCampaignMutualIndicators | |
Account Name | Account Name |
Vendor Product | |
External Addresses | |
Item Owner | |
User SID | |
Similar incidents Dbot | |
Process CMD | |
Region ID | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Alert Type ID | |
Device Internal IPs | |
Source Urgency | Source Urgency |
Log Source | Log Source |
First Name | First Name |
Traffic Direction | The direction of the traffic in the event. |
Device Status | |
High Level Categories | The high level categories in the events. |
IP Reputation | |
MAC Address | MAC Address |
Additional Data | |
File Access Date | |
Device External IPs | |
Detected Internal IPs | Detected internal IPs |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Escalation | |
Parent Process MD5 | |
Tenant Name | Tenant Name |
Domain Name | |
Classification | Incident Classification |
Last Modified On | |
Appliance Name | Appliance name as received from the integration JSON |
Attack Mode | Attack mode as received from the integration JSON |
Location | Location |
Resource ID | |
Internal Addresses | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Endpoint | |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Personal Email | |
Closing Reason | The closing reason |
Policy Recommendation | |
Src | Source |
External System ID | |
Location Region | Location Region |
Destination IP | The destination IP address (for example, the address the impossible traveler logged in to). |
External Sub Category ID | |
Hunt Results Count | |
Scenario | |
Pre Nat Source IP | The source IP before NAT. |
Employee Display Name | The display name of the employee. |
Events | The events associated with the offense. |
Policy Description | |
Source IPV6 | The source IPV6 address. |
Policy ID | |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
Destination IPV6 | The destination IPV6 address. |
Zip Code | Zip Code |
EmailCampaignCanvas | |
Ticket Opened Date | |
List Of Rules - Event | The list of rules associated with an event. |
Detected External IPs | Detected external IPs |
Country Name | Country Name |
Cost Center | Cost Center |
Parent Process File Path | |
Endpoint Isolation Status | |
Destination Networks | |
Policy Actions | |
External ID | |
File Path | |
Process Paths | |
Ticket Closed Date | |
Cloud Instance ID | Cloud Instance ID |
Additional Indicators | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Detected Users | Detected users |
File SHA1 | |
Work Phone | |
Error Code | |
Incident Link | |
Srcs | The source values. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Policy Details | |
Destination IPs | The destination IPs of the event. |
Threat Family Name | The threat family associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
File MD5 | |
Alert Category | The category of the alert |
Region | |
Unique Ports | |
Technique | |
Job Family | Job Family |
External Status | |
Sub Category | The sub category |
File Paths | |
Source External IPs | |
Display Name | Display Name |
Surname | Surname |
Account Status | |
Full Name | Person's Full Name |
Alert Source | |
Containment SLA | The time it took to contain the incident. |
Alert Name | Alert name as received from the integration JSON |
Dest NT Domain | Destination NT Domain |
Policy Deleted | |
MD5 | MD5 |
Low Level Categories Events | The low level category of the event. |
Parent Process Name | |
Bugtraq | |
Device Time | The time from the original logging device when the event occurred. |
Alert Malicious | Whether the alert is malicious. |
Threat Hunting Detected Hostnames | |
Registry Hive | |
Src Ports | The source ports of the event. |
DNS Name | The DNS name of the asset. |
Username | The username of the account that logged in. |
End Time | The time when the offense ended. |
Device Username | The username of the user that owns the device |
Dest OS | Destination OS |
Src OS | Src OS |
UUID | UUID as received from the integration JSON |
File Creation Date | |
Changed | The user who changed this incident |
CMD | |
app channel name | |
Department | Department |
Device Model | Device Model |
Device MAC Address | |
CVSS | |
Error Message | The error message that contains details about the error that occurred. |
Application Path | |
Team name | |
Protocol names | |
Risk Score | |
First Seen | |
OS Type | OS Type |
User Creation Time | |
Process MD5 | |
Title | Title |
External End Time | |
Destination Geolocation | The destination geolocation of the event. |
File Hash | |
Country Code | |
Org Level 1 | |
Policy Type | |
Last Update Time | |
Registry Value Type | |
Phone Number | Phone Number |
Duration | |
Technique ID | |
Detected User | |
Account ID | |
Device OS Name | |
Job Function | Job Function |
External Severity | |
Investigation Stage | The stage of the investigation. |
Technical Owner Contact | The contact details for the technical owner. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Close Time | The closing time. |
Assignment Group | |
Parent Process SHA256 | |
Device Local IP | Device Local IP |
Last Modified By | |
Exposure Level | |
Parent CMD line | |
Src User | Source User |
MITRE Tactic ID | |
similarIncidents | |
Post Nat Source IP | The source IP address after NAT. |
Dst Ports | The destination ports of the event. |
Street Address | |
External Category ID | |
Process SHA256 | |
Log Source Type | The log source type associated with the event. |
ASN | |
Isolated | Isolated |
Parent Process IDs | |
Destination MAC Address | The destination MAC address in an event. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Blocked Action | Blocked Action |
Timezone | |
App | |
Number of Related Incidents | |
Process Name | |
Rendered HTML | The HTML content in a rendered form. |
MITRE Technique ID | |
Process Names | |
Source IPs | The source IPs of the event. |
SKU TIER | |
Manager Name | Manager Name |
Signature | |
Pre Nat Destination Port | The destination port before NAT. |
Post Nat Destination Port | The destination port after NAT. |
State | State |
Primary Email Address | |
Protocol | Protocol |
Org Unit | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Sensor Name | |
Detected IPs | |
Alert ID | Alert ID as received from the integration JSON |
Agents ID | |
Assigned User | Assigned User |
Event Action | The action taken on a user account: Create, Update, Deactivate, or Reactivate. |
Command Line | Command Line |
Resource Type | |
Vulnerability Category | |
Pre Nat Source Port | The source port before NAT. |
Source Username | The username that was the source of the attack. |
Org Level 3 | |
Usernames | The usernames in the event. |
Post Nat Destination IP | The destination IP address after NAT. |
Source Category | |
URLs | |
Detected External Hosts | Detected external hosts |
City | |
IP Blocked Status | |
Alert Attack Time | |
Country | The country from which the user logged in. |
Sensor IP | |
Ticket Acknowledged Date | |
OS Version | OS Version |
Technical Owner | The technical owner of the asset. |
Hostnames | The hostnames in the event. |
Destination Port | The destination port used. |
Tags | |
Detection Update Time | |
Comment | The comments related to the incident. |
Source MAC Address | The source MAC address in an event. |
Ticket Number | |
Birthday | Person's Birthday |
Description | The description of the incident |
Cloud Service | |
Raw Event | The unparsed event data. |
Employee Manager Email | The email address of the employee's manager. |
Src NT Domain | Source NT Domain |
Given Name | Given Name |
Resource Name | |
Categories | The categories for the incident. |
Country Code Number | |
Alert Action | Alert action as received from the integration JSON |
Protocol - Event | The network protocol in the event. |
Is Active | Alert status |
Parent Process CMD | |
Policy URI | |
Protocols | |
Macro Source Code | If a Microsoft Office file such as a docm, xlsm or pptm contains a macro, this field holds the macro's source code. |
File Size | File Size |
Mobile Phone | |
External Sub Category Name | |
Users | |
Alert URL | Alert URL as received from the integration JSON |
External Link | |
Application Id | Application Id |
Detected Internal Hosts | Detected internal hosts |
Agent ID | Agent ID |
Registry Key | |
Category Count | The number of categories that are associated with the offense. |
IncomingMirrorError | |
Last Name | Last Name |
Process ID | |
Cost Center Code | Cost Center Code |
MITRE Technique Name | |
Event Names | The event name (translated QID) in the event. |
OutgoingMirrorError | |
Destination Network | |
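The Domain Squatting Result field above records the outcome of a look-alike check on the sender's domain, and the Mail Listener - Incoming Mapper is what populates fields like it from the raw message. The script below is an added illustration of such a check and of a minimal mapper that writes into the Common Types field names; it is not code from the Common Types pack or from XSOAR. The internal domain list, the homoglyph table, the edit-distance threshold, the function names and the sample message are all assumptions constructed for the example.

```python
"""Domain-squatting check that fills a 'Domain Squatting Result' field.

Added example, not code from the Common Types content pack. The internal
domain list, thresholds and the sample email below are assumptions.
"""
from dataclasses import dataclass, asdict
import re

# Constructed for the example: domains the organisation legitimately sends from.
INTERNAL_DOMAINS = ("example.com",)

# Look-alike substitutions to undo before measuring edit distance (assumed list).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common homoglyph substitutions."""
    d = domain.strip().lower().rstrip(".")
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def sender_domain(from_header: str) -> str:
    """Domain part of a From: value such as 'Alice <alice@examp1e.com>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    if not m:
        raise ValueError(f"no domain in {from_header!r}")
    return m.group(1).lower().rstrip(".")


@dataclass
class SquattingResult:
    sender_domain: str
    closest_internal: str
    distance: int
    verdict: str  # "internal", "squatting" or "external"


def check_domain_squatting(from_header: str, internal=INTERNAL_DOMAINS,
                           max_distance: int = 2) -> SquattingResult:
    dom = sender_domain(from_header)
    # An exact match or a real subdomain of an internal domain is internal mail.
    for d in internal:
        if dom == d or dom.endswith("." + d):
            return SquattingResult(dom, d, 0, "internal")
    norm = normalize(dom)
    best = min(internal, key=lambda d: levenshtein(norm, d))
    dist = levenshtein(norm, best)
    # A short edit distance after undoing homoglyphs, or the real domain embedded
    # in a longer attacker-controlled name (example.com.evil.net), is squatting.
    embedded = any(d in dom for d in internal)
    verdict = "squatting" if dist <= max_distance or embedded else "external"
    return SquattingResult(dom, best, dist, verdict)


def map_email_to_incident(raw: dict) -> dict:
    """Minimal incoming-mapper stand-in: keys are Common Types incident field names."""
    result = check_domain_squatting(raw["from"])
    return {
        "Employee Email": raw["to"],
        "URLs": URL_RE.findall(raw["body"]),
        "Domain Squatting Result": asdict(result),
    }


# Constructed sample message (not real mail).
SAMPLE_EMAIL = {
    "from": "IT Helpdesk <helpdesk@examp1e.com>",
    "to": "bob@example.com",
    "subject": "Password expiry",
    "body": "Reset now at https://examp1e.com/reset?u=bob before 5pm.",
}

if __name__ == "__main__":
    print(map_email_to_incident(SAMPLE_EMAIL))
```

The homoglyph pass runs before the edit distance so that `examp1e.com` is caught at distance 0 rather than slipping under a threshold tuned for plain typos; the embedded-domain test covers subdomain impersonation that no edit-distance threshold would flag.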
Indicator Field | Description |
---|---|
Name | |
Email Address | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
STIX ID | An identifier that uniquely identifies a STIX object, and MAY do so in a deterministic way. |
Aliases | Alternative names used to identify this object |
Registrant Country | |
Internal | |
Org Level 1 | |
Username | |
Confidence | |
Admin Email | |
Last Seen By Source | The last time the indicator was seen by the source vendor. |
Domain IDN Name | |
Country Name | |
Operating System | |
Org Unit | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Manager Email Address | |
DNS | |
Hostname | |
Rank | Used to display rank from different sources |
Languages | Specifies the languages supported by the software. Each list member MUST be a language code conformant to RFC 5646. |
SHA1 | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
File Type | |
Personal Email | |
Force Sync | Whether to force user synchronization. |
Surname | Surname |
Country Code | |
Threat Actor Types | |
Targets | |
Org Level 2 | |
Account Type | |
Domain Referring Subnets | |
Updated Date | |
Expiration Date | |
Office365Category | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
OS Version | |
CVSS Vector | |
Community Notes | |
Job Family | |
Registrar Abuse Name | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Subdomains | |
STIX Secondary Motivations | |
Operating System Refs | |
Resource Level | |
Feed Related Indicators | |
Source Priority | |
STIX Roles | |
CVSS Score | |
Action | |
Path | |
Cost Center | |
MD5 | |
AS Owner | |
Signature Internal Name | |
Registrar Abuse Address | |
Registrar Abuse Country | |
BIOS Version | |
STIX Description | |
CVE Description | |
Tool Types | |
Detection Engines | Total number of engines that checked the indicator |
Domain Name | |
Quarantined | Whether the indicator is quarantined or isolated |
Department | Department |
Reports | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Mobile Phone | |
Organization Type | |
Work Phone | |
Assigned user | |
Indicator Identification | |
Device Model | |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Port | |
Registrar Abuse Email | |
Infrastructure Types | |
CVSS | |
Key Value | |
Name Field | |
CVSS3 | |
Admin Phone | |
Registrant Phone | |
Location | |
Malware Family | |
Location Region | |
Vulnerabilities | |
Actor | |
Category | |
Office365ExpressRoute | |
STIX Is Malware Family | |
Secondary Motivations | |
Service | The specific service of a feed integration from which an indicator was ingested. |
State | |
Campaign | |
Tool Version | |
Behavior | |
Short Description | |
Published | |
Cost Center Code | |
CVSS Version | |
Roles | |
STIX Resource Level | |
STIX Malware Types | |
SHA256 | |
Tags | |
Memory | |
Registrar Name | |
Display Name | |
Creation Date | |
Manager Name | Manager Name |
Leadership | |
Entry ID | |
Street Address | |
Job Code | Job Code |
Organization | |
Signature Authentihash | |
CVE Modified | |
Sophistication | |
IP Address | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Geo Location | |
DHCP Server | |
Registrant Email | |
Associations | Known associations to other pieces of Threat Data. |
Signature File Version | |
Malware types | |
Assigned role | |
Vendor | |
Given Name | Given Name |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Registrant Name | |
Is Processed | |
File Extension | |
Signature Description | |
Org Level 3 | |
imphash | |
Mitre Tactics | |
Description | |
Download URL | |
Country Code Number | |
Job Function | |
Registrar Abuse Phone | |
Title | Title |
MAC Address | |
Admin Country | |
Size | |
Primary Motivation | |
Region | |
Acquisition Hire | Whether the employee is an acquisition hire. |
City | City |
Name Servers | |
Geo Country | |
Mitre ID | |
Operating System Version | |
STIX Aliases | Alternative names used to identify this object |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Version | |
Signature Copyright | |
Signed | |
SSDeep | |
STIX Primary Motivation | |
STIX Goals | |
Office365Required | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
STIX Sophistication | |
Registrar Abuse Network | |
Zip Code | |
Processors | |
Processor | |
Admin Name | |
SHA512 | |
Goals | |
CVSS Table | |
Associated File Names | |
Objective | |
Domain Status | |
Organizational Unit (OU) | |
Is Malware Family | |
STIX Tool Types | |
Applications | |
Domain Referring IPs | |
ASN | |
Publications | |
STIX Threat Actor Types | |
Groups | |
STIX Tool Version | |
Layout | Description |
---|---|
Intrusion Set | |
Course of Action | |
Threat Actor | |
Infrastructure | |
CVE Indicator | |
Location | |
Identity | |
IP Indicator | |
Domain Indicator | |
Indicator Feed Incident | |
Vulnerability Incident | |
Campaign | |
Attack Pattern | |
Email Indicator | |
ASN | |
Tool | |
Registry Key Indicator | |
Software | |
File Indicator | |
Host Indicator | |
URL Indicator | |
Account Indicator | |
Mutex | Mutex indicator layout |
Malware | |
Report | |
Name | Description |
---|---|
Job | |
Network | |
DoS | |
Indicator Feed | |
Defacement | |
C2Communication | |
Simulation | |
Vulnerability | |
Lateral Movement | |
Reconnaissance | |
Authentication | |
Policy Violation | |
Hunt | |
Exfiltration | |
UnknownBinary | |
Exploit |
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
Process Creation Time | |
Subtype | Subtype |
Registry Value | |
Start Time | The time when the offense started. |
Group ID | |
SSDeep | |
Source Geolocation | The source geolocation of the event. |
Device OU | Device's OU path in Active Directory |
Device Hash | Device Hash |
EmailCampaignSummary | |
Source Networks | |
Tactic ID | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
SHA512 | SHA512 |
Device OS Version | |
Policy Severity | |
Employee Email | The email address of the employee. |
Source Updated by | |
External Start Time | |
Detection ID | |
Manager Email Address | |
App message | |
Password Changed Date | |
Compliance Notes | Notes regarding the assets compliance. |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Caller | |
Log Source Name | The log source name associated with the event. |
SKU Name | |
User Id | User Id |
Closing User | The closing user. |
userAccountControl | userAccountControl |
Item Owner Email | |
Technical User | The technical user of the asset. |
Risk Rating | |
Objective | |
Rule Name | The name of a YARA rule |
Number of similar files | |
Source Create time | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Org Level 2 | |
Leadership | |
Related Report | |
EmailCampaignSnippets | |
Job Code | Job Code |
Triage SLA | The time it took to investigate and enrich incident information. |
Triggered Security Profile | Triggered Security Profile |
Device Name | Device Name |
Mobile Device Model | |
Verdict | |
CVE | |
Follow Up | True if marked for follow up. |
Event ID | Event ID |
External Confidence | |
Source Status | |
Policy Remediable | |
Last Seen | |
Source Priority | |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Cloud Resource List | |
Dsts | The destination values. |
Rating | |
Use Case Description | |
Tactic | |
Cloud Account ID | |
Post Nat Source Port | The source port after NAT. |
Event Descriptions | The description of the event name. |
Detection End Time | |
Source Created By | |
Number Of Log Sources | The number of log sources related to the offense. |
Vendor ID | |
SHA1 | SHA1 |
Parent Process Path | |
OS | The operating system. |
Device Id | Device Id |
File Relationships | |
Related Endpoints | |
sAMAccountName | User sAMAAccountName |
Acquisition Hire | |
MITRE Tactic Name | |
Cloud Region List | |
User Engagement Response | |
Agent Version | Reporting Agent/Sensor Version |
Detected Endpoints | |
External Category Name | |
Asset ID | |
Account Member Of | |
EmailCampaignMutualIndicators | |
Vendor Product | |
Item Owner | |
User SID | |
Similar incidents Dbot | |
Process CMD | |
Region ID | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Alert Type ID | |
Device Internal IPs | |
Source Urgency | Source Urgency |
Log Source | Log Source |
First Name | First Name |
Traffic Direction | The direction of the traffic in the event. |
Device Status | |
IP Reputation | |
Additional Data | |
File Access Date | |
Device External IPs | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Escalation | |
Parent Process MD5 | |
Tenant Name | Tenant Name |
Domain Name | |
Classification | Incident Classification |
Last Modified On | |
Attack Mode | Attack mode as received from the integration JSON |
Location | Location |
Internal Addresses | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Personal Email | |
Closing Reason | The closing reason |
Policy Recommendation | |
External System ID | |
Location Region | Location Region |
External Sub Category ID | |
Hunt Results Count | |
Scenario | |
Pre Nat Source IP | The source IP before NAT. |
Employee Display Name | The display name of the employee. |
Events | The events associated with the offense. |
Policy Description | |
Policy ID | |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Destination IPV6 | The destination IPV6 address. |
Zip Code | Zip Code |
EmailCampaignCanvas | |
List Of Rules - Event | The list of rules associated to an event. |
Detected External IPs | Detected external IPs |
Cost Center | Cost Center |
Parent Process File Path | |
Endpoint Isolation Status | |
Destination Networks | |
Policy Actions | |
External ID | |
Process Paths | |
Ticket Closed Date | |
Cloud Instance ID | Cloud Instance ID |
Additional Indicators | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
File SHA1 | |
Work Phone | |
Error Code | |
Incident Link | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Policy Details | |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage |
Region | |
Unique Ports | |
Technique | |
Job Family | Job Family |
External Status | |
Sub Category | The sub category |
Source External IPs | |
Display Name | Display Name |
Surname | Surname |
Account Status | |
Full Name | Person's Full Name |
Alert Source | |
Containment SLA | The time it took to contain the incident. |
Alert Name | Alert name as received from the integration JSON |
Policy Deleted | |
Low Level Categories Events | The low level category of the event. |
Parent Process Name | |
Bugtraq | |
Device Time | The time from the original logging device when the event occurred. |
Alert Malicious | Whether the alert is malicious. |
Registry Hive | |
End Time | The time when the offense ended. |
Dest OS | Destination OS |
Src OS | Src OS |
UUID | UUID as received from the integration JSON |
File Creation Date | |
Changed | The user who changed this incident |
app channel name | |
Department | Department |
Device Model | Device Model |
Device MAC Address | |
CVSS | |
Error Message | The error message that contains details about the error that occurred. |
Application Path | |
Team name | |
Protocol names | |
Risk Score | |
First Seen | |
OS Type | OS Type |
User Creation Time | |
Process MD5 | |
Title | Title |
External End Time | |
Destination Geolocation | The destination geolocation of the event. |
File Hash | |
Country Code | |
Org Level 1 | |
Policy Type | |
Last Update Time | |
Registry Value Type | |
Phone Number | Phone Number |
Duration | |
Technique ID | |
Account ID | |
Device OS Name | |
Job Function | Job Function |
External Severity | |
Investigation Stage | The stage of the investigation. |
Technical Owner Contact | The contact details for the technical owner. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Close Time | The closing time. |
Assignment Group | |
Parent Process SHA256 | |
Last Modified By | |
Exposure Level | |
MITRE Tactic ID | |
similarIncidents | |
Post Nat Source IP | The source IP address after NAT. |
Street Address | |
External Category ID | |
Process SHA256 | |
Log Source Type | The log source type associated with the event. |
ASN | |
Isolated | Isolated |
Parent Process IDs | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Blocked Action | Blocked Action |
Timezone | |
Number of Related Incidents | |
Rendered HTML | The HTML content in a rendered form. |
MITRE Technique ID | |
Process Names | |
SKU TIER | |
Manager Name | Manager Name |
Signature | |
Pre Nat Destination Port | The destination port before NAT. |
Post Nat Destination Port | The destination port after NAT. |
State | State |
Primary Email Address | |
Org Unit | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Alert ID | Alert ID as received from the integration JSON |
Agents ID | |
Assigned User | Assigned User |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Resource Type | |
Vulnerability Category | |
Pre Nat Source Port | The source port before NAT. |
Org Level 3 | |
Post Nat Destination IP | The destination IP address after NAT. |
Source Category | |
URLs | |
City | |
IP Blocked Status | |
Sensor IP | |
Ticket Acknowledged Date | |
Technical Owner | The technical owner of the asset. |
Tags | |
Comment | The comments related with the incident |
Ticket Number | |
Birthday | Person's Birthday |
Description | The description of the incident |
Cloud Service | |
Raw Event | The unparsed event data. |
Employee Manager Email | The email address of the employee's manager. |
Given Name | Given Name |
Resource Name | |
Country Code Number | |
Alert Action | Alert action as received from the integration JSON |
Is Active | Alert status |
Parent Process CMD | |
Policy URI | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
File Size | File Size |
Mobile Phone | |
External Sub Category Name | |
External Link | |
Detected Internal Hosts | Detected internal hosts |
Registry Key | |
Category Count | The number of categories that are associated with the offense. |
IncomingMirrorError | |
Last Name | Last Name |
Process ID | |
Cost Center Code | Cost Center Code |
MITRE Technique Name | |
Event Names | The event name (translated QID ) in the event. |
OutgoingMirrorError |
Name | Description |
---|---|
Name | Description |
---|---|
Name | |
Email Address | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Aliases | Alternative names used to identify this object |
Registrant Country | |
Internal | |
Org Level 1 | |
Username | |
Confidence | |
Admin Email | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Domain IDN Name | |
Country Name | |
Operating System | |
Org Unit | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Manager Email Address | |
DNS | |
Hostname | |
Rank | Used to display rank from different sources |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
SHA1 | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
File Type | |
Personal Email | |
Force Sync | Whether to force user synchronization. |
Surname | Surname |
Country Code | |
Threat Actor Types | |
Targets | |
Org Level 2 | |
Account Type | |
Domain Referring Subnets | |
Updated Date | |
Expiration Date | |
Office365Category | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
OS Version | |
CVSS Vector | |
Community Notes | |
Job Family | |
Registrar Abuse Name | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Subdomains | |
STIX Secondary Motivations | |
Operating System Refs | |
Resource Level | |
Feed Related Indicators | |
Source Priority | |
STIX Roles | |
CVSS Score | |
Action | |
Path | |
Cost Center | |
MD5 | |
AS Owner | |
Signature Internal Name | |
Registrar Abuse Address | |
Registrar Abuse Country | |
BIOS Version | |
STIX Description | |
CVE Description | |
Tool Types | |
Detection Engines | Total number of engines that checked the indicator |
Domain Name | |
Quarantined | Whether the indicator is quarantined or isolated |
Department | Department |
Reports | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Mobile Phone | |
Organization Type | |
Work Phone | |
Assigned user | |
Indicator Identification | |
Device Model | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Port | |
Registrar Abuse Email | |
Infrastructure Types | |
CVSS | |
Key Value | |
Name Field | |
CVSS3 | |
Admin Phone | |
Registrant Phone | |
Location | |
Malware Family | |
Location Region | |
Vulnerabilities | |
Actor | |
Category | |
Office365ExpressRoute | |
STIX Is Malware Family | |
Secondary Motivations | |
Service | The specific service of a feed integration from which an indicator was ingested. |
State | |
Campaign | |
Tool Version | |
Behavior | |
Short Description | |
Published | |
Cost Center Code | |
CVSS Version | |
Roles | |
STIX Resource Level | |
STIX Malware Types | |
SHA256 | |
Tags | |
Memory | |
Registrar Name | |
Display Name | |
Creation Date | |
Manager Name | Manager Name |
Leadership | |
Entry ID | |
Street Address | |
Job Code | Job Code |
Organization | |
Signature Authentihash | |
CVE Modified | |
Sophistication | |
IP Address | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Geo Location | |
DHCP Server | |
Registrant Email | |
Associations | Known associations to other pieces of Threat Data. |
Signature File Version | |
Malware types | |
Assigned role | |
Vendor | |
Given Name | Given Name |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Registrant Name | |
Is Processed | |
File Extension | |
Signature Description | |
Org Level 3 | |
imphash | |
Mitre Tactics | |
Description | |
Download URL | |
Country Code Number | |
Job Function | |
Registrar Abuse Phone | |
Title | Title |
Admin Country | |
Size | |
Primary Motivation | |
Region | |
Acquisition Hire | Whether the employee is an acquisition hire. |
City | City |
Name Servers | |
Geo Country | |
Mitre ID | |
Operating System Version | |
STIX Aliases | Alternative names used to identify this object |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Version | |
Signature Copyright | |
Signed | |
SSDeep | |
STIX Primary Motivation | |
STIX Goals | |
Office365Required | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
STIX Sophistication | |
Registrar Abuse Network | |
Zip Code | |
Processors | |
Processor | |
Admin Name | |
SHA512 | |
Goals | |
CVSS Table | |
Associated File Names | |
Objective | |
Domain Status | |
Organizational Unit (OU) | |
Is Malware Family | |
STIX Tool Types | |
Applications | |
Domain Referring IPs | |
ASN | |
Publications | |
STIX Threat Actor Types | |
Groups | |
STIX Tool Version | |

Name | Description |
---|---|
Intrusion Set | |
Course of Action | |
Threat Actor | |
Infrastructure | |
CVE Indicator | |
Location | |
Identity | |
IP Indicator | |
Domain Indicator | |
Indicator Feed Incident | |
Vulnerability Incident | |
Campaign | |
Attack Pattern | |
Email Indicator | |
ASN | |
Tool | |
Registry Key Indicator | |
Software | |
File Indicator | |
Host Indicator | |
URL Indicator | |
Account Indicator | |
Mutex | Mutex indicator layout |
Malware | |
Report | |

Pack Name | Pack By |
---|---|
Common Scripts | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Indicator Fields
New: Identity class
- Created a new field "Identity class".
New: Industry sectors
- Created a new field "Industry sectors".
Indicator Types
New: Location
Added a new Location type indicator.
New: Identity
Added a new Identity type indicator.
Layouts
New: Location
Created a new layout for the Location indicator type (Available from Cortex XSOAR 6.5.0).
New: Identity
Created a new layout for the Identity indicator type (Available from Cortex XSOAR 6.5.0).
- 22593
Incident Fields
- Additional Indicators - Added a new field for additional indicators of an incident.
- Verdict - Added a new field for the verdict of a file.
- SSDeep - Added a new field for SSDeep hashes in an incident.
- Number of Related Incidents - Added a new field for the number of incidents related to the current incident.
- Related Endpoints - Added a new field for the names of endpoints that are related to the incident.
- Number of similar files - Added a new field for the number of files similar to the file investigated in the incident.
- File Relationships - Added a field for displaying the different relationships a file has with other indicators.
- 21970
Incident Fields
Added the following incident fields to be associated with the AWS Guard Duty EC2 Finding, AWS Guard Duty IAM Finding, AWS Guard Duty Kubernetes Finding, AWS Guard Duty Malware Protection Finding, AWS Guard Duty S3 Finding incident types.
- Account ID
- Last Update Time
- Region
- Title
- 22284
Incident Fields
- Added the following incident fields to be associated with the Vectra Detection incident types.
- Destination IPs
- Detection ID
- Dst Ports
Added the following incident fields to be associated with the Vectra Account incident types.
- Account ID
- Department
- Usernames
- Display Name
- sAMAccountName
- Title
- Note: removed description from the following incident fields.
- Detection ID
- Detection End Time
- Detection Update Time
Indicator Types
- emailRep
- 21398
Incident Fields
- Containment SLA
- Triage SLA
Layouts
domainRepUnified
hostRep
urlRep
ipRep
unifiedFileRep
registryKey
emailRep
accountRep
Indicator Feed
cveRep
Intrusion Set
Updated layout for IOC.
Email Indicator
Updated layout for IOC.
Threat Actor
Updated layout for IOC.
File Indicator
Updated layout for IOC.
Attack Pattern
Updated layout for IOC.
Vulnerability Incident
Updated layout for IOC.
URL Indicator
Updated layout for IOC.
IP Indicator
Updated layout for IOC.
Tool
Updated layout for IOC.
Course of Action
Updated layout for IOC.
ASN
Updated layout for IOC.
Domain Indicator
Updated layout for IOC.
Campaign
Updated layout for IOC.
Malware
Updated layout for IOC.
Registry Key Indicator
Updated layout for IOC.
Updated layout for IOC.
Host Indicator
Updated layout for IOC.
Report
Updated layout for IOC.
CVE Indicator
Updated layout for IOC.
Infrastructure
Updated layout for IOC.
Account Indicator
Updated layout for IOC.
- 21172
Incident Fields
Added the following incident fields to be associated with the Skyhigh Security Alert and Skyhigh Security Threat incident types.
- City
- Start Time
- Risk Score
- Alert Action
- Source IPs
- Event Action
- Account ID
- Policy Description
- Policy ID
- Last Update Time
- Cloud Service
- Added the new field Source Create time.
- Title
- Source Create time
- Item Owner
- Last Update Time
- 19793
Indicator Fields
Description
- Added the field to all types (associated to all).
STIX ID
- Added the field to all types (associated to all).
Indicator Types
- Mutex
Layouts
- New: Mutex
- Added support for a new indicator type for mutex (Available from Cortex XSOAR 6.5.0).
- 20440
Indicator Fields
- Description - changed the type from longText to markdown
- Groups - changed the type from longText to markdown
- Short Description - changed the type from longText to markdown
- Applications - changed the type from longText to markdown
- Note:
- In order for the changes to take effect, server versions < 6.8 should re-install the CommonTypes pack. If any warnings appear, click the Install anyway button.
- Re-installing the pack would reset existing configurations for those types configured. For example, an incident type configured for a certain playbook would no longer be configured.
- Any configuration attached to types from CommonTypes pack would need to be re-configured.
- 19903
- 20107
Incident Fields
- Removed the unsupported fromServerVersion field from the following Incident Fields:
- Source MAC Address
- Post Nat Source IP
- Log Source Type
- CVSS Integrity Requirement
- Mobile Device Model
- Source IPs
- DNS Name
- Follow Up
- Low Level Categories Events
- Event Names
- Device Time
- Protocol - Event
- Post Nat Destination Port
- Close Time
- Usernames
- Compliance Notes
- Source IPV6
- Destination IPV6
- Destination MAC Address
- Last Update Time
- Technical Owner
- End Time
- Closing Reason
- Source Geolocation
- Post Nat Destination IP
- Traffic Direction
- Destination IPs
- CVSS Collateral Damage Potential
- CVSS Availability Requirement
- Pre Nat Source IP
- Technical Owner Contact
- Event Descriptions
- Src Ports
- Dst Ports
- High Level Categories
- Technical User
- Destination Geolocation
- Start Time
- Events
- Pre Nat Destination Port
- Post Nat Source Port
- List Of Rules - Event
- Category Count
- Closing User
- CVSS Confidentiality Requirement
- Log Source Name
- Raw Event
- Pre Nat Source Port
- Number Of Log Sources
Indicator Fields
- Removed the unsupported fromServerVersion field from the following Indicator Fields:
- STIX Roles
- Roles
- 19800
Incident Fields
- OS Type
Incident Fields
- Device Internal IPs
WARNING: This version is invalid. Please install a different version.
Incident Fields
- External Status
- Cloud Account ID
- Process ID
- Parent Process CMD
- Parent Process SHA256
- External Severity
- External Category ID
- Device MAC Address
- Source MAC Address
- External Sub Category ID
- External Start Time
- Parent Process ID
- External Category Name
- Source External IPs
- Device External IPs
- Process CMD
- Parent Process Name
- Source IPs
- Parent Process MD5
- External End Time
- Process SHA256
- Parent Process Path
- Process Paths
- Process MD5
- External Sub Category Name
- Process Names
- External Link
- External Confidence
- Device OS Version
- Device OS Name
- Additional Data
- MITRE Tactic Name
- MITRE Technique Name
- MITRE Tactic ID
- MITRE Technique ID
- External System ID
- 17780
- 20109
Incident Fields
- Account Name - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Asset ID - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Close Time - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Closing Reason - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Department - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Email - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Last Modified By - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Location - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Manager Name - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Source Urgency - Added a new incident field.
- Subtype - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
- Title - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Incident Fields
- Associated Device OU to all incident types.
- Application Name - Added "Symantec DLP Endpoint" Incident to this incident field.
- File Creation Date - Added "Symantec DLP Discover" Incident to this incident field.
- First Seen - Added "Symantec DLP Discover", "Symantec DLP Endpoint" and "Symantec DLP Network" Incidents to this incident field.
- Item Owner Email - Added "Symantec DLP Discover", "Symantec DLP Endpoint" and "Symantec DLP Network" Incidents to this incident field.
- Device Status - Added "Symantec DLP Endpoint" Incident to this incident field.
- Resource Name - Added "Symantec DLP Discover" Incident to this incident field.
- File Access Date - Added "Symantec DLP Discover" Incident to this incident field.
- Item Owner - Added "Symantec DLP Discover", "Symantec DLP Endpoint" and "Symantec DLP Network" Incidents to this incident field.
- Policy ID - Added "Symantec DLP Discover", "Symantec DLP Endpoint" and "Symantec DLP Network" Incidents to this incident field.
- Last Modified By - Added "Symantec DLP Discover" Incident to this incident field.
- Policy Details - Added "Symantec DLP Discover", "Symantec DLP Endpoint" and "Symantec DLP Network" Incidents to this incident field.
- External ID - Added "Symantec DLP Discover", "Symantec DLP Endpoint" and "Symantec DLP Network" Incidents to this incident field.
- Device Id - Added "Symantec DLP Endpoint" Incident to this incident field.
- Application Path - Added "Symantec DLP Endpoint" Incident to this incident field.
- Error Message - Added "Symantec DLP Discover", "Symantec DLP Endpoint" and "Symantec DLP Network" Incidents to this incident field.
- Rendered HTML - Added a new field that shows a rendered version of HTML content.
Incident Fields
- Domain Squatting Result - Added a new markdown field that shows the results of the domain-squatting check.
Incident Fields
- Alert Action - Added FireEye HX Alert to this incident field.
- Appliance ID - Added FireEye HX Alert to this incident field.
Indicator Types
Incident Fields
- Registry Key
- Registry Value Type
- Registry Value
- Registry Hive
- URLs
- User SID
- Domain Name
- Parent Process File Path
- Parent Process IDs
- Process Creation Time
- Process ID
Incident Fields
- File Paths
Incident Fields
- Alert URL
Incident Fields
- MAC Address
Incident Fields
- Agents ID
Incident Fields
- Destination IPs
- Destination Networks
- Dst Ports
- Policy Actions
- Protocol names
- Source IPs
- Source Networks
- Signature
- File Name
- File MD5
- MD5
- File Path
- File Names
Incident Fields
- Categories
- Alert Category
- High Level Categories
Incident Fields
- Tactic ID
- Tactic
- Technique
- Technique ID
Indicator Types
- urlRep
- ipRep
- hashRepSHA1
- hashRep
Incident Fields
- Usernames
- Destination IPs
- Alert Action
- Blocked Action
- Dest OS
- OS
- Src OS
Incident Fields
- High Level Categories
- Dest NT Domain
- Src NT Domain
- Resource ID
- Application Name
- Application Id
- Alert Category
- OS Version
- Categories
- App
- Country
- Protocol - Event
- Event Type
Incident Fields
- Hostnames
- Alert Attack Time
- Process Name
- Device External IP
- Technique
- Detected User
- Tactic
- Tactic ID
- Detected Internal IPs
- PID
- Child Process
- Src
- CMD
- Ticket Opened Date
- Users
- Dest
- Detected IPs
- Usernames
- Destination Hostname
- Source MAC Address
- Detected External Hosts
- Destination MAC Address
- Source IPV6
- Dest Hostname
- Detection Update Time
- External Addresses
- Signature
- Technique ID
- Threat Hunting Detected IP
- Source Network
- OS
- Dest OS
- Detected Users
- Command Line
- Srcs
- CMD line
- Device Local IP
Indicator Fields
- MAC Address
PUBLISHER
Cortex
INFO
Certification | Certified |
Supported By | Cortex |
Created | July 26, 2020 |
Last Release | January 26, 2023 |