Common Types | Marketplace

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Incident Types

Name	Description
Job
Network
DoS
Indicator Feed
Defacement
C2Communication
Simulation
Vulnerability
Lateral Movement
Reconnaissance
Authentication
Policy Violation
Hunt
Exfiltration
UnknownBinary
Exploit

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Application Name	Application Name
Process Creation Time
Subtype	Subtype
Registry Value
Start Time	The time when the offense started.
Group ID
Child Process
SSDeep
Process Path
Source Geolocation	The source geolocation of the event.
Device OU	Device's OU path in Active Directory
Device Hash	Device Hash
Dest Hostname	Destination hostname
Device External IP	Device External IP
EmailCampaignSummary
Source Networks
Tactic ID
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Appliance ID	Appliance ID as received from the integration JSON
Source Hostname	The hostname that performed the port scan.
File Names
Event Type	Event Type
SHA512	SHA512
Device OS Version
Policy Severity
Source Network
Employee Email	The email address of the employee.
Destination Hostname	Destination hostname
Source Updated by
External Start Time
Detection ID
PID	PID
File Name
Manager Email Address
App message
Password Changed Date
Compliance Notes	Notes regarding the assets compliance.
Detection URL	URL of the ExtraHop Reveal(x) detection
Caller
Dest	Destination
Log Source Name	The log source name associated with the event.
SKU Name
Src Hostname	Source hostname
User Id	User Id
Closing User	The closing user.
userAccountControl	userAccountControl
Item Owner Email
CMD line
Technical User	The technical user of the asset.
Risk Rating
Objective
Rule Name	The name of a YARA rule
Number of similar files
Source Create time
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Org Level 2
Leadership
Related Report
EmailCampaignSnippets
Job Code	Job Code
Triage SLA	The time it took to investigate and enrich incident information.
Triggered Security Profile	Triggered Security Profile
Device Name	Device Name
Mobile Device Model
Verdict
CVE
Follow Up	True if marked for follow up.
Event ID	Event ID
External Confidence
Source Status
Threat Hunting Detected IP
Policy Remediable
Last Seen
Source Priority
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Cloud Resource List
Source IP	The IP Address that the user initially logged in from.
Dsts	The destination values.
Rating
Use Case Description
Tactic
Cloud Account ID
Post Nat Source Port	The source port after NAT.
SHA256	SHA256
Event Descriptions	The description of the event name.
Detection End Time
Source Created By
Number Of Log Sources	The number of log sources related to the offense.
Vendor ID
SHA1	SHA1
Parent Process Path
Parent Process
OS	The operating system.
Device Id	Device Id
File Relationships
Related Endpoints
sAMAccountName	User sAMAAccountName
Acquisition Hire
MITRE Tactic Name
Cloud Region List
User Engagement Response
Agent Version	Reporting Agent/Sensor Version
Source Port	The source port that was used
Detected Endpoints
External Category Name
File SHA256
Asset ID
Account Member Of
EmailCampaignMutualIndicators
Account Name	Account Name
Vendor Product
External Addresses
Item Owner
User SID
Similar incidents Dbot
Process CMD
Region ID
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Alert Type ID
Device Internal IPs
Source Urgency	Source Urgency
Log Source	Log Source
First Name	First Name
Traffic Direction	The direction of the traffic in the event.
Device Status
High Level Categories	The high level categories in the events.
IP Reputation
MAC Address	MAC Address
Additional Data
File Access Date
Device External IPs
Detected Internal IPs	Detected internal IPs
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Escalation
Parent Process MD5
Tenant Name	Tenant Name
Domain Name
Classification	Incident Classification
Last Modified On
Appliance Name	Appliance name as received from the integration JSON
Attack Mode	Attack mode as received from the integration JSON
Location	Location
Resource ID
Internal Addresses
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Endpoint
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Personal Email
Closing Reason	The closing reason
Policy Recommendation
Src	Source
External System ID
Location Region	Location Region
Destination IP	The IP address the impossible traveler logged in to.
External Sub Category ID
Hunt Results Count
Scenario
Pre Nat Source IP	The source IP before NAT.
Employee Display Name	The display name of the employee.
Events	The events associated with the offense.
Policy Description
Source IPV6	The source IPV6 address.
Policy ID
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Destination IPV6	The destination IPV6 address.
Zip Code	Zip Code
EmailCampaignCanvas
Ticket Opened Date
List Of Rules - Event	The list of rules associated to an event.
Detected External IPs	Detected external IPs
Country Name	Country Name
Cost Center	Cost Center
Parent Process File Path
Endpoint Isolation Status
Destination Networks
Policy Actions
External ID
File Path
Process Paths
Ticket Closed Date
Cloud Instance ID	Cloud Instance ID
Additional Indicators
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Detected Users	Detected users
File SHA1
Work Phone
Error Code
Incident Link
Srcs	The source values.
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Policy Details
Destination IPs	The destination IPs of the event.
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
File MD5
Alert Category	The category of the alert
Region
Unique Ports
Technique
Job Family	Job Family
External Status
Sub Category	The sub category
File Paths
Source External IPs
Display Name	Display Name
Surname	Surname
Account Status
Full Name	Person's Full Name
Alert Source
Containment SLA	The time it took to contain the incident.
Alert Name	Alert name as received from the integration JSON
Dest NT Domain	Destination NT Domain
Policy Deleted
MD5	MD5
Low Level Categories Events	The low level category of the event.
Parent Process Name
Bugtraq
Device Time	The time from the original logging device when the event occurred.
Alert Malicious	Whether the alert is malicious.
Threat Hunting Detected Hostnames
Registry Hive
Src Ports	The source ports of the event.
DNS Name	The DNS name of the asset.
Username	The username of the account who logged in.
End Time	The time when the offense ended.
Device Username	The username of the user that owns the device
Dest OS	Destination OS
Src OS	Src OS
UUID	UUID as received from the integration JSON
File Creation Date
Changed	The user who changed this incident
CMD
app channel name
Department	Department
Device Model	Device Model
Device MAC Address
CVSS
Error Message	The error message that contains details about the error that occurred.
Application Path
Team name
Protocol names
Risk Score
First Seen
OS Type	OS Type
User Creation Time
Process MD5
Title	Title
External End Time
Destination Geolocation	The destination geolocation of the event.
File Hash
Country Code
Org Level 1
Policy Type
Last Update Time
Registry Value Type
Phone Number	Phone Number
Duration
Technique ID
Detected User
Account ID
Device OS Name
Job Function	Job Function
External Severity
Investigation Stage	The stage of the investigation.
Technical Owner Contact	The contact details for the technical owner.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Close Time	The closing time.
Assignment Group
Parent Process SHA256
Device Local IP	Device Local IP
Last Modified By
Exposure Level
Parent CMD line
Src User	Source User
MITRE Tactic ID
similarIncidents
Post Nat Source IP	The source IP address after NAT.
Dst Ports	The destination ports of the event.
Street Address
External Category ID
Process SHA256
Log Source Type	The log source type associated with the event.
ASN
Isolated	Isolated
Parent Process IDs
Destination MAC Address	The destination MAC address in an event.
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Blocked Action	Blocked Action
Timezone
App
Number of Related Incidents
Process Name
Rendered HTML	The HTML content in a rendered form.
MITRE Technique ID
Process Names
Source IPs	The source IPs of the event.
SKU TIER
Manager Name	Manager Name
Signature
Pre Nat Destination Port	The destination port before NAT.
Post Nat Destination Port	The destination port after NAT.
State	State
Email	Primary Email Address
Protocol	Protocol
Org Unit
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Sensor Name
Detected IPs
Alert ID	Alert ID as received from the integration JSON
Agents ID
Assigned User	Assigned User
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Command Line	Command Line
Resource Type
Vulnerability Category
Pre Nat Source Port	The source port before NAT.
Source Username	The username that was the source of the attack.
Org Level 3
Usernames	The username in the event.
Post Nat Destination IP	The destination IP address after NAT.
Source Category
URLs
Detected External Hosts	Detected external hosts
City
IP Blocked Status
Alert Attack Time
Country	The country from which the user logged in.
Sensor IP
Ticket Acknowledged Date
OS Version	OS Version
Technical Owner	The technical owner of the asset.
Hostnames	The hostname in the event.
Destination Port	The destination port used.
Tags
Detection Update Time
Comment	The comments related with the incident
Source MAC Address	The source MAC address in an event.
Ticket Number
Birthday	Person's Birthday
Description	The description of the incident
Cloud Service
Raw Event	The unparsed event data.
Employee Manager Email	The email address of the employee's manager.
Src NT Domain	Source NT Domain
Given Name	Given Name
Resource Name
Categories	The categories for the incident.
Country Code Number
Alert Action	Alert action as received from the integration JSON
Protocol - Event	The network protocol in the event.
Is Active	Alert status
Parent Process CMD
Policy URI
Protocols
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
File Size	File Size
Mobile Phone
External Sub Category Name
Users
Alert URL	Alert URL as received from the integration JSON
External Link
Application Id	Application Id
Detected Internal Hosts	Detected internal hosts
Agent ID	Agent ID
Registry Key
Category Count	The number of categories that are associated with the offense.
IncomingMirrorError
Last Name	Last Name
Process ID
Cost Center Code	Cost Center Code
MITRE Technique Name
Event Names	The event name (translated QID ) in the event.
OutgoingMirrorError
Destination Network

Indicator Types

Name	Description

Indicator Fields

Name	Description
Name
Email Address
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Aliases	Alternative names used to identify this object
Registrant Country
Internal
Org Level 1
Username
Confidence
Admin Email
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Domain IDN Name
Country Name
Operating System
Org Unit
Positive Detections	Number of engines that positively detected the indicator as malicious
Manager Email Address
DNS
Hostname
Rank	Used to display rank from different sources
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
SHA1
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
File Type
Personal Email
Force Sync	Whether to force user synchronization.
Surname	Surname
Country Code
Threat Actor Types
Targets
Org Level 2
Account Type
Domain Referring Subnets
Updated Date
Expiration Date
Office365Category
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
OS Version
CVSS Vector
Community Notes
Job Family
Registrar Abuse Name
Source Original Severity	The original score/severity provided by the source without DBot translation.
Subdomains
STIX Secondary Motivations
Operating System Refs
Resource Level
Feed Related Indicators
Source Priority
STIX Roles
CVSS Score
Action
Path
Cost Center
MD5
AS Owner
Signature Internal Name
Registrar Abuse Address
Registrar Abuse Country
BIOS Version
STIX Description
CVE Description
Tool Types
Detection Engines	Total number of engines that checked the indicator
Domain Name
Quarantined	Whether the indicator is quarantined or isolated
Department	Department
Reports
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Mobile Phone
Organization Type
Work Phone
Assigned user
Indicator Identification
Device Model
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Port
Registrar Abuse Email
Infrastructure Types
CVSS
Key Value
Name Field
CVSS3
Admin Phone
Registrant Phone
Location
Malware Family
Location Region
Vulnerabilities
Actor
Category
Office365ExpressRoute
STIX Is Malware Family
Email
Secondary Motivations
Service	The specific service of a feed integration from which an indicator was ingested.
State
Campaign
Tool Version
Behavior
Short Description
Published
Cost Center Code
CVSS Version
Roles
STIX Resource Level
STIX Malware Types
SHA256
Tags
Memory
Registrar Name
Display Name
Creation Date
Manager Name	Manager Name
Leadership
Entry ID
Street Address
Job Code	Job Code
Organization
Signature Authentihash
CVE Modified
Sophistication
IP Address
First Seen By Source	The first time the indicator was seen by the source vendor.
Geo Location
DHCP Server
Registrant Email
Associations	Known associations to other pieces of Threat Data.
Signature File Version
Malware types
Assigned role
Vendor
Given Name	Given Name
SWID	Specifies the Software Identification (SWID) tags entry for the software
Registrant Name
Is Processed
File Extension
Signature Description
Org Level 3
imphash
Mitre Tactics
Description
Download URL
Country Code Number
Job Function
Registrar Abuse Phone
Title	Title
MAC Address
Admin Country
Size
Primary Motivation
Region
Acquisition Hire	Whether the employee is an acquisition hire.
City	City
Name Servers
Geo Country
Mitre ID
Operating System Version
STIX Aliases	Alternative names used to identify this object
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Version
Signature Copyright
Signed
SSDeep
STIX Primary Motivation.
STIX Goals
Office365Required
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
STIX Sophistication
Registrar Abuse Network
Zip Code
Processors
Processor
Admin Name
SHA512
Goals
CVSS Table
Associated File Names
Objective
Domain Status
Organizational Unit (OU)
Is Malware Family
STIX Tool Types
Applications
Domain Referring IPs
ASN
Publications
STIX Threat Actor Types
Groups
STIX Tool Version

Layouts

Name	Description
Intrusion Set
Course of Action
Threat Actor
Infrastructure
CVE Indicator
Location
Identity
IP Indicator
Domain Indicator
Indicator Feed Incident
Vulnerability Incident
Campaign
Attack Pattern
Email Indicator
ASN
Tool
Registry Key Indicator
Software
File Indicator
Host Indicator
URL Indicator
Account Indicator
Mutex	Mutex indicator layout
Malware
Report

Incident Types

Name	Description
Job
Network
DoS
Indicator Feed
Defacement
C2Communication
Simulation
Vulnerability
Lateral Movement
Reconnaissance
Authentication
Policy Violation
Hunt
Exfiltration
UnknownBinary
Exploit

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Process Creation Time
Subtype	Subtype
Registry Value
Start Time	The time when the offense started.
Group ID
SSDeep
Source Geolocation	The source geolocation of the event.
Device OU	Device's OU path in Active Directory
Device Hash	Device Hash
EmailCampaignSummary
Source Networks
Tactic ID
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
SHA512	SHA512
Device OS Version
Policy Severity
Employee Email	The email address of the employee.
Source Updated by
External Start Time
Detection ID
Manager Email Address
App message
Password Changed Date
Compliance Notes	Notes regarding the assets compliance.
Detection URL	URL of the ExtraHop Reveal(x) detection
Caller
Log Source Name	The log source name associated with the event.
SKU Name
User Id	User Id
Closing User	The closing user.
userAccountControl	userAccountControl
Item Owner Email
Technical User	The technical user of the asset.
Risk Rating
Objective
Rule Name	The name of a YARA rule
Number of similar files
Source Create time
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Org Level 2
Leadership
Related Report
EmailCampaignSnippets
Job Code	Job Code
Triage SLA	The time it took to investigate and enrich incident information.
Triggered Security Profile	Triggered Security Profile
Device Name	Device Name
Mobile Device Model
Verdict
CVE
Follow Up	True if marked for follow up.
Event ID	Event ID
External Confidence
Source Status
Policy Remediable
Last Seen
Source Priority
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Cloud Resource List
Dsts	The destination values.
Rating
Use Case Description
Tactic
Cloud Account ID
Post Nat Source Port	The source port after NAT.
Event Descriptions	The description of the event name.
Detection End Time
Source Created By
Number Of Log Sources	The number of log sources related to the offense.
Vendor ID
SHA1	SHA1
Parent Process Path
OS	The operating system.
Device Id	Device Id
File Relationships
Related Endpoints
sAMAccountName	User sAMAAccountName
Acquisition Hire
MITRE Tactic Name
Cloud Region List
User Engagement Response
Agent Version	Reporting Agent/Sensor Version
Detected Endpoints
External Category Name
Asset ID
Account Member Of
EmailCampaignMutualIndicators
Vendor Product
Item Owner
User SID
Similar incidents Dbot
Process CMD
Region ID
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Alert Type ID
Device Internal IPs
Source Urgency	Source Urgency
Log Source	Log Source
First Name	First Name
Traffic Direction	The direction of the traffic in the event.
Device Status
IP Reputation
Additional Data
File Access Date
Device External IPs
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Escalation
Parent Process MD5
Tenant Name	Tenant Name
Domain Name
Classification	Incident Classification
Last Modified On
Attack Mode	Attack mode as received from the integration JSON
Location	Location
Internal Addresses
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Personal Email
Closing Reason	The closing reason
Policy Recommendation
External System ID
Location Region	Location Region
External Sub Category ID
Hunt Results Count
Scenario
Pre Nat Source IP	The source IP before NAT.
Employee Display Name	The display name of the employee.
Events	The events associated with the offense.
Policy Description
Policy ID
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Destination IPV6	The destination IPV6 address.
Zip Code	Zip Code
EmailCampaignCanvas
List Of Rules - Event	The list of rules associated to an event.
Detected External IPs	Detected external IPs
Cost Center	Cost Center
Parent Process File Path
Endpoint Isolation Status
Destination Networks
Policy Actions
External ID
Process Paths
Ticket Closed Date
Cloud Instance ID	Cloud Instance ID
Additional Indicators
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
File SHA1
Work Phone
Error Code
Incident Link
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Policy Details
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
Region
Unique Ports
Technique
Job Family	Job Family
External Status
Sub Category	The sub category
Source External IPs
Display Name	Display Name
Surname	Surname
Account Status
Full Name	Person's Full Name
Alert Source
Containment SLA	The time it took to contain the incident.
Alert Name	Alert name as received from the integration JSON
Policy Deleted
Low Level Categories Events	The low level category of the event.
Parent Process Name
Bugtraq
Device Time	The time from the original logging device when the event occurred.
Alert Malicious	Whether the alert is malicious.
Registry Hive
End Time	The time when the offense ended.
Dest OS	Destination OS
Src OS	Src OS
UUID	UUID as received from the integration JSON
File Creation Date
Changed	The user who changed this incident
app channel name
Department	Department
Device Model	Device Model
Device MAC Address
CVSS
Error Message	The error message that contains details about the error that occurred.
Application Path
Team name
Protocol names
Risk Score
First Seen
OS Type	OS Type
User Creation Time
Process MD5
Title	Title
External End Time
Destination Geolocation	The destination geolocation of the event.
File Hash
Country Code
Org Level 1
Policy Type
Last Update Time
Registry Value Type
Phone Number	Phone Number
Duration
Technique ID
Account ID
Device OS Name
Job Function	Job Function
External Severity
Investigation Stage	The stage of the investigation.
Technical Owner Contact	The contact details for the technical owner.
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Close Time	The closing time.
Assignment Group
Parent Process SHA256
Last Modified By
Exposure Level
MITRE Tactic ID
similarIncidents
Post Nat Source IP	The source IP address after NAT.
Street Address
External Category ID
Process SHA256
Log Source Type	The log source type associated with the event.
ASN
Isolated	Isolated
Parent Process IDs
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
Blocked Action	Blocked Action
Timezone
Number of Related Incidents
Rendered HTML	The HTML content in a rendered form.
MITRE Technique ID
Process Names
SKU TIER
Manager Name	Manager Name
Signature
Pre Nat Destination Port	The destination port before NAT.
Post Nat Destination Port	The destination port after NAT.
State	State
Email	Primary Email Address
Org Unit
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Alert ID	Alert ID as received from the integration JSON
Agents ID
Assigned User	Assigned User
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Resource Type
Vulnerability Category
Pre Nat Source Port	The source port before NAT.
Org Level 3
Post Nat Destination IP	The destination IP address after NAT.
Source Category
URLs
City
IP Blocked Status
Sensor IP
Ticket Acknowledged Date
Technical Owner	The technical owner of the asset.
Tags
Comment	The comments related with the incident
Ticket Number
Birthday	Person's Birthday
Description	The description of the incident
Cloud Service
Raw Event	The unparsed event data.
Employee Manager Email	The email address of the employee's manager.
Given Name	Given Name
Resource Name
Country Code Number
Alert Action	Alert action as received from the integration JSON
Is Active	Alert status
Parent Process CMD
Policy URI
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
File Size	File Size
Mobile Phone
External Sub Category Name
External Link
Detected Internal Hosts	Detected internal hosts
Registry Key
Category Count	The number of categories that are associated with the offense.
IncomingMirrorError
Last Name	Last Name
Process ID
Cost Center Code	Cost Center Code
MITRE Technique Name
Event Names	The event name (translated QID ) in the event.
OutgoingMirrorError

Indicator Types

Name	Description

Indicator Fields

Name	Description
Name
Email Address
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Aliases	Alternative names used to identify this object
Registrant Country
Internal
Org Level 1
Username
Confidence
Admin Email
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Domain IDN Name
Country Name
Operating System
Org Unit
Positive Detections	Number of engines that positively detected the indicator as malicious
Manager Email Address
DNS
Hostname
Rank	Used to display rank from different sources
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
SHA1
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
File Type
Personal Email
Force Sync	Whether to force user synchronization.
Surname	Surname
Country Code
Threat Actor Types
Targets
Org Level 2
Account Type
Domain Referring Subnets
Updated Date
Expiration Date
Office365Category
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
OS Version
CVSS Vector
Community Notes
Job Family
Registrar Abuse Name
Source Original Severity	The original score/severity provided by the source without DBot translation.
Subdomains
STIX Secondary Motivations
Operating System Refs
Resource Level
Feed Related Indicators
Source Priority
STIX Roles
CVSS Score
Action
Path
Cost Center
MD5
AS Owner
Signature Internal Name
Registrar Abuse Address
Registrar Abuse Country
BIOS Version
STIX Description
CVE Description
Tool Types
Detection Engines	Total number of engines that checked the indicator
Domain Name
Quarantined	Whether the indicator is quarantined or isolated
Department	Department
Reports
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Mobile Phone
Organization Type
Work Phone
Assigned user
Indicator Identification
Device Model
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Port
Registrar Abuse Email
Infrastructure Types
CVSS
Key Value
Name Field
CVSS3
Admin Phone
Registrant Phone
Location
Malware Family
Location Region
Vulnerabilities
Actor
Category
Office365ExpressRoute
STIX Is Malware Family
Email
Secondary Motivations
Service	The specific service of a feed integration from which an indicator was ingested.
State
Campaign
Tool Version
Behavior
Short Description
Published
Cost Center Code
CVSS Version
Roles
STIX Resource Level
STIX Malware Types
SHA256
Tags
Memory
Registrar Name
Display Name
Creation Date
Manager Name	Manager Name
Leadership
Entry ID
Street Address
Job Code	Job Code
Organization
Signature Authentihash
CVE Modified
Sophistication
IP Address
First Seen By Source	The first time the indicator was seen by the source vendor.
Geo Location
DHCP Server
Registrant Email
Associations	Known associations to other pieces of Threat Data.
Signature File Version
Malware types
Assigned role
Vendor
Given Name	Given Name
SWID	Specifies the Software Identification (SWID) tags entry for the software
Registrant Name
Is Processed
File Extension
Signature Description
Org Level 3
imphash
Mitre Tactics
Description
Download URL
Country Code Number
Job Function
Registrar Abuse Phone
Title	Title
Admin Country
Size
Primary Motivation
Region
Acquisition Hire	Whether the employee is an acquisition hire.
City	City
Name Servers
Geo Country
Mitre ID
Operating System Version
STIX Aliases	Alternative names used to identify this object
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Version
Signature Copyright
Signed
SSDeep
STIX Primary Motivation.
STIX Goals
Office365Required
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
STIX Sophistication
Registrar Abuse Network
Zip Code
Processors
Processor
Admin Name
SHA512
Goals
CVSS Table
Associated File Names
Objective
Domain Status
Organizational Unit (OU)
Is Malware Family
STIX Tool Types
Applications
Domain Referring IPs
ASN
Publications
STIX Threat Actor Types
Groups
STIX Tool Version

Layouts

Name	Description
Intrusion Set
Course of Action
Threat Actor
Infrastructure
CVE Indicator
Location
Identity
IP Indicator
Domain Indicator
Indicator Feed Incident
Vulnerability Incident
Campaign
Attack Pattern
Email Indicator
ASN
Tool
Registry Key Indicator
Software
File Indicator
Host Indicator
URL Indicator
Account Indicator
Mutex	Mutex indicator layout
Malware
Report

Required Content Packs (2)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

Optional Content Packs (44)

Pack Name	Pack By
Carbon Black Enterprise Response	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
LogRhythm	By: Cortex XSOAR
Mandiant Automated Defense	By: Mandiant
PCAP Analysis	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
AWS - GuardDuty	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
Employee Offboarding	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
Port Scan	By: Cortex XSOAR
Skyhigh Security SSE	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
Exabeam	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
CVE Search	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
Symantec Data Loss Prevention	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
GuardiCore	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Cortex Xpanse by Palo Alto Networks	By: Cortex XSOAR
FireEye Email Security (EX)	By: Cortex XSOAR

All level dependencies (0)

Pack Name	Pack By

3.3.47 - 4477986 (January 26, 2023)

Indicator Types

Fixed an issue where "\b" in the domain regex prevented it from catching non-ascii chars.

Related pull requests:
- 24125

Download

3.3.46 - 4466748 (January 25, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 24031

Download

3.3.45 - 4458364 (January 24, 2023)

Incident Fields

New: IP Blocked Status
New: Related Report
New: Endpoint Isolation Status
New: User Creation Time
New: IP Reputation
New: User Engagement Response
New: Password Changed Date
New: Hunt Results Count

Related pull requests:
- 23840

Download

3.3.44 - 4413860 (January 17, 2023)

Indicator Types

Updated the URL regex to support the "mailto:" scheme, defanged colon and user info within the URL.

Related pull requests:
- 23830

Download

3.3.43 - 4376356 (January 11, 2023)

Indicator Types

Fixed an issue in the URL regex which resulted in catching HTML tags.

Related pull requests:
- 23761

Download

3.3.42 - R4372591 (January 11, 2023)

Indicator Types

Fixed an issue with IP URLs, and limited TLDs to only be valid when starting with a letter.

Related pull requests:
- 23625

Download

3.3.41 - 4314916 (January 2, 2023)

Indicator Fields

SWID
Version
Vendor
Languages
CPE

Indicator Types

Software

Layouts

New: Software
Created a new layout for the new indicator type (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 23388

Download

3.3.40 - 4299594 (December 29, 2022)

Incident Fields

Added the Exabeam Incident incident type to the following incident fields:

Close Time
Item Owner
Start Time
Title

Added the Source Updated By incident field.

Related pull requests:
- 22664

Download

3.3.39 - 4285391 (December 26, 2022)

Indicator Types

domainRepUnified
Fixed an issue in the domain regex causing XSOAR markdown to break in the war-room.

Related pull requests:
- 23282

Download

3.3.38 - 4258430 (December 21, 2022)

Indicator Types

urlRep
Fixed an issue where the URL type regex did not catch the full domain indicator when it was separated by a hyphen.

Related pull requests:
- 23120

Download

3.3.37 - 4197844 (December 11, 2022)

Indicator Types

domainRepUnified
Updated the domain regex to only accept languages, digits and valid characters.

Related pull requests:
- 22857

Download

3.3.36 - 4172596 (December 7, 2022)

Indicator Types

emailRep

Related pull requests:
- 22399

Download

3.3.35 - 4152557 (December 5, 2022)

Indicator Fields

New: Identity class

Created a new field "Identity class".

New: Industry sectors

Created a new field "Industry sectors".

Indicator Types

New: Location
Added a new Location type indicator.
New: Identity
Added a new Identity type indicator.

Layouts

New: Location
Created a new layout for the Location indicator type (Available from Cortex XSOAR 6.5.0).
New: Identity
Created a new layout for the Identity indicator type (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 22593

Download

3.3.34 - 4137548 (December 2, 2022)

Incident Fields

Cloud Resource List
ASN
Cloud Region List

Related pull requests:
- 22402

Download

3.3.33 - 4123091 (November 29, 2022)

Incident Fields

Additional Indicators - Added a new field for additional indicators of an incident.
Verdict - Added a new field for the verdict of a file.
SSDeep - Added a new field for SSDeep hashes in an incident.
Number of Related Incidents - Added a new field for the number of incidents related to the current incident.
Related Endpoints - Added a new field for the names of endpoints that are related to the incident.
Number of similar files - Added a new field for the number of files similar to the file investigated in the incident.
File Relationships - Added a field for displaying the different relationships a file has with other indicators.

Related pull requests:
- 21970

Download

3.3.32 - R4116031 (November 28, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 22511

Download

3.3.31 - 4105702 (November 26, 2022)

Indicator Types

domainRepUnified
Updated the Domain regex.

Related pull requests:
- 22181

Download

3.3.30 - 4095599 (November 24, 2022)

Incident Fields

Added the following incident fields to be associated with the AWS Guard Duty EC2 Finding, AWS Guard Duty IAM Finding, AWS Guard Duty Kubernetes Finding, AWS Guard Duty Malware Protection Finding, AWS Guard Duty S3 Finding incident types.

Account ID
Last Update Time
Region
Title

Related pull requests:
- 22284

Download

3.3.29 - R4085738 (November 22, 2022)

Indicator Fields

CVSS Table
CVSS Score
CVSS Version

Related pull requests:
- 22302

Download

3.3.28 - 4070054 (November 20, 2022)

Indicator Fields

Key Value
Changed the "Name" column from required "true" to "false"

Related pull requests:
- 22350

Download

3.3.27 - 4005065 (November 10, 2022)

Indicator Fields

Rank

Related pull requests:
- 22075

Download

3.3.26 - 3910837 (October 25, 2022)

Incident Fields

Updated the description for Containment SLA
Updated the description for Triage SLA

Related pull requests:
- 21554

Download

3.3.25 - 3872652 (October 19, 2022)

Incident Fields

Macro Source Code

Related pull requests:
- 21694

Download

3.3.24 - 3818129 (October 11, 2022)

Indicator Types

CIDR
Added the VerifyCIDR formatting script.

Related pull requests:
- 21629

Download

3.3.23 - 3775849 (October 3, 2022)

Indicator Fields

Traffic Light Protocol Added the following values to the field to support TLP 2.0:
- CLEAR
- AMBER+STRICT

Related pull requests:
- 21590

Download

3.3.22 - 3709503 (September 22, 2022)

Indicator Fields

Key Value

Related pull requests:
- 21741
- 21380

Download

3.3.21 - 3702189 (September 21, 2022)

Incident Fields

Added the following incident fields to be associated with the Vectra Detection incident types.
Destination IPs
Detection ID
Dst Ports
Added the following incident fields to be associated with the Vectra Account incident types.
Account ID
Department
Email
Usernames
Display Name
sAMAccountName
Title
Note: removed description from the following incident fields.
Detection ID
Detection End Time
Detection Update Time

Indicator Types

emailRep

Related pull requests:
- 21398

Download

3.3.1 - 3687475 (September 19, 2022)

Incident Fields

Containment SLA
Triage SLA

Layouts

domainRepUnified
hostRep
urlRep
ipRep
unifiedFileRep
registryKey
emailRep
accountRep
Indicator Feed
cveRep
Intrusion Set
Updated layout for IOC.
Email Indicator
Updated layout for IOC.
Threat Actor
Updated layout for IOC.
File Indicator
Updated layout for IOC.
Attack Pattern
Updated layout for IOC.
Vulnerability Incident
Updated layout for IOC.
URL Indicator
Updated layout for IOC.
IP Indicator
Updated layout for IOC.
Tool
Updated layout for IOC.
Course of Action
Updated layout for IOC.
ASN
Updated layout for IOC.
Domain Indicator
Updated layout for IOC.
Campaign
Updated layout for IOC.
Malware
Updated layout for IOC.
Registry Key Indicator
Updated layout for IOC.
Updated layout for IOC.
Host Indicator
Updated layout for IOC.
Report
Updated layout for IOC.
CVE Indicator
Updated layout for IOC.
Infrastructure
Updated layout for IOC.
Account Indicator
Updated layout for IOC.

Related pull requests:
- 21172

Download

3.2.46 - 3649843 (September 13, 2022)

Incident Fields

Added the following incident fields to be associated with the Skyhigh Security Alert and Skyhigh Security Threat incident types.

City
Start Time
Risk Score
Alert Action
Source IPs
Event Action
Account ID
Policy Description
Policy ID
Last Update Time
Cloud Service
Added the new field Source Create time.
Title
Source Create time
Item Owner
Last Update Time

Related pull requests:
- 19793

Download

3.2.44 - 3570916 (August 31, 2022)

Indicator Types

urlRep - The URL regex now catches all kind of parenthesis.

Related pull requests:
- 20170

Download

3.2.43 - 3528006 (August 24, 2022)

Indicator Types

ASN

Layouts

New: ASN
Added support for a new indicator type for asn (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 20447

Download

3.2.42 - 3480655 (August 17, 2022)

Indicator Fields

Description

Added the field to all types (associated to all).

STIX ID

Added the field to all types (associated to all).

Indicator Types

Mutex

Layouts

New: Mutex
Added support for a new indicator type for mutex (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 20440

Download

3.2.41 - 3379905 (August 2, 2022)

Incident Fields

High Level Categories
Alert Category
Categories

Related pull requests:
- 20257

Download

3.2.40 - 3281367 (July 17, 2022)

Indicator Fields

Description - changed the type from longText to markdown
Groups - changed the type from longText to markdown
Short Description - changed the type from longText to markdown
Applications - changed the type from longText to markdown
Note:
- In order for the changes to take effect, server versions < 6.8 should re-install the CommonTypes pack. If any warnings appear, click the Install anyway button.
- Re-installing the pack would reset existing configurations for those types configured. For example, an incident type configured for a certain playbook would no longer be configured.
- Any configuration attached to types from CommonTypes pack would need to be re-configured.

Related pull requests:
- 19903
- 20107

Download

3.2.39 - 3279429 (July 17, 2022)

Incident Fields

Removed the unsupported fromServerVersion field from the following Incident Fields:
Source MAC Address
Post Nat Source IP
Log Source Type
CVSS Integrity Requirement
Mobile Device Model
Source IPs
DNS Name
Follow Up
Low Level Categories Events
Event Names
Device Time
Protocol - Event
Post Nat Destination Port
Close Time
Usernames
Compliance Notes
Source IPV6
Destination IPV6
Destination MAC Address
Last Update Time
Technical Owner
End Time
Closing Reason
Source Geolocation
Post Nat Destination IP
Traffic Direction
Destination IPs
CVSS Collateral Damage Potential
CVSS Availability Requirement
Pre Nat Source IP
Technical Owner Contact
Event Descriptions
Src Ports
Dst Ports
High Level Categories
Technical User
Destination Geolocation
Start Time
Events
Pre Nat Destination Port
Post Nat Source Port
List Of Rules - Event
Category Count
Closing User
CVSS Confidentiality Requirement
Log Source Name
Raw Event
Pre Nat Source Port
Number Of Log Sources

Indicator Fields

Removed the unsupported fromServerVersion field from the following Incident Fields:
STIX Roles
Roles

Related pull requests:
- 19800

Download

3.2.38 - 3271929 (July 15, 2022)

CommonTypes

Fixed an issue where indicator types were missing from the pack.

Related pull requests:
- 20071
- 19800

Download

3.2.37 - 3178125 (June 29, 2022)

Incident Fields

Full Name
Birthday

Related pull requests:
- 19794
- 19392

Download

3.2.36 - 3143373 (June 23, 2022)

Indicator Types

unifiedFileRep - fixed an issue where deprecated enhancment scripts were used.

Related pull requests:
- 19695

Download

3.2.35 - 3103876 (June 16, 2022)

Indicator Fields

Mitre ID
Name of field changed from "MITRE ID" to "Mitre ID"

Related pull requests:
- 19600

Download

3.2.34 - 2941201 (May 18, 2022)

Incident Fields

OS Type

Download

3.2.33 - 2899700 (May 10, 2022)

Incident Fields

Device Internal IPs

Download

3.2.32 - 2855656 (May 2, 2022)

WARNING: This version is invalid. Please install a different version.

Incident Fields

Fixed an issue in External Severity containing typo.

Related pull requests:
- 20109
- 18857

Download

3.2.31 - 2836953 (April 28, 2022)

WARNING: This version is invalid. Please install a different version.

Incident Fields

External Status
Cloud Account ID
Process ID
Parent Process CMD
Parent Process SHA256
External Severity
External Category ID
Device MAC Address
Source MAC Address
External Sub Category ID
External Start Time
Parent Process ID
External Category Name
Source External IPs
Device External IPs
Process CMD
Parent Process Name
Source IPs
Parent Process MD5
External End Time
Process SHA256
Parent Process Path
Process Paths
Process MD5
External Sub Category Name
Process Names
External Link
External Confidence
Device OS Version
Device OS Name
Additional Data
MITRE Tactic Name
MITRE Technique Name
MITRE Tactic ID
MITRE Technique ID
External System ID

Related pull requests:
- 17780
- 20109

Download

3.2.30 - 2750927 (April 13, 2022)

Incident Fields

Account Name - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Asset ID - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Close Time - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Closing Reason - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Department - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Email - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Last Modified By - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Location - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Manager Name - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Source Urgency - Added a new incident field.
Subtype - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.
Title - Added SysAid Change, SysAid Incident, SysAid Problem and SysAid Request to this incident field.

Download

3.2.29 - 2745974 (April 12, 2022)

Incident Fields

Associated Device OU to all incident types.
Application Name
Added "Symantec DLP Endpoint" Incident to this incident field.
File Creation Date
Added "Symantec DLP Discover" Incident to this incident field.
First Seen
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field.
Item Owner Email
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field.
Device Status
Added "Symantec DLP Endpoint" Incident to this incident field.
Resource Name
Added "Symantec DLP Discover" Incident to this incident field.
File Access Date
Added "Symantec DLP Discover" Incident to this incident field.
Item Owner
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field.
Policy ID
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field.
Last Modified By
Added "Symantec DLP Discover" Incident to this incident field.
Policy Details
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field.
External ID
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field.
Device Id
Added "Symantec DLP Endpoint" Incident to this incident field.
Application Path
Added "Symantec DLP Endpoint" Incident to this incident field.
Error MessageD
Added "Symantec DLP Discover" Incident to this incident field.
Added "Symantec DLP Endpoint" Incident to this incident field.
Added "Symantec DLP Network" Incident to this incident field.
Rendered HTML - Added a new field that shows a rendered version of HTML content.

Download

3.2.26 - 2641705 (March 24, 2022)

Incident Fields

Domain Squatting Result - Added a new markdown field that shows the results of the domain-squatting check.

Download

3.2.25 - 2536574 (March 8, 2022)

Incident Fields

Alert Action
Added FireEye HX Alert to this incident field.
Appliance ID
Added FireEye HX Alert to this incident field.

Hostnames
Alert Attack Time
Process Name
Device External IP
Technique
Detected User
Tactic
Tactic ID
Detected Internal IPs
PID
Child Process
Src
CMD
Ticket Opened Date
Users
Dest
Detected IPs
Usernames
Destination Hostname
Source MAC Address
Detected External Hosts
Destination MAC Address
Source IPV6
Dest Hostname
Detection Update Time
External Addresses
Signature
Technique ID
Threat Hunting Detected IP
Source Network
OS
Dest OS
Detected Users
Command Line
Srcs
CMD line
Device Local IP

Indicator Fields

MAC Address

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	January 26, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

VMware Carbon Black Endpoint Standard (Deprecated)

Symantec Data Loss Prevention (Deprecated)

Mandiant Automated Defense (Formerly Respond Software)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.