Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
| Name | Description |
|---|---|
Account Name | Account Name |
Source Urgency | Source Urgency |
External Sub Category ID | |
Employee Display Name | The display name of the employee. |
Source IPs | The source IPs of the event. |
OS Type | OS Type |
Policy Recommendation | |
Cost Center Code | Cost Center Code |
userAccountControl | userAccountControl |
Source External IPs | |
Device Internal IPs | |
Affected Hosts | |
Destination IPs | The destination IPs of the event. |
External Confidence | |
Policy Remediable | |
Location Region | Location Region |
Detected Endpoints | |
Subtype | Subtype |
Destination Networks | |
User Block Status | |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Employee Email | The email address of the employee. |
Device Local IP | Device Local IP |
SHA1 | SHA1 |
Source Networks | |
MITRE Tactic Name | |
Threat Hunting Detected IP | |
Log Source Type | The log source type associated with the event. |
Categories | The categories for the incident. |
Source Category | |
Attack Mode | Attack mode as received from the integration JSON |
Device Model | Device Model |
File SHA1 | |
Process ID | |
Related Alerts | |
Parent Process MD5 | |
Personal Email | |
Policy URI | |
Alert Category | The category of the alert |
Triggered Security Profile | Triggered Security Profile |
Resource ID | |
PID | PID |
Unique Ports | |
URLs | |
External Link | |
Number Of Log Sources | The number of log sources related to the offense. |
Ticket Opened Date | |
Org Level 2 | |
Users | |
Appliance ID | Appliance ID as received from the integration JSON |
Dest OS | Destination OS |
Dest Hostname | Destination hostname |
Is Active | Alert status |
Event Type | Event Type |
Objective | |
Registry Value | |
Number of Related Incidents | |
Alert Rules | |
Manager Email Address | |
Endpoint Isolation Status | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Street Address | |
SKU TIER | |
Device Hash | Device Hash |
User Groups | |
Event Names | The event name (translated QID ) in the event. |
Assigned User | Assigned User |
Password Reset Successfully | Whether the password has been successfully reset. |
External Addresses | |
Location | Location |
CVE | |
Job Family | Job Family |
CMD | |
Duration | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Device MAC Address | |
Category Count | The number of categories that are associated with the offense. |
Application Name | Application Name |
CVSS | |
MITRE Tactic ID | |
User Agent | |
Policy Description | |
Hunt Results Count | |
Device Username | The username of the user that owns the device |
Detected Users | Detected users |
Endpoint | |
Dst Ports | The destination ports of the event. |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Post Nat Destination Port | The destination port after NAT. |
Org Level 3 | |
Birthday | Person's Birthday |
Manager Name | Manager Name |
Traffic Direction | The direction of the traffic in the event. |
Cloud Account ID | |
Assignment Group | |
File Relationships | |
File Names | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
String Similarity Results | |
Parent CMD line | |
Account Status | |
Close Time | The closing time. |
Password Changed Date | |
Cloud Resource List | |
Referenced Resource Name | |
Device OS Name | |
Project ID | |
Alert Attack Time | |
UUID | UUID as received from the integration JSON |
City | |
Tactic | |
Surname | Surname |
Alert Malicious | Whether the alert is malicious. |
Cloud Operation Type | |
Escalation | |
First Name | First Name |
Job Function | Job Function |
External System ID | |
Title | Title |
Event ID | Event ID |
EmailCampaignSummary | |
Risk Rating | |
Device OU | Device's OU path in Active Directory |
Device Status | |
App message | |
Registration Email | |
File Size | File Size |
app channel name | |
Process Path | |
Attack Patterns | |
Hostnames | The hostname in the event. |
CVE Published | |
Agent Version | Reporting Agent/Sensor Version |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Incident Link | |
Work Phone | |
File SHA256 | |
Country | The country from which the user logged in. |
Detected User | |
File Hash | |
Destination Hostname | Destination hostname |
OutgoingMirrorError | |
Zip Code | Zip Code |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Process MD5 | |
Source Username | The username that was the source of the attack. |
External Category Name | |
External ID | |
Verification Method | The method used to verify the user. |
Detection End Time | |
Policy Deleted | |
Related Endpoints | |
Agent ID | Agent ID |
Exposure Level | |
External Start Time | |
Alert Name | Alert name as received from the integration JSON |
Affected Users | |
Events | The events associated with the offense. |
Signature | |
Tools | |
Country Code Number | |
Parent Process File Path | |
Employee Manager Email | The email address of the employee's manager. |
Use Case Description | |
Suspicious Executions | |
External Category ID | |
Parent Process IDs | |
Mobile Phone | |
Similar incidents Dbot | |
Parent Process Name | |
End Time | The time when the offense ended. |
Internal Addresses | |
Cloud Region List | |
File Name | |
User Id | User Id |
Item Owner Email | |
Leadership | |
EmailCampaignSnippets | |
Last Modified By | |
Verification Status | The status of the user verification. |
Src Ports | The source ports of the event. |
Post Nat Destination IP | The destination IP address after NAT. |
External Severity | |
Display Name | Display Name |
Source IPV6 | The source IPV6 address. |
Child Process | |
Identity Type | |
Source Geolocation | The source geolocation of the event. |
Device Id | Device Id |
Protocols | |
Low Level Categories Events | The low level category of the event. |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Destination Port | The destination port used. |
Detection ID | |
Domain Name | |
Account Member Of | |
Technical Owner | The technical owner of the asset. |
Tenant Name | Tenant Name |
Process Name | |
Containment SLA | The time it took to contain the incident. |
Block Indicators Status | |
External Status | |
Process Creation Time | |
Status Reason | |
RemovedFromCampaigns | |
Policy Type | |
Resource Name | |
File Paths | |
IP Blocked Status | |
Srcs | The source values. |
Destination MAC Address | The destination MAC address in an event. |
File Path | |
Error Message | The error message that contains details about the error that occurred. |
Cloud Service | |
Email Sent Successfully | Whether the email has been successfully sent. |
Destination Network | |
Dsts | The destination values. |
Alert Action | Alert action as received from the integration JSON |
Log Source Name | The log source name associated with the event. |
Source Status | |
Device External IPs | |
Primary Email Address | |
Description | The description of the incident |
Event Descriptions | The description of the event name. |
App | |
Ticket Closed Date | |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
IP Reputation | |
Region ID | |
Rendered HTML | The HTML content in a rendered form. |
Appliance Name | Appliance name as received from the integration JSON |
Alert Type ID | |
Parent Process SHA256 | |
Registry Value Type | |
Username | The username of the account who logged in. |
Source IP | The IP Address that the user initially logged in from. |
Follow Up | True if marked for follow up. |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage |
Post Nat Source Port | The source port after NAT. |
Parent Process Path | |
Start Time | The time when the offense started. |
Technique | |
Src User | Source User |
Additional Data | |
Team name | |
Given Name | Given Name |
Asset ID | |
MITRE Technique ID | |
Error Code | |
Process Paths | |
Policy Severity | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Approver | The person who approved or needs to approve the request. |
Protocol - Event | The network protocol in the event. |
Suspicious Executions Found | |
Detected External Hosts | Detected external hosts |
Alert ID | Alert ID as received from the integration JSON |
Caller | |
Source Hostname | The hostname that performed the port scan. |
ASN Name | |
sAMAccountName | User sAMAAccountName |
Device External IP | Device External IP |
Risk Name | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Source MAC Address | The source MAC address in an event. |
Alert tags | |
SHA256 | SHA256 |
Device Time | The time from the original logging device when the event occurred. |
IncomingMirrorError | |
Detected External IPs | Detected external IPs |
Last Update Time | |
Last Seen | |
Protocol names | |
Protocol | Protocol |
Item Owner | |
Alert URL | Alert URL as received from the integration JSON |
OS Version | OS Version |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Investigation Stage | The stage of the investigation. |
Src NT Domain | Source NT Domain |
Destination IP | The IP address the impossible traveler logged in to. |
Vendor Product | |
Resource URL | |
External Sub Category Name | |
Closing Reason | The closing reason |
Detected IPs | |
CVE ID | |
ASN | |
Group ID | |
similarIncidents | |
Campaign Name | |
Ticket Acknowledged Date | |
OS | The operating system. |
Additional Indicators | |
File Creation Date | |
External Last Updated Time | |
User Risk Level | |
Registry Hive | |
Technical User | The technical user of the asset. |
Users Details | |
Verdict | |
Source Priority | |
Alert Source | |
Process CMD | |
State | State |
High Level Categories | The high level categories in the events. |
Parent Process CMD | |
Dest NT Domain | Destination NT Domain |
Referenced Resource ID | |
Pre Nat Source Port | The source port before NAT. |
Timezone | |
Technical Owner Contact | The contact details for the technical owner. |
Region | |
Closing User | The closing user. |
Policy ID | |
MITRE Technique Name | |
EmailCampaignMutualIndicators | |
Threat Hunting Detected Hostnames | |
Additional Email Addresses | |
High Risky Users | |
SHA512 | SHA512 |
Endpoints Details | |
Vendor ID | |
SSDeep | |
Number of similar files | |
Risk Score | |
Org Level 1 | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Policy Details | |
Parent Process | |
Scenario | |
Country Name | Country Name |
User Anomaly Count | |
Domain Updated Date | |
Log Source | Log Source |
User SID | |
Command Line | Command Line |
Tactic ID | |
Source Created By | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Registry Key | |
Compliance Notes | Notes regarding the assets compliance. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Mobile Device Model | |
Classification | Incident Classification |
Src Hostname | Source hostname |
Device OS Version | |
File Access Date | |
Agents ID | |
Sensor IP | |
SKU Name | |
Source Network | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Resource Type | |
Job Code | Job Code |
Detection Update Time | |
Isolated | Isolated |
Country Code | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Operation Name | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Process SHA256 | |
Source Updated by | |
Source Id | |
Account ID | |
Related Campaign | |
Source Port | The source port that was used |
Rule Name | The name of a YARA rule |
Rating | |
Triage SLA | The time it took to investigate and enrich incident information. |
Technique ID | |
Comment | The comments related with the incident |
Device Name | Device Name |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Tool Usage Found | |
User Engagement Response | |
Blocked Action | Blocked Action |
Last Modified On | |
Phone Number | Phone number |
Audit Logs | |
Application Path | |
Src OS | Src OS |
Destination Geolocation | The destination geolocation of the event. |
High Risky Hosts | |
External End Time | |
Approval Status | The status for the approval of the request. |
Process Names | |
DNS Name | The DNS name of the asset. |
Ticket Number | |
Custom Query Results | |
Sensor Name | |
Cloud Instance ID | Cloud Instance ID |
Raw Event | The unparsed event data. |
Destination IPV6 | The destination IPV6 address. |
CMD line | |
Cost Center | Cost Center |
Usernames | The username in the event. |
Last Name | Last Name |
File MD5 | |
Source Create time | |
Sub Category | The sub category |
Detected Internal Hosts | Detected internal hosts |
Policy Actions | |
Pre Nat Source IP | The source IP before NAT. |
Org Unit | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Post Nat Source IP | The source IP address after NAT. |
Src | Source |
Acquisition Hire | |
Pre Nat Destination Port | The destination port before NAT. |
MAC Address | MAC Address |
Tags | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Detected Internal IPs | Detected internal IPs |
Selected Indicators | Includes the indicators selected by the user. |
Application Id | Application Id |
First Seen | |
Bugtraq | |
Asset Name | |
Vulnerability Category | |
Department | Department |
MD5 | MD5 |
List Of Rules - Event | The list of rules associated to an event. |
Changed | The user who changed this incident |
User Creation Time | |
Reporter Email Address | The email address of the user who reported the email. |
Dest | Destination |
Command Line Verdict | |
Domain Registrar Abuse Email | |
EmailCampaignCanvas | |
Related Report | |
Vulnerable Product | |
Report Name | |
Full Name | Person's Full Name |
| Name | Description |
|---|---|
Hunt | |
Policy Violation | |
Simulation | |
Lateral Movement | |
Reconnaissance | |
Exploit | |
Exfiltration | |
Vulnerability | |
UnknownBinary | |
Authentication | |
Network | |
Job | |
C2Communication | |
Defacement | |
DoS | |
Indicator Feed |
| Name | Description |
|---|---|
Job Family | |
Resource Level | |
SSDeep | |
Quarantined | Whether the indicator is quarantined or isolated |
Behavior | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Assigned user | |
Street Address | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Processor | |
Name | |
PEM | Certificate in PEM format. |
Issuer | |
SHA1 | |
Admin Phone | |
Creation Date | |
Serial Number | |
Office365Category | |
Department | Department |
Subject Alternative Names | |
Campaign | |
Admin Country | |
Location | |
DNS | |
Geo Location | |
Infrastructure Types | |
Version | |
STIX Malware Types | |
Signature Original Name | |
Manager Email Address | |
Detection Engines | Total number of engines that checked the indicator |
STIX Roles | |
Rank | Used to display rank from different sources |
Number of subkeys | |
Job Function | |
Registrar Abuse Country | |
Internal | |
Secondary Motivations | |
Assigned role | |
Vulnerabilities | |
Architecture | |
Whois Records | |
Registrant Name | |
Detections | |
SHA512 | |
Subdomains | |
STIX Goals | |
Reports | |
Publications | |
Registrant Phone | |
Country Code | |
Product | |
Registrar Abuse Email | |
Domain Referring Subnets | |
Hostname | |
Region | |
Signature Internal Name | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
Registrar Name | |
Is Processed | |
Cost Center Code | |
Work Phone | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Malware types | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
STIX Is Malware Family | |
Memory | |
Samples | |
Certificate Signature | |
Location Region | |
Account Type | |
Surname | Surname |
State | |
Processors | |
Username | |
Signature Copyright | |
Geo Country | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Implementation Languages | |
Threat Actor Types | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
MD5 | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
SHA256 | |
Applications | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Feed Related Indicators | |
Report type | |
Actor | |
Blocked | |
Registrant Email | |
Organization Type | |
Definition | |
Registrar Abuse Network | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
STIX Sophistication | |
Capabilities | |
Certificate Validation Checks | |
Title | Title |
Personal Email | |
Port | |
Vendor | |
Org Unit | |
Signature Description | |
Force Sync | Whether to force user synchronization. |
ASN | |
STIX Tool Types | |
Goals | |
Domain Name | |
Mitre ID | |
Office365ExpressRoute | |
Manager Name | Manager Name |
STIX Tool Version | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Operating System | |
Given Name | Given Name |
Vulnerable Products | |
Registrant Country | |
Country Code Number | |
CVE Modified | |
Signature Authentihash | |
Commands | |
Action | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
CVSS | |
OS Version | |
Short Description | |
X.509 v3 Extensions | |
Updated Date | |
imphash | |
Operating System Refs | |
Display Name | |
Objective | |
Community Notes | |
Certificates | |
Org Level 3 | |
Office365Required | |
Job Code | Job Code |
DHCP Server | |
STIX Resource Level | |
Expiration Date | |
STIX Description | |
Path | |
Cost Center | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Confidence | |
Registrar Abuse Name | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
File Type | |
Is Malware Family | |
Domains | |
Tool Version | |
City | City |
Associations | Known associations to other pieces of Threat Data. |
Key Value | |
Mitre Tactics | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Country Name | |
CVSS Vector | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Tool Types | |
Extension | |
Admin Email | |
Name Field | |
Primary Motivation | |
Certificate Names | |
Sophistication | |
Email Address | |
Published | |
STIX Aliases | Alternative names used to identify this object |
Device Model | |
Organization | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Operating System Version | |
Subject | |
Aliases | Alternative names used to identify this object |
Domain Referring IPs | |
DNS Records | |
CVE Description | |
STIX Threat Actor Types | |
Admin Name | |
STIX Primary Motivation. | |
Query Language | |
Description | |
Roles | |
Org Level 2 | |
Domain IDN Name | |
Download URL | |
Subject DN | Subject Distinguished Name |
Groups | |
Signature Algorithm | |
Organizational Unit (OU) | |
Source Priority | |
Indicator Identification | |
Tags | |
CVSS Version | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Positive Detections | Number of engines that positively detected the indicator as malicious |
IP Address | |
Report Object References | A list of STIX IDs referenced in the report. |
Size | |
Name Servers | |
Associated File Names | |
Signed | |
Paths | |
MAC Address | |
Domain Status | |
BIOS Version | |
Registrar Abuse Phone | |
STIX Secondary Motivations | |
Signature File Version | |
User ID | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Zip Code | |
Malware Family | |
Leadership | |
CVSS Score | |
AS Owner | |
Author | |
Org Level 1 | |
CVSS Table | |
Issuer DN | Issuer Distinguished Name |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Category | |
Entry ID | |
Public Key | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Targets | |
Registrar Abuse Address | |
Mobile Phone | |
File Extension | |
CVSS3 |
| Name | Description |
|---|---|
ASN | ASN Indicator Layout |
IP Indicator | IP Indicator Layout |
Host Indicator | Host indicator layout |
Email Indicator | Email Indicator Layout |
Campaign | Campaign Indicator Layout |
URL Indicator | URL Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Course of Action | Course of Action Indicator Layout |
File Indicator | File Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Identity | Identity indicator layout |
Malware Indicator | Malware Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Software | Software Indicator Layout |
Account Indicator | Account Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Mutex | Mutex indicator layout |
CVE Indicator | CVE Indicator Layout |
Report | Report Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Indicator Feed Incident | |
Vulnerability Incident | |
Location | Location indicator layout |
| Name | Description |
|---|---|
URL | |
Account | |
ssdeep | |
Malware | |
Tool | |
Campaign | |
Report | |
File | |
Attack Pattern | |
Course of Action | |
Domain | |
Infrastructure | |
Mutex | |
DomainGlob | |
File MD5 | |
File SHA-256 | |
Identity | |
File SHA-1 | |
Threat Actor | |
Location | |
IPv6CIDR | |
Registry Key | |
Host | |
ASN | |
Tactic | |
CIDR | |
IP | |
IPv6 | |
Onion Address | |
CVE | |
Intrusion Set | |
Software | |
X509 Certificate |
| Name | Description |
|---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
| Name | Description |
|---|---|
Identity Type | |
Src OS | Src OS |
Compliance Notes | Notes regarding the assets compliance. |
Additional Email Addresses | |
Region | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Country Code | |
MITRE Tactic ID | |
External System ID | |
EmailCampaignSnippets | |
Suspicious Executions | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Assignment Group | |
Detected Endpoints | |
Audit Logs | |
Password Reset Successfully | Whether the password has been successfully reset. |
Report Name | |
Resource Name | |
Device Hash | Device Hash |
Affected Users | |
Signature | |
Original Events | The events associated with the offense. |
Alert Action | Alert action as received from the integration JSON |
Org Level 1 | |
Rendered HTML | The HTML content in a rendered form. |
File Hash | |
SKU TIER | |
Device OS Version | |
Policy ID | |
EmailCampaignMutualIndicators | |
Source Geolocation | The source geolocation of the event. |
User Anomaly Count | |
File Creation Date | |
External Severity | |
Changed | The user who changed this incident |
Close Time | The closing time. |
EmailCampaignSummary | |
Dest OS | Destination OS |
External Sub Category ID | |
Block Indicators Status | |
Additional Data | |
Domain Registrar Abuse Email | |
sAMAccountName | User sAMAAccountName |
Endpoint Isolation Status | |
SHA1 | SHA1 |
MITRE Tactic Name | |
Post Nat Destination IP | The destination IP address after NAT. |
Post Nat Destination Port | The destination port after NAT. |
Error Code | |
Low Level Categories Events | The low level category of the event. |
Source Priority | |
Job Code | Job Code |
Related Endpoints | |
Sub Category | The sub category |
Org Level 2 | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Pre Nat Source Port | The source port before NAT. |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Street Address | |
Mobile Device Model | |
Application Path | |
User Creation Time | |
Is Active | Alert status |
User Block Status | |
Cost Center Code | Cost Center Code |
Parent Process File Path | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
ASN | |
Risk Name | |
Last Update Time | |
CVE ID | |
OS | The operating system. |
First Name | First Name |
Parent Process MD5 | |
Parent Process IDs | |
Vendor ID | |
Registry Value | |
Source Created By | |
Detected External IPs | Detected external IPs |
Suspicious Executions Found | |
Rule Name | The name of a YARA rule |
Region ID | |
Closing Reason | The closing reason |
Display Name | Display Name |
Tactic | |
Device External IPs | |
Department | Department |
Attack Mode | Attack mode as received from the integration JSON |
Campaign Name | |
Exposure Level | |
Similar incidents Dbot | |
app channel name | |
Cloud Account ID | |
Manager Name | Manager Name |
Policy Description | |
Referenced Resource Name | |
SKU Name | |
String Similarity Results | |
Approval Status | The status for the approval of the request. |
Source Create time | |
Triggered Security Profile | Triggered Security Profile |
Custom Query Results | |
Policy Severity | |
Parent Process CMD | |
OutgoingMirrorError | |
Log Source Type | The log source type associated with the event. |
Event ID | Event ID |
Device Id | Device Id |
OS Type | OS Type |
Technique ID | |
Device Name | Device Name |
Original Alert ID | Alert ID as received from the integration JSON |
Post Nat Source Port | The source port after NAT. |
Process Names | |
Registry Hive | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Device Internal IPs | |
Event Names | The event name (translated QID ) in the event. |
File Relationships | |
Device Time | The time from the original logging device when the event occurred. |
CVSS | |
External End Time | |
Cloud Region List | |
Group ID | |
Process ID | |
Threat Family Name | Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage |
IP Blocked Status | |
Affected Hosts | |
Given Name | Given Name |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Protocol names | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
File Access Date | |
URLs | |
Process CMD | |
Cloud Resource List | |
Log Source Name | The log source name associated with the event. |
Device MAC Address | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Surname | Surname |
Domain Name | |
CVE Published | |
Technique | |
Investigation Stage | The stage of the investigation. |
CVE | |
Account ID | |
Registry Value Type | |
Internal Addresses | |
State | State |
Number of similar files | |
Tool Usage Found | |
Objective | |
Ticket Acknowledged Date | |
Users Details | |
App message | |
Source Updated by | |
SSDeep | |
External Category Name | |
Duration | |
Cost Center | Cost Center |
Resource URL | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
ASN Name | |
Follow Up | True if marked for follow up. |
Parent Process Name | |
Source External IPs | |
Email Sent Successfully | Whether the email has been successfully sent. |
Remediation SLA | The time it took since remediation of the incident began, and until it ended. |
Work Phone | |
Ticket Closed Date | |
Employee Email | The email address of the employee. |
Item Owner | |
Detection ID | |
Cloud Instance ID | Cloud Instance ID |
Acquisition Hire | |
External Link | |
Primary Email Address | |
Tactic ID | |
Source Urgency | Source Urgency |
Vendor Product | |
Process MD5 | |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Policy Type | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Risk Rating | |
Technical Owner Contact | The contact details for the technical owner. |
Job Family | Job Family |
Policy Details | |
Technical Owner | The technical owner of the asset. |
Team name | |
Destination Networks | |
Country Code Number | |
Category Count | The number of categories that are associated with the offense. |
Account Member Of | |
MITRE Technique ID | |
External Start Time | |
Project ID | |
Last Modified On | |
Cloud Service | |
Blocked Action | Blocked Action |
Unique Ports | |
Traffic Direction | The direction of the traffic in the event. |
Job Function | Job Function |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Attack Patterns | |
Log Source | Log Source |
High Risky Hosts | |
Original Alert Name | Alert name as received from the integration JSON |
Parent Process Path | |
External Sub Category Name | |
Item Owner Email | |
Comment | The comments related with the incident |
Verification Status | The status of the user verification. |
Rating | |
User Id | User Id |
Alert Type ID | |
Employee Display Name | The display name of the employee. |
Asset ID | |
Tenant Name | Tenant Name |
Bugtraq | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Dsts | The destination values. |
Technical User | The technical user of the asset. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
userAccountControl | userAccountControl |
Registry Key | |
Agents ID | |
Endpoints Details | |
Domain Updated Date | |
Selected Indicators | Includes the indicators selected by the user. |
Use Case Description | |
Timezone | |
Status Reason | |
Alert Rules | |
Event Descriptions | The description of the event name. |
Birthday | Person's Birthday |
Policy Remediable | |
IncomingMirrorError | |
Location | Location |
Leadership | |
Command Line Verdict | |
Scenario | |
Raw Event | The unparsed event data. |
Source Status | |
Parent Process SHA256 | |
Number Of Log Sources | The number of log sources related to the offense. |
High Risky Users | |
similarIncidents | |
Alert Malicious | Whether the alert is malicious. |
Additional Indicators | |
EmailCampaignCanvas | |
Org Unit | |
Account Status | |
Start Time | The time when the offense started. |
Policy URI | |
Subtype | Subtype |
Process Creation Time | |
Post Nat Source IP | The source IP address after NAT. |
Process SHA256 | |
Hunt Results Count | |
Org Level 3 | |
Escalation | |
Policy Actions | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Employee Manager Email | The email address of the employee's manager. |
User Engagement Response | |
Location Region | Location Region |
Manager Email Address | |
Related Report | |
Assigned User | Assigned User |
Referenced Resource ID | |
Operation Name | |
Classification | Incident Classification |
Incident Link | |
Last Modified By | |
MITRE Technique Name | |
Caller | |
Source Category | |
Tools | |
Triage SLA | The time it took to investigate and enrich incident information. |
External Confidence | |
SHA512 | SHA512 |
Agent Version | Reporting Agent/Sensor Version |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Last Seen | |
External Status | |
Related Campaign | |
Source Networks | |
Isolated | Isolated |
UUID | UUID as received from the integration JSON |
Phone Number | Phone number |
Alert tags | |
Reporter Email Address | The email address of the user who reported the email. |
Destination IPV6 | The destination IPV6 address. |
IP Reputation | |
Verdict | |
Error Message | The error message that contains details about the error that occurred. |
Policy Recommendation | |
Original Alert Source | |
Full Name | Person's Full Name |
Risk Score | |
Zip Code | Zip Code |
Detection End Time | |
Vulnerable Product | |
Device Status | |
Password Changed Date | |
Approver | The person who approved or needs to approve the request. |
Containment SLA | The time it took to contain the incident. |
Detected Internal Hosts | Detected internal hosts |
Registration Email | |
Part of Campaign | The ID of the campaign incident of which the current incident is part of. |
Related Alerts | |
Personal Email | |
Number of Related Incidents | |
Closing User | The closing user. |
Sensor IP | |
Last Name | Last Name |
Asset Name | |
Device Model | Device Model |
Device OU | Device's OU path in Active Directory |
Device OS Name | |
Vulnerability Category | |
Process Paths | |
RemovedFromCampaigns | |
Ticket Number | |
Title | Title |
Policy Deleted | |
End Time | The time when the offense ended. |
Destination Geolocation | The destination geolocation of the event. |
City | |
Source Id | |
Pre Nat Source IP | The source IP before NAT. |
First Seen | |
External Category ID | |
User Groups | |
File Size | File Size |
File SHA1 | |
Verification Method | The method used to verify the user. |
Pre Nat Destination Port | The destination port before NAT. |
User SID | |
External Last Updated Time | |
Resource Type | |
List Of Rules - Event | The list of rules associated to an event. |
Mobile Phone | |
Original Description | The description of the incident |
| Name | Description |
|---|---|
Network | |
Lateral Movement | |
Policy Violation | |
Job | |
Hunt | |
Simulation | |
Exploit | |
DoS | |
Indicator Feed | |
Authentication | |
Defacement | |
Exfiltration | |
UnknownBinary | |
Vulnerability | |
Reconnaissance | |
C2Communication |
| Name | Description |
|---|---|
CVSS3 | |
Goals | |
Location | |
OS Version | |
Office365Required | |
Architecture | |
Job Family | |
Applications | |
Email Address | |
Action | |
Admin Phone | |
STIX Resource Level | |
File Type | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Signature Description | |
Domain Status | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Domains | |
Secondary Motivations | |
Certificate Signature | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Registrant Country | |
Actor | |
Office365Category | |
Detection Engines | Total number of engines that checked the indicator |
STIX Tool Types | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Domain IDN Name | |
STIX Primary Motivation. | |
Name Field | |
Associations | Known associations to other pieces of Threat Data. |
Org Unit | |
Sophistication | |
Processor | |
Account Type | |
Published | |
Zip Code | |
Country Code | |
Registrar Abuse Country | |
STIX Secondary Motivations | |
PEM | Certificate in PEM format. |
Hostname | |
SHA512 | |
Malware types | |
Admin Name | |
Tool Version | |
Subject | |
Reports | |
Registrar Abuse Network | |
Department | Department |
Capabilities | |
Whois Records | |
Memory | |
Detections | |
Country Name | |
Location Region | |
Assigned role | |
Issuer | |
STIX Threat Actor Types | |
Organization | |
CVSS | |
State | |
Entry ID | |
Signature Algorithm | |
Port | |
Geo Location | |
Vulnerabilities | |
Registrar Abuse Address | |
Behavior | |
Is Malware Family | |
Personal Email | |
Mobile Phone | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Feed Related Indicators | |
Cost Center | |
Extension | |
Resource Level | |
Number of subkeys | |
Internal | |
Registrant Name | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Mitre ID | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Work Phone | |
Operating System Version | |
Org Level 1 | |
CVE Description | |
Is Processed | |
Serial Number | |
Expiration Date | |
Domain Referring Subnets | |
Region | |
Leadership | |
STIX Malware Types | |
Issuer DN | Issuer Distinguished Name |
Campaign | |
Public Key | |
Source Priority | |
Report type | |
Domain Name | |
STIX Roles | |
Community Notes | |
CVSS Table | |
Implementation Languages | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646. |
User ID | |
Office365ExpressRoute | |
ASN | |
Signature File Version | |
STIX Is Malware Family | |
Username | |
Certificates | |
Blocked | |
Path | |
SHA256 | |
Organization Type | |
Geo Country | |
STIX Aliases | Alternative names used to identify this object |
Definition | |
Display Name | |
Creation Date | |
Roles | |
Processors | |
Signed | |
Vulnerable Products | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Surname | Surname |
Description | |
Cost Center Code | |
STIX ID | An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Street Address | |
imphash | |
Certificate Validation Checks | |
Signature Authentihash | |
IP Address | |
Size | |
Title | Title |
Confidence | |
Job Code | Job Code |
Given Name | Given Name |
Mitre Tactics | |
Samples | |
X.509 v3 Extensions | |
CVSS Vector | |
Objective | |
Rank | Used to display rank from different sources |
Infrastructure Types | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc. |
STIX Goals | |
Org Level 3 | |
CVSS Version | |
Device Model | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Key Value | |
Author | |
Targets | |
Subject DN | Subject Distinguished Name |
Registrant Email | |
Aliases | Alternative names used to identify this object |
Org Level 2 | |
Organizational Unit (OU) | |
STIX Description | |
BIOS Version | |
Manager Email Address | |
MD5 | |
Country Code Number | |
Category | |
Subject Alternative Names | |
CVE Modified | |
Force Sync | Whether to force user synchronization. |
Positive Detections | Number of engines that positively detected the indicator as malicious |
SSDeep | |
Product | |
Name Servers | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Version | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Registrar Abuse Email | |
STIX Tool Version | |
DHCP Server | |
Registrar Abuse Phone | |
Commands | |
Admin Country | |
Admin Email | |
Updated Date | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Malware Family | |
SHA1 | |
Short Description | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Registrar Name | |
Name | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Quarantined | Whether the indicator is quarantined or isolated |
Query Language | |
Certificate Names | |
Subdomains | |
Manager Name | Manager Name |
STIX Sophistication | |
Publications | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Tags | |
Threat Actor Types | |
Job Function | |
Operating System Refs | |
Registrar Abuse Name | |
Vendor | |
Acquisition Hire | Whether the employee is an acquisition hire. |
CVSS Score | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Signature Copyright | |
Signature Internal Name | |
Indicator Identification | |
Tool Types | |
City | City |
Associated File Names | |
Assigned user | |
Download URL | |
Paths | |
Primary Motivation | |
DNS Records | |
DNS | |
Signature Original Name | |
Registrant Phone | |
AS Owner | |
Operating System | |
Groups | |
File Extension | |
Report Object References | A list of STIX IDs referenced in the report. |
Domain Referring IPs |
| Name | Description |
|---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule |
| Name | Description |
|---|---|
Course of Action | Course of Action Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Intrusion Set | Intrusion Set Layout |
IP Indicator | IP Indicator Layout |
Email Indicator | Email Indicator Layout |
X509 Certificate | CVE Indicator Layout |
URL Indicator | URL Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Location | Location indicator layout |
Campaign | Campaign Indicator Layout |
Account Indicator | Account Indicator Layout |
Report | Report Indicator Layout |
Identity | Identity indicator layout |
Mutex | Mutex indicator layout |
Indicator Feed Incident | |
File Indicator | File Indicator Layout |
Tactic Layout | Tactic Indicator Layout |
Vulnerability Incident | |
CVE Indicator | CVE Indicator Layout |
Software | Software Indicator Layout |
Host Indicator | Host indicator layout |
Attack Pattern | Attack Pattern Indicator Layout |
ASN | ASN Indicator Layout |
| Name | Description |
|---|---|
File | |
Location | |
Tactic | |
Campaign | |
IPv6CIDR | |
Malware | |
Registry Key | |
Account | |
File SHA-256 | |
ASN | |
Domain | |
IPv6 | |
Threat Actor | |
Mutex | |
ssdeep | |
Tool | |
File SHA-1 | |
CVE | |
URL | |
Infrastructure | |
Report | |
Intrusion Set | |
X509 Certificate | |
DomainGlob | |
File MD5 | |
Course of Action | |
Identity | |
Attack Pattern | |
CIDR | |
IP | |
Onion Address | |
Software | |
Host |
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Scripts | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.
Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
imphash incident field.Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
imphash incident field.Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | July 26, 2020 | |
| Last Release | July 5, 2026 |









































































