Common Types

Details
Content
Dependencies
Version History

This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Francisco Javier Fernández Jiménez
Timothy Roberts

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Post Nat Destination Port	The destination port after NAT.
Domain Updated Date
Device Model	Device Model
Technical Owner	The technical owner of the asset.
Appliance Name	Appliance name as received from the integration JSON
Policy Remediable
Dest OS	Destination OS
Last Seen
Manager Name	Manager Name
Last Name	Last Name
Ticket Closed Date
Destination Network
Policy Type
Account ID
Similar incidents Dbot
Triage SLA	The time it took to investigate and enrich incident information.
Detected Internal Hosts	Detected internal hosts
Referenced Resource Name
File Size	File Size
SHA512	SHA512
Alert Rules
Source Id
Protocol	Protocol
Parent CMD line
Detected External IPs	Detected external IPs
Log Source Name	The log source name associated with the event.
Cloud Resource List
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
External Status
MD5	MD5
External ID
Src OS	Src OS
IP Blocked Status
Surname	Surname
Region
Users
Device Time	The time from the original logging device when the event occurred.
Asset ID
Device OS Version
Approval Status	The status for the approval of the request.
Campaign Name
Device OS Name
Log Source Type	The log source type associated with the event.
EmailCampaignSummary
Users Details
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Additional Indicators
Country Code Number
Internal Addresses
Rating
Detection ID
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Hunt Results Count
Classification	Incident Classification
userAccountControl	userAccountControl
Post Nat Destination IP	The destination IP address after NAT.
Agent Version	Reporting Agent/Sensor Version
RemovedFromCampaigns
Full Name	Person's Full Name
High Risky Users
Process Name
Destination Hostname	Destination hostname
Mobile Phone
EmailCampaignMutualIndicators
Isolated	Isolated
Caller
Device MAC Address
MITRE Tactic Name
Category Count	The number of categories that are associated with the offense.
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
File Hash
SKU Name
External Sub Category ID
Custom Query Results
Destination IP	The IP address the impossible traveler logged in to.
ASN
Dsts	The destination values.
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Audit Logs
ASN Name
Child Process
Additional Email Addresses
Selected Indicators	Includes the indicators selected by the user.
Event Descriptions	The description of the event name.
Duration
Vendor ID
Destination MAC Address	The destination MAC address in an event.
Device Local IP	Device Local IP
Account Name	Account Name
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
Alert Action	Alert action as received from the integration JSON
Source Network
File Relationships
Reporter Email Address	The email address of the user who reported the email.
External Severity
Source IPs	The source IPs of the event.
Group ID
First Seen
Acquisition Hire
Resource Name
Policy Actions
Vendor Product
Parent Process MD5
Source Networks
Source Updated by
Process Paths
Compliance Notes	Notes regarding the assets compliance.
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
City
Detected External Hosts	Detected external hosts
MITRE Technique Name
Policy Recommendation
Error Code
Pre Nat Source IP	The source IP before NAT.
Related Endpoints
Device External IPs
Referenced Resource ID
Policy ID
Event ID	Event ID
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
IP Reputation
First Name	First Name
Process SHA256
Unique Ports
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Attack Mode	Attack mode as received from the integration JSON
Dest	Destination
Protocol - Event	The network protocol in the event.
Account Status
EmailCampaignCanvas
Application Id	Application Id
Registration Email
Destination Networks
Report Name
Events	The events associated with the offense.
Manager Email Address
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Device Hash	Device Hash
User Anomaly Count
Password Reset Successfully	Whether the password has been successfully reset.
Containment SLA	The time it took to contain the incident.
Hostnames	The hostname in the event.
Suspicious Executions Found
OutgoingMirrorError
Closing Reason	The closing reason
Protocols
Alert tags
File MD5
External Start Time
Src User	Source User
Source IP	The IP Address that the user initially logged in from.
Sensor IP
External Category Name
Title	Title
Verification Status	The status of the user verification.
Source External IPs
Region ID
Status Reason
Last Modified On
External Addresses
EmailCampaignSnippets
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Email Sent Successfully	Whether the email has been successfully sent.
Source Created By
Policy Description
Country Name	Country Name
Verdict
Parent Process SHA256
Source Status
SHA256	SHA256
OS Type	OS Type
Country	The country from which the user logged in.
Registry Value
Alert ID	Alert ID as received from the integration JSON
File Path
Triggered Security Profile	Triggered Security Profile
Operation Name
Device Name	Device Name
CVE ID
SKU TIER
Registry Hive
Employee Email	The email address of the employee.
Location Region	Location Region
Is Active	Alert status
Item Owner
Rendered HTML	The HTML content in a rendered form.
Source Hostname	The hostname that performed the port scan.
Device External IP	Device External IP
Incident Link
Source Urgency	Source Urgency
Alert Name	Alert name as received from the integration JSON
Changed	The user who changed this incident
Endpoints Details
External Link
Parent Process IDs
Ticket Acknowledged Date
Verification Method	The method used to verify the user.
Timezone
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Close Time	The closing time.
Raw Event	The unparsed event data.
Detected Internal IPs	Detected internal IPs
External End Time
Resource Type
Device Internal IPs
SHA1	SHA1
Sub Category	The sub category
Registry Key
File Names
Follow Up	True if marked for follow up.
Number of similar files
App
OS Version	OS Version
File Creation Date
Cloud Region List
UUID	UUID as received from the integration JSON
Device Status
Detection Update Time
Process CMD
Description	The description of the incident
Risk Rating
Detection URL	URL of the ExtraHop Reveal(x) detection
Ticket Number
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
URLs
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Attack Patterns
CMD line
Tool Usage Found
Mobile Device Model
Tactic
Org Level 1
Event Type	Event Type
IncomingMirrorError
Source Username	The username that was the source of the attack.
Cost Center Code	Cost Center Code
Assigned User	Assigned User
Endpoint Isolation Status
File Paths
High Risky Hosts
Subtype	Subtype
Alert Type ID
Cloud Account ID
Policy Details
Post Nat Source Port	The source port after NAT.
Alert Malicious	Whether the alert is malicious.
Street Address
Last Update Time
Affected Users
Src NT Domain	Source NT Domain
Blocked Action	Blocked Action
Alert Category	The category of the alert
User Block Status
Device OU	Device's OU path in Active Directory
Scenario
Approver	The person who approved or needs to approve the request.
Bugtraq
CVSS Availability Requirement	The CVSS availability requirement for the asset.
External Last Updated Time
SSDeep
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
List Of Rules - Event	The list of rules associated to an event.
Process ID
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
similarIncidents
Risk Name
Birthday	Person's Birthday
Traffic Direction	The direction of the traffic in the event.
Process Creation Time
Cloud Instance ID	Cloud Instance ID
Src Ports	The source ports of the event.
Log Source	Log Source
Display Name	Display Name
Number of Related Incidents
Usernames	The username in the event.
Post Nat Source IP	The source IP address after NAT.
Detection End Time
Job Function	Job Function
Registry Value Type
Source Priority
Application Name	Application Name
Technical User	The technical user of the asset.
Detected IPs
Destination Geolocation	The destination geolocation of the event.
Error Message	The error message that contains details about the error that occurred.
Src	Source
MITRE Technique ID
Domain Name
Department	Department
Event Names	The event name (translated QID ) in the event.
Asset Name
Agents ID
Dst Ports	The destination ports of the event.
Parent Process
Pre Nat Source Port	The source port before NAT.
Location	Location
Parent Process CMD
External Category ID
Affected Hosts
Country Code
Detected Users	Detected users
Source IPV6	The source IPV6 address.
State	State
File SHA1
Appliance ID	Appliance ID as received from the integration JSON
User Agent
Threat Hunting Detected Hostnames
Work Phone
Resource URL
Tenant Name	Tenant Name
Team name
User Engagement Response
Agent ID	Agent ID
Block Indicators Status
Sensor Name
Src Hostname	Source hostname
Device Username	The username of the user that owns the device
Cloud Operation Type
User SID
Process Path
app channel name
Rule Name	The name of a YARA rule
DNS Name	The DNS name of the asset.
Closing User	The closing user.
Alert URL	Alert URL as received from the integration JSON
Technique ID
Org Unit
Risk Score
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Endpoint
External Sub Category Name
Vulnerable Product
Vulnerability Category
Cost Center	Cost Center
Assignment Group
Destination IPs	The destination IPs of the event.
Source MAC Address	The source MAC address in an event.
Categories	The categories for the incident.
User Id	User Id
Related Alerts
Destination IPV6	The destination IPV6 address.
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
Policy Severity
Destination Port	The destination port used.
Suspicious Executions
Number Of Log Sources	The number of log sources related to the offense.
Org Level 3
Policy URI
Email	Primary Email Address
Parent Process Path
Additional Data
Domain Registrar Abuse Email
Technique
MITRE Tactic ID
Signature
String Similarity Results
Dest NT Domain	Destination NT Domain
Alert Attack Time
Srcs	The source values.
Related Report
Start Time	The time when the offense started.
External Confidence
File Name
File Access Date
Identity Type
Related Campaign
Given Name	Given Name
Account Member Of
Leadership
Org Level 2
File SHA256
Policy Deleted
CMD
Process MD5
Parent Process File Path
App message
User Creation Time
Ticket Opened Date
Source Category
Detected Endpoints
Job Family	Job Family
Protocol names
Password Changed Date
Comment	The comments related with the incident
Dest Hostname	Destination hostname
Process Names
Investigation Stage	The stage of the investigation.
External System ID
Device Id	Device Id
Low Level Categories Events	The low level category of the event.
OS	The operating system.
Application Path
Project ID
CVE Published
Personal Email
Tools
Detected User
High Level Categories	The high level categories in the events.
Command Line	Command Line
Source Geolocation	The source geolocation of the event.
Resource ID
PID	PID
MAC Address	MAC Address
Employee Manager Email	The email address of the employee's manager.
Exposure Level
User Risk Level
End Time	The time when the offense ended.
CVSS
Item Owner Email
Last Modified By
CVE
Phone Number	Phone number
Command Line Verdict
Pre Nat Destination Port	The destination port before NAT.
Employee Display Name	The display name of the employee.
Escalation
Threat Hunting Detected IP
Tactic ID
Zip Code	Zip Code
Source Create time
File Upload	Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button.
Username	The username of the account who logged in.
Parent Process Name
Incident Duration	How long it took for the playbook of the incident to finish, from the moment it started.
sAMAccountName	User sAMAAccountName
Tags
Cloud Service
Technical Owner Contact	The contact details for the technical owner.
Source Port	The source port that was used
Objective
Alert Source
Use Case Description
Job Code	Job Code
User Groups

Incident Types

Name	Description
Vulnerability
Policy Violation
Hunt
C2Communication
Defacement
Lateral Movement
UnknownBinary
Job
Authentication
Indicator Feed
DoS
Exploit
Exfiltration
Simulation
Reconnaissance
Network

Indicator Fields

Name	Description
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Path
Tool Version
Admin Name
Short Description
Malware Family
Detection Engines	Total number of engines that checked the indicator
Acquisition Hire	Whether the employee is an acquisition hire.
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
City	City
Author
Domain Referring Subnets
Report Object References	A list of STIX IDs referenced in the report.
First Seen By Source	The first time the indicator was seen by the source vendor.
Organization Type
Registrar Abuse Country
Name
imphash
Org Unit
Signature Algorithm
Community Notes
Vendor
Signature Original Name
Global Prevalence	The number of times the indicator is detected across all organizations.
Applications
User ID
Detections
Domains
Internal
Subdomains
DNS Records
Download URL
Blocked
Product
Certificate Signature
Version
Malware types
Behavior
SSDeep
Name Servers
Street Address
File Extension
BIOS Version
Assigned role
CVSS Vector
Positive Detections	Number of engines that positively detected the indicator as malicious
Goals
Username
Registrant Email
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Registrar Abuse Network
Organization Prevalence	The number of times the indicator is detected in the organization.
Validity Not Before	Specifies the date on which the certificate validity period begins.
Certificate Validation Checks
Personal Email
OS Version
Organization Last Seen	Date and time when the indicator was last seen in the organization.
Name Field
MAC Address
Service	The specific service of a feed integration from which an indicator was ingested.
Registrant Phone
Admin Phone
Processor
Domain Status
Mitre Tactics
Processors
Aliases	Alternative names used to identify this object
Threat Actor Types
STIX Primary Motivation.
Serial Number
Tool Types
CVE Description
MD5
SWID	Specifies the Software Identification (SWID) tags entry for the software
STIX Malware Types
Signature Authentihash
State
Organizational Unit (OU)
Implementation Languages
Admin Email
Work Phone
Is Processed
Public Key
Admin Country
STIX Resource Level
Cost Center
Port
Org Level 1
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Commands
Department	Department
AS Owner
Country Name
Expiration Date
Subject Alternative Names
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
Office365Required
Domain IDN Name
Confidence
Org Level 2
Given Name	Given Name
Registrar Abuse Address
Operating System
Registrar Abuse Email
Registrar Abuse Phone
Feed Related Indicators
STIX Sophistication
Device Model
Publications
Rank	Used to display rank from different sources
ASN
Account Type
Surname	Surname
Geo Location
Whois Records
Subject
Mobile Phone
Zip Code
File Type
Job Function
Memory
Query Language
Registrar Abuse Name
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Indicator Identification
Is Malware Family
Country Code
Extension
Actor
Operating System Version
Force Sync	Whether to force user synchronization.
Manager Email Address
CVSS Table
Leadership
Entry ID
Domain Referring IPs
Validity Not After	Specifies the date on which the certificate validity period ends.
X.509 v3 Extensions
Registrant Name
SHA512
DNS
Assigned user
Organization
Email
Campaign
Tags
STIX Goals
Office365Category
Associations	Known associations to other pieces of Threat Data.
Roles
Location
Action
Source Original Severity	The original score/severity provided by the source without DBot translation.
Cost Center Code
Updated Date
CVE Modified
SHA256
Job Code	Job Code
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Sophistication
Groups
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
STIX Description
Vulnerable Products
Operating System Refs
Office365ExpressRoute
Hostname
Signed
Certificates
Report type
IP Address
Location Region
Size
CVSS
Creation Date
STIX Roles
Category
Organization First Seen	Date and time when the indicator was first seen in the organization.
STIX Aliases	Alternative names used to identify this object
CVSS3
Subject DN	Subject Distinguished Name
Resource Level
Manager Name	Manager Name
Associated File Names
Title	Title
Email Address
Secondary Motivations
Reports
Primary Motivation
Architecture
Description
Geo Country
Samples
Objective
Registrar Name
Last Seen By Source	The last time the indicator was seen by the Source vendor.
Published
STIX Tool Version
STIX Secondary Motivations
Capabilities
Issuer
Source Priority
Paths
CVSS Score
SHA1
Certificate Names
PEM	Certificate in PEM format.
Vulnerabilities
Quarantined	Whether the indicator is quarantined or isolated
Signature Description
Display Name
CVSS Version
Domain Name
Key Value
Issuer DN	Issuer Distinguished Name
Number of subkeys
Targets
STIX Tool Types
Infrastructure Types
Job Family
Mitre ID
Country Code Number
Signature File Version
Definition
STIX Threat Actor Types
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
STIX Is Malware Family
Signature Copyright
Registrant Country
Org Level 3
Region
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
DHCP Server
Signature Internal Name

Layouts

Name	Description
Email Indicator	Email Indicator Layout
Report	Report Indicator Layout
X509 Certificate	CVE Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Host Indicator	Host indicator layout
File Indicator	File Indicator Layout
Infrastructure	Infrastructure Indicator Layout
Campaign	Campaign Indicator Layout
Account Indicator	Account Indicator Layout
Identity	Identity indicator layout
Tool Indicator	Tool Indicator Layout
CVE Indicator	CVE Indicator Layout
Indicator Feed Incident
Mutex	Mutex indicator layout
URL Indicator	URL Indicator Layout
Course of Action	Course of Action Indicator Layout
Domain Indicator	Domain Indicator Layout
IP Indicator	IP Indicator Layout
ASN	ASN Indicator Layout
Malware Indicator	Malware Indicator Layout
Intrusion Set	Intrusion Set Layout
Registry Key Indicator	Registry Key Indicator Layout
Tactic Layout	Tactic Indicator Layout
Vulnerability Incident
Attack Pattern	Attack Pattern Indicator Layout
Software	Software Indicator Layout
Location	Location indicator layout

Indicator Types

Name	Description
CIDR
DomainGlob
URL
Location
ssdeep
Mutex
Onion Address
IPv6
Attack Pattern
ASN
Identity
CVE
X509 Certificate
Registry Key
File SHA-1
Threat Actor
Course of Action
File
File SHA-256
IP
Malware
Tool
Report
Infrastructure
Host
Software
Intrusion Set
File MD5
Email
IPv6CIDR
Campaign
Account
Tactic
Domain

Classifiers

Name	Description
Mail Listener - Classifier	Classifies phishing email messages.
Mail Listener - Incoming Mapper	Maps incoming phishing email messages fields.

Incident Fields

Name	Description
Verification Status	The status of the user verification.
Destination Geolocation	The destination geolocation of the event.
Source Create time
Resource URL
Vulnerability Category
Block Indicators Status
Parent Process Name
Resource Type
MITRE Technique ID
Last Update Time
Source Priority
SHA1	SHA1
Endpoint Isolation Status
Pre Nat Destination Port	The destination port before NAT.
Threat Family Name	Threat Family Name Associated with an Attacking Vector. I.E. Meterpreter as toolkit or Extortion\ֿFraud\Espionage
ASN
Low Level Categories Events	The low level category of the event.
Policy Recommendation
Failed Logon Events	The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field.
Account Member Of
Source Urgency	Source Urgency
List Of Rules - Event	The list of rules associated to an event.
File SHA1
IncomingMirrorError
IP Blocked Status
Compliance Notes	Notes regarding the assets compliance.
Registration Email
Asset Name
Technical Owner	The technical owner of the asset.
Blocked Action	Blocked Action
External Link
Last Modified On
Error Code
Source External IPs
Org Level 2
First Name	First Name
CVE ID
User SID
Account Status
Vulnerable Product
Users Details
Additional Indicators
CVSS Availability Requirement	The CVSS availability requirement for the asset.
Display Name	Display Name
Investigation Stage	The stage of the investigation.
Use Case Description
Start Time	The time when the offense started.
Policy ID
EmailCampaignSummary
Alert tags
Event Action	Action taken on user accounts - Create, Update, Deactivate, Reactivate
Parent Process CMD
Country Code
Device Id	Device Id
Sub Category	The sub category
Parent Process SHA256
RemovedFromCampaigns
Device OS Version
Cloud Account ID
External Category ID
Triage SLA	The time it took to investigate and enrich incident information.
Isolated	Isolated
Surname	Surname
Process Names
Campaign Name
File Access Date
User Anomaly Count
Risk Name
Post Nat Source IP	The source IP address after NAT.
Technical Owner Contact	The contact details for the technical owner.
MITRE Tactic ID
Original Alert ID	Alert ID as received from the integration JSON
External Sub Category ID
Number of similar files
Report Name
Source Networks
Org Level 3
Risk Score
Remediation SLA	The time it took since remediation of the incident began, and until it ended.
Country Code Number
SHA512	SHA512
Last Modified By
Destination IPV6	The destination IPV6 address.
Device External IPs
File Relationships
Part of Campaign	The ID of the campaign incident of which the current incident is part of.
Exposure Level
Source Updated by
Vendor ID
Policy Severity
EmailCampaignMutualIndicators
Policy Deleted
External Severity
External Confidence
Subtype	Subtype
Objective
Password Changed Date
Registry Value Type
Detection SLA	The time it took from incident creation until the maliciousness was determined.
Number of Related Incidents
Technique ID
Device Model	Device Model
Process Paths
Tools
MITRE Technique Name
Source Geolocation	The source geolocation of the event.
Device Hash	Device Hash
Street Address
Event Names	The event name (translated QID ) in the event.
Location	Location
Is Active	Alert status
Triggered Security Profile	Triggered Security Profile
Unique Ports
Original Alert Source
Internal Addresses
Reporter Email Address	The email address of the user who reported the email.
User Groups
Rendered HTML	The HTML content in a rendered form.
Number Of Found Related Alerts	Medium or Higher Severity Alerts
Domain Registrar Abuse Email
String Similarity Results
Email Sent Successfully	Whether the email has been successfully sent.
Cloud Resource List
Cloud Service
Alert Malicious	Whether the alert is malicious.
Traffic Direction	The direction of the traffic in the event.
App message
Related Endpoints
OS Type	OS Type
Destination Networks
Resource Name
Critical Assets	A table of critical assets involved in the incident, including the name and asset type.
High Risky Users
Mobile Phone
Process ID
Threat Name	Define the threat name such as malware/exploit/phishing/etc
Status Reason
Manager Name	Manager Name
Suspicious Executions Found
EmailCampaignSnippets
Asset ID
Job Function	Job Function
Department	Department
Region ID
Detected Endpoints
Tool Usage Found
Item Owner
External System ID
Application Path
Zip Code	Zip Code
Changed	The user who changed this incident
Account ID
Technical User	The technical user of the asset.
Ticket Closed Date
Source Created By
Event Descriptions	The description of the event name.
Affected Users
Approval Status	The status for the approval of the request.
Risk Rating
Process CMD
Device OU	Device's OU path in Active Directory
Device OS Name
Assignment Group
URLs
External Last Updated Time
Cost Center Code	Cost Center Code
Vendor Product
OS	The operating system.
External Category Name
Employee Email	The email address of the employee.
Detected External IPs	Detected external IPs
Selected Indicators	Includes the indicators selected by the user.
Verdict
Device Internal IPs
File Hash
Domain Name
Employee Display Name	The display name of the employee.
Timezone
Device MAC Address
Protocol names
Error Message	The error message that contains details about the error that occurred.
Closing User	The closing user.
Log Source Name	The log source name associated with the event.
CVSS Confidentiality Requirement	The CVSS confidentiality requirement of the asset.
External Start Time
Containment SLA	The time it took to contain the incident.
Cloud Region List
Item Owner Email
Operation Name
Closing Reason	The closing reason
Caller
Attack Mode	Attack mode as received from the integration JSON
Category Count	The number of categories that are associated with the offense.
Policy Type
Identity Type
userAccountControl	userAccountControl
Ticket Number
similarIncidents
State	State
Affected Hosts
Detection URL	URL of the ExtraHop Reveal(x) detection
Phone Number	Phone number
Group ID
Cloud Instance ID	Cloud Instance ID
External Sub Category Name
Manager Email Address
Sensor IP
Escalation
Custom Query Results
Last Name	Last Name
Location Region	Location Region
Referenced Resource Name
Comment	The comments related with the incident
Alert Type ID
Additional Data
Duration
EmailCampaignCanvas
Alert Acknowledgement	Alert acknowledgement as received from the integration JSON
Parent Process IDs
Registry Key
Hunt Results Count
Team name
sAMAccountName	User sAMAAccountName
CVE
Registry Value
Audit Logs
Rule Name	The name of a YARA rule
Similar incidents Dbot
Agent Version	Reporting Agent/Sensor Version
SKU TIER
Log Source Type	The log source type associated with the event.
CVSS
Policy Details
URL SSL Verification	Indicates whether the URLs passed the SSL certificate verification.
Policy Description
Parent Process File Path
Raw Event	The unparsed event data.
Job Family	Job Family
Suspicious Executions
User Creation Time
Original Events	The events associated with the offense.
Work Phone
Policy URI
Macro Source Code	In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro.
Additional Email Addresses
Policy Remediable
Birthday	Person's Birthday
app channel name
Verification Method	The method used to verify the user.
UUID	UUID as received from the integration JSON
Region
Approver	The person who approved or needs to approve the request.
Incident Link
File Size	File Size
Related Alerts
User Engagement Response
Alert Rules
Parent Process Path
CVSS Collateral Damage Potential	The CVSS collateral damage potential of the asset.
Attack Patterns
Domain Updated Date
Agents ID
Follow Up	True if marked for follow up.
Tenant Name	Tenant Name
Last Mirrored Time Stamp	The last time the incident was mirrored in.
Employee Manager Email	The email address of the employee's manager.
Detection ID
User Block Status
Detection End Time
Signature
File Creation Date
Close Time	The closing time.
External End Time
Process Creation Time
Command Line Verdict
Process MD5
End Time	The time when the offense ended.
Domain Squatting Result	The result of the domain-squatting check for the attacker's email.
User Id	User Id
Cost Center	Cost Center
MITRE Tactic Name
Tactic ID
Password Reset Successfully	Whether the password has been successfully reset.
Referenced Resource ID
Classification	Incident Classification
First Seen
Org Unit
Personal Email
Source Status
Source Id
Endpoints Details
City
Device Status
Project ID
Ticket Acknowledged Date
Time to Assignment	The time it took from when the incident was created until a user was assigned to it.
Title	Title
Post Nat Destination Port	The destination port after NAT.
Email	Primary Email Address
Mobile Device Model
Alert Action	Alert action as received from the integration JSON
Pre Nat Source Port	The source port before NAT.
Number Of Log Sources	The number of log sources related to the offense.
Post Nat Source Port	The source port after NAT.
Given Name	Given Name
Pre Nat Source IP	The source IP before NAT.
External Status
Rating
Dsts	The destination values.
Source Category
Failed Logon Events Timeframe	The timeframe which the failed logon events occurred in.
Original Alert Name	Alert name as received from the integration JSON
Parent Process MD5
Post Nat Destination IP	The destination IP address after NAT.
Policy Actions
Detected Internal Hosts	Detected internal hosts
Process SHA256
CVE Published
Acquisition Hire
Last Seen
ASN Name
Dest OS	Destination OS
OutgoingMirrorError
Job Code	Job Code
Org Level 1
Registry Hive
Technique
Bugtraq
Log Source	Log Source
Device Time	The time from the original logging device when the event occurred.
Related Campaign
Related Report
Assigned User	Assigned User
Device Name	Device Name
CVSS Integrity Requirement	The CVSS integrity requirement for the asset.
Original Description	The description of the incident
Tactic
Src OS	Src OS
Scenario
SKU Name
SSDeep
High Risky Hosts
Full Name	Person's Full Name
Event ID	Event ID
IP Reputation
Leadership

Incident Types

Name	Description
Hunt
Network
C2Communication
DoS
UnknownBinary
Vulnerability
Authentication
Defacement
Indicator Feed
Reconnaissance
Lateral Movement
Exploit
Policy Violation
Job
Simulation
Exfiltration

Indicator Fields

Name	Description
Malware Family
SPKI SHA256	SHA256 fingerprint of Subject Public Key Info
Given Name	Given Name
imphash
Admin Country
Validity Not After	Specifies the date on which the certificate validity period ends.
Vulnerable Products
Associations	Known associations to other pieces of Threat Data.
DHCP Server
Query Language
Entry ID
Display Name
Product
Feed Related Indicators
Primary Motivation
Registrar Abuse Email
STIX Goals
Registrar Abuse Phone
OS Version
Registrar Name
Admin Name
Issuer DN	Issuer Distinguished Name
Title	Title
Surname	Surname
ASN
Reports
CVSS Score
Tool Types
STIX Secondary Motivations
STIX ID	An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way
Org Level 1
Organizational Unit (OU)
Source Priority
Implementation Languages
STIX Threat Actor Types
Operating System
Admin Email
Assigned role
CVE Description
Indicator Identification
Malware types
Action
CPE	Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary
Description
Certificate Names
Detections
Certificate Signature
Number of subkeys
Processor
Domain Referring Subnets
Traffic Light Protocol	TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Internal
Threat Types	The threat category associated to this indicator by the source vendor. For example, Phishing, Command \u0026 Control, TOR, etc.
Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Domains
Geo Country
Objective
Signature Authentihash
Quarantined	Whether the indicator is quarantined or isolated
Country Name
Is Malware Family
Job Function
Job Code	Job Code
Confidence
Organization First Seen	Date and time when the indicator was first seen in the organization.
Threat Actor Types
Organization
Service	The specific service of a feed integration from which an indicator was ingested.
City	City
Street Address
Job Family
Location Region
File Extension
Author
Download URL
Campaign
Paths
SHA512
Community Notes
Office365Category
Processors
Roles
SHA1
Positive Detections	Number of engines that positively detected the indicator as malicious
Is Processed
Applications
Email
Org Unit
SHA256
Assigned user
Memory
Tool Version
Reported By	The source that reported this indicator. Can be a feed, an incident, or users.
Actor
Creation Date
Rank	Used to display rank from different sources
Signature Description
Signed
CVSS
Office365ExpressRoute
STIX Roles
Global Prevalence	The number of times the indicator is detected across all organizations.
Vulnerabilities
Architecture
Signature Internal Name
Subject
Subject Alternative Names
Domain IDN Name
Samples
Certificate Validation Checks
Size
Organization Last Seen	Date and time when the indicator was last seen in the organization.
X.509 v3 Extensions
Expiration Date
Blocked
Capabilities
User ID
Registrar Abuse Name
STIX Tool Types
Mobile Phone
Issuer
Manager Name	Manager Name
Username
Manager Email Address
Report Object References	A list of STIX IDs referenced in the report.
Domain Status
Aliases	Alternative names used to identify this object
STIX Is Malware Family
Goals
Industry sectors	Industry sector is an open vocabulary that describes industrial and commercial sectors.
SWID	Specifies the Software Identification (SWID) tags entry for the software
SSDeep
Key Value
Country Code
Subject DN	Subject Distinguished Name
CVSS Version
Signature Copyright
Office365Required
Operating System Version
Email Address
STIX Kill Chain Phases	The list of Kill Chain Phases for which this object is used.
Region
Org Level 2
Mitre Tactics
STIX Description
Publications
Registrant Email
First Seen By Source	The first time the indicator was seen by the source vendor.
Device Model
Tags
Cost Center
Department	Department
CVSS Vector
Location
Public Key
Organization Type
CVSS3
Detection Engines	Total number of engines that checked the indicator
AS Owner
Registrant Country
Last Seen By Source	The last time the indicator was seen by the Source vendor.
STIX Sophistication
IP Address
STIX Primary Motivation.
Name Servers
BIOS Version
Whois Records
Hostname
Commands
Country Code Number
CVSS Table
Cost Center Code
Report type
Version
Personal Email
Geo Location
Name Field
Name
Registrar Abuse Network
Work Phone
File Type
STIX Malware Types
Extension
STIX Tool Version
Certificates
PEM	Certificate in PEM format.
Source Original Severity	The original score/severity provided by the source without DBot translation.
Account Type
Validity Not Before	Specifies the date on which the certificate validity period begins.
Domain Name
Registrar Abuse Country
Subdomains
Resource Level
STIX Aliases	Alternative names used to identify this object
Infrastructure Types
Updated Date
STIX Resource Level
Admin Phone
Registrant Phone
Associated File Names
Signature Original Name
Definition
Registrant Name
Sophistication
Groups
Secondary Motivations
Port
Short Description
Behavior
Path
Force Sync	Whether to force user synchronization.
Registrar Abuse Address
Vendor
Signature Algorithm
Organization Prevalence	The number of times the indicator is detected in the organization.
Identity class	The type of entity that this Identity describes, e.g., an individual or organization.
Org Level 3
Domain Referring IPs
CVE Modified
Serial Number
Zip Code
Acquisition Hire	Whether the employee is an acquisition hire.
State
Languages	Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to - RFC5646.
Category
Published
Targets
DNS
MD5
Signature File Version
Operating System Refs
Mitre ID
Leadership
DNS Records

Layoutrule

Name	Description
Indicator Feed Layout Rule
Vulnerability Layout Rule

Layouts

Name	Description
Infrastructure	Infrastructure Indicator Layout
Host Indicator	Host indicator layout
Report	Report Indicator Layout
Course of Action	Course of Action Indicator Layout
URL Indicator	URL Indicator Layout
Email Indicator	Email Indicator Layout
Tactic Layout	Tactic Indicator Layout
ASN	ASN Indicator Layout
IP Indicator	IP Indicator Layout
Attack Pattern	Attack Pattern Indicator Layout
Registry Key Indicator	Registry Key Indicator Layout
Vulnerability Incident
Domain Indicator	Domain Indicator Layout
Campaign	Campaign Indicator Layout
Mutex	Mutex indicator layout
File Indicator	File Indicator Layout
Account Indicator	Account Indicator Layout
CVE Indicator	CVE Indicator Layout
Intrusion Set	Intrusion Set Layout
Tool Indicator	Tool Indicator Layout
Location	Location indicator layout
X509 Certificate	CVE Indicator Layout
Threat Actor	Threat Actor Indicator Layout
Malware Indicator	Malware Indicator Layout
Software	Software Indicator Layout
Indicator Feed Incident
Identity	Identity indicator layout

Indicator Types

Name	Description
Report
Malware
Email
Location
Intrusion Set
ssdeep
Tactic
URL
Mutex
DomainGlob
IP
File SHA-256
Course of Action
Tool
Threat Actor
Onion Address
IPv6
Host
ASN
Software
CIDR
File MD5
Attack Pattern
CVE
Infrastructure
IPv6CIDR
Identity
Domain
Registry Key
File SHA-1
File
X509 Certificate
Campaign
Account

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (60)

Pack Name	Pack By
AWS - GuardDuty	By: Cortex XSOAR
AWS - Security Hub	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Microsoft Sentinel	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Carbon Black Endpoint Standard	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Change Management	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
Cyberint	By: Cyberint
Doppel	By: Doppel Inc
Employee Offboarding	By: Cortex XSOAR
Exabeam Advanced Analytics	By: Cortex XSOAR
Exabeam Security Operations Platform	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
Trellix Email Security - Cloud	By: Cortex XSOAR
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
FireEye Network Security (NX)	By: Cortex XSOAR
FraudWatch PhishPortal	By: Cortex XSOAR
Freshworks Freshservice	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
GravityZone	By: Bitdefender
Akamai GuardiCore	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Impossible Traveler	By: Cortex XSOAR
Rapid7 - Threat Command (IntSights)	By: Rapid7
LogRhythm	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Microsoft Defender for Cloud Apps	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Graph Security	By: Cortex XSOAR
Netskope	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
OpsGenie	By: Cortex XSOAR
OrionMalware	By: Airbus
Enterprise DLP by Palo Alto Networks	By: Palo Alto Networks Enterprise DLP
Password Reset via Chatbot	By: Cortex XSOAR
PCAP Analysis	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Port Scan	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud Compute by Palo Alto Networks	By: Cortex XSOAR
SaaS Security by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
NetWitness	By: Netwitness
Mandiant Automated Defense	By: Mandiant
Skyhigh Security SSE	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Stamus	By: Stamus Networks
Symantec Data Loss Prevention	By: Cortex XSOAR
SysAid	By: Cortex XSOAR
Tanium Threat Response	By: Cortex XSOAR
ThreatConnect	By: Cortex XSOAR
Trend Micro Cloud App Security	By: Cortex XSOAR
Tripwire	By: Cortex XSOAR
Vectra AI	By: Vectra TME Integrations

All level dependencies (4)

Pack Name	Pack By
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

3.10.11 - 9233795 (May 24, 2026)

Incident Fields

Last Update Time
Added the CrowdStrike Falcon IOA Event incident type to the associated types of the Last Update Time incident field.

Related pull requests:
- 44334

Download

3.10.10 - 8801294 (May 6, 2026)

Layouts

URL Indicator
Updated Add tags and Remove tags in the URL Indicator layout to use a pipe (|) delimiter.

Related pull requests:
- 44206

Download

3.10.9 - 8727847 (May 4, 2026)

Indicator Types

IPv6
Fixed an issue where IPv6 indicators with a trailing :: (for example, aaaa:9999:1111:ffff::) were not extracted.

Related pull requests:
- 44112

Download

3.10.8 - 8382811 (April 20, 2026)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

3.10.7 - 8288718 (April 15, 2026)

Indicator Types

Domain
Fixed an issue where false-positive domain indicators were extracted.

Related pull requests:
- 43856

Download

3.10.6 - 8227525 (April 13, 2026)

Incident Fields

Last Update Time
Updated the Last Update Time incident field to support the CrowdStrike Falcon Intelligence Recon incident type.

Related pull requests:
- 42097
- 41869

Download

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7389211 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920594 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Alert Attack Time
Updated the Alert Attack Time incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Detected External Hosts
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Source IPs
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5208238 (September 30, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4121830 (July 10, 2025)

Incident Fields

Destination IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Username
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPV6
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Source IPs
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

3.10.11 - 9233795 (May 24, 2026)

Incident Fields

Last Update Time
Added the CrowdStrike Falcon IOA Event incident type to the associated types of the Last Update Time incident field.

Related pull requests:
- 44334

Download

3.10.10 - 8801294 (May 6, 2026)

Layouts

URL Indicator
Updated Add tags and Remove tags in the URL Indicator layout to use a pipe (|) delimiter.

Related pull requests:
- 44206

Download

3.10.9 - 8727847 (May 4, 2026)

Indicator Types

IPv6
Fixed an issue where IPv6 indicators with a trailing :: (for example, aaaa:9999:1111:ffff::) were not extracted.

Related pull requests:
- 44112

Download

3.10.8 - 8382811 (April 20, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

3.10.7 - 8288718 (April 15, 2026)

Indicator Types

Domain
Fixed an issue where false-positive domain indicators were extracted.

Related pull requests:
- 43856

Download

3.10.6 - 8227525 (April 13, 2026)

Incident Fields

Last Update Time
Updated the Last Update Time incident field to support the CrowdStrike Falcon Intelligence Recon incident type.

Related pull requests:
- 42097
- 41869

Download

3.10.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

3.10.4 - 7478701 (March 8, 2026)

Incident Fields

Last Update Time
Added the GravityZone EDR, and GravityZone XDR incident types as associated types.

Related pull requests:
- 43387
- 42789

Download

3.10.3 - 7379405 (March 1, 2026)

Indicator Types

IPv6
Fixed an issue where the IPv6 indicator type regex failed to extract an IPv6 address from input text containing line breaks.

Related pull requests:
- 43284

Download

3.10.2 - 7188558 (February 17, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

3.10.1 - 6920581 (January 28, 2026)

Incident Fields

Traffic Direction
Updated the Traffic Direction incident field to associate 'Trellix Incident' type.
Vendor Product
Updated the Vendor Product incident field to associate 'Trellix Incident' type.
UUID
Updated the UUID incident field to associate 'Trellix Incident' type.

Related pull requests:
- 42762

Download

3.10.0 - 6802612 (January 20, 2026)

Incident Fields

Vendor Product
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
UUID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
End Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Display Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Start Time
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Risk Score
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
Detection ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Related pull requests:
- 42537

Download

3.9.9 - 6640287 (January 11, 2026)

Indicator Types

URL
Updated the URL indicator regex to handle defanged IP addresses with a [.] notation (e.g., 45.134.174[.]235/2.sh).

Related pull requests:
- 42595

Download

3.9.8 - 6580350 (January 6, 2026)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

3.9.7 - 5888286 (November 16, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41916

Download

3.9.6 - 5538136 (October 23, 2025)

Common Types

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.9.5 - 5212533 (October 1, 2025)

Indicator Fields

Primary Motivation

Updated the Primary Motivation indicator field to include additional values.

Indicator Types

File
Updated the file formatter to include the imphash incident field.

Layouts

Threat Actor
Updated the Threat Actor layout to include additional incident fields.

Related pull requests:
- 41462

Download

3.9.4 - R5172709 (September 29, 2025)

Layouts

Malware Indicator
Added a new layout for Malware Indicators.
Campaign
Added a new layout for Campaign Indicators.

Related pull requests:
- 41337
- 41411

Download

3.9.3 - 4826286 (September 9, 2025)

Indicator Types

Domain
Updated the Domain REGEX to exclude numbers from TLDs.

Related pull requests:
- 41200

Download

3.9.2 - 4261213 (July 22, 2025)

Indicator Types

Domain
Fixed an issue where the regular expression caught an extra backtick (`) causing the Markdown to fail.

Related pull requests:
- 40660

Download

3.9.1 - 4130170 (July 10, 2025)

Common Types

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

3.9.0 - 4118212 (July 9, 2025)

Incident Fields

Display Name
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
End Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Start Time
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Related pull requests:
- 40208

Download

3.8.12 - 4083045 (July 7, 2025)

Indicator Types

IPv6
Updated the IPv6 indicator regex.

Related pull requests:
- 40165

Download

3.8.11 - 4049458 (July 3, 2025)

Common Types

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.8.10 - 3802487 (June 15, 2025)

Indicator Types

URL
Updated the URL indicator type to allow underscores in sub-domains.
Domain
Updated the Domain indicator type to allow underscores in sub domains.

Related pull requests:
- 40041

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	May 24, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Mandiant Automated Defense (Formerly Respond Software)

Palo Alto Networks Cortex XDR - Investigation and Response

Symantec Data Loss Prevention (Deprecated)

Palo Alto Networks - Prisma Cloud Compute

VMware Carbon Black Endpoint Standard (Deprecated)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.