Pack Contributors:
- Francisco Javier Fernández Jiménez
- Timothy Roberts
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides the most commonly used incident and indicator fields and types.
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
Use Case Description | |
Domain Registrar Abuse Email | |
Asset ID | |
Number of Related Incidents | |
Related Alerts | |
Usernames | The username in the event. |
Device External IPs | |
External System ID | |
Process Name | |
Number of similar files | |
Birthday | Person's Birthday |
Given Name | Given Name |
File SHA256 | |
app channel name | |
Last Seen | |
External Severity | |
Resource ID | |
Destination IPs | The destination IPs of the event. |
File Access Date | |
Subtype | Subtype |
Low Level Categories Events | The low level category of the event. |
Escalation | |
Changed | The user who changed this incident |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Log Source Name | The log source name associated with the event. |
Post Nat Source Port | The source port after NAT. |
Users | |
Policy Description | |
Source Create time | |
Policy URI | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Source IPs | The source IPs of the event. |
Tactic ID | |
Device OS Version | |
Number Of Log Sources | The number of log sources related to the offense. |
Closing Reason | The closing reason |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Application Path | |
Protocol | Protocol |
Org Unit | |
Alert Malicious | Whether the alert is malicious. |
Process Names | |
Policy Recommendation | |
Close Time | The closing time. |
Account Name | Account Name |
Street Address | |
Agent Version | Reporting Agent/Sensor Version |
User Block Status | |
Incident Link | |
Ticket Acknowledged Date | |
Parent Process | |
App message | |
Source Urgency | Source Urgency |
Blocked Action | Blocked Action |
File SHA1 | |
Country | The country from which the user logged in. |
Employee Email | The email address of the employee. |
Bugtraq | |
OS Version | OS Version |
Pre Nat Destination Port | The destination port before NAT. |
Process Creation Time | |
Region | |
Caller | |
Last Name | Last Name |
Source Id | |
Classification | Incident Classification |
Account Member Of | |
Project ID | |
Country Name | Country Name |
Team name | |
Child Process | |
Appliance Name | Appliance name as received from the integration JSON |
RemovedFromCampaigns | |
Alert ID | Alert ID as received from the integration JSON |
SSDeep | |
Device Id | Device Id |
User Groups | |
Additional Email Addresses | |
Technical Owner Contact | The contact details for the technical owner. |
Detection End Time | |
Appliance ID | Appliance ID as received from the integration JSON |
Threat Hunting Detected IP | |
Asset Name | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Device Hash | Device Hash |
File Creation Date | |
Error Message | The error message that contains details about the error that occurred. |
Categories | The categories for the incident. |
Related Campaign | |
Parent Process Path | |
CMD line | |
Vendor Product | |
Pre Nat Source Port | The source port before NAT. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Vulnerability Category | |
Device Username | The username of the user that owns the device |
MITRE Technique ID | |
External Sub Category Name | |
Detected Endpoints | |
Last Modified On | |
Surname | Surname |
Technical Owner | The technical owner of the asset. |
User Id | User Id |
Closing User | The closing user. |
Last Update Time | |
Org Level 3 | |
Vendor ID | |
User Agent | |
Dest Hostname | Destination hostname |
Region ID | |
Source Status | |
EmailCampaignSummary | |
Src Hostname | Source hostname |
Source Username | The username that was the source of the attack. |
Destination Hostname | Destination hostname |
Log Source | Log Source |
External ID | |
Device OS Name | |
Alert Action | Alert action as received from the integration JSON |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Detection Update Time | |
Detected Internal Hosts | Detected internal hosts |
Mobile Device Model | |
Application Name | Application Name |
External Link | |
Parent Process CMD | |
Protocol names | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Detected Internal IPs | Detected internal IPs |
High Risky Hosts | |
Detected External IPs | Detected external IPs |
Scenario | |
Account Status | |
Sensor IP | |
Location Region | Location Region |
Verification Method | The method used to verify the user. |
Parent Process Name | |
Process CMD | |
Source IPV6 | The source IPV6 address. |
MITRE Tactic Name | |
Alert Category | The category of the alert |
Country Code | |
UUID | UUID as received from the integration JSON |
Cloud Region List | |
Cloud Resource List | |
SHA1 | SHA1 |
Group ID | |
Dest NT Domain | Destination NT Domain |
Resource Type | |
Destination IP | The IP address the impossible traveler logged in to. |
OS | The operating system. |
Protocols | |
Device Internal IPs | |
Tenant Name | Tenant Name |
File Hash | |
Hostnames | The hostname in the event. |
Org Level 1 | |
Device Model | Device Model |
Detected IPs | |
Macro Source Code | If a Microsoft file such as docm, xlsm or pptm contains a macro, this field holds the macro's source code. |
First Seen | |
Process ID | |
Policy ID | |
Source Networks | |
Device Time | The time from the original logging device when the event occurred. |
Traffic Direction | The direction of the traffic in the event. |
Leadership | |
Policy Severity | |
Domain Name | |
IncomingMirrorError | |
Mobile Phone | |
Rule Name | The name of a YARA rule |
Related Endpoints | |
External Category ID | |
Affected Hosts | |
EmailCampaignCanvas | |
SKU TIER | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Events | The events associated with the offense. |
Timezone | |
Ticket Number | |
Risk Score | |
Containment SLA | The time it took to contain the incident. |
Endpoint Isolation Status | |
IP Blocked Status | |
Follow Up | True if marked for follow up. |
Srcs | The source values. |
Email Sent Successfully | Whether the email has been successfully sent. |
Registry Key | |
Operation Name | |
Manager Name | Manager Name |
Policy Type | |
Registry Hive | |
Org Level 2 | |
Application Id | Application Id |
Technique ID | |
Parent CMD line | |
Source Created By | |
External Addresses | |
OS Type | OS Type |
Cloud Service | |
Internal Addresses | |
Manager Email Address | |
Threat Hunting Detected Hostnames | |
Report Name | |
User SID | |
Dsts | The destination values. |
Detection ID | |
Tool Usage Found | |
Sub Category | The sub category |
Parent Process IDs | |
External Start Time | |
Vulnerable Product | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Employee Display Name | The display name of the employee. |
Alert Rules | |
Duration | |
CVE ID | |
Destination Geolocation | The destination geolocation of the event. |
Pre Nat Source IP | The source IP before NAT. |
Command Line Verdict | |
Destination Network | |
userAccountControl | userAccountControl |
Approval Status | The status for the approval of the request. |
Tags | |
CMD | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Signature | |
Destination Networks | |
Policy Details | |
Parent Process MD5 | |
Src NT Domain | Source NT Domain |
Src OS | Src OS |
Detected Users | Detected users |
ASN Name | |
Custom Query Results | |
Resource URL | |
Location | Location |
Job Family | Job Family |
Post Nat Destination Port | The destination port after NAT. |
Item Owner Email | |
Event Type | Event Type |
Reporter Email Address | The email address of the user who reported the email. |
Dst Ports | The destination ports of the event. |
Item Owner | |
Source External IPs | |
Event Names | The event name (translated QID) in the event. |
Post Nat Destination IP | The destination IP address after NAT. |
City | |
PID | PID |
Identity Type | |
Registry Value | |
Verification Status | The status of the user verification. |
Job Function | Job Function |
Device Name | Device Name |
Source IP | The IP Address that the user initially logged in from. |
Related Report | |
Parent Process SHA256 | |
Status Reason | |
External Category Name | |
File Paths | |
Attack Mode | Attack mode as received from the integration JSON |
EmailCampaignSnippets | |
Suspicious Executions | |
Password Changed Date | |
Description | The description of the incident |
ASN | |
Registry Value Type | |
Endpoints Details | |
OutgoingMirrorError | |
External Confidence | |
Endpoint | |
End Time | The time when the offense ended. |
Is Active | Alert status |
External Status | |
Cloud Account ID | |
Campaign Name | |
Domain Updated Date | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Objective | |
Verdict | |
Threat Name | Define the threat name such as malware/exploit/phishing/etc |
Country Code Number | |
Title | Title |
External Last Updated Time | |
High Level Categories | The high level categories in the events. |
Assigned User | Assigned User |
Agents ID | |
Risk Name | |
Alert tags | |
Event Descriptions | The description of the event name. |
Unique Ports | |
Users Details | |
DNS Name | The DNS name of the asset. |
Isolated | Isolated |
Category Count | The number of categories that are associated with the offense. |
MD5 | MD5 |
SKU Name | |
State | State |
User Engagement Response | |
String Similarity Results | |
Triage SLA | The time it took to investigate and enrich incident information. |
Device Local IP | Device Local IP |
Assignment Group | |
Start Time | The time when the offense started. |
Rendered HTML | The HTML content in a rendered form. |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Source MAC Address | The source MAC address in an event. |
Technique | |
Process SHA256 | |
Referenced Resource ID | |
Hunt Results Count | |
Event ID | Event ID |
File Size | File Size |
Raw Event | The unparsed event data. |
Cost Center | Cost Center |
Compliance Notes | Notes regarding the asset's compliance. |
Department | Department |
Cost Center Code | Cost Center Code |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Referenced Resource Name | |
Source Updated by | |
Attack Patterns | |
Job Code | Job Code |
Source Hostname | The hostname that performed the port scan. |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Dest | Destination |
Source Priority | |
Source Category | |
Display Name | Display Name |
Error Code | |
File Path | |
Triggered Security Profile | Triggered Security Profile |
Zip Code | Zip Code |
Suspicious Executions Found | |
Src Ports | The source ports of the event. |
Cloud Instance ID | Cloud Instance ID |
MAC Address | MAC Address |
First Name | First Name |
Technical User | The technical user of the asset. |
Phone Number | Phone number |
File MD5 | |
Destination MAC Address | The destination MAC address in an event. |
CVE Published | |
Sensor Name | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Source Geolocation | The source geolocation of the event. |
Selected Indicators | Includes the indicators selected by the user. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Investigation Stage | The stage of the investigation. |
Affected Users | |
File Relationships | |
Process Path | |
SHA512 | SHA512 |
Account ID | |
Resource Name | |
CVSS | |
External Sub Category ID | |
Process Paths | |
MITRE Technique Name | |
Destination Port | The destination port used. |
Full Name | Person's Full Name |
Detected External Hosts | Detected external hosts |
Ticket Opened Date | |
File Name | |
Additional Indicators | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
App | |
Approver | The person who approved or needs to approve the request. |
Detected User | |
IP Reputation | |
Policy Remediable | |
Exposure Level | |
Device External IP | Device External IP |
sAMAccountName | User sAMAccountName |
similarIncidents | |
Block Indicators Status | |
Alert URL | Alert URL as received from the integration JSON |
Username | The username of the account who logged in. |
Command Line | Command Line |
MITRE Tactic ID | |
Risk Rating | |
Cloud Operation Type | |
Parent Process File Path | |
Src User | Source User |
Acquisition Hire | |
URLs | |
Alert Attack Time | |
Employee Manager Email | The email address of the employee's manager. |
Tools | |
Ticket Closed Date | |
Policy Actions | |
List Of Rules - Event | The list of rules associated with an event. |
Alert Type ID | |
High Risky Users | |
Source Network | |
Alert Source | |
Device MAC Address | |
Registration Email | |
Threat Family Name | Threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage |
Src | Source |
Process MD5 | |
Password Reset Successfully | Whether the password has been successfully reset. |
Agent ID | Agent ID |
Source Port | The source port that was used |
User Risk Level | |
Additional Data | |
User Creation Time | |
Work Phone | |
Destination IPV6 | The destination IPV6 address. |
EmailCampaignMutualIndicators | |
Comment | The comments related to the incident |
External End Time | |
CVE | |
Dest OS | Destination OS |
Personal Email | |
User Anomaly Count | |
Primary Email Address | |
Device Status | |
Device OU | Device's OU path in Active Directory |
Tactic | |
Similar incidents Dbot | |
Rating | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
SHA256 | SHA256 |
Post Nat Source IP | The source IP address after NAT. |
Policy Deleted | |
Protocol - Event | The network protocol in the event. |
Last Modified By | |
File Names | |
Alert Name | Alert name as received from the integration JSON |
Log Source Type | The log source type associated with the event. |
Name | Description |
---|---|
Exfiltration | |
Reconnaissance | |
Job | |
Network | |
Simulation | |
Vulnerability | |
UnknownBinary | |
Hunt | |
Defacement | |
Lateral Movement | |
DoS | |
Exploit | |
Indicator Feed | |
C2Communication | |
Authentication | |
Policy Violation | |
Name | Description |
---|---|
Actor | |
Signature File Version | |
DHCP Server | |
Geo Location | |
CVSS Version | |
Serial Number | |
Org Level 2 | |
Blocked | |
Street Address | |
Objective | |
Domain Referring Subnets | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Behavior | |
Creation Date | |
Registrant Country | |
Entry ID | |
Issuer DN | Issuer Distinguished Name |
MAC Address | |
Admin Name | |
STIX Sophistication | |
Threat Types | The threat category associated with this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Hostname | |
Quarantined | Whether the indicator is quarantined or isolated |
Signature Internal Name | |
Registrar Abuse Name | |
STIX Tool Types | |
Goals | |
CVSS Score | |
Architecture | |
Definition | |
Path | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Memory | |
Given Name | Given Name |
STIX Resource Level | |
City | City |
Author | |
Is Malware Family | |
Expiration Date | |
Category | |
Department | Department |
OS Version | |
Registrant Email | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way |
Secondary Motivations | |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Mobile Phone | |
Registrar Abuse Country | |
Domains | |
Issuer | |
Action | |
Mitre ID | |
Publications | |
Paths | |
Query Language | |
Account Type | |
CVSS Vector | |
STIX Description | |
CVSS Table | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Operating System Version | |
IP Address | |
Tool Version | |
STIX Secondary Motivations | |
Name Servers | |
Signed | |
Certificate Names | |
Processors | |
Certificate Validation Checks | |
SHA512 | |
Groups | |
Username | |
Force Sync | Whether to force user synchronization. |
Location | |
Associations | Known associations to other pieces of Threat Data. |
State | |
Office365Required | |
STIX Goals | |
Detections | |
Malware types | |
Infrastructure Types | |
Manager Name | Manager Name |
imphash | |
Public Key | |
Signature Algorithm | |
Org Level 3 | |
Size | |
Targets | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Signature Original Name | |
MD5 | |
Mitre Tactics | |
Indicator Identification | |
STIX Malware Types | |
Org Unit | |
Vendor | |
Domain Name | |
Subdomains | |
Version | |
Registrar Abuse Network | |
Updated Date | |
Campaign | |
Geo Country | |
Zip Code | |
Aliases | Alternative names used to identify this object |
Work Phone | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
User ID | |
Whois Records | |
SSDeep | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Organizational Unit (OU) | |
Confidence | |
Number of subkeys | |
Rank | Used to display rank from different sources |
Description | |
Signature Copyright | |
BIOS Version | |
Domain IDN Name | |
Personal Email | |
Leadership | |
Product | |
Sophistication | |
Capabilities | |
Country Code | |
STIX Primary Motivation | |
CVSS3 | |
X.509 v3 Extensions | |
Registrant Name | |
STIX Threat Actor Types | |
Organization | |
Email Address | |
SHA256 | |
Signature Authentihash | |
STIX Roles | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Malware Family | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Reports | |
Display Name | |
Assigned user | |
Job Family | |
Registrar Abuse Email | |
Published | |
DNS | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Region | |
Vulnerabilities | |
Title | Title |
Cost Center | |
AS Owner | |
Report Object References | A list of STIX IDs referenced in the report. |
PEM | Certificate in PEM format. |
Admin Email | |
Extension | |
Admin Country | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Key Value | |
File Type | |
Signature Description | |
Office365Category | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Organization Type | |
Detection Engines | Total number of engines that checked the indicator |
ASN | |
DNS Records | |
CVSS | |
Implementation Languages | |
Domain Referring IPs | |
Country Code Number | |
Job Function | |
Processor | |
Community Notes | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Resource Level | |
Domain Status | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Feed Related Indicators | |
Operating System Refs | |
Name Field | |
Registrar Abuse Address | |
Assigned role | |
Source Priority | |
CVE Description | |
Download URL | |
Short Description | |
SHA1 | |
Report type | |
Cost Center Code | |
Vulnerable Products | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Port | |
Internal | |
Location Region | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary. |
Subject Alternative Names | |
Primary Motivation | |
Is Processed | |
Associated File Names | |
Surname | Surname |
Admin Phone | |
Tags | |
Device Model | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Samples | |
SWID | Specifies the Software Identification (SWID) tags entry for the software. |
Applications | |
Subject | |
Certificates | |
Commands | |
Manager Email Address | |
STIX Tool Version | |
File Extension | |
STIX Is Malware Family | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Certificate Signature | |
STIX Aliases | Alternative names used to identify this object |
Subject DN | Subject Distinguished Name |
Country Name | |
Registrar Name | |
Office365ExpressRoute | |
Org Level 1 | |
Threat Actor Types | |
Registrar Abuse Phone | |
Roles | |
Tool Types | |
CVE Modified | |
Operating System | |
Job Code | Job Code |
Name | |
Registrant Phone | |
Name | Description |
---|---|
Course of Action | Course of Action Indicator Layout |
Mutex | Mutex indicator layout |
Identity | Identity indicator layout |
Vulnerability Incident | |
CVE Indicator | CVE Indicator Layout |
Report | Report Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Location | Location indicator layout |
Infrastructure | Infrastructure Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Campaign | Campaign Indicator Layout |
ASN | ASN Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
IP Indicator | IP Indicator Layout |
Domain Indicator | Domain Indicator Layout |
X509 Certificate | CVE Indicator Layout |
Host Indicator | Host indicator layout |
File Indicator | File Indicator Layout |
Software | Software Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Account Indicator | Account Indicator Layout |
Email Indicator | Email Indicator Layout |
URL Indicator | URL Indicator Layout |
Indicator Feed Incident | |
Name | Description |
---|---|
Software | |
Host | |
File | |
Malware | |
Threat Actor | |
Identity | |
X509 Certificate | |
Attack Pattern | |
Domain | |
Tool | |
File SHA-1 | |
File SHA-256 | |
File MD5 | |
Location | |
Course of Action | |
CIDR | |
Infrastructure | |
Report | |
IPv6CIDR | |
IP | |
URL | |
Mutex | |
ssdeep | |
CVE | |
DomainGlob | |
Account | |
ASN | |
Onion Address | |
IPv6 | |
Intrusion Set | |
Campaign | |
Registry Key | |
Name | Description |
---|---|
Policy Severity | |
SHA512 | SHA512 |
Post Nat Source Port | The source port after NAT. |
Policy Type | |
Number Of Log Sources | The number of log sources related to the offense. |
SHA1 | SHA1 |
sAMAccountName | User sAMAccountName |
Country Code Number | |
Scenario | |
IP Blocked Status | |
Related Campaign | |
External Sub Category ID | |
SKU TIER | |
User Id | User Id |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
EmailCampaignSnippets | |
Device Internal IPs | |
End Time | The time when the offense ended. |
Event Descriptions | The description of the event name. |
Command Line Verdict | |
Affected Users | |
Risk Rating | |
Investigation Stage | The stage of the investigation. |
Original Description | The description of the incident |
Technical Owner | The technical owner of the asset. |
Account Member Of | |
Org Level 3 | |
Process Paths | |
Device MAC Address | |
Post Nat Destination Port | The destination port after NAT. |
OutgoingMirrorError | |
Source Urgency | Source Urgency |
Is Active | Alert status |
Original Alert Source | |
Project ID | |
Suspicious Executions Found | |
Asset Name | |
Approval Status | The status for the approval of the request. |
Protocol names | |
Last Update Time | |
Status Reason | |
Related Alerts | |
Attack Mode | Attack mode as received from the integration JSON |
File Size | File Size |
UUID | UUID as received from the integration JSON |
Low Level Categories Events | The low level category of the event. |
Source Category | |
Approver | The person who approved or needs to approve the request. |
File Creation Date | |
Policy URI | |
Tools | |
Registry Hive | |
List Of Rules - Event | The list of rules associated with an event. |
Pre Nat Destination Port | The destination port before NAT. |
similarIncidents | |
Email Sent Successfully | Whether the email has been successfully sent. |
Source Created By | |
Device Time | The time from the original logging device when the event occurred. |
ASN Name | |
RemovedFromCampaigns | |
Job Code | Job Code |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Src OS | Src OS |
Risk Name | |
Reporter Email Address | The email address of the user who reported the email. |
Detected Internal Hosts | Detected internal hosts |
Exposure Level | |
Tool Usage Found | |
Registration Email | |
External Category Name | |
Number of similar files | |
Pre Nat Source Port | The source port before NAT. |
Manager Name | Manager Name |
Cost Center Code | Cost Center Code |
Escalation | |
Attack Patterns | |
Detected Endpoints | |
Start Time | The time when the offense started. |
Agent Version | Reporting Agent/Sensor Version |
Device Name | Device Name |
Rating | |
Ticket Number | |
Org Unit | |
SKU Name | |
Account ID | |
State | State |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Vulnerable Product | |
Account Status | |
Ticket Closed Date | |
City | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
IncomingMirrorError | |
Post Nat Destination IP | The destination IP address after NAT. |
Last Modified On | |
Title | Title |
User Groups | |
Referenced Resource ID | |
External Last Updated Time | |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Rule Name | The name of a YARA rule |
Technique ID | |
Domain Name | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Employee Display Name | The display name of the employee. |
External Link | |
Cloud Region List | |
Alert Malicious | Whether the alert is malicious. |
Last Modified By | |
Domain Updated Date | |
Compliance Notes | Notes regarding the asset's compliance. |
Sensor IP | |
Incident Link | |
Original Alert Name | Alert name as received from the integration JSON |
Error Code | |
Resource Type | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
File SHA1 | |
File Hash | |
Alert tags | |
Rendered HTML | The HTML content in a rendered form. |
Detected External IPs | Detected external IPs |
Sub Category | The sub category |
MITRE Technique Name | |
Acquisition Hire | |
Duration | |
Macro Source Code | If a Microsoft file such as docm, xlsm or pptm contains a macro, this field holds the macro's source code. |
Zip Code | Zip Code |
Org Level 2 | |
File Relationships | |
Policy Actions | |
Region ID | |
Category Count | The number of categories that are associated with the offense. |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Location | Location |
Last Seen | |
CVE | |
Objective | |
Triggered Security Profile | Triggered Security Profile |
External Category ID | |
External End Time | |
Last Name | Last Name |
Device Hash | Device Hash |
Destination IPV6 | The destination IPV6 address. |
Item Owner Email | |
Device Status | |
Threat Family Name | Threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage |
Process CMD | |
Alert Rules | |
Endpoint Isolation Status | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Process SHA256 | |
Number of Related Incidents | |
Bugtraq | |
IP Reputation | |
Verification Method | The method used to verify the user. |
Mobile Device Model | |
Display Name | Display Name |
First Seen | |
Error Message | The error message that contains details about the error that occurred. |
Related Report | |
High Risky Hosts | |
Vulnerability Category | |
Selected Indicators | Includes the indicators selected by the user. |
External Status | |
Personal Email | |
userAccountControl | userAccountControl |
Assigned User | Assigned User |
Isolated | Isolated |
MITRE Tactic ID | |
Employee Manager Email | The email address of the employee's manager. |
Device OS Name | |
Parent Process Name | |
app channel name | |
Alert Type ID | |
External Start Time | |
Closing Reason | The closing reason |
Parent Process Path | |
Similar incidents Dbot | |
Source External IPs | |
Source Id | |
Technical User | The technical user of the asset. |
Tactic | |
ASN | |
Mobile Phone | |
Related Endpoints | |
Source Networks | |
Vendor Product | |
Alert Action | Alert action as received from the integration JSON |
Verification Status | The status of the user verification. |
Leadership | |
Report Name | |
Process ID | |
Department | Department |
Device Model | Device Model |
EmailCampaignSummary | |
Signature | |
Policy ID | |
Endpoints Details | |
User Anomaly Count | |
Technical Owner Contact | The contact details for the technical owner. |
Process Creation Time | |
Manager Email Address | |
Cloud Instance ID | Cloud Instance ID |
Password Reset Successfully | Whether the password has been successfully reset. |
Job Family | Job Family |
Technique | |
Org Level 1 | |
Process MD5 | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Source Geolocation | The source geolocation of the event. |
URLs | |
Comment | The comments related to the incident |
Full Name | Person's Full Name |
Parent Process IDs | |
OS Type | OS Type |
Source Updated by | |
File Access Date | |
EmailCampaignMutualIndicators | |
Users Details | |
Triage SLA | The time it took to investigate and enrich incident information. |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Vendor ID | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Log Source Name | The log source name associated with the event. |
CVE Published | |
Close Time | The closing time. |
Registry Key | |
Team name | |
Device OS Version | |
Application Path | |
Policy Recommendation | |
Log Source | Log Source |
Assignment Group | |
External Confidence | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Job Function | Job Function |
Blocked Action | Blocked Action |
Additional Data | |
Cloud Account ID | |
Operation Name | |
User Engagement Response | |
Employee Email | The email address of the employee. |
EmailCampaignCanvas | |
Custom Query Results | |
Destination Networks | |
Parent Process MD5 | |
Domain Registrar Abuse Email | |
First Name | First Name |
Affected Hosts | |
Resource URL | |
Parent Process SHA256 | |
External System ID | |
Parent Process CMD | |
Given Name | Given Name |
Identity Type | |
Source Priority | |
Risk Score | |
Region | |
Phone Number | Phone number |
Parent Process File Path | |
Follow Up | True if marked for follow up. |
Use Case Description | |
Pre Nat Source IP | The source IP before NAT. |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Cloud Resource List | |
Work Phone | |
High Risky Users | |
Policy Remediable | |
Primary Email Address | |
Cost Center | Cost Center |
CVE ID | |
Classification | Incident Classification |
Internal Addresses | |
Remediation SLA | The time from when remediation of the incident began until it ended. |
CVSS | |
Birthday | Person's Birthday |
Hunt Results Count | |
Device OU | Device's OU path in Active Directory |
Tactic ID | |
Detection End Time | |
MITRE Tactic Name | |
Dsts | The destination values. |
Raw Event | The unparsed event data. |
Registry Value Type | |
External Severity | |
Registry Value | |
Group ID | |
Log Source Type | The log source type associated with the event. |
Source Status | |
Event Names | The event name (translated QID) in the event. |
Policy Details | |
Unique Ports | |
Process Names | |
Ticket Acknowledged Date | |
Additional Indicators | |
Device External IPs | |
Detection ID | |
Agents ID | |
Campaign Name | |
Verdict | |
Policy Description | |
Original Alert ID | Alert ID as received from the integration JSON |
Changed | The user who changed this incident |
Destination Geolocation | The destination geolocation of the event. |
Password Changed Date | |
User Creation Time | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Source Create time | |
App message | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Street Address | |
Original Events | The events associated with the offense. |
Cloud Service | |
Block Indicators Status | |
Tenant Name | Tenant Name |
Timezone | |
Additional Email Addresses | |
External Sub Category Name | |
Traffic Direction | The direction of the traffic in the event. |
Dest OS | Destination OS |
Containment SLA | The time it took to contain the incident. |
User SID | |
Country Code | |
User Block Status | |
Closing User | The closing user. |
Referenced Resource Name | |
Subtype | Subtype |
String Similarity Results | |
Asset ID | |
SSDeep | |
MITRE Technique ID | |
Location Region | Location Region |
Policy Deleted | |
Suspicious Executions | |
Resource Name | |
Item Owner | |
Caller | |
Event ID | Event ID |
Device Id | Device Id |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Post Nat Source IP | The source IP address after NAT. |
Surname | Surname |
OS | The operating system. |
Name | Description |
---|---|
Exfiltration | |
Reconnaissance | |
Lateral Movement | |
Simulation | |
Network | |
Exploit | |
Policy Violation | |
Vulnerability | |
Authentication | |
DoS | |
Hunt | |
Defacement | |
Indicator Feed | |
UnknownBinary | |
C2Communication | |
Job | |
Name | Description |
---|---|
Vulnerabilities | |
Personal Email | |
Serial Number | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
First Seen By Source | The first time the indicator was seen by the source vendor. |
imphash | |
Signature Authentihash | |
CVSS Score | |
Account Type | |
Signature Internal Name | |
Expiration Date | |
Sophistication | |
State | |
Internal | |
Definition | |
AS Owner | |
Country Code | |
Operating System Version | |
Port | |
Domain Status | |
Street Address | |
Job Code | Job Code |
Registrar Abuse Network | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Cost Center | |
Quarantined | Whether the indicator is quarantined or isolated |
DNS | |
Targets | |
Admin Phone | |
Registrar Abuse Address | |
Leadership | |
Category | |
STIX Resource Level | |
Download URL | |
File Extension | |
Community Notes | |
Confidence | |
Whois Records | |
Admin Email | |
Global Prevalence | The number of times the indicator is detected across all organizations. |
Force Sync | Whether to force user synchronization. |
Creation Date | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Name | |
STIX Malware Types | |
Groups | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Org Level 2 | |
CVSS Version | |
Operating System Refs | |
Version | |
Assigned role | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Samples | |
Domain Name | |
Mitre Tactics | |
Subject DN | Subject Distinguished Name |
Geo Country | |
Domain Referring Subnets | |
Short Description | |
Public Key | |
STIX Secondary Motivations | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Path | |
STIX Sophistication | |
Name Field | |
Registrar Abuse Phone | |
STIX Threat Actor Types | |
Hostname | |
Indicator Identification | |
OS Version | |
Org Level 1 | |
Malware Family | |
SHA1 | |
Registrar Abuse Name | |
Report type | |
Domains | |
DNS Records | |
MD5 | |
Registrar Abuse Country | |
SSDeep | |
File Type | |
Domain IDN Name | |
Secondary Motivations | |
Job Function | |
Is Processed | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Detections | |
PEM | Certificate in PEM format. |
Description | |
Work Phone | |
Query Language | |
Publications | |
Signature File Version | |
CVSS | |
Zip Code | |
Applications | |
Implementation Languages | |
Report Object References | A list of STIX IDs referenced in the report. |
Display Name | |
Username | |
Cost Center Code | |
Registrant Country | |
Vendor | |
Job Family | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Tags | |
STIX Goals | |
Actor | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Commands | |
Architecture | |
Resource Level | |
STIX Tool Version | |
Updated Date | |
User ID | |
Organization Type | |
Threat Actor Types | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
ASN | |
Admin Name | |
Manager Email Address | |
Aliases | Alternative names used to identify this object |
Tool Version | |
Paths | |
Objective | |
Detection Engines | Total number of engines that checked the indicator |
Processor | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
X.509 v3 Extensions | |
Registrar Name | |
CVSS Vector | |
STIX Tool Types | |
Validity Not After | Specifies the date on which the certificate validity period ends. |
Subject Alternative Names | |
Signature Copyright | |
Organization First Seen | Date and time when the indicator was first seen in the organization. |
Certificate Names | |
Country Code Number | |
Registrar Abuse Email | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Product | |
Geo Location | |
STIX Is Malware Family | |
Certificate Signature | |
Name Servers | |
Key Value | |
Assigned user | |
CVE Description | |
Org Unit | |
Issuer | |
Location | |
Department | Department |
BIOS Version | |
Memory | |
Infrastructure Types | |
Mitre ID | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Processors | |
Admin Country | |
Roles | |
Organizational Unit (OU) | |
Title | Title |
Country Name | |
DHCP Server | |
Certificates | |
Author | |
Primary Motivation | |
Tool Types | |
Malware types | |
Goals | |
Subdomains | |
STIX Aliases | Alternative names used to identify this object |
Feed Related Indicators | |
Operating System | |
Is Malware Family | |
Registrant Name | |
Email Address | |
Organization Prevalence | The number of times the indicator is detected in the organization. |
Campaign | |
Office365Required | |
Device Model | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Organization Last Seen | Date and time when the indicator was last seen in the organization. |
Region | |
IP Address | |
STIX Description | |
Manager Name | Manager Name |
Given Name | Given Name |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Published | |
Org Level 3 | |
Signature Original Name | |
STIX Primary Motivation. | |
Rank | Used to display rank from different sources |
Associations | Known associations to other pieces of Threat Data. |
Signature Algorithm | |
CVSS3 | |
Action | |
Issuer DN | Issuer Distinguished Name |
Source Priority | |
Validity Not Before | Specifies the date on which the certificate validity period begins. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Registrant Email | |
Office365ExpressRoute | |
CVSS Table | |
Entry ID | |
Mobile Phone | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Organization | |
Number of subkeys | |
Location Region | |
STIX Roles | |
Reports | |
CVE Modified | |
Signature Description | |
SHA256 | |
Extension | |
Registrant Phone | |
Surname | Surname |
City | City |
Signed | |
Behavior | |
SHA512 | |
Subject | |
Vulnerable Products | |
Certificate Validation Checks | |
Office365Category | |
Associated File Names | |
Capabilities | |
Blocked | |
Size | |
Domain Referring IPs | |
Name | Description |
---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule | |
Name | Description |
---|---|
Attack Pattern | Attack Pattern Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Vulnerability Incident | |
Tool Indicator | Tool Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Report | Report Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Software | Software Indicator Layout |
CVE Indicator | CVE Indicator Layout |
Email Indicator | Email Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
File Indicator | File Indicator Layout |
URL Indicator | URL Indicator Layout |
ASN | ASN Indicator Layout |
Location | Location indicator layout |
Intrusion Set | Intrusion Set Layout |
Campaign | Campaign Indicator Layout |
Identity | Identity indicator layout |
Account Indicator | Account Indicator Layout |
Host Indicator | Host indicator layout |
Mutex | Mutex indicator layout |
Course of Action | Course of Action Indicator Layout |
X509 Certificate | CVE Indicator Layout |
IP Indicator | IP Indicator Layout |
Indicator Feed Incident | |
Name | Description |
---|---|
Malware | |
DomainGlob | |
Onion Address | |
Course of Action | |
Report | |
Intrusion Set | |
File | |
Host | |
Tool | |
Threat Actor | |
ASN | |
Registry Key | |
CIDR | |
Domain | |
ssdeep | |
Attack Pattern | |
Software | |
Location | |
IPv6CIDR | |
Account | |
IP | |
IPv6 | |
Infrastructure | |
Mutex | |
File SHA-256 | |
File SHA-1 | |
Identity | |
CVE | |
URL | |
File MD5 | |
Campaign | |
X509 Certificate | |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Common Scripts | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Added a new number field that represents the number of times the indicator is detected in the organization.
Added a new number field that represents the number of times the indicator is detected across all organizations.
Added a new date field that represents when the indicator was first seen in the organization.
Added a new date field that represents when the indicator was last seen in the organization.
File
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | File.OrganizationPrevalence |
globalprevalence | File.GlobalPrevalence |
organizationfirstseen | File.OrganizationFirstSeen |
organizationlastseen | File.OrganizationLastSeen |
firstseenbysource | File.FirstSeenBySource |
lastseenbysource | File.LastSeenBySource |
Domain
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | Domain.OrganizationPrevalence |
globalprevalence | Domain.GlobalPrevalence |
organizationfirstseen | Domain.OrganizationFirstSeen |
organizationlastseen | Domain.OrganizationLastSeen |
firstseenbysource | Domain.FirstSeenBySource |
lastseenbysource | Domain.LastSeenBySource |
URL
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | URL.OrganizationPrevalence |
globalprevalence | URL.GlobalPrevalence |
organizationfirstseen | URL.OrganizationFirstSeen |
organizationlastseen | URL.OrganizationLastSeen |
firstseenbysource | URL.FirstSeenBySource |
lastseenbysource | URL.LastSeenBySource |
IP
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IP.OrganizationPrevalence |
globalprevalence | IP.GlobalPrevalence |
organizationfirstseen | IP.OrganizationFirstSeen |
organizationlastseen | IP.OrganizationLastSeen |
firstseenbysource | IP.FirstSeenBySource |
lastseenbysource | IP.LastSeenBySource |
IPv6
Added default mapping to the indicator fields:
CLI Name | Context Path |
---|---|
organizationprevalence | IPv6.OrganizationPrevalence |
globalprevalence | IPv6.GlobalPrevalence |
organizationfirstseen | IPv6.OrganizationFirstSeen |
organizationlastseen | IPv6.OrganizationLastSeen |
firstseenbysource | IPv6.FirstSeenBySource |
lastseenbysource | IPv6.LastSeenBySource |
Account Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Domain Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
File Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Registry Key Indicator
Changed the name of the "Reputation" section in quick-view to "Verdict" as per the convention.
Email Indicator
Fixed an issue with the indicator layout quick-view missing the "Verdict" section.
File Indicator
Updated layout with canvas tab.
Account Indicator
Updated layout with canvas tab.
Report
Updated layout with canvas tab.
Threat Actor
Updated layout with canvas tab.
URL Indicator
Updated layout with canvas tab.
X509 Certificate
Updated layout with canvas tab.
Mutex
Updated layout with canvas tab.
Campaign
Updated layout with canvas tab.
Location
Updated layout with canvas tab.
Tool Indicator
Updated layout with canvas tab.
Attack Pattern
Updated layout with canvas tab.
Infrastructure
Updated layout with canvas tab.
IP Indicator
Updated layout with canvas tab.
Malware Indicator
Updated layout with canvas tab.
Course of Action
Updated layout with canvas tab.
Host Indicator
Updated layout with canvas tab.
Tool
Updated layout with canvas tab.
Email Indicator
Updated layout with canvas tab.
CVE Indicator
Updated layout with canvas tab.
Domain Indicator
Updated layout with canvas tab.
Identity
Updated layout with canvas tab.
Software
Updated layout with canvas tab.
Intrusion Set
Updated layout with canvas tab.
ASN
Updated layout with canvas tab.
Registry Key Indicator
Updated layout with canvas tab.
Malware
Updated layout with canvas tab.
External ID
Added support for the External ID field in the Exabeam Security Operations Platform.
Last Modified On
Added support for the Last Modified On field in the Exabeam Security Operations Platform.
Risk Score
Added support for the Risk Score field in the Exabeam Security Operations Platform.
File Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout and shows as "True". (From Cortex XSOAR 8.8)
Domain Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout and shows as "True". (From Cortex XSOAR 8.8)
URL Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout and shows as "True". (From Cortex XSOAR 8.8)
Email Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout and shows as "True". (From Cortex XSOAR 8.8)
IP Indicator
Updated the layout to support enrichment-excluded indicators: added a toggle switch when editing the indicator to mark it as "Enrichment Excluded". Once excluded, the "Enrich" buttons are disabled, a banner is displayed next to the indicator value, and a field called "Enrichment Excluded" is added to the layout and shows as "True". (From Cortex XSOAR 8.8)
Location
Added support for incident type Exabeam Notable User.
Department
Added support for incident type Exabeam Notable User.
End Time
Added support for incident type Exabeam Notable User.
Work Phone
Added support for incident type Exabeam Notable User.
Start Time
Added support for incident type Exabeam Notable User.
First Seen
Added support for incident type Exabeam Notable User.
Last Seen
Added support for incident type Exabeam Notable User.
Mobile Phone
Added support for incident type Exabeam Notable User.
Manager Name
Added support for incident type Exabeam Notable User.
User Groups
Added support for incident type Exabeam Notable User.
Title
Added support for incident type Exabeam Notable User.
Email
Added support for incident type Exabeam Notable User.
Username
Added support for incident type Exabeam Notable User.
Risk Score
Added support for incident type Exabeam Notable User.
Display Name
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Last Update Time
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Vendor Product
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Device Id
Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type.
Certification | Certified |
Supported By | Cortex |
Created | July 26, 2020 |
Last Release | November 18, 2024 |