Pack Contributors:
- Francisco Javier Fernández Jiménez
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides you with the most commonly used incident and indicator fields and types.
Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |
Name | Description |
---|---|
Department | Department |
Device Local IP | Device Local IP |
Source MAC Address | The source MAC address in an event. |
PID | PID |
Resource URL | |
Incident Link | |
Last Update Time | |
Project ID | |
Source Username | The username that was the source of the attack. |
Blocked Action | Blocked Action |
Ticket Number | |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
High Level Categories | The high level categories in the events. |
Job Function | Job Function |
Threat Hunting Detected IP | |
Suspicious Executions Found | |
Agent ID | Agent ID |
Technical User | The technical user of the asset. |
Signature | |
Post Nat Source Port | The source port after NAT. |
User Anomaly Count | |
Hostnames | The hostname in the event. |
Close Time | The closing time. |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Given Name | Given Name |
Parent Process IDs | |
Hunt Results Count | |
Street Address | |
Part of Campaign | The ID of the campaign incident that the current incident is part of. |
Objective | |
Tactic | |
User SID | |
Assignment Group | |
Sensor IP | |
CMD | |
User Groups | |
Source Networks | |
Compliance Notes | Notes regarding the asset's compliance. |
Alert Rules | |
Attack Mode | Attack mode as received from the integration JSON |
Parent Process CMD | |
Country Code Number | |
Users | |
ASN Name | |
Device Time | The time from the original logging device when the event occurred. |
Categories | The categories for the incident. |
MITRE Technique ID | |
CVE | |
Campaign Name | |
Technique | |
Escalation | |
Isolated | Isolated |
Policy Description | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Last Modified By | |
Src | Source |
User Agent | |
Suspicious Executions | |
Group ID | |
External End Time | |
Process Names | |
Src Ports | The source ports of the event. |
Manager Name | Manager Name |
Source Hostname | The hostname that performed the port scan. |
Detected User | |
User Id | User Id |
SHA1 | SHA1 |
Device OS Version | |
Device Status | |
Source Category | |
Account Status | |
Technical Owner | The technical owner of the asset. |
Domain Name | |
Alert Name | Alert name as received from the integration JSON |
Source Urgency | Source Urgency |
Employee Display Name | The display name of the employee. |
Source Priority | |
Cloud Account ID | |
Account ID | |
File Hash | |
Last Modified On | |
Location | Location |
User Block Status | |
Rule Name | The name of a YARA rule |
Bugtraq | |
Number of similar files | |
App message | |
Endpoint Isolation Status | |
Command Line | Command Line |
Vendor ID | |
Assigned User | Assigned User |
Post Nat Destination Port | The destination port after NAT. |
Source External IPs | |
Number of Related Incidents | |
Src NT Domain | Source NT Domain |
URLs | |
Timezone | |
File SHA1 | |
Identity Type | |
Source Id | |
Manager Email Address | |
SSDeep | |
State | State |
UUID | UUID as received from the integration JSON |
Process Path | |
Protocol - Event | The network protocol in the event. |
Cost Center | Cost Center |
Source IPs | The source IPs of the event. |
City | |
MD5 | MD5 |
EmailCampaignCanvas | |
Resource Name | |
Dest OS | Destination OS |
Low Level Categories Events | The low level category of the event. |
Resource Type | |
Policy Recommendation | |
Acquisition Hire | |
Process MD5 | |
Affected Users | |
High Risky Hosts | |
OS Version | OS Version |
File Paths | |
Post Nat Source IP | The source IP address after NAT. |
Investigation Stage | The stage of the investigation. |
Source Created By | |
File Names | |
Cloud Resource List | |
Closing Reason | The closing reason |
Region | |
Similar incidents Dbot | |
Zip Code | Zip Code |
Agents ID | |
Use Case Description | |
Username | The username of the account who logged in. |
Destination IPV6 | The destination IPV6 address. |
Parent Process SHA256 | |
Threat Hunting Detected Hostnames | |
Title | Title |
Selected Indicators | Includes the indicators selected by the user. |
Item Owner Email | |
Error Code | |
ASN | |
Policy Deleted | |
Source IPV6 | The source IPV6 address. |
Cloud Operation Type | |
Parent Process | |
Technique ID | |
Work Phone | |
Application Name | Application Name |
Ticket Acknowledged Date | |
Closing User | The closing user. |
Device External IP | Device External IP |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Detected External Hosts | Detected external hosts |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Traffic Direction | The direction of the traffic in the event. |
Vulnerability Category | |
Protocol names | |
Appliance ID | Appliance ID as received from the integration JSON |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Policy Severity | |
Last Seen | |
External Category Name | |
Source Create time | |
Device OU | Device's OU path in Active Directory |
Source Updated by | |
First Name | First Name |
List Of Rules - Event | The list of rules associated with an event. |
External ID | |
Protocols | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Device OS Name | |
Alert Attack Time | |
External System ID | |
Error Message | The error message that contains details about the error that occurred. |
Policy URI | |
Alert Malicious | Whether the alert is malicious. |
App | |
Password Changed Date | |
Country | The country from which the user logged in. |
File Size | File Size |
External Start Time | |
Related Alerts | |
Post Nat Destination IP | The destination IP address after NAT. |
Destination IPs | The destination IPs of the event. |
MITRE Tactic ID | |
Log Source Type | The log source type associated with the event. |
Reporter Email Address | The email address of the user who reported the email. |
Registry Key | |
Birthday | Person's Birthday |
Application Path | |
Registry Hive | |
Policy Type | |
Destination MAC Address | The destination MAC address in an event. |
Location Region | Location Region |
Domain Updated Date | |
Detection Update Time | |
app channel name | |
Destination Hostname | Destination hostname |
Verdict | |
External Severity | |
Org Level 2 | |
Cost Center Code | Cost Center Code |
Personal Email | |
Destination Geolocation | The destination geolocation of the event. |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Domain Registrar Abuse Email | |
Protocol | Protocol |
Resource ID | |
Subtype | Subtype |
Src OS | Src OS |
File Path | |
Detected Internal IPs | Detected internal IPs |
Policy Details | |
Cloud Instance ID | Cloud Instance ID |
End Time | The time when the offense ended. |
Attack Patterns | |
Detected Users | Detected users |
Tools | |
SKU Name | |
RemovedFromCampaigns | |
File Access Date | |
Pre Nat Source Port | The source port before NAT. |
Status Reason | |
Detected Endpoints | |
External Last Updated Time | |
CVE Published | |
Leadership | |
Org Unit | |
Registry Value Type | |
Detection ID | |
similarIncidents | |
Display Name | Display Name |
Caller | |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Unique Ports | |
Destination IP | The IP address the impossible traveler logged in to. |
Containment SLA | The time it took to contain the incident. |
Log Source | Log Source |
Endpoint | |
Additional Indicators | |
Category Count | The number of categories that are associated with the offense. |
Rating | |
Appliance Name | Appliance name as received from the integration JSON |
Parent Process Path | |
Alert tags | |
CVE ID | |
Event Descriptions | The description of the event name. |
OS | The operating system. |
Sensor Name | |
Password Reset Successfully | Whether the password has been successfully reset. |
Exposure Level | |
OutgoingMirrorError | |
Changed | The user who changed this incident |
Cloud Service | |
userAccountControl | userAccountControl |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Endpoints Details | |
File SHA256 | |
Org Level 1 | |
Policy Remediable | |
Detected Internal Hosts | Detected internal hosts |
Mobile Device Model | |
SKU TIER | |
Risk Rating | |
Classification | Incident Classification |
Employee Email | The email address of the employee. |
SHA256 | SHA256 |
Srcs | The source values. |
Additional Data | |
Start Time | The time when the offense started. |
Destination Network | |
User Risk Level | |
Org Level 3 | |
Device Id | Device Id |
Detection End Time | |
Process Creation Time | |
Triage SLA | The time it took to investigate and enrich incident information. |
Full Name | Person's Full Name |
Related Campaign | |
Pre Nat Destination Port | The destination port before NAT. |
External Addresses | |
MITRE Technique Name | |
Approver | The person who approved or needs to approve the request. |
Device Hash | Device Hash |
Parent Process Name | |
External Sub Category ID | |
External Status | |
Sub Category | The sub category |
Job Code | Job Code |
Verification Method | The method used to verify the user. |
EmailCampaignSummary | |
Dest Hostname | Destination hostname |
Device Model | Device Model |
Log Source Name | The log source name associated with the event. |
Registry Value | |
Alert Category | The category of the alert |
Last Name | Last Name |
Employee Manager Email | The email address of the employee's manager. |
High Risky Users | |
Users Details | |
Tenant Name | Tenant Name |
Account Member Of | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Process ID | |
EmailCampaignSnippets | |
Region ID | |
Number Of Found Related Alerts | The number of related alerts of medium or higher severity that were found. |
Alert URL | Alert URL as received from the integration JSON |
Application Id | Application Id |
Dest NT Domain | Destination NT Domain |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Detected IPs | |
Process Name | |
CMD line | |
Src Hostname | Source hostname |
External Link | |
File Relationships | |
User Creation Time | |
Additional Email Addresses | |
Alert Action | Alert action as received from the integration JSON |
Triggered Security Profile | Triggered Security Profile |
Dst Ports | The destination ports of the event. |
Destination Port | The destination port used. |
Event Names | The event name (translated QID) in the event. |
Mobile Phone | |
Tool Usage Found | |
Operation Name | |
Alert Type ID | |
File MD5 | |
Country Name | Country Name |
Command Line Verdict | |
Event Action | The action taken on the user account: Create, Update, Deactivate, or Reactivate. |
Alert Source | |
Threat Family Name | The threat family associated with the attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Registration Email | |
Device MAC Address | |
Country Code | |
Primary Email Address | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Pre Nat Source IP | The source IP before NAT. |
Account Name | Account Name |
Parent Process File Path | |
Policy Actions | |
First Seen | |
MAC Address | MAC Address |
Detected External IPs | Detected external IPs |
Number Of Log Sources | The number of log sources related to the offense. |
OS Type | OS Type |
Referenced Resource Name | |
Vulnerable Product | |
Duration | |
Ticket Opened Date | |
Device Name | Device Name |
String Similarity Results | |
Comment | The comments related to the incident. |
Device Username | The username of the user that owns the device |
Tactic ID | |
Dsts | The destination values. |
Item Owner | |
Risk Score | |
Rendered HTML | The HTML content in a rendered form. |
Scenario | |
Source Network | |
Event Type | Event Type |
Phone Number | Phone number |
Events | The events associated with the offense. |
Surname | Surname |
Job Family | Job Family |
Agent Version | Reporting Agent/Sensor Version |
File Name | |
User Engagement Response | |
Child Process | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Vendor Product | |
Ticket Closed Date | |
Parent Process MD5 | |
Source Status | |
Custom Query Results | |
Device Internal IPs | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Internal Addresses | |
Source Geolocation | The source geolocation of the event. |
Alert ID | Alert ID as received from the integration JSON |
Raw Event | The unparsed event data. |
IncomingMirrorError | |
Referenced Resource ID | |
Destination Networks | |
CVSS | |
Usernames | The username in the event. |
IP Blocked Status | |
EmailCampaignMutualIndicators | |
MITRE Tactic Name | |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Follow Up | True if marked for follow up. |
External Category ID | |
Description | The description of the incident |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Dest | Destination |
Device External IPs | |
SHA512 | SHA512 |
IP Reputation | |
Asset ID | |
Source Port | The source port that was used |
File Creation Date | |
Related Report | |
Tags | |
Report Name | |
Team name | |
Parent CMD line | |
Src User | Source User |
Affected Hosts | |
Source IP | The IP Address that the user initially logged in from. |
Block Indicators Status | |
Cloud Region List | |
Process Paths | |
Event ID | Event ID |
External Sub Category Name | |
Verification Status | The status of the user verification. |
Is Active | Alert status |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Technical Owner Contact | The contact details for the technical owner. |
External Confidence | |
Related Endpoints | |
Policy ID | |
Process SHA256 | |
Approval Status | The status for the approval of the request. |
DNS Name | The DNS name of the asset. |
sAMAccountName | User sAMAccountName |
Email Sent Successfully | Whether the email has been successfully sent. |
Process CMD | |

Name | Description |
---|---|
Exfiltration | |
Job | |
Defacement | |
Network | |
Lateral Movement | |
UnknownBinary | |
Simulation | |
C2Communication | |
Exploit | |
Reconnaissance | |
Indicator Feed | |
Hunt | |
Authentication | |
Vulnerability | |
Policy Violation | |
DoS | |

Name | Description |
---|---|
Operating System | |
Entry ID | |
Geo Country | |
Email Address | |
Subject | |
Registrant Country | |
STIX Malware Types | |
Surname | Surname |
Signature Algorithm | |
Certificate Names | |
imphash | |
Is Processed | |
Domain Referring Subnets | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Org Level 2 | |
Size | |
Geo Location | |
Manager Email Address | |
Behavior | |
Tool Version | |
Name Servers | |
Internal | |
STIX Resource Level | |
IP Address | |
Path | |
Department | Department |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Signature Description | |
Domains | |
Job Function | |
MAC Address | |
Category | |
Report Object References | A list of STIX IDs referenced in the report. |
Blocked | |
Certificates | |
AS Owner | |
CVSS Vector | |
Resource Level | |
State | |
Domain IDN Name | |
SSDeep | |
Processor | |
Version | |
X.509 v3 Extensions | |
City | City |
Published | |
Tags | |
CVE Modified | |
Name | |
Cost Center Code | |
DHCP Server | |
Is Malware Family | |
Vulnerabilities | |
Registrar Abuse Address | |
MD5 | |
Issuer DN | Issuer Distinguished Name |
Country Code Number | |
STIX Aliases | Alternative names used to identify this object |
Operating System Refs | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Campaign | |
Validity Not Before | |
Implementation Languages | |
STIX Is Malware Family | |
Signature Original Name | |
Admin Name | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Creation Date | |
Registrant Name | |
Signature File Version | |
Sophistication | |
Malware Family | |
OS Version | |
Display Name | |
Applications | |
Tool Types | |
Rank | Used to display rank from different sources |
Office365Required | |
Paths | |
Organization | |
Cost Center | |
Subject DN | Subject Distinguished Name |
Whois Records | |
Primary Motivation | |
Processors | |
Admin Country | |
Org Level 3 | |
Port | |
Hostname | |
STIX Description | |
Associated File Names | |
Malware types | |
Architecture | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Registrant Phone | |
CVSS3 | |
Number of subkeys | |
Admin Phone | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Location Region | |
Admin Email | |
SHA1 | |
Office365Category | |
STIX ID | An identifier that uniquely identifies a STIX Object; it MAY do so in a deterministic way. |
STIX Sophistication | |
Signed | |
CVSS Version | |
Samples | |
Feed Related Indicators | |
Public Key | |
Manager Name | Manager Name |
Assigned role | |
Groups | |
Threat Actor Types | |
Infrastructure Types | |
Operating System Version | |
Extension | |
Org Unit | |
Device Model | |
Vendor | |
Description | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Short Description | |
Org Level 1 | |
Domain Name | |
Certificate Signature | |
Updated Date | |
Subject Alternative Names | |
Report type | |
Author | |
STIX Roles | |
Signature Copyright | |
Source Priority | |
Detections | |
Serial Number | |
Force Sync | Whether to force user synchronization. |
Memory | |
Organization Type | |
Associations | Known associations to other pieces of Threat Data. |
Work Phone | |
Personal Email | |
DNS | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Subdomains | |
Given Name | Given Name |
Domain Status | |
Capabilities | |
Certificate Validation Checks | |
DNS Records | |
STIX Secondary Motivations | |
Download URL | |
SHA512 | |
Signature Authentihash | |
Assigned user | |
Reports | |
BIOS Version | |
Country Name | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Title | Title |
Registrar Abuse Network | |
Registrar Abuse Email | |
Name Field | |
Roles | |
Issuer | |
Country Code | |
Leadership | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Registrar Abuse Phone | |
Organizational Unit (OU) | |
Community Notes | |
Confidence | |
PEM | Certificate in PEM format. |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Indicator Identification | |
Mitre Tactics | |
Vulnerable Products | |
File Type | |
Registrar Abuse Country | |
Signature Internal Name | |
Registrar Name | |
Street Address | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Job Family | |
STIX Primary Motivation. | |
STIX Goals | |
Domain Referring IPs | |
Registrant Email | |
Action | |
CVSS Table | |
Account Type | |
CVSS Score | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Publications | |
Job Code | Job Code |
STIX Tool Version | |
Actor | |
ASN | |
Validity Not After | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
File Extension | |
SHA256 | |
Office365ExpressRoute | |
Commands | |
Aliases | Alternative names used to identify this object |
Registrar Abuse Name | |
Detection Engines | Total number of engines that checked the indicator |
Mobile Phone | |
Goals | |
STIX Threat Actor Types | |
Username | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Zip Code | |
STIX Tool Types | |
Mitre ID | |
Quarantined | Whether the indicator is quarantined or isolated |
Key Value | |
Expiration Date | |
Location | |
User ID | |
Objective | |
Region | |
Targets | |
Secondary Motivations | |
CVSS | |
CVE Description | |

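
The CPE indicator field above requires a CPE v2.3 entry. As an added example (not code from the Common Types pack), the following Python checks that a value destined for that field is syntactically a CPE 2.3 formatted-string name as defined in NISTIR 7695: thirteen colon-separated components, the `cpe:2.3` prefix, a valid `part`, and attribute values built from unreserved characters, backslash-quoted punctuation, and the `*`/`?` wildcards. The sample strings are constructed. Membership in the NVD CPE Dictionary is not checked; that needs a lookup against the dictionary itself.

```python
"""Parser and syntax validator for CPE 2.3 formatted-string names.

Added example for the CPE indicator field; it is not code from the
Common Types content pack. It checks the binding syntax from NISTIR 7695
(CPE Naming 2.3) only; existence in the NVD CPE Dictionary is not checked.
"""
import re

# Attribute names in binding order. "cpe" and "2.3" precede them, so a
# well-formed name has 13 colon-separated components in total.
CPE23_ATTRIBUTES = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Attribute-value string: optional leading '*' or run of '?', a body of
# unreserved characters (letters, digits, '.', '-', '_') or backslash-quoted
# punctuation, optional trailing '*' or run of '?'. Whitespace and unquoted
# punctuation such as ':' are rejected.
_AVSTRING = re.compile(
    r"^(?:\*|\?+)?(?:[A-Za-z0-9._-]|\\[^A-Za-z0-9\s])+(?:\*|\?+)?$"
)
_LOGICAL = {"*", "-"}  # the ANY and NA logical values


def split_unescaped(text: str, sep: str = ":") -> list[str]:
    """Split on `sep`, keeping a backslash-quoted separator as part of a value."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # keep the quoted pair intact
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(name: str) -> dict[str, str]:
    """Return the attribute dict for a CPE 2.3 name, or raise ValueError."""
    comps = split_unescaped(name)
    if len(comps) != 13:
        raise ValueError(f"expected 13 components, got {len(comps)}: {name!r}")
    if comps[0] != "cpe" or comps[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    attrs = dict(zip(CPE23_ATTRIBUTES, comps[2:]))
    if attrs["part"] not in _LOGICAL and attrs["part"] not in ("a", "h", "o"):
        raise ValueError(f"part must be a, h or o: {attrs['part']!r}")
    for key, value in attrs.items():
        if value in _LOGICAL:
            continue
        if not _AVSTRING.match(value):
            raise ValueError(f"invalid value for {key}: {value!r}")
    return attrs


def is_valid_cpe23(name: str) -> bool:
    """True when `name` parses as a CPE 2.3 formatted string."""
    try:
        parse_cpe23(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, as the indicator field might carry them.
    for sample in (
        "cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*",
        r"cpe:2.3:a:example:foo\:bar:1.0:-:*:*:*:*:*:*",      # quoted colon, NA update
        "cpe:/a:microsoft:internet_explorer:8.0.6001:beta",   # CPE 2.2 URI, rejected
        "cpe:2.3:a:vendor:prod uct:1.0:*:*:*:*:*:*:*",        # unquoted space, rejected
    ):
        print(f"{is_valid_cpe23(sample)!s:5} {sample}")
```

Rejecting the older `cpe:/` URI binding matters in practice: feeds still emit CPE 2.2 names, and storing them unconverted breaks matching against CPE 2.3 data.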
Name | Description |
---|---|
CVE Indicator | CVE Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Campaign | Campaign Indicator Layout |
Vulnerability Incident | |
Report | Report Indicator Layout |
ASN | ASN Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Mutex | Mutex indicator layout |
Email Indicator | Email Indicator Layout |
Malware Indicator | Malware Indicator Layout |
IP Indicator | IP Indicator Layout |
Host Indicator | Host indicator layout |
File Indicator | File Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Account Indicator | Account Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Indicator Feed Incident | |
URL Indicator | URL Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
X509 Certificate | X509 Certificate Indicator Layout |
Location | Location indicator layout |
Tool Indicator | Tool Indicator Layout |
Identity | Identity indicator layout |
Intrusion Set | Intrusion Set Layout |
Software | Software Indicator Layout |
Malware | |

Name | Description |
---|---|
URL | |
File MD5 | |
CVE | |
IPv6CIDR | |
ASN | |
File SHA-256 | |
IPv6 | |
Mutex | |
X509 Certificate | |
Report | |
Campaign | |
Course of Action | |
Intrusion Set | |
Infrastructure | |
DomainGlob | |
Location | |
IP | |
Tool | |
ssdeep | |
Software | |
File | |
Account | |
Registry Key | |
Attack Pattern | |
File SHA-1 | |
Threat Actor | |
Host | |
CIDR | |
Domain | |
Onion Address | |
Malware | |
Identity | |

Name | Description |
---|---|
Approval Status | The status for the approval of the request. |
Resource Name | |
Device Time | The time from the original logging device when the event occurred. |
Blocked Action | Blocked Action |
Destination Networks | |
Technique ID | |
Cloud Instance ID | Cloud Instance ID |
Alert Action | Alert action as received from the integration JSON |
Device OS Version | |
External Sub Category ID | |
IncomingMirrorError | |
Device MAC Address | |
Ticket Closed Date | |
Tactic ID | |
Org Unit | |
Cloud Region List | |
SKU TIER | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
app channel name | |
Parent Process SHA256 | |
Source Urgency | Source Urgency |
Event Descriptions | The description of the event name. |
Process Creation Time | |
Department | Department |
Assignment Group | |
Original Description | The description of the incident |
External Status | |
Work Phone | |
MITRE Tactic ID | |
CVE ID | |
MITRE Technique ID | |
Resource Type | |
Registry Key | |
Rating | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Signature | |
Close Time | The closing time. |
Macro Source Code | In case there's a macro in a Microsoft file such as docm, xlsm or pptm, this field will hold the source code of the macro. |
Status Reason | |
RemovedFromCampaigns | |
Last Modified By | |
Affected Hosts | |
Changed | The user who changed this incident |
Policy Severity | |
Original Alert ID | Alert ID as received from the integration JSON |
Registry Value Type | |
Tenant Name | Tenant Name |
Password Changed Date | |
Full Name | Person's Full Name |
Suspicious Executions | |
Zip Code | Zip Code |
Original Alert Name | Alert name as received from the integration JSON |
Mobile Phone | |
Process ID | |
Escalation | |
External Start Time | |
Source Id | |
External Link | |
Account ID | |
Duration | |
App message | |
Detected Endpoints | |
Last Name | Last Name |
External Confidence | |
Detected External IPs | Detected external IPs |
Policy Description | |
Job Function | Job Function |
Manager Name | Manager Name |
Technical Owner Contact | The contact details for the technical owner. |
Command Line Verdict | |
Operation Name | |
Device Internal IPs | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Job Family | Job Family |
Phone Number | Phone number |
SHA1 | SHA1 |
MITRE Tactic Name | |
Suspicious Executions Found | |
Cloud Service | |
Surname | Surname |
Assigned User | Assigned User |
ASN Name | |
Pre Nat Destination Port | The destination port before NAT. |
Country Code Number | |
OS | The operating system. |
Last Update Time | |
Employee Display Name | The display name of the employee. |
Registry Value | |
Parent Process File Path | |
Destination Geolocation | The destination geolocation of the event. |
Parent Process CMD | |
Original Alert Source | |
Resource URL | |
External System ID | |
First Seen | |
Cost Center | Cost Center |
Follow Up | True if marked for follow up. |
Source Create time | |
Source Priority | |
IP Reputation | |
File Size | File Size |
Traffic Direction | The direction of the traffic in the event. |
Device Status | |
Reporter Email Address | The email address of the user who reported the email. |
Vendor Product | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Domain Updated Date | |
Classification | Incident Classification |
UUID | UUID as received from the integration JSON |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
End Time | The time when the offense ended. |
High Risky Users | |
Process Paths | |
Closing User | The closing user. |
Rendered HTML | The HTML content in a rendered form. |
Number Of Found Related Alerts | The number of related alerts of medium or higher severity that were found. |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Password Reset Successfully | Whether the password has been successfully reset. |
Vendor ID | |
Verification Method | The method used to verify the user. |
Team name | |
Cloud Account ID | |
Bugtraq | |
Birthday | Person's Birthday |
Policy Recommendation | |
Referenced Resource Name | |
Source Geolocation | The source geolocation of the event. |
External Category ID | |
Asset ID | |
Low Level Categories Events | The low level category of the event. |
Hunt Results Count | |
Tactic | |
Tools | |
Policy Remediable | |
Compliance Notes | Notes regarding the asset's compliance. |
Number of similar files | |
Domain Registrar Abuse Email | |
similarIncidents | |
Identity Type | |
Use Case Description | |
Location Region | Location Region |
User Block Status | |
Endpoint Isolation Status | |
Related Endpoints | |
IP Blocked Status | |
EmailCampaignSummary | |
Triggered Security Profile | Triggered Security Profile |
Raw Event | The unparsed event data. |
EmailCampaignMutualIndicators | |
Device Id | Device Id |
Approver | The person who approved or needs to approve the request. |
Log Source Type | The log source type associated with the event. |
Process SHA256 | |
Source Category | |
Investigation Stage | The stage of the investigation. |
Incident Link | |
Exposure Level | |
User Creation Time | |
Scenario | |
Log Source | Log Source |
Account Status | |
Report Name | |
Agent Version | Reporting Agent/Sensor Version |
Attack Mode | Attack mode as received from the integration JSON |
Manager Email Address | |
Sensor IP | |
Device OS Name | |
Process Names | |
SSDeep | |
OutgoingMirrorError | |
User Groups | |
OS Type | OS Type |
Last Seen | |
Given Name | Given Name |
Policy Actions | |
Post Nat Destination IP | The destination IP address after NAT. |
Item Owner Email | |
Error Message | The error message that contains details about the error that occurred. |
Item Owner | |
Parent Process Name | |
User Engagement Response | |
First Name | First Name |
Similar incidents Dbot | |
Threat Family Name | The threat family associated with the attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Campaign Name | |
Timezone | |
EmailCampaignCanvas | |
Location | Location |
Pre Nat Source IP | The source IP before NAT. |
Category Count | The number of categories that are associated with the offense. |
List Of Rules - Event | The list of rules associated with an event. |
Detected Internal Hosts | Detected internal hosts |
Related Campaign | |
Rule Name | The name of a YARA rule |
MITRE Technique Name | |
Policy Type | |
Acquisition Hire | |
Source Status | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
External End Time | |
Agents ID | |
Block Indicators Status | |
Org Level 1 | |
Alert tags | |
Last Modified On | |
Referenced Resource ID | |
Account Member Of | |
Application Path | |
Registration Email | |
File Creation Date | |
Region ID | |
SHA512 | SHA512 |
Users Details | |
Unique Ports | |
Primary Email Address | |
Src OS | Src OS |
Vulnerability Category | |
Process CMD | |
Original Events | The events associated with the offense. |
Verdict | |
Cost Center Code | Cost Center Code |
Technical User | The technical user of the asset. |
Policy ID | |
Post Nat Source IP | The source IP address after NAT. |
Event Action | The action taken on the user account: Create, Update, Deactivate, or Reactivate. |
Employee Manager Email | The email address of the employee's manager. |
Parent Process IDs | |
Protocol names | |
User Anomaly Count | |
Source External IPs | |
Leadership | |
Device Model | Device Model |
Personal Email | |
CVE Published | |
ASN | |
Internal Addresses | |
Isolated | Isolated |
External Severity | |
File Hash | |
Additional Email Addresses | |
Email Sent Successfully | Whether the email has been successfully sent. |
Custom Query Results | |
Country Code | |
Device OU | Device's OU path in Active Directory |
Subtype | Subtype |
User Id | User Id |
Parent Process MD5 | |
File SHA1 | |
sAMAccountName | User sAMAccountName |
SKU Name | |
Event ID | Event ID |
Objective | |
Error Code | |
CVSS | |
Related Report | |
Risk Rating | |
City | |
Closing Reason | The closing reason |
String Similarity Results | |
Alert Rules | |
Start Time | The time when the offense started. |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Street Address | |
High Risky Hosts | |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Technique | |
Post Nat Destination Port | The destination port after NAT. |
Employee Email | The email address of the employee. |
Technical Owner | The technical owner of the asset. |
Affected Users | |
Selected Indicators | Includes the indicators selected by the user. |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Number Of Log Sources | The number of log sources related to the offense. |
File Access Date | |
Mobile Device Model | |
Detection End Time | |
Policy URI | |
Event Names | The event name (translated QID) in the event. |
Ticket Acknowledged Date | |
Additional Indicators | |
File Relationships | |
Sub Category | The sub category |
Related Alerts | |
Region | |
External Category Name | |
Parent Process Path | |
Org Level 2 | |
Destination IPV6 | The destination IPV6 address. |
Display Name | Display Name |
Device External IPs | |
Title | Title |
Policy Deleted | |
Device Hash | Device Hash |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Containment SLA | The time it took to contain the incident. |
Source Networks | |
Dest OS | Destination OS |
Pre Nat Source Port | The source port before NAT. |
External Last Updated Time | |
Is Active | Alert status |
Job Code | Job Code |
Dsts | The destination values. |
Project ID | |
CVE | |
Comment | The comments related to the incident. |
Policy Details | |
Source Updated by | |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
State | State |
Domain Name | |
Process MD5 | |
Ticket Number | |
userAccountControl | userAccountControl |
EmailCampaignSnippets | |
Log Source Name | The log source name associated with the event. |
Additional Data | |
Source Created By | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Number of Related Incidents | |
Endpoints Details | |
Vulnerable Product | |
Verification Status | The status of the user verification. |
URLs | |
Alert Malicious | Whether the alert is malicious. |
Caller | |
Attack Patterns | |
Risk Score | |
Alert Type ID | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Org Level 3 | |
User SID | |
Group ID | |
External Sub Category Name | |
Triage SLA | The time it took to investigate and enrich incident information. |
Device Name | Device Name |
Detection ID | |
Tool Usage Found | |
Registry Hive | |
Cloud Resource List | |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Post Nat Source Port | The source port after NAT. |
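The "Domain Squatting Result" and "String Similarity Results" fields above only hold the outcome of a check; the pack does not say how it is computed. As an added example (not code from the Common Types pack), the following compares the domain of the attacker's email address against a list of protected domains, folding common homoglyphs and measuring Levenshtein edit distance, and also catches two tricks distance alone misses: the protected domain used as a leading label (example.com.evil-login.net) and the protected label embedded in a longer look-alike (examp1e-secure.com). The protected-domain list, the homoglyph table, the sample addresses and the naive two-label registrable-domain rule are all assumptions for illustration.

```python
"""Domain-squatting check for a sender address.

Added example, not code from the Common Types pack. Assumptions: the
protected-domain list, the homoglyph table and the sample addresses are
constructed for illustration, and the registrable domain is taken naively as
the last two labels (no public-suffix list).
"""

# Constructed list of domains the organisation wants to protect (assumption).
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]

# Look-alike substitutions commonly used in typosquats; folded before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold_homoglyphs(label: str) -> str:
    """Rewrite look-alike sequences to the character they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using the two-row method."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(email: str) -> str:
    """Domain part of an address, lower-cased, without a trailing dot."""
    return email.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def check_domain_squatting(email: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> dict:
    """Classify the sender domain as legitimate, squatting or unrelated.

    Returns the normalised domain, the closest protected domain, the edit
    distance to it after homoglyph folding, a verdict and a short reason.
    """
    domain = sender_domain(email)
    result = {"domain": domain, "closest": None, "distance": None,
              "verdict": "unrelated", "reason": "no protected domain is close"}

    # 1. Exact match or a genuine subdomain (mail.example.com) is legitimate.
    for good in protected:
        if domain == good or domain.endswith("." + good):
            return {**result, "closest": good, "distance": 0,
                    "verdict": "legitimate", "reason": "matches protected domain"}

    # 2. Look-alike checks against the registrable part (last two labels).
    registrable = ".".join(domain.split(".")[-2:])
    folded = fold_homoglyphs(registrable)
    for good in protected:
        # example.com.evil-login.net: protected domain used as a leading label.
        if domain.startswith(good + ".") or ("." + good + ".") in domain:
            return {**result, "closest": good, "distance": 0, "verdict": "squatting",
                    "reason": "protected domain embedded as a subdomain"}
        distance = levenshtein(folded, fold_homoglyphs(good))
        # examp1e-secure.com: protected second-level label inside the look-alike.
        good_label = fold_homoglyphs(good.split(".")[0])
        if good_label in folded.split(".")[0]:
            return {**result, "closest": good, "distance": distance, "verdict": "squatting",
                    "reason": "protected label embedded in look-alike domain"}
        # exmaple.com: a few edits away from the protected domain.
        if result["distance"] is None or distance < result["distance"]:
            result.update(closest=good, distance=distance)

    if result["distance"] is not None and result["distance"] <= max_distance:
        result.update(verdict="squatting",
                      reason=f"within {result['distance']} edit(s) of a protected domain")
    return result


if __name__ == "__main__":
    # Constructed sample addresses, not real incident data.
    for addr in ["alice@example.com", "help@mail.example.com", "it-desk@exmaple.com",
                 "billing@examp1e-secure.com", "support@example.com.evil-login.net",
                 "news@totally-unrelated.org"]:
        print(addr, "->", check_domain_squatting(addr)["verdict"])
```

The legitimacy check runs against every protected domain before any similarity test, otherwise a protected domain that contains another (examplebank.com contains "example") would be flagged as a squat of its sibling.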
Name | Description |
---|---|
Hunt | |
Policy Violation | |
Lateral Movement | |
Defacement | |
C2Communication | |
Vulnerability | |
Reconnaissance | |
Exfiltration | |
Indicator Feed | |
Job | |
Network | |
Exploit | |
UnknownBinary | |
DoS | |
Simulation | |
Authentication | |
Name | Description |
---|---|
Org Level 3 | |
Job Family | |
State | |
Department | Department |
Organization | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
CVSS Table | |
Registrar Name | |
Geo Country | |
DHCP Server | |
Office365Required | |
Region | |
imphash | |
Actor | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Registrar Abuse Email | |
Samples | |
Architecture | |
Name Servers | |
Cost Center | |
Creation Date | |
Detection Engines | Total number of engines that checked the indicator |
Serial Number | |
Registrant Phone | |
STIX Goals | |
Processors | |
STIX Threat Actor Types | |
STIX Roles | |
Indicator Identification | |
STIX Tool Version | |
Force Sync | Whether to force user synchronization. |
Operating System | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Org Level 1 | |
Title | Title |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Account Type | |
Device Model | |
Number of subkeys | |
Country Code Number | |
Domains | |
STIX Primary Motivation. | |
Given Name | Given Name |
Work Phone | |
Manager Email Address | |
Signature Copyright | |
Detections | |
Mitre Tactics | |
Organization Type | |
Expiration Date | |
Admin Phone | |
Domain Referring IPs | |
Signature Original Name | |
Report type | |
Targets | |
Subdomains | |
Registrar Abuse Address | |
Location Region | |
STIX Secondary Motivations | |
Issuer | |
File Type | |
SSDeep | |
Goals | |
Org Level 2 | |
Location | |
Vulnerabilities | |
Size | |
Validity Not After | |
AS Owner | |
Groups | |
Mitre ID | |
SWID | Specifies the Software Identification (SWID) tag entry for the software. |
Path | |
Description | |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Tool Version | |
Short Description | |
Validity Not Before | |
Tool Types | |
Signature Description | |
Geo Location | |
Behavior | |
Office365Category | |
Secondary Motivations | |
STIX Malware Types | |
Report Object References | A list of STIX IDs referenced in the report. |
STIX Tool Types | |
Associated File Names | |
User ID | |
Version | |
Certificates | |
Download URL | |
DNS Records | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Certificate Names | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Vulnerable Products | |
OS Version | |
Published | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Assigned user | |
Objective | |
DNS | |
Country Name | |
Roles | |
Infrastructure Types | |
Subject DN | Subject Distinguished Name |
Publications | |
Street Address | |
Subject Alternative Names | |
Zip Code | |
Feed Related Indicators | |
Name Field | |
Aliases | Alternative names used to identify this object |
Job Code | Job Code |
Updated Date | |
Office365ExpressRoute | |
SHA512 | |
Memory | |
Hostname | |
STIX Aliases | Alternative names used to identify this object |
STIX Sophistication | |
Cost Center Code | |
File Extension | |
X.509 v3 Extensions | |
Is Processed | |
City | City |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Confidence | |
STIX Description | |
Signature File Version | |
Operating System Version | |
Service | The specific service of a feed integration from which an indicator was ingested. |
Registrar Abuse Phone | |
Rank | Used to display rank from different sources |
Domain IDN Name | |
Registrant Name | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Entry ID | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
Admin Email | |
Commands | |
Sophistication | |
CVE Modified | |
Display Name | |
Personal Email | |
Manager Name | Manager Name |
Registrar Abuse Network | |
Operating System Refs | |
Certificate Signature | |
Registrant Country | |
Organizational Unit (OU) | |
Malware types | |
Applications | |
Internal | |
BIOS Version | |
Malware Family | |
Leadership | |
Resource Level | |
MD5 | |
Key Value | |
CVSS Score | |
Registrar Abuse Name | |
Campaign | |
Whois Records | |
Org Unit | |
Surname | Surname |
CVSS Version | |
Mobile Phone | |
Signature Authentihash | |
Community Notes | |
Is Malware Family | |
Capabilities | |
Source Priority | |
Registrar Abuse Country | |
Primary Motivation | |
Extension | |
Name | |
Processor | |
Signed | |
SHA1 | |
Assigned role | |
Certificate Validation Checks | |
Public Key | |
STIX Is Malware Family | |
ASN | |
Email Address | |
Admin Country | |
Paths | |
PEM | Certificate in PEM format. |
CVSS | |
Issuer DN | Issuer Distinguished Name |
Action | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Vendor | |
Reports | |
Registrant Email | |
Domain Referring Subnets | |
Author | |
Tags | |
Subject | |
Username | |
Domain Name | |
Threat Actor Types | |
Country Code | |
CVSS Vector | |
Quarantined | Whether the indicator is quarantined or isolated |
Admin Name | |
CVSS3 | |
Signature Internal Name | |
SHA256 | |
Signature Algorithm | |
Job Function | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Associations | Known associations to other pieces of Threat Data. |
Port | |
Domain Status | |
Category | |
IP Address | |
CVE Description | |
STIX Resource Level | |
Blocked | |
Implementation Languages | |
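The CPE field above requires a CPE v2.3 entry, but a feed can hand you a CPE 2.2 URI, a truncated string or unquoted punctuation. As an added example (not code from the Common Types pack or from NVD), the following parser checks that a value is at least syntactically a CPE 2.3 formatted string: exactly 13 colon-separated components, the cpe:2.3 prefix, a part of a, h or o, and attribute values made only of unreserved characters, wildcards, or backslash-quoted punctuation, with quoted colons kept intact when splitting. The grammar is a simplified reading of the NISTIR 7695 formatted-string binding and the sample strings are constructed; it does not check that the entry exists in the NVD dictionary.

```python
"""CPE 2.3 formatted-string parser and validator.

Added example, not code from the Common Types pack or from NVD. Assumptions:
the value grammar is a simplified reading of the NISTIR 7695 formatted-string
binding, and the sample strings at the bottom are constructed for illustration.
"""
import re

# The eleven attributes that follow the "cpe:2.3:" prefix, in binding order.
ATTRIBUTES = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

# One attribute value: the logical values "*" (ANY) and "-" (NA), or a run of
# unreserved characters (letters, digits, "-", ".", "_"), the wildcards "?" and
# "*", and backslash-quoted punctuation such as "\:". Assumption: the spec's
# rule that "*" may appear only at the start or end of a value is not enforced.
_VALUE = re.compile(r"^(\*|-|(?:[A-Za-z0-9._\-?*]|\\[^A-Za-z0-9])+)$")


class CPEError(ValueError):
    """Raised when a string is not a well-formed CPE 2.3 formatted string."""


def split_unescaped(s: str) -> list:
    """Split on ":" while keeping backslash-quoted pairs (e.g. a quoted colon) intact."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])   # quoted pair: backslash plus the next character
            i += 2
            continue
        if s[i] == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(cpe: str) -> dict:
    """Return the attribute dict for a CPE 2.3 formatted string, or raise CPEError."""
    parts = split_unescaped(cpe.strip())
    if len(parts) != 13:
        raise CPEError(f"expected 13 colon-separated components, got {len(parts)}")
    if parts[0] != "cpe" or parts[1] != "2.3":
        raise CPEError("missing 'cpe:2.3:' prefix (a 'cpe:/' URI is the old 2.2 binding)")
    values = parts[2:]
    if values[0] not in ("a", "h", "o"):
        raise CPEError(f"part must be a (application), h (hardware) or o (OS), got {values[0]!r}")
    for name, value in zip(ATTRIBUTES, values):
        if not _VALUE.match(value):          # also rejects empty components
            raise CPEError(f"attribute {name} has an invalid value {value!r}")
    return dict(zip(ATTRIBUTES, values))


def unquote(value: str) -> str:
    """Remove backslash quoting for display, e.g. "widget\\:pro" -> "widget:pro"."""
    return re.sub(r"\\(.)", r"\1", value)


def is_valid_cpe23(cpe: str) -> bool:
    """True when the string parses as a CPE 2.3 formatted string."""
    try:
        parse_cpe23(cpe)
        return True
    except CPEError:
        return False


if __name__ == "__main__":
    # Constructed samples: one plain entry, one with a quoted colon in the
    # product name, and three malformed strings a feed might hand you.
    samples = [
        r"cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*",
        r"cpe:2.3:a:acme:widget\:pro:2.0:*:*:*:*:*:*:*",
        r"cpe:/a:openssl:openssl:1.0.1f",                  # CPE 2.2 URI, not 2.3
        r"cpe:2.3:a:openssl:openssl:1.0.1f",               # too few components
        r"cpe:2.3:a:acme:bad!name:1.0:*:*:*:*:*:*:*",      # unquoted punctuation
    ]
    for s in samples:
        try:
            print("ok ", {k: unquote(v) for k, v in parse_cpe23(s).items()})
        except CPEError as e:
            print("bad", s, "->", e)
```

Splitting with a hand-written scanner rather than a plain `split(":")` matters because a quoted colon inside a vendor or product name is legal in the 2.3 binding and would otherwise shift every later attribute by one.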
Name | Description |
---|---|
Indicator Feed Layout Rule | |
Vulnerability Layout Rule | |
Name | Description |
---|---|
Campaign | Campaign Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Identity | Identity indicator layout |
File Indicator | File Indicator Layout |
Host Indicator | Host indicator layout |
Vulnerability Incident | |
URL Indicator | URL Indicator Layout |
Report | Report Indicator Layout |
Software | Software Indicator Layout |
Course of Action | Course of Action Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Email Indicator | Email Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Intrusion Set | Intrusion Set Layout |
IP Indicator | IP Indicator Layout |
Indicator Feed Incident | |
CVE Indicator | CVE Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Mutex | Mutex indicator layout |
Location | Location indicator layout |
Account Indicator | Account Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
ASN | ASN Indicator Layout |
X509 Certificate | X509 Certificate Indicator Layout |
Name | Description |
---|---|
CIDR | |
Infrastructure | |
Onion Address | |
File | |
ssdeep | |
IPv6CIDR | |
Domain | |
Report | |
IPv6 | |
Campaign | |
Malware | |
Threat Actor | |
File SHA-256 | |
Host | |
Software | |
DomainGlob | |
URL | |
Intrusion Set | |
Mutex | |
Tool | |
Location | |
Identity | |
File SHA-1 | |
Course of Action | |
Registry Key | |
Attack Pattern | |
ASN | |
Account | |
File MD5 | |
X509 Certificate | |
IP | |
CVE | |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Cortex REST API | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Name | Change |
---|---|
Location | Added support for incident type Exabeam Notable User. |
Department | Added support for incident type Exabeam Notable User. |
End Time | Added support for incident type Exabeam Notable User. |
Work Phone | Added support for incident type Exabeam Notable User. |
Start Time | Added support for incident type Exabeam Notable User. |
First Seen | Added support for incident type Exabeam Notable User. |
Last Seen | Added support for incident type Exabeam Notable User. |
Mobile Phone | Added support for incident type Exabeam Notable User. |
Manager Name | Added support for incident type Exabeam Notable User. |
User Groups | Added support for incident type Exabeam Notable User. |
Title | Added support for incident type Exabeam Notable User. |
Email | Added support for incident type Exabeam Notable User. |
Username | Added support for incident type Exabeam Notable User. |
Risk Score | Added support for incident type Exabeam Notable User. |
Display Name | Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type. |
Last Update Time | Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type. |
Vendor Product | Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type. |
Device Id | Added the CrowdStrike Falcon On-Demand Scans Detection incident type as an associated type. |
Intrusion Set | Added the 'Execute Intrusion Set Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack. |
Campaign | Added the 'Execute Campaign Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack. |
Malware Indicator | Added the 'Execute Malware Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack. |
Certification | Certified |
Supported By | Cortex |
Created | July 26, 2020 |
Last Release | July 22, 2024 |