Pack Contributors:
- Francisco Javier Fernández Jiménez
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
This Content Pack will get you up and running in no time and provides the most commonly used incident and indicator fields and types.

Name | Description |
---|---|
Mail Listener - Classifier | Classifies phishing email messages. |
Mail Listener - Incoming Mapper | Maps incoming phishing email messages fields. |

Name | Description |
---|---|
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Related Alerts | |
CMD line | |
Protocol - Event | The network protocol in the event. |
Alert Action | Alert action as received from the integration JSON |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
User Block Status | |
Post Nat Source Port | The source port after NAT. |
State | State |
Policy Type | |
List Of Rules - Event | The list of rules associated with an event. |
Street Address | |
Tools | |
File Upload | Used to upload files to incidents in a way that would make them distinguishable from the rest of the incident files. This field can be used, for example, to execute commands on manually uploaded files with the click of an incident layout button. |
Application Name | Application Name |
Incident Link | |
Device Model | Device Model |
Affected Hosts | |
Source Networks | |
Employee Manager Email | The email address of the employee's manager. |
Display Name | Display Name |
OutgoingMirrorError | |
Agents ID | |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
Ticket Opened Date | |
Src User | Source User |
userAccountControl | userAccountControl |
Alert Name | Alert name as received from the integration JSON |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Verification Method | The method used to verify the user. |
Full Name | Person's Full Name |
Dest Hostname | Destination hostname |
OS | The operating system. |
Objective | |
Post Nat Source IP | The source IP address after NAT. |
Command Line Verdict | |
Location Region | Location Region |
Manager Email Address | |
Source Priority | |
Team name | |
Appliance ID | Appliance ID as received from the integration JSON |
Device External IPs | |
Command Line | Command Line |
Username | The username of the account who logged in. |
Suspicious Executions | |
Parent Process Path | |
Assigned User | Assigned User |
Endpoint | |
File Size | File Size |
Remediation SLA | The time from when remediation of the incident began until it ended. |
DNS Name | The DNS name of the asset. |
Mobile Device Model | |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
EmailCampaignMutualIndicators | |
OS Version | OS Version |
Process Path | |
Org Level 1 | |
Cloud Resource List | |
Detected External Hosts | Detected external hosts |
Additional Email Addresses | |
Source Status | |
Compliance Notes | Notes regarding the asset's compliance. |
Risk Rating | |
Source Category | |
Verdict | |
Country Code | |
File Hash | |
Changed | The user who changed this incident |
Device External IP | Device External IP |
Process Name | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
MITRE Tactic ID | |
External System ID | |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
Dest | Destination |
Assignment Group | |
External Start Time | |
Asset ID | |
Ticket Number | |
Parent Process File Path | |
Primary Email Address | |
Event Type | Event Type |
City | |
App message | |
Region ID | |
IP Reputation | |
File Names | |
External Addresses | |
Account ID | |
Technical Owner Contact | The contact details for the technical owner. |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Acquisition Hire | |
SHA1 | SHA1 |
Traffic Direction | The direction of the traffic in the event. |
Destination IPs | The destination IPs of the event. |
Device MAC Address | |
Vulnerability Category | |
Alert ID | Alert ID as received from the integration JSON |
Isolated | Isolated |
Alert Malicious | Whether the alert is malicious. |
Reporter Email Address | The email address of the user who reported the email. |
Technical Owner | The technical owner of the asset. |
Src Ports | The source ports of the event. |
Log Source Name | The log source name associated with the event. |
Ticket Acknowledged Date | |
Parent Process | |
Blocked Action | Blocked Action |
Parent Process SHA256 | |
Policy Actions | |
Alert URL | Alert URL as received from the integration JSON |
Surname | Surname |
Policy URI | |
Escalation | |
app channel name | |
High Risky Hosts | |
Subtype | Subtype |
Src OS | Src OS |
Destination IP | The IP address the impossible traveler logged in to. |
Manager Name | Manager Name |
Detected Endpoints | |
Source MAC Address | The source MAC address in an event. |
Tags | |
Is Active | Alert status |
Attack Patterns | |
Threat Hunting Detected Hostnames | |
Dest NT Domain | Destination NT Domain |
Destination Network | |
Source IPV6 | The source IPV6 address. |
External Category Name | |
Zip Code | Zip Code |
Destination Geolocation | The destination geolocation of the event. |
Attack Mode | Attack mode as received from the integration JSON |
High Risky Users | |
Application Id | Application Id |
Pre Nat Source IP | The source IP before NAT. |
Tool Usage Found | |
Log Source Type | The log source type associated with the event. |
Policy Deleted | |
Source Port | The source port that was used |
PID | PID |
Containment SLA | The time it took to contain the incident. |
Location | Location |
Similar incidents Dbot | |
Alert Type ID | |
Source Username | The username that was the source of the attack. |
Device OU | Device's OU path in Active Directory |
Usernames | The username in the event. |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Country Code Number | |
First Seen | |
UUID | UUID as received from the integration JSON |
External Severity | |
Approver | The person who approved or needs to approve the request. |
Referenced Resource Name | |
Selected Indicators | Includes the indicators selected by the user. |
Alert Source | |
Work Phone | |
Org Level 2 | |
EmailCampaignSummary | |
External Confidence | |
Approval Status | The status for the approval of the request. |
String Similarity Results | |
Sensor IP | |
Endpoints Details | |
File Creation Date | |
Signature | |
Device Local IP | Device Local IP |
Number of Related Incidents | |
Process MD5 | |
URLs | |
Event Descriptions | The description of the event name. |
Destination Hostname | Destination hostname |
Destination Port | The destination port used. |
Device Username | The username of the user that owns the device |
External Sub Category ID | |
Job Code | Job Code |
Alert tags | |
Domain Name | |
Technique | |
Protocols | |
Detected Internal IPs | Detected internal IPs |
Device Time | The time from the original logging device when the event occurred. |
User Creation Time | |
Resource ID | |
Cloud Operation Type | |
Cost Center Code | Cost Center Code |
High Level Categories | The high level categories in the events. |
Job Family | Job Family |
Device Hash | Device Hash |
Comment | The comments related to the incident. |
Cloud Instance ID | Cloud Instance ID |
Device Name | Device Name |
Rendered HTML | The HTML content in a rendered form. |
Dest OS | Destination OS |
Detected User | |
Related Campaign | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Log Source | Log Source |
Policy Recommendation | |
Use Case Description | |
Source Geolocation | The source geolocation of the event. |
Application Path | |
EmailCampaignCanvas | |
Dst Ports | The destination ports of the event. |
Registry Hive | |
Process ID | |
Alert Attack Time | |
Additional Indicators | |
Policy Description | |
Birthday | Person's Birthday |
Affected Users | |
Employee Email | The email address of the employee. |
Child Process | |
Exposure Level | |
User SID | |
Source Updated by | |
Parent Process IDs | |
Start Time | The time when the offense started. |
IncomingMirrorError | |
Custom Query Results | |
Region | |
User Risk Level | |
Parent Process Name | |
Pre Nat Source Port | The source port before NAT. |
Project ID | |
Number of similar files | |
SSDeep | |
Cloud Account ID | |
File MD5 | |
Follow Up | True if marked for follow up. |
Investigation Stage | The stage of the investigation. |
Org Unit | |
Post Nat Destination Port | The destination port after NAT. |
Process CMD | |
Post Nat Destination IP | The destination IP address after NAT. |
SKU TIER | |
Device Status | |
Endpoint Isolation Status | |
File Paths | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Src NT Domain | Source NT Domain |
Detection ID | |
External Link | |
Policy Details | |
Given Name | Given Name |
Item Owner Email | |
Report Name | |
Verification Status | The status of the user verification. |
Additional Data | |
Cloud Region List | |
Source Hostname | The hostname that performed the port scan. |
Detected External IPs | Detected external IPs |
Registry Value Type | |
sAMAccountName | User sAMAccountName |
External Sub Category Name | |
Block Indicators Status | |
similarIncidents | |
Protocol | Protocol |
Sensor Name | |
Internal Addresses | |
Personal Email | |
File Access Date | |
Account Name | Account Name |
Error Message | The error message that contains details about the error that occurred. |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
Rule Name | The name of a YARA rule |
Detected Users | Detected users |
Agent Version | Reporting Agent/Sensor Version |
Account Status | |
Registry Value | |
Source Urgency | Source Urgency |
Source Network | |
Mobile Phone | |
Last Modified On | |
Alert Category | The category of the alert |
Leadership | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Ticket Closed Date | |
MITRE Technique Name | |
MITRE Technique ID | |
Closing Reason | The closing reason |
Referenced Resource ID | |
MAC Address | MAC Address |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Related Endpoints | |
Users | |
Identity Type | |
ASN Name | |
Process Names | |
External Category ID | |
Resource Name | |
Sub Category | The sub category |
Timezone | |
Src Hostname | Source hostname |
Detected Internal Hosts | Detected internal hosts |
Source External IPs | |
Source Created By | |
Detection Update Time | |
SHA512 | SHA512 |
Hunt Results Count | |
User Groups | |
MITRE Tactic Name | |
End Time | The time when the offense ended. |
Dsts | The destination values. |
OS Type | OS Type |
CMD | |
Srcs | The source values. |
Agent ID | Agent ID |
Parent Process CMD | |
File SHA1 | |
Cost Center | Cost Center |
EmailCampaignSnippets | |
Vendor ID | |
Scenario | |
Source IPs | The source IPs of the event. |
Pre Nat Destination Port | The destination port before NAT. |
Bugtraq | |
MD5 | MD5 |
Last Seen | |
Last Modified By | |
Last Name | Last Name |
Detection End Time | |
Threat Hunting Detected IP | |
SKU Name | |
Suspicious Executions Found | |
Source Create time | |
File SHA256 | |
Category Count | The number of categories that are associated with the offense. |
Phone Number | Phone number |
Low Level Categories Events | The low level category of the event. |
Event Names | The event name (translated QID) in the event. |
Unique Ports | |
Related Report | |
External Status | |
Cloud Service | |
Event ID | Event ID |
Raw Event | The unparsed event data. |
Number Of Log Sources | The number of log sources related to the offense. |
Policy Severity | |
CVSS | |
Duration | |
Job Function | Job Function |
Registry Key | |
Title | Title |
Item Owner | |
Src | Source |
Source Id | |
Risk Score | |
Status Reason | |
Vendor Product | |
External End Time | |
Technique ID | |
Appliance Name | Appliance name as received from the integration JSON |
Department | Department |
Employee Display Name | The display name of the employee. |
Threat Name | The threat name, such as malware, exploit, or phishing. |
Process Creation Time | |
CVE | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
Process Paths | |
Hostnames | The hostname in the event. |
Destination MAC Address | The destination MAC address in an event. |
Parent Process MD5 | |
Group ID | |
File Name | |
Incident Duration | How long it took for the playbook of the incident to finish, from the moment it started. |
Tactic | |
Classification | Incident Classification |
Triage SLA | The time it took to investigate and enrich incident information. |
User Agent | |
Error Code | |
Country Name | Country Name |
Rating | |
App | |
Device Id | Device Id |
Account Member Of | |
Org Level 3 | |
Device OS Version | |
User Id | User Id |
Users Details | |
Device OS Name | |
First Name | First Name |
Process SHA256 | |
Technical User | The technical user of the asset. |
Device Internal IPs | |
Campaign Name | |
Source IP | The IP Address that the user initially logged in from. |
Destination Networks | |
Close Time | The closing time. |
Policy Remediable | |
Resource Type | |
Tactic ID | |
Categories | The categories for the incident. |
File Path | |
Description | The description of the incident |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
Parent CMD line | |
Email Sent Successfully | Whether the email has been successfully sent. |
File Relationships | |
Destination IPV6 | The destination IPV6 address. |
Failed Logon Events Timeframe | The timeframe in which the failed logon events occurred. |
Policy ID | |
Protocol names | |
Closing User | The closing user. |
ASN | |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Events | The events associated with the offense. |
Tenant Name | Tenant Name |
Detected IPs | |
User Engagement Response | |
Last Update Time | |
Password Reset Successfully | Whether the password has been successfully reset. |
SHA256 | SHA256 |
Country | The country from which the user logged in. |
Password Changed Date | |
IP Blocked Status | |
Caller | |
External ID | |
Macro Source Code | If a Microsoft Office file (such as docm, xlsm, or pptm) contains a macro, this field holds the macro's source code. |
Operation Name | |
Triggered Security Profile | Triggered Security Profile |

Name | Description |
---|---|
Network | |
Indicator Feed | |
DoS | |
Defacement | |
Authentication | |
Policy Violation | |
Exfiltration | |
Simulation | |
Lateral Movement | |
UnknownBinary | |
C2Communication | |
Exploit | |
Hunt | |
Job | |
Vulnerability | |
Reconnaissance | |

Name | Description |
---|---|
Geo Location | |
Registrar Abuse Email | |
Cost Center Code | |
Updated Date | |
Cost Center | |
Commands | |
Malware Family | |
Serial Number | |
Entry ID | |
STIX ID | An identifier that uniquely identifies a STIX Object and MAY do so in a deterministic way. |
Given Name | Given Name |
Zip Code | |
Blocked | |
CVSS Vector | |
Memory | |
X.509 v3 Extensions | |
Mobile Phone | |
Username | |
Registrar Name | |
Organization Type | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
City | City |
Subject | |
Country Code | |
Issuer | |
Certificate Signature | |
STIX Tool Version | |
Location Region | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Primary Motivation | |
Confidence | |
Applications | |
Domain Referring Subnets | |
Manager Name | Manager Name |
Region | |
Manager Email Address | |
Description | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Country Name | |
Job Function | |
STIX Is Malware Family | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Signature Description | |
Validity Not Before | |
Display Name | |
Expiration Date | |
Subject DN | Subject Distinguished Name |
Operating System Version | |
Rank | Used to display rank from different sources |
Vendor | |
Country Code Number | |
Processor | |
imphash | |
STIX Tool Types | |
Department | Department |
Registrant Country | |
Name | |
File Type | |
Indicator Identification | |
Objective | |
SHA1 | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
Operating System | |
Office365Required | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
STIX Sophistication | |
Behavior | |
Campaign | |
Name Servers | |
Tags | |
Resource Level | |
Job Family | |
Email Address | |
Registrar Abuse Country | |
DNS Records | |
Assigned user | |
Org Level 3 | |
Admin Email | |
Registrant Email | |
Is Malware Family | |
SHA512 | |
Admin Name | |
File Extension | |
Vulnerabilities | |
Creation Date | |
Report type | |
CVSS Table | |
Groups | |
MAC Address | |
Size | |
Implementation Languages | |
DHCP Server | |
CVE Modified | |
Mitre Tactics | |
ASN | |
Malware types | |
Subject Alternative Names | |
Report Object References | A list of STIX IDs referenced in the report. |
Title | Title |
Vulnerable Products | |
Domain Name | |
Mitre ID | |
Location | |
Sophistication | |
Personal Email | |
Is Processed | |
STIX Secondary Motivations | |
Name Field | |
Publications | |
Public Key | |
Operating System Refs | |
Feed Related Indicators | |
STIX Roles | |
Certificates | |
Domain IDN Name | |
Signed | |
Registrar Abuse Phone | |
Assigned role | |
STIX Resource Level | |
Work Phone | |
Tool Version | |
Infrastructure Types | |
Paths | |
Extension | |
Office365Category | |
SSDeep | |
PEM | Certificate in PEM format. |
STIX Description | |
Issuer DN | Issuer Distinguished Name |
Signature Algorithm | |
AS Owner | |
STIX Aliases | Alternative names used to identify this object |
STIX Primary Motivation. | |
Capabilities | |
Signature Copyright | |
Quarantined | Whether the indicator is quarantined or isolated |
Source Priority | |
Job Code | Job Code |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
Certificate Names | |
Published | |
Domain Status | |
STIX Goals | |
Goals | |
Actor | |
State | |
SHA256 | |
CVSS Version | |
CVSS3 | |
Registrant Name | |
Detection Engines | Total number of engines that checked the indicator |
Org Level 2 | |
CVSS Score | |
MD5 | |
Architecture | |
Whois Records | |
Validity Not After | |
Key Value | |
OS Version | |
Tool Types | |
Category | |
Version | |
Organization | |
Path | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Org Level 1 | |
DNS | |
IP Address | |
Domain Referring IPs | |
Roles | |
Associated File Names | |
Registrant Phone | |
Subdomains | |
Targets | |
Registrar Abuse Name | |
Organizational Unit (OU) | |
Registrar Abuse Address | |
Signature File Version | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Detections | |
Community Notes | |
Reports | |
User ID | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Geo Country | |
Action | |
Download URL | |
Associations | Known associations to other pieces of Threat Data. |
STIX Malware Types | |
Internal | |
Street Address | |
Org Unit | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Short Description | |
Leadership | |
Port | |
BIOS Version | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary. |
Secondary Motivations | |
Admin Phone | |
CVSS | |
Processors | |
Hostname | |
Signature Authentihash | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Force Sync | Whether to force user synchronization. |
Account Type | |
Device Model | |
Admin Country | |
CVE Description | |
STIX Threat Actor Types | |
Domains | |
Aliases | Alternative names used to identify this object |
Service | The specific service of a feed integration from which an indicator was ingested. |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Registrar Abuse Network | |
Signature Original Name | |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Certificate Validation Checks | |
Office365ExpressRoute | |
Surname | Surname |
Signature Internal Name | |
Threat Actor Types | |

Name | Description |
---|---|
Attack Pattern | Attack Pattern Indicator Layout |
Account Indicator | Account Indicator Layout |
Malware Indicator | Malware Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Mutex | Mutex indicator layout |
Software | Software Indicator Layout |
CVE Indicator | CVE Indicator Layout |
ASN | ASN Indicator Layout |
Infrastructure | Infrastructure Indicator Layout |
Domain Indicator | Domain Indicator Layout |
Report | Report Indicator Layout |
Threat Actor | Threat Actor Indicator Layout |
Vulnerability Incident | |
Host Indicator | Host indicator layout |
File Indicator | File Indicator Layout |
URL Indicator | URL Indicator Layout |
Identity | Identity indicator layout |
Intrusion Set | Intrusion Set Layout |
Course of Action | Course of Action Indicator Layout |
Campaign | Campaign Indicator Layout |
IP Indicator | IP Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Location | Location indicator layout |
X509 Certificate | CVE Indicator Layout |
Email Indicator | Email Indicator Layout |
Malware | |
Indicator Feed Incident | |

Name | Description |
---|---|
Course of Action | |
Campaign | |
Onion Address | |
Malware | |
Location | |
CVE | |
Report | |
Mutex | |
Threat Actor | |
Domain | |
IPv6CIDR | |
ssdeep | |
IP | |
DomainGlob | |
Intrusion Set | |
Software | |
CIDR | |
Account | |
Tool | |
Identity | |
File SHA-1 | |
Attack Pattern | |
Infrastructure | |
File SHA-256 | |
File | |
Host | |
URL | |
X509 Certificate | |
Registry Key | |
ASN | |
File MD5 | |
IPv6 | |

Name | Description |
---|---|
User Block Status | |
Error Code | |
Detected External IPs | Detected external IPs |
Detection End Time | |
Ticket Closed Date | |
Triage SLA | The time it took to investigate and enrich incident information. |
Display Name | Display Name |
Policy Severity | |
Vendor Product | |
Process Paths | |
Event Action | Action taken on user accounts - Create, Update, Deactivate, Reactivate |
Parent Process SHA256 | |
Org Unit | |
Primary Email Address | |
Verdict | |
SHA512 | SHA512 |
Phone Number | Phone number |
Zip Code | Zip Code |
Part of Campaign | The ID of the campaign incident of which the current incident is part. |
Asset ID | |
Source Status | |
Log Source | Log Source |
Org Level 2 | |
Cloud Account ID | |
Follow Up | True if marked for follow up. |
Source Created By | |
Parent Process File Path | |
Low Level Categories Events | The low level category of the event. |
Category Count | The number of categories that are associated with the offense. |
EmailCampaignCanvas | |
Rule Name | The name of a YARA rule |
Account Status | |
String Similarity Results | |
Source Id | |
Process SHA256 | |
File Creation Date | |
Registry Value | |
Traffic Direction | The direction of the traffic in the event. |
Assigned User | Assigned User |
Signature | |
EmailCampaignMutualIndicators | |
Source Networks | |
Country Code Number | |
Street Address | |
Post Nat Source IP | The source IP address after NAT. |
Domain Name | |
External Link | |
Risk Rating | |
Password Changed Date | |
State | State |
Department | Department |
Employee Display Name | The display name of the employee. |
Detection ID | |
Changed | The user who changed this incident |
Affected Hosts | |
Region | |
Assignment Group | |
Rendered HTML | The HTML content in a rendered form. |
Scenario | |
Org Level 3 | |
Destination Networks | |
Original Description | The description of the incident |
IP Blocked Status | |
Parent Process MD5 | |
Additional Email Addresses | |
Objective | |
Device Status | |
Rating | |
Is Active | Alert status |
SHA1 | SHA1 |
Team name | |
Status Reason | |
CVE | |
Tool Usage Found | |
Device Id | Device Id |
Log Source Name | The log source name associated with the event. |
Sub Category | The sub category |
Original Alert Source | |
External Start Time | |
Device Name | Device Name |
Title | Title |
Bugtraq | |
Account Member Of | |
Policy ID | |
Last Name | Last Name |
Policy URI | |
Source Priority | |
Alert tags | |
Users Details | |
Technique | |
Detection URL | URL of the ExtraHop Reveal(x) detection |
Referenced Resource ID | |
Command Line Verdict | |
Group ID | |
Source Updated by | |
Closing Reason | The closing reason |
Affected Users | |
Employee Email | The email address of the employee. |
Agents ID | |
Region ID | |
Application Path | |
Cost Center | Cost Center |
Policy Type | |
Technical User | The technical user of the asset. |
Mobile Device Model | |
Policy Details | |
Employee Manager Email | The email address of the employee's manager. |
MITRE Technique ID | |
Process MD5 | |
CVSS Confidentiality Requirement | The CVSS confidentiality requirement of the asset. |
Use Case Description | |
Pre Nat Source IP | The source IP before NAT. |
Work Phone | |
Related Report | |
Item Owner Email | |
Triggered Security Profile | Triggered Security Profile |
Detected Endpoints | |
Password Reset Successfully | Whether the password has been successfully reset. |
Protocol names | |
Job Function | Job Function |
Last Modified On | |
Policy Recommendation | |
Verification Status | The status of the user verification. |
Related Alerts | |
Policy Description | |
Detected Internal Hosts | Detected internal hosts |
CVSS Collateral Damage Potential | The CVSS collateral damage potential of the asset. |
External Severity | |
Cloud Region List | |
Sensor IP | |
Cloud Service | |
userAccountControl | userAccountControl |
Additional Data | |
Account ID | |
Surname | Surname |
Src OS | Src OS |
Registry Value Type | |
Process Creation Time | |
Event Names | The event name (translated QID) in the event. |
List Of Rules - Event | The list of rules associated with an event. |
First Name | First Name |
OS | The operating system. |
Device Time | The time from the original logging device when the event occurred. |
Process Names | |
Pre Nat Destination Port | The destination port before NAT. |
Caller | |
Comment | The comments related to the incident. |
sAMAccountName | User sAMAccountName |
Domain Squatting Result | The result of the domain-squatting check for the attacker's email. |
User Creation Time | |
Approval Status | The status for the approval of the request. |
MITRE Tactic ID | |
Resource Name | |
CVSS Availability Requirement | The CVSS availability requirement for the asset. |
Vendor ID | |
First Seen | |
File Relationships | |
MITRE Tactic Name | |
Attack Mode | Attack mode as received from the integration JSON |
URL SSL Verification | Indicates whether the URLs passed the SSL certificate verification. |
Exposure Level | |
Related Campaign | |
Org Level 1 | |
Macro Source Code | If a Microsoft Office file (such as docm, xlsm, or pptm) contains a macro, this field holds the macro's source code. |
Containment SLA | The time it took to contain the incident. |
Registry Hive | |
Critical Assets | A table of critical assets involved in the incident, including the name and asset type. |
Vulnerability Category | |
Threat Family Name | The threat family name associated with an attack vector, e.g. Meterpreter as a toolkit, or Extortion/Fraud/Espionage. |
Number of similar files | |
Device Model | Device Model |
Campaign Name | |
Job Code | Job Code |
Ticket Number | |
Additional Indicators | |
Original Events | The events associated with the offense. |
Alert Malicious | Whether the alert is malicious. |
Report Name | |
Escalation | |
Source Urgency | Source Urgency |
File Size | File Size |
End Time | The time when the offense ended. |
High Risky Hosts | |
EmailCampaignSnippets | |
Device Hash | Device Hash |
Pre Nat Source Port | The source port before NAT. |
Referenced Resource Name | |
Source External IPs | |
Destination IPV6 | The destination IPV6 address. |
Remediation SLA | The time from when remediation of the incident began until it ended. |
Tactic | |
Tenant Name | Tenant Name |
Technique ID | |
Device OU | Device's OU path in Active Directory |
ASN | |
OutgoingMirrorError | |
MITRE Technique Name | |
IncomingMirrorError | |
Policy Deleted | |
Acquisition Hire | |
OS Type | OS Type |
Dsts | The destination values. |
Alert Acknowledgement | Alert acknowledgement as received from the integration JSON |
Original Alert ID | Alert ID as received from the integration JSON |
Detection SLA | The time it took from incident creation until the maliciousness was determined. |
Classification | Incident Classification |
City | |
Timezone | |
Birthday | Person's Birthday |
Device MAC Address | |
Selected Indicators | Includes the indicators selected by the user. |
Ticket Acknowledged Date | |
Threat Name | The threat name, such as malware, exploit, or phishing. |
User Engagement Response | |
Duration | |
Tools | |
Post Nat Source Port | The source port after NAT. |
App message | |
Compliance Notes | Notes regarding the asset's compliance. |
Cost Center Code | Cost Center Code |
Parent Process CMD | |
Email Sent Successfully | Whether the email has been successfully sent. |
Full Name | Person's Full Name |
Last Seen | |
Subtype | Subtype |
Failed Logon Events | The number of failed logon events in a specific timeframe. Can be used with reference to the "Failed Logon Events Timeframe" field. |
Alert Type ID | |
Verification Method | The method used to verify the user. |
Agent Version | Reporting Agent/Sensor Version |
Isolated | Isolated |
Number Of Found Related Alerts | Medium or Higher Severity Alerts |
File Access Date | |
Mobile Phone | |
Last Update Time | |
External System ID | |
Technical Owner | The technical owner of the asset. |
Suspicious Executions Found | |
ASN Name | |
Policy Actions | |
Device OS Name | |
Source Category | |
Event ID | Event ID |
Investigation Stage | The stage of the investigation. |
Post Nat Destination Port | The destination port after NAT. |
Approver | The person who approved or needs to approve the request. |
Device Internal IPs | |
Operation Name | |
Cloud Resource List | |
Alert Action | Alert action as received from the integration JSON |
External Status | |
SSDeep | |
similarIncidents | |
External Sub Category ID | |
Blocked Action | Blocked Action |
Attack Patterns | |
Incident Link | |
Hunt Results Count | |
User Groups | |
Number Of Log Sources | The number of log sources related to the offense. |
Manager Email Address | |
Reporter Email Address | The email address of the user who reported the email. |
Closing User | The closing user. |
Original Alert Name | Alert name as received from the integration JSON |
Location | Location |
IP Reputation | |
Failed Logon Events Timeframe | The timeframe which the failed logon events occurred in. |
Process CMD | |
External Category Name | |
Time to Assignment | The time it took from when the incident was created until a user was assigned to it. |
Location Region | Location Region |
Endpoints Details | |
UUID | UUID as received from the integration JSON |
Registry Key | |
External Sub Category Name | |
Identity Type | |
Log Source Type | The log source type associated with the event. |
SKU TIER | |
Unique Ports | |
EmailCampaignSummary | |
Parent Process IDs | |
External Category ID | |
Tactic ID | |
CVSS Integrity Requirement | The CVSS integrity requirement for the asset. |
High Risky Users | |
User SID | |
Error Message | The error message that contains details about the error that occurred. |
Project ID | |
Block Indicators Status | |
Resource Type | |
Dest OS | Destination OS |
CVSS | |
Related Endpoints | |
Personal Email | |
Last Mirrored Time Stamp | The last time the incident was mirrored in. |
File SHA1 | |
Given Name | Given Name |
Parent Process Path | |
Source Geolocation | The source geolocation of the event. |
Internal Addresses | |
External End Time | |
URLs | |
Destination Geolocation | The destination geolocation of the event. |
User Id | User Id |
Parent Process Name | |
app channel name | |
Raw Event | The unparsed event data. |
Job Family | Job Family |
Similar incidents Dbot | |
Suspicious Executions | |
Device External IPs | |
Endpoint Isolation Status | |
Risk Score | |
Device OS Version | |
Last Modified By | |
Post Nat Destination IP | The destination IP address after NAT. |
Close Time | The closing time. |
Technical Owner Contact | The contact details for the technical owner. |
Cloud Instance ID | Cloud Instance ID |
Start Time | The time when the offense started. |
Country Code | |
Policy Remediable | |
Custom Query Results | |
External Confidence | |
SKU Name | |
Manager Name | Manager Name |
Event Descriptions | The description of the event name. |
Item Owner | |
File Hash | |
Number of Related Incidents | |
Source Create time | |
Process ID | |
Leadership | |

Incident Types

Name | Description |
---|---|
Indicator Feed | |
Exploit | |
Hunt | |
Reconnaissance | |
C2Communication | |
Defacement | |
Vulnerability | |
Network | |
Lateral Movement | |
Exfiltration | |
Policy Violation | |
Job | |
Authentication | |
Simulation | |
UnknownBinary | |
DoS | |

Indicator Fields

Name | Description |
---|---|
Groups | |
Registrar Abuse Network | |
Applications | |
Service | The specific service of a feed integration from which an indicator was ingested. |
STIX Is Malware Family | |
STIX Tool Version | |
STIX Primary Motivation | |
Last Seen By Source | The last time the indicator was seen by the Source vendor. |
STIX Secondary Motivations | |
X.509 v3 Extensions | |
Secondary Motivations | |
Creation Date | |
Short Description | |
Signature Algorithm | |
Blocked | |
DNS Records | |
Mitre Tactics | |
CVSS Table | |
CVSS | |
City | City |
Registrar Abuse Name | |
Cost Center Code | |
Admin Country | |
Feed Related Indicators | |
Tool Types | |
File Type | |
Threat Types | The threat category associated to this indicator by the source vendor. For example, Phishing, Command & Control, TOR, etc. |
Location | |
DHCP Server | |
Account Type | |
Confidence | |
Updated Date | |
Organization | |
Publications | |
Job Code | Job Code |
Geo Location | |
BIOS Version | |
Aliases | Alternative names used to identify this object |
Registrant Email | |
Behavior | |
Operating System Refs | |
User ID | |
Subject Alternative Names | |
Actor | |
Serial Number | |
Country Code | |
STIX Threat Actor Types | |
Registrant Name | |
Category | |
Sophistication | |
Signature Authentihash | |
Display Name | |
Certificate Validation Checks | |
Campaign | |
Languages | Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to RFC 5646. |
Version | |
Roles | |
Registrar Name | |
CVSS Vector | |
Is Processed | |
Description | |
Tool Version | |
Registrant Country | |
Domains | |
Domain Name | |
Assigned role | |
Force Sync | Whether to force user synchronization. |
Location Region | |
Signed | |
STIX Sophistication | |
Paths | |
Key Value | |
Admin Name | |
Office365ExpressRoute | |
Manager Email Address | |
Domain Status | |
Signature Description | |
Registrar Abuse Email | |
Rank | Used to display rank from different sources |
Report Object References | A list of STIX IDs referenced in the report. |
Source Priority | |
Quarantined | Whether the indicator is quarantined or isolated |
Leadership | |
Organizational Unit (OU) | |
Personal Email | |
Industry sectors | Industry sector is an open vocabulary that describes industrial and commercial sectors. |
CPE | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary |
Goals | |
Region | |
AS Owner | |
Registrar Abuse Country | |
Operating System | |
Title | Title |
Manager Name | Manager Name |
Name | |
Username | |
Memory | |
Primary Motivation | |
Signature File Version | |
STIX Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
Detection Engines | Total number of engines that checked the indicator |
DNS | |
Subject DN | Subject Distinguished Name |
File Extension | |
Given Name | Given Name |
MD5 | |
Certificate Names | |
Whois Records | |
Positive Detections | Number of engines that positively detected the indicator as malicious |
Name Servers | |
Admin Email | |
Validity Not After | |
Infrastructure Types | |
STIX Tool Types | |
Cost Center | |
Indicator Identification | |
Registrar Abuse Phone | |
SPKI SHA256 | SHA256 fingerprint of Subject Public Key Info |
Org Level 3 | |
Vulnerabilities | |
CVE Description | |
Certificate Signature | |
Issuer | |
Traffic Light Protocol | TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). |
Assigned user | |
Email Address | |
ASN | |
Kill Chain Phases | The list of Kill Chain Phases for which this object is used. |
STIX ID | An identifier that uniquely identifies a STIX Object, and MAY do so in a deterministic way. |
Processor | |
CVSS Version | |
Department | Department |
Entry ID | |
Expiration Date | |
SHA256 | |
Issuer DN | Issuer Distinguished Name |
imphash | |
CVE Modified | |
State | |
Mobile Phone | |
IP Address | |
Extension | |
Name Field | |
Implementation Languages | |
Resource Level | |
Published | |
STIX Malware Types | |
Validity Not Before | |
Subdomains | |
Objective | |
PEM | Certificate in PEM format. |
Signature Copyright | |
Zip Code | |
Malware types | |
Tags | |
Job Family | |
STIX Aliases | Alternative names used to identify this object |
First Seen By Source | The first time the indicator was seen by the source vendor. |
Associated File Names | |
Malware Family | |
Office365Category | |
Hostname | |
Report type | |
Registrant Phone | |
Detections | |
Registrar Abuse Address | |
Reported By | The source that reported this indicator. Can be a feed, an incident, or users. |
Download URL | |
Reports | |
Size | |
Is Malware Family | |
OS Version | |
Surname | Surname |
Geo Country | |
Subject | |
Port | |
Operating System Version | |
Office365Required | |
Action | |
Country Name | |
STIX Roles | |
Architecture | |
Associations | Known associations to other pieces of Threat Data. |
Job Function | |
Processors | |
Domain Referring Subnets | |
Org Level 1 | |
SHA512 | |
Country Code Number | |
STIX Resource Level | |
Org Level 2 | |
Threat Actor Types | |
Community Notes | |
Admin Phone | |
Source Original Severity | The original score/severity provided by the source without DBot translation. |
Commands | |
Vendor | |
Org Unit | |
Work Phone | |
Acquisition Hire | Whether the employee is an acquisition hire. |
Signature Internal Name | |
Identity class | The type of entity that this Identity describes, e.g., an individual or organization. |
Mitre ID | |
SSDeep | |
STIX Goals | |
Signature Original Name | |
Certificates | |
Capabilities | |
Street Address | |
SHA1 | |
SWID | Specifies the Software Identification (SWID) tags entry for the software |
Device Model | |
Internal | |
CVSS Score | |
Public Key | |
Domain Referring IPs | |
Organization Type | |
CVSS3 | |
Vulnerable Products | |
Targets | |
Domain IDN Name | |
Path | |
STIX Description | |
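Two of the Software indicator fields above carry a hard format requirement: CPE MUST be a CPE v2.3 entry, and each Languages member MUST be an RFC 5646 language code. Storing a CPE 2.2 URI or a locale string such as `en_US` in those fields silently breaks later matching against NVD data. The following is an added example, not code shipped with this content pack or by Cortex XSOAR: a stdlib-only Python validator for both fields, with a `validate_software_indicator` helper that collects every problem before the indicator is written. The CPE value grammar is a well-formedness check rather than the full NISTIR 7695 grammar, and the language-tag check covers the common language[-script][-region] shape only (no extlang, variant, extension or private-use subtags); the function names and the sample values are assumptions made for this example.

```python
import re

# CPE 2.3 formatted-string binding: "cpe:2.3:" followed by 11 colon-separated
# components. A colon inside a value is escaped as "\:" and must not split it.
CPE23_PREFIX = "cpe:2.3:"
CPE23_ATTRIBUTES = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)
_UNESCAPED_COLON = re.compile(r"(?<!\\):")
# A component is "*" (ANY), "-" (NA) or a non-empty value made of alphanumerics,
# "_", ".", "-", the wildcards "*" / "?", and backslash-escaped punctuation.
# Assumption: this is a well-formedness check, not the full NISTIR 7695 grammar.
_CPE_VALUE = re.compile(r"^(?:\*|-|(?:[A-Za-z0-9_.\-]|\\[^A-Za-z0-9_]|\*|\?)+)$")

# RFC 5646 tag restricted to language[-script][-region] (assumption: no extlang,
# variant, extension, private-use or grandfathered subtags are accepted).
_LANG_TAG = re.compile(
    r"^(?P<language>[A-Za-z]{2,3})"
    r"(?:-(?P<script>[A-Za-z]{4}))?"
    r"(?:-(?P<region>[A-Za-z]{2}|[0-9]{3}))?$"
)


def parse_cpe23(value: str) -> dict:
    """Split a CPE 2.3 formatted string into its named attributes.

    Raises ValueError with the reason when the string is not well-formed.
    """
    if not value.startswith(CPE23_PREFIX):
        raise ValueError("expected the 'cpe:2.3:' prefix (CPE 2.2 URIs start with 'cpe:/')")
    components = _UNESCAPED_COLON.split(value[len(CPE23_PREFIX):])
    if len(components) != len(CPE23_ATTRIBUTES):
        raise ValueError(f"expected {len(CPE23_ATTRIBUTES)} components, got {len(components)}")
    attrs = dict(zip(CPE23_ATTRIBUTES, components))
    if attrs["part"] not in ("a", "h", "o", "*", "-"):
        raise ValueError(f"part must be a (application), h (hardware) or o (OS); got {attrs['part']!r}")
    for name, component in attrs.items():
        if not _CPE_VALUE.match(component):
            raise ValueError(f"component {name!r} is not a valid CPE 2.3 value: {component!r}")
    return attrs


def parse_language_tag(tag: str) -> dict:
    """Return the language/script/region subtags of a simple RFC 5646 tag."""
    match = _LANG_TAG.match(tag)
    if match is None:
        raise ValueError(f"not a well-formed RFC 5646 language tag: {tag!r}")
    return {name: value for name, value in match.groupdict().items() if value}


def validate_software_indicator(cpe: str, languages: list) -> list:
    """Collect validation errors for the CPE and Languages fields of one indicator.

    Returns an empty list when every field is acceptable, so a caller can reject
    the indicator before it is written instead of storing an unmatchable value.
    """
    errors = []
    try:
        parse_cpe23(cpe)
    except ValueError as exc:
        errors.append(f"CPE: {exc}")
    for tag in languages:
        try:
            parse_language_tag(tag)
        except ValueError as exc:
            errors.append(f"Languages: {exc}")
    return errors


if __name__ == "__main__":
    # Constructed sample values for this example, not taken from any real indicator.
    print(parse_cpe23("cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*"))
    print(parse_language_tag("zh-Hant-TW"))
    print(validate_software_indicator("cpe:/a:openssl:openssl:1.0.1f", ["en", "en_US"]))
```

Splitting on unescaped colons only is the point of the CPE parser: a naive `split(":")` miscounts components whenever a vendor or product name contains an escaped colon, and the indicator would be rejected or, worse, stored with shifted attributes.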

Layout Rules

Name | Description |
---|---|
Vulnerability Layout Rule | |
Indicator Feed Layout Rule | |

Layouts

Name | Description |
---|---|
Infrastructure | Infrastructure Indicator Layout |
Campaign | Campaign Indicator Layout |
Email Indicator | Email Indicator Layout |
Host Indicator | Host indicator layout |
Threat Actor | Threat Actor Indicator Layout |
File Indicator | File Indicator Layout |
Software | Software Indicator Layout |
Identity | Identity indicator layout |
Domain Indicator | Domain Indicator Layout |
Course of Action | Course of Action Indicator Layout |
CVE Indicator | CVE Indicator Layout |
ASN | ASN Indicator Layout |
Tool Indicator | Tool Indicator Layout |
Mutex | Mutex indicator layout |
Report | Report Indicator Layout |
X509 Certificate | X509 Certificate Indicator Layout |
Attack Pattern | Attack Pattern Indicator Layout |
Registry Key Indicator | Registry Key Indicator Layout |
Account Indicator | Account Indicator Layout |
Malware Indicator | Malware Indicator Layout |
IP Indicator | IP Indicator Layout |
Intrusion Set | Intrusion Set Layout |
Indicator Feed Incident | |
URL Indicator | URL Indicator Layout |
Vulnerability Incident | |
Location | Location indicator layout |

Indicator Types

Name | Description |
---|---|
Malware | |
Attack Pattern | |
ASN | |
CVE | |
IP | |
Campaign | |
DomainGlob | |
X509 Certificate | |
File SHA-1 | |
IPv6CIDR | |
Tool | |
Report | |
File SHA-256 | |
URL | |
Location | |
Registry Key | |
Account | |
File MD5 | |
File | |
Onion Address | |
ssdeep | |
Threat Actor | |
Domain | |
IPv6 | |
Identity | |
Mutex | |
CIDR | |
Intrusion Set | |
Host | |
Software | |
Infrastructure | |
Course of Action | |

Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |

Pack Name | Pack By |
---|---|
Common Scripts | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
Intrusion Set
Added the 'Execute Intrusion Set Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Campaign
Added the 'Execute Campaign Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Malware Indicator
Added the 'Execute Malware Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
Custom mapping for the indicator was updated, adding mappings to the new fields.
Vulnerable Products
with all the relevant CPEs in a grid field.
Added the following incident fields:
New: ASN
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
New: Account Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
New: Campaign
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
New: Email Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
New: File Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
IP Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
New: Infrastructure
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
New: Intrusion Set
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
New: Malware Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
Mutex
Updated the indicator layout Edit/New tab to display only the relevant fields.
Threat Actor
Updated the indicator layout Edit/New tab to display only the relevant fields.
New: Tool Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
New: URL Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
Host Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Identity
Updated the indicator layout Edit/New tab to display only the relevant fields.
Location
Updated the indicator layout Edit/New tab to display only the relevant fields.
Course of Action
Updated the indicator layout Edit/New tab to display only the relevant fields.
New: Mutex
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
Report
Updated the indicator layout Edit/New tab to display only the relevant fields.
Attack Pattern
Updated the indicator layout Edit/New tab to display only the relevant fields.
Registry Key Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Software
Updated the indicator layout Edit/New tab to display only the relevant fields.
New: IP Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
Malware
Updated the indicator layout Edit/New tab to display only the relevant fields.
CVE Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Tool
Updated the indicator layout Edit/New tab to display only the relevant fields.
New: Threat Actor
Updated the indicator layout Edit/New tab to display only the relevant fields. (Available from Cortex XSOAR 6.10.0).
Domain Indicator
Updated the indicator layout Edit/New tab to display only the relevant fields.
Vulnerability Incident
Updated the indicator layout Edit/New tab to display only the relevant fields.
Added the Prisma Cloud - VM Alert Prioritization incident type to the following incident fields:
Certification | Certified |
Supported By | Cortex |
Created | July 26, 2020 |
Last Release | March 11, 2024 |