Common Types v3.10.13
This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.
- Author:
- Cortex XSOAR
- Support:
- xsoar
agentixxsiam
Utilities
Classifiers (2)
Incident fields (440)
- ASN
- ASN Name
- Account ID
- Account Member Of
- Account Name
- Account Status
- Acquisition Hire
- Additional Data
- Additional Email Addresses
- Additional Indicators
- Affected Hosts
- Affected Users
- Agent ID
- Agent Version
- Agents ID
- Alert Acknowledgement
- Alert Action
- Alert Attack Time
- Alert Category
- Alert ID
- Alert Malicious
- Alert Name
- Alert Rules
- Alert Source
- Alert Type ID
- Alert URL
- Alert tags
- App
- App message
- Appliance ID
- Appliance Name
- Application Id
- Application Name
- Application Path
- Approval Status
- Approver
- Asset ID
- Asset Name
- Assigned User
- Assignment Group
- Attack Mode
- Attack Patterns
- Audit Logs
- Birthday
- Block Indicators Status
- Blocked Action
- Bugtraq
- CMD
- CMD line
- CVE
- CVE ID
- CVE Published
- CVSS
- CVSS Availability Requirement
- CVSS Collateral Damage Potential
- CVSS Confidentiality Requirement
- CVSS Integrity Requirement
- Caller
- Campaign Name
- Categories
- Category Count
- Changed
- Child Process
- City
- Classification
- Close Time
- Closing Reason
- Closing User
- Cloud Account ID
- Cloud Instance ID
- Cloud Operation Type
- Cloud Region List
- Cloud Resource List
- Cloud Service
- Command Line
- Command Line Verdict
- Comment
- Compliance Notes
- Containment SLA
- Cost Center
- Cost Center Code
- Country
- Country Code
- Country Code Number
- Country Name
- Critical Assets
- Custom Query Results
- DNS Name
- Department
- Description
- Dest
- Dest Hostname
- Dest NT Domain
- Dest OS
- Destination Geolocation
- Destination Hostname
- Destination IP
- Destination IPV6
- Destination IPs
- Destination MAC Address
- Destination Network
- Destination Networks
- Destination Port
- Detected Endpoints
- Detected External Hosts
- Detected External IPs
- Detected IPs
- Detected Internal Hosts
- Detected Internal IPs
- Detected User
- Detected Users
- Detection End Time
- Detection ID
- Detection SLA
- Detection URL
- Detection Update Time
- Device External IP
- Device External IPs
- Device Hash
- Device Id
- Device Internal IPs
- Device Local IP
- Device MAC Address
- Device Model
- Device Name
- Device OS Name
- Device OS Version
- Device OU
- Device Status
- Device Time
- Device Username
- Display Name
- Domain Name
- Domain Registrar Abuse Email
- Domain Squatting Result
- Domain Updated Date
- Dst Ports
- Dsts
- Duration
- Email Sent Successfully
- EmailCampaignCanvas
- EmailCampaignMutualIndicators
- EmailCampaignSnippets
- EmailCampaignSummary
- Employee Display Name
- Employee Email
- Employee Manager Email
- End Time
- Endpoint
- Endpoint Isolation Status
- Endpoints Details
- Error Code
- Error Message
- Escalation
- Event Action
- Event Descriptions
- Event ID
- Event Names
- Event Type
- Events
- Exposure Level
- External Addresses
- External Category ID
- External Category Name
- External Confidence
- External End Time
- External ID
- External Last Updated Time
- External Link
- External Severity
- External Start Time
- External Status
- External Sub Category ID
- External Sub Category Name
- External System ID
- Failed Logon Events
- Failed Logon Events Timeframe
- File Access Date
- File Creation Date
- File Hash
- File MD5
- File Name
- File Names
- File Path
- File Paths
- File Relationships
- File SHA1
- File SHA256
- File Size
- File Upload
- First Name
- First Seen
- Follow Up
- Full Name
- Given Name
- Group ID
- High Level Categories
- High Risky Hosts
- High Risky Users
- Hostnames
- Hunt Results Count
- IP Blocked Status
- IP Reputation
- Identity Type
- Incident Duration
- Incident Link
- IncomingMirrorError
- Internal Addresses
- Investigation Stage
- Is Active
- Isolated
- Item Owner
- Item Owner Email
- Job Code
- Job Family
- Job Function
- Last Mirrored Time Stamp
- Last Modified By
- Last Modified On
- Last Name
- Last Seen
- Last Update Time
- Leadership
- List Of Rules - Event
- Location
- Location Region
- Log Source
- Log Source Name
- Log Source Type
- Low Level Categories Events
- MAC Address
- MD5
- MITRE Tactic ID
- MITRE Tactic Name
- MITRE Technique ID
- MITRE Technique Name
- Macro Source Code
- Manager Email Address
- Manager Name
- Mobile Device Model
- Mobile Phone
- Number Of Found Related Alerts
- Number Of Log Sources
- Number of Related Incidents
- Number of similar files
- OS
- OS Type
- OS Version
- Objective
- Operation Name
- Org Level 1
- Org Level 2
- Org Level 3
- Org Unit
- Original Alert ID
- Original Alert Name
- Original Alert Source
- Original Description
- Original Events
- OutgoingMirrorError
- PID
- Parent CMD line
- Parent Process
- Parent Process CMD
- Parent Process File Path
- Parent Process IDs
- Parent Process MD5
- Parent Process Name
- Parent Process Path
- Parent Process SHA256
- Part of Campaign
- Password Changed Date
- Password Reset Successfully
- Personal Email
- Phone Number
- Policy Actions
- Policy Deleted
- Policy Description
- Policy Details
- Policy ID
- Policy Recommendation
- Policy Remediable
- Policy Severity
- Policy Type
- Policy URI
- Post Nat Destination IP
- Post Nat Destination Port
- Post Nat Source IP
- Post Nat Source Port
- Pre Nat Destination Port
- Pre Nat Source IP
- Pre Nat Source Port
- Process CMD
- Process Creation Time
- Process ID
- Process MD5
- Process Name
- Process Names
- Process Path
- Process Paths
- Process SHA256
- Project ID
- Protocol
- Protocol - Event
- Protocol names
- Protocols
- Rating
- Raw Event
- Referenced Resource ID
- Referenced Resource Name
- Region
- Region ID
- Registration Email
- Registry Hive
- Registry Key
- Registry Value
- Registry Value Type
- Related Alerts
- Related Campaign
- Related Endpoints
- Related Report
- Remediation SLA
- RemovedFromCampaigns
- Rendered HTML
- Report Name
- Reporter Email Address
- Resource ID
- Resource Name
- Resource Type
- Resource URL
- Risk Name
- Risk Rating
- Risk Score
- Rule Name
- SHA1
- SHA256
- SHA512
- SKU Name
- SKU TIER
- SSDeep
- Scenario
- Selected Indicators
- Sensor IP
- Sensor Name
- Signature
- Similar incidents Dbot
- Source Category
- Source Create time
- Source Created By
- Source External IPs
- Source Geolocation
- Source Hostname
- Source IP
- Source IPV6
- Source IPs
- Source Id
- Source MAC Address
- Source Network
- Source Networks
- Source Port
- Source Priority
- Source Status
- Source Updated by
- Source Urgency
- Source Username
- Src
- Src Hostname
- Src NT Domain
- Src OS
- Src Ports
- Src User
- Srcs
- Start Time
- State
- Status Reason
- Street Address
- String Similarity Results
- Sub Category
- Subtype
- Surname
- Suspicious Executions
- Suspicious Executions Found
- Tactic
- Tactic ID
- Tags
- Team name
- Technical Owner
- Technical Owner Contact
- Technical User
- Technique
- Technique ID
- Tenant Name
- Threat Family Name
- Threat Hunting Detected Hostnames
- Threat Hunting Detected IP
- Threat Name
- Ticket Acknowledged Date
- Ticket Closed Date
- Ticket Number
- Ticket Opened Date
- Time to Assignment
- Timezone
- Title
- Tool Usage Found
- Tools
- Traffic Direction
- Triage SLA
- Triggered Security Profile
- URL SSL Verification
- URLs
- UUID
- Unique Ports
- Use Case Description
- User Agent
- User Anomaly Count
- User Block Status
- User Creation Time
- User Engagement Response
- User Groups
- User Id
- User Risk Level
- User SID
- Username
- Usernames
- Users
- Users Details
- Vendor ID
- Vendor Product
- Verdict
- Verification Method
- Verification Status
- Vulnerability Category
- Vulnerable Product
- Work Phone
- Zip Code
- app channel name
- sAMAccountName
- similarIncidents
- userAccountControl
Incident types (16)
Indicator fields (235)
- AS Owner
- ASN
- Account Type
- Acquisition Hire
- Action
- Actor
- Admin Country
- Admin Email
- Admin Name
- Admin Phone
- Aliases
- Applications
- Architecture
- Assigned role
- Assigned user
- Associated File Names
- Associations
- Author
- BIOS Version
- Behavior
- Blocked
- CPE
- CVE Description
- CVE Modified
- CVSS
- CVSS Score
- CVSS Table
- CVSS Vector
- CVSS Version
- CVSS3
- Campaign
- Capabilities
- Category
- Certificate Names
- Certificate Signature
- Certificate Validation Checks
- Certificates
- City
- Commands
- Community Notes
- Confidence
- Cost Center
- Cost Center Code
- Country Code
- Country Code Number
- Country Name
- Creation Date
- DHCP Server
- DNS
- DNS Records
- Definition
- Department
- Description
- Detection Engines
- Detections
- Device Model
- Display Name
- Domain IDN Name
- Domain Name
- Domain Referring IPs
- Domain Referring Subnets
- Domain Status
- Domains
- Download URL
- Email Address
- Entry ID
- Expiration Date
- Extension
- Feed Related Indicators
- File Extension
- File Type
- First Seen By Source
- Force Sync
- Geo Country
- Geo Location
- Given Name
- Global Prevalence
- Goals
- Groups
- Hostname
- IP Address
- Identity class
- Implementation Languages
- Indicator Identification
- Industry sectors
- Infrastructure Types
- Internal
- Is Malware Family
- Is Processed
- Issuer
- Issuer DN
- Job Code
- Job Family
- Job Function
- Key Value
- Kill Chain Phases
- Languages
- Last Seen By Source
- Leadership
- Location
- Location Region
- MAC Address
- MD5
- Malware Family
- Malware types
- Manager Email Address
- Manager Name
- Memory
- Mitre ID
- Mitre Tactics
- Mobile Phone
- Name
- Name Field
- Name Servers
- Number of subkeys
- OS Version
- Objective
- Office365Category
- Office365ExpressRoute
- Office365Required
- Operating System
- Operating System Refs
- Operating System Version
- Org Level 1
- Org Level 2
- Org Level 3
- Org Unit
- Organization
- Organization First Seen
- Organization Last Seen
- Organization Prevalence
- Organization Type
- Organizational Unit (OU)
- PEM
- Path
- Paths
- Personal Email
- Port
- Positive Detections
- Primary Motivation
- Processor
- Processors
- Product
- Public Key
- Publications
- Published
- Quarantined
- Query Language
- Rank
- Region
- Registrant Country
- Registrant Email
- Registrant Name
- Registrant Phone
- Registrar Abuse Address
- Registrar Abuse Country
- Registrar Abuse Email
- Registrar Abuse Name
- Registrar Abuse Network
- Registrar Abuse Phone
- Registrar Name
- Report Object References
- Report type
- Reported By
- Reports
- Resource Level
- Roles
- SHA1
- SHA256
- SHA512
- SPKI SHA256
- SSDeep
- STIX Aliases
- STIX Description
- STIX Goals
- STIX ID
- STIX Is Malware Family
- STIX Kill Chain Phases
- STIX Malware Types
- STIX Primary Motivation.
- STIX Resource Level
- STIX Roles
- STIX Secondary Motivations
- STIX Sophistication
- STIX Threat Actor Types
- STIX Tool Types
- STIX Tool Version
- SWID
- Samples
- Secondary Motivations
- Serial Number
- Service
- Short Description
- Signature Algorithm
- Signature Authentihash
- Signature Copyright
- Signature Description
- Signature File Version
- Signature Internal Name
- Signature Original Name
- Signed
- Size
- Sophistication
- Source Original Severity
- Source Priority
- State
- Street Address
- Subdomains
- Subject
- Subject Alternative Names
- Subject DN
- Surname
- Tags
- Targets
- Threat Actor Types
- Threat Types
- Title
- Tool Types
- Tool Version
- Traffic Light Protocol
- Updated Date
- User ID
- Username
- Validity Not After
- Validity Not Before
- Vendor
- Version
- Vulnerabilities
- Vulnerable Products
- Whois Records
- Work Phone
- X.509 v3 Extensions
- Zip Code
- imphash
Indicator types (40)
- reputation-Attack_Pattern
- reputation-Attack_PatternV2
- reputation-Campaign
- reputation-Course_of_Action
- reputation-Identity
- reputation-Infrastructure
- reputation-Intrusion_Set
- reputation-Location
- reputation-Malware
- reputation-Mutex
- reputation-Onion_Address
- reputation-Report
- reputation-STIX_Attack_Pattern
- reputation-STIX_Malware
- reputation-STIX_Report
- reputation-STIX_Threat_Actor
- reputation-STIX_Tool
- reputation-Software
- reputation-Threat_Actor
- reputation-Tool
- reputation-X509_Certificate
- reputation-account
- reputation-asn
- reputation-cidr
- reputation-cve
- reputation-domain
- reputation-domainGlob
- reputation-email
- reputation-file
- reputation-hashRepMD5
- reputation-hashRepSHA1
- reputation-hashRepSHA256
- reputation-host
- reputation-ip
- reputation-ipv6
- reputation-ipv6_cidr
- reputation-registryKey
- reputation-ssdeepRep
- reputation-tactic
- reputation-url
Layout rules (2)
- Indicator Feed Layout Rule
- Vulnerability Layout Rule
Layouts (49)
- ASN
- ASN
- Account Indicator
- Account Indicator
- Attack Pattern
- Attack Pattern
- CVE Indicator
- CVE Indicator
- Campaign
- Campaign
- Campaign
- Course of Action
- Course of Action
- Domain Indicator
- Domain Indicator
- Email Indicator
- Email Indicator
- File Indicator
- File Indicator
- Host Indicator
- Host Indicator
- IP Indicator
- IP Indicator
- Identity
- Indicator Feed Incident
- Infrastructure
- Infrastructure
- Intrusion Set
- Intrusion Set
- Location
- Malware
- Malware Indicator
- Malware Indicator
- Mutex
- Mutex
- Registry Key Indicator
- Registry Key Indicator
- Report
- Report
- Software
- Tactic Layout
- Threat Actor
- Threat Actor
- Tool
- Tool Indicator
- URL Indicator
- URL Indicator
- Vulnerability Incident
- X509 Certificate