Indicator fields structure aligned with STIX standards to more easily share and work with IOCs.
Cortex XSOAR IOC fields are based on the STIX 2.1 specifications. These fields provide a guideline for the fields we recommend you maintain within an IOC. None of the fields are mandatory, except the value field. Maintaining this field structure enables you to share and export IOCs to additional threat intel based systems as well as to other cyber security devices.
Like STIX, Cortex XSOAR indicators are divided into two categories, STIX Domain Objects (SDOs) and STIX Cyber-observable Objects (SCOs). The category determines which fields are presented in the layout of that specific IOC. In Cortex XSOAR, all SCOs can be used in a relationship with either SDOs or SCOs.
Each IOC table of fields is separated into three parts:
System fields - Fields created and managed by Cortex XSOAR.
Custom core fields - Custom fields shared by all IOCs of the same time (SDO or SCO). Fields may be empty.
Custom unique fields - Fields unique to a specific type of IOC. If a user associates more fields with the IOC, the additional fields are also treated as unique.
STIX Cyber-observable Objects (SCO)
Similar to STIX User Account Object, this indicator type represents a user account in various platforms such as operating system, social media accounts, and Active Directory. The value for the object is usually the username for logging in.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Blocked | A Boolean switch to mark the object as blocked in the user environment. |
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Account Type | Specifies the type of the account, comes from |
Creation Date | The date the account was created (not the date the indicator was created). |
Display Name | The display name of the account as it is shown in the UI. |
Groups | The groups the account is a member of. |
User ID | The account's unique ID according to the system it was taken from. |
Network domain name, similar to the STIX Domain Name object. The value is the domain address.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Blocked | A Boolean switch to mark the object as blocked in the user environment. |
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Creation Date | The date the domain was created. |
DNS Records | All types of DNS records with a timestamp and their values (GRID). |
Expiration Date | The domain expiration date. |
Certificates | Any certificates issued for the domain. |
WHOIS Records | Any records from WHOIS about the domain (GRID). |
A single user email address.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Blocked | A Boolean switch to mark the object as blocked in the user environment. |
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique |
|---|
None |
Represents a single file. For backward compatibility, the indicator has multiple fields for different types of hashes. New hashes, however, should be stored under the Hashes grid field. The file value should be its hash (either MD5, SHA-1, SHA-256, or SHA-512, in that order).
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Blocked | A Boolean switch to mark the object as blocked in the user environment. |
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Creation Date | The file creation date. |
File Extension | The file extension. |
Associated File Names | Names the file is associated with. |
File Type | The type of the file. |
Hashes | Any hashes not specified in a separate field. |
imphash | The imphash. |
MD5 | The MD5 hash. |
Modified Date | When the file was modified on the origin. |
Path | The path to the file. |
Quarantined | Was the file quarantined? |
SHA1 | The SHA1 hash. |
SHA256 | The SHA256 hash. |
SHA512 | The SHA512 hash. |
Size | The file size. |
SSDeep | The SSDeep hash. |
Represents an IP address and its subnet (CIDR). If no subnet is provided, the address is treated as a single IP (same as a /32 subnet).
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Blocked | A Boolean switch to mark the object as blocked in the user environment. |
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Geo Country | The country where the object is located. |
Geo Location | A set of geographic coordinates for the object. |
WHOIS records | Any records from WHOIS about the domain (GRID). |
Represents the properties of a uniform resource locator.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Blocked | A Boolean switch to mark the object as blocked in the user environment. |
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Certificates | Any certificates issued for the domain. |
STIX Domain Objects (SDO)
Attack patterns are a type of TTP (Tactics, Techniques and Procedures) that describe ways adversaries attempt to compromise targets. Attack patterns help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is spear phishing, where an attacker sends a carefully crafted email message with the intent of getting the target to click a link or open an attachment that delivers malware. Attack patterns can also be more specific, such as spear phishing by a particular threat actor (for example, an email saying the target won a contest).
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Kill Chain Phases | The list of kill chain phases this Attack Pattern is used for. |
External References | List of external references consisting of a source and ID. For example, |
A campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an intrusion set.
Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specifically for conducting that campaign.
Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, malware, tools, etc.) they use.
For example, a campaign can describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2020 to gain secret information about an upcoming merger with another bank.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Aliases | Alternative names used to identify this campaign. |
Objective | The campaign’s primary goal, objective, desired outcome, or intended effect. |
A course of action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls), but can also describe higher level actions such as employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Action | Reserved to capture structured/automated courses of action. |
To preserve backward compatibility, our vulnerability indicator is referred to as CVE, but it is equivalent to the Vulnerability object defined by STIX. Unlike STIX, in TIM the object is identified by its CVE number. A vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (code) found in software and some hardware components (firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
CVSS Version | The version of the CVSS scoring system. |
CVSS Score | The score given to the CVE. |
CVSS Vector | The full CVSS vector. |
CVSS Table | All CVSS data by Metric - Value pairs. |
The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources that support some purpose (for example, C2 servers used as part of an attack, a device or server that is part of a defense, and database servers targeted by an attack). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Aliases | Alternative names used to identify this infrastructure. |
Infrastructure types | The type of infrastructure being described. Values should come from STIX |
An intrusion set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An intrusion set may capture multiple campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown threat actor. New activity can be attributed to an intrusion set even if the threat actors behind the attack are not known. Threat actors can move from supporting one intrusion set to supporting another, or they may support multiple intrusion sets.
Whereas a campaign is a set of attacks over a period of time against a specific set of targets to achieve an objective, an intrusion set is the entire attack package and may be used over a very long period of time in multiple campaigns to achieve potentially multiple purposes.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Aliases | Alternative names used to identify this intrusion set. |
Goals | The high-level goals of this intrusion set, what it is trying to do. |
Primary Motivation | The primary reason, motivation, or purpose behind this intrusion set. Values should come from STIX |
Secondary Motivation | The secondary reason, motivation, or purpose behind this intrusion set. Values should come from STIX |
Resource level | Specifies the organizational level at which this intrusion set typically works. Values should come from STIX |
Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Aliases | A list of other names the malware is known as. |
Architecture | The processor architectures (for exmple, x86, ARM) that the malware instance or family is executable on. The values should come from the STIX |
Capabilities | Any of the capabilities identified for the malware instance or family. The values should come from STIX |
Implementation Languages | The programming language(s) used to implement the malware instance or family. The values should come from the STIX |
Is Malware Family | Whether the object represents a malware family (if true) or a malware instance (if false). |
Malware Types | Which type of malware. Values should come from STIX |
Operating System Refs | Identifier of a software object. |
Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Publications | Links to publications of the report. |
Threat actors are individuals, groups, or organizations believed to be operating with malicious intent. A threat actor is not an intrusion set but may support or be affiliated with various intrusion sets, groups, or organizations over time.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Alias | A list of other names the threat actor is known as. |
Geo country | The country the threat actor is associated with. |
Goals | The high-level goals of this threat actor, what it is trying to do. |
Resource Level | The organizational level at which this threat actor typically works. Values for this property should come from STIX |
Primary Motivation | The primary reason, motivation, or purpose behind this threat actor. Values for this property should come from STIX |
Secondary Motivation | The secondary reasons, motivations, or purposes behind this threat actor. Values for this property should come from STIX |
Sophistication | The skill, specific knowledge, special training, or expertise a threat actor must have to perform the attack. Values for this property should come from STIX |
Threat actor type | The type(s) of this threat actor. Values should come from STIX |
Tools are legitimate software used by threat actors to perform attacks. Knowing how and when threat actors use such tools can help understand how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even regular users. Remote access tools such as RDP and network scanning tools such as Nmap are examples of tools that may be used by a threat actor during an attack.
System Fields | Description |
|---|---|
Value | Defines the indicator on Cortex XSOAR. The value is the main key for the object in the system. |
Verdict | Malicious, Suspicious, Benign, or Unknown. |
Expiration | The expiration date of the object. |
Source Time Stamp | When the object was created in the system. |
Modified | When the object was last modified. |
Custom Fields - Core | Description |
|---|---|
Community Notes | Comments and free form notes regarding the indicator. |
Description | The description of the object. |
STIX ID | The STIX ID for the object in the format of |
Tags | Tags attached to the object. |
Traffic Light Protocol | Red, Amber, Green, or White. |
Custom Fields - Unique | Description |
|---|---|
Alias | Alternative names used to identify this tool. |
Tool Types | The kind(s) of tool(s) being described. Values for this property should come from STIX |
Tool Version | The version identifier associated with the tool. |
Kill Chain Phases | The list of kill chain phases this attack pattern is used for. |