Alert Fields

  • For messages that are an alert, such as an IDS alert
  • For Vendor alert severity levels the vendor_event_severity* fields will be used
Alert Fields
Field Name Example Values Field Type Notes
alert_definitions_version 2020.1 , 4092348 keyword Version or identification value that indicates the version a collection of signatures (A/V, etc.) is in use
alert_category malware, trojan, ransomware keyword Future: How do we define this field considering vendors will have their own categories? Or is that not a concern? Possibly movie this to derived fields & set only allowed values
alert_indicator malware.exe, http://badsite keyword A filename, URL, packet snippet or other artifact that is related to the event that caused the alert to be generated.
alert_signature   keyword Vendor-provided Alert text description
alert_signature_id   keyword Vendor specific unique identifier for alert signature (e.g., 1:1905345:5 for Snort signatures.)
Derived and Enriched Fields (values will be derived or added from external sources)
Field Name Example Values Field Type Notes
alert_severity critical, high, medium, low, informational keyword Severity of Alert
alert_severity_level 1-5 byte Numeric representation of the severity rating of the source message: 1 = Critical, 2 = High, 3 = Medium, 4 = Low, 5 = Informational