Alert Fields

  • For messages that are an alert, such as an IDS alert
  • For vendor-specific alert severity levels, the vendor_event_severity* fields are used; the alert_severity* fields below hold the normalized values
Alert Fields
| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| alert_definitions_version | 2020.1, 4092348 | keyword | Version or identification value that indicates which version of a signature collection (A/V, etc.) is in use |
| alert_category | malware, trojan, ransomware | keyword | Future: How do we define this field considering vendors will have their own categories? Or is that not a concern? Possibly move this to derived fields and set only allowed values |
| alert_indicator | malware.exe, http://badsite | keyword | A filename, URL, packet snippet or other artifact related to the event that caused the alert to be generated |
| alert_response_level | 0, 1, 2 | byte | Numeric value representing the type of action taken in response to an alert/threat. 0 = nothing (allowed, ignored), 1 = prevent (blocked, quarantined), 2 = eradicate (deleted). This allows the use of numeric functions (e.g., max per threat) to detect unblocked threats where products may log multiple events for a single threat |
| alert_signature | | keyword | Vendor-provided alert text description |
| alert_signature_id | | keyword | Vendor-specific unique identifier for the alert signature (e.g., 1:1905345:5 for Snort signatures) |
Derived and Enriched Fields (values will be derived or added from external sources)
| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| alert_severity | critical, high, medium, low, informational | keyword | Severity of alert |
| alert_severity_level | 1-5 | byte | Numeric representation of the severity rating of the source message: 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical |
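The following is an added example, not part of the schema page itself: it derives alert_severity, alert_severity_level and alert_response_level from a vendor event and then uses the numeric response level, as the notes above suggest, to find threats that were logged but never blocked. The vendor field names (vendor_event_severity, vendor_action), the vendor severity vocabulary and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# alert_severity_level as documented: 1 = informational ... 5 = critical
SEVERITY_LEVELS = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# alert_response_level as documented: 0 = nothing, 1 = prevent, 2 = eradicate
RESPONSE_LEVELS = {"allowed": 0, "ignored": 0, "blocked": 1, "quarantined": 1, "deleted": 2}

# Hypothetical vendor severity vocabulary mapped onto the schema's alert_severity keywords
VENDOR_SEVERITY_MAP = {"info": "informational", "warn": "medium", "crit": "critical"}


def normalize_alert(vendor_event):
    """Map one vendor event (assumed field names) onto the alert_* schema fields."""
    vendor_sev = vendor_event.get("vendor_event_severity", "").lower()
    if vendor_sev not in VENDOR_SEVERITY_MAP:
        # Fail loudly rather than silently downgrading an unknown severity
        raise ValueError(f"unmapped vendor severity: {vendor_sev!r}")
    severity = VENDOR_SEVERITY_MAP[vendor_sev]
    action = vendor_event.get("vendor_action", "ignored").lower()
    return {
        "alert_indicator": vendor_event.get("indicator"),
        "alert_signature_id": vendor_event.get("sig_id"),
        "alert_severity": severity,
        "alert_severity_level": SEVERITY_LEVELS[severity],
        "alert_response_level": RESPONSE_LEVELS.get(action, 0),  # unknown action = no response seen
    }


def unblocked_indicators(events):
    """Indicators whose highest alert_response_level across all events is 0 (never prevented)."""
    best = defaultdict(int)
    for event in events:
        alert = normalize_alert(event)
        key = alert["alert_indicator"]
        best[key] = max(best[key], alert["alert_response_level"])
    return sorted(ind for ind, level in best.items() if level == 0)


# Constructed sample events: malware.exe is detected, then quarantined in a second event;
# http://badsite is only ever detected, so it should be flagged.
SAMPLE_EVENTS = [
    {"indicator": "malware.exe", "sig_id": "1:1905345:5", "vendor_event_severity": "crit", "vendor_action": "allowed"},
    {"indicator": "malware.exe", "sig_id": "1:1905345:5", "vendor_event_severity": "crit", "vendor_action": "quarantined"},
    {"indicator": "http://badsite", "sig_id": "1:2000:1", "vendor_event_severity": "warn", "vendor_action": "allowed"},
]

if __name__ == "__main__":
    print(unblocked_indicators(SAMPLE_EVENTS))  # ['http://badsite']
```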