- For messages that are an alert, such as an IDS alert
- For vendor alert severity levels, the vendor_event_severity* fields will be used
Field Name | Example Values | Field Type | Notes |
---|---|---|---|
alert_definitions_version | 2020.14092348 | keyword | Version or identification value that indicates the version of the collection of signatures (A/V etc.) in use |
alert_category | malware, trojan, ransomware | keyword | Future: How do we define this field considering vendors will have their own categories? Or is that not a concern? Possibly move this to derived fields & set only allowed values |
alert_indicator | malware.exe, http://badsite | keyword | A filename, URL, packet snippet or other artifact that is related to the event that caused the alert to be generated. |
alert_response_level | 0, 1, 2 | byte | Numeric value representing the type of action taken in response to an alert/threat. 0 = Nothing (allowed, ignored), 1 = prevent (blocked, quarantined), 2 = eradicate (deleted). This allows the use of numeric functions to detect unblocked threats where products may log multiple events for a single threat. |
 | | keyword | Vendor-provided alert text description |
alert_signature_id | | keyword | Vendor-specific unique identifier for alert signature (e.g., 1:1905345:5 for Snort signatures.) |
alert_severity | critical, high, medium, low, informational | keyword | Severity of alert |
alert_severity_level | 1-5 | byte | Numeric representation of the severity rating of the source message: 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical |
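The alert_response_level and alert_severity_level notes above describe why these fields are numeric: products often emit several events for one threat (a detection followed by a quarantine, for instance), and a numeric field lets a detection rule take the maximum response per threat instead of alerting on the first event. The following Python is an added example illustrating that approach; it is not code from the schema page or any vendor. The event records, the host values and the `host` field used as part of the grouping key are constructed assumptions; the severity keywords, level numbers, response values and the Snort-style signature id are taken from the table.

```python
# Mapping from alert_severity keywords to alert_severity_level values,
# exactly as given in the field table.
SEVERITY_LEVEL = {
    "informational": 1,
    "low": 2,
    "medium": 3,
    "high": 4,
    "critical": 5,
}

# alert_response_level values from the field table.
RESPONSE_NOTHING = 0    # allowed, ignored
RESPONSE_PREVENT = 1    # blocked, quarantined
RESPONSE_ERADICATE = 2  # deleted


def severity_to_level(severity):
    """Return the alert_severity_level for an alert_severity keyword.

    Returns None for missing or unrecognised values so callers can treat
    unmapped vendor severities explicitly rather than as "informational".
    """
    if severity is None:
        return None
    return SEVERITY_LEVEL.get(severity.strip().lower())


def unblocked_threats(events, min_severity_level=1):
    """Return (host, alert_indicator) pairs for threats that were never stopped.

    Taking the maximum alert_response_level per (host, indicator) collapses
    the multiple events a product may log for one threat into a single
    verdict: a threat counts as unblocked only when no event for it reports
    a response above RESPONSE_NOTHING. Threats whose highest observed
    severity level is below min_severity_level are filtered out.
    """
    max_response = {}
    max_severity = {}
    for ev in events:
        key = (ev.get("host"), ev.get("alert_indicator"))
        level = ev.get("alert_response_level")
        if level is None:
            continue  # event carries no response information; cannot contribute a verdict
        max_response[key] = max(max_response.get(key, RESPONSE_NOTHING), level)
        sev = severity_to_level(ev.get("alert_severity")) or 0
        max_severity[key] = max(max_severity.get(key, 0), sev)
    return sorted(
        key
        for key, level in max_response.items()
        if level == RESPONSE_NOTHING and max_severity[key] >= min_severity_level
    )


# Constructed sample events (hostnames and indicators other than those in the
# table are made up for this example).
SAMPLE_EVENTS = [
    {"host": "ws-01", "alert_indicator": "malware.exe", "alert_severity": "high",
     "alert_response_level": 0, "alert_signature_id": "1:1905345:5"},
    {"host": "ws-01", "alert_indicator": "malware.exe", "alert_severity": "high",
     "alert_response_level": 1},  # quarantine event for the same threat
    {"host": "ws-02", "alert_indicator": "http://badsite", "alert_severity": "medium",
     "alert_response_level": 0},
    {"host": "ws-03", "alert_indicator": "dropper.dll", "alert_severity": "critical",
     "alert_response_level": 2},
    {"host": "ws-04", "alert_indicator": "tracker.js", "alert_severity": "informational",
     "alert_response_level": 0},
]

if __name__ == "__main__":
    for host, indicator in unblocked_threats(SAMPLE_EVENTS, min_severity_level=2):
        print(f"unblocked threat on {host}: {indicator}")
```

With the sample events, ws-01 is not reported even though its first event has response level 0, because the later quarantine event raises the per-threat maximum to 1; ws-02 and ws-04 are the only threats with no stopping action, and the severity filter at level 2 drops the informational one.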