Alert Format
Hugo Soszynski edited this page Jul 17, 2020 · 1 revision
```json
{
  "alert_type": "darwin",
  "alert_subtype": "<filter_name>",
  "alert_time": "<ISO8601>",
  "level": "high",
  "rule_name": "<rule_name>",
  "tags": ["<tag_0>", "<tag_1>", ...],
  "entry": "<filter_input>",
  "score": <integer>,
  "details": {
    "feed": "<the_threat_intell_feed_name>",
    "description": "<threat_description>",
    "udp_nb_host": <float, number of unique hosts contacted via UDP>,
    "udp_nb_port": <float, number of unique ports contacted via UDP>,
    "tcp_nb_host": <float, number of unique hosts contacted via TCP>,
    "tcp_nb_port": <float, number of unique ports contacted via TCP>,
    "distance": <float, distance to the closest normal asset>
  }
}
```
The `rule_name` field contains a short description of the alert for display purposes.

The fields in the `details` object vary with the filter that raised the alert; refer to that filter's documentation for their meaning.
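A consumer of these alerts (a SIEM connector, a log pipeline) should check the record against the format above before acting on it, because `details` is filter-specific and a malformed alert is easy to mis-parse. The following validator is an added example written for this page, not code from the Darwin project. It takes the top-level field names and types from the template above, treats the listed `details` keys as optional (present or not depending on the filter), tolerates detail keys it does not know, and runs on a constructed sample alert whose values are invented.

```python
# Added example (not part of the Darwin project): validate a Darwin alert
# record against the format documented on this page before ingesting it.
import json
from datetime import datetime

# Top-level fields every alert carries, with the type the template gives them.
REQUIRED_FIELDS = {
    "alert_type": str,
    "alert_subtype": str,
    "alert_time": str,
    "level": str,
    "rule_name": str,
    "tags": list,
    "entry": str,
    "score": int,
    "details": dict,
}

# Detail keys listed on the page and their documented types. Which of them
# are present depends on the filter that raised the alert, so none is required.
KNOWN_DETAIL_TYPES = {
    "feed": str,
    "description": str,
    "udp_nb_host": float,
    "udp_nb_port": float,
    "tcp_nb_host": float,
    "tcp_nb_port": float,
    "distance": float,
}


def _is_number(value):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_alert(raw):
    """Parse a JSON alert and return a list of problems (empty when well-formed)."""
    try:
        alert = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(alert, dict):
        return ["top-level value is not an object"]

    problems = []
    for name, expected in REQUIRED_FIELDS.items():
        if name not in alert:
            problems.append(f"missing field {name!r}")
        elif expected is int and not _is_number(alert[name]) or \
                expected is not int and not isinstance(alert[name], expected):
            problems.append(f"field {name!r} should be {expected.__name__}")

    if alert.get("alert_type") != "darwin":
        problems.append("alert_type is not 'darwin'")

    # alert_time must be ISO 8601; fromisoformat handles the common forms
    # once a trailing 'Z' is rewritten as an explicit UTC offset.
    time_value = alert.get("alert_time")
    if isinstance(time_value, str):
        try:
            datetime.fromisoformat(time_value.replace("Z", "+00:00"))
        except ValueError:
            problems.append("alert_time is not ISO 8601")

    tags = alert.get("tags")
    if isinstance(tags, list) and not all(isinstance(t, str) for t in tags):
        problems.append("tags must all be strings")

    details = alert.get("details")
    if isinstance(details, dict):
        for key, value in details.items():
            expected = KNOWN_DETAIL_TYPES.get(key)
            if expected is None:
                continue  # unknown keys are allowed: details are filter-specific
            ok = _is_number(value) if expected is float else isinstance(value, expected)
            if not ok:
                problems.append(f"details.{key} should be {expected.__name__}")
    return problems


# Constructed sample alert; the subtype, address and numbers are invented.
SAMPLE_ALERT = json.dumps({
    "alert_type": "darwin",
    "alert_subtype": "example_filter",
    "alert_time": "2020-07-17T10:15:30Z",
    "level": "high",
    "rule_name": "Unusual number of TCP ports contacted",
    "tags": ["anomaly", "network"],
    "entry": "192.0.2.10",
    "score": 87,
    "details": {
        "udp_nb_host": 1.0,
        "udp_nb_port": 2.0,
        "tcp_nb_host": 14.0,
        "tcp_nb_port": 350.0,
        "distance": 4.2,
    },
})

if __name__ == "__main__":
    for line in validate_alert(SAMPLE_ALERT) or ["alert is well-formed"]:
        print(line)
```

Because `details` is filter-specific, the validator only type-checks the keys this page documents and lets others through; a pipeline that needs stricter checks for one filter would add that filter's keys to `KNOWN_DETAIL_TYPES` from the filter's own documentation.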