Incident Schema

You can refer to this incident schema to configure the payload template for a third-party templated connection.

Schema

JSON

{
  "accountId": number,
  "analytic_name": "sample_analytic",
  "asset_deployment_type": "string",
  "asset_host_name": "string",
  "asset_native_account_id": "string",
  "assets": {
    "al__deployment": "string",
    "al__subnet": "string",
    "al__vpn": "string"
  },
  "associatedEventCount": number,
  "associatedLogCount": number,
  "attacker": {
    "account": "string",
    "instanceId": "string",
    "ip": "string",
    "port": number,
    "region": "string",
    "value": "string"
  },
  "attacker_country_code": "string",
  "attacker_country_name": "string",
  "attacker_lset": [
    {
      "ip": "string"
    },
    {
      "value": "string"
    }
  ],
  "correlation_id": "string",
  "correlation_name": "string",
  "createTime": number,
  "createtime_str": "string",
  "customer": "string", 
  "customer_feedback": {
    "feedback": "string",
    "feedback_datetime": "string",
    "feedback_reason": "string",
    "feedback_uid": "string",
    "feedback_user": "string"
  },  
  "customer_status": {
    "notes": "string",
    "reason_code": "string",
    "status": "string",
    "status_change_time": "string"
  },
  "geo_ip_map": {
    "string": {
      "city": "string",
      "continentcode": "string",
      "country": "string",
      "countryname": "string",
      "ip": "string",
      "latitude": number,
      "longitude": number,
      "postcode": "string",
      "regioncode": "string",
      "regionname": "string"
    }
  },
  "humanFriendlyId": "string", 
  "incident": {
    "attackClassId_str": "string",
    "description": "string",
    "escalated": "string",
    "recommendations": "string",
    "summary": "string",
    "threatRating": "string"
  }, 
  "incident_threat_rating": "string",
  "incidentId": "string",
  "keys": {},
  "mitre_classification": [
    {
        "tactic": "string",
        "technique": "string"
    }
  ],
  "notes": {
    "otherNotes": [
      {
        "date": "string",
        "note": "string",
        "who": "string"
      }
    ]
  }, 
  "path": "string",
  "properties": {},
  "snooze_status": { 
    "expiration": number,
    "expiration_str": "string",
    "notes": "string", 
    "period_ms": number,
    "reactivates_at": "string",
    "reason_code": "string",
    "snooze_by": "string",
    "snooze_by_uid": "string",
    "snoozed": boolean
  },
  "snooze_status_snoozed": boolean,
  "sources": [
    "string"
  ],
  "updateTime": number,
  "updatetime_str": "string",
  "victim": {
    "ip": "string",
    "value": "['string']"
  },
  "victim_lset": [
    {
      "ip": "string"
    },
    {
      "value": "['string']"
    }
  ],
  "extra": { 
    "analyst_notes": [{
      "date": "string",
      "note": "string"
    }],
    "class": "string",
    "incidentUrl": "string",
    "investigation_report": "string",
    "is_escalated": boolean,    
    "location_ip": ["string"],
    "recommendations": "string",
    "status": "string",
    "target_host": ["string"]
  }
}

Definitions

  • accountId (number) – Alert Logic customer account identifier (example: 12345678)
  • analytic_name (string) - The analytic that generated this incident; this field can be used in the Threat Intel Center to find more information about the analytic
  • asset_deployment_type (string) – Deployment type of the asset on which the incident occurred (example: aws)

    Valid values: datacenter, aws, saas, azure

  • asset_host_name (string) – Host name of the asset on which the incident occurred (example: 10.1.2.3)

  • asset_native_account_id (string) – Native account identifier of the asset on which the incident occurred, such as the AWS or Azure account ID (example: 123456789012)

  • assets (object) - Information about the asset or assets affected by the incident (used internally; some or all fields might not be present)

    • al__deployment (string) – Name of the deployment affected by the incident (example: AWS Production Deployment)

    • al__subnet (string) – Name of the subnet affected by the incident (example: subnet-a412345g)

    • al__vpc (string) – Name of the virtual private cloud (VPC) affected by the incident (example: vpc-12345678). Note that the schema and the sample JSON on this page spell this key al__vpn; confirm the key name against a live payload before referencing it in a template.

  • associatedEventCount (number) - Number of events associated with the incident (example: 2)

  • associatedLogCount (number) - Number of logs associated with the incident (example: 2)

  • attacker (object) – Information about the attacker, if it can be determined

    • account (string) – Cloud native account identifier (example: 123456789012)

    • instanceId (string) – Cloud instance identifier of the attacker (example: i-0a159b2a553285ebb)

    • ip (string) – IP address of the attacker for the incident (example: 10.10.10.12)

    • port (number) - Port number of the attacker for the incident (example: 40814)

    • region (string) – Cloud region of the attacker (example: us-east-2)

    • value (string) - User name, applies to attacks originating from a user instead of an IP address (example: SomeAttacker)

  • attacker_country_code (string) – Two-letter ISO 3166-1 alpha-2 code of the country where the attacker is located, if it can be determined (example: BR)

  • attacker_country_name (string) – Name of the country where the attacker is located, if it can be determined (example: Brazil)

  • attacker_lset (array) - List of attacker entries; each entry is an object that contains either ip or value, so one list can mix IP-based and user-based attackers

    • ip (string) – IP address of one attacker for the incident (example: 203.0.113.1)

    • value (string) – User name of one attacker, applies to attacks originating from a user instead of an IP address (example: SomeAttacker)

  • correlation_id (string) – Uppercase full UUID of an incident generated by a correlation (example: 5F36660A-0015-0120-0002-104300000000)

  • correlation_name (string) – Name of the correlation for an incident generated by a correlation rule (example: Admin Failed Login Correlation)

  • createTime (number) – Unix epoch time in seconds when the incident arrived at the Alert Logic server; the value can carry a fractional part, as in the sample JSON on this page (example: 1597058547)

  • createtime_str (string) – ISO date and time in UTC when the incident arrived in the Alert Logic server (example: 2020-08-10T11:22:27.799796+00:00)

  • customer (string) – Name of the Alert Logic customer account affected by the incident (example: XYZ Corporation)

  • customer_feedback (object) - Customer feedback information about the incident

    • feedback (string) – Text of the customer feedback (example: The wiggle probe server 10.123.10.57 is making multiple failed login attempts to the James MSSQL servers at INC001DB03G, INC001DB06G, inc001db04g and inc001db05g. This is expected activity in the James environment. \nINC076660)

    • feedback_datetime (string) – ISO date and time in UTC when the customer entered feedback (example: 2020-08-14T09:57:35.535995+00:00)

    • feedback_reason (string) – Feedback assessment (example: threat_not_valid)

    • feedback_uid (string) – User ID of the user who entered the feedback (example: 423A54CE-105F-4089-B713-10A303DE0938)

    • feedback_user (string) – Name and email address of the user who entered the feedback (example: CustomerFirstName CustomerLastName username@xyz.com)

  • customer_status (object) - Incident status information set by the customer

    • notes (string) – Incident assessment notes written by the customer (example: The wiggle probe server 10.123.10.57 is making multiple failed login attempts to the James MSSQL servers at INC001DB03G, INC001DB06G, inc001db04g and inc001db05g. This is expected activity in the James environment. \nINC076660)

    • reason_code (string) – Reason for the incident status change (example: threat_not_valid)

    • status (string) – Incident status set by the customer (example: completed)

      Valid values: open, completed

    • status_change_time (string) – ISO date and time in UTC when the customer changed the incident status (example: 2020-08-10T11:22:27.799796+00:00)

  • geo_ip_map (object) – Geographical information for the attacker IP addresses, keyed by IP address string rather than stored as an array; each value is an object with the following fields

    • city (string) – City in which the IP address is located (example: Palmares do Sul)

    • continentcode (string) – Two-letter ISO code of the continent in which the IP address is located (example: SA)

    • country (string) – Two-letter ISO code of the country in which the IP address is located (example: BR)

    • countryname (string) – Name of the country in which the IP address is located (example: Brazil)

    • ip (string) – IP address (example: 86.34.222.99)

    • latitude (number) – Latitude in which the IP address is located (example: -30.3465)

    • longitude (number) – Longitude in which the IP address is located (example: -50.5482)

    • postcode (string) – Postal code in which the IP address is located (example: 95540)

    • regioncode (string) – ISO region code in which the IP address is located (example: RS)

    • regionname (string) – Name of the region in which the IP address is located (example: Rio Grande do Sul)

  • humanFriendlyId (string) – Short incident ID (example: ww1k39)

  • incident (object) – Information about the incident

    • attackClassId_str (string) – Incident classification (example: authentication:activity)

    • description (string) – Incident explanation (example: **Attack Detail**: \n**Attacker:** 172.31.37.117, local_ip \n**Targets:** 122.99.34.111, 172.31.37.90, and 172.31.39.79 \n We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.)

    • escalated (string) – Whether an Alert Logic SOC analyst escalated the incident (example: true)

      Valid values: true, false. The sample JSON on this page emits this field as a JSON boolean rather than a string, so a template or receiver should accept both forms.

    • recommendations (string) – Recommended actions in response to the incident (example: A compromised host should be isolated from the network and cleaned. Remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.)

    • summary (string) – Brief description of the incident that is suitable as a title or message subject (example: Brute force attempt from 1.2.3.4)

    • threatRating (string) – Incident threat level after analysis (example: Medium)

       Valid values: Critical, High, Medium, Low, Info

  • incident_threat_rating (string) – Incident threat level after analysis. Alert Logic recommends that you use incident.threatRating instead.

    Valid values: Critical, High, Medium, Low, Info

  • incidentId (string) – Unique incident identifier. For Managed Detection and Response incidents, the value is the full uppercase UUID. For Cloud Defender incidents, the value is a 64-bit identifier written as 16 hexadecimal characters. (Examples: 5F36660A-0015-0120-0002-104300000000 or ea1118de147187ba)

  • keys (object) – Incident-specific attributes, with content depending on the incident type and subject to change as Alert Logic updates analytics (example: {"destination_host": "example-machine.org"})

  • mitre_classification (array) - MITRE ATT&CK classifications relevant to the incident

    • tactic (string) - Determined MITRE ATT&CK tactic based on its detection within your environment (example: Initial Access)

    • technique (string) - Determined MITRE ATT&CK technique based on its detection within your environment (example: Exploit Public-Facing Application)

  • notes (object) - Notes added by Alert Logic SOC analysts

    • otherNotes (array) - List of note objects, one per note added by an Alert Logic analyst

      • date (string) - ISO date and time in UTC when the analyst added the note (example: 2020-08-10T11:22:27.799796+00:00)

      • note (string) - Text of the note added by the analyst (example: Normal Activity:\nThere was 1 AWS EC2 Run Instances event with 1 User Type AssumedRole, 1 userName null, 1 sourceIPAddress autoscaling.amazonaws.com, 1 errorCode null, 1 errorMessage null, 1 ARN arn:aws:sts::261161298046:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling, and 1 eventVersion 1.05.\nThis activity occurred on August 13, 2020 between 6:33:00pm and 6:33:00pm EDT.\nCaptured by 1 Log Source US-West-2-OpsTrail.\n\nThere is no unusual activity.)

      • who (string) - Name and email address of the analyst who added the note (example: AnalystFirstName AnalystLastName <username@alertlogic.com>)

  • path (string) - Unique logical name and path of the incident analytic in the Alert Logic console (example: Authentication/UserLoginFailures)

  • properties (object) - Properties of the incident, with content depending on the incident analytic and subject to change as Alert Logic updates analytics (example: {"victim": "example-machine.org", "message_types": ["SentinelOne Event"], "message_ids": [], "file_paths": [], "file_names": [], "file_hashes": ["example_hash"], "event_ids": [19], "event_count": 1})

  • snooze_status (object) - Information about an incident temporarily removed from the incident list with the snooze feature

    • expiration (number) - Unix epoch time in seconds, with a fractional part, when the snooze is set to expire (example: 1597737611.136183)

    • expiration_str (string) - ISO date and time in UTC when snooze expires (example: 2020-08-10T11:22:27.799796+00:00)

    • notes (string) - Notes added when the incident was snoozed (example: Check with Sally tomorrow)

    • period_ms (number) - Snooze time period in milliseconds (example: 60000)

    • reactivates_at (string) - Time when the incident reactivates and the snooze ends (example: 2020-08-10T11:22:27.799796+00:00). The sample JSON on this page shows this field in a space-separated form without a time zone suffix (2020-08-18 08:00:11.136183), unlike expiration_str; prefer expiration_str when you need a parseable UTC timestamp.

    • reason_code (string) - Snooze duration selected (example: tomorrow)

      Valid values: tomorrow, in couple of days, next week, in two weeks

    • snooze_by (string) - Name and email address of the user who snoozed the incident (example: CustomerFirstName CustomerLastName username@xyz.com)

    • snooze_by_uid (string) - User ID of the user who snoozed the incident (example: CBAA2703-B7F6-43E6-8B17-F75A04A5423E)

    • snoozed (Boolean) - Whether the incident is snoozed (example: true)

      Valid values: true, false

  • snooze_status_snoozed (Boolean) - Whether the incident is snoozed, extracted from snooze_status (example: true). Alert Logic recommends that you use snooze_status.snoozed instead; in the sample JSON on this page the two fields disagree (snooze_status.snoozed is true while snooze_status_snoozed is false), so do not rely on this flattened copy.

    Valid values: true, false

  • sources (array) - List that contains one entry that indicates the telemetry source of the incident (examples: logreview, IDS, LOG, CLOG, FW)

  • updateTime (number) - Epoch time of the last update to the incident (example: 1597348547)

  • updatetime_str (string) - ISO date and time in UTC of the last update to the incident (example: 2020-09-11T16:23:47.734796+00:00)

  • victim (object) - Information about the target of the incident, if it can be determined

    • ip (string) – IP address of the target for the incident (example: 203.0.113.1)

    • value (string) - User name, applies to attacks that target a user instead of an IP address (example: SomeTarget). When several users are targeted, the value is a single string that contains a Python-style list literal, such as "['username1', 'username2']" in the sample JSON on this page, not a JSON array; a template or receiver that expects an array must parse the string.

  • victim_lset (array) - List of target entries, each an object that contains either ip or value, if the targets could be determined

    • ip (string) – IP address of one target of the incident (example: 203.0.113.1)

    • value (string) - User name of one or more targeted users, applies to attacks that target a user instead of an IP address (example: SomeTarget). As with victim.value, multiple users appear as a list literal inside one string.

  • extra (object) - Fields retained for compatibility with existing templates; each one has a preferred equivalent elsewhere in the schema, noted below

    • analyst_notes (array) - All the analyst notes for the incident

      • date (string) - Date and time when the analyst added the note, in a human-readable rather than ISO format (example: 15th Mar 2020 10:21:00 GMT). Alert Logic recommends that you use notes.otherNotes.date instead.

      • note (string) - Text of the note added by the analyst (example: This looks suspicious.) Alert Logic recommends that you use notes.otherNotes.note instead.

    • class (string) - Incident classification (example: authentication:activity). Alert Logic recommends that you use incident.attackClassId_str instead.

    • incidentUrl (string) - URL that links to the incident in the Alert Logic console (example: https://console.alertlogic.com/fake/incident/url)

    • investigation_report (string) - Incident description that may contain HTML formatting elements (example: <p><strong>Attack Detail</strong>:<br><strong>Attacker:</strong> 172.31.37.117, local_ip <strong>Targets:</strong> 122.99.34.111, 172.31.37.90, and 172.31.39.79 We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.</p>). Alert Logic recommends that you use incident.description instead.

    • is_escalated (Boolean) - Whether an Alert Logic SOC analyst escalated the incident (example: true). Alert Logic recommends that you use incident.escalated instead.

      Valid values: true, false

    • location_ip (array) - One or more IP addresses, if determined, of the attacker for an incident (example: 10.10.10.12). Alert Logic recommends that you use attacker_lset.ip instead.

    • recommendations (string) - Text of the recommendations from the incident investigation report, if any, that may contain HTML formatting elements (example: <p>A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.</p>). Alert Logic recommends that you use incident.recommendations instead.

    • status (string) - Incident status set by the customer (example: closed). Alert Logic recommends that you use customer_status.status instead; note that the vocabulary differs, as the sample JSON on this page shows closed here and completed in customer_status.status.

    • target_host (array) - One or more IP addresses, if determined, of the target affected by the incident. Alert Logic recommends that you use victim_lset.ip instead.

Sample JSON

Alert Logic uses this JSON object to test templated connections with an Incident payload type.

JSON

{
  "accountId": 2,
  "asset_deployment_type": "aws",
  "asset_host_name": "10.1.2.3",
  "asset_native_account_id": "2",
  "assets": {
    "al__deployment": "AWS Production Deployment",
    "al__subnet": "subnet-a412345g",
    "al__vpn": "vpc-12345678"
   },
  "associatedEventCount": 2,
  "associatedLogCount": 2,
  "attacker": {
    "account": "2",
    "instanceId": "i-0a159b2a553285ebb",
    "ip": "10.10.10.12",
    "port": 40814,
    "region": "us-east-2"
  },
  "attacker_country_code": "BR",
  "attacker_country_name": "Brazil",
  "attacker_lset": [
    {
      "ip": "86.34.222.99"
    },
    {
      "value": "SomeAttacker"
    }
  ],
  "correlation_id": "5F36660A-0015-0120-0002-104300000000",
  "correlation_name": "Admin Failed Login Correlation",
  "createTime": 1594153092.2202642,
  "createtime_str": "2020-07-07T20:18:12.220264+00:00",
  "customer": "XYZ Corporation",
  "customer_feedback": {
    "feedback": "The wiggle probe server 10.123.10.57 is making multiple failed login attempts to the James MSSQL servers at INC001DB03G, INC001DB06G,  inc001db04g and inc001db05g. This is expected activity in the James environment. \nINC0766607",
    "feedback_datetime": "2020-08-14T09:57:35.535995+00:00",
    "feedback_reason": "threat_not_valid",
    "feedback_uid": "423A54CE-105F-4089-B713-10A303DE0938",
    "feedback_user": "CustomerFirstName CustomerLastName username@xyz.com"
  },
  "customer_status": {
    "notes": "The wiggle probe server 10.123.10.57 is making multiple failed login attempts to the James MSSQL servers at INC001DB03G, INC001DB06G,  inc001db04g and inc001db05g. This is expected activity in the James environment. \nINC076660",
    "reason_code": "threat_not_valid",
    "status": "completed",
    "status_change_time": "2020-08-14T09:58:03.137831+00:00"
  },
  "geo_ip_map": {
    "86.34.222.99": {
      "city": "Palmares do Sul",
      "continentcode": "SA",
      "country": "BR",
      "countryname": "Brazil",
      "ip": "86.34.222.99",
      "latitude": -30.3465,
      "longitude": -50.5482,
      "postcode": "95540",
      "regioncode": "RS",
      "regionname": "Rio Grande do Sul"
    }
  },
  "humanFriendlyId": "ww1k39",
  "incident": {
    "attackClassId_str": "authentication:activity",
    "description": "**Attack Detail**:  \n**Attacker:** 172.31.37.117, local_ip \n**Targets:** 122.99.34.111, 172.31.37.90, and 172.31.39.79 \n We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.",
    "escalated": true,
    "recommendations": "A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.",
    "summary": "Brute force attempt from 1.2.3.4",
    "threatRating": "Medium"
  },
  "incident_threat_rating": "Medium",
  "incidentId": "5F04D7E3-000A-8420-0002-757900000000",
  "keys": {
    "destination_host": "example-machine.org"
  },
  "mitre_classification": [
    {
      "tactic": "Initial Access",
      "technique": "Exploit Public-Facing Application"
    }
  ],
  "notes": {
    "otherNotes": [
      {
        "date": "2020-08-13T07:22:23+00:00",
        "note": "Normal Activity:\nThere was 1 AWS EC2 Run Instances event with 1 User Type AssumedRole, 1 userName null, 1 sourceIPAddress autoscaling.amazonaws.com, 1 errorCode null, 1 errorMessage null, 1 ARN arn:aws:sts::261161298046:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling, and 1 eventVersion 1.05.\nThis activity occurred on August 13, 2020 between 6:33:00pm and 6:33:00pm EDT.\nCaptured by 1 Log Source US-West-2-OpsTrail.\n\nThere is no unusual activity.",
        "who": "AnalystFirstName AnalystLastName <username@alertlogic.com>"
      }
    ]
  },
  "path": "Authentication/UserLoginFailures",
  "properties": {
    "victim": "example-machine.org",
    "message_types": ["SentinelOne Event"],
    "message_ids": ["0AA00000-000A-00AA-A000-000000000000"],
    "file_paths": ["AAAAAAAAAAAAAAAAAAAAAA.MAL"],
    "file_names": ["AAAAAAAAAAAAAAAAAAAAAA.MAL"],
    "file_hashes": ["example_hash"],
    "event_ids": [19],
    "event_count": 1,
    "destination_usernames": [],
    "confidences": ["malicious"],
    "classifications": []
  },
  "snooze_status": {
    "expiration": 1597737611.136183,
    "expiration_str": "2020-08-18T08:00:11.136183+00:00",
    "notes": "Check with Sally tomorrow",
    "period_ms": 67124867,
    "reactivates_at": "2020-08-18 08:00:11.136183",
    "reason_code": "tomorrow",
    "snooze_by": "CustomerFirstName CustomerLastName <username@xyz.com>",
    "snooze_by_uid": "CBAA2703-B7F6-43E6-8B17-F75A04A5423E",
    "snoozed": true
  },
  "snooze_status_snoozed": false,
  "sources": [
    "LOG"
  ],
  "updateTime": 1594153098,
  "updatetime_str": "2020-07-07T20:18:18+00:00",
  "victim": {
    "value": "['username1', 'username2']"
  },
  "victim_lset": [
    {
      "value": "['username1', 'username2']"
    }
  ],
  "extra": {
    "analyst_notes": [{
      "date": "15th Mar 2020 10:21:00 GMT",
      "note": "This looks suspicious"
    }],
    "class": "authentication:activity",
    "incidentUrl": "https://console.alertlogic.com/fake/incident/url",
    "investigation_report": "<p><strong>Attack Detail</strong>:<br><strong>Attacker:</strong> 172.31.37.117, local_ip <strong>Targets:</strong> 122.99.34.111, 172.31.37.90, and 172.31.39.79 We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.</p>",
    "is_escalated": false,
    "location_ip": ["10.10.10.12"],
    "recommendations": "<p>A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.</p>",
    "status": "closed",
    "target_host": ["10.1.2.3"]
  }
}
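The definitions and the sample payload above leave a receiver with several traps: incident.escalated is declared a string but arrives as a JSON boolean, victim.value carries a Python-style list literal inside a string, geo_ip_map is keyed by IP rather than being an array, snooze_status_snoozed disagrees with snooze_status.snoozed, and several extra.* fields duplicate preferred fields under other names. The following Python is an added example, not Alert Logic code: it type-checks a payload against a subset of the schema block transcribed by hand (the "number", "string" and "boolean" tokens are the page's own), then normalizes the fields a ticketing or SOAR hook needs, preferring the fields the page recommends and falling back to their extra.* counterparts only when the preferred field is absent. The SEVERITY ranking, the "$.path" notation in error messages and the trimmed copy of the sample payload are assumptions made for the example.

```python
"""Type-check an Alert Logic incident payload against the schema on this page, then
normalize the quirks the definitions call out. Added example, not Alert Logic code."""
import ast
from datetime import datetime, timezone

# Subset of the schema block, transcribed to Python. "number", "string" and "boolean"
# are the page's own type tokens; a one-element list holds the schema of each item.
INCIDENT_SCHEMA = {
    "incidentId": "string",
    "createTime": "number",
    "incident": {"attackClassId_str": "string", "escalated": "string",
                 "summary": "string", "threatRating": "string"},
    "attacker_lset": [{"ip": "string", "value": "string"}],
    "victim_lset": [{"ip": "string", "value": "string"}],
    "snooze_status": {"snoozed": "boolean"},
    "snooze_status_snoozed": "boolean",
}
_TYPES = {"number": (int, float), "string": str, "boolean": bool}
SEVERITY = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}  # assumed ranking

def type_errors(schema, value, path="$"):
    """Return 'path: expected X, got Y' mismatches; absent keys are not errors."""
    errors = []
    if isinstance(schema, dict):
        if not isinstance(value, dict):
            return [f"{path}: expected object, got {type(value).__name__}"]
        for key, sub in schema.items():
            if key in value:
                errors += type_errors(sub, value[key], f"{path}.{key}")
    elif isinstance(schema, list):
        if not isinstance(value, list):
            return [f"{path}: expected array, got {type(value).__name__}"]
        for i, item in enumerate(value):
            errors += type_errors(schema[0], item, f"{path}[{i}]")
    else:
        # bool subclasses int in Python, so True must not pass as a "number"
        ok = isinstance(value, _TYPES[schema]) and not (schema == "number" and isinstance(value, bool))
        if not ok:
            errors.append(f"{path}: expected {schema}, got {type(value).__name__}")
    return errors

def parse_list_literal(text):
    """victim.value carries a Python-style list literal inside a JSON string, not a JSON
    array. ast.literal_eval parses literals only, so a hostile username cannot run code."""
    try:
        parsed = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return [text]  # a bare username, not a list literal
    return [str(x) for x in parsed] if isinstance(parsed, (list, tuple)) else [text]

def as_bool(value):
    """incident.escalated is declared a string but the sample emits a JSON boolean."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

def normalize_incident(payload):
    """Flatten what a hook needs, preferring non-legacy fields over their extra.* twins."""
    incident, extra = payload.get("incident", {}), payload.get("extra", {})
    geo = payload.get("geo_ip_map", {})  # keyed by IP address string, not an array
    attackers, victims = [], []
    for entry in payload.get("attacker_lset", []):
        if "ip" in entry:
            attackers.append(("ip", entry["ip"]))
        if "value" in entry:
            attackers.append(("user", entry["value"]))
    for entry in payload.get("victim_lset", []):
        if "ip" in entry:
            victims.append(entry["ip"])
        if "value" in entry:
            victims.extend(parse_list_literal(entry["value"]))
    rating = incident.get("threatRating") or payload.get("incident_threat_rating")
    snooze = payload.get("snooze_status", {})
    return {
        "id": payload.get("incidentId"),
        "created": datetime.fromtimestamp(payload["createTime"], tz=timezone.utc),
        "severity": SEVERITY.get(rating, 0),
        "escalated": as_bool(incident.get("escalated", extra.get("is_escalated", False))),
        "attackers": attackers,
        "attacker_countries": {ip: geo.get(ip, {}).get("countryname")
                               for kind, ip in attackers if kind == "ip"},
        "victims": victims,
        "snoozed": bool(snooze.get("snoozed", payload.get("snooze_status_snoozed", False))),
        "status": payload.get("customer_status", {}).get("status") or extra.get("status"),
    }

# Trimmed copy of the sample payload on this page; the values are unchanged.
SAMPLE_INCIDENT = {
    "incidentId": "5F04D7E3-000A-8420-0002-757900000000",
    "createTime": 1594153092.2202642,
    "attacker_lset": [{"ip": "86.34.222.99"}, {"value": "SomeAttacker"}],
    "geo_ip_map": {"86.34.222.99": {"country": "BR", "countryname": "Brazil"}},
    "incident": {"attackClassId_str": "authentication:activity", "escalated": True,
                 "summary": "Brute force attempt from 1.2.3.4", "threatRating": "Medium"},
    "customer_status": {"status": "completed"},
    "snooze_status": {"snoozed": True},
    "snooze_status_snoozed": False,
    "victim_lset": [{"value": "['username1', 'username2']"}],
    "extra": {"is_escalated": False, "status": "closed"},
}
```

Running type_errors over the sample reports exactly one mismatch, $.incident.escalated, which is the string-versus-boolean discrepancy noted in the definitions; normalize_incident then yields two victims parsed out of the list literal, the attacker country resolved through geo_ip_map, snoozed taken from snooze_status.snoozed rather than the stale flattened flag, and status taken from customer_status rather than extra.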