Correlation Rule Observation Schema

You can refer to this observation schema to configure the payload template for a third-party templated connection.

Alert Logic generates an observation when it detects an occurrence of a log correlation rule. For more information, see Correlations and Notifications.

Schema

JSON

{
  "fields": {
      "account_id": number,
      "authority": "string",
      "class": "string",
      "confidence": number,
      "desc": "string",
      "end_ts": number,
      "evolved_to": "string",
      "handling": [],
      "id": "string",
      "ingest_id": "binary",
      "ingest_ts": number,
      "keys": {},
      "parents": [
          "string"
      ],
      "path": "string",
      "properties": {},
      "recommendations": "string",
      "severity": "string",
      "start_ts": number,
      "subclass": "string",
      "summary": "string",
      "tactic": "string",
      "technique": "string",
      "ts": number,
      "visibility": "string"
  },
  "id": {
      "account": number,
      "aid": number,
      "msgid": "string"
  },
  "extra": {
      "cid": number,
      "correlation_rule_id": "string",
      "correlation_rule_name": "string",
      "create_date": "string",
      "customer_name": "string",
      "deployment_name": "string",
      "location_ip": "string",
      "observation_description": "string",
      "observation_id": "string",
      "observation_summary": "string",
      "target_host": "string"
  }
}

Definitions

  • fields (object)
    • account_id (number) - Customer account identifier (example: 12345678)

    • authority (string) - Alert Logic subsystem and component that generated the observation (example: alertlogic/ae/trigger_eng/1.0)

    • class (string) - Major classification of the observation, the value of which depends on the taxonomy selected for the observation (example: correl:activity)

    • confidence (number) - True positive detection confidence expressed as a number between 0 and 100, representing a rounded whole number percentage. A value of 100 equals 100 percent true positive detection.

      Valid values: 0–100

    • desc (string) - Detailed description of the observation (example: Brute Force Attempt: At least 10 failed login attempts to Some.Target.Hostname from Some.Attacker.Hostname occurred in the last 5 minutes.)

    • end_ts (number) - Epoch time stamp when the last log message triggering this correlation observation occurred (example: 1661505312)

    • evolved_to (string) - Parent observation to which this observation evolved (for internal use; value not defined and might change)

    • handling (array) - Specification of how to handle the resulting incident automatically (for internal use; value not defined and might change)

    • id (string) - Unique identifier of the observation instance (example: NDNCMUYyRkItRjlBQi1GRTU3LUQ1NDUtQUI5NjZBQkM3N0VC) (for internal use; format of the string might change)

    • ingest_id (binary) - Unique log message identifier (example: XollvQAOASAAAplnAAAAAA==)

    • ingest_ts (number) - Epoch time stamp (GMT) indicating when Alert Logic processed the log message (example: 1661505312)

    • keys (object) - Set of token-type values that uniquely identifies an instance of this observation type. Must be present and not empty. Content depends on the search query defined in the log correlation rule (example: {"user_name": "SomeTarget.Hostname", "host_name": "Some.Attacker.Hostname"})

    • parents (array of strings) - References data records that contributed to the generation of this observation and can be used to navigate to the log search used for the log correlation rule (example: arn:iws:ingest:us-west-2:7825:logmsgs/63088992-07D8-CC21-0002-6E3100000001)

    • path (string) - Unique logical name and path of the observation in the Alert Logic console (example: correlation/12345678/F5C6ED1A-07F4-4398-B069-6CA92F56EF98)

    • properties (object) - Set of values that captures additional information about the observation, with content depending on the search query defined in the correlation rule (example: {"victim": "SomeTarget.Hostname", "min": 1661504062, "max": 1661504093, "attacker": "SomeAttacker.Hostname", "MessageCount": 12, "IntervalTime": 1661503500})

    • recommendations (string) - Full text of the recommended actions for the incident generated by the observation (example: Confirm whether the activity is expected. Lock out the remote IP address with multiple failed login attempts.)

    • severity (string) - Importance of this observation with respect to the risk to your environment (example: critical)

      Valid values: critical, high, medium, low, info

    • start_ts (number) - Epoch time stamp when the first log message triggering this correlation observation occurred (example: 1661505312)

    • subclass (string) - Minor classification of the observation, the value of which depends on the taxonomy selected for the observation (example: suspicious-activity)

    • summary (string) - Summary of the observation (example: Ten Failed Logins in 5 Minutes)

    • tactic (string) - Determined MITRE ATT&CK tactic based on its detection within your environment (example: Credential Access)

    • technique (string) - Determined MITRE ATT&CK technique based on its detection within your environment (example: Brute Force)

    • ts (number) - Epoch time stamp (GMT) indicating when the observation was generated (example: 1661505312)

    • visibility (string) - Defines who can see the observation in the system and is used for notification and incident generation (example: notification)

  • id (object) - Information about the observation returned by the search service
    • account (number) - Customer account identifier (example: 12345678). Alert Logic recommends that you use fields.account_id instead.

    • aid (number) - Internal audit ID

    • msgid (string) - Observation message identifier

  • extra (object) - Additional information about the observation
    • cid (number) - Customer account identifier (example: 12345678). Alert Logic recommends that you use fields.account_id instead.

    • correlation_rule_id (string) - Unique identifier of the log correlation rule that generated the observation (example: 22526B99-30B3-46EE-A270-8140052511FF)

    • correlation_rule_name (string) - Name of the log correlation rule that generated the observation (example: Brute Force Attempt)

    • create_date (string) - Date when the correlation rule triggered the observation (example: 26th Aug 2022 09:15:12 GMT)

    • customer_name (string) - Customer name of the Alert Logic account where the observation was generated (example: XYZ Corporation)

    • deployment_name (string) - Name of the deployment in which the observation occurred (example: Azure Production Deployment)

    • location_ip (string) - IP address or hostname, if determined, of the attacker for an observation (example: Some.Attacker.Hostname)

    • observation_description (string) - Observation description in HTML format (example: <p>The user Some.Target.Hostname has had <strong>10</strong> failed logins within a <strong>5</strong> minute time span from Some.Attacker.Hostname.)

    • observation_id (string) - Identifier of the observation (example: 25257372-AC77-47CE-A00B-2F0BD35AA3D8)

    • observation_summary (string) - Summary of the observation (example: Ten Failed Logins in 5 Minutes). Alert Logic recommends that you use fields.summary instead.

    • target_host (string) - IP address or hostname, if determined, of the target affected by the observation (examples: 10.1.2.3, Some.Target.Hostname)

Sample JSON

Alert Logic uses this JSON object to test templated connections with an Observation payload type.

JSON

{
  "fields": {
    "account_id": 12345678,
    "authority": "alertlogic/ae/trigger_eng/1.0",
    "class": "correl:activity",
    "confidence": null,
    "desc": "Brute Force Attempt: At least 10 failed login attempts to Some.Target.Hostname from Some.Attacker.Hostname occurred in the last 5 minutes.",
    "end_ts": 1661505312,
    "evolved_to": "",
    "handling": [],
    "id": "NDNCMUYyRkItRjlBQi1GRTU3LUQ1NDUtQUI5NjZBQkM3N0VC",
    "ingest_id": "XollvQAOASAAAplnAAAAAA==",
    "ingest_ts": 1661505312,
    "keys": {
      "key1": "value1",
      "key2": "value2"
    },
    "parents": [
      "arn:iws:ingest:us-west-2:2:logmsgs/5E895FF3-0002-E920-0002-AA3500000000"
    ],
    "path": "correlation/12345678/22526B99-30B3-46EE-A270-8140052511FF",
    "properties": {},
    "recommendations": "Confirm whether the activity is expected. Lock out the remote IP address with multiple failed login attempts.",
    "severity": "critical",
    "start_ts": 1661505312,
    "subclass": "suspicious-activity",
    "summary": "Ten Failed Logins in 5 Minutes",
    "tactic": "Credential Access",
    "technique": "Brute Force",
    "ts": 1661505312,
    "visibility": "notification"
  },
  "id": {
    "account": 12345678,
    "aid": 0,
    "msgid": "QU1JNAAAAAIAAAAAXollvV6JZb4AAplnAA4AImFwcGxpY2F0aW9uL3gtYWxwYWNrZXQtb2JzZXJ2YXRpb24ACmZha2VTdHJlYW0="
  },
  "extra": {
    "cid": 12345678,
    "correlation_rule_id": "22526B99-30B3-46EE-A270-8140052511FF",
    "correlation_rule_name": "Failed Login Correlation",
    "create_date": "26th Aug 2022 09:15:12 GMT",
    "customer_name": "XYZ Corporation",
    "deployment_name": "Azure Production Deployment",
    "location_ip": "Some.Attacker.Hostname",
    "observation_description": "<p>The user Some.Target.Hostname has had <strong>10</strong> failed logins within a <strong>5</strong> minute time span from Some.Attacker.Hostname.",
    "observation_id": "25257372-AC77-47CE-A00B-2F0BD35AA3D8",
    "target_host": "Some.Target.Hostname"
  }
}
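As an added example (not Alert Logic's code), a small Python validator and flattener built from the rules in the Definitions section: it checks a parsed observation against the stated field types, the severity list, the 0-100 confidence range, the non-empty keys requirement and the array-of-strings parents, then reduces it to the values a ticket or webhook template needs, preferring fields.account_id and fields.summary over the id/extra duplicates as recommended above. SAMPLE is a constructed, trimmed copy of the sample payload; validate and to_ticket are assumed names.

```python
# Rules taken from the Definitions section of this page.
SEVERITIES = ("critical", "high", "medium", "low", "info")
NUMBER_FIELDS = ("account_id", "end_ts", "ingest_ts", "start_ts", "ts")

def _is_num(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def validate(obs):
    """Return the schema violations found in a parsed observation (empty list means it conforms)."""
    f = obs.get("fields", {})
    issues = [f"fields.{n} must be a number" for n in NUMBER_FIELDS if not _is_num(f.get(n))]
    conf = f.get("confidence")
    if not (_is_num(conf) and 0 <= conf <= 100):
        issues.append("fields.confidence must be a number in 0-100")
    if f.get("severity") not in SEVERITIES:
        issues.append("fields.severity must be one of " + ", ".join(SEVERITIES))
    if not (isinstance(f.get("keys"), dict) and f["keys"]):
        issues.append("fields.keys must be present and not empty")
    if not (isinstance(f.get("parents"), list) and all(isinstance(p, str) for p in f["parents"])):
        issues.append("fields.parents must be an array of strings")
    if _is_num(f.get("start_ts")) and _is_num(f.get("end_ts")) and f["start_ts"] > f["end_ts"]:
        issues.append("fields.start_ts is later than fields.end_ts")
    return issues

def to_ticket(obs):
    """Flatten an observation for a ticket template, preferring fields.* over the id/extra duplicates as the page advises."""
    f, extra = obs["fields"], obs.get("extra", {})
    return {
        "account_id": f["account_id"],                       # not id.account / extra.cid
        "rule": extra.get("correlation_rule_name", ""),
        "summary": f.get("summary") or extra.get("observation_summary", ""),
        "severity": f["severity"],
        "confidence": f.get("confidence"),                   # may be null in the test payload
        "attack": f"{f.get('tactic', '')} / {f.get('technique', '')}",
        "attacker": extra.get("location_ip", ""),
        "target": extra.get("target_host", ""),
        "window_seconds": f["end_ts"] - f["start_ts"],
    }

# Constructed, trimmed copy of the page's sample observation; confidence is null (None) there too.
SAMPLE = {
    "fields": {"account_id": 12345678, "confidence": None, "severity": "critical",
               "keys": {"key1": "value1"}, "start_ts": 1661505312, "end_ts": 1661505312,
               "ts": 1661505312, "ingest_ts": 1661505312, "tactic": "Credential Access",
               "technique": "Brute Force", "summary": "Ten Failed Logins in 5 Minutes",
               "parents": ["arn:iws:ingest:us-west-2:2:logmsgs/5E895FF3-0002-E920-0002-AA3500000000"]},
    "id": {"account": 12345678, "aid": 0, "msgid": "constructed"},
    "extra": {"cid": 12345678, "correlation_rule_name": "Failed Login Correlation",
              "location_ip": "Some.Attacker.Hostname", "target_host": "Some.Target.Hostname"},
}
```

Run against the sample payload, validate reports only the null confidence, which is the one place the test payload departs from the schema and therefore the one value a template must tolerate.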