Observation Schema

You can refer to this observation schema to configure the payload template for a third-party webhook connector.

Alert Logic generates an observation when it detects an occurrence of a log correlation rule. For more information, see Correlations and Notifications.

Schema

JSON

{
    "fields": {
        "authority": "string",
        "class": "string",
        "confidence": number,
        "desc": "string",
        "end_ts": number,
        "ingest_id": "binary",
        "ingest_ts": number,
        "keys": {
            "message": "string",
            "time_recv": number
        },
        "parents": [
            "string"
        ],
        "path": "string",
        "properties": {},
        "recommendations": "string",
        "severity": "string",
        "start_ts": number,
        "subclass": "string",
        "summary": "string",
        "tactic": "string",
        "technique": "string",
        "ts": number,
        "visibility": "string"
    },
    "id": {
        "account": number,
        "aid": number,
        "msgid": "string"
    },
    "extra": {
        "customer_name": "string",
        "observation_description": "string",
        "correlation_rule_id": "string",
        "correlation_rule_name": "string",
        "observation_id": "string",
        "deployment_name": "string",
        "tld": "string"
    }
}

Definitions

  • fields (object)
    • authority (string) - Alert Logic subsystem and component that generated the observation
    • class (string) - Major classification of the observation; the value depends on the taxonomy selected for the observation
    • confidence (number) - True positive detection confidence expressed as a whole number between 0 and 100, representing a rounded percentage. A value of 100 equals 100 percent true positive detection.
    • desc (string) - Observation description
    • end_ts (number) - Epoch time stamp when the last log message triggering this correlation observation occurred
    • ingest_id (binary) - Unique log message identifier
    • ingest_ts (number) - Epoch time stamp (GMT) indicating when Alert Logic processed the log message
    • keys (object) - Set of token-type values that uniquely identify an instance of this observation type
      • message (string) - Details about the observation instance
      • time_recv (number) - Epoch time stamp when Alert Logic detected the observation instance
    • parents (array of strings) - References to the data records that contributed to the generation of this observation; they can be used to navigate to the log search used by the log correlation rule
    • path (string) - Unique logical name and path of the observation in the Alert Logic console
    • properties (object) - Set of token-type values that capture additional information about the observation
    • recommendations (string) - Full text of the recommended actions for this observation or incident
    • severity (string) - Importance of this observation with respect to the risk to the customer's environment

      Valid values: critical, high, medium, low, info

    • start_ts (number) - Epoch time stamp when the first log message triggering this correlation observation occurred
    • subclass (string) - Minor classification of the observation; the value depends on the taxonomy selected for the observation
    • summary (string) - Summary of the observation
    • tactic (string) - MITRE ATT&CK tactic determined from how the activity was detected within the customer's environment
    • technique (string) - MITRE ATT&CK technique determined from how the activity was detected within the customer's environment
    • ts (number) - Epoch time stamp (GMT) indicating when the observation was generated
    • visibility (string) - Defines who can see the observation in the system; used for notification and incident generation
  • id (object) - Information about the observation returned by the search service
    • account (number) - Customer account identifier
    • aid (number) - Internal audit ID
    • msgid (string) - Observation message identifier
  • extra (object) - Additional information about the observation
    • customer_name (string) - Name of the customer in the Alert Logic account where the observation was generated
    • observation_description (string) - Observation description in HTML format
    • correlation_rule_id (string) - Unique identifier of the log correlation rule that generated the observation
    • correlation_rule_name (string) - Name of the log correlation rule that generated the observation
    • observation_id (string) - Identifier of the observation
    • deployment_name (string) - Name of the deployment in which the observation occurred
    • tld (string) - Top-level Alert Logic domain for the customer, based on the region in which the data resides

      Valid values: uk, us

Sample JSON

Alert Logic uses this JSON object to test connectors with an Observation payload type.

JSON

{
    "fields": {
        "authority": "alertlogic/ae/trigger_eng/1.0",
        "class": "correl:activity",
        "confidence": null,
        "desc": "# Test",
        "end_ts": 1586062782,
        "ingest_id": "XollvQAOASAAAplnAAAAAA==",
        "ingest_ts": 1586062782,
        "keys": {
            "message": "{\"CreationTime\":\"2020-04-05T04:38:02\",\"Id\":\"fdd05f68-fa83-4386-a364-dd7378006cb8\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"bf8d32d3-1c13-4487-af02-80dba2236488\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"UserKey\":\"11110000AD6EA715@alazurealertlogic.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"52.2.16.16\",\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"UserId\":\"azure_valid@alazurealertlogic.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Token\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"UserError\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"76ea01ce-6f1c-4001-aba5-ba32dcd283dd\",\"Type\":0},{\"ID\":\"azure_valid@alazurealertlogic.onmicrosoft.com\",\"Type\":5},{\"ID\":\"11110000AD6EA715\",\"Type\":3}],\"ActorContextId\":\"bf8d32d3-1c13-4487-af02-80dba2236488\",\"ActorIpAddress\":\"52.2.16.16\",\"InterSystemsId\":\"469c2728-ffa1-41aa-aeca-02d0fd0b93c0\",\"IntraSystemId\":\"af113cf1-8ce1-46c7-9cde-91fb0b471901\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"bf8d32d3-1c13-4487-af02-80dba2236488\",\"ApplicationId\":\"04b07795-8ddb-461a-bbee-02f9e1bf7b47\",\"LogonError\":\"InvalidUserNameOrPassword\"}",
            "time_recv": 1586061482
        },
        "parents": [
            "arn:iws:ingest:us-west-2:2:logmsgs/5E895FF3-0002-E920-0002-AA3500000000"
        ],
        "path": "correlation/12345678/22526B99-30B3-46EE-A270-8140052511FF",
        "properties": {},
        "recommendations": null,
        "severity": "critical",
        "start_ts": 1586062782,
        "subclass": "suspicious-activity",
        "summary": "test",
        "tactic": null,
        "technique": null,
        "ts": 1586062782,
        "visibility": "notification"
    },
    "id": {
        "account": 12345678,
        "aid": 0,
        "msgid": "QU1JNAAAAAIAAAAAXollvV6JZb4AAplnAA4AImFwcGxpY2F0aW9uL3gtYWxwYWNrZXQtb2JzZXJ2YXRpb24ACmZha2VTdHJlYW0="
    },
    "extra": {
        "customer_name": "XYZ Corporation",
        "observation_description": "<h1>Test</h1>",
        "correlation_rule_id": "22526B99-30B3-46EE-A270-8140052511FF",
        "correlation_rule_name": "Failed Login Correlation",
        "observation_id": "25257372-AC77-47CE-A00B-2F0BD35AA3D8",
        "deployment_name": "Azure Production Deployment",
        "tld": "us"
    }
}
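The schema definitions and the test payload above are what a receiving webhook endpoint has to cope with. The following Python is an added example, not Alert Logic's code, of the receiver-side handling a practitioner would want before forwarding an observation to a ticketing system or SIEM: it checks the payload against the documented field types and value sets (severity, tld, 0..100 confidence, epoch numbers, parents as an array of strings), then flattens the parts worth keeping. Two details from the sample drive the design: `confidence`, `recommendations`, `tactic` and `technique` arrive as `null` in the test payload even though the schema types them as number and string, so the validator accepts null there; and `keys.message` is a JSON document encoded as a string, so it is decoded where possible and kept as raw text otherwise. The sample embedded below is a constructed, shortened copy of the page's test object (the `keys.message` contents are trimmed to a few of the sample's fields); nothing else is assumed.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the page's test observation. Field names follow
# the observation schema; keys.message is shortened to a few of the sample's own fields.
SAMPLE_OBSERVATION = {
    "fields": {
        "authority": "alertlogic/ae/trigger_eng/1.0",
        "class": "correl:activity",
        "confidence": None,          # null in the test payload despite the "number" type
        "desc": "# Test",
        "end_ts": 1586062782,
        "ingest_id": "XollvQAOASAAAplnAAAAAA==",
        "ingest_ts": 1586062782,
        "keys": {
            "message": json.dumps({  # JSON encoded as a string, exactly as in the sample
                "Operation": "UserLoginFailed", "ResultStatus": "Failed",
                "ClientIP": "52.2.16.16", "LogonError": "InvalidUserNameOrPassword",
            }),
            "time_recv": 1586061482,
        },
        "parents": ["arn:iws:ingest:us-west-2:2:logmsgs/5E895FF3-0002-E920-0002-AA3500000000"],
        "path": "correlation/12345678/22526B99-30B3-46EE-A270-8140052511FF",
        "properties": {},
        "recommendations": None,
        "severity": "critical",
        "start_ts": 1586062782,
        "subclass": "suspicious-activity",
        "summary": "test",
        "tactic": None,
        "technique": None,
        "ts": 1586062782,
        "visibility": "notification",
    },
    "id": {"account": 12345678, "aid": 0, "msgid": "QU1JNAAAAAIAAAAAXollvV6JZb4AAplnAA4AImFwcGxpY2F0aW9uL3gtYWxwYWNrZXQtb2JzZXJ2YXRpb24ACmZha2VTdHJlYW0="},
    "extra": {
        "customer_name": "XYZ Corporation",
        "observation_description": "<h1>Test</h1>",
        "correlation_rule_id": "22526B99-30B3-46EE-A270-8140052511FF",
        "correlation_rule_name": "Failed Login Correlation",
        "observation_id": "25257372-AC77-47CE-A00B-2F0BD35AA3D8",
        "deployment_name": "Azure Production Deployment",
        "tld": "us",
    },
}

VALID_SEVERITIES = {"critical", "high", "medium", "low", "info"}   # from the schema definitions
VALID_TLDS = {"uk", "us"}


def validate_observation(obs):
    """Return a list of schema problems; an empty list means the payload is acceptable."""
    problems = []
    for section in ("fields", "id", "extra"):
        if not isinstance(obs.get(section), dict):
            problems.append(f"missing object: {section}")
    if problems:
        return problems  # nothing below is safe to index without the three objects
    f, i, e = obs["fields"], obs["id"], obs["extra"]
    for name in ("start_ts", "end_ts", "ts", "ingest_ts"):
        if not isinstance(f.get(name), int):
            problems.append(f"fields.{name} must be an epoch number")
    conf = f.get("confidence")
    if conf is not None and not (isinstance(conf, (int, float)) and 0 <= conf <= 100):
        problems.append("fields.confidence must be null or a number from 0 to 100")
    if f.get("severity") not in VALID_SEVERITIES:
        problems.append(f"fields.severity must be one of {sorted(VALID_SEVERITIES)}")
    if not isinstance(f.get("parents"), list) or not all(isinstance(p, str) for p in f["parents"]):
        problems.append("fields.parents must be an array of strings")
    if not isinstance(i.get("account"), int):
        problems.append("id.account must be a number")
    if e.get("tld") not in VALID_TLDS:
        problems.append(f"extra.tld must be one of {sorted(VALID_TLDS)}")
    return problems


def summarize_observation(obs):
    """Flatten an observation into the record a ticket or SIEM event typically needs."""
    f, e = obs["fields"], obs["extra"]
    raw = f["keys"]["message"]
    try:
        message = json.loads(raw)        # the sample carries JSON inside the string
    except (TypeError, ValueError):
        message = {"raw": raw}           # other rules may emit plain text; keep it verbatim

    def iso(ts):  # epoch seconds (GMT per the schema) to an ISO-8601 UTC string
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return {
        "observation_id": e["observation_id"],
        "rule": e["correlation_rule_name"],
        "rule_id": e["correlation_rule_id"],
        "account": obs["id"]["account"],
        "severity": f["severity"],
        "confidence": f["confidence"],   # None when no confidence was computed
        "window": (iso(f["start_ts"]), iso(f["end_ts"])),
        "duration_s": f["end_ts"] - f["start_ts"],
        "mitre": {"tactic": f["tactic"], "technique": f["technique"]},
        "message": message,
        "parents": list(f["parents"]),   # handles for navigating back to the log search
    }


if __name__ == "__main__":
    print("schema problems:", validate_observation(SAMPLE_OBSERVATION) or "none")
    print(json.dumps(summarize_observation(SAMPLE_OBSERVATION), indent=2))
```

Run the file directly to see the validation result and the flattened record for the sample; in a real receiver, `validate_observation` would run on the decoded request body before anything is forwarded, and a non-empty problem list is the signal to log and drop the payload rather than to guess at missing fields.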