
Note

This schema displays as thirdpartyalert in the Custom Parsers UI in XDR.

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (CTPX tenant ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as a string. (Field indexes do not line up with the base event because of existing field definitions.) |
| created_time_usec | uint64 | createdTimeUsec$ | Alert creation time (µs) |
| closed_time_usec | uint64 | closedTimeUsec$ | Alert closed time (µs) |
| updated_time_usec | uint64 | updatedTimeUsec$ | Time at which the alert was last updated (µs) |
| first_event_time_usec | uint64 | firstEventTimeUsec$ | Time at which the first event that caused this alert was observed (µs) |
| last_event_time_usec | uint64 | lastEventTimeUsec$ | Time at which the last event that caused this alert was observed (µs) |
| summary | string | summary$ | Description of the third-party alert |
| title | string | title$ | Title of the alert; a shortened form of the description, shown as the alert title |
| severity | Thirdparty.AlertSeverity | severity$ | Alert severity normalized to the third-party alert severity enum |
| vendor_severity | string | vendorSeverity$ | Alert severity preserved as the raw vendor value. This keeps the vendor's own severity indicator visible and lets event filters be written against it. |
| confidence | string | confidence$ | Confidence of the detection logic (generally a percentage between 1 and 100, but can be anything) |
| status | string | status$ | Alert lifecycle status, e.g. unknown, newAlert, inProgress, resolved, etc. |
| generator_ids | repeated string | generatorIds$ | Unique identifiers of the underlying detections, analytics, engines, etc. that produced the alert |
| tags | repeated string | tags$ | User-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.) |
| user_principal_name | string | userPrincipalName$ | User sign-in name |
| source_user_name | string | sourceUserName$ | Account from which the alert was generated |
| target_user_name | string | targetUserName$ | Account for which the alert was generated |
| domain_name | string | domainName$ | Domain of the user account |
| protocol | uint32 | protocol$ | Network protocol, stored as the IP protocol number and validated as less than 256; covers tcp, udp, icmp, etc. |
| direction | Thirdparty.Direction | direction$ | Network connection direction. Possible values are: unknown, inbound, outbound. |
| action | Thirdparty.Action | action$ | How the threat was handled. Possible values are: action_unknown, attempted, succeeded, blocked, failed. |
| risk_score | float | riskScore$ | Provider generated/calculated risk score. Validated to the range 0.0 to 1.0, which equates to a percentage. |
| log_type | string | logType$ | Vendor provided definition of the log type |
| vendor | string | vendor$ | Name of the alert vendor (for example, Microsoft, Dell, FireEye). |
| provider | string | provider$ | Specific provider (product/service, not the vendor company); for example, WindowsDefenderATP. |
| sub_provider | string | subProvider$ | Specific sub-provider (under the aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
| provider_version | string | providerVersion$ | Version of the provider or sub-provider, if it exists, that generated the alert. |
| ontology | string | ontology$ | Category of the alert (for example, credential theft, ransomware, UnfamiliarLocation, UnauthorizedAccess:S3/TorIPCaller, etc.). |
| technique_ids | repeated string | techniqueIds$ | List of attack technique IDs provided by the provider of the alert |
| threat_intelligence_indicators | repeated Thirdparty.ThreatIntelligenceIndicators | threatIntelligenceIndicators$ | Details related to threat intelligence indicators (category, last observed date, source, source URL, type, etc.) |
| vulnerabilities | repeated Thirdparty.Vulnerabilities | vulnerabilities$ | List of vulnerabilities associated with this alert. |
| additional_data | KeyValuePairsIndexed | additionalData$ | Additional interesting data for a given alert, in key-value pairs |
| source_address | string | sourceAddress$ | Information provided by the alert provider about the source IP |
| destination_address | string | destinationAddress$ | Information provided by the alert provider about the destination IP |
| source_port | uint32 | sourcePort$ | TCP/UDP source port (validated as less than 65536) |
| destination_port | uint32 | destinationPort$ | TCP/UDP destination port (validated as less than 65536) |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary$ | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary$ | The geographic location of the destination IP |
| remediation | repeated string | remediation$ | Recommended remediation actions from the source provider of the alert (for example, isolate machine, enforce 2FA, reimage host). |
| comments | repeated string | comments$ | Comments and feedback related to the alert |
| source_material | repeated string | sourceMaterial$ | Any alert-related source material containing information about the alert or detection (e.g. the provider's user interface for alerts or log search, etc.) |
| evidence | repeated Thirdparty.Evidence | evidence$ | Evidence items associated with the alert |

Thirdparty.Evidence

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| evidence_id | string | evidenceId$ | A unique identifier of the evidence object (used for deduplication) |
| event_ids | repeated string | eventIds$ | Resource IDs associated with the alert evidence (normally there is only one) |
| entities | repeated string | entities$ | Entities referenced within the alert evidence |
| source_data | KeyValuePairsIndexed | | A copy of the attributes of the source evidence object |
| normalized_events | repeated string | normalizedEvents$ | Normalized events associated with the alert evidence, serialized as JSON (normally there is only one) |

Thirdparty.ThreatIntelligenceIndicators

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| type | string | type$ | Type of TI indicator, e.g. IP address, email address, URL, hash, malware, etc. |
| value | string | value$ | Raw value of the TI indicator, e.g. 1.1.1.1 or FAKEURL.COM |
| category | string | category$ | Category of the TI, e.g. C&C, keylogger, backdoor, etc. |
| last_observation_time_usec | uint64 | lastObservationTimeUsec$ | Timestamp of when the TI was last curated (µs) |
| source | string | source$ | Human-readable source of the TI data, e.g. "Microsoft TIC" |
| source_url | string | sourceUrl$ | URL that provides information about the TI |
| family | string | family$ | Provider-generated malware family (for example, 'wannacry', 'notpetya', etc.). |

Thirdparty.Vulnerabilities

| Normalized Field | Type | Parser Field | Description |
| --- | --- | --- | --- |
| cvss | string | cvss$ | Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerability. |
| cve | string | cve$ | Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability. |

Thirdparty.Action

| Name | Number | Description |
| --- | --- | --- |
| ACTION_UNKNOWN | 0 | |
| ATTEMPTED | 1 | |
| SUCCEEDED | 2 | |
| BLOCKED | 3 | |
| FAILED | 4 | |

Thirdparty.AlertSeverity

| Name | Number | Description |
| --- | --- | --- |
| UNKNOWN_SEVERITY | 0 | |
| INFO | 1 | |
| LOW | 2 | |
| MEDIUM | 3 | |
| HIGH | 4 | |
| CRITICAL | 5 | |

Thirdparty.Direction

| Name | Number | Description |
| --- | --- | --- |
| UNKNOWN | 0 | Unused but required for proto3 |
| INBOUND | 1 | Inbound network connection |
| OUTBOUND | 2 | Outbound network connection |
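As an added example that is not Secureworks or Taegis code, the Python below maps a constructed vendor alert onto the ThirdPartyAlert field layout above: it converts timestamps to the microsecond fields, enforces the validation limits on protocol, ports and risk_score, and normalizes severity and action to the Thirdparty.AlertSeverity and Thirdparty.Action numbers while keeping the raw vendor severity in vendor_severity. The enum numbers are copied from the tables above; the vendor-side field names, the severity and action vocabularies, and the sensor_type, vendor and provider names are assumptions made for illustration.

```python
"""Added example (not Secureworks/Taegis code): normalize a hypothetical vendor alert
into the ThirdPartyAlert field layout documented on this page."""
import json
from datetime import datetime

# Enum numbers copied from the Thirdparty.* tables on this page.
ALERT_SEVERITY = {"UNKNOWN_SEVERITY": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}
DIRECTION = {"UNKNOWN": 0, "INBOUND": 1, "OUTBOUND": 2}
ACTION = {"ACTION_UNKNOWN": 0, "ATTEMPTED": 1, "SUCCEEDED": 2, "BLOCKED": 3, "FAILED": 4}

# Assumed (hypothetical) vendor vocabularies; a real parser uses the vendor's documented scale.
VENDOR_SEVERITY = {"informational": "INFO", "low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "CRITICAL"}
VENDOR_ACTION = {"blocked": "BLOCKED", "allowed": "SUCCEEDED", "failed": "FAILED", "attempted": "ATTEMPTED"}
IP_PROTOCOL = {"icmp": 1, "tcp": 6, "udp": 17}  # IANA protocol numbers, all below 256


def to_usec(iso8601: str) -> int:
    """ISO 8601 timestamp -> microseconds since the epoch, as the *_time_usec fields expect."""
    dt = datetime.fromisoformat(iso8601.replace("Z", "+00:00"))
    return int(dt.timestamp()) * 1_000_000 + dt.microsecond


def check_ranges(alert: dict) -> None:
    """Enforce the limits the schema validates: protocol < 256, ports < 65536, risk_score in [0, 1]."""
    if not 0 <= alert["protocol"] < 256:
        raise ValueError(f"protocol out of range: {alert['protocol']}")
    for key in ("source_port", "destination_port"):
        if not 0 <= alert[key] < 65536:
            raise ValueError(f"{key} out of range: {alert[key]}")
    if not 0.0 <= alert["risk_score"] <= 1.0:
        raise ValueError(f"risk_score out of range: {alert['risk_score']}")


def normalize(vendor: dict, tenant_id: str) -> dict:
    """Build a ThirdPartyAlert-shaped dict (snake_case field names) from a hypothetical vendor record."""
    raw_sev = str(vendor.get("severity", ""))
    raw_act = str(vendor.get("action", ""))
    if "inbound" in vendor:
        direction = DIRECTION["INBOUND"] if vendor["inbound"] else DIRECTION["OUTBOUND"]
    else:
        direction = DIRECTION["UNKNOWN"]  # proto3 default when the vendor says nothing
    alert = {
        "tenant_id": tenant_id,
        "sensor_type": "example-vendor",                      # assumed sensor type
        "sensor_event_id": vendor["id"],
        "original_data": json.dumps(vendor, sort_keys=True),  # unadulterated copy of the input
        "event_time_usec": to_usec(vendor["timestamp"]),
        "first_event_time_usec": to_usec(vendor["first_seen"]),
        "last_event_time_usec": to_usec(vendor["last_seen"]),
        "title": vendor["name"],
        "summary": vendor["description"],
        # Normalized enum and the raw vendor value kept side by side, as the schema intends.
        "severity": ALERT_SEVERITY[VENDOR_SEVERITY.get(raw_sev.lower(), "UNKNOWN_SEVERITY")],
        "vendor_severity": raw_sev,
        "action": ACTION[VENDOR_ACTION.get(raw_act.lower(), "ACTION_UNKNOWN")],
        "direction": direction,
        "protocol": IP_PROTOCOL[vendor["proto"].lower()],
        "source_address": vendor["src_ip"],
        "destination_address": vendor["dst_ip"],
        "source_port": int(vendor["src_port"]),
        "destination_port": int(vendor["dst_port"]),
        "risk_score": float(vendor["score"]) / 100.0,          # assumed 0-100 vendor scale -> 0-1
        "vendor": "ExampleVendor",                              # assumed
        "provider": "ExampleEDR",                               # assumed
        "technique_ids": list(vendor.get("mitre", [])),
        "additional_data": {k: str(v) for k, v in vendor.items() if k not in ("id", "timestamp")},
    }
    check_ranges(alert)
    return alert


# Constructed sample vendor alert (not real data).
SAMPLE = {
    "id": "evt-0001", "name": "Credential dumping attempt",
    "description": "LSASS memory read by unsigned binary",
    "severity": "High", "action": "Blocked", "timestamp": "2024-03-05T10:15:30Z",
    "first_seen": "2024-03-05T10:15:30Z", "last_seen": "2024-03-05T10:16:00Z",
    "inbound": False, "proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
    "src_port": 49152, "dst_port": 445, "score": 85, "mitre": ["T1003.001"],
}

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE, "12345"), indent=2))
```

An unrecognized vendor severity string lands on UNKNOWN_SEVERITY (0) rather than being dropped, and the raw string survives in vendor_severity so a filter can still key on it; an out-of-range port or score is rejected outright rather than silently clamped, mirroring the schema's validation limits.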