Alert export schema¶
The alert export schema for Corelight Investigator includes fields that provide comprehensive information for effective incident response and threat analysis. Exported alerts carry internal IP addresses, sensor names and tenant identifiers (see the samples below), so the export destination (SIEM, data lake, message queue) should be treated as holding sensitive data and access to it restricted accordingly.
This table summarizes the fields available in each of the four types of exported alerts. The field names are the JSON keys used in the samples below. Note that the samples do not always match the table (for example, the Suricata sample carries neither the MITRE ATT&CK fields nor `related_alert_entities`), so consumers should not assume a field is present just because the table marks it, and should parse by key rather than by position.
Field Name |
Description |
Notice Alert |
Suricata Alert |
Machine Learning Alert |
Search Based Alert |
---|---|---|---|---|---|
alert-to-detection-url |
URL that deep-links the alert to its detection in Corelight Investigator. The path ends in the alert_id, and the hostname differs per Investigator instance (three different hosts appear in the samples), so the link is only meaningful for the instance that produced the alert. |
X |
X |
X |
X |
alert_entity |
The primary entity involved in the alert (such as a source or destination IP, or a domain). entity_id is entity_type concatenated with entity_name (for example IP10.0.2.16). For internationalized domains entity_name carries both the punycode and the decoded Unicode form (xn--googl-r51b.com[googlẹ.com]); match on the ASCII punycode form and take care when rendering the Unicode form, since homograph domains are built to look like legitimate ones. entity_category is absent in the Suricata sample. |
X |
X |
X |
X |
alert_id |
Unique identifier for the alert. Its format differs by alert type in the samples (a UUID for notice, machine learning and search-based alerts; a 32-character hex string for Suricata alerts), so treat it as an opaque string rather than validating it against one format. |
X |
X |
X |
X |
alert_info |
Contains metadata about the alert: alert_name, alert_type (notice, suricata_corelight, ml or custom_search_rule in the samples) and content_id, which identifies the detection content that fired (the notice name, SURI-&lt;signature_id&gt; for Suricata, or a content UUID). alert_type is the discriminator that tells a consumer which type-specific detail object (notice, suricata_corelight or ml) to expect. |
X |
X |
X |
X |
alert_keys |
Identifiers linking the alert to a tenant or other Corelight components (tenant, tenant_alert, tenant_alert_entity, tenant_entity). The tenant name is also repeated as a top-level tenant field; consumers ingesting exports from more than one tenant should key on it rather than assume a single source. |
X |
X |
X |
X |
alert_timestamp |
Timestamps indicating when the alert was observed, started, or ended (observed, start, end), as Unix epoch seconds. The samples also carry a ttl value that is 7,776,000 seconds (90 days) after the other timestamps in every sample; this looks like the alert's expiry, but confirm its meaning before relying on it. |
X |
X |
X |
X |
event_ids |
List of identifiers of the events that produced the alert. In the Suricata sample the single event ID equals the alert_id; formats vary by alert type (hex strings, UUIDs), so treat them as opaque. |
X |
X |
X |
X |
false_positive |
Boolean indicating whether the alert has been marked as a false positive, that is, whether the detection incorrectly indicated the presence of the condition. |
X |
X |
X |
X |
related_alert_entities |
Entities related to the alert, such as additional source or destination IPs, each in the same shape as alert_entity. Not present in the Suricata sample, where only related_entities is exported. |
X |
X |
X |
X |
score |
Numerical score indicating the severity or priority of the alert. The samples show scores of 9, 2, 5 and 10 alongside severity values of 1, 1, 55 and 0, so the scales are not obviously uniform across alert types; do not rank alerts of different types against each other without normalizing per type. |
X |
X |
X |
X |
severity |
Severity level of the alert. The value range differs by alert type in the samples (1 for notice and Suricata, 55 for machine learning, 0 for search-based), so normalize per type before comparing. The notice detail object additionally carries its own severity_info with level and name. |
X |
X |
X |
X |
mitre_tactics |
MITRE ATT&CK tactics associated with the alert, as tactic names (for example "Command and Control"), not ATT&CK IDs. |
X |
X |
X |
|
mitre_techniques |
MITRE ATT&CK techniques associated with the alert, as "Tactic :: Technique" name strings (for example "Command and Control :: Dynamic Resolution"). Technique IDs (Txxxx) are not included, so map the names to IDs on the consumer side if your tooling needs them. |
X |
X |
X |
|
notice |
Details specific to notice alerts: the actions taken (actions), the connection 5-tuple (orig_h/orig_p/resp_h/resp_p/proto, duplicated as source_ip/destination_ip and src/dst), the connection uid, the reporting sensor (system_name, peer_descr), the notice message (msg) and the notice path. Fields that do not apply are exported as null (for example fuid, sub, dropped). |
X |
|||
suricata_corelight |
Details specific to Suricata alerts, including flow data (flow_id, community_id, source/destination IP and port, service, uid), the signature (signature_id, gid, rev, category, metadata) and the action the engine took (allowed in the sample, which in Suricata's terms means the flow was logged rather than blocked). |
X |
|||
ml |
Details specific to machine learning alerts, such as model information: the models that fired with their per-feature contributions, model_score, the resulting status (malicious in the sample), the pipeline, and any whitelisted_info or user_tag applied. |
X |
|||
related_entities |
Broader entities related to the alert. In the samples it is identical to related_alert_entities wherever both are present; in the Suricata sample it is the only entity list, and its entries lack entity_category. |
X |
X |
X |
X |
Examples of alert exports¶
Here are samples of an alert export for each alert type. They are illustrative: key order and whitespace differ between samples, optional fields are sometimes omitted (compare the Suricata sample with the others), and null is used for absent values inside the type-specific detail objects, so consumers should parse by key and handle both missing keys and null values.
Notice alert¶
{
"alert-to-detection-url":"https://eu.investigator.corelight.com/alert-to-detection/33e745e6-77da-4849-b0f7-a378875cc514",
"alert_entity":{
"entity_category":"source",
"entity_id":"IP10.0.2.16",
"entity_name":"10.0.2.16",
"entity_type":"IP"
},
"alert_id":"33e745e6-77da-4849-b0f7-a378875cc514",
"alert_info":{
"alert_name":"DGA::Infected_Host_Activity",
"alert_type":"notice",
"content_id":"DGA::Infected_Host_Activity"
},
"alert_keys":{
"tenant":"terrific",
"tenant_alert":"f7e51be65a3650494a04f6ed45b8a2bb",
"tenant_alert_entity":"9020cb47ef7d6621089365f2c92cd51a",
"tenant_entity":"72c06dcc8b62f7a46158d65b5ed2a47e"
},
"alert_timestamp":{
"end":1734563066,
"observed":1734563066,
"start":1734563066,
"ttl":1742339066
},
"event_ids":[
"55ce958f67fc80643a2d271c64c179a4"
],
"false_positive":false,
"mitre_tactics":[
"Command and Control"
],
"mitre_techniques":[
"Command and Control :: Dynamic Resolution"
],
"notice":{
"actions":[
"Notice::ACTION_LOG"
],
"destination_ip":"142.111.199.16",
"dropped":null,
"dst":"142.111.199.16",
"file_desc":null,
"file_mime_type":null,
"fuid":null,
"msg":"Infected host 10.0.2.16 is communicating with IP resolved from DGA domain.",
"n":null,
"note":"DGA::Infected_Host_Activity",
"orig_h":"10.0.2.16",
"orig_p":49179,
"p":80,
"path":"notice",
"peer_descr":"worker-01",
"proto":"tcp",
"remote_location":null,
"resp_h":"142.111.199.16",
"resp_p":80,
"severity_info":{
"level":1,
"name":"alert"
},
"source_ip":"10.0.2.16",
"src":"10.0.2.16",
"sub":null,
"suppress_for":3600.0,
"system_name":"LABSensor2",
"uid":"Cv6ZNV28wwt3SoLS3d"
},
"related_alert_entities":[
{
"entity_category":"source",
"entity_id":"IP10.0.2.16",
"entity_name":"10.0.2.16",
"entity_type":"IP"
},
{
"entity_category":"destination",
"entity_id":"IP142.111.199.16",
"entity_name":"142.111.199.16",
"entity_type":"IP"
}
],
"related_entities":[
{
"entity_category":"source",
"entity_id":"IP10.0.2.16",
"entity_name":"10.0.2.16",
"entity_type":"IP"
},
{
"entity_category":"destination",
"entity_id":"IP142.111.199.16",
"entity_name":"142.111.199.16",
"entity_type":"IP"
}
],
"score":9,
"severity":1,
"tenant":"terrific"
}
Suricata alert¶
{
"alert-to-detection-url": "https://test.investigator.corelight.io/alert-to-detection/5514438b726a6606d9ec014598afb59e",
"alert_entity": {
"entity_id": "IP10.2.128.198",
"entity_name": "10.2.128.198",
"entity_type": "IP"
},
"alert_id": "5514438b726a6606d9ec014598afb59e",
"alert_info": {
"alert_name": "ETPRO MALWARE Variant.Zusy.71154 Checkin 2",
"alert_type": "suricata_corelight",
"content_id": "SURI-2807246"
},
"alert_keys": {
"tenant": "major",
"tenant_alert": "88c00c3762303b3c439100395005fd0c",
"tenant_alert_entity": "4cfff92a42a9d7f3b300e2fb13815aa0",
"tenant_entity": "bc6a24af3853626e360636dfc8ac4999"
},
"alert_timestamp": {
"end": 1689318425,
"observed": 1689318425,
"start": 1689318425,
"ttl": 1697094425
},
"event_ids": [
"5514438b726a6606d9ec014598afb59e"
],
"false_positive": false,
"related_entities": [
{
"entity_id": "IP10.2.128.198",
"entity_name": "10.2.128.198",
"entity_type": "IP"
},
{
"entity_id": "IP15.197.142.173",
"entity_name": "15.197.142.173",
"entity_type": "IP"
}
],
"score": 2,
"severity": 1,
"suricata_corelight": {
"action": "allowed",
"category": "Malware Command and Control Activity Detected",
"community_id": "1:HRr0NqdrDQ0Dr1I9RpE7Br2CRso=",
"destination_ip": "15.197.142.173",
"destination_port": 80,
"flow_id": "1281016746003869",
"gid": 1,
"metadata": [
{
"key": "created_at",
"val": "2013_11_22"
},
{
"key": "former_category",
"val": "MALWARE"
},
{
"key": "updated_at",
"val": "2020_04_27"
}
],
"pcap_cnt": 0,
"rev": null,
"service": "http",
"signature_id": 2807246,
"source_ip": "10.2.128.198",
"source_port": 40988,
"suri_id": "S1GbNMxbhlR9",
"tx_id": 0,
"uid": "CWd35y31qX5yOOcJx3"
},
"tenant": "major"
}
Machine learning alert¶
{
"alert-to-detection-url":"https://eu.investigator.corelight.com/alert-to-detection/3647e185-c925-4126-8062-18bec752552a",
"alert_entity":{
"entity_category":"destination",
"entity_id":"DOMAINxn--googl-r51b.com[googlẹ.com]",
"entity_name":"xn--googl-r51b.com[googlẹ.com]",
"entity_type":"DOMAIN"
},
"alert_id":"3647e185-c925-4126-8062-18bec752552a",
"alert_info":{
"alert_name":"IDN Homograph",
"alert_type":"ml",
"content_id":"d5b300c4-66d1-4c24-9736-c85137902824"
},
"alert_keys":{
"tenant":"terrific",
"tenant_alert":"f696a63546dfc26301366393c780cea4",
"tenant_alert_entity":"2c46a8222cf3a7341c8a550231549b3c",
"tenant_entity":"96346facbc53e59d3efb115b71f7ae6d"
},
"alert_timestamp":{
"end":1734559440,
"observed":1734559440,
"start":1734559440,
"ttl":1742335440
},
"event_ids":[
"fc228800-bd8b-11ef-9075-378201d6ce2c"
],
"false_positive":false,
"mitre_tactics":[
"Initial Access"
],
"mitre_techniques":[
"Initial Access :: Phishing"
],
"ml":{
"average_technique_score_map":{
},
"description":"",
"mode":"realtime",
"models":[
{
"features":[
{
"actual":6,
"contribution":0.0,
"difference":-0.5213735317702346,
"feature_name":"sld_length"
},
{
"actual":0.4,
"contribution":0.04174114181132976,
"difference":0.31983600917002475,
"feature_name":"ratio_sld_vowel"
},
{
"actual":0.6,
"contribution":0.041046442279209526,
"difference":-0.19449521426947136,
"feature_name":"ratio_sld_consonant"
},
{
"actual":1.5,
"contribution":0.03940034636389447,
"difference":-0.4171832415591669,
"feature_name":"ratio_sld_consonant_vowel"
},
{
"actual":0.0,
"contribution":0.035030980647851276,
"difference":-0.18543056603275107,
"feature_name":"ratio_sld_digit"
},
{
"actual":0.0,
"contribution":0.04039587255667663,
"difference":-0.13415568274840564,
"feature_name":"ratio_sld_hyphen"
},
{
"actual":0.47,
"contribution":0.04003574143266214,
"difference":1.0622479614257772,
"feature_name":"frequency_tld"
},
{
"actual":531330261,
"contribution":0.05728694097426741,
"difference":0.404680346265946,
"feature_name":"alexa_rank"
},
{
"actual":1,
"contribution":0.08520089431041751,
"difference":0.596238145178608,
"feature_name":"flag_internationalized_domain"
},
{
"actual":0.9997,
"contribution":0.6198616396236913,
"difference":2.0013104356457436,
"feature_name":"idn_homograph_score"
}
],
"model_alias":[
"IDN Homograph Realtime Classifier v1"
],
"model_name":"domain-homograph_domain_class_realtime_v001",
"model_score":100.0,
"predicted_tag_id":"d5b300c4-66d1-4c24-9736-c85137902824"
}
],
"pipeline":"domain",
"status":"malicious",
"tag_id":"d5b300c4-66d1-4c24-9736-c85137902824",
"user_tag":{
},
"whitelisted_info":[
]
},
"related_alert_entities":[
{
"entity_category":"destination",
"entity_id":"DOMAINxn--googl-r51b.com[googlẹ.com]",
"entity_name":"xn--googl-r51b.com[googlẹ.com]",
"entity_type":"DOMAIN"
}
],
"related_entities":[
{
"entity_category":"destination",
"entity_id":"DOMAINxn--googl-r51b.com[googlẹ.com]",
"entity_name":"xn--googl-r51b.com[googlẹ.com]",
"entity_type":"DOMAIN"
}
],
"score":5,
"severity":55,
"tenant":"terrific"
}
Search-based alert¶
{
"alert-to-detection-url":"https://investigator.corelight.io/alert-to-detection/0614f098-486a-4245-b03b-866a2c2cf23b",
"alert_entity":{
"entity_category":"source",
"entity_id":"IP10.102.84.70",
"entity_name":"10.102.84.70",
"entity_type":"IP"
},
"alert_id":"0614f098-486a-4245-b03b-866a2c2cf23b",
"alert_info":{
"alert_name":"Proxy Not Shell",
"alert_type":"custom_search_rule",
"content_id":"86c04082-5830-4446-ad10-a2aa2258d8a6"
},
"alert_keys":{
"tenant":"major",
"tenant_alert":"613997110ec8c1e0050fe2a641c9123c",
"tenant_alert_entity":"d0ebac49a476ccffed1262acb948371c",
"tenant_entity":"09252be624dc063142d922189b1ab032"
},
"alert_timestamp":{
"end":1734992816,
"observed":1734992816,
"start":1734992816,
"ttl":1742768816
},
"event_ids":[
"df821593158305a3bed62b94eeb1ee4d"
],
"false_positive":false,
"mitre_tactics":[
"Initial Access"
],
"mitre_techniques":[
"Initial Access :: Exploit Public-Facing Application"
],
"related_alert_entities":[
{
"entity_category":"destination",
"entity_id":"IP192.168.0.114",
"entity_name":"192.168.0.114",
"entity_type":"IP"
},
{
"entity_category":"source",
"entity_id":"IP10.102.84.70",
"entity_name":"10.102.84.70",
"entity_type":"IP"
}
],
"related_entities":[
{
"entity_category":"destination",
"entity_id":"IP192.168.0.114",
"entity_name":"192.168.0.114",
"entity_type":"IP"
},
{
"entity_category":"source",
"entity_id":"IP10.102.84.70",
"entity_name":"10.102.84.70",
"entity_type":"IP"
}
],
"score":10,
"severity":0,
"tenant":"major"
}