Observation Schema
You can refer to this observation schema to configure the payload template for a third-party templated connection.
Alert Logic generates an observation when it detects an occurrence of a log correlation rule. For more information, see Correlations and Notifications.
Schema
JSON
{
"fields": {
"authority": "string",
"class": "string",
"confidence": number,
"desc": "string",
"end_ts": number,
"ingest_id": "binary",
"ingest_ts": number,
"keys": {
"message": "string",
"time_recv": number
},
"parents": [
"string"
],
"path": "string",
"properties": {},
"recommendations": "string",
"severity": "string",
"start_ts": number,
"subclass": "string",
"summary": "string",
"tactic": "string",
"technique": "string",
"ts": number,
"visibility": "string"
},
"id": {
"account": number,
"aid": number,
"msgid": "string"
},
"extra": {
"customer_name": "string",
"observation_description": "string",
"correlation_rule_id": "string",
"correlation_rule_name": "string",
"observation_id": "string",
"deployment_name": "string",
"tld": "string"
}
}
Definitions
- fields (object)
  - authority (string) - Alert Logic subsystem and component that generated the observation
  - class (string) - Major classification of the observation; the value depends on the taxonomy selected for the observation
  - confidence (number) - True-positive detection confidence expressed as a whole number between 0 and 100, representing a rounded percentage. A value of 100 means 100 percent confidence that the detection is a true positive.
  - desc (string) - Observation description
  - end_ts (number) - Epoch time stamp when the last log message triggering this correlation observation occurred
  - ingest_id (binary) - Unique log message identifier
  - ingest_ts (number) - Epoch time stamp (GMT) indicating when Alert Logic processed the log message
  - keys (object) - Set of token-type values that uniquely identify an instance of this observation type
    - message (string) - Details about the observation instance
    - time_recv (number) - Epoch time stamp when Alert Logic detected the observation instance
  - parents (array of strings) - References to the data records that contributed to the generation of this observation; they can be used to navigate to the log search used by the log correlation rule
  - path (string) - Unique logical name and path of the observation in the Alert Logic console
  - properties (object) - Set of token-type values that capture additional information about the observation
  - recommendations (string) - Full text of the recommended actions for this observation or incident
  - severity (string) - Importance of this observation with respect to the risk to the customer's environment
    Valid values: critical, high, medium, low, info
  - start_ts (number) - Epoch time stamp when the first log message triggering this correlation observation occurred
  - subclass (string) - Minor classification of the observation; the value depends on the taxonomy selected for the observation
  - summary (string) - Summary of the observation
  - tactic (string) - MITRE ATT&CK tactic determined for the observation, based on its detection within the customer's environment
  - technique (string) - MITRE ATT&CK technique determined for the observation, based on its detection within the customer's environment
  - ts (number) - Epoch time stamp (GMT) indicating when the observation was generated
  - visibility (string) - Defines who can see the observation in the system; used for notification and incident generation
- id (object) - Information about the observation returned by the search service
  - account (number) - Customer account identifier
  - aid (number) - Internal audit ID
  - msgid (string) - Observation message identifier
- extra (object) - Additional information about the observation
  - customer_name (string) - Name of the customer on the Alert Logic account where the observation was generated
  - observation_description (string) - Observation description in HTML format
  - correlation_rule_id (string) - Unique identifier of the log correlation rule that generated the observation
  - correlation_rule_name (string) - Name of the log correlation rule that generated the observation
  - observation_id (string) - Identifier of the observation
  - deployment_name (string) - Name of the deployment in which the observation occurred
  - tld (string) - Top-level Alert Logic domain for the customer, based on the region in which the data resides
    Valid values: uk, us
Sample JSON
Alert Logic uses this JSON object to test templated connections with an Observation payload type. Note that confidence, recommendations, tactic, and technique are null in this test object, so a payload template should not assume those fields are always populated.
JSON
{
"fields": {
"authority": "alertlogic/ae/trigger_eng/1.0",
"class": "correl:activity",
"confidence": null,
"desc": "# Test",
"end_ts": 1586062782,
"ingest_id": "XollvQAOASAAAplnAAAAAA==",
"ingest_ts": 1586062782,
"keys": {
"message": "{\"CreationTime\":\"2020-04-05T04:38:02\",\"Id\":\"fdd05f68-fa83-4386-a364-dd7378006cb8\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"bf8d32d3-1c13-4487-af02-80dba2236488\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"UserKey\":\"11110000AD6EA715@alazurealertlogic.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"52.2.16.16\",\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"UserId\":\"azure_valid@alazurealertlogic.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Token\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"UserError\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"76ea01ce-6f1c-4001-aba5-ba32dcd283dd\",\"Type\":0},{\"ID\":\"azure_valid@alazurealertlogic.onmicrosoft.com\",\"Type\":5},{\"ID\":\"11110000AD6EA715\",\"Type\":3}],\"ActorContextId\":\"bf8d32d3-1c13-4487-af02-80dba2236488\",\"ActorIpAddress\":\"52.2.16.16\",\"InterSystemsId\":\"469c2728-ffa1-41aa-aeca-02d0fd0b93c0\",\"IntraSystemId\":\"af113cf1-8ce1-46c7-9cde-91fb0b471901\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"bf8d32d3-1c13-4487-af02-80dba2236488\",\"ApplicationId\":\"04b07795-8ddb-461a-bbee-02f9e1bf7b47\",\"LogonError\":\"InvalidUserNameOrPassword\"}",
"time_recv": 1586061482
},
"parents": [
"arn:iws:ingest:us-west-2:2:logmsgs/5E895FF3-0002-E920-0002-AA3500000000"
],
"path": "correlation/12345678/22526B99-30B3-46EE-A270-8140052511FF",
"properties": {},
"recommendations": null,
"severity": "critical",
"start_ts": 1586062782,
"subclass": "suspicious-activity",
"summary": "test",
"tactic": null,
"technique": null,
"ts": 1586062782,
"visibility": "notification"
},
"id": {
"account": 12345678,
"aid": 0,
"msgid": "QU1JNAAAAAIAAAAAXollvV6JZb4AAplnAA4AImFwcGxpY2F0aW9uL3gtYWxwYWNrZXQtb2JzZXJ2YXRpb24ACmZha2VTdHJlYW0="
},
"extra": {
"customer_name": "XYZ Corporation",
"observation_description": "<h1>Test</h1>",
"correlation_rule_id": "22526B99-30B3-46EE-A270-8140052511FF",
"correlation_rule_name": "Failed Login Correlation",
"observation_id": "00000000-1234-1234-1234-1234567890",
"deployment_name": "Azure Production Deployment",
"tld": "us"
}
}
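The following is an added example, not Alert Logic code: a receiver-side check that a delivered Observation payload matches the schema above (types, the severity and tld enumerations, the 0 to 100 confidence range, start_ts not later than end_ts) before a downstream integration uses any of its fields, followed by a flattening step of the kind a ticketing or chat template needs. The function names are this example's own. The embedded payload is the page's test object with keys.message abridged to a few of its fields. Two points the schema implies but does not spell out are encoded here: ingest_id is declared binary but arrives Base64-encoded as a JSON string, and the null fields in the test object are accepted as None.

```python
"""Validate and flatten an Alert Logic Observation payload before a receiver trusts it.
Added example, not Alert Logic code; types and enumerations come from the Definitions
section of the page, and the function names are this example's own."""
import json
from datetime import datetime, timezone

SEVERITIES = {"critical", "high", "medium", "low", "info"}
TLDS = {"uk", "us"}
NUM, OPT_STR = (int, float), (str, type(None))
# ingest_id ("binary") is Base64 text on the wire, so it is checked as str. confidence,
# recommendations, tactic and technique are null in the page's test payload, so None is allowed.
FIELD_TYPES = {
    "authority": str, "class": str, "confidence": NUM + (type(None),), "desc": str,
    "end_ts": NUM, "ingest_id": str, "ingest_ts": NUM, "keys": dict, "parents": list,
    "path": str, "properties": dict, "recommendations": OPT_STR, "severity": str,
    "start_ts": NUM, "subclass": str, "summary": str, "tactic": OPT_STR,
    "technique": OPT_STR, "ts": NUM, "visibility": str,
}
ID_TYPES = {"account": int, "aid": int, "msgid": str}
EXTRA_TYPES = dict.fromkeys(("customer_name", "observation_description", "correlation_rule_id",
    "correlation_rule_name", "observation_id", "deployment_name", "tld"), str)


def _check_types(section, spec, prefix, errors):
    for name, typ in spec.items():
        if name not in section:
            errors.append(f"{prefix}.{name}: missing")
        elif not isinstance(section[name], typ):
            errors.append(f"{prefix}.{name}: unexpected type {type(section[name]).__name__}")


def validate_observation(payload):
    """Return a list of schema violations; an empty list means the payload is well-formed."""
    errors = []
    for top in ("fields", "id", "extra"):
        if not isinstance(payload.get(top), dict):
            errors.append(f"{top}: missing or not an object")
    if errors:
        return errors
    f, e = payload["fields"], payload["extra"]
    _check_types(f, FIELD_TYPES, "fields", errors)
    _check_types(payload["id"], ID_TYPES, "id", errors)
    _check_types(e, EXTRA_TYPES, "extra", errors)
    if f.get("severity") not in SEVERITIES:
        errors.append(f"fields.severity: {f.get('severity')!r} not in {sorted(SEVERITIES)}")
    if e.get("tld") not in TLDS:
        errors.append(f"extra.tld: {e.get('tld')!r} not in {sorted(TLDS)}")
    if isinstance(f.get("confidence"), NUM) and not 0 <= f["confidence"] <= 100:
        errors.append(f"fields.confidence: {f['confidence']} outside 0..100")
    if isinstance(f.get("start_ts"), NUM) and isinstance(f.get("end_ts"), NUM) \
            and f["start_ts"] > f["end_ts"]:
        errors.append("fields.start_ts is later than fields.end_ts")
    return errors


def to_iso(epoch_seconds):
    """Render an epoch-seconds field as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def summarize_observation(payload):
    """Flatten the fields a ticketing or chat integration usually needs. keys.message is the
    raw log record that triggered the rule; it is parsed as JSON when it is JSON. It and
    extra.observation_description (HTML) come from customer logs, so escape before rendering."""
    f, e = payload["fields"], payload["extra"]
    try:
        log_record = json.loads(f["keys"].get("message", ""))
    except (TypeError, ValueError):
        log_record = f["keys"].get("message", "")
    return {
        "observation_id": e["observation_id"], "rule": e["correlation_rule_name"],
        "rule_id": e["correlation_rule_id"], "severity": f["severity"],
        "account": payload["id"]["account"], "deployment": e["deployment_name"],
        "window_utc": (to_iso(f["start_ts"]), to_iso(f["end_ts"])),
        "mitre": {"tactic": f["tactic"], "technique": f["technique"]},
        "triggering_log": log_record, "log_search_refs": list(f["parents"]),
    }


# Test payload from this page, with keys.message abridged to a few of its fields.
SAMPLE_OBSERVATION = {
    "fields": {
        "authority": "alertlogic/ae/trigger_eng/1.0", "class": "correl:activity",
        "confidence": None, "desc": "# Test", "end_ts": 1586062782, "ts": 1586062782,
        "ingest_id": "XollvQAOASAAAplnAAAAAA==", "ingest_ts": 1586062782,
        "keys": {"message": json.dumps({"CreationTime": "2020-04-05T04:38:02",
                 "Operation": "UserLoginFailed", "ResultStatus": "Failed",
                 "ClientIP": "52.2.16.16", "LogonError": "InvalidUserNameOrPassword"}),
                 "time_recv": 1586061482},
        "parents": ["arn:iws:ingest:us-west-2:2:logmsgs/5E895FF3-0002-E920-0002-AA3500000000"],
        "path": "correlation/12345678/22526B99-30B3-46EE-A270-8140052511FF",
        "properties": {}, "recommendations": None, "severity": "critical",
        "start_ts": 1586062782, "subclass": "suspicious-activity", "summary": "test",
        "tactic": None, "technique": None, "visibility": "notification",
    },
    "id": {"account": 12345678, "aid": 0, "msgid": "QU1JNAAAAAIAAAAAXollvV6JZb4AAplnAA4AImFwcGxpY2F0aW9uL3gtYWxwYWNrZXQtb2JzZXJ2YXRpb24ACmZha2VTdHJlYW0="},
    "extra": {
        "customer_name": "XYZ Corporation", "observation_description": "<h1>Test</h1>",
        "correlation_rule_id": "22526B99-30B3-46EE-A270-8140052511FF",
        "correlation_rule_name": "Failed Login Correlation",
        "observation_id": "00000000-1234-1234-1234-1234567890",
        "deployment_name": "Azure Production Deployment", "tld": "us",
    },
}

if __name__ == "__main__":
    print("schema violations:", validate_observation(SAMPLE_OBSERVATION) or "none")
    print(json.dumps(summarize_observation(SAMPLE_OBSERVATION), indent=2))
```

Run as a script, it reports no violations for the page's test object and prints the flattened summary, with the triggering Azure AD failed-login record decoded from keys.message and the observation window rendered as UTC timestamps (1586062782 is 2020-04-05T04:59:42Z; time_recv 1586061482 matches the record's CreationTime of 04:38:02). Both keys.message and observation_description carry content taken from the customer's logs, so a template that renders them into HTML or a chat message should escape them rather than trust them as markup.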