Incident Schema

You can refer to this incident schema to configure the payload template for a third-party webhook connector.

Schema

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
{
    "accountId": number,
    "asset_deployment_type": "string"
    "asset_host_name": "string"
    "asset_native_account_id": "string"
    "assets": {},
    "attacker": {
        "account": "string",
        "instanceId": "string",
        "ip": "string",
        "port": number,
        "region": "string"
    },
    "attacker_country_code": "string",
    "attacker_country_name": "string",
    "attacker_lset": [
        {
            "ip": "string"
        },
        {
            "value": "string"
        }
    ],
    "closed_time": "string",
    "correlation_id": "string",
    "correlation_name": "string",
    "createTime": number,
    "createtime_str": "string,
    "customer": "string", 
    "customer_feedback": {
        "feedback": "string",
        "feedback_datetime": "string",
        "feedback_reason": "string",
        "feedback_uid": "string",
        "feedback_user": "string"
    },  
    "customer_status": {
        "notes": "string",
        "reason_code": "string",
        "status": "string",
        "status_change_time": "string"
    },
    "customer_status_status": "string",
    "defaultThreatRating": "string", 
    "deployment,": "string",
    "deployment_subnet": "string", 
    "deployment_vpc": "string",
    "detection_source": "string",
    "first_closed_time": "string",
    "geo_ip_map": {
        "string": {
            "city": "string",
            "continentcode": "string",
            "country": "string",
            "countryname": "string",
            "ip": "string",
            "latitude": number,
            "longitude": number,
            "postcode": "string",
            "regioncode": "string",
            "regionname": "string"
        }
    },
    "humanFriendlyId": "string", 
    "incident": {
        "attackClassId": number,
        "attackClassId_str": "string",
        "description": "string",
        "escalated": true,
        "recommendations": "string",
        "summary": "string",
        "threatRating": "string"
    }, 
    "incidentId": "string", 
    "incident_attack_class": "string",
    "incident_class": "string",
    "incident_escalated": "string", 
    "incident_threat_rating": "string",
    "incident_type": string,
    "notes": {
        "otherNotes": [
            {
                "date": "string",
                "note": "string",
                "who": "string"
            }
        ]
    }, 
    "path": "string",
    "recommendations": "string",
    "scope_type": "string",
    "snooze_status": { 
        "expiration": number,
        "expiration_str": "string",
        "notes": "string", 
        "period_ms": number,
        "reactivates_at": string,
        "reason_code": "string",
        "snooze_by": "string",
        "snooze_by_uid": "string",
        "snoozed": boolean
    },
    "snooze_status_snoozed": false,
    "sources": [
        "string"
    ],
    "stack_region": "string",
    "updateTime": number,
    "updatetime_str": "string",
    "victim": {
        "value": "['string']" 
    },
    "victim_lset": [
        {
            "value": "['string']" 
        }
    ],
    "extra": { 
        "incidentUrl": "string",
        "class": "string",
        "analyst_notes": [{
            "date": "string",
            "note": "string"
        }],
        "status": "string",
        "tld": "string",
        "is_escalated": boolean,
        "investigation_report": "string",
        "recommendations": "string",
        "location_ip": ["string"],
        "target_host": ["string"]
    }
}

Definitions

• accountId (number) – Customer account identifier

• asset_deployment_type (string) – Deployment type of the asset on which the incident occurred

  Valid values: datacenter, aws, saas, azure

• asset_host_name (string) – Host name of the asset on which the incident occurred

• asset_native_account_id (string) – Native account identifier of the asset on which the incident occurred such as the AWS account ID or the Azure account ID

• assets (object) - Used internally

• attacker (object) – Information about the attacker, if it can be determined

  • account (string) – Cloud native account identifier

  • instanceId (string) – Cloud instance identifier of the attacker

  • ip (string) – IP address of the attacker for this incident

  • port (number) - Port number of the attacker for this incident

  • region (string) – Cloud region of the attacker

  • value (string) - User name, applicable to attacks originating from a user instead of an IP address

• attacker_country_code (string) – ISO two-digit code of the country where the attacker is located, if it can be determined

• attacker_country_name (string) – Name of the country where attacker is located, if it can be determined

• attacker_lset (array) - Information for multiple attackers

  • ip (string) – IP address of an attacker for this incident
  • value (string) – User name, applicable to attacks originating from a user instead of an IP address

• closed_time (string) – ISO time in UTC when an Alert Logic analyst closed the incident

• correlation_id (string) – Uppercase full UUID of the correlation

• correlation_name (string) – Name of correlation that triggered the incident

• createTime (number) – Epoch time when incident arrived in the Alert Logic server

• createtime_str (string) – Incident creation date and time in UTC

• customer (string) – Customer name of the Alert Logic account affected by the incident

• customer_feedback (object) - Customer feedback information about the incident

  • feedback (string) – Text of the customer feedback

  • feedback_datetime (string) – ISO time in UTC when the customer entered feedback

  • feedback_reason (string) – Feedback assessment, such as "threat_not_valid"

  • feedback_uid (string) – User ID of the user who entered the feedback

  • feedback_user (string) – Name and email address of the user who entered the feedback

• customer_status (object) - Incident status set by the customer

  • notes (string) – Incident assessment notes written by the customer

  • reason_code (string) – Reason for the incident status change

  • status (string) – Whether the customer closed the incident in the Alert Logic console

    Valid values: open, completed

  • status_change_time (string) – ISO time in UTC when the customer changed the incident status

• customer_status_status (string) – Whether the customer closed the incident in the Alert Logic console

  Valid values: open, completed

• defaultThreatRating (string) – Initially assigned threat level

  Valid values: Critical, High, Medium, Low, Info

• deployment (string) – Name of the deployment affected by the incident

• deployment_subnet (string) – Name of the subnet affected by the incident

• deployment_vpc (string) – Name of the virtual private cloud (VPC) affected by the incident

• detection_source (string) – The source of the incident

  Valid values: GuardDuty, Network IDS, Web App IDS, Log Mgmt, Correlation Rules, Web Log Analytics, Firewall, Manual, Log Review

• first_closed_time (string) – ISO time in UTC when a Security Operations Center (SOC) analyst closed the incident for the first time

• geo_ip_map (object array) – Geographical information for a list of IP addresses

  • ip

    • city (string) – City in which the IP address is located

    • continentcode (string) – Two-letter ISO code of the continent in which the IP address is located

    • country (string) – Two-letter ISO code of the country in which the IP address is located

    • countryname (string) – Name of the country in which the IP address is located

    • ip (string) – IP address

    • latitude (number) – Latitude in which the IP address is located

    • longitude (number) – Longitude in which the IP address is located

    • postcode (string) – Postal code in which the IP address is located

    • regioncode (string) – ISO region code in which the IP address is located

    • regionname (string) – Name of the region in which the IP address is located

  • humanFriendlyId (string) – Short incident ID

  • incident(object) – Information about the incident

    • attackClassId (number)

    • attackClassId_str (string)

    • description (string) – Incident explanation

    • escalated (string) – Escalation status. Customers can subscribe to receive notifications about escalated incidents.

    • recommendations (string) – Recommended actions in response to the incident

    • summary (string) – Brief description of the incident that is suitable as a title or message subject

    • threatRating (string)

  • incident_attack_class (string) – Attack classification type (Cloud Defender)

  • incident_class (string) – Attack classification type

  • incident_escalated (string) – Escalation status. Customers can subscribe to receive notifications about escalated incidents.

    Valid values: true, false

  • incident_threat_rating (string) – Incident threat level after analysis

    Valid valued: Critical, High, Medium, Low, Info

  • incident_type (string) – Type of incident

  • incidentId (string) – Unique incident identifier. For MDR incidents, the value is the full uppercase UUID. For Cloud Defender incidents, the value is a hex 64-bit UUID.

  • notes (array) - Notes added by Alert Logic SOC analysts

    • OtherNotes (object)

      • date (string) - ISO time in UTC when the analyst added the note

      • note (string) - Text of the note added by the analyst

      • who (string) - Name and email address of the analyst who added the note

  • snooze_status (object) - Information about an incident temporarily removed from the incident list with the snooze feature

    • expiration (number) - Date and time in Epoch time with microseconds when snooze is set to expire

    • expiration_str (string) - ISO time in UTC when snooze is set to expire

    • notes (string) - Notes added when the incident was snoozed

    • period_ms (number) - Snooze period

    • reactivates_at (string) - Time when the incident will be reactivated

    • reason_code (string) - Snooze duration option selected such as tomorrow or next week

    • snooze_by (string) - Name and email address of the user who snoozed the incident

    • snooze_by_uid (string) - User ID of the user who snoozed the incident

    • "snoozed" (Boolean) - Whether the incident is snoozed

  • snooze_status_snoozed (Boolean) - Whether the incident is snoozed, extracted from snooze_status

  • sources (array) - Incident source

  • stack_region (string) - Internal value that refers to the Alert Logic region of the customer account in which the incident occurred

    Valid values: cd-us-production, cd-uk-production

  • updateTime (number) - Epoch time of the last update to the incident

  • updatetime_str (string) - UTC ISO time of the last update to the incident

  • victim (object) - Information about the target (IP address, port number, and protocol) of this incident or the targeted user, if it could be determined

    • ip (string)

    • port (number)

    • protocol (string)

    • value
  • victim_lset - (array) One or more target IP addresses of this incident or targeted users, if they could be determined

    • ip (string)

    • value (string)
  • extra

    • incidentUrl (string) - URL that links to the incident in the Alert Logic console

    • class (string) - Incident classification

    • analyst_notes (list) - All the analyst notes for the incident

      • date (string)

      • note (string)

    • status (string) - Whether the customer closed the incident in the Alert Logic console

    • tld (string) - Top-level Alert Logic domain of the customer based on the region in which the data resides

      Valid values:  uk, us

    • is_escalated (boolean) - Escalation status. Customers can subscribe to receive notifications about escalated incidents.

    • investigation_report (string) - Incident description that may contain HTML formatting elements

    • recommendations (string) - Text of the recommendations from the incident investigation report, if any, that may contain HTML formatting elements

    • location_ip (array) - One or more IP addresses, if determined, of the attacker for this incident

    • target_host (array) - One or more IP addresses, if determined, of the target affected by the incident

Sample JSON

Alert Logic uses this JSON  object to test connectors with an Incident payload type.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
{
    "accountId": 2,
    "asset_deployment_type": "aws",
    "asset_host_name": "10.1.2.3",
    "asset_native_account_id": "2",
    "assets": {},
    "attacker": {
        "account": "2",
        "instanceId": "i-0a159b2a553285ebb",
        "ip": "10.10.10.12",
        "port": 40814,
        "region": "us-east-2"
    },
    "attacker_country_code": "BR",
    "attacker_country_name": "Brazil",
    "attacker_lset": [
        {
            "ip": "86.34.222.99"
        },
        {
            "value": "SomeAttacker"
        }
    ],
    "closed_time": "2020-08-10T11:24:27.765796+00:00",
    "correlation_id": "5F36660A-0015-0120-0002-104300000000",
    "correlation_name": "Admin Failed Login Correlation",
    "createTime": 1594153092.2202642,
    "createtime_str": "2020-07-07T20:18:12.220264+00:00",
    "customer": "XYZ Corporation",
    "customer_feedback": {
        "feedback": "The wiggle probe server 10.123.10.57 is making multiple failed login attempts to the James MSSQL servers at INC001DB03G, INC001DB06G,  inc001db04g and inc001db05g. This is expected activity in the James environment. \nINC0766607",
        "feedback_datetime": "2020-08-14T09:57:35.535995+00:00",
        "feedback_reason": "threat_not_valid",
        "feedback_uid": "423A54CE-105F-4089-B713-10A303DE0938",
        "feedback_user": "CustomerFirstName CustomerLastName username@xyz.com"
    },
    "customer_status": {
        "notes": null,
        "reason_code": "threat_not_valid",
        "status": "completed",
        "status_change_time": "2020-08-14T09:58:03.137831+00:00"
    },
    "customer_status_status": "open",
    "defaultThreatRating": "medium",
    "deployment,": "AWS Production Deployment",
    "deployment_subnet": "subnet-a412345g",
    "deployment_vpc": "vpc-12345678",
    "detection_source": "Log Mgmt",
    "first_closed_time": "2020-09-10T13:22:27.799796+00:00",
    "geo_ip_map": {
        "86.34.222.99": {
            "city": "Palmares do Sul",
            "continentcode": "SA",
            "country": "BR",
            "countryname": "Brazil",
            "ip": "86.34.222.99",
            "latitude": -30.3465,
            "longitude": -50.5482,
            "postcode": "95540",
            "regioncode": "RS",
            "regionname": "Rio Grande do Sul"
        }
    },
    "humanFriendlyId": "ww1k39",
    "incident": {
        "attackClassId": 19,
        "attackClassId_str": "authentication:activity",
        "description": "**Attack Detail**:  \n**Attacker:** 172.31.37.117, local_ip \n**Targets:** 122.99.34.111, 172.31.37.90, and 172.31.39.79 \n We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.",
        "escalated": true,
        "recommendations": "A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.",
        "summary": "Brute force attempt from 1.2.3.4",
        "threatRating": "Medium"
    },
    "incidentId": "5F04D7E3-000A-8420-0002-757900000000",
    "incident_attack_class": "authentication:activity",
    "incident_class": "authentication:activity",
    "incident_escalated": "true",
    "incident_threat_rating": "Medium",
    "incident_type": null,
    "notes": {
        "otherNotes": [
            {
                "date": "2020-08-13T07:22:23+00:00",
                "note": "Normal Activity:\nThere was 1 AWS EC2 Run Instances event with 1 User Type AssumedRole, 1 userName null, 1 sourceIPAddress autoscaling.amazonaws.com, 1 errorCode null, 1 errorMessage null, 1 ARN arn:aws:sts::261161298046:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling, and 1 eventVersion 1.05.\nThis activity occurred on August 13, 2020 between 6:33:00pm and 6:33:00pm EDT.\nCaptured by 1 Log Source US-West-2-OpsTrail.\n\nThere is no unusual activity.",
                "who": "AnalystFirstName AnalystLastName <username@alertlogic.com>"
            }
        ]
    },
    "path": "Authentication/UserLoginFailures",
    "recommendations": "<p>A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.</p>",
    "scope_type": "host_uuid",
    "snooze_status": {
        "expiration": 1597737611.136183,
        "expiration_str": "2020-08-18T08:00:11.136183+00:00",
        "notes": "Check with Sally tomorrow",
        "period_ms": 67124867,
        "reactivates_at": "2020-08-18 08:00:11.136183",
        "reason_code": "tomorrow",
        "snooze_by": "CustomerFirstName CustomerLastName <username@xyz.com>",
        "snooze_by_uid": "CBAA2703-B7F6-43E6-8B17-F75A04A5423E",
        "snoozed": true
    },
    "snooze_status_snoozed": false,
    "sources": [
        "LOG"
    ],
    "stack_region": "cd-us-production",
    "updateTime": 1594153098,
    "updatetime_str": "2020-07-07T20:18:18+00:00",
    "victim": {
        "value": "['username1', 'username2']"
    },
    "victim_lset": [
        {
            "value": "['username1', 'username2']"
        }
    ],
    "extra": {
        "incidentUrl": "https://console.alertlogic.com/fake/incident/url",
        "class": "authentication:activity",
        "analyst_notes": [{
            "date": "15th Mar 2020 10:21:00 GMT",
            "note": "This looks suspicious"
        }],
        "status": "closed",
        "tld": "us",
        "is_escalated": false,
        "investigation_report": "<p><strong>Attack Detail</strong>:<br><strong>Attacker:</strong> 172.31.37.117, local_ip <strong>Targets:</strong> 122.99.34.111, 172.31.37.90, and 172.31.39.79 We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.</p>",
        "recommendations": "<p>A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.</p>",
        "location_ip": ["10.10.10.12"],
        "target_host": ["10.1.2.3"]
    }
}