Key Fields for Alert Types

Key Fields are documented for the following alert type groups: third party native alert types (listed below) and built-in and rule-based alert types (documented individually, see the end of this page).

Key Fields for Third Party Native Alert Types

Stellar Cyber supports third party native alert integration. The Key Fields for third party native alert types are as follows:

Each entry below gives the third party display name, with the alert type identifier in parentheses, followed by a table of Key Field Name, Display Name, and Description.

Acronis (Antimalware protection)

(acronis_cyber_protect)

Key Field Name | Display Name | Description
event.threat.name | Alert Type | Alert type
acronis_cyber_protect.details.threatName | Acronis Threat Name | Acronis threat name
event.category | Alert Category | Alert category
host.name | Host Name | Host name
event.severity_str | Acronis Severity Level | Acronis severity level
file.name | File Name | File name
file.path | File Path | File path
file.hash.sha1 | File SHA1 | File SHA1
file.hash.md5 | File MD5 | File MD5
file.hash.sha256 | File SHA256 | File SHA256

Acronis (EDR)

(acronis_cyber_protect)

Key Field Name | Display Name | Description
event.threat.name | Alert Type | Alert type
event.category | Alert Category | Alert category
host.name | Host Name | Host name
event.severity_str | Acronis Severity Level | Acronis severity level
acronis_cyber_protect.details.redirectLink | Acronis Alert Redirect Link | Acronis alert redirect link
acronis_cyber_protect.details.verdict | Acronis Alert Verdict | Acronis alert verdict

Acronis (Email security)

(acronis_cyber_protect)

Key Field Name | Display Name | Description
event.threat.name | Alert Type | Alert type
event.category | Alert Category | Alert category
event.severity_str | Acronis Severity Level | Acronis severity level
email.from.address | Email From Address | Email from address
email.subject | Email Subject | Email subject

Acronis (URL filtering)

(acronis_cyber_protect)

Key Field Name | Display Name | Description
event.threat.name | Alert Type | Alert type
acronis_cyber_protect.details.threatName | Acronis Threat Name | Acronis threat name
event.category | Alert Category | Alert category
host.name | Host Name | Host name
event.severity_str | Acronis Severity Level | Acronis severity level
url | URL | URL
process.pid | Process ID | Process ID
process.executable | Process Path | Process path

AWS GuardDuty

(aws_guardduty)

Key Field Name | Display Name | Description
aws_guardduty.Title | Alert Title | AWS GuardDuty alert title
host_list | Host IP Address(es) | Private IP addresses of the network interfaces of the resource instance
user.name | User Name | User name associated with the access key details of the resource
event.threat.name | Threat Name | Threat name
event.severity | AWS GuardDuty Severity Score | AWS GuardDuty severity score
cloud.resource.type | Cloud Resource Type | Cloud resource type
cloud.resource.id | Cloud Resource ID | Cloud resource ID
cloud.resource.name | Cloud Resource Name | Cloud resource name

Azure AD

(azure_ad_risk_detection)

Key Field Name | Display Name | Description
userDisplayName | User Name | User name
ipAddress | Host IP Address | Host IP address
riskEventType | Event Type | Risk event type

Bitdefender IP

(bitdefender_ip)

Key Field Name | Display Name | Description
host.name | Host Name | Host name
host.ip | Host IP Address | Host IP address
srcip | Source IP | Source IP address

Bitdefender Threat

(bitdefender_threat)

Key Field Name | Display Name | Description
host.name | Host Name | Host name
host.ip | Host IP Address | Host IP address
event.threat.name | Threat Type | Threat type

Bitdefender URL

(bitdefender_url)

Key Field Name | Display Name | Description
host.name | Host Name | Host name
host.ip | Host IP Address | Host IP address
url | URL | URL

Blackberry CylancePROTECT

(cylance_protect)

Key Field Name | Display Name | Description
host.name | Host Name | Computer name
host.ip | Host IP Address | Host IP address
file_name | File Name | File name
file_path | File Path | File path
process_name | Process Name | Process name

CrowdStrike

(crowdstrike)

Key Field Name | Display Name | Description
host.name | Computer Name | Computer name
hostip | Host IP Address | Host IP address
user.name | User Name | User name
file.name | File Name | File name
file.path | File Path | File path
process.command_line | Command Line | Command line

Cybereason

(cybereason)

Key Field Name | Display Name | Description
user_list | User Names | User names
file.name | File Name | File name
process.name | Process Name | Process name
host_list | Host IP Address(es) | Host IP address(es)

Cynet

(cynet)

Key Field Name | Display Name | Description
host.ip | Host IP Address | Host IP address
event.threat.name | Threat Name | Event threat name
file.name | File Name | File name

Deep Instinct

(deepinstinct)

Key Field Name | Display Name | Description
host.name | Host Name | Host name
host.ip | Host IP Address | Host IP address
file.path | File Path | File path
file.file_hash | File Hash | File hash
deep_instinct.action | Event Action | Deep Instinct event action

Google Workspace Alert

(google_workspace_alert)

Key Field Name | Display Name | Description
source | Alert Source | Alert source
type | Alert Type | Alert type
rule.name | Rule Name | Alert rule name
host.ip | Login IP Address | IP address associated with the warning event
data.email | Data Email | Email of the user to which this event belongs
securityInvestigationToolLink | Investigation Tool Link | Google Workspace security investigation tool link
user.id | User ID | User ID

Microsoft Defender for Endpoint

(ms_defender_atp)

Key Field Name | Display Name | Description
host.name | Host Name | Host name
host.ip | Host IP Address | Host IP address
user.name | User Name | User name
user.domain | User Domain | User domain
threat | Threat Name | Threat name
file_list | File List | File list
process_list | Process List | Process list

Microsoft Office 365

(microsoft_365)

Key Field Name | Display Name | Description
event.threat.name | Threat Name | Threat name
event.severity_str | Microsoft 365 Severity Level | Microsoft 365 severity level
event.category | Category | Microsoft 365 alert category
Source | Source | Microsoft 365 alert source
AlertType | Alert Type | Microsoft 365 alert type
event_summary.alert_entity_list | Alert Entity List | Microsoft 365 alert entity list
username | User Name | User name

Oracle Cloud Infrastructure (OCI) CloudGuard

(oci_cloudguard)

Key Field Name | Display Name | Description
event.type | Problem Type | Problem type
event.threat.name | Threat Name | Threat name
event.severity_str | OCI Severity Level | OCI CloudGuard severity level
cloud.resource.type | Cloud Resource Type | Cloud resource type
cloud.resource.id | Cloud Resource ID | Cloud resource ID
cloud.resource.name | Cloud Resource Name | Cloud resource name
oracle.data.additionalDetails.problemRecommendation | Problem Recommendation | Problem recommendation from OCI

Proofpoint TAP

(proofpoint_tap)

Key Field Name | Display Name | Description
srcip | Source IP Address | Source IP address
email.subject | Email Subject | Email subject
email.sender.address | Sender Address | Email sender address
email.from.address | Sender Address | Email from address
email.recipient.addresses | Recipient Address(es) | Email recipient address(es)
email.to.addresses | To Address(es) | Email to address(es)
email.x_mailer | X-Mailer | X-Mailer content
event.threat_list | Proofpoint Event Threat List | Threat category: Threat artifact
name | Threat Name | Proofpoint threat name
category | Threat Category | Proofpoint threat category
attachment | Threat Attachment | Proofpoint threat attachment
severity | Proofpoint Threat Severity | Proofpoint threat severity
url | Proofpoint Threat URL | Proofpoint threat URL

SentinelOne Cloud

(sentinelone)

Key Field Name | Display Name | Description
host.name | Host Name | Computer name
host.ip | Host IP Address | Host IP address
file.name | File Name | File name
file.path | File Path | File path
process.parent.name | Parent Process Name | Originator process name

Trellix (FireEye) Endpoint Security (AMSI)

(fireeye_amsi)

Key Field Name | Display Name | Description
fireeye.source | Alert Type | FireEye alert source type
event.threat.name | Threat Name | FireEye alert name
event.severity_str | Severity | Severity level
host.ip | Host IP Address | Host IP address
host.name | Host Name | Host name
file_list | File List | File list
process_list | Process List | Process list: Pid (process command line)
event.url | Event URL | FireEye event URL

Trellix (FireEye) Endpoint Security (IOC)

(fireeye_ioc)

Key Field Name | Display Name | Description
fireeye.source | Alert Type | FireEye alert source type
host.ip | Host IP Address | Host IP address
host.name | Host Name | Host name
event.name | Event Name | Event name
file.name | File Name | File name
process.name | Process Name | Process name
event.url | Event URL | FireEye event URL

Trellix (FireEye) Endpoint Security (MAL)

(fireeye_mal)

Key Field Name | Display Name | Description
fireeye.source | Alert Type | FireEye alert source type
event.threat.name | Threat Name | FireEye alert name
fireeye.infection_type | Infection Type | FireEye infection type
event.severity_str | FireEye Severity Level | FireEye severity level
host.ip | Host IP Address | Host IP address
host.name | Host IP Address | Host name
file.path | File Path | File path
file.hash.md5 | File MD5 Hash | File MD5 hash
file.hash.sha1 | File SHA1 Hash | File SHA1 hash
file.hash.sha256 | File SHA256 Hash | File SHA256 hash
process.executable | Event Actor Process Path | FireEye event actor process path
process.pid | Event Actor Process Pid | FireEye event actor process PID
event.url | Event URL | FireEye event URL

Trellix (FireEye) Endpoint Security (PROCGUARD)

(fireeye_procguard)

Key Field Name | Display Name | Description
fireeye.source | Alert Type | FireEye alert source type
event.threat.name | Threat Name | FireEye alert name
host.ip | Host IP Address | Host IP address
host.name | Host Name | Host name
file_list | File List | File list
process_list | Process List | Process list: Pid (process command line)
event.url | Event URL | FireEye event URL

Varonis DatAdvantage

(varonis_datadvantage)

Key Field Name | Display Name | Description
event.type | Event Type | Event type
event.threat.name | Threat Name | Threat name
event.severity | CEF Severity Level | Original CEF severity level
user.name | User Name | User name
file.name | File Name | File name
file.path | File Path | File path

VMware Carbon Black Cloud

(carbonblack)

Key Field Name | Display Name | Description
host.name | Host Name | Computer name
host.external_ip | Host Name | Host external IP address
host.ip | Host Internal IP Address | Host internal IP address
process.name | Process Name | Process name
event.description | Event Reason | Event reason

Windows Defender Antivirus

(windows_defender_antivirus)

Key Field Name | Display Name | Description
threat | Threat Name | Threat name
host.name | Host Name | Computer name
hostip | Host IP Address | Host IP address
file.path | File Path | File path
process.name | Process Name | Process name

Key Fields for Built-in and Rule-Based Alert Types

The Key Fields for built-in alert types and rule-based alert types are documented individually. See the Key Fields and Relevant Data Points for any alert type by its display name in Machine Learning Alert Type Details, or by its XDR event name in Alert Types by XDR Event Name.