Integration of Third Party Native Alerts

Stellar Cyber's built-in alerts are created from data pathways that leverage raw data collected from all forms of data sources, including third party services and Stellar Cyber’s sensors. You can choose to allow Stellar Cyber's Machine Learning (ML) and Statistical Analysis (SA) to generate alerts based on raw data ingested from third party services. For certain services, you can additionally choose to ingest and integrate alerts that are natively created in those services.

This topic summarizes which third party services and products Stellar Cyber supports for native alert integration and how those alerts are mapped in Stellar Cyber.

Third Party Native Alert Mapping

Stellar Cyber handles each service and product in a custom manner, according to the nature of the incoming data, including third party native alerts and other security events. To view alerts and events from multiple sources in our unified, common platform, Stellar Cyber normalizes and enriches the third party native alerts and security events during the data ingestion process. With ingested, normalized, and enriched third party native alerts and security events, Stellar Cyber further applies ML/SA engines, a direct mapping, or a combination of the two, to create Stellar Cyber alerts mapped to the XDR Kill Chain with additional de-duplication to reduce noise and alert fatigue.

Review the following to better understand the native third party alert mapping Stellar Cyber is doing to help you get to the decision points more efficiently:

De-duplication: In mapping third-party native alerts and security events to the XDR Kill Chain, Stellar Cyber uses a variety of methods to identify and eliminate potential duplicates for each applicable alert or event type. In particular, Stellar Cyber identifies a combination of fields and values to be key characteristics and uses those to identify duplicates. An example method is to compare the values in that combination for each new third party native alert; if the same value set occurs within a time threshold, that record is considered a duplicate and only the original record is mapped. This process is a critical mechanism to eliminate noise and reduce alert fatigue.
Normalization: A key benefit of Stellar Cyber is standardization of all incoming data sources to a common data model (Interflow record), that includes some fields based on the Elastic Common Schema (ECS). Values from the incoming raw data are mapped into standardized fields in Stellar Cyber. In some cases, the original data field is still saved with the Interflow record. This normalization allows Stellar Cyber Analytics and Machine Learning to perform complex analysis and identify related events from disparate ingestion sources. Here are examples of normalization:
- crowdstrike.event.LocalIP is mapped to Stellar Cyber's host.ip field
- threatInfo.classification is mapped to Stellar Cyber threat field
Enrichment: Stellar Cyber's data framework requires certain fields to help identify the data source, the category of data, the type of event, to support scoring calculations and certain other activities. In some cases, the ingested data can be directly mapped into these fields. In other cases, Stellar Cyber generates that data. Examples of data enrichment are:
- (No incoming source field) msg_origin.source is created and populated with the vendor name, such as crowdstrike
- (No incoming source field) msg_origin.category is created and populated with the applicable category for the data type, such as endpoint
- Incoming data source field crowdstrike.metadata.eventType field exists and its value (such as crowdstrike_detection_summary) is mapped to Stellar Cyber field msg_class
- Incoming data source field event.technique.name field exists and its value is either mapped directly or algorithmically standardized to populate to Stellar Cyber field xdr.event_name.
- Populating the xdr_event structure is a key part of enrichment, with Stellar Cyber ensuring that a Tactic, Technique, and Procedure name, and important scores, are present in every Alert record.

Supported Native Third Party Alerts

The table below lists all the services and products for which Stellar Cyber has developed direct integration of third party native alerts, which includes mapping to the Stellar Cyber XDR Kill Chain and adding those alerts to the Alert index. Data not directly mapped is still run through the Stellar Cyber ML/SA pipeline, where applicable. The third party native alerts that are not mapped are ingested and available for creating ATH rules for automatic actions and entry of the result into the Alert index.

Use the table below to identify the data applicable for direct alert mapping, the method of ingestion, and the nature of the mapping.

In cases where a value is indicated as Derived, Stellar Cyber assigns a value based on other attributes in the ingested data.
Where possible, links to the third party data type format are provided for reference.

For the Key Fields for Third Party Alerts, see Key Fields for Third Party Native Alert Types.

Third Party Service

Third Party Data Type

Ingestion
Method

Mapping of Native Alerts to Stellar Cyber Alerts

Notable Interflow Fields

Acronis Cyber Protect Cloud

Acronis Cyber Protect Cloud Alerts

Acronis Cyber Protect Cloud Connector

This connector ingests logs from Acronis Cyber Protect Cloud to get the raw alerts that are stored in the Syslog index.

Stellar Cyber maps Acronis Cyber Protect Cloud alerts. The alerts are read from the Syslog index, enriched with Stellar Cyber fields, and mapped (with de-duplication) to the Alerts index.

The following four alert types are supported: Email security, EDR, Antimalware protection, and URL filtering.

Tactic and Technique are based on alert type.

Alerts from Acronis Email security are not correlated into cases in Case Management.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: acronis_cyber_protect
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: acronis_cyber_protect_alert
Event (Alert) Name Interflow field: xdr_event.display_name:
- Acronis Cyber Protect: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Acronis Cyber Protect Cloud: Phishing
- Acronis Cyber Protect: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Acronis Cyber Protect Cloud: XDR Anomaly
- Acronis Cyber Protect: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Acronis Cyber Protect Cloud: Hide Artifacts
- Acronis Cyber Protect: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Acronis Cyber Protect Cloud: Drive-by Compromise
Severity Interflow field: severity or event.severity: Derived from event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are derived

AWS GuardDuty

AWS GuardDuty Alerts

Refer to Amazon GuardDuty.

AWS GuardDuty Connector

This connector ingests logs from AWS GuardDuty to get the raw alerts that are stored in the Syslog index.

Stellar Cyber maps AWS GuardDuty alerts. The alerts are read from the Syslog index, enriched with Stellar Cyber fields, and mapped (with de-duplication) to the Alerts index.

Deduplication is by aws_guardduty_id.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: aws_guardduty
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: aws_guardduty_finding
Event (Alert) Name Interflow field: xdr_event.display_name: AWS GuardDuty: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example AWS GuardDuty: Valid Accounts
Severity Interflow field: severity or event.severity: Derived from event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are derived

Azure AD New feature in noted release

riskDetections>riskEvents

Azure AD Connector

This connector can ingest several log types. Only Risk Detection logs are relevant to alert mapping.

The value in the fields for the data type noted at left are mapped to Stellar Cyber's XDR Alert index. These alerts are suitable for MITRE | ATT&CK classification, but do not contain tactic and technique values. Stellar Cyber has evaluated each possible alert and assigned a corresponding MITRE | ATT&CK Stage, Tactic and Technique.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: azure_ad
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: azure_ad_risk_detection
Event (Alert) Name Interflow field: xdr_event.display_name: AzureAdRiskDetection: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example AzureAdRiskDetection: Valid Accounts
Severity Interflow field: severity or event.severity: Derived from riskLevel
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are derived

Bitdefender New feature in noted release

URL--based

Antiphishing

Data Protection

User Control / Content Control

IP-based

Firewall

Ransomware activity detection

Threat-based

Advanced Threat Control (ATC)

Antiexploit Event

Antimalware

Hyper Detect event

Sandbox Analyzer Detection

Storage Antimalware

Configure ingestion of Bitdefender's Push event for JSON RPC messages to send data to a Stellar Cyber sensor configured to ingest httpjson (port 5200) over TLS.

Of the different record types you can configure to push to Stellar Cyber's httpjson parser, the 11 at left are normalized and enriched as they are added to the Syslog index. The records are evaluated against existing records in the Alert index-- those that do not already exist are directly mapped to the Alert index and XDR Kill chain. The other records are run through the ML/SA pipeline, which may generate alerts based on those algorithms. The labels assigned to the alert groups at left refer simply to the nature of the key data points for those alerts. Specifically, these data are supplied with the relevant alert description (Bitdefender field in parenthesis):

URL-based alerts: event.type (module acronym), host.name (computer_fqdn), host.ip (computer_ip), url
IP-based alerts: event.type (module acronym), host.name (computer_fqdn), host.ip (computer_ip), srcip (attack source or source-ip)
Threat-based alerts: event.type (module acronym), host.name (computer_fqdn), host.ip (computer_ip), threatName, where threatName varies depending on the record type (malware_name, threatType, detection_threatName, attack_types, aph_type, exploit_type, or target_type)

See the Bitdefender connector information card for more details on normalization of these and other Bitdefender records.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: bitdefender
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: Several. See the Bitdefender connector information card for a full list.
Event (Alert) Name Interflow field: xdr_event.display_name: Bitdefender: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Bitdefender: Data Encrypted for Impact
Severity Interflow field: severity or event.severity: Derived from event.type
Fidelity Interflow field: fidelity: Is Severity by default

MITRE | ATT&CK Technique and Tactic values are assigned as follows:

Advanced Threat Control (ATC) Antiexploit Event Antimalware Hyper Detect event Sandbox Analyzer Detection	XDR Malware; XDR Misc Malware
User Control/Content Control	Execution; Exploitation for Client Execution
Data Protection Storage Antimalware Event	Impact; Data Manipulation
Ransomware activity detection	Impact; Data Encrypted for Impact
Antiphishing	Initial Access; Phishing
Firewall	XDR NBA; XDR Firewall Anomaly

Blackberry CylancePROTECT and CylanceOPTICS

CylancePROTECT:

CylanceOPTICS:

Forward log files to port 5177 (specific for handling Cylance logs)

The Blackberry Cylance Connector is applicable only for response actions.

For CylancePROTECT, three types of Cylance events are mapped to the XDR Kill Chain and Stellar Cyber's Alert index: Exploit Attempts, Script Control, and Threats. The other data (Audit Log, Device, Device Control, and Threat Classification) are ingested and mapped to the Syslog index (not Alerts index), and are not run through the ML/SA pipeline.
For CylanceOPTICS, Detection events are evaluated with Stellar Cyber time series analysis models to determine abnormality of the event before mapping.

CylancePROTECT

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: cylance_protect
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: cylance_protect_alert
Event (Alert) Name Interflow field: xdr_event.display_name: CylancePROTECT: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example CylancePROTECT: OS Credential Dumping
Severity Interflow field: severity or event.severity: Not present in incoming data; Derived
Fidelity Interflow field: fidelity: cylance_score unless blank, then is populated with the same value as Severity
Kill Chain & MITRE | ATT&CK values are derived from event_type and violation_type/threat_classification

CylanceOPTICS

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: cylance_optics
msg_class: Interflow field to which Stellar Cyber assigns a value, which can be used for filtering. cylance_optics_event
Event (Alert) Name Interflow field: xdr_event.display_name: CylanceOPTICS: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example CylanceOPTICS: XDR Anomaly
Severity Interflow field: severity or event.severity: severity
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are assigned a value during processing of CylanceOPTICS in the ML/SA pipeline

CrowdStrike Falcon

Detections

4.3.0-4.3.4:

CrowdStrike (Hosts Only) Connector (Applicable for Hosts but that data is not mapped to alerts)
CrowdStrike (Events) SIEM Connector
Applicable for incidents and Detections)

4.3.5+:

CrowdStrike Streaming Connector can be configured to collect Hosts and Events (including Detections)

Of the above, only Detections are relevant to alert mapping.

For Detections, CrowdStrike's DetectionSummaryEvent and PatternDisposition records are used to derive certain fields for populating the alert into the Stellar Cyber alert index. The Tactic and Technique fields in the record are more directly mapped to Stellar Cyber's XDR Kill Chain.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: crowdstrike
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: crowdstrike_detection_summary
Event (Alert) Name Interflow field: xdr_event.display_name: CrowdStrike: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example CrowdStrike: OS Credential Dumping
Severity Interflow field: severity or event.severity: event.Severity
Fidelity Interflow field: fidelity:Is Severity by default
Kill Chain & MITRE | ATT&CK values:
- Stage Interflow field: xdr_kill_chain_stage : event.Objective
- Tactic Interflow field: xdr_event._tactic: event.Tactic
- Technique Interflow field: xdr_event.technique: event.Technique

Cybereason New feature in noted release

Malops

Cybereason Connector

Stellar Cyber can generate alerts based on the Cybereason sensor and MalOp data, however the MalOp records are most applicable for direct mapping. The value in malopDetectionType is reformatted and used for the alert name. Stellar Cyber has evaluated each possible alert and assigned a corresponding MITRE | ATT&CK Stage, Tactic and Technique.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: cybereason_malops_all_types
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: cybereason_malops_all_types
Event (Alert) Name Interflow field: xdr_event.display_name: Cybereason: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Cybereason: Phishing
Severity Interflow field: severity or event.severity: Derived from threat and event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are derived from malopDetectionType

Cynet New feature in noted release

ADT Alerts

NextGen Antivirus Alerts

Threat Intelligence Alerts

Memory Protection Alerts

Network Activity Alerts

AMSI Alerts

Feature Alerts

Configure ingestion of CEF format logs to a Stellar Cyber sensor.

The collection of Cynet alerts listed here are read from the Syslog index, enriched and mapped (with de-duplication) to the Alert index and Stellar Cyber Kill Chain. The Cynet alert type is mapped to Stellar Cyber's event.threat.name, which is shown in the key fields.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: cynet
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: cynet_alerts
Event (Alert) Name Interflow field: xdr_event.display_name: Cynet: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Cynet: Data Encrypted for Impact
Severity Interflow field: severity or event.severity: Derived from event.threat.name and event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are assigned based on the value in Cynet's alert type which is mapped to event.threat.name

Deep Instinct New feature in noted release

Events

Deep Instinct Connector

The connector can be used for three data types but only Events are applicable for alert mapping.

The Events record includes a MITRE | ATT&CK structure with values that support direct mapping to Stellar Cyber's XDR Kill Chain. If the incoming tactic or technique are blank, the following values are assigned in Stellar Cyber:
tactic_name = XDR Malware
technique_name = XDR Miscellaneous Malware

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: deep_instinct
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: deep_instinct_maliciousevent
Event (Alert) Name Interflow field: xdr_event.display_name: DeepInstinct: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example DeepInstinct: User Execution
Severity Interflow field: severity or event.severity: Derived from event.threat.name and event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values:
- Stage Interflow field: xdr_kill_chain_stage: Derived from MitreClassifications.mitre_id
- Tactic Interflow field: xdr_event._tactic: MitreClassifications.tactic_name
- Technique Interflow field: xdr_event.technique: MitreClassifications.technique_name
See also:
- event.reason contains trigger
- action contains act

Google Workspace Alert New feature in noted release

Alerts

Google Workspace Connector

This connector can ingest Alerts from Google's Alert center and Application (audit) reports. The Gmail Phishing, Google Identity, and User Changes events from the Alert reports (and are specifically relevant to this mapping).

The Gmail Phishing, Google Identity, and User Changes alerts are mapped. All other data from Alerts and Applications (audit reports) are processed through Stellar Cyber's ML/SA workflow.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: gsuite
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: gsuite_alert
Alert Subtype: gsuite.type or type
Event (Alert) Name Interflow field: xdr_event.display_name: Google Workspace Alert: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Google Workspace Alert: Phishing
Severity Interflow field: severity or event.severity: metadata.severity
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are assigned

Microsoft Defender for Endpoint New feature in noted release

Syslog

Microsoft Defender for Endpoint Connectors

This connector ingests logs from Microsoft Defender for Endpoint (connector).

Select the Alerts content type.

There may be two data sources for third party native alerts if you have integrated both Microsoft Defender for Endpoint (connector) and Windows Defender Antivirus (free version).

The integration of Microsoft Defender for Endpoint (connector) may stop the alert mapping for Windows Defender Antivirus (free version).

Stellar Cyber maps Microsoft Defender ATP alerts.

The lastUpdateTime timestamp is used with the API to pull alerts/events. The alertCreationTime timestamp is not used. This may result in the old event being pulled again when an update happens on the event.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: microsoft_defender
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: microsoft_defender_alerts
Alert Subtype: microsoft_defender.title
Event (Alert) Name Interflow field: xdr_event.display_name: Microsoft Defender ATP: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Microsoft Defender ATP: OS Credential Dumping
Severity Interflow field: severity or event.severity: Derived from threat and event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Tactic Interflow field: xdr_event._tactic: XDR Malware
Mitre TTP mappings are provided by the Microsoft ATP field microsoft_defender.mitreTechniques. When the field is empty, Stellar Cyber's own TTP mapping is used.

Microsoft Office 365 New feature in noted release

Windows Events

Office 365 Connectors

This connector ingests logs from Microsoft Office 365. Select the Audit General content type.

Only the AlertTriggered operation is relevant to alert mapping.

Stellar Cyber maps Microsoft Office 365 alerts from the AlertTriggered operation.

For the Audit General content type, Office 365 alerts contain events from the AlertTriggered operation, which are sent to the Alerts index.

The source records may also include related events in the AlertEntityGenerated operation. Some information (AlertEntityId and EntityType) from the AlertEntityGenerated operation is merged with the AlertTriggered operation for the same Alert ID. The information (AlertEntityId and EntityType) is stored in the event_summary field.

Deduplication is by AlertId.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.:office365
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: office365_audit_general
Alert Subtype: event.threat.name or office365.Name
Event (Alert) Name Interflow field: xdr_event.display_name: Microsoft 365: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique. and the assigned (Tactic), for example Microsoft 365: Valid Accounts (Privilege Escalation)
Fidelity Interflow field: fidelity: Is Severity by default
Severity Interflow field: severity or event.severity: Derived from Office 365 alert policy Severity event.severity_str:
- High: 75
- Medium: 55
- Low: 35
- Informational: 15

Kill Chain & MITRE | ATT&CK values are mapped to the Office 365 alert policies and the category to which each policy is assigned. You can also refer to the Microsoft documentation.

Click Here for Alert Details

Categories and Alerts	Tactic	Technique	Severity
Information governance:
Unusual external user file activity	Impact/Exfiltration	Data Destruction, Exfiltration Over Web Service	High
Unusual volume of external file sharing	Exfiltration	Exfiltration Over Web Service	Medium
Unusual volume of file deletion	Impact	Data Destruction	Medium
Mail flow:
Messages have been delayed	XDR NBA	XDR Rule Violation	High
Permissions:
Elevation of Exchange admin privilege	Privilege Escalation	Valid Accounts	Low
Threat management:
A potentially malicious URL click was detected	Initial Access	Phishing	High
A user clicked through to a potentially malicious URL	Initial Access	Phishing	High
Admin submission result completed	XDR UBA	XDR Anomaly	Info
Admin triggered manual investigation of email	XDR UBA	XDR Anomaly	Info
Admin triggered user compromise investigation	XDR UBA	XDR Suspicious User	Medium
Administrative action submitted by an Administrator	XDR UBA	XDR Anomaly	Info
Creation of forwarding/redirect rule	Collection	Email Collection	Info
eDiscovery search started or exported	Discovery	Account Discovery	Info
Email messages containing malicious file removed after delivery	Initial Access	Phishing	Info
Email messages containing malicious URL removed after delivery	Initial Access	Phishing	Info
Email messages containing malware removed after delivery	Initial Access	Phishing	Info
Email messages containing phish URLs removed after delivery	Initial Access	Phishing	Info
Email messages from a campaign removed after delivery	Initial Access	Phishing	Info
Email messages removed after delivery	Initial Access	Phishing	Info
Email reported by user as malware or phish	Initial Access	Phishing	Low
Email sending limit exceeded	Initial Access	Valid Accounts	Medium
Form blocked due to potential phishing attempt	Lateral Movement	Internal Spearphishing	High
Form flagged and confirmed as phishing	Initial Access	Phishing	High
Malware not zapped because ZAP is disabled	Initial Access	Phishing	Info
Messages containing malicious entity not removed after delivery	Initial Access	Phishing	Medium
Phish delivered because a user's Junk Mail folder is disabled	Initial Access	Phishing	Info
Phish delivered due to an ETR override	Initial Access	Phishing	Info
Phish delivered due to an IP allow policy	Initial Access	Phishing	Info
Phish not zapped because ZAP is disabled	Initial Access	Phishing	Info
Potential nation-state activity	Initial Access	Valid Accounts	High
Remediation action taken by admin on emails or URL or sender	Initial Access	Phishing	Info
Suspicious connector activity	Initial Access	Phishing	High
Suspicious email forwarding activity	Collection	Email Collection	High
Suspicious email sending patterns detected	Initial Access	Valid Accounts	Medium
Suspicious tenant sending patterns observed	Privilege Escalation	Valid Accounts	High
Tenant Allow/Block List entry is about to expire	XDR UBA	XDR Policy Anomaly	Info
Tenant restricted from sending email	Privilege Escalation	Valid Accounts	High
Tenant restricted from sending unprovisioned email	Initial Access	Valid Accounts	High
User requested to release a quarantined message	Initial Access	Valid Accounts	Info
User restricted from sending email	Initial Access	Valid Accounts	High
User restricted from sharing forms and collecting responses	Lateral Movement	Internal Spearphishing	High

Oracle Cloud Infrastructure (OCI) CloudGuard

OCI CloudGuard Alerts

Refer to OCI CloudGuard.

Oracle Cloud Infrastructure (OCI) Connector

This connector ingests logs from OCI to get the raw alerts that are stored in the Syslog index.

Stellar Cyber maps OCI CloudGuard alerts. The alerts are read from the Syslog index, enriched with Stellar Cyber fields, and mapped (with de-duplication) to the Alerts index.

Deduplication is by tenantid, oracle.data.additionalDetails.tenantId, event.threat.name, and cloud.resource.id.

Alerts from OCI CloudGuard are not correlated into cases in Case Management.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: oracle_cloud_infrastructure
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: oracle_cloud_guard
Event (Alert) Name Interflow field: xdr_event.display_name: OCI CloudGuard: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example OCI CloudGuard: Modify Cloud Compute
Severity Interflow field: severity or event.severity: Derived from event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are derived

Proofpoint Targeted Attack Protection (TAP)

Proofpoint TAP Alerts

There are the following categories of alerts:

Phish: Phishing is when attackers send malicious emails designed to trick people into falling for a scam. Typically, the intent is to get users to reveal financial information, system credentials or other sensitive data.
Imposter: A scammer sets up an email address that looks like it is from your company. Then the scammer sends out messages using that email address. This practice is called spoofing, and the scammer is what we call a business email imposter.
Malware: Malware is a common cyber attack and an umbrella term for various malicious programs delivered and installed on end-user systems and servers. These attacks are designed to cause harm to a computer, server, or computer network, and are used by cyber criminals to obtain data for financial gain
Toad (Telephone-Oriented Attack Delivery): Toad is a type of social engineering attack that lures potential victims to contact fraudulent call centers managed by threat actors in attempts to steal credentials or install malware onto their systems.
Spam: Email spam, also known as junk email, refers to unsolicited email messages, usually sent in bulk to a large list of recipients.

Proofpoint TAP Connector

This connector ingests logs from Proofpoint TAP to get the raw alerts that are stored in the Syslog index.

Stellar Cyber maps Proofpoint TAP alerts. The alerts are read from the Syslog index, enriched with Stellar Cyber fields, and mapped (with de-duplication) to the Alerts index.

Deduplication is by email.sender.address.

There are the following event types:

Proofpoint TAP messageBlocked
Proofpoint TAP messageDelivered
Proofpoint TAP clickBlocked
Proofpoint TAP clickDelivered

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: proofpoint_tap
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: proofpoint_tap_event
Event (Alert) Name Interflow field: xdr_event.display_name: Proofpoint TAP: with the event type and the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Proofpoint TAP messageBlocked: Phishing
Severity Interflow field: severity or event.severity: Derived from event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are derived

SentinelOne Cloud

Threats

SentinelONE Connector

This connector can ingest Hosts, Threats, and Vulnerabilities. Of these, only Threats are relevant for alert mapping.

The threat dataset includes a variety of fields that enable Stellar Cyber to map the native SentinelOne alerts to the Stellar Cyber alert index. For example, threatInfo.classification describes the event (such as Trojan). That and other fields in the threatInfo record support direct mapping of SentinelOne's MITRE | ATT&CK Tactic and Technique fields to Stellar Cyber's XDR Kill Chain.

For SentinelOne, the UpdatedAt timestamp is used with the API to pull alerts/events. The CreatedAt timestamp is not used. This may result in the old event being pulled again when an update happens on the event.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: sentinelone_endpoint
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: sentinelone_threat_detection
Event (Alert) Name Interflow field: xdr_event.display_name: SentinelOne: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example SentinelOne: User Execution
Severity Interflow field: severity or event.severity: Derived from threat
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are mapped from the indicators field set.

If more than one value is present in the Tactic and/or Technique fields, Stellar Cyber software determines which pair of values reflects the most severe position in the XDR Killchain and uses that pair for mapping.

If those source fields are empty, the Tactic is set to XDR Malware, Technique set to XDR Miscellaneous Malware, and Stage is set to Persistent Foothold.

Trellix (FireEye) Endpoint Security

Alerts

Trellix (FireEye) Endpoint Security HX

The connector can be used for three data types but only Alerts are applicable for alert mapping.

Stellar Cyber identifies the FireEye data logged into the Syslog index. Records of the type Alerts are then normalized, enriched, and mapped to the Alerts index. The following fields are included as part of the Stellar Cyber alert description: indicator.name and agent.url. Each relevant Syslog record is compared against existing records in the Alert index and not added to that index if the values in the following fields match those of an existing record logged in the previous 24 hours: org_id, tenantid, user.name, host.ip, event.name, file.path, process.path.

The following four alert types are supported: IOC, MAL, AMSI, and PROCGUARD. Tactic and Technique are based on alert type.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: fireeye_hx
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: fireeye_alerts
Alert Subtype:
- IOC: event.name
- MAL: event.threat.name
- AMSI: event.threat.name
- PROCGUARD: event.threat.name
Event (Alert) Name Interflow field: xdr_event.display_name:
- Fireeye IOC: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example: Fireeye IOC: XDR Indicator of Compromise
- Fireeye MAL: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example: Fireeye MAL: User Execution
- Fireeye AMSI: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example: Fireeye AMSI: Windows Management Instrumentation
- Fireeye PROCGUARD: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example: Fireeye PROCGUARD: OS Credential Dumping
Severity Interflow field: severity or event.severity: Derived from alert source and severity level event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are assigned

Varonis DatAdvantage

Varonis Alerts

File system operation
Directory services operation

Configure ingestion of CEF format logs to a Stellar Cyber sensor.

Varonis sends Syslog CEF events to Stellar Cyber, which maps Varonis DatAdvantage alerts to the Alerts index.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: varonis_datadvantage
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: varonis_datadvantage_file_system_operation, varonis_datadvantage_directory_services_operation
Alert Subtype: varonis.rulename
Event (Alert) Name Interflow field: xdr_event.display_name: Varonis DatAdvantage: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Varonis DatAdvantage: File and Directory Discovery
Severity Interflow field: severity or event.severity: Derived from CEF severity
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain & MITRE | ATT&CK values are derived

VMware Carbon Black Cloud New feature in noted release

Alerts of type CB Analytics, Device Control, and Watchlist

VMware Carbon Black Cloud Connector

VMware Carbon Black alerts are assigned a MITRE technique / tactic / procedure (TTP) which is reformatted but otherwise preserved during mapping, except as noted below.

CB Analytics and Device Control:

Alerts with a threat_cause_threat_category of NON_MALWARE, NEW_MALWARE, and KNOWN_MALWARE are directly mapped to the Alerts index. The kill_chain_status values (RECONNAISSANCE, WEAPONIZE, DELIVER_EXPLOIT, INSTALL_RUN, COMMAND_AND_CONTROL, EXECUTE_GOAL, BREACH) are preserved and mapped to the Stellar Cyber XDR Kill Chain.
Alerts with a threat category value of RISKY_PROGRAM are assigned a Tactic of XDR Malware and Techinque of XDR PUA.
Alerts with threat category value of UNKNOWN are run through Stellar Cyber's ML/SA pipeline, to better ascertain the nature of the alert before mapping it to the Alert index. This type is assigned an Tactic of XDR EBA and Technique of XDR Anomaly

Watchlist: This type of alert is considered noisy (generates a large volume of hits), so it is routed through the ML/SA pipeline using our Time Series Analytic and Rare models, along with de-duplication, before being mapped to the Alerts index. This type of alert is classified as Tactic: XDR EBA with Technique: XDR Anomaly.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: carbonblack_cloud
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: carbonblack_alert
Event (Alert) Name Interflow field: xdr_event.display_name: Carbon Black: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example Carbon Black: OS Credential Dumping
Severity Interflow field: severity or event.severity: Assigned based on threat_cause_threat_category, values range from 20-55
Fidelity Interflow field: fidelity: Is Severity by default, except Watchlist alerts and alerts with threat category of UNKNOWN which receive a computed value from the ML/SA pipeline
Kill Chain & MITRE | ATT&CK values are derived from the ttps field of the threat_indicators record. If those fields are empty or the threat_type is UNKNOWN, the Tactic is set to XDR Malware, Technique is set to XDR Miscellaneous Malware, and Stage is set to Persistent Foothold.

ORIGINAL FIELDS: In addition to the mapping of fields to Stellar Cyber Interflow fields, all of the original fields for this alert type are included in the Interflow record.

Windows Defender Antivirus

(free version only)

Events

Windows Agent Detection Logs ingested from a Windows Agent

These events are ingested to the Stellar Cyber Windows Event index. As of the v4.3.2 release, they are also now processed into the Alerts index. In these logs, multiple events correlate to a single incident, such as event_id 1116 (malware detected), one with event_id 1117 (means malware is quarantined). Stellar Cyber manages this, tracking the events to the related incident during the mapping process.

msg_origin.source Interflow field to which Stellar Cyber assigns a vendor identifying value, which can be used for filtering.: windows_agent
msg_class Interflow field to which Stellar Cyber assigns a value, which can be used for filtering.: Microsoft-Windows-Windows Defender
Event (Alert) Name Interflow field: xdr_event.display_name: WindowsDefenderAntivirus: with the assigned Technique Technique includes both those based on the MITRE | ATT&CK framework, as well as native XDR versions developed by Stellar Cyber, which will be used only when there is no available Mitre technique., for example WindowsDefenderAntivirus: XDR Trojan
Severity Interflow field: severity or event.severity: Derived from threat name and severity level event.severity_str
Fidelity Interflow field: fidelity: Is Severity by default
Kill Chain values are derived (not displayed if values are blank)
See also:
- event.ms_incident_id contains Detection ID
- threat contains Threat name