Key Fields for Alert Types

There are Key Fields for the following alert types: third party native alert types, and built-in and rule-based alert types.

Key Fields for Third Party Native Alert Types

Stellar Cyber supports third party native alert integration. The Key Fields for third party native alert types are as follows:

Each table below is headed by the third party display name, with the integration key in parentheses. Each row then lists three columns: Key Field Name, Display Name, Description.

Acronis (Antimalware protection)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
acronis_cyber_protect.details.threatName Acronis Threat Name Acronis threat name
event.category Alert Category Alert category
host.name Host Name Host name
event.severity_str Acronis Severity Level Acronis severity level
file.name File Name File name
file.path File Path File path
file.hash.sha1 File SHA1 File SHA1
file.hash.md5 File MD5 File MD5
file.hash.sha256 File SHA256 File SHA256

Acronis (EDR)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
event.category Alert Category Alert category
host.name Host Name Host name
event.severity_str Acronis Severity Level Acronis severity level
acronis_cyber_protect.details.redirectLink Acronis Alert Redirect Link Acronis alert redirect link
acronis_cyber_protect.details.verdict Acronis Alert Verdict Acronis alert verdict

Acronis (Email security)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
event.category Alert Category Alert category
event.severity_str Acronis Severity Level Acronis severity level
email.from.address Email From Address Email from address
email.subject Email Subject Email subject

Acronis (URL filtering)

(acronis_cyber_protect)

event.threat.name Alert Type Alert type
acronis_cyber_protect.details.threatName Acronis Threat Name Acronis threat name
event.category Alert Category Alert category
host.name Host Name Host name
event.severity_str Acronis Severity Level Acronis severity level
url URL URL
process.pid Process ID Process ID
process.executable Process Path Process path

AWS GuardDuty

(aws_guardduty)

aws_guardduty.Title Alert Title AWS GuardDuty alert title
host_list Host IP Address(es) Private IP addresses of the network interfaces of the resource instance
user.name User Name User name associated with the access key details of the resource
event.threat.name Threat Name Threat name
event.severity AWS GuardDuty Severity Score AWS GuardDuty severity score
cloud.resource.type Cloud Resource Type Cloud resource type
cloud.resource.id Cloud Resource ID Cloud resource ID
cloud.resource.name Cloud Resource Name Cloud resource name

Bitdefender IP

(bitdefender_ip)

host.name Host Name Host name
host.ip Host IP Address Host IP address
srcip Source IP Source IP address

Bitdefender Threat

(bitdefender_threat)

host.name Host Name Host name
host.ip Host IP Address Host IP address
event.threat.name Threat Type Threat type

Bitdefender URL

(bitdefender_url)

host.name Host Name Host name
host.ip Host IP Address Host IP address
url URL URL

Blackberry CylancePROTECT

(cylance_protect)

host.name Host Name Computer name
host.ip Host IP Address Host IP address
file_name File Name File name
file_path File Path File path
process_name Process Name Process name

CrowdStrike

(crowdstrike)

host.name Computer Name Computer name
hostip Host IP Address Host IP address
user.name User Name User name
file.name File Name File name
file.path File Path File path
process.command_line Command Line Command line

Cybereason

(cybereason)

user_list User Names User names
file.name File Name File name
process.name Process Name Process name
host_list Host IP Address(es) Host IP address(es)

Cynet

(cynet)

host.ip Host IP Address Host IP address
event.threat.name Threat Name Event threat name
file.name File Name File name

Deep Instinct

(deepinstinct)

host.name Host Name Host name
host.ip Host IP Address Host IP address
file.path File Path File path
file.file_hash File Hash File hash
deep_instinct.action Event Action Deep Instinct event action

Google Workspace Alert

(google_workspace_alert)

source Alert Source Alert source
type Alert Type Alert type
rule.name Rule Name Alert rule name
host.ip Login IP Address IP address associated with the warning event
data.email Data Email Email of the user to which this event belongs
securityInvestigationToolLink Investigation Tool Link Google Workspace security investigation tool link
user.id User ID User ID

LimaCharlie Events

(limacharlie_alert)

srcip_host Source Host Name of the workstation
srcip Source IP IP address of the source
srcport Source IP Port Port of the source IP address
host.name Host Name Host name
host.ip Host IP Host IP address
limacharlie.detect.event.ACTION Action Event action
limacharlie.detect.event.REGISTRY_KEY Registry Key Registry key
limacharlie.detect.event.REGISTRY_VALUE Registry Value Registry value
process.name Process File Path File path of the process
process.hash.sha256 Process File Hash File hash of the process
event.severity_str LimaCharlie Severity Original severity of the LimaCharlie alert
limacharlie.detect.event.EVENT.EventData.TargetUserSid SID SID of the target user
file.path File Path Path of the file
file.hash.sha256 File Hash SHA256 hash of the file
process.command_line Process Command Line Command line of the process
process.pid Process ID Process ID
user.name User Name User name
limacharlie.detect.event.EVENT.System.EventID Event ID Event ID
limacharlie.detect.event.EVENT.EventData.LogonType Logon Type Logon type
limacharlie.detect.event.EVENT.EventData.ProcessName Process Name Process name
limacharlie.detect.event.PARENT.FILE_PATH Parent File Path Path of the parent file
limacharlie.detect.event.PARENT.HASH Parent File Hash Hash of the parent file
process.parent.command_line Parent Process Command Line Command line of the parent process
process.parent.pid Parent Process ID Parent process ID
limacharlie.detect.event.PARENT.USER_NAME Parent User Name User name of the parent process
limacharlie.link LimaCharlie Alert Link LimaCharlie alert link
limacharlie.source_rule Source Rule Source rule that LimaCharlie used to generate the alert
limacharlie.detect_mtd.references Rule References References of the rule

Microsoft Defender for Endpoint

(ms_defender_atp)

host.name Host Name Host name
host.ip Host IP Address Host IP address
user.name User Name User name
user.domain User Domain User domain
threat Threat Name Threat name
file_list File List File list
process_list Process List Process list

Microsoft Entra ID (formerly Azure Active Directory)

(azure_ad_risk_detection)

userDisplayName User Name User name
ipAddress Host IP Address Host IP address
riskEventType Event Type Risk event type

Microsoft Office 365

(microsoft_365)

event.threat.name Threat Name Threat name
event.severity_str Microsoft 365 Severity Level Microsoft 365 severity level
event.category Category Microsoft 365 alert category
Source Source Microsoft 365 alert source
AlertType Alert Type Microsoft 365 alert type
event_summary.alert_entity_list Alert Entity List Microsoft 365 alert entity list
username User Name User name

Mimecast Attachment Protect

(mimecast_attachment_protect)

file.name File Name File name of the malicious file
mimecast.fileExt File Extension File extension of the malicious file
mimecast.Size File Size Size (in bytes) of the malicious file
file.hash.md5 File MD5 Hash MD5 hash of the malicious file
file.hash.sha1 File SHA1 Hash SHA1 hash of the malicious file
file.hash.sha256 File SHA256 Hash SHA256 hash of the malicious file
mimecast.fileMime File MIME Type Detected MIME type of the malicious file
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.senderDomain Sender Domain Sender domain
mimecast.route The Route of the Message Route of the message

Mimecast AV

(mimecast_av)

srcip Source IP Address Source IP address
file.name File Name File name
mimecast.fileExt File Extension File extension
mimecast.Size File Size Size (in bytes) of the malicious file
file.hash.md5 File MD5 Hash File MD5 hash
file.hash.sha1 File SHA1 Hash File SHA1 hash
file.hash.sha256 File SHA256 Hash File SHA256 hash
mimecast.fileMime File MIME Type File MIME type
email.sender.address Sender Address Sender address
mimecast.senderDomain Sender Domain Sender domain
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.Route The Route of the Message Route of the message
mimecast.Virus Virus Signature Virus signature

Mimecast Impersonation Protect

(mimecast_email_impersonation_protect)

mimecast.aCode Mimecast aCode Unique ID used to track the email through the different log types from Mimecast
srcip Source IP Address Source IP address
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
event.threat.name Alert Definition Alert definition
mimecast.Hits Number of Items Flagged Number of items flagged for the message
mimecast.Route The Route of the Message Route of the message

Mimecast Internal Email Protect

(mimecast_internal_email_protect)

mimecast.aCode Mimecast aCode Unique ID used to track the email through the different log types from Mimecast
srcip Source IP Address Source IP address
url Clicked URL URL the user clicked
event.threat.name URL Category URL category
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.Route The Route of the Message Route of the message

Mimecast Malicious Receipt Log

(mimecast_receipt_with_virus)

mimecast.aCode Mimecast aCode Unique ID used to track the email through the different log types from Mimecast
srcip Source IP Address Source IP address
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.Error Errors Occurred Information about any errors that occurred during receipt
mimecast.Dir Email Direction Direction of the email based on the sending and receiving domains
mimecast.Virus Virus Signature Virus signature
mimecast.Act Action Action taken at the receipt stage
mimecast.RejInfo Rejection Information Rejection information if the email was rejected at the receipt stage
mimecast.RejType Rejection Type Rejection type if the email was rejected at the receipt stage
mimecast.TlsVer TLS Version TLS version used if the email was received using TLS
mimecast.Cphr TLS Cipher TLS cipher used if the email was received using TLS

Mimecast URL Protect

(mimecast_url_protect)

srcip Source IP Address Source IP address
url Clicked URL URL the user clicked
event.threat.name URL Category URL category
event.reason Reason Event reason
email.sender.address Sender Address Sender address
email.recipient.addresses Recipient Address(es) Recipient address(es)
email.subject Email Subject Email subject
mimecast.action Mimecast Action Mimecast action
mimecast.senderDomain Sender Domain Sender domain
mimecast.route The Route of the Message Route of the message

Oracle Cloud Infrastructure (OCI) CloudGuard

(oci_cloudguard)

event.type Problem Type Problem type
event.threat.name Threat Name Threat name
event.severity_str OCI Severity Level OCI CloudGuard severity level
cloud.resource.type Cloud Resource Type Cloud resource type
cloud.resource.id Cloud Resource ID Cloud resource ID
cloud.resource.name Cloud Resource Name Cloud resource name
oracle.data.additionalDetails.problemRecommendation Problem Recommendation Problem recommendation from OCI

Proofpoint TAP

(proofpoint_tap)

srcip Source IP Address Source IP address
email.subject Email Subject Email subject
email.sender.address Sender Address Email sender address
email.from.address Sender Address Email from address
email.recipient.addresses Recipient Address(es) Email recipient address(es)
email.to.addresses To Address(es) Email to address(es)
email.x_mailer X-Mailer X-Mailer content
event.threat_list Proofpoint Event Threat List Threat category: Threat artifact
name Threat Name Proofpoint threat name
category Threat Category Proofpoint threat category
attachment Threat Attachment Proofpoint threat attachment
severity Proofpoint Threat Severity Proofpoint threat severity
url Proofpoint Threat URL Proofpoint threat URL

SentinelOne Cloud

(sentinelone)

host.name Host Name Computer name
host.ip Host IP Address Host IP address
file.name File Name File name
file.path File Path File path
process.parent.name Parent Process Name Originator process name

Trellix (FireEye) Endpoint Security (AMSI)

(fireeye_amsi)

fireeye.source Alert Type FireEye alert source type
event.threat.name Threat Name FireEye alert name
event.severity_str Severity Severity level
host.ip Host IP Address Host IP address
host.name Host Name Host name
file_list File List File list
process_list Process List Process list: Pid (process command line)
event.url Event URL FireEye event URL

Trellix (FireEye) Endpoint Security (IOC)

(fireeye_ioc)

fireeye.source Alert Type FireEye alert source type
host.ip Host IP Address Host IP address
host.name Host Name Host name
event.name Event Name Event name
file.name File Name File name
process.name Process Name Process name
event.url Event URL FireEye event URL

Trellix (FireEye) Endpoint Security (MAL)

(fireeye_mal)

fireeye.source Alert Type FireEye alert source type
event.threat.name Threat Name FireEye alert name
fireeye.infection_type Infection Type FireEye Infection Type
event.severity_str FireEye Severity Level FireEye severity level
host.ip Host IP Address Host IP address
host.name Host Name Host name
file.path File Path File path
file.hash.md5 File MD5 Hash File MD5 hash
file.hash.sha1 File SHA1 Hash File SHA1 hash
file.hash.sha256 File SHA256 Hash File SHA256 hash
process.executable Event Actor Process Path FireEye event actor process path
process.pid Event Actor Process Pid FireEye event actor process Pid
event.url Event URL FireEye event URL

Trellix (FireEye) Endpoint Security (PROCGUARD)

(fireeye_procguard)

fireeye.source Alert Type FireEye alert source type
event.threat.name Threat Name FireEye alert name
host.ip Host IP Address Host IP address
host.name Host Name Host name
file_list File List File list
process_list Process List Process list: Pid (process command line)
event.url Event URL FireEye event URL

Trend Micro Vision One

(trendmicro_visionone)

event.threat.name Threat Name Threat name
event.severity_str Trend Micro Vision One Severity Original Trend Micro Vision One severity level
trendmicro_visionone.workbenchLink Trend Micro Vision One Workbench Link Trend Micro Vision One workbench link
host_list Host(s) Related host(s)
name Host Name Host name
ips Host IP(s) Host IP addresses
process_list Process(es) Related process(es)
file_list File(s) Related file(s)
name File Name File name
path File Path File path
hash.md5 File MD5 Hash File MD5 hash
hash.sha1 File SHA1 Hash File SHA1 hash
hash.sha256 File SHA256 Hash File SHA256 hash
trendmicro_visionone.alertProvider Alert Provider Trend Micro Vision One alert provider
user_list User(s) Related user(s)

Varonis DatAdvantage

(varonis_datadvantage)

event.type Event Type Event type
event.threat.name Threat Name Threat name
event.severity CEF Severity Level Original CEF severity level
user.name User Name User name
file.name File Name File name
file.path File Path File path

VMware Carbon Black Cloud

(carbonblack)

host.name Host Name Computer name
host.external_ip Host External IP Address Host external IP address
host.ip Host Internal IP Address Host internal IP address
process.name Process Name Process name
event.description Event Reason Event reason

Windows Defender Antivirus

(windows_defender_antivirus)

threat Threat Name Threat name
host.name Host Name Computer name
hostip Host IP Address Host IP address
file.path File Path File path
process.name Process Name Process name

Key Fields for Built-in and Rule-Based Alert Types

The Key Fields for built-in alert types and rule-based alert types are documented individually. See the Key Fields and Relevant Data Points for any alert type by its display name in Machine Learning Alert Type Details, or by its XDR event name in Alert Types by XDR Event Name.