Key Fields for Alert Types

There are Key Fields for the following:

Third Party Native Alert Types
Built-in and Rule-Based Alert Types

Key Fields for Third Party Native Alert Types

Stellar Cyber supports third party native alert integration. The Key Fields for third party native alert types are as follows:

Third Party Display Name

Key Field Name

Display Name

Description

Acronis (Antimalware protection)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
acronis_cyber_protect.details.threatName	Acronis Threat Name	Acronis threat name
event.category	Alert Category	Alert category
host.name	Host Name	Host name
event.severity_str	Acronis Severity Level	Acronis severity level
file.name	File Name	File name
file.path	File Path	File path
file.hash.sha1	File SHA1	File SHA1
file.hash.md5	File MD5	File MD5
file.hash.sha256	File SHA256	File SHA256

Acronis (EDR)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
event.category	Alert Category	Alert category
host.name	Host Name	Host name
event.severity_str	Acronis Severity Level	Acronis severity level
acronis_cyber_protect.details.redirectLink	Acronis Alert Redirect Link	Acronis alert redirect link
acronis_cyber_protect.details.verdict	Acronis Alert Verdict	Acronis alert verdict

Acronis (Email security)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
event.category	Alert Category	Alert category
event.severity_str	Acronis Severity Level	Acronis severity level
email.from.address	Email From Address	Email from address
email.subject	Email Subject	Email Subject

Acronis (URL filtering)

(acronis_cyber_protect)

event.threat.name	Alert Type	Alert type
acronis_cyber_protect.details.threatName	Acronis Threat Name	Acronis threat name
event.category	Alert Category	Alert category
host.name	Host Name	Host name
event.severity_str	Acronis Severity Level	Acronis severity level
url	URL	URL
process.pid	Process ID	Process ID
process.executable	Process Path	Process path

AWS GuardDuty

(aws_guardduty)

aws_guardduty.Title	Alert Title	AWS GuardDuty alert title
host_list	Host IP Address(es)	Private IP addresses of the network interfaces of the resource instance
user.name	User Name	User name associated with the access key details of the resource
event.threat.name	Threat Name	Threat name
event.severity	AWS GuardDuty Severity Score	AWS GuardDuty severity score
cloud.resource.type	Cloud Resource Type	Cloud resource type
cloud.resource.id	Cloud Resource ID	Cloud resource ID
cloud.resource.name	Cloud Resource Name	Cloud resource name

Azure AD

(azure_ad_risk_detection)

userDisplayName	User Name	User name
ipAddress	Host IP Address	Host IP address
riskEventType	Event Type	Risk event type

Bitdefender IP

(bitdefender_ip)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
srcip	Source IP	Source IP address

Bitdefender Threat

(bitdefender_threat)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
event.threat.name	Threat Type	Threat type

Bitdefender URL

(bitdefender_url)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
url	URL	URL

Blackberry CylancePROTECT

(cylance_protect)

host.name	Host Name	Computer name
host.ip	Host IP Address	Host IP address
file_name	File Name	File name
file_path	File Path	File path
process_name	Process Name	Process name

CrowdStrike

(crowdstrike)

host.name	Computer Name	Computer name
hostip	Host IP Address	Host IP address
user.name	User Name	User name
file.name	File Name	File name
file.path	File Path	File path
process.command_line	Command Line	Command line

Cybereason

(cybereason)

user_list	User Names	User names
file.name	File Name	File name
process.name	Process Name	Process name
host_list	Host IP Address(es)	Host IP address(es)

Cynet

(cynet)

host.ip	Host IP Address	Host IP address
event.threat.name	Threat Name	Event threat name
file.name	File Name	File name

Deep Instinct

(deepinstinct)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
file.path	File Path	File path
file.file_hash	File Hash	File hash
deep_instinct.action	Event Action	Deep Instinct event action

Google Workspace Alert

(google_workspace_alert)

source	Alert Source	Alert source
type	Alert Type	Alert type
rule.name	Rule Name	Alert rule name
host.ip	Login IP Address	IP address associated with the warning event
data.email	Data Email	Email of the user to which this event belongs
securityInvestigationToolLink	Investigation Tool Link	Google Workspace security investigation tool link
user.id	User ID	User ID

Microsoft Defender for Endpoint

(ms_defender_atp)

host.name	Host Name	Host name
host.ip	Host IP Address	Host IP address
user.name	User Name	User name
user.domain	User Domain	User domain
threat	Threat Name	Threat name
file_list	File List	File list
process_list	Process List	Process list

Microsoft Office 365

(microsoft_365)

event.threat.name	Threat Name	Threat name
event.severity_str	Microsoft 365 Severity Level	Microsoft 365 severity level
event.category	Category	Microsoft 365 alert category
Source	Source	Microsoft 365 alert source
AlertType	Alert Type	Microsoft 365 alert type
event_summary.alert_entity_list	Alert Entity List	Microsoft 365 Alert entity list
username	User Name	User name

Oracle Cloud Infrastructure (OCI) CloudGuard

(oci_cloudguard)

event.type	Problem Type	Problem type
event.threat.name	Threat Name	Threat name
event.severity_str	OCI Severity Level	OCI CloudGuard severity level
cloud.resource.type	Cloud Resource Type	Cloud resource type
cloud.resource.id	Cloud Resource ID	Cloud resource ID
cloud.resource.name	Cloud Resource Name	Cloud resource name
oracle.data.additionalDetails.problemRecommendation	Problem Recommendation	Problem recommendation from OCI

Proofpoint TAP

(proofpoint_tap)

srcip	Source IP Address	Source IP address
email.subject	Email Subject	Email subject
email.sender.address	Sender Address	Email sender address
email.from.address	Sender Address	Email from address
email.recipient.addresses	Recipient Address(es)	Email recipient address(es)
email.to.addresses	To Address(es)	Email to address(es)
email.x_mailer	X-Mailer	X-Mailer content
event.threat_list	Proofpoint Event Threat List	Threat category: Threat artifact
name	Threat Name	Proofpoint threat name
category	Threat Category	Proofpoint threat category
attachment	Threat Attachment	Proofpoint threat attachment
severity	Proofpoint Threat Severity	Proofpoint threat severity
url	Proofpoint Threat URL	Proofpoint threat URL

SentinelOne Cloud

(sentinelone)

host.name	Host Name	Computer name
host.ip	Host IP Address	Host IP address
file.name	File Name	File name
file.path	File Path	File path
process.parent.name	Parent Process Name	Originator process name

Trellix (FireEye) Endpoint Security (AMSI)

(fireeye_amsi)

fireeye.source	Alert Type	FireEye alert source type
event.threat.name	Threat Name	FireEye alert name
event.severity_str	Severity	Severity level
host.ip	Host IP Address	Host IP address
host.name	Host Name	Host name
file_list	File List	File list
process_list	Process List	Process list: Pid (process command line)
event.url	Event URL	FireEye event URL

Trellix (FireEye) Endpoint Security (IOC)

(fireeye_ioc)

fireeye.source	Alert Type	FireEye alert source type
host.ip	Host IP Address	Host IP address
host.name	Host Name	Host name
event.name	Event Name	Event name
file.name	File Name	File name
process.name	Process Name	Process name
event.url	Event URL	FireEye event URL

Trellix (FireEye) Endpoint Security (MAL)

(fireeye_mal)

fireeye.source	Alert Type	FireEye alert source type
event.threat.name	Threat Name	FireEye alert name
fireeye.infection_type	Infection Type	FireEye Infection Type
event.severity_str	FireEye Severity Level	FireEye severity level
host.ip	Host IP Address	Host IP address
host.name	Host IP Address	Host name
file.path	File Path	File path
file.hash.md5	File MD5 Hash	File MD5 hash
file.hash.sha1	File SHA1 Hash	File SHA1 hash
file.hash.sha256	File SHA256 Hash	File SHA256 hash
process.executable	Event Actor Process Path	FireEye event actor process path
process.pid	Event Actor Process Pid	FireEye event actor process Pid
event.url	Event URL	FireEye event URL

Trellix (FireEye) Endpoint Security (PROCGUARD)

(fireeye_procguard)

fireeye.source	Alert Type	FireEye alert source type
event.threat.name	Threat Name	FireEye alert name
host.ip	Host IP Address	Host IP address
host.name	Host Name	Host name
file_list	File List	File list
process_list	Process List	Process list: Pid (process command line)
event.url	Event URL	FireEye event URL

Varonis DatAdvantage

(varonis_datadvantage)

event.type	Event Type	Event type
event.threat.name	Threat Name	Threat name
event.severity	CEF Severity Level	Original CEF severity level
user.name	User Name	User name
file.name	File Name	File name
file.path	File Path	File path

VMware Carbon Black Cloud

(carbonblack)

host.name	Host Name	Computer name
host.external_ip	Host Name	Host external IP address
host.ip	Host Internal IP Address	Host internal IP address
process.name	Process Name	Process name
event.description	Event Reason	Event reason

Windows Defender Antivirus

(windows_defender_antivirus)

threat	Threat Name	Threat name
host.name	Host Name	Computer name
hostip	Host IP Address	Host IP address
file.path	File Path	File path
process.name	Process Name	Process name

Key Fields for Built-in and Rule-Based Alert Types

The Key Fields for built-in alert types and rule-based alert types are documented in individually. See the Key Fields and Relevant Data Points for any alert type by their display name in Machine Learning Alert Type Details or by their XDR event name in Alert Types by XDR Event Name.