...
| Field | Data type | Description |
|---|---|---|
| alertHost | str | Internal Devo component related to alert dispatching. |
| domain | str | Devo domain to which the alert belongs. |
| priority | float | Priority level assigned to the alert, represented as a numerical value: 0 → Very low, 3 → Low, 5 → Normal, 7 → High, 10 → Very high. Note (Devo alert priorities vs SecOps alert priorities): these priority levels do not correspond to the ones used in the Security Operations application. |
| context | str | Contextualization of the alert, resulting from a combination of its category, domain and name. Info (special characters in the alert name): alert names are normalized upon creation, replacing all special (non-alphanumeric) characters with underscores (_). |
| category | str | Deprecated field: information is not provided in this field anymore. |
| alertId | str | Unique ID assigned to the alert when triggered. |
| status | int | Condition of the triggered alert within its life cycle, represented as a numerical value: 0 → Unread, 1 → Updated, 2 → False positive, 100 → Watched, 300 → Closed. |
| srcIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| srcPort | int | Deprecated field: information is not provided in this field anymore. |
| srcHost | str | Deprecated field: information is not provided in this field anymore. |
| dstIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| dstPort | int | Deprecated field: information is not provided in this field anymore. |
| dstHost | str | Deprecated field: information is not provided in this field anymore. |
| protocol | str | Deprecated field: information is not provided in this field anymore. |
| username | str | User who created the alert definition. |
| application | str | Deprecated field: information is not provided in this field anymore. |
| engine | str | Deprecated field: information is not provided in this field anymore. |
| extraData | str | Information extracted from different fields to indicate the conditions that triggered the alert. |
| AlertContextSubscription | int | Deprecated field: information is not provided in this field anymore. |
| Alertcreationdate | timestamp | Exact date on which the specified alert conditions were met and the alert was triggered. It may show a slight delay relative to eventdate (the date on which the event was registered in the Devo table). |
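The following is an added example (not Devo code) that decodes rows of the triggered-alert table above into analyst-readable form: it maps the numeric priority and status codes to their documented names, applies the documented alert-name normalization, measures the delay between eventdate and Alertcreationdate, and warns when a row violates the documented schema (a deprecated field carrying data, or an undocumented priority or status value). It assumes rows arrive as dicts keyed by the field names in the table, that timestamps are ISO 8601 strings, and that "alphanumeric" means ASCII letters and digits; the sample rows are constructed, not real Devo output.

```python
"""Decode rows of the Devo triggered-alert table (added example, not Devo code)."""
import re
from datetime import datetime

# Numeric codes documented for the priority and status fields.
PRIORITY_NAMES = {0: "Very low", 3: "Low", 5: "Normal", 7: "High", 10: "Very high"}
STATUS_NAMES = {0: "Unread", 1: "Updated", 2: "False positive", 100: "Watched", 300: "Closed"}

# Fields the table marks as deprecated: they should arrive empty.
DEPRECATED_FIELDS = ("category", "srcIp", "srcPort", "srcHost", "dstIp", "dstPort",
                     "dstHost", "protocol", "application", "engine",
                     "AlertContextSubscription")


def normalize_alert_name(name):
    """Replace every non-alphanumeric character with '_' (the documented rule).
    Assumption: only ASCII letters and digits count as alphanumeric."""
    return re.sub(r"[^0-9A-Za-z]", "_", name)


def priority_label(value):
    """Map the float priority to its name. Values outside the documented set are
    reported as unknown rather than rounded to a neighbour. These are Devo alert
    priorities; they are not Security Operations priorities."""
    try:
        as_float = float(value)
    except (TypeError, ValueError):
        return "unknown"
    code = int(as_float)
    if code != as_float:  # e.g. 7.5 is not a documented level
        return "unknown"
    return PRIORITY_NAMES.get(code, "unknown")


def status_label(code):
    return STATUS_NAMES.get(code, "unknown")


def trigger_delay_seconds(row):
    """Seconds between the event being stored (eventdate) and the alert being
    created (Alertcreationdate). Assumes ISO 8601 timestamps."""
    event = datetime.fromisoformat(row["eventdate"])
    created = datetime.fromisoformat(row["Alertcreationdate"])
    return (created - event).total_seconds()


def decode_alert(row):
    """Return a readable summary plus warnings for schema violations."""
    warnings = []
    populated = [f for f in DEPRECATED_FIELDS if row.get(f) not in (None, "", 0)]
    if populated:
        warnings.append("deprecated fields populated: " + ", ".join(populated))
    prio = priority_label(row.get("priority"))
    if prio == "unknown":
        warnings.append("undocumented priority value: %r" % (row.get("priority"),))
    status = status_label(row.get("status"))
    if status == "unknown":
        warnings.append("undocumented status code: %r" % (row.get("status"),))
    return {
        "alertId": row.get("alertId"),
        "domain": row.get("domain"),
        "priority": prio,
        "status": status,
        "delay_s": trigger_delay_seconds(row),
        "warnings": warnings,
    }


# Constructed sample rows (not real Devo output).
SAMPLE_ROWS = [
    {"eventdate": "2024-03-05T10:15:02", "Alertcreationdate": "2024-03-05T10:15:03.250",
     "alertHost": "backoffice", "domain": "acme", "priority": 7.0, "status": 0,
     "alertId": "a1", "extraData": "{}"},
    # A malformed row: deprecated srcIp carries data, priority and status are undocumented.
    {"eventdate": "2024-03-05T10:20:00", "Alertcreationdate": "2024-03-05T10:20:00",
     "alertHost": "backoffice", "domain": "acme", "priority": 7.5, "status": 42,
     "alertId": "a2", "srcIp": "10.0.0.5", "extraData": "{}"},
]

if __name__ == "__main__":
    print(normalize_alert_name("Brute force: SSH (prod)"))
    for r in SAMPLE_ROWS:
        print(decode_alert(r))
```

Because priorities are stored as floats, the decoder compares the integer and float forms rather than rounding, so a value such as 7.5 is surfaced as undocumented instead of being silently read as "High".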
...
| Field | Data type | Description |
|---|---|---|
| alertHost | str | Internal Devo component related to alert dispatching. |
| errorCode | str | Explanation of the reason why the alert was not triggered. The most common are: |
| domain | str | Domain to which the alert belongs. |
| priority | float | Priority level assigned to the alert, represented as a numerical value: 0 → Very low, 3 → Low, 5 → Normal, 7 → High, 10 → Very high. |
| context | str | Contextualization of the alert, resulting from a combination of its category, domain and name. Info (special characters in the alert name): alert names are normalized upon creation, replacing all special (non-alphanumeric) characters with underscores (_). |
| category | str | Deprecated field: information is not provided in this field anymore. |
| status | int | Condition of the triggered alert within its life cycle, represented as a numerical value: 0 → Unread, 1 → Updated, 2 → False positive, 100 → Watched, 300 → Closed. |
| alertId | str | Unique ID assigned to the alert when triggered. |
| srcIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| srcPort | int | Deprecated field: information is not provided in this field anymore. |
| srcHost | str | Deprecated field: information is not provided in this field anymore. |
| dstIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| dstPort | int | Deprecated field: information is not provided in this field anymore. |
| dstHost | str | Deprecated field: information is not provided in this field anymore. |
| protocol | str | Deprecated field: information is not provided in this field anymore. |
| username | str | User who created the alert definition. |
| application | str | Deprecated field: information is not provided in this field anymore. |
| engine | str | Internal Devo component related to alert dispatching. |
| extraData | str | Information extracted from different fields to indicate the conditions that triggered the alert. |
| AlertContextSubscription | int | Deprecated field: information is not provided in this field anymore. |
| Alertcreationdate | timestamp | Exact date on which the specified alert conditions were met but no alert was triggered because of an error. It may show a slight delay relative to eventdate (the date on which the error event was registered in the Devo table). |
...
| Field | Data type | Description |
|---|---|---|
| actiondate | timestamp | Date of the action performed. |
| Id | str | Unique ID automatically assigned to the alert when defined. |
| name | str | Name assigned to the alert when defined. |
| action | str | The action carried out, which can be one of the following: CREATE, EDIT, ENABLE, DISABLE, DELETE. |
| username | str | User who performed the action. Info (admin.alerts@devo.com): this user represents an internal entity responsible for enabling, disabling, or deleting alerts as an automatic or semi-automatic response to specific events. These events typically involve retries after failures, errors requiring immediate action to ensure proper functioning, or situations that activate internal defense mechanisms. |
| info | json | Detailed information about the alert definition settings whenever it is created or edited (name, description, subcategory, ID, triggering method, priority, etc.). When the action is ENABLE, DISABLE or DELETE, this field is empty. See siem.logtrust.alert.info for the meaning of numerical values in fields such as priority. |
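The following is an added example (not Devo code) of auditing the alert-definition action log above for changes that erode detection coverage: a human DISABLE or DELETE of a definition, an EDIT that lowers a definition's priority, repeated automatic disables of the same definition by the documented internal user admin.alerts@devo.com (which signals a rule that keeps failing), and rows whose info field contradicts the documented rule (empty on CREATE/EDIT, populated on ENABLE/DISABLE/DELETE). It assumes rows are dicts keyed by the table's field names, that actiondate is an ISO 8601 string, and that the info JSON carries the priority under a key named "priority" (the page lists priority among the contents of info but not the key name); the sample rows are constructed.

```python
"""Audit Devo alert-definition actions (added example, not Devo code)."""
import json
from collections import defaultdict

INTERNAL_USER = "admin.alerts@devo.com"    # documented internal entity
COVERAGE_REDUCING = {"DISABLE", "DELETE"}


def audit_definition_actions(rows):
    """Walk the actions in time order and return a list of findings, each a dict
    with the rule that fired and the row's Id, name, username and actiondate."""
    findings = []
    last_priority = {}                  # Id -> last priority seen in info
    auto_disables = defaultdict(int)    # Id -> DISABLE count by the internal user

    def flag(rule, row):
        findings.append({"rule": rule, "Id": row["Id"], "name": row["name"],
                         "username": row["username"], "actiondate": row["actiondate"]})

    for row in sorted(rows, key=lambda r: r["actiondate"]):
        action, user, alert_id = row["action"], row["username"], row["Id"]
        info = json.loads(row["info"]) if row.get("info") else {}

        if action in ("CREATE", "EDIT"):
            if not info:
                flag("missing_definition_info", row)   # doc: info is filled here
            prio = info.get("priority")                # assumed key name
            prev = last_priority.get(alert_id)
            if prev is not None and prio is not None and prio < prev:
                flag("priority_downgrade", row)
            if prio is not None:
                last_priority[alert_id] = prio
            continue

        if info:
            flag("unexpected_info_payload", row)       # doc: info is empty here
        if action not in COVERAGE_REDUCING:
            continue                                   # ENABLE restores coverage
        if user != INTERNAL_USER:
            flag("manual_" + action.lower(), row)      # a person removed coverage
        elif action == "DISABLE":
            auto_disables[alert_id] += 1
            if auto_disables[alert_id] >= 2:
                flag("repeated_automatic_disable", row)
    return findings


# Constructed sample rows (not real Devo output).
SAMPLE_ACTIONS = [
    {"actiondate": "2024-03-05T09:00:00", "Id": "def-1", "name": "ssh_bruteforce",
     "action": "CREATE", "username": "analyst@example.com",
     "info": json.dumps({"name": "ssh_bruteforce", "priority": 7})},
    {"actiondate": "2024-03-05T09:30:00", "Id": "def-1", "name": "ssh_bruteforce",
     "action": "EDIT", "username": "analyst@example.com",
     "info": json.dumps({"name": "ssh_bruteforce", "priority": 3})},
    {"actiondate": "2024-03-05T10:00:00", "Id": "def-1", "name": "ssh_bruteforce",
     "action": "DISABLE", "username": INTERNAL_USER, "info": ""},
    {"actiondate": "2024-03-05T10:05:00", "Id": "def-1", "name": "ssh_bruteforce",
     "action": "ENABLE", "username": INTERNAL_USER, "info": ""},
    {"actiondate": "2024-03-05T10:10:00", "Id": "def-1", "name": "ssh_bruteforce",
     "action": "DISABLE", "username": INTERNAL_USER, "info": ""},
    {"actiondate": "2024-03-05T11:00:00", "Id": "def-2", "name": "admin_login_off_hours",
     "action": "DELETE", "username": "contractor@example.com", "info": ""},
]

if __name__ == "__main__":
    for finding in audit_definition_actions(SAMPLE_ACTIONS):
        print(finding)
```

Actions by admin.alerts@devo.com are treated as automated responses rather than operator decisions, so a single automatic DISABLE is not flagged; it becomes a finding only when the same definition is disabled again, which is the pattern the page describes for retries after failures.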
...
This table holds detailed information about all alerts triggered in the current domain and the changes they undergo. The fields included in this table are listed below with a brief explanation.

| Field | Data type | Description |
|---|---|---|
| hostname | str | Domain where the alert was triggered. |
| actiondate | timestamp | Date of the action performed. |
| Id | str | Unique ID automatically assigned to the alert when defined. |
| name | str | Name assigned to the alert when defined. |
| action | str | The action carried out, which can be one of the following: EDIT STATUS, EDIT PRIORITY, DELETE, CREATE COMMENT, REPLY COMMENT, UPDATE COMMENT, DELETE COMMENT. |
| username | str | User who performed the action. |
| info | json | Whenever a triggered alert is modified, the information related to the change is collected and displayed here to indicate the new values assigned. The displayed values depend on the action (indicated in the action field): Edit status: status code and the corresponding status name. Edit priority: numeric values (see siem.logtrust.alert.info for their meaning). Deletion: empty. Comments: type of comment (ALERT for a new comment vs REPLY), content of the message, ID assigned to the comment, and other IDs relating it to alerts and other comments. |