
ids.bricata.alerts.all

Introduction

This union table collects the alert logs produced by the Bricata IDS, combining the per-source tables listed below so that alerts from every Bricata source can be queried with one schema.

Source tables

The information displayed is extracted from the following tables:

  • ids.bricata.brocata

  • ids.bricata.burocata

Table structure

These are the columns exposed by the union table. The set is the union of the columns present across the source tables, so a column may exist in the union table even when one source table has no counterpart for it (see the field transformations below):

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| originator | str | orig | |
| host | str | | |
| destination_ip | str | | |
| destination_ipv4 | ip4 | dest_ip | |
| destination_port | str | dest_port | |
| event_type | str | | |
| protocol | str | proto | |
| source_ip | str | | |
| source_ipv4 | ip4 | src_ip | |
| source_port | str | src_port | |
| timestamp | str | | |
| alert_category | str | | |
| alert_revision | int8 | alert_rev | |
| alert_severity | int8 | | |
| alert_signature | str | | |
| alert_signature_id | int8 | | |
| event_format | str | | |
| event_source | str | | |
| event_uuid | str | | |
| sensor_ipv4 | ip4 | | |
| sensor_uuid | str | | |
| source_geo_city_name | str | src_city_name | |
| source_geo_country_name | str | src_country | |
| source_geo_latitude | float8 | src_lat | |
| source_geo_longitude | float8 | src_lon | |
| destination_geo_city_name | str | dst_city_name | |
| destination_geo_country_name | str | dst_country | |
| destination_geo_latitude | float8 | dst_lat | |
| destination_geo_longitude | float8 | dst_lon | |
| bytes_analyzed | str | | |
| connection_uids | str | conn_uids | |
| download | bool | | |
| file_id | str | fid | |
| file_description | str | | |
| file_name | str | filename | |
| md5 | str | | |
| mime_type | str | | |
| bro_protocol | str | bro_proto | |
| recipient_destination_ip | str | | |
| recipient_destination_ipv4 | ip4 | rx_host | |
| recipient_destination_port | str | rx_port | |
| sha1 | str | | |
| stored_as | str | | |
| transfer_protocol | str | transfer_proto | |
| transfer_source_ip | str | | |
| transfer_source_ipv4 | ip4 | tx_host | |
| transfer_source_port | str | tx_port | |
| cause_message | str | CauseMessage | |
| determinant | str | Determinant | |
| parse_status | str | ParseStatus | |
| sha256 | str | SHA256 | |
| sample_format | str | SampleFormat | |
| sample_scoring_activity_version | int8 | SampleScoringActivityVersion | |
| sample_scoring_version | int8 | SampleScoringVersion | |
| score | float8 | Score | |
| status_cause | str | StatusCause | |
| raise_exception_imports | bool | RaiseExceptionImports | |
| os_info_imports | bool | OSInfoImports | |
| debug_check_imports | bool | DebugCheckImports | |
| terminate_process_imports | bool | TerminateProcessImports | |
| codepage_lookup_imports | bool | CodepageLookupImports | |
| hostchain | str | | |
| url | str | | |
| content_type | str | http_content_type | |
| method | str | http_method | |
| user_agent | str | http_user_agent | |
| hostname | str | | |
| json_event | json | jsonEvent | |
| tag | str | | ✓ |

Extra fields

Fields marked as Extra in the tables above (here, tag) are not shown by default in data tables and must be explicitly requested in the query. They are flagged as Extra when you run a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field transformations

Although the source tables share most of their fields, each has particularities that require a set of transformations to harmonize them into the union table. The most common transformations are data type changes (for example, casting a severity stored as text to int8) and rules applied when several source columns feed a single union column. The tables below list the transformations for each source table. A dash in the "Field in source table" column means the source table has no counterpart for that union column, so the column is left empty for events from that source; a literal value (such as false) means the column is filled with that constant.

ids.bricata.brocata

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| originator | originator | | str | |
| host | host | | str | |
| destination_ip | dest_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_port | destination_port | | str | |
| event_type | event_type | | str | |
| protocol | protocol | | str | |
| source_ip | src_ip | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_port | source_port | | str | |
| timestamp | timestamp | | str | |
| alert_category | category | | str | |
| alert_revision | alert_revision | | int8 | |
| alert_severity | severity | int8(severity) | int8 | |
| alert_signature | signature | | str | |
| alert_signature_id | signature_id | int8(signature_id) | int8 | |
| event_format | event_format | | str | |
| event_source | event_source | | str | |
| event_uuid | event_uuid | | str | |
| sensor_ipv4 | sensor_ipv4 | ip4(sensor_ipv4) | ip4 | |
| sensor_uuid | sensor_uuid | | str | |
| source_geo_city_name | source_geo_city_name | | str | |
| source_geo_country_name | source_geo_country_name | | str | |
| source_geo_latitude | source_geo_latitude | | float8 | |
| source_geo_longitude | source_geo_longitude | | float8 | |
| destination_geo_city_name | destination_geo_city_name | | str | |
| destination_geo_country_name | destination_geo_country_name | | str | |
| destination_geo_latitude | destination_geo_latitude | | float8 | |
| destination_geo_longitude | destination_geo_longitude | | float8 | |
| bytes_analyzed | - | | str | |
| connection_uids | connection_uids | | str | |
| download | false | | bool | |
| file_id | file_id | | str | |
| file_description | - | | str | |
| file_name | file_name | | str | |
| md5 | - | | str | |
| mime_type | - | | str | |
| bro_protocol | bro_protocol | | str | |
| recipient_destination_ip | - | | str | |
| recipient_destination_ipv4 | recipient_destination_ipv4 | | ip4 | |
| recipient_destination_port | recipient_destination_port | | str | |
| sha1 | - | | str | |
| stored_as | - | | str | |
| transfer_protocol | transfer_protocol | | str | |
| transfer_source_ip | - | | str | |
| transfer_source_ipv4 | transfer_source_ipv4 | | ip4 | |
| transfer_source_port | transfer_source_port | | str | |
| cause_message | cause_message | | str | |
| determinant | determinant | | str | |
| parse_status | parse_status | | str | |
| sha256 | sha256 | | str | |
| sample_format | sample_format | | str | |
| sample_scoring_activity_version | sample_scoring_activity_version | | int8 | |
| sample_scoring_version | sample_scoring_version | | int8 | |
| score | score | | float8 | |
| status_cause | status_cause | | str | |
| raise_exception_imports | raise_exception_imports | | bool | |
| os_info_imports | os_info_imports | | bool | |
| debug_check_imports | debug_check_imports | | bool | |
| terminate_process_imports | terminate_process_imports | | bool | |
| codepage_lookup_imports | codepage_lookup_imports | | bool | |
| hostchain | hostchain | | str | |
| url | url | | str | |
| content_type | content_type | | str | |
| method | method | | str | |
| user_agent | user_agent | | str | |
| hostname | hostname | | str | |
| json_event | json_event | | json | |
| tag | tag | | str | ✓ |

ids.bricata.burocata

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| originator | originator | | str | |
| host | host | | str | |
| destination_ip | dest_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_port | destination_port | | str | |
| event_type | event_type | | str | |
| protocol | protocol | | str | |
| source_ip | src_ip | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_port | source_port | | str | |
| timestamp | timestamp | | str | |
| alert_category | alert_category | | str | |
| alert_revision | alert_revision | | int8 | |
| alert_severity | alert_severity | | int8 | |
| alert_signature | alert_signature | | str | |
| alert_signature_id | alert_signature_id | | int8 | |
| event_format | event_format | | str | |
| event_source | event_source | | str | |
| event_uuid | event_uuid | | str | |
| sensor_ipv4 | sensor_ipv4 | | ip4 | |
| sensor_uuid | sensor_uuid | | str | |
| source_geo_city_name | source_geo_city_name | | str | |
| source_geo_country_name | source_geo_country_name | | str | |
| source_geo_latitude | source_geo_latitude | | float8 | |
| source_geo_longitude | source_geo_longitude | | float8 | |
| destination_geo_city_name | destination_geo_city_name | | str | |
| destination_geo_country_name | destination_geo_country_name | | str | |
| destination_geo_latitude | destination_geo_latitude | | float8 | |
| destination_geo_longitude | destination_geo_longitude | | float8 | |
| bytes_analyzed | bytes_analyzed | | str | |
| connection_uids | connection_uids | | str | |
| download | download | | bool | |
| file_id | file_id | | str | |
| file_description | file_description | | str | |
| file_name | file_name | | str | |
| md5 | md5 | | str | |
| mime_type | mime_type | | str | |
| bro_protocol | bro_protocol | | str | |
| recipient_destination_ip | rx_host | | str | |
| recipient_destination_ipv4 | recipient_destination_ipv4 | | ip4 | |
| recipient_destination_port | recipient_destination_port | | str | |
| sha1 | sha1 | | str | |
| stored_as | stored_as | | str | |
| transfer_protocol | transfer_protocol | | str | |
| transfer_source_ip | tx_host | | str | |
| transfer_source_ipv4 | transfer_source_ipv4 | | ip4 | |
| transfer_source_port | transfer_source_port | | str | |
| cause_message | cause_message | | str | |
| determinant | determinant | | str | |
| parse_status | parse_status | | str | |
| sha256 | sha256 | | str | |
| sample_format | sample_format | | str | |
| sample_scoring_activity_version | sample_scoring_activity_version | | int8 | |
| sample_scoring_version | sample_scoring_version | | int8 | |
| score | score | | float8 | |
| status_cause | status_cause | | str | |
| raise_exception_imports | raise_exception_imports | | bool | |
| os_info_imports | os_info_imports | | bool | |
| debug_check_imports | debug_check_imports | | bool | |
| terminate_process_imports | terminate_process_imports | | bool | |
| codepage_lookup_imports | codepage_lookup_imports | | bool | |
| hostchain | - | | str | |
| url | - | | str | |
| content_type | content_type | | str | |
| method | method | | str | |
| user_agent | user_agent | | str | |
| hostname | - | | str | |
| json_event | json_event | | json | |
| tag | tag | | str | ✓ |
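The following is an added example, not code from Devo or Bricata, that models the behaviour described in the Extra fields and Field transformations sections above: two raw events, one from each source table, are mapped onto the union schema using the documented source-field names, the dash rows (column left empty), the constant fill for download in ids.bricata.brocata, the int8 and ip4 casts, and the Extra flag on tag. Only a representative subset of the union columns is modelled, the sample events are constructed, and the severity ordering used by high_severity (lower number is higher priority, the Suricata convention) is an assumption not stated on this page.

```python
"""Added example: a small model of how events from the two source tables are
harmonized into ids.bricata.alerts.all. It is not Devo's or Bricata's code; it
encodes the mappings from the transformation tables for a representative
subset of columns. Sample events are constructed for illustration."""
import ipaddress

# Union column -> union type, taken from the "Table structure" section.
UNION_TYPES = {
    "source_ip": "str", "source_ipv4": "ip4",
    "destination_ip": "str", "destination_ipv4": "ip4",
    "alert_category": "str", "alert_severity": "int8",
    "alert_signature": "str", "alert_signature_id": "int8",
    "sensor_ipv4": "ip4", "download": "bool", "md5": "str",
    "hostname": "str", "tag": "str",
}

# Union column -> source column per source table. None models the "-" rows
# (no counterpart, column left empty); a literal (False) models the constant
# fill shown for download in ids.bricata.brocata.
SOURCE_FIELDS = {
    "ids.bricata.brocata": {
        "source_ip": "src_ip", "source_ipv4": "source_ipv4",
        "destination_ip": "dest_ip", "destination_ipv4": "destination_ipv4",
        "alert_category": "category", "alert_severity": "severity",
        "alert_signature": "signature", "alert_signature_id": "signature_id",
        "sensor_ipv4": "sensor_ipv4", "download": False, "md5": None,
        "hostname": "hostname", "tag": "tag",
    },
    "ids.bricata.burocata": {
        "source_ip": "src_ip", "source_ipv4": "source_ipv4",
        "destination_ip": "dest_ip", "destination_ipv4": "destination_ipv4",
        "alert_category": "alert_category", "alert_severity": "alert_severity",
        "alert_signature": "alert_signature",
        "alert_signature_id": "alert_signature_id",
        "sensor_ipv4": "sensor_ipv4", "download": "download", "md5": "md5",
        "hostname": None, "tag": "tag",
    },
}

# Columns flagged "Extra" on the page: hidden unless explicitly requested.
EXTRA_COLUMNS = {"tag"}


def cast(value, union_type):
    """Coerce a source value to the union column type (the int8(severity),
    int8(signature_id) and ip4(sensor_ipv4) casts in the tables). Empty stays
    empty; a malformed IPv4 string raises ValueError instead of passing through."""
    if value is None:
        return None
    if union_type == "int8":
        return int(value)
    if union_type == "bool":
        return value if isinstance(value, bool) else str(value).lower() == "true"
    if union_type == "ip4":
        return str(ipaddress.IPv4Address(value))
    return str(value)


def harmonize(source_table, event, include_extra=False):
    """Map one raw source event onto the union schema."""
    row = {}
    for column, source in SOURCE_FIELDS[source_table].items():
        if column in EXTRA_COLUMNS and not include_extra:
            continue
        if source is None:
            value = None            # "-" row: no counterpart in this source
        elif isinstance(source, bool):
            value = source          # constant fill (download = false)
        else:
            value = event.get(source)
        row[column] = cast(value, UNION_TYPES[column])
    return row


# Constructed sample events, one per source table (not real Bricata output).
BROCATA_EVENT = {
    "src_ip": "10.0.0.5", "source_ipv4": "10.0.0.5",
    "dest_ip": "203.0.113.7", "destination_ipv4": "203.0.113.7",
    "category": "Attempted Administrator Privilege Gain", "severity": "1",
    "signature": "constructed test signature A", "signature_id": "9000001",
    "sensor_ipv4": "192.0.2.10", "hostname": "sensor-01",
    "tag": "ids.bricata.brocata",
}
BUROCATA_EVENT = {
    "src_ip": "10.0.0.9", "source_ipv4": "10.0.0.9",
    "dest_ip": "198.51.100.3", "destination_ipv4": "198.51.100.3",
    "alert_category": "Potentially Bad Traffic", "alert_severity": 2,
    "alert_signature": "constructed test signature B",
    "alert_signature_id": 9000002, "sensor_ipv4": "192.0.2.11",
    "download": "true", "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "tag": "ids.bricata.burocata",
}


def union_rows(include_extra=False):
    """The union table view of both sample events."""
    return [
        harmonize("ids.bricata.brocata", BROCATA_EVENT, include_extra),
        harmonize("ids.bricata.burocata", BUROCATA_EVENT, include_extra),
    ]


def high_severity(rows, max_severity=1):
    """Filter on the harmonized int8 column. Assumes the Suricata convention
    that a lower severity number means higher priority (1 = highest)."""
    return [r for r in rows if r["alert_severity"] is not None
            and r["alert_severity"] <= max_severity]


if __name__ == "__main__":
    for row in union_rows(include_extra=True):
        print(row)
    print("high severity:", [r["alert_signature_id"] for r in high_severity(union_rows())])
```

The point of casting at harmonization time is that a severity stored as the text "1" in one source and the integer 2 in the other compare correctly once both are int8; filtering on the raw source columns would silently mix string and numeric comparisons. Rejecting a malformed sensor_ipv4 at the ip4 cast, rather than storing it as text, keeps the union column queryable by IP range.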