Thirdparty Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Data Lake Search shows only searchable fields.
Note
This schema displays as thirdpartyalert in the Custom Parsers UI in XDR.
Thirdparty
| Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record. |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| visibility | Visibility | visibility$ | Constraints on visibility of the record |
| normalizer | string | normalizer$ | Name & version of normalizer that created this record |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3 |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID: unique identifier for the host where the event originated, preferably a UUID. Internal: leveraged by assets-v2 |
| sensor_version | string | sensorVersion$ | The agent version as a string. (Indexes don't line up with the base event because of existing field definitions.) |
| normalizer_version | string | normalizerVersion$ | The normalizer version (git tag) |
| normalizer_revision | string | normalizerRevision$ | The normalizer revision (git commit hash) |
| created_time_usec | uint64 | createdTimeUsec$ | Alert creation time |
| closed_time_usec | uint64 | closedTimeUsec$ | Alert closed time |
| updated_time_usec | uint64 | updatedTimeUsec$ | Time at which the alert was last updated |
| first_event_time_usec | uint64 | firstEventTimeUsec$ | Time at which the event that caused this alert was first observed. |
| last_event_time_usec | uint64 | lastEventTimeUsec$ | Time at which the last event that caused this alert was observed |
| summary | string | summary$ | Description of the third party alert |
| title | string | title$ | Title of the alert, shortened form of description available in alert title |
| severity | Thirdparty.AlertSeverity | severity$ | Alert severity normalized to third party alert severity. |
| vendor_severity | string | vendorSeverity$ | Alert severity preserved as the raw value on the schema. This preserves the vendor's own severity indicator and allows event filters to be written against it. |
| confidence | string | confidence$ | Confidence of the alert logic (generally a percentage between 1-100, but can be anything) |
| status | string | status$ | Alert lifecycle status, such as unknown, newAlert, inProgress, resolved, etc. |
| user_principal_name | string | userPrincipalName$ | User sign-in name |
| source_user_name | string | sourceUserName$ | Account from which the alert was generated |
| target_user_name | string | targetUserName$ | Account for which the alert was generated |
| domain_name | string | domainName$ | Domain of user account |
| protocol | uint32 | protocol$ | Network protocol, with possible values such as tcp, udp, icmp, etc. |
| direction | Thirdparty.Direction | direction$ | Network connection direction. Possible values are: unknown, inbound, outbound. |
| action | Thirdparty.Action | action$ | How the threat was handled. Possible values are: action_unknown, attempted, succeeded, blocked, failed. |
| risk_score | float | riskScore$ | Provider generated/calculated risk score. Recommended value range of 0-1, which equates to a percentage. |
| log_type | string | logType$ | Vendor provided definition of the log type |
| destination_service_name | string | destinationServiceName$ | The destination cloud app or service name of the alert |
| destination_service_class | string | destinationServiceClass$ | The classification of the destination cloud app or service name of the alert |
| destination_url | string | destinationUrl$ | The destination URL provided by the alert producer |
| user_agent | string | userAgent$ | The user-agent string used in the request |
| alert_id | string | alertId$ | Unique identifier of the alert object |
| source_user_id | string | sourceUserId$ | Account ID from which the alert was generated |
| target_user_id | string | targetUserId$ | Account ID for which the alert was generated |
| destination_mac | string | destinationMac$ | Destination MAC address for which the alert was generated |
| source_mac | string | sourceMac$ | Source MAC address for which the alert was generated |
| target_host_name | string | targetHostName$ | Target host name for which the alert was generated |
| target_host | HostPart | targetHost$ | Standardized format for target_host_name |
| source_host_name | string | sourceHostName$ | Source host name for which the alert was generated |
| source_host | HostPart | sourceHost$ | Standardized format for source_host_name |
| is_custom_alert | NullableBoolean | isCustomAlert$ | True when the detection reflects customer or tenant logic: wholly custom rules or indicators, or vendor-supplied templates, content packs, or building blocks that the tenant instantiated or materially configured (for example policies, named rule instances, thresholds, or scope). False when the alert is produced solely by vendor-default, uniformly deployed detection without meaningful per-tenant logic. Unknown when provenance cannot be determined from the source. |
| is_generated | NullableBoolean | isGenerated$ | Indicates whether the alert is from programmatically generated data ("true") or from material telemetry ("false") |
| action_reason | string | actionReason$ | A reason supplied by the actioning device for the action taken |
| device_location | string | deviceLocation$ | A label that indicates the logical location of the device that produced the log, for example "Build A Devices" |
| user_location | string | userLocation$ | A label that indicates the logical location of the user contained in the log or of the user that produced the action contained in the log, for example "Traveling worker" |
| alert_category | string | alertCategory$ | A vendor-provided general categorization to classify alerts into broad categories such as "Threat", "Policy Violation", "Operational Issue", etc. This differs from log_type, which is a vendor-provided definition of the log type, and ontology, which is a more specific and formal category of the alert based on domain knowledge |
| target_os | OperatingSystem | targetOs$ | Operating system, architecture of the target of the alert |
| source_user_type | string | sourceUserType$ | Type of the audited user, categorized by the alert provider |
| vendor | string | vendor$ | Name of the alert vendor (for example, Microsoft, Dell, FireEye). |
| provider | string | provider$ | Specific provider (product/service - not vendor company); for example, WindowsDefenderATP. |
| sub_provider | string | subProvider$ | Specific sub provider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
| provider_version | string | providerVersion$ | Version of the provider or sub provider, if it exists, that generated the alert. |
| ontology | string | ontology$ | Category of the alert (for example, credential theft, ransomware, UnfamiliarLocation, UnauthorizedAccess:S3/TorIPCaller etc.). |
| additional_data | KeyValuePairsIndexed | additionalData$ | Additional interesting data for a given alert in key-value pairs |
| source_address | string | sourceAddress$ | Information provided by the alert provider about the source ip |
| destination_address | string | destinationAddress$ | Information provided by the alert provider about the destination ip. |
| source_port | uint32 | sourcePort$ | TCP/UDP source port |
| destination_port | uint32 | destinationPort$ | TCP/UDP destination port |
| src_ipgeo_summary | GeoSummary | srcIpgeoSummary$ | The geographic location of the source IP |
| dest_ipgeo_summary | GeoSummary | destIpgeoSummary$ | The geographic location of the destination IP |
| vendor_src_ipgeo_summary | GeoSummary | vendorSrcIpgeoSummary$ | The geographic srcip location provided by the alert producer |
| vendor_dst_ipgeo_summary | GeoSummary | vendorDstIpgeoSummary$ | The geographic dstip location provided by the alert producer |
| session_id | string | sessionId$ | An identifier for the communication channel between two devices or applications across the network. |
Note
When is_custom_alert is true:
- Detection severity is not altered.
- The detections produced by these events bypass the MDR service queue and are delivered directly to the tenant as custom detections for self-service, because they fall outside the Taegis MDR service scope.
Thirdparty.Evidence
| Field | Type | Parser Field | Description |
|---|---|---|---|
| evidence_id | string | evidenceId$ | A unique identifier of the evidence object (used for deduplication) |
| source_data | KeyValuePairsIndexed | sourceData$ | A copy of the attributes of the source evidence object |
Thirdparty.ThreatIntelligenceIndicators
| Field | Type | Parser Field | Description |
|---|---|---|---|
| type | string | type$ | Type of TI, e.g. IP address, email address, URL, hash, malware, etc. |
| value | string | value$ | Raw value of the TI indicator, e.g. 1.1.1.1 or FAKEURL.COM |
| category | string | category$ | Category of the TI provided by the threat identifier, representing a grouping based on shared characteristics or attributes of the threat indicators, facilitating the organization and understanding of the types of threats. |
| last_observation_time_usec | uint64 | lastObservationTimeUsec$ | Timestamp of when the TI was last curated. |
| source | string | source$ | Human-readable source of the TI data, e.g. "Microsoft TIC" |
| source_url | string | sourceUrl$ | URL that provides information about the TI |
| family | string | family$ | Provider-generated malware family (for example, 'wannacry', 'notpetya', etc.). |
| classification | string | classification$ | Classification of the TI provided by the threat identifier, referring to the systematic arrangement in classes or groups based on established criteria, which aids in the assignment of threat indicators to specific classes within a classification system, reflecting their severity, urgency, or potential impact. |
Thirdparty.Vulnerabilities
| Field | Type | Parser Field | Description |
|---|---|---|---|
| cvss | string | cvss$ | Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerability. |
| cve | string | cve$ | Common Vulnerabilities and Exposures (CVE) for the vulnerability. |
Thirdparty.Action
| Name | Number | Description |
|---|---|---|
| ACTION_UNKNOWN | 0 | |
| ATTEMPTED | 1 | |
| SUCCEEDED | 2 | |
| BLOCKED | 3 | |
| FAILED | 4 | |
Thirdparty.AlertSeverity
| Name | Number | Description |
|---|---|---|
| UNKNOWN_SEVERITY | 0 | |
| INFO | 1 | |
| LOW | 2 | |
| MEDIUM | 3 | |
| HIGH | 4 | |
| CRITICAL | 5 | |
Thirdparty.Direction
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | unused but required for proto3 |
| INBOUND | 1 | Inbound network connection |
| OUTBOUND | 2 | Outbound network connection |
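The following is an added example, not code from the Taegis documentation or the XDR custom parser itself. It shows how a raw vendor alert might be normalized into the Thirdparty schema fields listed above: string fields are copied only when the corresponding field exists in the original data (the rule stated in the note at the top of this page), the vendor's raw severity is preserved in vendor_severity while severity is mapped onto the Thirdparty.AlertSeverity numbers, action and direction are mapped onto their enum tables with unmapped values falling to the 0 entry, and is_custom_alert is treated as a NullableBoolean with an unknown state. The vendor field names, the vendor vocabularies in the mapping tables, and the sample alert are all constructed for the example.

```python
"""Illustrative normalization of a vendor alert into Thirdparty schema fields.

Assumptions (not from the schema page): the raw alert is a JSON document with
constructed vendor field names, and the normalized record is a plain dict keyed
by the schema's snake_case field names. The enum numbers are taken from the
Thirdparty.AlertSeverity, Thirdparty.Action and Thirdparty.Direction tables.
"""
import json
from enum import IntEnum


class AlertSeverity(IntEnum):  # Thirdparty.AlertSeverity
    UNKNOWN_SEVERITY = 0
    INFO = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


class Action(IntEnum):  # Thirdparty.Action
    ACTION_UNKNOWN = 0
    ATTEMPTED = 1
    SUCCEEDED = 2
    BLOCKED = 3
    FAILED = 4


class Direction(IntEnum):  # Thirdparty.Direction
    UNKNOWN = 0
    INBOUND = 1
    OUTBOUND = 2


# Constructed vendor vocabularies -> schema enums (hypothetical, for the example).
SEVERITY_MAP = {"informational": AlertSeverity.INFO, "low": AlertSeverity.LOW,
                "medium": AlertSeverity.MEDIUM, "high": AlertSeverity.HIGH,
                "critical": AlertSeverity.CRITICAL}
ACTION_MAP = {"detected": Action.ATTEMPTED, "allowed": Action.SUCCEEDED,
              "prevented": Action.BLOCKED, "error": Action.FAILED}
DIRECTION_MAP = {"in": Direction.INBOUND, "out": Direction.OUTBOUND}

# (constructed vendor key, schema field) pairs copied verbatim as strings.
FIELD_MAP = [("id", "alert_id"), ("name", "title"), ("description", "summary"),
             ("src_ip", "source_address"), ("dst_ip", "destination_address"),
             ("user", "user_principal_name"), ("category", "alert_category"),
             ("url", "destination_url")]


def to_nullable_bool(value):
    """NullableBoolean: True/False when the source says so, None when unknown."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        if value.lower() in ("true", "yes"):
            return True
        if value.lower() in ("false", "no"):
            return False
    return None


def to_usec(epoch_seconds):
    """Schema times are microseconds; vendors commonly emit epoch seconds."""
    return int(epoch_seconds) * 1_000_000


def normalize(raw_json, provider):
    """Return a dict holding only the schema fields the original data supports."""
    raw = json.loads(raw_json)
    rec = {"original_data": raw_json, "provider": provider}
    for src, dst in FIELD_MAP:
        if raw.get(src) not in (None, ""):  # absent in original -> not populated
            rec[dst] = str(raw[src])
    if "severity" in raw:
        rec["vendor_severity"] = str(raw["severity"])  # raw value kept for filters
        rec["severity"] = SEVERITY_MAP.get(rec["vendor_severity"].lower(),
                                           AlertSeverity.UNKNOWN_SEVERITY)
    if "action" in raw:
        rec["action"] = ACTION_MAP.get(str(raw["action"]).lower(), Action.ACTION_UNKNOWN)
    if "direction" in raw:
        rec["direction"] = DIRECTION_MAP.get(str(raw["direction"]).lower(), Direction.UNKNOWN)
    if "event_time" in raw:
        rec["event_time_usec"] = to_usec(raw["event_time"])
    for src, dst in (("src_port", "source_port"), ("dst_port", "destination_port")):
        if src in raw:
            rec[dst] = int(raw[src])
    if "custom_rule" in raw:  # provenance stated by the source; None means unknown
        rec["is_custom_alert"] = to_nullable_bool(raw["custom_rule"])
    return rec


# Constructed sample alert using RFC 5737 documentation addresses.
SAMPLE_ALERT = json.dumps({
    "id": "alrt-0001", "name": "Suspicious login", "severity": "High",
    "action": "prevented", "direction": "in", "src_ip": "198.51.100.23",
    "dst_ip": "192.0.2.10", "src_port": 51514, "dst_port": 443,
    "event_time": 1700000000, "custom_rule": "yes", "user": "alice@example.com",
})

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_ALERT, "ExampleProvider"), indent=2))
```

The record deliberately omits destination_url, summary and alert_category because the sample alert carries no such fields; in XDR those schema fields would likewise stay empty and unsearchable for that event. An unrecognized vendor severity still lands in the record as vendor_severity, so an event filter can be written against the raw value even when the normalized severity is UNKNOWN_SEVERITY.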