# Alert

The Alert model defines the structure of the documents stored in Assemblyline's alert index. Each field in the tables below is an attribute of an alert document, described by its data type, its meaning, whether it is required, and its default value. Compound types (ALResults, Attack, File, and so on) are documented in their own sections further down.

Knowing the schema is what lets you write precise Lucene queries against the alert index, in the UI or through the API: the field names below are the names you search on, nested fields are addressed with dot notation (for example `al.score`, `file.sha256`, `attack.category`), and the enum values listed are the only values those fields can hold. That is enough to isolate alerts by indicator, heuristic or YARA match, ATT&CK mapping, score, status, and time.
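To make the link between the schema and queries concrete, here is an added example (not Assemblyline's code and not part of this page) that composes alert-index queries from the field names and enum values above. It assumes the standard Lucene query-parser syntax as accepted by Elasticsearch (quoted phrases, `[x TO *]` ranges, ISO-8601 timestamps), which Assemblyline's search is assumed to pass through; the indicator and threshold values are constructed. The part worth copying into anything that takes analyst or API input is `phrase()`: the value is quoted and its `"` and `\` are escaped, so a string such as `foo" OR status:*` stays a literal instead of widening the query.

```python
"""Compose Lucene queries for the Assemblyline alert index.

Added example, not Assemblyline's code or part of the schema page: it only uses
the field names and enum values from the Alert schema above. Range and date
syntax is the standard Lucene query-parser form accepted by Elasticsearch,
which Assemblyline's search is assumed to pass through unchanged.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Enum values exactly as listed in the schema (None means "no status/priority set").
ALERT_STATUSES = {"ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE"}
ALERT_PRIORITIES = {"CRITICAL", "HIGH", "LOW", "MEDIUM"}

# Fields to pivot on when an analyst has a single indicator in hand.
INDICATOR_FIELDS = ("al.domain", "al.ip", "al.uri", "file.md5", "file.sha1", "file.sha256")


def phrase(field: str, value: str) -> str:
    """Exact match on a keyword field with the value as a quoted phrase.

    Inside a quoted Lucene phrase only backslash and double quote are special,
    so escaping those two keeps a user-supplied value from closing the phrase
    and injecting operators, wildcards or other field names into the query.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def any_of(field: str, values: Iterable[str]) -> str:
    """Membership test on a list field: (field:"a" OR field:"b" ...)."""
    terms = [phrase(field, v) for v in values]
    if not terms:
        raise ValueError("any_of needs at least one value")
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def status_in(statuses: Iterable[str]) -> str:
    """Filter on Alert.status, rejecting values the schema does not allow."""
    statuses = list(statuses)
    bad = [s for s in statuses if s not in ALERT_STATUSES]
    if bad:
        raise ValueError(f"unknown status values {bad}; allowed: {sorted(ALERT_STATUSES)}")
    return any_of("status", statuses)


def priority_in(priorities: Iterable[str]) -> str:
    """Filter on Alert.priority, rejecting values the schema does not allow."""
    priorities = list(priorities)
    bad = [p for p in priorities if p not in ALERT_PRIORITIES]
    if bad:
        raise ValueError(f"unknown priority values {bad}; allowed: {sorted(ALERT_PRIORITIES)}")
    return any_of("priority", priorities)


def score_at_least(score: int) -> str:
    """Alerts whose highest result score (al.score) is at least `score`."""
    return f"al.score:[{int(score)} TO *]"


def reported_after(when: datetime) -> str:
    """Alerts created (reporting_ts) at or after a timezone-aware instant."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid off-by-hours queries")
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"reporting_ts:[{stamp} TO *]"


def pivot_on_indicator(value: str) -> str:
    """Every alert whose aggregate IOC lists or file hashes contain `value`."""
    return "(" + " OR ".join(phrase(f, value) for f in INDICATOR_FIELDS) + ")"


def build(*clauses: str) -> str:
    """AND the clauses together; one clause per schema field keeps queries readable."""
    kept = [c for c in clauses if c]
    if not kept:
        raise ValueError("a query needs at least one clause")
    return " AND ".join(kept)


def triage_queue(min_score: int = 500, hours: int = 24, now: Optional[datetime] = None) -> str:
    """Constructed example: unresolved, high-scoring alerts from the last `hours`."""
    now = now or datetime.now(timezone.utc)
    return build(
        status_in(["TRIAGE", "ASSESS"]),
        score_at_least(min_score),
        reported_after(now - timedelta(hours=hours)),
    )


if __name__ == "__main__":
    print(triage_queue())
    print(build(pivot_on_indicator("c2.example.invalid"), priority_in(["HIGH", "CRITICAL"])))
```

The enum checks in `status_in()` and `priority_in()` matter more than they look: a misspelled status in a saved search or workflow silently matches nothing, and the schema is the only place the allowed values are written down.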
Field | Type | Description | Required | Default |
---|---|---|---|---|
alert_id | Keyword | Unique identifier of the alert. | Yes | None |
al | ALResults | Results of the Assemblyline analysis behind the alert. See ALResults. | Yes | None |
archive_ts | Date | Timestamp at which the alert was archived. | Optional | None |
attack | Attack | MITRE ATT&CK patterns and categories associated with the alert. See Attack. | Yes | None |
classification | Classification | Security classification of the alert. | Yes | None |
expiry_ts | Date | Timestamp at which the alert is scheduled to expire from the system. | Optional | None |
extended_scan | Enum | Status of the extended scan, if one applies. Extended scans are additional analyses run after the initial analysis. Supported values: "completed", "incomplete", "skipped", "submitted". | Yes | None |
file | File | Information about the file associated with the alert. See File. | Yes | None |
filtered | Boolean | Whether parts of the alert's results were withheld because the requesting user's classification does not allow them to view that data. | Yes | False |
heuristic | Heuristic | Heuristics that triggered the alert. See Heuristic. | Yes | None |
label | List [Keyword] | Labels assigned to the alert for categorization and filtering. | Yes | [] |
metadata | FlattenedObject | Metadata provided with the file at submission time. | Yes | {} |
owner | Keyword | User (or system component) that has taken ownership of the alert. Until someone claims it the value is None and the alert is unowned. | Optional | None |
priority | Enum | Importance assigned to the alert. Supported values: "CRITICAL", "HIGH", "LOW", "MEDIUM", None. | Optional | None |
reporting_ts | Date | Timestamp at which the alert was created. | Yes | None |
submission_relations | List [Relationship] | Parent/child relationships between the submissions that contributed to this alert. See Relationship. | Yes | None |
sid | UUID | Identifier of the submission associated with this alert. | Yes | None |
status | Enum | Current state of the alert in its lifecycle. It changes as a result of user actions, automated processes, or workflows run by Assemblyline. Supported values: "ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE", None. | Optional | None |
ts | Date | Timestamp of the file submission that generated this alert. | Yes | None |
type | Keyword | Type or category of the alert, as specified at submission time. | Yes | None |
verdict | Verdict | User assessments of the submission: the identifiers of the users who marked it malicious or non-malicious. See Verdict. | Yes | {} (an empty Verdict block) |
events | List [Event] | Audit trail of the events and actions taken on the alert. See Event. | Yes | [] |
workflows_completed | Boolean | Whether all configured workflows have run against this alert. | Yes | False |
## ALResults

Aggregated results of the Assemblyline analysis behind the alert: attribution, observed behaviours, the domains, IP addresses and URIs tied to the submission (split into static and dynamic findings), AV and YARA matches, and the highest score reached by any result.

Field | Type | Description | Required | Default |
---|---|---|---|---|
attrib | List [Keyword] | Attribution tags suggesting associations with known malware families, threat actors or campaigns. | Yes | [] |
av | List [Keyword] | Antivirus signatures that matched the file associated with the alert. | Yes | [] |
behavior | List [Keyword] | Behaviours exhibited by the analyzed file or artifact. | Yes | [] |
detailed | DetailedResults | Per-item breakdown of the results, each item carrying its own verdict. See DetailedResults. | Yes | None |
domain | List [Domain] | All domains related to the alert, combining domain_static and domain_dynamic. | Yes | [] |
domain_dynamic | List [Domain] | Domains observed during dynamic analysis of the artifact. | Yes | [] |
domain_static | List [Domain] | Domains extracted by static analysis of the artifact. | Yes | [] |
ip | List [IP] | All IP addresses related to the alert, combining ip_static and ip_dynamic. | Yes | [] |
ip_dynamic | List [IP] | IP addresses observed during dynamic analysis of the artifact. | Yes | [] |
ip_static | List [IP] | IP addresses extracted by static analysis of the artifact. | Yes | [] |
request_end_time | Date | Timestamp at which processing of the submission completed. | Yes | None |
score | Integer | Highest score assigned to any result in the submission. | Yes | None |
uri | List [URI] | All URIs related to the alert, combining uri_static and uri_dynamic. | Yes | [] |
uri_dynamic | List [URI] | URIs observed during dynamic analysis of the artifact. | Yes | [] |
uri_static | List [URI] | URIs extracted by static analysis of the artifact. | Yes | [] |
yara | List [Keyword] | YARA rules that matched and contributed to the alert. | Yes | [] |
## DetailedResults

Breaks the aggregated ALResults lists down into individual items, each with its own verdict (see DetailedItem).

Field | Type | Description | Required | Default |
---|---|---|---|---|
attack_pattern | List [DetailedItem] | MITRE ATT&CK® patterns identified in the analysis. | Yes | [] |
attack_category | List [DetailedItem] | MITRE ATT&CK® categories associated with the alert. | Yes | [] |
attrib | List [DetailedItem] | Attribution items suggesting associations with known malware families, threat actors or campaigns. | Yes | [] |
av | List [DetailedItem] | Antivirus signature matches. | Yes | [] |
behavior | List [DetailedItem] | Behaviours exhibited by the analyzed file or artifact. | Yes | [] |
domain | List [DetailedItem] | Domains related to the alert. | Yes | [] |
heuristic | List [DetailedItem] | Heuristics that triggered the alert. | Yes | [] |
ip | List [DetailedItem] | IP addresses related to the alert. | Yes | [] |
uri | List [DetailedItem] | URIs related to the alert. | Yes | [] |
yara | List [DetailedItem] | YARA rule matches that contributed to the alert. | Yes | [] |
## DetailedItem

One element of the detailed results: a single value (a domain, an AV signature, a heuristic name, and so on) together with the verdict the analysis assigned to it.

Field | Type | Description | Required | Default |
---|---|---|---|---|
type | Keyword | Which attribute or aspect of the analysis this item belongs to. | Yes | None |
value | Keyword | The value or identifier of the item. | Yes | None |
verdict | Enum | Assessment of the item, indicating its threat level. Supported values: "info", "malicious", "safe", "suspicious". | Yes | None |
subtype | Enum | Further qualifies the item within its type: configuration blocks (CFG), exploits (EXP), implants (IMP), obfuscation methods (OB) and threat actors (TA). Supported values: "CFG", "EXP", "IMP", "OB", "TA". | Optional | None |
## Attack

Records the MITRE ATT&CK information attached to the alert: the patterns (techniques) and categories (tactics) identified in the analysis, which map the threat to known adversary behaviour.

Field | Type | Description | Required | Default |
---|---|---|---|---|
pattern | List [Keyword] | MITRE ATT&CK® patterns relevant to the alert. | Yes | [] |
category | List [Keyword] | MITRE ATT&CK® categories relevant to the alert. | Yes | [] |
## Event

One entry in the alert's events audit trail. Users and workflows append an Event whenever they change the alert's status, priority or labels; the entry records who made the change, when, and what changed.

Field | Type | Description | Required | Default |
---|---|---|---|---|
entity_type | Enum | Kind of entity that performed the action. Supported values: "user", "workflow". | Yes | None |
entity_id | Keyword | Unique identifier of the entity that performed the action. | Yes | None |
entity_name | Keyword | Display name of that entity. | Yes | None |
ts | Date | Time at which the event occurred. | Yes | NOW (the time the event is recorded) |
labels | List [Keyword] | Labels added to the alert by this event. | Yes | [] |
labels_removed | List [Keyword] | Labels removed from the alert by this event. | Yes | [] |
status | Enum | Status of the alert after the event, when the event changed it. Supported values: "ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE". | Optional | None |
priority | Enum | Priority assigned by the event, when the event changed it. Supported values: "CRITICAL", "HIGH", "LOW", "MEDIUM". | Optional | None |
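Because every change to an alert's status, priority or labels is supposed to leave an Event behind, the trail can be replayed to check that the alert's current fields are what the trail implies. The following added example (not Assemblyline's workflow engine, API or alerter code) shows that: it records changes as Event entries using the field names and enum values from the tables above, then rebuilds the expected state from the trail. The sample alert, the workflow rule and its score threshold are constructed for the illustration, and the replay assumes every label on the alert was applied through an Event.

```python
"""Record alert lifecycle changes as Event entries and replay the audit trail.

Added example; not Assemblyline's workflow engine, API or alerter code. It uses
only the Alert and Event field names and enum values listed on this page. The
sample alert, the workflow rule and its thresholds are constructed for
illustration.
"""
from datetime import datetime, timezone

STATUSES = {"ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE"}
PRIORITIES = {"CRITICAL", "HIGH", "LOW", "MEDIUM"}
ENTITY_TYPES = {"user", "workflow"}


def sample_alert() -> dict:
    """Constructed alert document with just the fields this example touches."""
    return {
        "alert_id": "example-alert-0001",
        "al": {"score": 1200, "domain_dynamic": ["c2.example.invalid"]},
        "attack": {"category": ["command-and-control"], "pattern": ["T1071.001"]},
        "status": "TRIAGE",
        "priority": None,
        "owner": None,
        "label": [],
        "events": [],
        "workflows_completed": False,
    }


def apply_event(alert: dict, entity_type: str, entity_id: str, entity_name: str, *,
                labels=(), labels_removed=(), status=None, priority=None, ts=None) -> dict:
    """Update label/status/priority on the alert and append the matching Event.

    Enum values are checked against the schema first, so a misconfigured
    workflow or API caller cannot write a status the rest of the system will
    not recognise. Removals are applied before additions.
    """
    if entity_type not in ENTITY_TYPES:
        raise ValueError(f"entity_type must be one of {sorted(ENTITY_TYPES)}")
    if status is not None and status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if priority is not None and priority not in PRIORITIES:
        raise ValueError(f"unknown priority {priority!r}")
    if ts is None:
        ts = datetime.now(timezone.utc)  # mirrors the Event.ts default of NOW

    current = [l for l in alert.get("label", []) if l not in labels_removed]
    current.extend(l for l in labels if l not in current)
    alert["label"] = current
    if status is not None:
        alert["status"] = status
    if priority is not None:
        alert["priority"] = priority

    alert.setdefault("events", []).append({
        "entity_type": entity_type,
        "entity_id": entity_id,
        "entity_name": entity_name,
        "ts": ts.isoformat(),
        "labels": list(labels),
        "labels_removed": list(labels_removed),
        "status": status,      # status after the event, None if unchanged
        "priority": priority,  # priority set by the event, None if unchanged
    })
    return alert


def c2_workflow(alert: dict) -> dict:
    """Constructed workflow: high-scoring alerts mapped to C2 get escalated."""
    if alert["al"]["score"] >= 1000 and "command-and-control" in alert["attack"]["category"]:
        apply_event(alert, "workflow", "wf-c2-high-score", "C2 high score",
                    labels=["C2", "NEEDS_REVIEW"], status="ASSESS", priority="HIGH")
    alert["workflows_completed"] = True
    return alert


def replay(events: list) -> tuple:
    """Rebuild (labels, status, priority) implied by the events in time order."""
    labels, status, priority = [], None, None
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        labels = [l for l in labels if l not in ev["labels_removed"]]
        labels.extend(l for l in ev["labels"] if l not in labels)
        status = ev["status"] if ev["status"] is not None else status
        priority = ev["priority"] if ev["priority"] is not None else priority
    return labels, status, priority


def audit_consistent(alert: dict) -> bool:
    """True when the stored label/status/priority agree with the audit trail.

    A mismatch means the document was changed without leaving an Event, which
    is worth noticing before trusting an alert's state or closing it out.
    Assumes all labels on the alert were applied through events.
    """
    labels, status, priority = replay(alert.get("events", []))
    return (sorted(labels) == sorted(alert.get("label", []))
            and (status is None or status == alert.get("status"))
            and (priority is None or priority == alert.get("priority")))
```

Running `c2_workflow(sample_alert())` leaves the alert in status ASSESS with priority HIGH, labels C2 and NEEDS_REVIEW, and one workflow Event; a later user call such as `apply_event(alert, "user", "jdoe", "J. Doe", labels_removed=["NEEDS_REVIEW"], status="MALICIOUS")` appends a second Event, and `audit_consistent()` stays true until a field is edited without one.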
## File

Metadata and hashes of the original file whose submission produced the alert.

Field | Type | Description | Required | Default |
---|---|---|---|---|
md5 | MD5 | MD5 hash of the file. | Yes | None |
name | Keyword | Original name of the file as submitted. | Yes | None |
sha1 | SHA1 | SHA1 hash of the file. | Yes | None |
sha256 | SHA256 | SHA256 hash of the file. | Yes | None |
size | Integer | Size of the file in bytes. | Yes | None |
type | Keyword | File type as identified by Assemblyline. | Yes | None |
screenshots | List [Screenshot] | Screenshots taken of the file during analysis, if any. See Screenshot. | Yes | [] |
## Screenshot

A screenshot captured during analysis of the file. Each one carries a name, a description, and the hashes of the full-size image and its thumbnail, giving analysts a visual reference for manual review.

Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name or title of the screenshot. | Yes | None |
description | Keyword | Brief description of what the screenshot shows. | Yes | None |
img | SHA256 | SHA256 hash of the full-size screenshot image. | Yes | None |
thumb | SHA256 | SHA256 hash of the thumbnail version of the screenshot. | Yes | None |
## Heuristic

Summarizes the heuristics triggered during analysis. Heuristics are part of the detection logic Assemblyline's services use to flag suspicious or malicious behaviour in the analyzed file.

Field | Type | Description | Required | Default |
---|---|---|---|---|
name | List [Keyword] | Names of the heuristics matched in the analysis. | Yes | [] |
## Relationship

A parent/child link between two submissions that contributed to the alert. The list of these links in Alert.submission_relations describes how the contributing submissions are connected.

Field | Type | Description | Required | Default |
---|---|---|---|---|
child | UUID | Identifier of the child submission in the relationship. | Yes | None |
parent | UUID | Identifier of the parent submission; absent for a submission that has no parent. | Optional | None |
## Verdict

The conclusions users have drawn about the submission: the identifiers of those who marked it malicious and of those who marked it non-malicious, which together form a collective assessment of the threat.

Field | Type | Description | Required | Default |
---|---|---|---|---|
malicious | List [Keyword] | Identifiers of the users who marked the submission as malicious. | Yes | [] |
non_malicious | List [Keyword] | Identifiers of the users who marked the submission as non-malicious. | Yes | [] |