Skip to content

Alert

The Alert object model, as defined in this documentation, specifies the structured representation of alert data within the Assemblyline application's Alert index. Each field delineated in the schema is an attribute of the Alert document, characterized by its data type, semantic definition, mandatory status, and default instantiation value.

Comprehension of this schema is pivotal for the construction of targeted Lucene search queries, which are instrumental in the interrogation and retrieval of alert-specific data from Assemblyline's analytical output. The schema's fields provide the analytical lexicon necessary to query and dissect alert data, facilitating the isolation of alerts based on defined parameters such as threat identifiers, heuristic evaluations, and temporal metadata.

This schema serves as a technical blueprint for cybersecurity professionals to navigate Assemblyline's alerting system, enabling refined query strategies and data extraction methodologies that align with operational cybersecurity imperatives and threat intelligence workflows.

Field Type Description Required Default
alert_id Keyword Unique identifier for the alert.
Yes
None
al ALResults Contains the results of the Assemblyline analysis for the alert.
Yes
None
archive_ts Date Timestamp indicating when the alert was archived in the system.
Optional
None
attack Attack Structured data representing MITRE ATT&CK information associated with the alert.
Yes
None
classification Classification Security classification level of the alert.
Yes
None
expiry_ts Date Timestamp indicating when the alert is scheduled to expire from the system.
Optional
None
extended_scan Enum Indicates the status of an extended scan, if applicable. Extended scans are additional analyses performed after the initial analysis.
Supported values are:
"completed", "incomplete", "skipped", "submitted"
Yes
None
file File Information about the file associated with the alert.
Yes
None
filtered Boolean Indicates whether portions of the submission's analysis results have been omitted due to the user's classification level not meeting the required threshold for viewing certain data.
Yes
False
heuristic Heuristic Data regarding the heuristics that triggered the alert.
Yes
None
label List [Keyword] Labels assigned to the alert for categorization and filtering.
Yes
[]
metadata FlattenedObject Additional metadata provided with the file at the time of submission.
Yes
{}
owner Keyword Specifies the user or system component that has taken ownership of the alert. If no user has claimed the alert, it remains under system ownership with no specific user associated, indicated by a value of None.
Optional
None
priority Enum Indicates the importance level assigned to the alert.
Supported values are:
"CRITICAL", "HIGH", "LOW", "MEDIUM", None
Optional
None
reporting_ts Date Timestamp when the alert was created.
Yes
None
submission_relations List [Relationship] Describes the hierarchical relationships between submissions that contributed to this alert.
Yes
None
sid UUID Identifier for the submission associated with this alert.
Yes
None
status Enum Reflects the current state of the alert throughout its lifecycle. This status is subject to change as a result of user actions, automated processes, or the execution of workflows within Assemblyline. The status provides insight into the current phase of analysis or response.
Supported values are:
"ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE", None
Optional
None
ts Date Timestamp of when the file submission occurred that led to the generation of this alert.
Yes
None
type Keyword The type or category of the alert as specified at submission time by the user.
Yes
None
verdict Verdict Consolidates user assessments of the submission's nature. It records the user identifiers of those who have evaluated the submission, categorizing it as either malicious or non-malicious.
Yes
See Verdict for more details.
events List [Event] An audit trail of events and actions taken on the alert.
Yes
[]
workflows_completed Boolean Flag indicating whether all configured workflows have been executed for this alert.
Yes
False

ALResults

Contains the aggregated results of the analysis performed by Assemblyline. It includes information such as attribution, behaviors observed, domains and IPs related to the threat, and the overall score indicating the severity of the findings.

Field Type Description Required Default
attrib List [Keyword] A list of attribution tags that provide context by suggesting associations with known malware families, suspected threat actors, or ongoing campaigns.
Yes
[]
av List [Keyword] List of antivirus signatures that matched the file associated with the alert.
Yes
[]
behavior List [Keyword] Descriptions of behaviors exhibited by the analyzed file or artifact that led to the alert.
Yes
[]
detailed DetailedResults Provides a more detailed breakdown of the analysis results.
Yes
None
domain List [Domain] Aggregate list of domains related to the alert, derived from both static and dynamic analysis.
Yes
[]
domain_dynamic List [Domain] List of domains observed during dynamic analysis of the artifact.
Yes
[]
domain_static List [Domain] List of domains extracted from static analysis of the artifact.
Yes
[]
ip List [IP] Aggregate list of IP addresses related to the alert, derived from both static and dynamic analysis.
Yes
[]
ip_dynamic List [IP] List of IP addresses observed during dynamic analysis of the artifact.
Yes
[]
ip_static List [IP] List of IP addresses extracted from static analysis of the artifact.
Yes
[]
request_end_time Date The timestamp indicating when the processing of the submission completed.
Yes
None
score Integer The highest score assigned to any part of the submission based on the analysis results.
Yes
None
uri List [URI] Aggregate list of URIs related to the alert, derived from both static and dynamic analysis.
Yes
[]
uri_dynamic List [URI] List of URIs observed during dynamic analysis of the artifact.
Yes
[]
uri_static List [URI] List of URIs extracted from static analysis of the artifact.
Yes
[]
yara List [Keyword] List of YARA rule matches that contributed to the alert.
Yes
[]

DetailedResults

Provides a comprehensive breakdown of specific attributes and their associated analysis results.

Field Type Description Required Default
attack_pattern List [DetailedItem] Detailed information on MITRE ATT&CK® framework patterns identified in the analysis.
Yes
[]
attack_category List [DetailedItem] Detailed information on MITRE ATT&CK® framework categories associated with the alert.
Yes
[]
attrib List [DetailedItem] Detailed attribution information that provides context by suggesting associations with known malware families, suspected threat actors, or ongoing campaigns.
Yes
[]
av List [DetailedItem] Detailed information on antivirus signature matches.
Yes
[]
behavior List [DetailedItem] Detailed descriptions of the behaviors exhibited by the analyzed file or artifact that led to the alert.
Yes
[]
domain List [DetailedItem] Detailed domain information related to the alert.
Yes
[]
heuristic List [DetailedItem] Detailed heuristic information that triggered the alert.
Yes
[]
ip List [DetailedItem] Detailed IP address information related to the alert.
Yes
[]
uri List [DetailedItem] Detailed URI information related to the alert.
Yes
[]
yara List [DetailedItem] Detailed information on YARA rule matches that contributed to the alert.
Yes
[]

DetailedItem

Represents a granular element within the detailed analysis results, providing specific insights into the analysis findings.

Field Type Description Required Default
type Keyword Defines the specific attribute or aspect of the analysis that this detailed item pertains to.
Yes
None
value Keyword The specific value or identifier for the detail item.
Yes
None
verdict Enum Represents the security assessment or classification of the detailed item, indicating its potential threat level.
Supported values are:
"info", "malicious", "safe", "suspicious"
Yes
None
subtype Enum Adds further specificity to the detailed item, elaborating on its role or nature within the broader type category. Supported subtypes include configuration blocks (CFG), exploits (EXP), implants (IMP), obfuscation methods (OB), and threat actors (TA).
Supported values are:
"CFG", "EXP", "IMP", "OB", "TA"
Optional
None

Attack

The Attack submodel is a component of the Alert model that records information aligned with the MITRE ATT&CK framework. It lists the ATT&CK patterns and categories that have been identified in the analysis, helping to map the threat to known adversary tactics and techniques.

Field Type Description Required Default
pattern List [Keyword] List of MITRE ATT&CK® framework patterns that are relevant to the alert.
Yes
[]
category List [Keyword] List of MITRE ATT&CK® framework categories that are relevant to the alert.
Yes
[]

Event

Describes an event or action that has occurred during the lifecycle of the alert, capturing changes in status, priority, or labels.

Field Type Description Required Default
entity_type Enum The type of entity associated with the event.
Supported values are:
"user", "workflow"
Yes
None
entity_id Keyword The unique identifier of the entity associated with the event.
Yes
None
entity_name Keyword The name of the entity associated with the event.
Yes
None
ts Date The timestamp when the event occurred.
Yes
NOW
labels List [Keyword] Labels that were added to the alert during the event.
Yes
[]
labels_removed List [Keyword] Labels that were removed from the alert during the event.
Yes
[]
status Enum The status of the alert after the event took place.
Supported values are:
"ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE"
Optional
None
priority Enum The priority level assigned to the alert during the event.
Supported values are:
"CRITICAL", "HIGH", "LOW", "MEDIUM"
Optional
None

File

Captures comprehensive metadata and unique identifiers for the original file submitted for analysis, which is central to the generation of the alert.

Field Type Description Required Default
md5 MD5 The MD5 hash of the file.
Yes
None
name Keyword The original name of the file as submitted.
Yes
None
sha1 SHA1 The SHA1 hash of the file.
Yes
None
sha256 SHA256 The SHA256 hash of the file.
Yes
None
size Integer The size of the file in bytes.
Yes
None
type Keyword The file type as identified by Assemblyline's analysis.
Yes
None
screenshots List [Screenshot] Screenshots taken of the file during analysis, if applicable.
Yes
[]

Screenshot

Stores information about screenshots taken during the analysis of the file. Each screenshot has a name, description, and the hashes of the image and its thumbnail, offering a visual reference that can aid in manual review processes.

Field Type Description Required Default
name Keyword The name or title of the screenshot.
Yes
None
description Keyword A brief description of the screenshot's content.
Yes
None
img SHA256 The SHA256 hash of the full-size screenshot image.
Yes
None
thumb SHA256 The SHA256 hash of the thumbnail version of the screenshot.
Yes
None

Heuristic

Summarizes the heuristic rules triggered during the analysis. These rules are part of the detection logic used by Assemblyline to identify suspicious or malicious behavior in the analyzed file.

Field Type Description Required Default
name List [Keyword] Names of the heuristics that have been matched in the analysis.
Yes
[]

Relationship

Describes the relationship between different submissions that are linked to the formation of the alert, highlighting parent-child connections.

Field Type Description Required Default
child UUID The identifier of the child submission in the relationship.
Yes
None
parent UUID The identifier of the parent submission, if applicable.
Optional
None

Verdict

The Verdict submodel captures the conclusions drawn by users regarding the nature of a submission. It lists user identifiers for those who have deemed the submission as either malicious or non-malicious, representing a collective assessment of the threat.

Field Type Description Required Default
malicious List [Keyword] User identifiers of those who have marked the submission as malicious.
Yes
[]
non_malicious List [Keyword] User identifiers of those who have marked the submission as non-malicious.
Yes
[]