Alert
Model for Alerts

Field | Type | Description | Required | Default |
---|---|---|---|---|
alert_id | Keyword | ID of the alert | Yes | None |
al | ALResults | Assemblyline Result Block | Yes | None |
archive_ts | Date | None | Optional | None |
attack | Attack | ATT&CK Block | Yes | None |
classification | Classification | Classification of the alert | Yes | None |
expiry_ts | Date | Expiry timestamp | Optional | None |
extended_scan | Enum | Status of the extended scan. Values: "completed", "incomplete", "skipped", "submitted" | Yes | None |
file | File | File Block | Yes | None |
filtered | Boolean | Are the alert results filtered? | Yes | False |
heuristic | Heuristic | Heuristic Block | Yes | None |
label | List [Keyword] | List of labels applied to the alert | Yes | [] |
metadata | FlattenedObject | Metadata submitted with the file | Yes | {} |
owner | Keyword | Owner of the alert | Optional | None |
priority | Enum | Priority applied to the alert. Values: "CRITICAL", "HIGH", "LOW", "MEDIUM", None | Optional | None |
reporting_ts | Date | Alert creation timestamp | Yes | None |
submission_relations | List [Relationship] | Describes relationships between submissions used to build this alert | Yes | None |
sid | UUID | Submission ID related to this alert | Yes | None |
status | Enum | Status applied to the alert. Values: "ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE", None | Optional | None |
ts | Date | File submission timestamp | Yes | None |
type | Keyword | Type of alert | Yes | None |
verdict | Verdict | Verdict Block | Yes | See Verdict for more details. |
events | List [Event] | An audit of events applied to the alert | Yes | [] |
workflows_completed | Boolean | Have all workflows run on this alert? | Yes | False |
ALResults
Assemblyline Results Block

Field | Type | Description | Required | Default |
---|---|---|---|---|
attrib | List [Keyword] | List of attribution | Yes | [] |
av | List [Keyword] | List of AV hits | Yes | [] |
behavior | List [Keyword] | List of behaviors for the alert | Yes | [] |
detailed | DetailedResults | Assemblyline Detailed result block | Yes | None |
domain | List [Domain] | List of all domains | Yes | [] |
domain_dynamic | List [Domain] | List of domains found during Dynamic Analysis | Yes | [] |
domain_static | List [Domain] | List of domains found during Static Analysis | Yes | [] |
ip | List [IP] | List of all IPs | Yes | [] |
ip_dynamic | List [IP] | List of IPs found during Dynamic Analysis | Yes | [] |
ip_static | List [IP] | List of IPs found during Static Analysis | Yes | [] |
request_end_time | Date | Finish time of the Assemblyline submission | Yes | None |
score | Integer | Maximum score found in the submission | Yes | None |
uri | List [URI] | List of all URIs | Yes | [] |
uri_dynamic | List [URI] | List of URIs found during Dynamic Analysis | Yes | [] |
uri_static | List [URI] | List of URIs found during Static Analysis | Yes | [] |
yara | List [Keyword] | List of YARA rule hits | Yes | [] |
DetailedResults
Assemblyline Detailed result block

Field | Type | Description | Required | Default |
---|---|---|---|---|
attack_pattern | List [DetailedItem] | List of detailed ATT&CK patterns | Yes | [] |
attack_category | List [DetailedItem] | List of detailed ATT&CK categories | Yes | [] |
attrib | List [DetailedItem] | List of detailed attribution | Yes | [] |
av | List [DetailedItem] | List of detailed AV hits | Yes | [] |
behavior | List [DetailedItem] | List of detailed behaviors for the alert | Yes | [] |
domain | List [DetailedItem] | List of detailed domains | Yes | [] |
heuristic | List [DetailedItem] | List of detailed heuristics | Yes | [] |
ip | List [DetailedItem] | List of detailed IPs | Yes | [] |
uri | List [DetailedItem] | List of detailed URIs | Yes | [] |
yara | List [DetailedItem] | List of detailed YARA rule hits | Yes | [] |
DetailedItem
Assemblyline Results Block

Field | Type | Description | Required | Default |
---|---|---|---|---|
type | Keyword | Type of data that generated this item | Yes | None |
value | Keyword | Value of the item | Yes | None |
verdict | Enum | Verdict of the item. Values: "info", "malicious", "safe", "suspicious" | Yes | None |
subtype | Enum | None. Values: "CFG", "EXP", "IMP", "OB", "TA" | Optional | None |
Attack
ATT&CK Block

Field | Type | Description | Required | Default |
---|---|---|---|---|
pattern | List [Keyword] | List of related ATT&CK patterns | Yes | [] |
category | List [Keyword] | List of related ATT&CK categories | Yes | [] |
Event
Model of Workflow Event

Field | Type | Description | Required | Default |
---|---|---|---|---|
entity_type | Enum | Type of entity associated with the event. Values: "user", "workflow" | Yes | None |
entity_id | Keyword | ID of the entity associated with the event | Yes | None |
entity_name | Keyword | Name of the entity | Yes | None |
ts | Date | Timestamp of the event | Yes | NOW |
labels | List [Keyword] | Labels added during the event | Yes | [] |
labels_removed | List [Keyword] | Labels removed during the event | Yes | [] |
status | Enum | Status applied during the event. Values: "ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE" | Optional | None |
priority | Enum | Priority applied during the event. Values: "CRITICAL", "HIGH", "LOW", "MEDIUM" | Optional | None |
File
File Block Associated to the Top-Level/Root File of Submission

Field | Type | Description | Required | Default |
---|---|---|---|---|
md5 | MD5 | MD5 hash of the file | Yes | None |
name | Keyword | Name of the file | Yes | None |
sha1 | SHA1 | SHA1 hash of the file | Yes | None |
sha256 | SHA256 | SHA256 hash of the file | Yes | None |
size | Integer | Size of the file in bytes | Yes | None |
type | Keyword | Type of file as identified by Assemblyline | Yes | None |
screenshots | List [Screenshot] | Screenshots of the file | Yes | [] |
Screenshot
Assemblyline Screenshot Block

Field | Type | Description | Required | Default |
---|---|---|---|---|
name | Keyword | Name of the screenshot | Yes | None |
description | Keyword | Description of the screenshot | Yes | None |
img | SHA256 | SHA256 hash of the image | Yes | None |
thumb | SHA256 | SHA256 hash of the thumbnail | Yes | None |
Heuristic
Heuristic Block

Field | Type | Description | Required | Default |
---|---|---|---|---|
name | List [Keyword] | List of related Heuristic names | Yes | [] |
Relationship
Submission relations for an alert

Field | Type | Description | Required | Default |
---|---|---|---|---|
child | UUID | None | Yes | None |
parent | UUID | None | Optional | None |
Verdict
Verdict Block of Submission

Field | Type | Description | Required | Default |
---|---|---|---|---|
malicious | List [Keyword] | List of users that claim the submission is malicious | Yes | [] |
non_malicious | List [Keyword] | List of users that claim the submission is non-malicious | Yes | [] |