Alert¶
Model for Alerts
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| alert_id | Keyword | ID of the alert | Yes |
None |
| al | ALResults | Assemblyline Result Block | Yes |
None |
| archive_ts | Date | None | Optional |
None |
| attack | Attack | ATT&CK Block | Yes |
None |
| classification | Classification | Classification of the alert | Yes |
None |
| expiry_ts | Date | Expiry timestamp | Optional |
None |
| extended_scan | Enum | Status of the extended scan Values: "completed", "incomplete", "skipped", "submitted" |
Yes |
None |
| file | File | File Block | Yes |
None |
| filtered | Boolean | Are the alert results filtered? | Yes |
False |
| heuristic | Heuristic | Heuristic Block | Yes |
None |
| label | List [Keyword] | List of labels applied to the alert | Yes |
[] |
| metadata | FlattenedObject | Metadata submitted with the file | Yes |
{} |
| owner | Keyword | Owner of the alert | Optional |
None |
| priority | Enum | Priority applied to the alert Values: "CRITICAL", "HIGH", "LOW", "MEDIUM", None |
Optional |
None |
| reporting_ts | Date | Alert creation timestamp | Yes |
None |
| submission_relations | List [Relationship] | Describes relationships between submissions used to build this alert | Yes |
None |
| sid | UUID | Submission ID related to this alert | Yes |
None |
| status | Enum | Status applied to the alert Values: "ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE", None |
Optional |
None |
| ts | Date | File submission timestamp | Yes |
None |
| type | Keyword | Type of alert | Yes |
None |
| verdict | Verdict | Verdict Block | Yes |
See Verdict for more details. |
| events | List [Event] | An audit of events applied to alert | Yes |
[] |
| workflows_completed | Boolean | Have all workflows ran on this alert? | Yes |
False |
ALResults¶
Assemblyline Results Block
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| attrib | List [Keyword] | List of attribution | Yes |
[] |
| av | List [Keyword] | List of AV hits | Yes |
[] |
| behavior | List [Keyword] | List of behaviors for the alert | Yes |
[] |
| detailed | DetailedResults | Assemblyline Detailed result block | Yes |
None |
| domain | List [Domain] | List of all domains | Yes |
[] |
| domain_dynamic | List [Domain] | List of domains found during Dynamic Analysis | Yes |
[] |
| domain_static | List [Domain] | List of domains found during Static Analysis | Yes |
[] |
| ip | List [IP] | List of all IPs | Yes |
[] |
| ip_dynamic | List [IP] | List of IPs found during Dynamic Analysis | Yes |
[] |
| ip_static | List [IP] | List of IPs found during Static Analysis | Yes |
[] |
| request_end_time | Date | Finish time of the Assemblyline submission | Yes |
None |
| score | Integer | Maximum score found in the submission | Yes |
None |
| uri | List [URI] | List of all URIs | Yes |
[] |
| uri_dynamic | List [URI] | List of URIs found during Dynamic Analysis | Yes |
[] |
| uri_static | List [URI] | List of URIs found during Static Analysis | Yes |
[] |
| yara | List [Keyword] | List of YARA rule hits | Yes |
[] |
DetailedResults¶
Assemblyline Detailed result block
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| attack_pattern | List [DetailedItem] | List of detailed Att&ck patterns | Yes |
[] |
| attack_category | List [DetailedItem] | List of detailed Att&ck categories | Yes |
[] |
| attrib | List [DetailedItem] | List of detailed attribution | Yes |
[] |
| av | List [DetailedItem] | List of detailed AV hits | Yes |
[] |
| behavior | List [DetailedItem] | List of detailed behaviors for the alert | Yes |
[] |
| domain | List [DetailedItem] | List of detailed domains | Yes |
[] |
| heuristic | List [DetailedItem] | List of detailed heuristics | Yes |
[] |
| ip | List [DetailedItem] | List of detailed IPs | Yes |
[] |
| uri | List [DetailedItem] | List of detailed URIs | Yes |
[] |
| yara | List [DetailedItem] | List of detailed YARA rule hits | Yes |
[] |
DetailedItem¶
Assemblyline Results Block
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| type | Keyword | Type of data that generated this item | Yes |
None |
| value | Keyword | Value of the item | Yes |
None |
| verdict | Enum | Verdict of the item Values: "info", "malicious", "safe", "suspicious" |
Yes |
None |
| subtype | Enum | None Values: "CFG", "EXP", "IMP", "OB", "TA" |
Optional |
None |
Attack¶
ATT&CK Block
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| pattern | List [Keyword] | List of related ATT&CK patterns | Yes |
[] |
| category | List [Keyword] | List of related ATT&CK categories | Yes |
[] |
Event¶
Model of Workflow Event
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| entity_type | Enum | Type of entity associated to event Values: "user", "workflow" |
Yes |
None |
| entity_id | Keyword | ID of entity associated to event | Yes |
None |
| entity_name | Keyword | Name of entity | Yes |
None |
| ts | Date | Timestamp of event | Yes |
NOW |
| labels | List [Keyword] | Labels added during event | Yes |
[] |
| labels_removed | List [Keyword] | Labels removed during event | Yes |
[] |
| status | Enum | Status applied during event Values: "ASSESS", "MALICIOUS", "NON-MALICIOUS", "TRIAGE" |
Optional |
None |
| priority | Enum | Priority applied during event Values: "CRITICAL", "HIGH", "LOW", "MEDIUM" |
Optional |
None |
File¶
File Block Associated to the Top-Level/Root File of Submission
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| md5 | MD5 | MD5 hash of file | Yes |
None |
| name | Keyword | Name of the file | Yes |
None |
| sha1 | SHA1 | SHA1 hash of the file | Yes |
None |
| sha256 | SHA256 | SHA256 hash of the file | Yes |
None |
| size | Integer | Size of the file in bytes | Yes |
None |
| type | Keyword | Type of file as identified by Assemblyline | Yes |
None |
| screenshots | List [Screenshot] | Screenshots of the file | Yes |
[] |
Screenshot¶
Assemblyline Screenshot Block
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the screenshot | Yes |
None |
| description | Keyword | Description of the screenshot | Yes |
None |
| img | SHA256 | SHA256 hash of the image | Yes |
None |
| thumb | SHA256 | SHA256 hash of the thumbnail | Yes |
None |
Heuristic¶
Heuristic Block
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | List [Keyword] | List of related Heuristic names | Yes |
[] |
Relationship¶
Submission relations for an alert
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| child | UUID | None | Yes |
None |
| parent | UUID | None | Optional |
None |
Verdict¶
Verdict Block of Submission
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| malicious | List [Keyword] | List of users that claim submission as malicious | Yes |
[] |
| non_malicious | List [Keyword] | List of users that claim submission as non-malicious | Yes |
[] |