Auto-Generated Documentation
This set of documentation is automatically generated from source, and will help ensure any change to functionality will always be documented and available on release.
HowlerData
Howler specific definition of the hit that matches the outline.
Field | Type | Description | Required | Default |
---|---|---|---|---|
id | UUID | A UUID for this hit. | Yes | None |
analytic | Keyword | Title of the analytic. | Yes | None |
assignment | Keyword | Unique identifier of the assigned user. | Yes | unassigned |
bundles | List [Keyword] | A list of bundle IDs this hit is a part of. Corresponds to the howler.id of the bundle. | Yes | [] |
data | List [Keyword] | Raw telemetry records associated with this hit. | Yes | [] |
links | List [Link] | A list of links associated with this hit. | Yes | [] |
detection | Keyword | The detection that produced this hit. | Optional | None |
hash | SHA256 | A hash of the event used for deduplicating hits. | Yes | None |
hits | List [Keyword] | A list of hit IDs this bundle represents. Corresponds to the howler.id of the child hit. | Yes | [] |
is_bundle | Boolean | Is this hit a bundle or a normal hit? | Yes | False |
related | List [Keyword] | Related hits grouped by the enrichment that correlated them. Populated by enrichments. | Yes | [] |
reliability | Float | Metric decoupled from the value in the detection information. | Optional | None |
severity | Float | Metric decoupled from the value in the detection information. | Optional | None |
volume | Float | Metric decoupled from the value in the detection information. | Optional | None |
confidence | Float | Metric decoupled from the value in the detection information. | Optional | None |
score | Float | A score assigned by an enrichment to help prioritize triage. | Yes | None |
status | Enum | Status of the hit. Values: "in-progress", "on-hold", "open", "resolved" | Yes | open |
scrutiny | Enum | Level of scrutiny done to this hit. Values: "inspected", "investigated", "scanned", "surveyed", "unseen" | Yes | unseen |
escalation | Enum | Level of escalation of this hit. Values: "alert", "evidence", "hit", "miss" | Yes | hit |
assessment | Enum | Assessment of the hit. Values: "ambiguous", "attempt", "compromise", "development", "false-positive", "legitimate", "mitigated", "recon", "security", "trivial" | Optional | None |
rationale | Text | The rationale behind the hit assessment. Allows it to be understood and verified by other analysts. | Optional | None |
comment | List [Comment] | A list of comments with timestamps and attribution. | Yes | [] |
log | List [Log] | A list of changes to the hit with timestamps and attribution. | Yes | [] |
retained | Keyword | If the hit was retained, this is a link to it in Alfred. | Optional | None |
monitored | Keyword | Link to the incident monitoring dashboard. | Optional | None |
reported | Keyword | Link to the incident report. | Optional | None |
mitigated | Keyword | Link to the mitigation record (tool dependent). | Optional | None |
outline | Header | The user-specified header of the hit. | Optional | None |
labels | Label | List of labels relating to the hit. | Optional | See Label for more details. |
votes | Votes | Votes relating to the hit. | Optional | See Votes for more details. |
dossier | FlattenedObject | Raw data provided by the different sources. | Optional | None |
viewers | List [Keyword] | A list of users currently viewing the hit. | Yes | [] |
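As an added example (not part of the Howler project or of this generated page), the following Python validator models a representative subset of the fields in the table above: it rejects records that omit a field marked Required with no default, that carry an enum value outside the documented value set, or whose id and hash do not look like the declared types, and it fills in the Default column for anything left out. It assumes a hit arrives as a plain dict (for example parsed JSON), that UUID means an RFC 4122 string and that SHA256 means a 64-character hex digest; the sample record, including its id and hash, is a constructed placeholder.

```python
"""Validate a hit dict against the HowlerData table and apply its defaults."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, List, Optional
import re
import uuid

# Allowed values are copied from the table's Enum rows.
class Status(str, Enum):
    IN_PROGRESS = "in-progress"
    ON_HOLD = "on-hold"
    OPEN = "open"
    RESOLVED = "resolved"

class Scrutiny(str, Enum):
    INSPECTED = "inspected"
    INVESTIGATED = "investigated"
    SCANNED = "scanned"
    SURVEYED = "surveyed"
    UNSEEN = "unseen"

class Escalation(str, Enum):
    ALERT = "alert"
    EVIDENCE = "evidence"
    HIT = "hit"
    MISS = "miss"

class Assessment(str, Enum):
    AMBIGUOUS = "ambiguous"
    ATTEMPT = "attempt"
    COMPROMISE = "compromise"
    DEVELOPMENT = "development"
    FALSE_POSITIVE = "false-positive"
    LEGITIMATE = "legitimate"
    MITIGATED = "mitigated"
    RECON = "recon"
    SECURITY = "security"
    TRIVIAL = "trivial"

# Assumption: "SHA256" in the table means a 64-character hex digest.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

class HitValidationError(ValueError):
    """Raised when a record does not satisfy the HowlerData table."""

@dataclass
class HowlerData:
    """Representative subset of the table; defaults mirror the Default column."""
    id: str          # required, no default
    analytic: str    # required, no default
    hash: str        # required, no default
    score: float     # required, no default
    assignment: str = "unassigned"
    bundles: List[str] = field(default_factory=list)
    status: Status = Status.OPEN
    scrutiny: Scrutiny = Scrutiny.UNSEEN
    escalation: Escalation = Escalation.HIT
    assessment: Optional[Assessment] = None
    rationale: Optional[str] = None

REQUIRED_NO_DEFAULT = ("id", "analytic", "hash", "score")
ENUM_FIELDS = {"status": Status, "scrutiny": Scrutiny,
               "escalation": Escalation, "assessment": Assessment}

def parse_hit(raw: Dict[str, Any]) -> HowlerData:
    """Check a raw record (e.g. parsed JSON) and return a HowlerData."""
    missing = [n for n in REQUIRED_NO_DEFAULT if n not in raw]
    if missing:
        raise HitValidationError(f"missing required field(s): {missing}")
    try:
        uuid.UUID(str(raw["id"]))   # assumption: UUID means an RFC 4122 string
    except ValueError:
        raise HitValidationError("id is not a valid UUID") from None
    digest = str(raw["hash"]).lower()   # accept upper-case input, store lower
    if not SHA256_RE.match(digest):
        raise HitValidationError("hash is not a SHA256 hex digest")

    values: Dict[str, Any] = {"id": str(raw["id"]), "analytic": str(raw["analytic"]),
                              "hash": digest, "score": float(raw["score"])}
    # Enum fields: anything outside the documented value set is rejected.
    for name, enum_cls in ENUM_FIELDS.items():
        if raw.get(name) is not None:
            try:
                values[name] = enum_cls(raw[name])
            except ValueError:
                allowed = sorted(e.value for e in enum_cls)
                raise HitValidationError(f"{name}={raw[name]!r} not in {allowed}") from None
    for name in ("assignment", "rationale"):
        if raw.get(name) is not None:
            values[name] = str(raw[name])
    if raw.get("bundles") is not None:
        values["bundles"] = [str(x) for x in raw["bundles"]]
    return HowlerData(**values)   # fields not supplied take the table's defaults

# Constructed sample record; the id and hash are placeholder values, not real data.
SAMPLE_HIT = {"id": "4f4b0b2e-4d3c-4b7a-9d48-7a5c3a1f0c11", "analytic": "Example Analytic",
              "hash": "A" * 64, "score": 42.0, "status": "in-progress"}
```

Calling `parse_hit(SAMPLE_HIT)` returns a record with `status` set to `in-progress` and `scrutiny`, `escalation` and `assignment` filled from the Default column; a record with `status` set to a value such as `closed`, or one that omits `hash`, raises `HitValidationError` instead of producing a silently malformed hit.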