Auto-Generated Documentation
This set of documentation is automatically generated from source, and will help ensure any change to functionality will always be documented and available on release.
HowlerData
Howler specific definition of the hit that matches the outline.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| id | UUID | A UUID for this hit. | Yes | None |
| analytic | CaseInsensitiveKeyword | Title of the analytic. | Yes | None |
| assignment | Keyword | Unique identifier of the assigned user. | Yes | unassigned |
| bundles | List [Keyword] | None | Yes | [] |
| data | List [Keyword] | None | Yes | [] |
| links | List [Link] | A list of links associated with this hit. | Yes | [] |
| detection | CaseInsensitiveKeyword | The detection that produced this hit. | Optional | None |
| hash | HowlerHash | A hash of the event used for deduplicating hits. Supports any hexadecimal string between 1 and 64 characters long. | Yes | None |
| hits | List [Keyword] | None | Yes | [] |
| bundle_size | Integer | Number of hits in the bundle. | Yes | 0 |
| is_bundle | Boolean | Is this hit a bundle or a normal hit? | Yes | False |
| related | List [Keyword] | None | Yes | [] |
| reliability | Float | Metric decoupled from the value in the detection information. | Optional | None |
| severity | Float | Metric decoupled from the value in the detection information. | Optional | None |
| volume | Float | Metric decoupled from the value in the detection information. | Optional | None |
| confidence | Float | Metric decoupled from the value in the detection information. | Optional | None |
| score | Float | A score assigned by an enrichment to help prioritize triage. | Optional | 0 |
| status | Enum | Status of the hit. Values: "in-progress", "on-hold", "open", "resolved" | Yes | open |
| scrutiny | Enum | Level of scrutiny done to this hit. Values: "inspected", "investigated", "scanned", "surveyed", "unseen" | Yes | unseen |
| escalation | Enum | Level of escalation of this hit. Values: "alert", "evidence", "hit", "miss" | Yes | hit |
| expiry | Date | User-selected time for hit expiry. | Optional | None |
| assessment | Enum | Assessment of the hit. Values: "ambiguous", "attempt", "compromise", "development", "false-positive", "legitimate", "mitigated", "recon", "security", "trivial" | Optional | None |
| rationale | Text | The rationale behind the hit assessment. Allows it to be understood and verified by other analysts. | Optional | None |
| comment | List [Comment] | A list of comments with timestamps and attribution. | Yes | [] |
| log | List [Log] | A list of changes to the hit with timestamps and attribution. | Yes | [] |
| monitored | Keyword | Link to the incident monitoring dashboard. | Optional | None |
| reported | Keyword | Link to the incident report. | Optional | None |
| mitigated | Keyword | Link to the mitigation record (tool dependent). | Optional | None |
| outline | Header | The user-specified header of the hit. | Optional | None |
| incidents | List [Incident] | Fields describing an incident associated with this alert. | Yes | [] |
| labels | Label | List of labels relating to the hit. | Optional | See Label for more details. |
| votes | Votes | Votes relating to the hit. | Optional | See Votes for more details. |
| dossier | List [Lead] | A list of leads forming the dossier associated with this hit. | Yes | [] |
| viewers | List [Keyword] | None | Yes | [] |
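As an added example (not Howler's own model code), the following validator applies the constraints listed in the table above to an incoming hit: the required fields without a default, the stated defaults, the HowlerHash pattern (1 to 64 hexadecimal characters) and the enum value sets. The function and helper names and the sample hit are constructed for this example.

```python
import re
import uuid
from typing import Any

# Constraints transcribed from the HowlerData table above. Constructed example,
# not Howler's own model code; field names are the table's, helper names are mine.
HASH_RE = re.compile(r"[0-9a-fA-F]{1,64}")  # HowlerHash: 1-64 hex characters
ENUMS = {
    "status": {"in-progress", "on-hold", "open", "resolved"},
    "scrutiny": {"inspected", "investigated", "scanned", "surveyed", "unseen"},
    "escalation": {"alert", "evidence", "hit", "miss"},
    "assessment": {"ambiguous", "attempt", "compromise", "development",
                   "false-positive", "legitimate", "mitigated", "recon",
                   "security", "trivial"},
}
DEFAULTS = {"assignment": "unassigned", "status": "open", "scrutiny": "unseen",
            "escalation": "hit", "score": 0, "bundle_size": 0, "is_bundle": False}
LIST_FIELDS = ("bundles", "data", "links", "hits", "related", "comment", "log",
               "incidents", "dossier", "viewers")
REQUIRED = ("id", "analytic", "hash")  # required fields that have no default

def validate_howler_data(hit: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Fill table defaults and return (normalised hit, list of constraint errors)."""
    out = dict(hit)
    errors: list[str] = []
    for field in REQUIRED:
        if field not in out or out[field] in (None, ""):
            errors.append(f"{field}: required, no default")
    for field, value in DEFAULTS.items():
        out.setdefault(field, value)
    for field in LIST_FIELDS:
        out.setdefault(field, [])
    if "id" in out:
        try:
            uuid.UUID(str(out["id"]))  # id must parse as a UUID
        except ValueError:
            errors.append("id: not a UUID")
    if out.get("hash") is not None and not HASH_RE.fullmatch(str(out["hash"])):
        errors.append("hash: must be 1-64 hexadecimal characters")
    for field, allowed in ENUMS.items():  # enum fields: None (unset) is tolerated
        if out.get(field) is not None and out[field] not in allowed:
            errors.append(f"{field}: {out[field]!r} not in {sorted(allowed)}")
    return out, errors

if __name__ == "__main__":
    # Constructed sample hit: only the three required-without-default fields set.
    sample = {"id": str(uuid.uuid4()), "analytic": "Example Analytic", "hash": "deadbeef"}
    normalised, problems = validate_howler_data(sample)
    print(problems, normalised["status"], normalised["bundles"])
```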