A potential threat or alert

| Field | Description | Datatype | Dataclass | Examples |
|---|---|---|---|---|
| xdm.alert.category | The threat category. Use https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures.html for standardization. | | Scalar | XDM_CONST.THREAT_CATEGORY_APK, XDM_CONST.THREAT_CATEGORY_DMG, XDM_CONST.THREAT_CATEGORY_FLASH, XDM_CONST.THREAT_CATEGORY_JAVA_CLASS, XDM_CONST.THREAT_CATEGORY_MACHO |
| xdm.alert.subcategory | The threat subcategory. | String | Scalar | |
| xdm.alert.severity | The severity of the threat. | String | Scalar | |
| xdm.alert.name | The name of the threat. | String | Scalar | |
| xdm.alert.description | The description of the threat. | String | Scalar | |
| xdm.alert.mitre_tactics | The threat tactics represent the 'why' of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action. | | Array | XDM_CONST.MITRE_TACTIC_COLLECTION, XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, XDM_CONST.MITRE_TACTIC_DISCOVERY |
| xdm.alert.mitre_techniques | The threat techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access. | | Array | XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_BYPASS_USER_ACCOUNT_CONTROL, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_ELEVATED_EXECUTION_WITH_PROMPT, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_SETUID_AND_SETGID, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_SUDO_AND_SUDO_CACHING |
| xdm.alert.original_threat_id | The threat ID as received from the source. | String | Scalar | |
| xdm.alert.original_threat_name | The threat's name as received from the source. | String | Scalar | |
| xdm.alert.original_alert_id | The specific alert ID (the instance of the threat) as received from the source. | String | Scalar | |
| xdm.alert.risks | A collection of potential risks, vulnerabilities, or suspicions associated with this alert or event. | String | Array | |