xdm.alert

Cortex Data Model Schema Guide

Product
Cortex XSIAM
Last date published
2024-11-27
Category
XSIAM Data Model Schema

A potential threat or alert

xdm.alert.category

Description

The threat category. Use https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures.html for standardization

Datatype

XDM_CONST.THREAT_CATEGORY

Dataclass

Scalar

Examples

XDM_CONST.THREAT_CATEGORY_APK, XDM_CONST.THREAT_CATEGORY_DMG, XDM_CONST.THREAT_CATEGORY_FLASH, XDM_CONST.THREAT_CATEGORY_JAVA_CLASS, XDM_CONST.THREAT_CATEGORY_MACHO

xdm.alert.subcategory

Description

The threat subcategory.

Datatype

String

Dataclass

Scalar

xdm.alert.severity

Description

The severity of the threat.

Datatype

String

Dataclass

Scalar

xdm.alert.name

Description

The name of the threat.

Datatype

String

Dataclass

Scalar

xdm.alert.description

Description

The description of the threat.

Datatype

String

Dataclass

Scalar

xdm.alert.mitre_tactics

Description

The threat tactics represent the 'why' of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.

Datatype

XDM_CONST.MITRE_TACTIC

Dataclass

Array

Examples

XDM_CONST.MITRE_TACTIC_COLLECTION, XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, XDM_CONST.MITRE_TACTIC_DISCOVERY

xdm.alert.mitre_techniques

Description

The threat techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

Datatype

XDM_CONST.MITRE_TECHNIQUE

Dataclass

Array

Examples

XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_BYPASS_USER_ACCOUNT_CONTROL, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_ELEVATED_EXECUTION_WITH_PROMPT, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_SETUID_AND_SETGID, XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_SUDO_AND_SUDO_CACHING

xdm.alert.original_threat_id

Description

The threat ID as received from the source.

Datatype

String

Dataclass

Scalar

xdm.alert.original_threat_name

Description

The threat's name as received from the source.

Datatype

String

Dataclass

Scalar

xdm.alert.original_alert_id

Description

The specific alert ID, the instance of the threat, as received from the source.

Datatype

String

Dataclass

Scalar

xdm.alert.risks

Description

A collection of potential risks, vulnerabilities, or suspicions that are associated with this alert or event.

Datatype

String

Dataclass

Array