stellar-alerts
Get alerts from Stellar Cyber platform for a specified time period.
stellar-alerts [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [order=ORDER]
- profile=PROFILE
- Stellar Cyber connect profile code
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. Use one of the time units s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, 10s means data from 10 seconds ago.
- from=yyyyMMddHHmmss
- Start time of the range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
- to=yyyyMMddHHmmss
- End time of the range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
- order=ORDER
- asc or desc. desc by default.
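The option semantics above (duration units, zero-padded from/to timestamps, the order default) are easy to get subtly wrong when a wrapper script builds the command. The following is an added example, not code from the Stellar Cyber platform or the stellar-alerts command itself: it parses the key=value options and resolves the time window the command would cover. It assumes duration is measured back from the current time, that mon is 30 days, and that a date with fewer than 8 digits is rejected.

```python
import re
from datetime import datetime, timedelta

# Units accepted by duration=NUM{mon|w|d|h|m|s}.
# Assumption: "mon" is treated as 30 days; the page does not define it.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
                 "w": 7 * 86400, "mon": 30 * 86400}
_DURATION_RE = re.compile(r"^(\d+)(mon|w|d|h|m|s)$")
_KNOWN = {"profile", "duration", "from", "to", "order"}


def parse_duration(value: str) -> timedelta:
    """Turn '10s', '2h' or '1mon' into a timedelta; reject anything else."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def parse_timestamp(value: str) -> datetime:
    """Parse yyyyMMddHHmmss; an omitted time part is zero-padded
    (e.g. 20240301 -> 20240301000000). The 8-digit date part is required."""
    if not value.isdigit() or not 8 <= len(value) <= 14:
        raise ValueError(f"bad timestamp: {value!r}")
    return datetime.strptime(value.ljust(14, "0"), "%Y%m%d%H%M%S")


def parse_options(args, now=None):
    """Parse 'key=value' tokens and resolve the (start, end) window.
    'now' is injectable so the window can be computed deterministically."""
    now = now or datetime.now()
    opts = {}
    for tok in args:
        key, sep, val = tok.partition("=")
        if not sep or key not in _KNOWN:
            raise ValueError(f"unknown or malformed option: {tok!r}")
        opts[key] = val
    order = opts.get("order", "desc")          # desc is the documented default
    if order not in ("asc", "desc"):
        raise ValueError(f"order must be asc or desc, got {order!r}")
    if "duration" in opts:                     # assumption: relative to now
        start, end = now - parse_duration(opts["duration"]), now
    else:
        start = parse_timestamp(opts["from"]) if "from" in opts else None
        end = parse_timestamp(opts["to"]) if "to" in opts else None
    if start and end and start > end:
        raise ValueError("from must not be later than to")
    return {"profile": opts.get("profile"), "order": order,
            "start": start, "end": end}
```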
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| event_time | Date | Event time | Time of an action, such as start of session, time of update, etc. |
| src_ip | IP address | Source IP | Source IP address of the session. |
| src_port | Integer | Source port | Layer 4 source port. |
| dst_ip | IP address | Destination IP | Destination IP address of the session. |
| dst_port | Integer | Destination port | Layer 4 destination port. |
| protocol | String | Protocol | Layer 4 protocol name. Can be TCP, UDP, ICMP, or IGMP. |
| app_family | String | App family | The name of the application family to which the application belongs, such as network service, database, web, etc. |
| app | String | App | The name of an application identified by the DPI engine, such as HTTP, DHCP, Google, etc. |
| signature | String | Signature | Display name of the XDR event |
| anomaly_tag | String | Anomaly tag | e.g. rare, spike |
| threat_score | Integer | Threat score | 0 to 100. |
| severity | Integer | Severity | Severity of the event. From 0–100, with a higher value indicating higher severity. |
| fidelity | Double | Fidelity | Machine Learning confidence that an attack is happening. From 0–100, with a higher value indicating higher confidence. |
| src_reputation_source | String | Source reputation source | The source of the reputation data. |
| src_reputation | String | Source reputation | Reputation of the source IP address from Threat Intelligence, such as Good, Bad, Scanner, Spyware, etc. |
| dst_reputation_source | String | Destination reputation source | The source of the reputation data. |
| dst_reputation | String | Destination reputation | Reputation of the destination IP address from Threat Intelligence, such as Good, Bad, Scanner, Spyware, etc. |
| mitre_tactic | String | MITRE tactic ID | e.g. TA0043, XTA0002 |
| mitre_tactic_name | String | MITRE tactic name | e.g. Reconnaissance, XDR NBA |
| mitre_technique | String | MITRE technique ID | e.g. T1595, XT2003 |
| mitre_technique_name | String | MITRE technique name | e.g. Active Scanning, XDR App Anomaly |
| xdr_scope | String | XDR scope | e.g. External, Internal |
| xdr_killchain_stage | String | XDR killchain stage | e.g. Initial Attempts, Persistent Foothold, Exploration |
| login_type | String | Login type | The login type of the login events. e.g. ssh_traffic, smb_traffic |
| login_result | String | Login result | The login result of any user login events. e.g. fail |
| lateral | Bool | Is lateral | Whether the connection is from private to private. |
| description | String | Description | Description of the XDR event. |
| event_source | String | Event source | The data source for the Machine Learning job results. e.g. new_ml, sa |
| event_category | String | Event category | The kill chain event category for the Machine Learning job. e.g. killchain, network |
| event_type | String | Event type | The event type for the Machine Learning job. e.g. reconn, conn |
| event_name | String | Event name | The event name for the job. e.g. scanner_rep, network_uncommon_app, outbytes_anomaly |
| event_score | Integer | Event score | Combination of severity, fidelity, and threat_score. |
| event_status | String | Event status | The current status of a given event record. Can be new, in_progress, closed, or ignored. |
| duration | Integer | Duration | Session duration in milliseconds. |
| state | String | State | The current state of the session. e.g. HalfOpened, Established, Expired, Aborted, Closed |
| app_std_port | String | Standard port | Whether the application is using the standard port. e.g. yes, no |
| net_id | String | Network ID | e.g. 0 |
| net_name | String | Network name | The name of a network ID. |
| flow_score | Integer | Flow score | 0 to 100 |
| src_type | String | Source type | IP address type for the source IP address, such as private, multicast, or public. |
| src_host | String | Source host | Host name or DNS name for the source IP address. |
| src_mac | String | Source MAC address | Source MAC address. |
| src_country | String | Source country code | e.g. US, KR |
| src_country_name | String | Source country name | e.g. United States, South Korea |
| src_region | String | Source region | e.g. Gyeonggi-do, Unknown |
| src_city | String | Source city | e.g. Sungnam-si |
| src_lat | Double | Source latitude | |
| src_lng | Double | Source longitude | |
| dst_type | String | Destination type | The IP address type for the destination IP address, such as private, multicast, or public. |
| dst_host | String | Destination host | Host name or DNS name for the destination IP address. |
| dst_mac | String | Destination MAC address | Destination MAC address. |
| dst_country | String | Destination country code | e.g. GB |
| dst_country_name | String | Destination country name | e.g. United Kingdom |
| dst_region | String | Destination region | e.g. Cardiff |
| dst_city | String | Destination city | e.g. Cardiff |
| dst_lat | Double | Destination latitude | e.g. 51.4866 |
| dst_lng | Double | Destination longitude | e.g. -3.1549 |
| sent_bytes | Long | Sent bytes | The number of bytes sent to the server by the client since the last update. |
| rcvd_bytes | Long | Received bytes | The number of bytes the client received from the server since the last update. |
| sent_pkts | Long | Sent packets | The number of packets sent to the server by the client since the last update. |
| rcvd_pkts | Long | Received packets | The number of packets the client received from the server since the last update. |
| total_bytes | Long | Total bytes | Total number of bytes received and sent by client for a session. |
| total_pkts | Long | Total packets | Total number of packets received and sent by client for a session. |
| total_sent_bytes | Long | Total sent bytes | The number of bytes sent by the client to the server during the session. |
| total_rcvd_bytes | Long | Total received bytes | Total number of bytes the client received from the server during the session. |
| tcp_rtt | Integer | TCP RTT | Round trip time for a TCP connection, which represents the network delay. |
| file_id | String | File ID | Unique identifier for the file. It is a hash based on MD5 and SHA-256. |
| file_name | String | File name | File name of the threat on the endpoint. |
| file_path | String | File path | Directory holding the fileName on the endpoint. |
| md5 | String | MD5 | The MD5 hash value of this file. |
| sha256 | String | SHA256 | The SHA-256 hash value of this file. |
| url | String | URL | The URL that is a reference to a web resource. |
| iface | String | Interface | e.g. ethernet1 |
| dst_asset_id | String | Asset ID | The asset ID associated with the destination IP address. |
| eng_id | String | Engine ID | ID of the sensor. e.g. ad56000c2974bb19 |
| eng_name | String | Engine name | The hostname of the sensor. e.g. Coup-SecuritySensor132 |
| eng_gateway | String | Engine gateway | The gateway of the sensor. |
| start_bucket_time | Date | Start bucket time | Start time of the data that caused the anomaly. |
| end_bucket_time | Date | End bucket time | End time of the data that caused the anomaly, in milliseconds (combines with the start_bucket_time to form a time range). |
| dscp_name | String | DSCP name | Name as described in the commonly used DSCP values in RFC 2475. |
| detected_fields | List | Detected fields | Identification field of the alert type. |
| detected_values | List | Detected values | Identification field's value of the alert type. |
| msg_type | Integer | Message type | Integer value of the Stellar Cyber internal message type. |
| msg_type_name | String | Message type name | String value of the Stellar Cyber internal message type. |
| org_id | String | Organization ID | e.g. default-organization |
| org_name | String | Organization name | e.g. default-organization |
| tenant_id | String | Tenant ID | The ID of the tenant. |
| tenant_name | String | Tenant name | The name of the tenant. |
| rcvd_time | Date | Received time | Time the event was received by the DP. |
| write_time | Date | Write time | Time the event was written to Elasticsearch. |
| processing_time | Integer | Processing time | Processing time from the sensor. |
| response_time | Integer | Response time | Server processing time calculated by the sensor. |
| orig_index | Integer | Origin index | Elasticsearch index of the data causing the anomaly. |
| orig_id | Integer | Origin log ID | Elasticsearch ID of the data causing the anomaly. |
| ids | Map | IDS | Namespace for all IDS related fields. |
| metadata | Map | Metadata | Whether any field (such as domain, url, ip) in the metadata is in the whitelist. |