Skip to main content

Alert Template Table

The Alert Template Table plays a critical role in the alert processing phase. Each alert requires a corresponding template to define how the system extracts observables from the raw payload. Without a predefined template, the system cannot process the alert.

The table contains multiple fields, including the Vendor name, the Alert Name, the Template itself, a description, and the Case Type. This structure ensures that the system knows how to process different types of alerts from various vendors.

Thumbnail

Here’s how the templates work:

  1. Unique Template for Each Alert

    • Every alert must have a unique template associated with it. Alerts cannot be processed unless they have an existing template in the system.

  2. Templates are Defined Using JSON

    • Templates are structured as JSON entries. These entries define the "path" within the alert payload where each observable can be located, along with its corresponding type (e.g., IP Address, Username, File Hash).

  3. Template JSON Format Example

    • Below is an example of a template in JSON format. The key (e.g., device.external_ip) represents the location of the observable in the alert payload, while the value (e.g., "IP Address") specifies the type of observable.
{
  "agent_id": "Agent ID",
  "device.external_ip": "IP Address",
  "device.local_ip": "Local IP Address",
  "device.hostname": "Target Hostname",
  "user_name": "Username",
  "sha256": "File Hash",
  "user_principal": "Username",
  "parent_details.sha256": "File Hash"
}

Creating Custom Templates Based on Alert Payloads

  1. Understand the Alert Structure
    • Before creating a custom template, you need to examine the alert payload. The payload contains important information, such as the sender's email address or the device information, which will be extracted as observables.

In this example, the alert payload looks like this:

{
  "@odata.etag": "W/\"CQAAABYAAABOkmv/qhPtT7Ka/WdrM4/xAAHdWH1R\"",
  "id": "awdawdawdawda-qhPtT7Ka-WdrM4-xAAAAAAEMAABOkmv-qhPtT7Ka-WdrM4-xAAHd62AUAAA=",
  "receivedDateTime": "2022-04-19T18:33:43Z",
  "sender": {
    "emailAddress": {
      "address": "frodo@middleearth.com",
      "name": "Frodo Baggins"
    }
  },
  "subject": "Mordor-47 CS Sensor installation"
}

  1. Identify the Observable

    • In this example, we want to extract the email address (frodo@middleearth.com) from the alert payload and store it as an observable of type User Email.

    • The email address can be found under:

    "sender.emailAddress.address"

  2. Define the Observable Type

    • Next, we need to determine the type of the observable. In this case, we are extracting an email address, so the type will be "User Email".

  3. Create the Path in the JSON Template

    • The path is the location within the alert payload where the observable can be found. The path follows a dotted notation, starting from the root of the JSON object and navigating to the value you want to extract.
    • In this example, the path to the email address is
    "sender.emailAddress.address"

  4. Build the Custom JSON Template

    • Now that we have both the observable type and path, we can build the JSON template. The template will map the path in the alert payload to the observable type.
    • The custom template looks like this:
    {
      "sender.emailAddress.address": "User Email"
    }

  5. Apply the Template for Other Observables

    • The same process can be repeated for other observables in the alert. For example, if you wanted to extract the sender's name, you would identify the path ("sender.emailAddress.name") and define the appropriate type (e.g., "User Name").

  6. Test the Template

    • After creating the template, test it with similar alerts to ensure that the system correctly extracts the observables based on the path and type you defined.
    • For this example, the final JSON template looks like this:
    {
      "sender.emailAddress.address": "User Email"
    }

This template tells the system to extract the email address from the alert payload and label it as a User Email observable.By following these steps, you can create custom JSON templates for different observables in your alert payloads, ensuring that key data is accurately extracted and categorized for case management.