Schema
AlphaSOC supports two schemas for delivering security alerts: the industry-standard OCSF Detection Finding and our legacy v1.EventAlert. While both schemas effectively convey security event information, they serve different integration needs and compatibility requirements.
OCSF Detection Finding Schema
The OCSF (Open Cybersecurity Schema Framework) Detection Finding schema is an open-source, vendor-agnostic standard for security telemetry. This schema:
- Adheres to industry best practices for security event formatting.
- Provides detailed attack categorization for each finding.
- Includes full event context and metadata.
Here's an example of a finding following the OCSF 1.2.0 Detection Finding schema:
```json
{
  "category_name": "Findings",
  "category_uid": 2,
  "class_name": "DetectionFinding",
  "class_uid": 2004,
  "type_name": "DetectionFinding: Create",
  "type_uid": 200401,
  "count": 22,
  "time": 1723905503,
  "time_dt": "2024-08-17T14:38:23Z",
  "enrichments": [
    {
      "data": {
        "aggregation": {
          "key": {
            "workspaceID": "9269f7ee-115c-46da-8445-62ebff28217e",
            "srcIP": "10.14.1.43",
            "detections": [
              {
                "id": "dns_tunnel",
                "key": "evrl.to",
                "severity": 4,
                "mitreAttack": [
                  "TA0010:T1048",
                  "TA0011:T1071.004",
                  "TA0011:T1572"
                ],
                "threat": "multiple_long_hostnames"
              }
            ]
```
v1.EventAlert Schema
The v1.EventAlert schema is AlphaSOC's proprietary format for security alerts. It captures network security events with essential metadata and contextual information. This schema:
- Enhances detection with threat categories and contextual intelligence.
- Provides compact output focused on key event details.
- Supports automated parsing and integration across security tools.
Here's an example of a finding following the v1.EventAlert schema:
```json
{
  "id": "94a81d5a-26af-569f-a137-f21f22ec6873",
  "eventType": "dns",
  "event": {
    "ts": "2024-08-17T14:27:45.128161624Z",
    "srcIP": "10.14.1.43",
    "srcPort": 51450,
    "query": "00efwukoewpbpwbmkvbefiqbhtccsbhkafydmhvnermqnwipwnuwkm.00.evrl.to",
    "qtype": "A",
    "rcode": ""
  },
  "threats": [
    "multiple_long_hostnames"
  ],
  "wisdom": {
    "flags": [
      "perplexing_host",
      "suspicious_tld",
      "unique"
    ],
    "domain": "evrl.to"
  },
  "detections": [
    {
      "id": "dns_tunnel",
      "key": "evrl.to",
      "severity": 4
    }
  ],
  "mitreAttack": [
```
Schema Comparison: v1.EventAlert versus OCSF Detection Finding
Note: Both schemas support full security event representation but organize data differently.
Feature | v1.EventAlert | OCSF Detection Finding |
---|---|---|
Threat Detection | Indexed threat IDs | Complete threat description |
MITRE ATT&CK | Concise attack references | Detailed attack categorization |
Severity | Detection-specific severity rating | Single highest severity value |
Mapping Structure | Mapped to specific evidence fields | Unmapped Wisdom data |
Event Data | Preserves multiple source event fields | Aggregated in single source event field |
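The following is an added example, not AlphaSOC's code: a small normaliser that accepts an alert in either schema and reduces it to one flat record, which makes the differences in the table above concrete (ATT&CK references sit per detection in OCSF but at alert level in v1, per-detection severities collapse to the single highest value, and OCSF carries an aggregate `count`). The samples are constructed from the fragments on this page; the v1 `mitreAttack` list, which is cut off above, is assumed to match the OCSF one.

```python
from datetime import datetime, timezone
# Constructed samples modelled on the fragments above (not real AlphaSOC output).
V1_ALERT = {
    "id": "94a81d5a-26af-569f-a137-f21f22ec6873", "eventType": "dns",
    "event": {"ts": "2024-08-17T14:27:45.128161624Z", "srcIP": "10.14.1.43",
              "srcPort": 51450, "query": "00efwukoewpb.00.evrl.to", "qtype": "A", "rcode": ""},
    "threats": ["multiple_long_hostnames"],
    "wisdom": {"flags": ["perplexing_host", "suspicious_tld", "unique"], "domain": "evrl.to"},
    "detections": [{"id": "dns_tunnel", "key": "evrl.to", "severity": 4}],
    "mitreAttack": ["TA0010:T1048", "TA0011:T1071.004", "TA0011:T1572"],  # assumed
}
OCSF_FINDING = {
    "category_uid": 2, "class_uid": 2004, "type_uid": 200401, "count": 22,
    "time": 1723905503, "time_dt": "2024-08-17T14:38:23Z",
    "enrichments": [{"data": {"aggregation": {"key": {
        "workspaceID": "9269f7ee-115c-46da-8445-62ebff28217e", "srcIP": "10.14.1.43",
        "detections": [{"id": "dns_tunnel", "key": "evrl.to", "severity": 4,
                        "mitreAttack": ["TA0010:T1048", "TA0011:T1071.004", "TA0011:T1572"],
                        "threat": "multiple_long_hostnames"}]}}}}],
}

def parse_v1_ts(ts: str) -> datetime:
    # v1 timestamps carry nanoseconds; datetime keeps microseconds, so truncate the fraction.
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((frac + "000000")[:6]))

def normalize(alert: dict) -> dict:
    """Reduce an alert in either schema to one flat record for routing or correlation."""
    if alert.get("class_uid") == 2004:  # OCSF Findings / Detection Finding
        key = alert["enrichments"][0]["data"]["aggregation"]["key"]
        detections, src_ip, count = key["detections"], key["srcIP"], alert.get("count", 1)
        techniques = {t for d in detections for t in d.get("mitreAttack", [])}  # per detection
        when = datetime.fromtimestamp(alert["time"], tz=timezone.utc)  # epoch seconds
    elif "eventType" in alert and "event" in alert:  # v1.EventAlert
        detections, src_ip, count = alert["detections"], alert["event"]["srcIP"], 1
        techniques = set(alert.get("mitreAttack", []))  # alert level, not per detection
        when = parse_v1_ts(alert["event"]["ts"])
    else:
        raise ValueError("unrecognised alert schema")
    return {
        "src_ip": src_ip,
        "count": count,
        "time": when.isoformat(),
        "detections": sorted(d["id"] for d in detections),
        "indicators": sorted({d["key"] for d in detections}),
        "max_severity": max(d["severity"] for d in detections),  # single highest value
        "tactics": sorted({t.split(":")[0] for t in techniques}),
        "techniques": sorted(t.split(":")[1] for t in techniques),
    }
```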