
Reference: alert template schema

This section documents the alert schema for use with alert templates.

The Type column lists either native Go types or custom types defined by Sophos. This document uses lowercase names for native Go types and capitalized names for custom types; every custom type has its own section below. The Usage Example column gives a template snippet that can be copied into your template for common cases. For nested fields, the example includes the parent fields needed to reach the value (for example {{.ProcessInfo.Program}}). For slices, elements are reached either with the range action or with the index function (for example {{range .Lineage}} {{.Program.Path}} {{end}}). The examples are not the only way to use the alert fields in an Alert Template. Note that the alert schema differs between the JSON and Alert Template formats, so consult this reference rather than the JSON output when writing templates. See Alert configuration templates.

Alert

Alert is the top-level Sophos Linux Sensor Alert type.

Field | Type | Description | Usage Example
GroupID | string | The Unix group ID. | {{.GroupID}}
Timestamp | int64 | The Unix timestamp of when the Alert was generated. | {{.Timestamp}}
Description | string | The description of the Alert from Policy. | {{.Description}}
Comments | string | The comments on the Alert from Policy. | {{.Comments}}
UUID | string | The Universally Unique ID for this Alert. | {{.UUID}}
AlertLabels | map[string]string | The Alert labels from Policy. | {{.AlertLabels}}
Priority | Priority | The Alert's priority. | {{.Priority}}
Confidence | Confidence | The confidence that the Alert is not a false positive. | {{.Confidence}}
Location | AlertLocation | The location where the Alert was generated. | {{.Location}}
ProcessInfo | ProcessInfo | Information about the process that generated the Alert (if available). | {{.ProcessInfo}}
Lineage | []ProcessInfo | Lineage information for the process and its programs (if enabled). | {{.Lineage}}
StrategyName | string | The name and release version of the Policy. | {{.StrategyName}}
PolicyType | PolicyType | The Policy's type (for example Program). See the PolicyType enum below. | {{.PolicyType}}
Scope | Scope | The scope of the Alert's process. | {{.Scope}}
Notifications | []AlertNotification | The notifications associated with the Alert and its response actions. | {{.Notifications}}
MatchedObjects | []AlertFilterMatch | The objects that were matched and caused the Alert. | {{.MatchedObjects}}
MatchedRule | string | The policy rule that was matched and caused the Alert. | {{.MatchedRule}}
Metadata | map[string]string | The system metadata from the host of the Alert's process. | {{.Metadata}}
Categories | string | The MITRE categories this Alert belongs to. | {{.Categories}}

AlertLocation

AlertLocation is accessible through the Alert Location field.

Field | Type | Description | Usage Example
NodeName | string | The host name of the underlying node. | {{.Location.NodeName}}
PodName | string | The Kubernetes pod name. | {{.Location.PodName}}
K8sNamespace | string | The Kubernetes namespace of the pod. | {{.Location.K8sNamespace}}
ContainerID | string | The unique identifier of the running container instance. | {{.Location.ContainerID}}
ContainerName | string | The name assigned to the container. | {{.Location.ContainerName}}
ImageID | string | The unique ID of the image the container was built from. | {{.Location.ImageID}}
ImageName | string | The name of the image the container was built from. | {{.Location.ImageName}}
SensorID | string | The unique identifier of the sensor on the host where the container is running. | {{.Location.SensorID}}

AlertNotification

AlertNotification is accessible through the Alert Notifications field which is a slice.

Field | Type | Description | Usage Example
Timestamp | int64 | The timestamp of the notification. | {{range .Notifications}} {{.Timestamp}} {{end}}
Name | string | The name of the notification. | {{range .Notifications}} {{.Name}} {{end}}
ActorUUID | string | The UUID of the notification's actor. | {{range .Notifications}} {{.ActorUUID}} {{end}}
Message | string | The message associated with the notification. | {{range .Notifications}} {{.Message}} {{end}}
MessageFields | AlertMessageFields | The message fields associated with the notification. | {{range .Notifications}} {{.MessageFields}} {{end}}

AlertMessageFields

AlertMessageFields are accessible through the Alert Notification's MessageFields.

Field | Type | Description | Usage Example
ActionType | string | The type of response action taken, for example "kill" or "stop". | {{range .Notifications}} {{.MessageFields.ActionType}} {{end}}
ActionTargetType | string | The type of target the response action was taken against, for example "process" or "container". | {{range .Notifications}} {{.MessageFields.ActionTargetType}} {{end}}
ActionResult | string | The outcome of the action, for example "successful" or "unsuccessful". | {{range .Notifications}} {{.MessageFields.ActionResult}} {{end}}
ActionResultDetails | string | Additional messages about the action's outcome. | {{range .Notifications}} {{.MessageFields.ActionResultDetails}} {{end}}
ConnectionDirection | string | Whether a network event was inbound or outbound. | {{range .Notifications}} {{.MessageFields.ConnectionDirection}} {{end}}
DisabledMechanism | string | The security mechanism that was disabled, as referenced in the alert. | {{range .Notifications}} {{.MessageFields.DisabledMechanism}} {{end}}
FilePath | string | The file path in the relevant event. | {{range .Notifications}} {{.MessageFields.FilePath}} {{end}}
FileSHA256Hash | string | The SHA-256 hash of the content of the file at FilePath. | {{range .Notifications}} {{.MessageFields.FileSHA256Hash}} {{end}}
SourceFilePath | string | The source path of the file that was linked or moved to FilePath in the relevant event. | {{range .Notifications}} {{.MessageFields.SourceFilePath}} {{end}}
InstanceCount | int32 | The number of times the relevant event occurred. | {{range .Notifications}} {{.MessageFields.InstanceCount}} {{end}}
KernelFunction | string | The kernel function in a kernel payload event. | {{range .Notifications}} {{.MessageFields.KernelFunction}} {{end}}
LocalPort | uint16 | The local port in a network event. | {{range .Notifications}} {{.MessageFields.LocalPort}} {{end}}
ModifiedCredentialFields | string | The list of cred struct members that changed. | {{range .Notifications}} {{.MessageFields.ModifiedCredentialFields}} {{end}}
ModuleName | string | The kernel module that was loaded. | {{range .Notifications}} {{.MessageFields.ModuleName}} {{end}}
NewPermissionsMask | string | The new file permissions in octal. | {{range .Notifications}} {{.MessageFields.NewPermissionsMask}} {{end}}
NewPermissionsStrings | string | The new file permissions as a list of strings. | {{range .Notifications}} {{.MessageFields.NewPermissionsStrings}} {{end}}
NewUid | int32 | The newly assigned uid. | {{range .Notifications}} {{.MessageFields.NewUid}} {{end}}
NewEuid | int32 | The newly assigned euid. | {{range .Notifications}} {{.MessageFields.NewEuid}} {{end}}
NewSuid | int32 | The newly assigned suid. | {{range .Notifications}} {{.MessageFields.NewSuid}} {{end}}
NewFsuid | int32 | The newly assigned fsuid. | {{range .Notifications}} {{.MessageFields.NewFsuid}} {{end}}
NewGid | int32 | The newly assigned gid. | {{range .Notifications}} {{.MessageFields.NewGid}} {{end}}
NewEgid | int32 | The newly assigned egid. | {{range .Notifications}} {{.MessageFields.NewEgid}} {{end}}
NewSgid | int32 | The newly assigned sgid. | {{range .Notifications}} {{.MessageFields.NewSgid}} {{end}}
NewFsgid | int32 | The newly assigned fsgid. | {{range .Notifications}} {{.MessageFields.NewFsgid}} {{end}}
PtraceAction | string | The ptrace method used against a process. | {{range .Notifications}} {{.MessageFields.PtraceAction}} {{end}}
RemoteHost | string | The remote host in a network event. | {{range .Notifications}} {{.MessageFields.RemoteHost}} {{end}}
RemotePort | uint16 | The remote port in a network event. | {{range .Notifications}} {{.MessageFields.RemotePort}} {{end}}
SystemCall | string | The syscall name referenced in the alert. | {{range .Notifications}} {{.MessageFields.SystemCall}} {{end}}
DurationUnits | string | The time unit in which the relevant events occurred. | {{range .Notifications}} {{.MessageFields.DurationUnits}} {{end}}
DurationValue | float64 | The number of time units in which the relevant events occurred. | {{range .Notifications}} {{.MessageFields.DurationValue}} {{end}}
ModifiedElements | []ModifiedElement | The list of elements that changed, with their old and new values. | {{range .Notifications}} {{.MessageFields.ModifiedElements}} {{end}}
Operations | string | The list of operations that were performed during the event. | {{range .Notifications}} {{.MessageFields.Operations}} {{end}}

ModifiedElement

ModifiedElement is accessible through the Alert Notification's MessageFields.ModifiedElements field which is a slice.

Field | Type | Description | Usage Example
ElementName | string | The element's name. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.ElementName}} {{end}} {{end}}
ExpectedValue | string | The "normal" value. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.ExpectedValue}} {{end}} {{end}}
PreviousValue | string | The element's old value. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.PreviousValue}} {{end}} {{end}}
NewValue | string | The element's new value. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.NewValue}} {{end}} {{end}}
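The program below is an added example written for this reference; it is not code from the Sophos documentation or from the sensor. It declares a minimal subset of the Alert, AlertNotification, AlertMessageFields and ModifiedElement types (the Go struct definitions are assumed from the tables above, not copied from the sensor's source), builds a constructed alert with three notifications, and renders it with a template that ranges over Notifications, steps into MessageFields with the with action, nests a second range over ModifiedElements, and flags any response action whose ActionResult is not "successful". The field names and the ActionType/ActionResult values ("kill", "stop", "successful", "unsuccessful") are the ones the tables list; the UUID, timestamps, path and hash are made up.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Subset of the alert schema used by this example. Field names and types follow
// the reference tables above; the structs are assumed for illustration, not taken
// from the sensor's own source.
type ModifiedElement struct {
	ElementName   string
	ExpectedValue string
	PreviousValue string
	NewValue      string
}

type AlertMessageFields struct {
	ActionType          string
	ActionTargetType    string
	ActionResult        string
	ActionResultDetails string
	FilePath            string
	FileSHA256Hash      string
	ModifiedElements    []ModifiedElement
}

type AlertNotification struct {
	Timestamp     int64
	Name          string
	Message       string
	MessageFields AlertMessageFields
}

type Alert struct {
	UUID          string
	Description   string
	Notifications []AlertNotification
}

// notificationTemplate ranges over Notifications, steps into MessageFields with
// "with", nests a second range over ModifiedElements, and flags any response
// action whose ActionResult is not "successful". The "{{-" / "-}}" markers trim
// surrounding newlines so that optional lines leave no blank gaps.
const notificationTemplate = `Alert {{.UUID}}: {{.Description}}
{{range .Notifications -}}
- [{{.Timestamp}}] {{.Name}}: {{.Message}}
{{- with .MessageFields}}
{{- if .ActionType}}
  action {{.ActionType}} on {{.ActionTargetType}} -> {{.ActionResult}}{{if ne .ActionResult "successful"}} (NEEDS FOLLOW-UP: {{.ActionResultDetails}}){{end}}
{{- end}}
{{- if .FilePath}}
  file {{.FilePath}} sha256={{.FileSHA256Hash}}
{{- end}}
{{- range .ModifiedElements}}
  changed {{.ElementName}}: {{.PreviousValue}} -> {{.NewValue}} (expected {{.ExpectedValue}})
{{- end}}
{{- end}}
{{end}}`

// Render parses and executes tmpl against a. A parse error or an execution
// error (for example a misspelled field name) comes back alongside whatever
// partial output was produced, so callers must check err before using the text.
func Render(tmpl string, a Alert) (string, error) {
	var sb strings.Builder
	t, err := template.New("alert").Parse(tmpl)
	if err == nil {
		err = t.Execute(&sb, a)
	}
	return sb.String(), err
}

// SampleAlert returns constructed test data, not a real sensor event.
func SampleAlert() Alert {
	return Alert{
		UUID:        "4f1c2a6e-0000-4000-8000-000000000001",
		Description: "Suspicious file permission change",
		Notifications: []AlertNotification{
			{Timestamp: 1700000000, Name: "file-permission-change", Message: "Permissions of /etc/shadow changed",
				MessageFields: AlertMessageFields{
					FilePath: "/etc/shadow", FileSHA256Hash: "0123abcd",
					ModifiedElements: []ModifiedElement{{ElementName: "mode", ExpectedValue: "0640", PreviousValue: "0640", NewValue: "0666"}},
				}},
			{Timestamp: 1700000002, Name: "kill-process", Message: "Response action executed",
				MessageFields: AlertMessageFields{ActionType: "kill", ActionTargetType: "process", ActionResult: "successful"}},
			{Timestamp: 1700000005, Name: "stop-container", Message: "Response action executed",
				MessageFields: AlertMessageFields{ActionType: "stop", ActionTargetType: "container", ActionResult: "unsuccessful",
					ActionResultDetails: "container runtime returned permission denied"}},
		},
	}
}

func main() {
	out, err := Render(notificationTemplate, SampleAlert())
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Run it with go run. The point of checking the error from Render is that a misspelled field name is an execution error, not a silently empty value: whatever text was produced before the failure is not a complete alert, so run every template change against a sample alert like this before deploying it.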

AlertFilterMatch

AlertFilterMatch is accessible through the Alert MatchedObjects field which is a slice.

Field | Type | Description | Usage Example
MatchedField | string | The name of the field that matched. | {{range .MatchedObjects}} {{.MatchedField}} {{end}}
MatchedValue | string | The value of that field. | {{range .MatchedObjects}} {{.MatchedValue}} {{end}}
MatchOperator | string | The operator used in the comparison. | {{range .MatchedObjects}} {{.MatchOperator}} {{end}}
MatchedPattern | string | The pattern the field was matched against. | {{range .MatchedObjects}} {{.MatchedPattern}} {{end}}
MatchedDescription | string | The user-supplied description of the pattern. | {{range .MatchedObjects}} {{.MatchedDescription}} {{end}}

ProcessInfo

ProcessInfo is accessible through the Alert ProcessInfo field and through each element of the Alert Lineage field, which is a slice.

The usage examples below illustrate the simpler path through the Alert ProcessInfo field.

For access through the Alert Lineage field, range over the slice; inside the range, the dot is one ProcessInfo element:

{{range .Lineage}} {{.$FIELD}} {{end}}

Replace $FIELD with the field name of your choice (for example Uuid).

Field | Type | Description | Usage Example
Uuid | string | The UUID of this process. | {{.ProcessInfo.Uuid}}
TimestampHostMono | uint64 | The host monotonic-clock timestamp of the fork, or of when the process was first seen. | {{.ProcessInfo.TimestampHostMono}}
ThreadGroup | *ThreadGroupInfo | The thread group (process) this thread belongs to. | {{.ProcessInfo.ThreadGroup}}
Tgid | uint32 | The process ID as seen from userland. Same as ThreadGroup.Tgid. | {{.ProcessInfo.Tgid}}
Tid | uint32 | The task ID as seen by the kernel (the thread ID). | {{.ProcessInfo.Tid}}
Program | *ProgramInfo | The current program. | {{.ProcessInfo.Program}}
CurrentWorkingDirectory | string | The current working directory of this process. | {{.ProcessInfo.CurrentWorkingDirectory}}
Privileges | []int | The process' privileges. | {{.ProcessInfo.Privileges}}
Username | string | The user name for the user ID of the task/thread. | {{.ProcessInfo.Username}}
Group | string | The group name for the group ID of the task/thread. | {{.ProcessInfo.Group}}
EffectiveUsername | string | The user name for the effective user ID of the task/thread. | {{.ProcessInfo.EffectiveUsername}}
EffectiveGroup | string | The group name for the effective group ID of the task/thread. | {{.ProcessInfo.EffectiveGroup}}
SavedUsername | string | The user name for the saved user ID of the task/thread. | {{.ProcessInfo.SavedUsername}}
SavedGroupname | string | The group name for the saved group ID of the task/thread. | {{.ProcessInfo.SavedGroupname}}
FileSystemUsername | string | The user name for the filesystem user ID (fsuid) of the task/thread. | {{.ProcessInfo.FileSystemUsername}}
FileSystemGroup | string | The group name for the filesystem group ID (fsgid) of the task/thread. | {{.ProcessInfo.FileSystemGroup}}
ExitTimestampHostMono | uint64 | The host monotonic-clock timestamp of when the process exited. | {{.ProcessInfo.ExitTimestampHostMono}}

ThreadGroupInfo

ThreadGroupInfo is accessible through the ProcessInfo ThreadGroup field, both on the Alert ProcessInfo field and on each element of the Alert Lineage field. ThreadGroup itself and the Parent, PreviousState, Leader and Program fields are pointers and can be unset.

The usage examples below illustrate the simpler path through the Alert ProcessInfo field.

For access through the Alert Lineage field do the following:

{{range .Lineage}} {{.ThreadGroup.$FIELD}} {{end}}

Replace $FIELD with the field name of your choice (for example Parent).

Field | Type | Description | Usage Example
Uuid | string | The thread UUID of the thread group leader. | {{.ProcessInfo.ThreadGroup.Uuid}}
TimestampHostMono | uint64 | The host monotonic-clock timestamp of the fork, or of when the process was first seen. | {{.ProcessInfo.ThreadGroup.TimestampHostMono}}
Parent | *ThreadGroupInfo | The current parent, not necessarily the creator. | {{.ProcessInfo.ThreadGroup.Parent}}
PreviousState | *ThreadGroupInfo | The previous state of this process, if any (for example before an execve(2)). | {{.ProcessInfo.ThreadGroup.PreviousState}}
Tgid | uint32 | The process ID as seen from userland. | {{.ProcessInfo.ThreadGroup.Tgid}}
Leader | *ProcessInfo | The leading thread. | {{.ProcessInfo.ThreadGroup.Leader}}
Program | *ProgramInfo | The current program. | {{.ProcessInfo.ThreadGroup.Program}}

ProgramInfo

ProgramInfo is accessible through the ProcessInfo Program field, both on the Alert ProcessInfo field and on each element of the Alert Lineage field, and through the ThreadGroupInfo Program field. Program is a pointer and can be unset.

The usage examples below illustrate the simpler path through the Alert ProcessInfo field.

For access through the Alert Lineage field do the following:

{{range .Lineage}} {{.Program.$FIELD}} {{end}}

Replace $FIELD with the field name of your choice (for example Path).

Field | Type | Description | Usage Example
Path | string | The path to the program's executable. | {{.ProcessInfo.Program.Path}}
CmdLine | string | The command line. | {{.ProcessInfo.Program.CmdLine}}
Arguments | []string | The program's arguments. | {{.ProcessInfo.Program.Arguments}}
TimestampHostMono | uint64 | The host monotonic-clock timestamp of the exec, or of when the program was first seen. | {{.ProcessInfo.Program.TimestampHostMono}}
Complete | bool | Indicates whether the program's exec event was observed. The exec is not observed if, for example, the program was already running before program tracking began. | {{.ProcessInfo.Program.Complete}}
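The following Go program is an added example for this reference, not code from the Sophos documentation or from the sensor. It exercises the range and index usage described in the introduction together with the ProcessInfo, Lineage, ThreadGroupInfo and ProgramInfo sections above: the struct subset and the Priority constants are assumed from the tables (the sensor's own Go types are not published on this page), and the alert, labels, program paths and thread group IDs are constructed. The template walks ThreadGroup, Parent and Program through the with action, which skips an unset pointer instead of aborting; the unguarded template in main shows what happens without that guard.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Priority mirrors the Priority enum table below; String makes {{.Priority}} print
// the name, while ge/lt in a template still compare the underlying integer.
type Priority int

const (
	PriorityUnknown Priority = iota
	PriorityInfo
	PriorityLow
	PriorityMedium
	PriorityHigh
)

func (p Priority) String() string {
	if p < PriorityUnknown || p > PriorityHigh {
		return fmt.Sprintf("Priority(%d)", int(p))
	}
	return [...]string{"Unknown", "Info", "Low", "Medium", "High"}[p]
}

// Schema subset assumed from the reference tables (not the sensor's source);
// the pointer fields follow the tables' * types and can be nil.
type ProgramInfo struct{ Path, CmdLine string }
type ThreadGroupInfo struct {
	Tgid    uint32
	Parent  *ThreadGroupInfo
	Program *ProgramInfo
}
type ProcessInfo struct {
	Tgid        uint32
	ThreadGroup *ThreadGroupInfo
	Program     *ProgramInfo
}
type Alert struct {
	StrategyName string
	Priority     Priority
	AlertLabels  map[string]string
	ProcessInfo  ProcessInfo
	Lineage      []ProcessInfo
}

// lineageTemplate: range over a map (keys come out sorted), walk ThreadGroup ->
// Parent -> Program through "with" (which skips nil pointers instead of failing),
// range Lineage with an index variable, call index, and compare Priority as an int.
const lineageTemplate = `{{.StrategyName}} [{{.Priority}}]
{{- range $k, $v := .AlertLabels}}
label {{$k}}={{$v}}
{{- end}}
process: {{.ProcessInfo.Program.CmdLine}} tgid={{.ProcessInfo.Tgid}}
{{- with .ProcessInfo.ThreadGroup}}{{with .Parent}}
parent tgid: {{.Tgid}}{{with .Program}} ({{.Path}}){{end}}{{end}}{{end}}
{{- if .Lineage}}
lineage (first entry tgid={{(index .Lineage 0).Tgid}}):
{{- range $i, $p := .Lineage}}
  {{$i}}: {{with $p.Program}}{{.Path}}{{else}}<unknown program>{{end}} tgid={{$p.Tgid}}
{{- end}}
{{- end}}
{{- if ge .Priority 3}}
ESCALATE: priority {{.Priority}}
{{- end}}
`

// Render parses and executes tmpl; on error the partial output comes back with it.
func Render(tmpl string, a Alert) (string, error) {
	var sb strings.Builder
	t, err := template.New("alert").Parse(tmpl)
	if err == nil {
		err = t.Execute(&sb, a)
	}
	return sb.String(), err
}

// SampleAlert is constructed test data, not a real sensor event.
func SampleAlert() Alert {
	python := &ProgramInfo{Path: "/usr/bin/python3", CmdLine: "/usr/bin/python3 app.py"}
	bash := &ProgramInfo{Path: "/bin/bash", CmdLine: "/bin/bash -i"}
	tg := &ThreadGroupInfo{Tgid: 4242, Program: bash, Parent: &ThreadGroupInfo{Tgid: 4100, Program: python}}
	return Alert{
		StrategyName: "Interactive shell in container v1.2",
		Priority:     PriorityHigh,
		AlertLabels:  map[string]string{"team": "platform", "env": "prod"},
		ProcessInfo:  ProcessInfo{Tgid: 4242, Program: bash, ThreadGroup: tg},
		// Tgid 1 carries no Program: its exec was never observed, so the pointer is nil.
		Lineage: []ProcessInfo{{Tgid: 1}, {Tgid: 4100, Program: python}, {Tgid: 4242, Program: bash}},
	}
}

func main() {
	out, err := Render(lineageTemplate, SampleAlert())
	fmt.Print(out, "guarded render error: ", err, "\n")
	_, err = Render(`{{range .Lineage}}{{.Program.Path}} {{end}}`, SampleAlert()) // no nil guard
	fmt.Println("unguarded render error:", err)
}
```

Because Parent, PreviousState, Leader and Program are pointers, a bare {{.ProcessInfo.ThreadGroup.Parent.Program.Path}} aborts the whole render with a nil-pointer error whenever any link is unset, and the alert text is lost; the with/else form degrades to a placeholder instead. The ge comparison works because Priority is an integer type underneath; its String method only affects how the value prints.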

Enum Types

Priority

String Integer
Unknown 0
Info 1
Low 2
Medium 3
High 4

Confidence

String Integer
Zero 0
Low 1
MediumLow 2
MediumHigh 4
High 5
Max 6

PolicyType

String Integer
AppArmor 0
BPFExec 1
Chmod 2
Connect 3
ContainerEscape 4
CloudMetadata 5
File 6
FileMonitor 7
FileAccess 8
Filter 9
InteractiveShell 10
KernelPayload 11
LoadKernelModule 12
MemoryProtection 13
NewFileExec 14
UnauthorizedKernelCredentialChange 15
Program 16
Ptrace 17
RemoteInteractiveShell 18
Segfault 19
SELinux 20
Sendto 21
SetPrivilege 22
Setrlimit 23
SmepSmap 24
SpectreMeltdown 25
StackPivotDetection 26
NetworkService 27
YaraScan 28
UserFaultFD 29
ShellCommand 30
Heartbeat 31
CoverageDrop 32
Kprobe 33
TagEvent 34
Uprobe 35

Scope

String Integer
Other 0
Process 1
RootProcess 2
Container 3
Node 4
Subnet 5
Socket 6

GroupingScope

String Integer
None 0
Process 1
ParentProcess 2
Container 3
Host 4