alerts

A list of alerts that Guardian raises.

id Primary key of this query source
type_id The type identifier (ID) represents a unique "class" of alert; it characterizes what the alert is about in a unique way
name Name of the type ID. It can be updated dynamically by the correlation engine.
description More details about the alert
severity Syslog-like severity
mac_src Source media access control (MAC) address
mac_dst Destination MAC address
ip_src Source internet protocol (IP) address
ip_dst Destination IP address
risk Risk, between 0 and 10
protocol The protocol in which this entity has been observed
src_roles Roles of the source node
dst_roles Roles of the target node
time Time when the first packet triggered the alert; for incidents, it is the time of the last correlated alert, so it is updated over time
ack True if the Alert has been acknowledged
id_src ID of the source node
id_dst ID of the destination node
synchronized True if this entity has been synchronized with the upper Central Management Console (CMC) or Vantage
zone_src Source zone
zone_dst Destination zone
appliance_id The ID of the sensor where this entity has been observed
port_src Source port
port_dst Destination port
label_src Label of the source node
label_dst Label of the destination node
trigger_id ID of the triggering engine entity
trigger_type Name of the trigger/engine
appliance_host The hostname of the sensor where this entity has been observed
appliance_ip The IP address of the sensor where this entity has been observed
transport_protocol Name of the transport protocol (e.g. tcp/udp/icmp...)
is_security True if the alert is a cybersecurity alert; False otherwise (e.g. for a network monitoring alert)
note User-defined note about the Alert
appliance_site Site name of the sensor where this alert has been generated
parents IDs of the parent incidents
is_incident True if this Alert is an incident grouping more alerts
properties JavaScript Object Notation (JSON) with additional information for this alert
created_time Time when the alert record was created
incident_keys (Internal use)
bpf_filter Berkeley Packet Filter (BPF) filter for the entity, used when performing traces for this entity
closed_time Time in epoch milliseconds when the alert was closed; 0 if still open
status Status of the alert
session_id ID of the Session during which this alert was raised
replicated True if the record has been replicated on the replica machine
capture_device Name of the interface from which this entity has been detected
threat_name For a known threat, the name of that threat
type_name Name of the type ID. It is immutable.
sec_profile_visible True if the alert is visible according to the Security Profile. For alerts that are part of incidents, the field value is set to True when at least one child alert has the field value equal to True.
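To show how the fields above combine in practice, here is an added example (not part of the Guardian documentation or product) that builds a triage queue from records shaped like this query source: it keeps open, unacknowledged, profile-visible cybersecurity alerts above a risk threshold, lets an open parent incident stand in for its child alerts, and treats closed_time of 0 as "still open" rather than as a timestamp. The records, their values and the selection rules are constructed assumptions for illustration.

```python
# Constructed sample records using the field names documented on this page.
# Values (IDs, type_ids, addresses, risks, timestamps) are made up.
SAMPLE_ALERTS = [
    {"id": "inc-1", "type_id": "example:incident", "name": "Incident 1",
     "risk": 8.0, "is_security": True, "ack": False, "closed_time": 0,
     "is_incident": True, "parents": [], "sec_profile_visible": True,
     "ip_src": "10.0.0.5", "ip_dst": "10.0.0.9", "time": 1700000300000},
    {"id": "a-1", "type_id": "example:type-a", "name": "Child alert",
     "risk": 8.0, "is_security": True, "ack": False, "closed_time": 0,
     "is_incident": False, "parents": ["inc-1"], "sec_profile_visible": True,
     "ip_src": "10.0.0.5", "ip_dst": "10.0.0.9", "time": 1700000000000},
    {"id": "a-2", "type_id": "example:type-b", "name": "Monitoring alert",
     "risk": 9.0, "is_security": False, "ack": False, "closed_time": 0,
     "is_incident": False, "parents": [], "sec_profile_visible": True,
     "ip_src": "10.0.0.7", "ip_dst": "10.0.0.9", "time": 1700000100000},
    {"id": "a-3", "type_id": "example:type-c", "name": "Closed alert",
     "risk": 9.5, "is_security": True, "ack": True, "closed_time": 1700000200000,
     "is_incident": False, "parents": [], "sec_profile_visible": True,
     "ip_src": "10.0.0.8", "ip_dst": "10.0.0.9", "time": 1700000150000},
    {"id": "a-4", "type_id": "example:type-d", "name": "Standalone alert",
     "risk": 7.5, "is_security": True, "ack": False, "closed_time": 0,
     "is_incident": False, "parents": [], "sec_profile_visible": True,
     "ip_src": "10.0.0.6", "ip_dst": "10.0.0.9", "time": 1700000250000},
]


def time_to_close_ms(alert):
    """Milliseconds between the alert's time and closed_time, or None while open.
    closed_time is 0 for an open alert, so it must never be used as a timestamp."""
    if alert["closed_time"] == 0:
        return None
    return alert["closed_time"] - alert["time"]


def open_security_queue(alerts, min_risk=7.0):
    """Open, unacknowledged, profile-visible cybersecurity alerts with risk at or
    above min_risk, highest risk first. A child alert whose parent incident is
    still open is represented by that incident and dropped from the queue."""
    by_id = {a["id"]: a for a in alerts}
    queue = []
    for a in alerts:
        if a["closed_time"] != 0 or a["ack"] or not a["is_security"]:
            continue
        if not a["sec_profile_visible"] or a["risk"] < min_risk:
            continue
        if any(by_id[p]["closed_time"] == 0 for p in a["parents"] if p in by_id):
            continue  # parent incident is open and already represents this alert
        queue.append(a)
    return sorted(queue, key=lambda a: (-a["risk"], a["time"]))
```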