Detection Data Model
All results from every detection query that executes are saved to the detections table.
The detections table contains several fields.
- id (String): Unique identifier of the run
- scheduledRunID (String): The unique identifier of the scheduled query run
- workspaceID (String): Your workspace ID
- detectionID (String): The identifier of the detection
- detectionName (String): The name of the detection
- recordsReturned (Int32): The number of rows returned by the query
- runTime (Int64): The number of nanoseconds the query took to run
- query (String): The actual query that was run for the scheduled query
- params (Map(String, String)): The supplied parameters to the scheduled query
- columnNames (Array(String)): An ordered array of the column names returned by the query
- columnTypes (Array(String)): An ordered array of the column types returned by the query
- results (String): An array of the first 100 returned values from the query
- severity (String): A string representing the severity of the alert
- actor (Map(String, String)): Details about the user that ran the query
- resources (Array(String), DEFAULT []): Details about the resources returned from the query
- srcIP (String): Details about the srcIP in the log entries
- dstIP (String): Details about the dstIPs from the log entries
- notificationNames (Array(String)): The names of the notification channels
- categories (Array(String), DEFAULT []): The categories that the query belongs to
- mitreAttacks (Array(LowCardinality(String)), DEFAULT []): The MITRE ATT&CK technique categories that the query belongs to
This table is useful for combining detections and results. There are two helpful views on top of it.
- alerts: The same table as the detections table, except it only contains entries where an alert was sent to a notification channel.
- signals: The same table as the detections table, except it only contains entries where an alert was not sent to a notification channel.
These tables can be accessed like any other table in RunReveal.
To query the detections table:
select * from detections
To query the signals view:
select * from signals
To query the alerts view:
select * from alerts
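The following queries are an added example and are not part of the RunReveal documentation. They assume the ClickHouse SQL dialect, which the Map, Array and LowCardinality column types in the model imply; arrayJoin, empty, notEmpty and uniqExact are ClickHouse functions, and the column names are exactly those listed above. The first query finds signals that matched rows but never reached a notification channel (candidates for tuning or promotion to alerts), the second breaks alerts down by MITRE ATT&CK technique, and the third flags detections that fired without any category or ATT&CK mapping, which makes triage harder.

```sql
-- Added example, not from the RunReveal docs. Assumes ClickHouse SQL.

-- 1. Signals that returned rows but were never sent to a notification channel.
--    runTime is in nanoseconds, so divide by 1e9 to get seconds.
SELECT detectionID,
       detectionName,
       severity,
       count()              AS runs,
       sum(recordsReturned) AS rows_matched,
       max(runTime) / 1e9   AS slowest_run_seconds
FROM signals
WHERE recordsReturned > 0
GROUP BY detectionID, detectionName, severity
ORDER BY rows_matched DESC
LIMIT 20;

-- 2. Alerts per ATT&CK technique. arrayJoin emits one row per element of
--    mitreAttacks, so an alert tagged with two techniques is counted under both.
SELECT arrayJoin(mitreAttacks) AS technique,
       count()                 AS alerts,
       uniqExact(detectionID)  AS distinct_detections
FROM alerts
WHERE notEmpty(mitreAttacks)
GROUP BY technique
ORDER BY alerts DESC;

-- 3. Detection hygiene: runs that matched rows but carry no categories and
--    no ATT&CK mapping, so an analyst has no context for what fired.
SELECT detectionName,
       severity,
       recordsReturned,
       notificationNames
FROM detections
WHERE recordsReturned > 0
  AND empty(categories)
  AND empty(mitreAttacks)
ORDER BY recordsReturned DESC;
```

Because the model has no timestamp column of its own, these queries aggregate over everything in the table; add a time filter on whichever column your workspace exposes for run time if you only want a recent window.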