Detection Data Model

All results, from all detection queries that execute, are saved to the detections table.

The detections table contains several fields.

  • id - String - Unique identifier of the run
  • scheduledRunID - String - The unique identifier of the scheduled query run
  • workspaceID - String - Your workspace ID
  • detectionID - String - The identifier of the detection
  • detectionName - String - The name of the detection
  • recordsReturned - Int32 - The number of rows returned by the query
  • runTime - Int64 - The number of nanoseconds the query took to run
  • query - String - The actual query that was run for the scheduled query
  • params - Map(String, String) - The supplied parameters to the scheduled query
  • columnNames - Array(String) - An ordered array of column names returned by the query
  • columnTypes - Array(String) - An ordered array of the column types returned by the query
  • results - String - An array of the first 100 returned values from the query
  • severity - String - A string representing the severity of the alert
  • actor - Map(String, String) - Details about the user that ran the query
  • resources - Array(String) DEFAULT [] - Details about the resources returned from the query
  • srcIP - String - Details about the srcIP in the log entries
  • dstIP - String - Details about the dstIPs from the log entries
  • notificationNames - Array(String) - The names of the notification channels
  • categories - Array(String) DEFAULT [] - The categories that the query belongs to
  • mitreAttacks - Array(LowCardinality(String)) DEFAULT [] - The MITRE ATT&CK technique categories that the query belongs to

This table is useful for combining detections and results. There are two helpful views on top of this.

  • alerts - The same table as the detections table except it only contains entries where an alert was sent to a notification channel.
  • signals - The same table as the detections table except it only contains entries where an alert was not sent to a notification channel.

These tables can be accessed like any other table in RunReveal.

To query the detections table:

select * from detections

To query the signals view:

select * from signals

To query the alerts view:

select * from alerts
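
The following queries are an added example and are not part of the RunReveal documentation; they show how the fields listed above and the alerts and signals views can be used for triage and tuning. They assume the ClickHouse SQL dialect (the Map, Array and LowCardinality types in the field list are ClickHouse types). Every column name is taken from the field list on this page; the MITRE ATT&CK technique ID is an illustrative placeholder, and the functions used (count, countIf, avg, has, mapKeys, mapValues, length) are standard ClickHouse functions.

```sql
-- Added example, not RunReveal's own code. Assumes the ClickHouse SQL dialect.
-- All column names come from the detections field list on this page.

-- 1. Which detections return the most rows, and how expensive are they?
--    runTime is stored in nanoseconds, so divide by 1e6 to report milliseconds.
select
    detectionName,
    count()                         as runs,
    sum(recordsReturned)            as rows_returned,
    round(avg(runTime) / 1e6, 2)    as avg_ms
from detections
group by detectionName
order by rows_returned desc
limit 20;

-- 2. Signals (no notification sent) that still returned rows.
--    These are candidates for promotion to an alert, or for tuning if they are noise.
select detectionName, severity, recordsReturned, categories
from signals
where recordsReturned > 0
order by recordsReturned desc
limit 50;

-- 3. Alerts tagged with a given MITRE ATT&CK technique.
--    has() tests array membership; 'T1078' is a placeholder technique ID.
select detectionName, severity, notificationNames, srcIP, dstIP
from alerts
where has(mitreAttacks, 'T1078');

-- 4. Per-severity breakdown of alerts versus signals, to check that high-severity
--    detections are actually routed to a notification channel.
select
    severity,
    countIf(length(notificationNames) > 0) as with_notification,
    countIf(length(notificationNames) = 0) as without_notification
from detections
group by severity
order by severity;

-- 5. Inspect the parameters a scheduled query was run with.
--    mapKeys/mapValues unpack the params Map without assuming any key names.
select detectionName, mapKeys(params) as param_keys, mapValues(params) as param_values
from detections
where length(param_keys) > 0
limit 20;
```

Query 2 is the one most useful on a regular cadence: because signals are detections that fired without notifying anyone, a signal that consistently returns rows is either a gap in notification routing or a query that needs tightening. Query 4 gives the same check from the other direction, using notificationNames directly on the detections table rather than the views.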