Alerts
Introduction to Alerts
The system generates real-time and Machine Learning-based alerts upon detecting anomalies or abnormal behavior in network traffic and connections, particularly those involving potentially suspicious activity. Additionally, certain traffic properties and attributes are enriched by the NETALERT application.
The Alerts option can be opened at any time from the left-side section of the Web Interface; clicking it opens the corresponding page.
To view an alert, click the button, which will open the detailed alert information:
Name | Attribute | Description |
---|---|---|
Alert ID | AlertID | A unique identifier assigned to the alert instance for tracking, reference, and database indexing |
Alert IDS | Alert_IDS | An identifier associated with the alert, used for internal correlation, grouping of related alerts, and classification based on predefined alert types (as outlined in the Types of Alerts section) |
Alert Name | AlertName | The name assigned to the detected alert, indicating the type of security event (e.g., BruteForce) (as outlined in the Types of Alerts section) |
Packet IDS | Packet_IDS | A unique identifier for the packet(s) that triggered the alert, enabling further packet analysis. This identifier helps track the specific network data involved in the alert. In cases where multiple packets are aggregated into a single alert, this field may be absent. The Packet IDS is described in the Traffic |
Alert IP | Alert_IP | The IP address associated with the alert, typically the source or destination of suspicious activity |
Alert MAC | Alert_MAC | The MAC address of the device involved in the detected alert |
Impact | Impact | The estimated impact level of the alert, indicating how critical the event is (LOW, MEDIUM, HIGH, CRITICAL) |
Severity | Severity | A numerical rating (ranging from 0 to 9) assigned to the alert, indicating its criticality and aiding in prioritizing threats |
Machine Learning Score | ML_score | A machine learning-generated confidence score (ranging from 0 to 100) that evaluates the severity of the alert and the probability of the event being a genuine threat |
UTC Time | UTC_ISO8601 | The timestamp indicating when the alert was generated, recorded in ISO 8601 UTC format |
Content | Content | A detailed description of the alert, including detected suspicious behavior, affected IPs, and attack parameters. For alerts generated by a machine learning algorithm, a JSON object is provided containing the algorithm's name and relevant parameters |
Flow ID | Flow_ID | A unique identifier assigned to a specific network flow, enabling correlation between multiple packets or events within the same communication session. This identifier is used to generate the alert, aiding in traffic analysis and investigation. In cases where the alert aggregates multiple flows, this field may be absent. The Flow ID is described in the Traffic |
Attack Stage | AttackStage | The phase of the cyberattack lifecycle in which the alert was triggered, mapped to security frameworks like MITRE ATT&CK (e.g., CredentialAccess) |
MitreID | MitreID | The corresponding MITRE ATT&CK technique ID(s) associated with the detected attack (e.g., CredentialAccess / BruteForce / T1110) |
Last Modify | LastModify | The timestamp indicating when the alert entry was last updated |
Duration | Duration | The total duration of the detected activity that triggered the alert |
Repeated | Repeated | The number of times this specific alert pattern has been detected within a certain time window |
Source IP | _info.SrcIP | The IP address of the source of the suspicious traffic |
Destination Port | _info.DestPort | The network port on the destination system targeted by the detected activity |
Destination IP | _info.DestIP | The IP address of the target system affected by the detected event |
Source MAC | _info.SrcMAC | The MAC address of the source device initiating the detected activity |
Destination MAC | _info.DestMAC | The MAC address of the destination device that received the detected traffic |
Attack Duration | _info.AttackDuration | The time duration (in seconds) over which the suspicious activity was observed |
Alert Index | Alert.index | Indicates the database shard where the alert is stored and serves as the alert storage index, formatted by date for efficient log management and retrieval |
Alert Type | Alert.type | Represents the classification of the alert, typically labeled as alerts, and indicates the database shard where the alert is stored |
Alert ID | Alert.id | A unique identifier assigned to the alert in the database, used for referencing and tracking the alert entry |
Alert Score | Alert.score | A numerical score representing the severity of the alert based on static alert rules, ranging from 0 to 1000, indicating the alert’s significance or risk level |
Local Time | LocalTime | The timestamp indicating when the alert was recorded and inserted into the database, presented in the local time zone format |
Search and filter section
The Search and Filter section offers advanced control over the alerts list, enabling users to refine displayed information through detailed filtering options. It supports the application of specific criteria, the combination of multiple conditions, and the selection of a date and time range to focus on relevant alerts, ensuring accurate and efficient data analysis.
- The Search field allows users to filter displayed alerts using free-text input. If the field is left empty, all alerts will be shown. For examples of Alert Filters, please follow the link: Alerts Filters Examples
- The Start Date and End Date fields allow you to quickly widen or narrow the time interval.
- In the top corner, additional filtering options enable users to sort alert data in either descending or ascending order based on UTC Time (UTC_ISO8601 DESC and UTC_ISO8601 ASC), ensuring better control over the displayed results.
- The Quick Filter option allows for easy adjustment of the time interval with preset options like Last 6 Hours or Last Day.
- In the top right corner of the Alerts Module, users can apply filters to refine the displayed alert data. The available filtering options include "All Alerts" and "APT Alerts", allowing for a more focused analysis of detected threats.
- The Fields dropdown list provides users with an advanced selection of filtering criteria, allowing them to choose specific alert attributes to customize their searches.
The available filters provide an efficient way to manage alerts by adjusting visibility, categorizing statuses, and taking security actions like blocking suspicious IPs. Selecting specific options helps streamline analysis and response.
- Add – Includes a specific parameter in the filtered alert view.
- Exclude – Removes a specific parameter from the displayed alerts.
- Show Chart – Displays a graphical representation of the filtered alerts.
- Exists – Filters alerts to show entries where a specific parameter is present.
- NOT Exists – Filters alerts to exclude entries where a specific parameter is missing.
- Set Alert Status: New – Marks the alert as newly detected.
- Set Alert Status: Acknowledged – Confirms the alert has been reviewed.
- Set Alert Status: False Positive – Marks the alert as a non-threat.
- Set Alert Status: To Be Investigated – Flags the alert for further analysis.
- Set Alert Status: Closed – Marks the alert as resolved.
- Block IP – Adds the associated IP to the Active Blocked IPs list, preventing further activity.
Types of Alerts
All the viewable and searchable alerts generated by the application are summarized in the following table:
Alert IDS | Alert name | OS7 ID | OS7 Name |
---|---|---|---|
962a05b2-5045-4211-92a4-a5de6262aab6 | Connections | a) | Internal and external connections |
ef13ca1c-23e0-4f1a-a5a0-ebb16c7cb1d2 | Not available (available as a traffic definition, see the Traffic in OS7 called b) Internal and external data transfer) | b) | Internal and external data transfer |
75174f1f-07ae-4ea8-b511-ad699621a707 | Not available (available as a traffic definition, see the Traffic in OS7 called c) Active devices/connections in the internal/external network) | c) | Active devices/connections in the internal/external network |
87cbc8ed-71bd-4db2-8953-10986746f42f | DNSRequests | d) | Successful/failed DNS requests |
0d3c795e-776b-46a5-b033-8ba09d7b3345 | DNSRequests | d) Static | Excessive or unusual DNS requests detected, potentially indicating suspicious activity |
c22408ef-db68-4c13-95df-64f7e1d43fe6 | DNSTunnelingStatistically | d) Tunneling Statistics | Detection of potential DNS tunneling based on statistical analysis of DNS traffic patterns |
2ca3fa3e-6074-4b7d-8868-a6938ac61dea | DNSTunnelingPossible | d) Tunneling Possible | Indication of potential DNS tunneling activity based on observed anomalies in DNS traffic |
e5ae5d3b-5aa2-405a-ba59-0ba057a5d0ba | Not available (available as a traffic definition, see the Traffic in OS7 called e) DeviceOS) | e) | Operating system of the devices |
f73e2df8-6011-44e6-be34-05e578d1c098 | Not available (available as a traffic definition, see the Traffic in OS7 called f) ProxyServers) | f) | Identification of Proxy servers |
fcc307ff-a286-4bd4-a2fc-8b99f0a4c196 | FileTransfer | g) | Transfer of EXE/RAR files |
15dcf633-f961-4c2c-9d94-f84b7256ead5 | UnknownFileTransfer | h) | Transfer of files with unknown format/payload |
a16afd5d-bbed-4730-8258-1075496a4985 | CryptoMining | i) | Cryptocurrency mining activity |
cf1bb445-9630-4921-8837-d300e1a008ef | IOCIP | j) | Detection of network activity involving an IP address listed in threat intelligence as an Indicator of Compromise (IOC) |
7150af21-d1c5-430c-9b58-e940f744b0d4 | TOR | k) | Communications with the TOR network |
13f8a93f-cd38-4136-aaf3-0bf6340a4962 | DynDNS | l) | DynDNS (Dynamic DNS) DNS requests |
2ad43e79-414c-4753-a83c-38f0891b8faa | AddressScan | m) | Scanning network addresses |
d8c3a5cf-c4f3-49c4-a99f-bdbf77d6b15d | DeviceAbnormalBehaviour | n) | Abnormal behavior/abnormal activity/suspicious connections |
9aad86fc-124d-43a7-8249-5e19a5ff2a2c | TrafficDNS | o) | Anomalies in DNS server traffic |
f24a5b1a-b661-4b29-b062-b15492e8e4f4 | Not available (available as a traffic filter example, see the Traffic examples called Filter by connections that timed out at the beginning of flow, Filter by connections that timed out during data transfer and Filter by connections which are losing packets) | p) | Excessive loss of connections or packets |
8ee012c0-1f1b-4ae4-9895-59f90c4c8a2f | KerberosAnomaly | q) | Kerberos authentications |
4ca873a2-f801-4ba4-9a60-965f554dbb47 | LateralMovement | r) | Methods used by malware applications for lateral movement |
a55f31af-9577-48d9-83d9-7c92777042c8 | BruteForce | s) | Brute force attacks |
2d796141-7db3-4244-95c6-a4cdbab0d627 | Heartbleed | t) | Heartbleed attacks |
16a5b3cb-b5a4-4745-b56c-6980655594b9 | PortScan | u) | Port scanning |
b0b2b286-b701-401b-b770-36a4b1238734 | Not available (available as a traffic definition, see the Traffic in OS7 called v) Connecting to non-standard ports or compromising a legitimate port/port hijacking) | v) | Connecting to non-standard ports or compromising a legitimate port/port hijacking |
eed8454f-14f4-40de-a3c1-ca175ed451f8 | TrafficSMTP | w) | SMTP traffic monitoring |
75f382c5-463b-430d-84ab-da3bf1aaa779 | InvalidSSL | x) | Invalid SSL certificates |
75f382c5-463b-430d-84ab-da3bf1aaa780 | MISC | y) | IDS alerts |
5b2abae6-48f8-44ba-b176-9c9d4d228441 | External IDS Alert | | An alert triggered by an external Intrusion Detection System (IDS) indicating potentially malicious network activity |
86c4d52b-85ff-405f-a62d-c63312e059fe | Large HTTP File Transfer | | Detects unusually large file transfers over HTTP, which may indicate data exfiltration or unauthorized file sharing |
c19a870c-33ad-4094-ad42-569b154febd8 | Large File Upload from internal network | | Detects significant file uploads originating from the internal network, which may indicate potential data exfiltration or unauthorized data transfers |
7a4144f8-482d-4077-87d0-7ef318a4873a | TLS over non standard port | | Identifies encrypted TLS traffic running on uncommon ports, which may indicate evasion techniques or unauthorized secure communications |
80463441-7166-4890-b6de-34406facbc54 | Communication over non standard port | | Detects network traffic using uncommon ports, which may indicate bypassing security controls or suspicious activity |
229bef7d-d39c-44a0-91c3-e8749e0a38bc | Network Vulnerability Scan | | Identifies network scanning activities used to detect open ports, services, or vulnerabilities |
852747f3-c77b-46b1-9272-81244315d05f | IOCDomains | | Detects communication with domains listed as Indicators of Compromise (IOCs), which may be associated with malicious activity or known threats |
82f78f11-294f-495a-a29d-acfbf2dcc52c | DNS not in WhiteList | | Detects DNS queries to domains that are not included in the approved whitelist |
2daf3325-b873-46bf-a9e1-0f1567dc04c8 | Changed IP/MAC association | ARPspoofing | Detects anomalies in IP-to-MAC address mappings, indicating potential ARP spoofing attacks used for interception or redirection of network traffic |
ec9dc78c-31a8-488a-bdc9-e85ed30c7566 | High volume connections | | Identifies an unusually large number of connections from a single source, which may indicate scanning, brute-force attacks, or potential botnet activity |
d0e455b0-e7ac-4d44-9522-1179f054d853 | Mysql activity | | Detects database-related network traffic involving MySQL, which may indicate normal database operations or potential unauthorized access attempts |
a2a43553-560a-423d-b594-3ee45805ca4b | New Internal Device Detected | | Identifies the appearance of a previously unseen device within the internal network, which may indicate a new authorized device or a potential security risk |
0d724ba2-73f7-4dbd-80b3-1b877dcdeedc | New External Device Detected | | Identifies the connection of a previously unseen external device to the network, which may pose security risks |
709c9fc8-8823-4443-acc2-33ddca0d4e01 | Possible APTAlert | | Indicates potential Advanced Persistent Threat (APT) activity, suggesting highly targeted and persistent malicious behavior within the network |
54eaeb1c-06cf-4ebe-bf42-b678d0ddc46f | Volume alert | | Indicates an unusually high amount of network traffic, which may suggest data exfiltration, denial-of-service attempts, or other anomalous activities |
75388941-7233-4d04-a5ab-460e04c07bbc | Host traffic volume changed significantly | | Detects a notable increase or decrease in network traffic from a specific host, potentially indicating abnormal activity such as data exfiltration, malware communication, or operational disruptions |
bb527034-40df-4633-85bb-df03f98e3e57 | Significant internal to external traffic difference | | Detects an unusual disparity between internal and external network traffic, which may indicate data exfiltration, command and control activity, or other anomalous behavior |
a14aa710-259b-4773-bdc5-ac9dc92c39e5 | Historical IOC IP | | Flags communication with an IP address previously identified as an Indicator of Compromise (IOC) based on historical threat intelligence |
689c37a3-bbf7-47fe-ad70-42709b71d616 | Historical Tor Exit Node | | Detects communication with an IP address that was previously associated with a TOR exit node |
e18a8fa2-c4f1-415b-a07b-2dc57fae5db0 | Historical IOC Domain | | Flags communication with a domain previously identified as an Indicator of Compromise (IOC), suggesting potential malicious activity based on historical threat intelligence |
b7a799a8-eeef-4567-af29-559f7eb514dd | Slow Network Scan | | Detects a network scan occurring at a low rate over an extended period |
OS7 Object
The traffic _OS7 Object provides meta-information about the registered traffic. Several fields in this object describe special situations detected by static analysis methods.
Note that not all traffic records will contain all of the fields described next; a field that does not apply is simply missing.
The list of _OS7 Object Fields is:
Name | Data type | Definitions |
---|---|---|
isExternalTraffic | bool | TRUE if one of the source or destination IP addresses does not belong to the non-routable IP addresses. Default is: FALSE. |
isInternalTraffic | bool | TRUE if both of the source and destination IP addresses belong to the non-routable IP addresses. Default is: FALSE. |
isInternalTransfer | bool | (isInternalTraffic is TRUE) and (isFile is TRUE). Default is: FALSE. |
isExternalTransfer | bool | (isExternalTraffic is TRUE) and (isFile is TRUE). Default is: FALSE. |
direction | string | Possible values are "Internal to External Communication" and "External to Internal Communication", depending on whether the source and destination IP addresses are internal or external (as previously defined using the non-routable IP addresses). Default is: field is missing. |
s_IPClass | string | Source IP class, possible values are: "localhost", "broadcast", "any", "multicast", "Class A", "Class B", and "Class C". Default is: field is missing. |
d_IPClass | string | Destination IP class, possible values are: "localhost", "broadcast", "any", "multicast", "Class A", "Class B", and "Class C". Default is: field is missing. |
isDNSRequestSuccess | bool | TRUE if the packet is a successful DNS request, FALSE if the packet is an unsuccessful DNS request (any DNS error). Default is: (FALSE if isDNSRequest is TRUE) and (field is missing if isDNSRequest is FALSE). |
domainTLD | string | A Top-Level Domain (TLD) is the last part of a domain name that helps categorize websites, with options like .com |
isDNSTunnelling | bool | TRUE if the DNS request CNAME is larger than usual. Default is: FALSE. |
DNS_id | string | The DNS ID is a 16-bit identifier, also known as the Transaction ID or Query ID, used for security, query tracking and pairing requests with responses. |
CnameSize | int | DNS request canonical name character count. |
isLabelSizeAlert | bool | TRUE if the average DNS request label character count is greater than usual (40 characters). |
SrcOS | string | Source operating system identified by fingerprinting against the p0f fingerprint database. If the OS cannot be identified, the raw fingerprint is written instead. If not applicable, the field is missing. |
DestOS | string | Destination operating system identified by fingerprinting against the p0f fingerprint database. If the OS cannot be identified, the raw fingerprint is written instead. If not applicable, the field is missing. |
DNSRequestError | string | Field is missing if isDNSRequestSuccess is TRUE. Field contains the DNS request error message if isDNSRequestSuccess is FALSE. Default is: (field is missing) and (field is present only if isDNSRequest is TRUE and isDNSRequestSuccess is FALSE). |
isDNSRequest | bool | TRUE if packet is DNS request. Default is: FALSE |
isProxyTraffic | bool | TRUE if proxy protocol was identified by checking HTTP protocol and CONNECT method. Default is: FALSE. |
proxyDestinationHost | string | IP address of proxy destination. Default is: field is missing if isProxyTraffic is FALSE. |
proxyDestinationPort | integer | Port number of proxy destination. Default is: field is missing if isProxyTraffic is FALSE. |
proxyedIP | string | IP address to which the proxy request was made. Default is: field is missing if isProxyTraffic is FALSE. |
isFile | bool | True if file transfer was identified on download/upload (from header/content information, MIME type, etc.). Default is: FALSE. |
fileType | string | Identified file type (list contains: Rar Archive, JPEG2000 image files, GZIP archive file, 7-Zip compressed file, bzip2 compressed archive, GIF file, Mozilla archive, Microsoft-MSN MARC archive, MAr compressed archive, Windows dump file, Skype localization data file, TIFF file_3, TIFF file_4, VMware BIOS state file, Microsoft cabinet file, OneNote Package, Powerpoint Packaged Presentation, MS Access Snapshot Viewer file, OLE-SPSS-Visual C++ library file, Microsoft Windows Imaging Format, Sony Compressed Voice File, Windows-DOS executable file, Acrobat plug-in, MS C++ debugging symbols file, Visual Studio .NET file, Windows Media Player playlist, VMapSource GPS Waypoint Database, PGP disk image, PKZIP archive_1, ZLock Pro encrypted ZIP, PKZIP archive_2, PKZIP archive_3, WinRAR compressed archive, WinZip compressed archive, OpenEXR bitmap image, MacOS X image file, ELF executable, PNG image, PGP secret keyring_1, PGP secret keyring_2, PGP public keyring, OS X ABI Mach-O binary (32-bit), OS X ABI Mach-O binary (64-bit), Generic JPEG image file, JPEG-EXIF-SPIFF images, etc.). Default is: field is missing if isFile is FALSE. |
isUnknownFile | bool | TRUE if file type was not identified from FTP/HTTP/SMTP/MIME headers. Default is: FALSE. |
isCryptoMining | bool | TRUE if source or destination IP addresses belong to a list of known crypto mining sites (list is provided by user). Default is: FALSE. |
isTOR | bool | TRUE if source or destination IP addresses belong to a list of known TOR exit nodes (list is provided by user). Default is: FALSE. |
isDynamicDNSRequest | bool | TRUE if source or destination IP addresses belong to a list of known Dynamic DNS sites (list is provided by user). Default is: FALSE. |
isKerberos | bool | True if the Kerberos content is identified. Default is: FALSE. |
isICMP | bool | TRUE if ICMP REQUEST. Default is: FALSE. |
icmp_code | int | ICMP code, which provides additional information about the ICMP message within its type. Default is: field is missing if isICMP is FALSE. |
icmp_type | int | ICMP type, which identifies the general category or purpose of an ICMP message. Default is: field is missing if isICMP is FALSE. |
icmp_id | int | ICMP Identifier, a 16-bit identifier that helps match Echo Request messages with their corresponding Echo Reply messages. Default is: field is missing if isICMP is FALSE. |
icmp_seq | int | ICMP Sequence Number is a field used in ICMP Echo Request and ICMP Echo Reply messages (ping). Default is: field is missing if isICMP is FALSE. |
isSSL | bool | True if SSL protocol was identified. Default is: FALSE. |
SSLversion | string | Version number of SSL protocol. Default is: field is missing if isSSL is FALSE. |
isHeartBleedRequest | bool | Incorrect Heart Beat request from client (buffer dimension is different from requested bytes). Default is: FALSE. |
hasHeartBleedResponse | bool | A Heart Bleed response was detected following a Heart Bleed request. Default is: FALSE. |
clientRequestHeartbeatEnable | bool | Client sends Heart Beat request. Default is: FALSE. |
serverAcknowledgedHeartbeatRequest | bool | Server acknowledges Heart Beat request from client. Default is: FALSE. |
isNonStandard | int | Tristate: TRUE if communication ports do not match defaults (DNS port 53, TLS port 443, SSH port 22, SMTP port 25, Kerberos port 88, AMQP ports 5672 or 5671, HTTP ports 80, 8008, 8080 or 8088, HTTP proxy port 3128, etc.), FALSE if communication ports match defaults, field is missing if not applicable (if transfer protocol was not identified or standard port does not exist). Default is: field is missing. |
hasSSLCertificate | bool | SSL certificate was detected. Default is: FALSE and (field is missing if isSSL is FALSE). |
isCertificateError | bool | SSL certificate error is detected. Default is: FALSE and (field is missing if isSSL is FALSE). |
certificateInfo | string | SSL certificate information. Default is: field is missing if isSSL is FALSE. |
certificateErrorText | string | SSL certificate error text. Default is: field is missing if isSSL is FALSE. |
isDHCP | bool | TRUE if DHCP protocol detected. Default is: FALSE. |
isDHCPclient | bool | TRUE if source port is 68 and destination port is 67. Default is: FALSE. |
isDHCPserver | bool | TRUE if source port is 67 and destination port is 68. Default is: FALSE. |
DHCPXID | string | DHCP transaction ID. Default is: field is missing if isDHCP is FALSE. |
isSMTP | bool | TRUE if SMTP transfer. Default is: FALSE. |
ianaProtocol | string | Port string for IANA protocol (from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv with port less than 1025). Default: field is missing. |
isKnownProtocol | bool | TRUE if protocol/port pair correctly identified from IANA, and port less than 1025. Default is: FALSE. |
isDetectedFwProtocol | bool | TRUE if Layer 7 protocol detected, from source (connection initiator) to destination. Default is: FALSE. |
isDetectedRvProtocol | bool | TRUE if Layer 7 protocol detected, from destination to source (connection initiator). Default is: FALSE. |
detectedFwProtocol | string | Layer 7 detected protocol name. Default: missing if isDetectedFwProtocol is FALSE. |
detectedRvProtocol | string | Layer 7 detected protocol name. Default: missing if isDetectedRvProtocol is FALSE. |
hostnames | string array | All hostnames extracted from DNS requests or HTTP/SMTP header. Field is missing if no hostname is detected. |
emails | string array | All emails extracted from SMTP messages. Field is missing if no email is detected. |
domain | string | Domain extracted from HTTP header. Field is missing if no domain is detected. |
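The following is an added example, not code from the NETALERT application, showing how the derived _OS7 fields above (isInternalTraffic, isExternalTraffic, the transfer flags, direction, the IP class fields, the DHCP port-pair flags and the tristate isNonStandard) follow from one flow's addresses, ports and file flag. It assumes IPv4 only, that "non-routable" means the RFC 1918 private ranges (the page does not list them), that Class A/B/C is taken from the first octet, and that a port pair is non-standard only when neither port is a default for the identified protocol; a field the page defines as "missing" is simply absent from the returned dictionary.

```python
import ipaddress
from typing import Optional

# Default ports exactly as listed in the isNonStandard definition on this page.
STANDARD_PORTS = {
    "DNS": {53}, "TLS": {443}, "SSH": {22}, "SMTP": {25}, "Kerberos": {88},
    "AMQP": {5671, 5672}, "HTTP": {80, 8008, 8080, 8088}, "HTTP proxy": {3128},
}

# Assumption: "non-routable IP addresses" are the RFC 1918 private ranges.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_non_routable(ip: str) -> bool:
    """True when the address falls inside one of the assumed private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def ip_class(ip: str) -> str:
    """s_IPClass / d_IPClass value using the labels listed on the page.
    Special addresses are checked first; classful ranges (an assumption) by first octet."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("example handles IPv4 only")
    if addr.is_loopback:
        return "localhost"
    if ip == "255.255.255.255":
        return "broadcast"
    if ip == "0.0.0.0":
        return "any"
    if addr.is_multicast:
        return "multicast"
    first = int(ip.split(".")[0])
    if first < 128:
        return "Class A"
    if first < 192:
        return "Class B"
    return "Class C"  # assumption: 192-223 (the page lists no label beyond Class C)


def derive_os7_fields(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                      is_file: bool = False, protocol: Optional[str] = None) -> dict:
    """Build the subset of _OS7 fields that can be derived from one flow record."""
    fields = {}
    src_int, dst_int = is_non_routable(src_ip), is_non_routable(dst_ip)
    # isInternalTraffic: both ends non-routable; isExternalTraffic: at least one is not.
    fields["isInternalTraffic"] = src_int and dst_int
    fields["isExternalTraffic"] = not (src_int and dst_int)
    fields["isInternalTransfer"] = fields["isInternalTraffic"] and is_file
    fields["isExternalTransfer"] = fields["isExternalTraffic"] and is_file
    # direction exists only when exactly one end is internal.
    if src_int and not dst_int:
        fields["direction"] = "Internal to External Communication"
    elif dst_int and not src_int:
        fields["direction"] = "External to Internal Communication"
    fields["s_IPClass"] = ip_class(src_ip)
    fields["d_IPClass"] = ip_class(dst_ip)
    # DHCP flags from the 68/67 port pair; isDHCP derived from them is an assumption.
    fields["isDHCPclient"] = (src_port, dst_port) == (68, 67)
    fields["isDHCPserver"] = (src_port, dst_port) == (67, 68)
    fields["isDHCP"] = fields["isDHCPclient"] or fields["isDHCPserver"]
    # Tristate isNonStandard: missing unless the protocol is identified and has defaults.
    if protocol in STANDARD_PORTS:
        defaults = STANDARD_PORTS[protocol]
        fields["isNonStandard"] = src_port not in defaults and dst_port not in defaults
    return fields


if __name__ == "__main__":
    # Constructed sample flows: an internal host uploading a file over TLS on 8443,
    # and a DHCP DISCOVER from an unconfigured client.
    print(derive_os7_fields("192.168.1.10", "93.184.216.34", 51234, 8443, is_file=True, protocol="TLS"))
    print(derive_os7_fields("0.0.0.0", "255.255.255.255", 68, 67))
```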
How to use the alert fields
The tags Alert ID and Alert Name can be used to filter alerts. The following section explains how to apply these properties to filter the alerts.