A trigger of a security rule was recorded on a security product or program
| Parameter | Value |
|---|---|
| Subject | rule |
| Activity | trigger |
| Activity Type | rule-trigger |
| Pretty Name | Rule Trigger |
The possible fields for this activity type vary depending on whether the activity was a success or a fail. The first table lists the fields for a success; the second lists the fields for a fail, which adds `failure_code` and `failure_reason` and drops the local-asset and local-zone fields. A check mark in the Core column means the field belongs to the core set for that outcome.

Fields when the activity was a success:

| Field | Core | Detection | Informational |
|---|---|---|---|
| observed_activity | ✓ | ||
| event_field | ✓ | ||
| local_user_name | |||
| rule | ✓ | ||
| technique | ✓ | ||
| rules | ✓ | ||
| rule_usecases | ✓ | ||
| type | ✓ | ||
| src_local_host | ✓ | ||
| tactic | ✓ | ||
| src_ip | ✓ | ||
| subscription_code | ✓ | ||
| src_product | ✓ | ||
| trigger_time | ✓ | ||
| field_value | ✓ | ||
| src_vendor | ✓ | ||
| dest_local_zone | ✓ | ||
| event_filter | ✓ | ||
| create_case | ✓ | ||
| rule_severity | ✓ | ||
| rule_source | ✓ | ||
| entity_key | ✓ | ||
| recoverability | ✓ | ||
| risk_score | ✓ | ||
| dest_local_host | ✓ | ||
| previous_id | ✓ | ||
| event_to_time_millis | ✓ | ||
| src_host | ✓ | ||
| case_description | ✓ | ||
| log_time | ✓ | ||
| event_url | ✓ | ||
| tactic_key | ✓ | ||
| technique_key | ✓ | ||
| event_id | ✓ | ||
| entity_type | ✓ | ||
| rule_reason | ✓ | ||
| entities | ✓ | ||
| dest_ip | ✓ | ||
| local_zone | ✓ | ||
| event_from_time_millis | ✓ | ||
| src_local_zone | ✓ | ||
| dest_host | ✓ | ||
| local_asset | ✓ | ||
| mitre_labels | ✓ | ||
| asset_labels | ✓ | ||
| user | ✓ | ||
| event_time | ✓ | ||

Fields when the activity was a fail:

| Field | Core | Detection | Informational |
|---|---|---|---|
| observed_activity | ✓ | ||
| event_field | ✓ | ||
| local_user_name | |||
| rule | ✓ | ||
| technique | ✓ | ||
| rules | ✓ | ||
| rule_usecases | ✓ | ||
| type | ✓ | ||
| tactic | ✓ | ||
| src_ip | ✓ | ||
| subscription_code | ✓ | ||
| src_product | ✓ | ||
| trigger_time | ✓ | ||
| src_vendor | ✓ | ||
| event_filter | ✓ | ||
| create_case | ✓ | ||
| rule_severity | ✓ | ||
| rule_source | ✓ | ||
| failure_code | ✓ | ||
| entity_key | ✓ | ||
| recoverability | ✓ | ||
| risk_score | ✓ | ||
| previous_id | ✓ | ||
| event_to_time_millis | ✓ | ||
| src_host | ✓ | ||
| failure_reason | ✓ | ||
| case_description | ✓ | ||
| log_time | ✓ | ||
| event_url | ✓ | ||
| tactic_key | ✓ | ||
| technique_key | ✓ | ||
| event_id | ✓ | ||
| entity_type | ✓ | ||
| rule_reason | ✓ | ||
| entities | ✓ | ||
| dest_ip | ✓ | ||
| event_from_time_millis | ✓ | ||
| dest_host | ✓ | ||
| mitre_labels | ✓ | ||
| asset_labels | ✓ | ||
| user | ✓ | ||
| event_time | ✓ | ||
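As an added example (this is not Exabeam's own code), the following Python conformance check encodes the two Core field lists above and reports, for a rule-trigger record and its outcome, which Core fields are missing and which fields the tables do not define for that outcome. It assumes the record is a flat dictionary, that the caller already knows whether the trigger was a success or a fail, and that an empty string counts as a missing value; the sample records are constructed placeholder data, and the rule and tactic names in them are hypothetical.

```python
"""Conformance check for rule-trigger records against the Core field tables.

Added example, not Exabeam's code. Assumptions: a record is a flat dict, the
caller supplies the outcome ("success" or "fail"), and an empty string is
treated as a missing value.
"""
from __future__ import annotations

# Core fields that appear in both the success table and the fail table.
COMMON_CORE = frozenset({
    "observed_activity", "event_field", "rule", "technique", "rules",
    "rule_usecases", "type", "tactic", "src_ip", "subscription_code",
    "src_product", "trigger_time", "src_vendor", "event_filter",
    "create_case", "rule_severity", "rule_source", "entity_key",
    "recoverability", "risk_score", "previous_id", "event_to_time_millis",
    "src_host", "case_description", "log_time", "event_url", "tactic_key",
    "technique_key", "event_id", "entity_type", "rule_reason", "entities",
    "dest_ip", "event_from_time_millis", "dest_host", "mitre_labels",
    "asset_labels", "user", "event_time",
})
# Core fields that appear only in the success table.
SUCCESS_ONLY_CORE = frozenset({
    "src_local_host", "field_value", "dest_local_zone", "dest_local_host",
    "local_zone", "src_local_zone", "local_asset",
})
# Core fields that appear only in the fail table.
FAIL_ONLY_CORE = frozenset({"failure_code", "failure_reason"})
# Listed in both tables without a Core mark: allowed but not required.
OPTIONAL = frozenset({"local_user_name"})


def core_fields(outcome: str) -> frozenset[str]:
    """Return the Core field set for "success" or "fail"."""
    if outcome == "success":
        return COMMON_CORE | SUCCESS_ONLY_CORE
    if outcome == "fail":
        return COMMON_CORE | FAIL_ONLY_CORE
    raise ValueError(f"unknown outcome: {outcome!r}")


def validate(record: dict, outcome: str) -> dict[str, list[str]]:
    """Check one record against the field list for its outcome.

    Returns sorted lists of Core fields that are absent or empty ("missing")
    and of fields the tables do not define for that outcome ("unexpected").
    A conforming record yields two empty lists.
    """
    expected = core_fields(outcome)
    allowed = expected | OPTIONAL
    missing = sorted(f for f in expected if record.get(f) in (None, ""))
    unexpected = sorted(f for f in record if f not in allowed)
    return {"missing": missing, "unexpected": unexpected}


def sample_success() -> dict:
    """Constructed success record with every success Core field populated."""
    rec = {f: "sample" for f in core_fields("success")}
    rec.update({
        "rule": "hypothetical-brute-force-rule",  # hypothetical rule name
        "tactic": "Credential Access",
        "technique": "Brute Force",
        "event_from_time_millis": 1700000000000,
        "event_to_time_millis": 1700000300000,
        "risk_score": 42,
        "create_case": False,  # a real False is a value, not a gap
        "local_user_name": "jdoe",  # optional field, allowed on both outcomes
    })
    return rec


def sample_fail() -> dict:
    """Constructed fail record with two deliberate defects.

    It omits failure_reason (a fail Core field) and carries src_local_zone,
    which the fail table does not define.
    """
    rec = {f: "sample" for f in COMMON_CORE}
    rec["failure_code"] = "RULE_EVAL_TIMEOUT"  # hypothetical code
    rec["src_local_zone"] = "corp-dmz"
    return rec


if __name__ == "__main__":
    print("success record:", validate(sample_success(), "success"))
    print("fail record:   ", validate(sample_fail(), "fail"))
```

Running the block prints an empty result for the constructed success record and, for the constructed fail record, `failure_reason` as missing and `src_local_zone` as unexpected; validating the same fail record as a success instead flags `failure_code` as unexpected and the seven success-only fields as missing, which is the practical reason to decide the outcome before choosing a field list.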