Events

The Mentat system uses the IDEA message format to represent the security events it handles. It is a JSON-based text format designed to be both readable by humans and easy to process by machines.

Custom data attributes

The Mentat system adds several custom data attributes to the official IDEA message format. All these new data attributes are contained within the _Mentat data attribute (IDEA reserves keys beginning with an underscore for such local extensions, so they cannot collide with official keys).

Classification

  • Key name: EventClass

  • Datatype: string

Classification is an internal feature similar to Category. It attempts to classify events that have different syntax and/or come from different detectors but represent the same class of event. For example, a brute-force attack on an SSH daemon can be detected both by some kind of network analyzer and by some kind of local agent inspecting log files. Both detectors can report the event, but the contents of the event will differ because of the different nature of the detectors.

Classification is calculated by the classification instance of mentat-inspector.py using a predefined but customizable set of rules.

The main goal of the classification attempts is to group events of the same kind to be later processed

Severity

  • Key name: EventSeverity

  • Datatype: enum (low|medium|high|critical)

Resolved abuses

  • Key name: ResolvedAbuses

  • Datatype: list of string

Source autonomous systems (ASNs)

  • Key name: SourceResolvedASN

  • Datatype: list of integer

Source countries

  • Key name: SourceResolvedCountry

  • Datatype: list of string
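
The following is an added worked example, not code from Mentat itself, showing the two mechanisms described above: rule-based classification of two differently shaped IDEA events (a flow-analyzer event and a host log-agent event, both constructed here) into one EventClass, and a check that a finished _Mentat block matches the datatypes listed above. The rules, the EventClass names and the helper names are hypothetical; the real rule syntax of mentat-inspector.py is not shown on this page, and the abuse contacts, ASNs and country codes are passed in as constructed values rather than resolved.

```python
"""Added example: deriving and validating Mentat's _Mentat attributes (not Mentat's own code)."""
import json

# Constructed sample IDEA events (not real detector output). Both describe an SSH brute-force
# attempt against the same target, but their shapes differ with the detector that produced them.
FLOW_EVENT = {
    "Format": "IDEA0",
    "ID": "example-flow-1",
    "DetectTime": "2024-03-02T10:00:00Z",
    "Category": ["Attempt.Login"],
    "Source": [{"IP4": ["203.0.113.9"]}],
    "Target": [{"IP4": ["198.51.100.7"], "Proto": ["tcp", "ssh"], "Port": [22]}],
    "Node": [{"Name": "org.example.flowprobe", "Type": ["Flow", "Statistical"]}],
}
LOG_EVENT = {
    "Format": "IDEA0",
    "ID": "example-log-1",
    "DetectTime": "2024-03-02T10:00:05Z",
    "Category": ["Attempt.Login"],
    "Source": [{"IP4": ["203.0.113.9"], "Hostname": ["scanner.example"]}],
    "Target": [{"IP4": ["198.51.100.7"], "Port": [22]}],  # host agent: knows the port, not Proto
    "Node": [{"Name": "org.example.sshd-log-agent", "Type": ["Log"]}],
    "Note": "sshd: 37 failed logins for root within 60s",
}

# Hypothetical classification rules (assumed syntax; mentat-inspector.py's real rules are not
# shown on the page). Most specific first; the first rule that matches wins. A rule matches
# when one of the event's Category values equals "category" and, if the rule names protocols
# or ports, at least one Target entry carries one of them.
RULES = [
    {"class": "attempt-login-ssh", "category": "Attempt.Login", "proto": {"ssh"}, "port": {22}},
    {"class": "attempt-login-rdp", "category": "Attempt.Login", "proto": {"rdp"}, "port": {3389}},
    {"class": "attempt-login", "category": "Attempt.Login"},
    {"class": "recon-scanning", "category": "Recon.Scanning"},
]

SEVERITIES = ("low", "medium", "high", "critical")  # EventSeverity enum from the page


def _target_protos(event):
    return {p.lower() for t in event.get("Target", []) for p in t.get("Proto", [])}


def _target_ports(event):
    return {p for t in event.get("Target", []) for p in t.get("Port", [])}


def classify(event):
    """Return the EventClass for an IDEA event, or None when no rule matches."""
    cats = set(event.get("Category", []))
    protos, ports = _target_protos(event), _target_ports(event)
    for rule in RULES:
        if rule["category"] not in cats:
            continue
        if "proto" in rule or "port" in rule:
            if not (protos & rule.get("proto", set()) or ports & rule.get("port", set())):
                continue
        return rule["class"]
    return None


def _is_list_of(value, typ):
    # bool is a subclass of int in Python, so reject it explicitly for the ASN list.
    return isinstance(value, list) and all(
        isinstance(v, typ) and not isinstance(v, bool) for v in value)


def validate_mentat(mentat):
    """Return a list of problems; empty means the block matches the documented datatypes."""
    problems = []
    if "EventClass" in mentat and not isinstance(mentat["EventClass"], str):
        problems.append("EventClass must be a string")
    if "EventSeverity" in mentat and mentat["EventSeverity"] not in SEVERITIES:
        problems.append("EventSeverity must be one of " + "|".join(SEVERITIES))
    for key, typ in (("ResolvedAbuses", str), ("SourceResolvedASN", int),
                     ("SourceResolvedCountry", str)):
        if key in mentat and not _is_list_of(mentat[key], typ):
            problems.append(f"{key} must be a list of {typ.__name__}")
    return problems


def enrich(event, severity, abuses, asns, countries):
    """Return a copy of the event with a validated _Mentat block attached (hypothetical helper).
    Abuse contacts, ASNs and countries are supplied by the caller here; Mentat resolves them
    itself, which this page does not describe."""
    mentat = {"EventSeverity": severity, "ResolvedAbuses": abuses,
              "SourceResolvedASN": asns, "SourceResolvedCountry": countries}
    event_class = classify(event)
    if event_class is not None:
        mentat["EventClass"] = event_class
    problems = validate_mentat(mentat)
    if problems:
        raise ValueError("; ".join(problems))
    return {**event, "_Mentat": mentat}


if __name__ == "__main__":
    for ev in (FLOW_EVENT, LOG_EVENT):
        out = enrich(ev, "medium", ["abuse@example.net"], [64496], ["CZ"])
        print(ev["Node"][0]["Name"], "->", out["_Mentat"]["EventClass"])
    print(json.dumps(enrich(FLOW_EVENT, "high", [], [64496], ["CZ"])["_Mentat"], indent=2))
```

Both constructed events end up with the same EventClass even though only the flow event carries a Proto list, which is the grouping the classification feature is meant to achieve. The validation step is deliberately strict about Python's bool/int overlap so that a stray boolean can never pass as an ASN.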

Storage time