Events
The Mentat system uses the IDEA message format to represent the security events it handles. It is a JSON-based text format designed to be both readable by humans and easy to process by machines.
Custom data attributes
The Mentat system adds several custom data attributes to the official IDEA message format. All of these new data attributes are contained within the _Mentat data attribute.
Classification
Key name: EventClass
Datatype: string
Classification is an internal feature similar to Category. It attempts to classify events that have different syntax and/or come from different detectors but represent the same class of event. For example, a brute-force attack on an SSH daemon can be detected both by some kind of network analyzer and by some kind of local agent inspecting log files. Both detectors can report the event, but the contents of the two events will differ because of the different nature of the detectors.
Classification is calculated by the classification instance of mentat-inspector.py using a predefined but customizable set of rules.
The main goal of classification is to group events of the same kind for later processing.
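An added example (not Mentat's own code) of the classification idea described above: two constructed IDEA messages describing the same SSH brute-force, one shaped like a flow analyzer's report and one like a log agent's, are mapped by a hypothetical rule to a single `_Mentat.EventClass` and then grouped by that class. The rule, the class name `attempt-login-ssh`, the node names and the sample addresses are assumptions made for this example.

```python
import json

SEVERITIES = ("low", "medium", "high", "critical")  # EventSeverity enum from the page

# Constructed sample IDEA messages (not from the Mentat project): the same
# SSH brute-force attempt as seen by a flow analyzer and by a log agent.
NETWORK_EVENT = {
    "Format": "IDEA0", "ID": "example-net-0001", "Category": ["Attempt.Login"],
    "Node": [{"Name": "org.example.flow-analyzer", "Type": ["Flow", "Statistical"]}],
    "Source": [{"IP4": ["192.0.2.10"]}],
    "Target": [{"IP4": ["198.51.100.5"], "Proto": ["tcp", "ssh"], "Port": [22]}],
}
LOG_EVENT = {
    "Format": "IDEA0", "ID": "example-log-0001", "Category": ["Attempt.Login"],
    "Node": [{"Name": "org.example.sshd-log-agent", "Type": ["Log"]}],
    "Source": [{"IP4": ["192.0.2.10"]}],
    "Target": [{"IP4": ["198.51.100.5"], "Proto": ["ssh"]}],  # log agent knows no port
}
SCAN_EVENT = {"Format": "IDEA0", "ID": "example-scan-0001", "Category": ["Recon.Scanning"]}

def _is_ssh_login(event):
    """Match login attempts whose target speaks SSH, whichever field the detector filled in."""
    if "Attempt.Login" not in event.get("Category", []):
        return False
    return any("ssh" in t.get("Proto", []) or 22 in t.get("Port", [])
               for t in event.get("Target", []))

# Hypothetical rule set: (predicate, EventClass, EventSeverity); the first match wins.
# The class name and severity are assumptions, not Mentat's shipped rules.
RULES = [(_is_ssh_login, "attempt-login-ssh", "medium")]

def classify(event, rules=RULES):
    """Return a copy of `event` with _Mentat.EventClass/EventSeverity set by the first matching rule."""
    result = json.loads(json.dumps(event))  # deep copy; the input message is left untouched
    for predicate, event_class, severity in rules:
        if predicate(result):
            if severity not in SEVERITIES:
                raise ValueError(f"invalid EventSeverity {severity!r}")
            mentat = result.setdefault("_Mentat", {})  # all custom attributes live here
            mentat["EventClass"] = event_class
            mentat["EventSeverity"] = severity
            break
    return result

def group_by_class(events):
    """Group classified events by _Mentat.EventClass; unclassified ones land under None."""
    groups = {}
    for ev in events:
        groups.setdefault(ev.get("_Mentat", {}).get("EventClass"), []).append(ev["ID"])
    return groups
```

Both SSH reports end up under the same class even though one carries a port and the other only a protocol name, while the scan stays unclassified.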
Severity
Key name: EventSeverity
Datatype: enum (low|medium|high|critical)
Resolved abuses
Key name: ResolvedAbuses
Datatype: list of string
Source countries (ASNs)
Key name: SourceResolvedCountry
Datatype: list of string