Events
The Mentat system uses the IDEA message format to represent security events it handles. It is a JSON based text format designed to be both readable by humans and easy to process by machines.
Custom data attributes
The Mentat system adds several custom data attributes to official IDEA
message format. All these new data attributes are contained within the _Mentat
data attribute.
Classification
Key name:
EventClassDatatype:
string
Classification is an internal feature similar to Category. It attempts to
classify events with different syntax and/or from different detectors, that
represent same class of event. For example bruteforce attack to SSH daemon can
be detected both by some kind of network analyzer, or by some kind of local agent
inspecting log files. Both of these detectors can report the event, but the
contents of the event will be different due to the different nature of the detectors.
Classification is calculated by the classification instance of mentat-inspector.py using predefined but customizable set of rules.
The main goal of the classification attempts is to group events of the same kind to be later processed
Severity
Key name:
EventSeverityDatatype:
enum (low|medium|high|critical)
Resolved abuses
Key name:
ResolvedAbusesDatatype:
list of string
Source countries (ASNs)
Key name:
SourceResolvedCountryDatatype:
list of string