Noafr
Here's an example of a task start event (some information was removed). As part of this event, we are also reporting the process that caused this task to be executed...
Thank you - I've been told the "severity" column is just a reflection of the severity id (e.g. "Low", "Critical" etc.).
Why Malware object? Not all events are classified as malware. Why not add the raw_score (I'd vote for ref_score) to the base event?
Example (most values were intentionally removed):

```
{ "Alert_Level": 15, "src-ip": "", "mitre_tactic": [ "Discovery" ], "reference_id": "", "src-port": , "src_ep_guid": "", "ep_aid": "0", "subscriberId": "", "Details": "Multiple AD Queries...
```
@davaya Wouldn't you expect a user to be able to query for the MITRE tactic id = 'X'? Presenting a MITRE ID without providing the associated tactic name doesn't make...