# Turbine Schema Reference (AI SOC)
Turbine Schema was formerly known as Turbine Extensible Data Schema, or TEDS.

This document describes the Turbine Schema objects used by the AI SOC solution.

- For general concepts, best practices, and troubleshooting, see docid:tojmk0bspocoe9u12tt5m.
- For additional Turbine Schema objects used across solutions (Observable, Enrichment, File, File Hash, Header, MIME Part, Detection Rule, Attack, Tactic, Technique, Status, Error, Content, User, and Cloud Storage Query Input), see docid:i0yap22xufzu9tbegkare.
- For AI SOC interface contracts (Alert to Alert, Alert Search Params, Email Search Params, and Alert Triage Ingestion), see docid:5ply7fiylfuyiniusllcy.

## Alert Object

The AI SOC Alert object captures security events and incidents from SIEM, XDR, and EDR systems. It includes fields for alert identification, severity and priority, host and user context, MITRE ATT&CK and D3FEND mappings, observables, and supporting evidence.

| Name | Key | Type | Requirement | Description |
|---|---|---|---|---|
| Alert UID | `alert_uid` | String | Required | Unique identifier for the alert |
| Title | `alert_title` | String | Recommended | Name or title of the alert |
| Description | `alert_description` | String | Recommended | Brief summary of the alert, detailing the nature and significance of the event |
| Severity | `alert_severity` | String | Recommended | Alert severity level (for example, high, medium, low) |
| Priority | `alert_priority` | String | Optional | Alert priority, distinct from severity, used for triage ordering |
| Category | `alert_categories` | String Array | Optional | Classification of the alert (for example, "phishing", "malware", "unauthorized access") |
| Created Timestamp | `alert_created_timestamp` | DateTime | Recommended | Date and time when the alert was first generated |
| Start Timestamp | `alert_start_timestamp` | DateTime | Recommended | When the triggering activity began |
| End Timestamp | `alert_end_timestamp` | DateTime | Recommended | When the triggering activity ended |
| Ingested Timestamp | `alert_ingested_timestamp` | DateTime | Recommended | When the alert was ingested into the system |
| Provider | `alert_provider` | String | Optional | Tool or service that generated the alert |
| Organization | `alert_organization` | String | Optional | Organization impacted by the alert |
| Organization ID | `alert_organization_id` | String | Optional | Unique identifier for the impacted organization |
| Permalink | `alert_permalink` | String | Optional | Direct link to the alert in the source system |
| Risk Score | `alert_risk_score` | Integer | Optional | Risk score as determined by the alerting system |
| Detection Rules | `alert_rules` | Detection Rule Array | Recommended | Rules that triggered the alert |
| MITRE ATT&CK Tactic/Technique | `alert_mitre_attack_tactic_technique` | Attack Array | Optional | MITRE ATT&CK tactics and techniques associated with the alert |
| MITRE D3FEND Techniques | `mitre_d3fend_techniques` | String Array | Optional | MITRE D3FEND defensive techniques applicable to the alert |
| Impacted Hostnames | `alert_impacted_hostnames` | String Array | Optional | Hostnames of devices affected by the alert |
| Impacted IP Addresses | `alert_impacted_ip_addresses` | IP Address Array | Optional | IP addresses associated with impacted devices |
| Impacted Usernames | `alert_impacted_usernames` | String Array | Optional | Usernames of users impacted by the alert |
| Host ID | `alert_host_id` | String | Optional | Unique identifier of the affected host |
| Host Criticality | `alert_host_criticality` | String | Optional | Criticality level of the affected host (for example, critical, high, medium, low) |
| Host Data Raw | `alert_host_data_raw` | String | Optional | Raw host data from the alerting system |
| User Data Raw | `alert_user_data_raw` | String | Optional | Raw user data from the alerting system |
| Command Line Commands | `alert_command_line_commands` | String | Optional | Command line commands associated with the alert activity |
| Supporting Evidence | `alert_supporting_evidence` | String | Optional | Additional evidence supporting the alert determination |
| Entities | `alert_entities` | Object Array | Optional | Structured entities associated with the alert (for example, processes, registry keys, network connections) |
| Originating Files | `alert_originating_files` | File Array | Optional | Files involved in the alert |
| Observables | `observables` | Observable Array | Recommended | Indicators of compromise (IOCs) linked to the alert |
| Raw Alert | `raw_alert` | JSON | Required | Raw JSON format of the alert as received from the source |

### Alert Object Example

```json
{
  "alert_uid": "crowdstrike-detection-20260115-001234",
  "alert_title": "Suspicious PowerShell Execution Detected",
  "alert_description": "PowerShell script executed with encoded commands on host workstation-01",
  "alert_severity": "high",
  "alert_priority": "P1",
  "alert_created_timestamp": "2026-01-15T10:30:00Z",
  "alert_start_timestamp": "2026-01-15T10:28:15Z",
  "alert_end_timestamp": "2026-01-15T10:30:00Z",
  "alert_ingested_timestamp": "2026-01-15T10:30:05Z",
  "alert_provider": "CrowdStrike Falcon",
  "alert_organization": "Acme Corporation",
  "alert_organization_id": "org-acme-001",
  "alert_categories": ["malware", "execution"],
  "alert_impacted_hostnames": ["workstation-01"],
  "alert_impacted_ip_addresses": ["192.168.1.100"],
  "alert_impacted_usernames": ["jdoe"],
  "alert_host_id": "host-abc123",
  "alert_host_criticality": "high",
  "alert_host_data_raw": "{\"os\": \"Windows 11\", \"agent_version\": \"7.04\"}",
  "alert_user_data_raw": "{\"department\": \"Engineering\", \"role\": \"Developer\"}",
  "alert_command_line_commands": "powershell.exe -EncodedCommand SQBuAHYAbwBrAGU...",
  "alert_supporting_evidence": "Process tree analysis shows parent cmd.exe spawned by suspicious macro in document.docx",
  "alert_entities": [
    {
      "entity_type": "process",
      "entity_name": "powershell.exe",
      "entity_id": "pid-4521"
    }
  ],
  "alert_risk_score": 85,
  "alert_permalink": "https://falcon.crowdstrike.com/detections/001234",
  "alert_rules": [
    {
      "rule_id": "cs-det-001",
      "rule_name": "Suspicious PowerShell Execution",
      "rule_description": "Detects PowerShell execution with Base64 encoded commands",
      "rule_type": "behavioral"
    }
  ],
  "alert_mitre_attack_tactic_technique": [
    {
      "tactics": [
        { "uid": "TA0002", "name": "Execution" }
      ],
      "technique": { "uid": "T1059.001", "name": "PowerShell" },
      "version": "14.1"
    }
  ],
  "mitre_d3fend_techniques": ["D3-PSA", "D3-SEA"],
  "observables": [
    {
      "observable_type": "sha256",
      "observable_value": "a3b5c7d9e1f2a3b5c7d9e1f2a3b5c7d9e1f2a3b5c7d9e1f2a3b5c7d9e1f2a3b5"
    }
  ],
  "raw_alert": {
    "detection_id": "ldt:abc123:456",
    "severity": 85,
    "tactic": "Execution",
    "technique": "PowerShell"
  }
}
```

## Email Object

The AI SOC Email object captures email metadata for phishing triage and email-based threat analysis. It includes fields for message content, recipients, email authentication (SPF, DMARC, DKIM), sender analysis, and MITRE D3FEND mappings.

| Name | Key | Type | Requirement | Description |
|---|---|---|---|---|
| Message ID | `email_message_id` | String | Required | The Message-ID header value |
| From Address | `email_from_address` | Email Address | Required | Email address in the From header |
| To Addresses | `email_to_addresses` | Email Address Array | Required | Email recipients in the To header |
| CC Addresses | `email_cc_addresses` | Email Address Array | Optional | CC recipients |
| BCC Addresses | `email_bcc_addresses` | Email Address Array | Optional | BCC recipients |
| Reply-To Addresses | `email_reply_to_addresses` | Email Address Array | Optional | Reply-To addresses |
| Subject | `email_subject` | String | Recommended | The Subject header |
| Body | `email_body` | String | Recommended | Email body (HTML version if available, otherwise text) |
| HTML Body | `email_html_body` | String | Optional | HTML part of the email |
| Text Body | `email_text_body` | String | Optional | Plain text part of the email |
| Origination Timestamp | `email_origination_timestamp` | DateTime | Required | Time from the Date header when the email was sent |
| Delivery Timestamp | `email_delivery_timestamp` | DateTime | Optional | Delivery time of the email |
| Organization | `email_organization` | String | Optional | Recipient organization |
| Headers | `email_headers` | Header Array | Optional | All email headers as key/value pairs |
| MIME Parts | `email_mime_parts` | MIME Part Array | Optional | Non-multipart MIME parts of the email |
| SPF Check | `email_spf_check` | String | Optional | SPF (Sender Policy Framework) authentication check result (for example, "pass", "fail", "softfail") |
| SPF Results | `email_spf_results` | String | Optional | Detailed SPF check results |
| DMARC Check | `email_dmarc_check` | String | Optional | DMARC (Domain-based Message Authentication) check result |
| DMARC Results | `email_dmarc_results` | String | Optional | Detailed DMARC check results |
| DKIM Check | `email_dkim_check` | String | Optional | DKIM (DomainKeys Identified Mail) authentication check result |
| DKIM Results | `email_dkim_results` | String | Optional | Detailed DKIM check results |
| Return Path | `email_return_path` | String | Optional | Email Return-Path header value |
| MTA | `email_mta` | String | Optional | Mail transfer agent that handled the email |
| Sender | `email_sender` | String | Optional | Sender identity (may differ from the From address) |
| Sender Domain | `email_sender_domain` | String | Optional | Domain of the sender |
| Sender IP | `email_sender_ip` | String | Optional | IP address of the sending mail server |
| Top Level Content Type | `email_top_level_content_type` | String | Optional | Top-level MIME content type of the email (for example, "multipart/mixed") |
| Additional Information | `email_additional_information` | String | Optional | Additional context or information about the email |
| MITRE D3FEND Techniques | `mitre_d3fend_techniques` | String Array | Optional | MITRE D3FEND defensive techniques applicable to this email |
| Observables | `observables` | Observable Array | Recommended | Indicators of compromise within the email |
| Raw Email | `raw_email` | String | Recommended | Raw email content as received by the server |

### Email Object Example

```json
{
  "email_message_id": "<cae1234567890@mail.example.com>",
  "email_from_address": "attacker@malicious-domain.com",
  "email_to_addresses": ["user@example.com"],
  "email_cc_addresses": [],
  "email_bcc_addresses": [],
  "email_reply_to_addresses": ["noreply@malicious-domain.com"],
  "email_subject": "Urgent action required on your account",
  "email_body": "<html><body>Click here to verify your account.</body></html>",
  "email_html_body": "<html><body>Click here to verify your account.</body></html>",
  "email_text_body": "Click here to verify your account: http://phishing-site.com/verify",
  "email_origination_timestamp": "2026-01-15T09:00:00Z",
  "email_delivery_timestamp": "2026-01-15T09:00:15Z",
  "email_organization": "Example Corp",
  "email_spf_check": "fail",
  "email_spf_results": "v=spf1 -all; sender 203.0.113.1 not permitted",
  "email_dmarc_check": "fail",
  "email_dmarc_results": "p=reject; dkim=fail; spf=fail",
  "email_dkim_check": "fail",
  "email_dkim_results": "signature verification failed",
  "email_return_path": "bounce@malicious-domain.com",
  "email_mta": "mail.malicious-domain.com",
  "email_sender": "attacker@malicious-domain.com",
  "email_sender_domain": "malicious-domain.com",
  "email_sender_ip": "203.0.113.1",
  "email_top_level_content_type": "multipart/mixed",
  "email_additional_information": "Email flagged by gateway filter for suspicious URL patterns",
  "mitre_d3fend_techniques": ["D3-MFA", "D3-EAL"],
  "email_headers": [
    {
      "header_key": "Received",
      "header_value": "from mail.malicious-domain.com ([203.0.113.1])"
    },
    {
      "header_key": "Authentication-Results",
      "header_value": "spf=fail; dkim=fail; dmarc=fail"
    }
  ],
  "observables": [
    {
      "observable_type": "url",
      "observable_value": "http://phishing-site.com/verify",
      "observable_primary_provider": "URLhaus",
      "observable_primary_verdict": "malicious"
    },
    {
      "observable_type": "ipv4_public",
      "observable_value": "203.0.113.1",
      "observable_primary_provider": "Recorded Future",
      "observable_primary_verdict": "suspicious"
    }
  ],
  "raw_email": "Return-Path: <bounce@malicious-domain.com> ..."
}
```

## Additional Turbine Schema Objects

The following Turbine Schema objects are used within the AI SOC solution as sub-objects of alerts, emails, and other structures. Refer to docid:i0yap22xufzu9tbegkare for their complete field definitions.

- Observable: security-relevant entities (IP addresses, domains, file hashes, URLs)
- Enrichment: threat intelligence context added to observables
- File: file metadata and content
- File Hash: hash algorithm and value pairs
- Header: HTTP or email header key/value pairs
- MIME Part: email MIME part data
- Detection Rule: rules that trigger alerts
- Attack: MITRE ATT&CK technique and tactic mappings
- Tactic: individual ATT&CK tactic identifiers
- Technique: individual ATT&CK technique identifiers
- Content: file-like content or attachments
- Error: error tracking objects
- Status: tool or service status objects
- User: user account information
- Simple Observable: lightweight observable without enrichment data
- Cloud Storage Query Input: cloud storage search parameters

## References

- https://attack.mitre.org/
- https://d3fend.mitre.org/
- https://json-schema.org/
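As an added example (my own code, not Swimlane's or the Turbine project's), a small Python checker that applies the Required/Recommended/Optional rules from the Alert and Email tables above to an incoming object before it reaches triage; the field subset in the two dicts, the `"datetime"`/`"ip_array"` kind markers and the error strings are my own choices, and the tables can be transcribed further in the same way.

```python
from datetime import datetime
import ipaddress
# Requirement and expected type per field, transcribed from the tables above.
ALERT_FIELDS = {
    "alert_uid": ("required", str),
    "raw_alert": ("required", dict),
    "alert_title": ("recommended", str),
    "alert_created_timestamp": ("recommended", "datetime"),
    "alert_impacted_ip_addresses": ("optional", "ip_array"),
}
EMAIL_FIELDS = {
    "email_message_id": ("required", str),
    "email_from_address": ("required", str),
    "email_to_addresses": ("required", list),
    "email_origination_timestamp": ("required", "datetime"),
    "email_subject": ("recommended", str),
}

def _check_value(value, kind):
    """Return an error string if value does not match kind, else None."""
    if kind == "datetime":
        try:  # examples use a trailing 'Z'; older fromisoformat needs +00:00
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        except ValueError:
            return "not an ISO 8601 datetime"
    elif kind == "ip_array":
        if not isinstance(value, list):
            return "expected an array of IP addresses"
        for ip in value:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                return f"invalid IP address {ip!r}"
    elif not isinstance(value, kind):
        return f"expected {kind.__name__}"

def validate(obj, fields):
    """Return (errors, warnings) for obj against a field requirement table."""
    errors, warnings = [], []
    for key, (requirement, kind) in fields.items():
        if key not in obj:
            if requirement == "required":
                errors.append(f"missing required field {key}")
            elif requirement == "recommended":
                warnings.append(f"recommended field {key} absent")
            continue
        problem = _check_value(obj[key], kind)
        if problem:
            errors.append(f"{key}: {problem}")
    return errors, warnings
```

Errors are the cases that should stop ingestion (a missing Required field or a malformed value); warnings only flag absent Recommended fields so the triage workflow can decide whether to continue with reduced context.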