Monad database schemas

Managing your security data efficiently and understanding your security posture are nearly impossible while that data is scattered across multiple tools and data silos.

Monad addresses this by giving you centralized visibility into your organization's entire security posture so you can quickly identify the key areas of concern. To do this, Monad normalizes all of your security data into a common, open data model called the Monad Object Model (MoM).

What is the MoM?

Simply put, the MoM is a schema for security data that Monad developed to make the analysis and use of that data flexible and accessible. Monad ingests data from your security tools (through what we call “connectors”), normalizes it, and transforms it into the MoM. Because the MoM lives in your data warehouse, security and DevOps teams can query it directly with SQL or point third-party BI tools at it, which makes it quick to build security and compliance applications on top of it.

The MoM works at two levels. It can drill down into the granular details specific to a particular connector, which matters because many connectors cover specialized areas that warrant deeper exploration, and the MoM tables supply the broader context around that detail. It can also consolidate analogous information from different connectors, such as Snyk, SonarQube and Rapid7, into one shape, which streamlines analysis because you no longer need complex joins to compare findings across tools.

Schema

The MoM includes several “data mart” tables. Each stores a subset of the normalized data, so you can quickly query specific types of data. Which tables you see depends on which input connectors you have configured and what type of data they produce.

[Diagram: Monad MoM]

mart_finding

Unified findings drawn from mart_machine_finding and mart_sast_finding, so you can query across both with one set of column names.

  • ss_id: The source system ID - identifies the finding in the original source tool that reported it.
  • organization_id: The Monad organization ID of the organization that owns the asset.
  • connector_type: The type of connector that reported the finding.
  • asset_type: The type of asset (code, machine, etc).
  • import_time: The time that data is imported by the flow.
  • asset_id: The unique id of the asset from the source system.
  • location_name: The line and file path where a code analysis finding occurred.
  • project_branch: The branch where the finding occurred.
  • project_origin: The data source where the vulnerable code was uploaded and scanned.
  • asset_operating_systems: The operating systems that the vulnerability is found on.
  • repository: The repository where the finding occurred.
  • severity: The severity of the vulnerability.
  • priority: A numeric value that represents the severity of the finding.
  • cves: The CVEs associated with the vulnerability.
  • cwes: The CWEs associated with the vulnerability.
  • code_owner: The author or owner of the vulnerable code.
  • description: The description of the vulnerability.
  • commit_hash: The commit hash where the vulnerability was introduced.
  • has_exploit: Whether the source tool reports that an exploit exists for the vulnerability.
  • remediation: The remediation suggestion for this vulnerability.
  • cvss_score: The CVSS score for the vulnerability.
  • first_seen_at: The time that the finding was first discovered by a scan.
  • last_seen_at: The time that the finding was last discovered by a scan.
  • finding_status: The status of a vulnerability (open, closed, reopened, etc).
  • title: The title of the vulnerability.
  • vuln_id: The vulnerability’s identifier, generated by rules in the scanner tool.
  • finding_url: URL of the finding in the source tool.
  • location_url: URL of the location (for example, the code) where the finding occurred.
  • vuln_labels: Misc labels for grouping findings.
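The following is an added example of working with mart_finding; it is not code from Monad or from this page. It loads a handful of constructed rows into an in-memory SQLite database standing in for the warehouse and runs three queries a practitioner typically wants from the unified table: open findings with a known exploit ranked by priority across connectors, which connectors report each CVE, and open findings that have exceeded a remediation SLA. Column types, the literal values for connector_type, finding_status and severity, the 0/1 encoding of has_exploit and the JSON-text encoding of cves are all assumptions (a real warehouse would likely store cves as an array type).

```python
"""Querying a MoM-style mart_finding table (constructed example, not Monad code).

SQLite stands in for the warehouse. Column types, the literal values for
connector_type/finding_status/severity, the 0/1 encoding of has_exploit
and the JSON-text encoding of cves are assumptions, as are the rows.
"""
import json
import sqlite3

DDL = """
CREATE TABLE mart_finding (
    ss_id           TEXT PRIMARY KEY,
    organization_id TEXT,
    connector_type  TEXT,
    asset_type      TEXT,
    asset_id        TEXT,
    repository      TEXT,
    severity        TEXT,
    priority        INTEGER,
    cves            TEXT,     -- JSON array of CVE IDs (assumed encoding)
    has_exploit     INTEGER,  -- 1 when the source reports a known exploit (assumed)
    cvss_score      REAL,
    first_seen_at   TEXT,     -- ISO-8601 UTC
    last_seen_at    TEXT,
    finding_status  TEXT,
    title           TEXT
)
"""

# Constructed rows: a SAST connector and a machine-scanning connector that
# overlap on the same Log4j CVE. Asset IDs and dates are illustrative.
ROWS = [
    ("snyk-1", "org-1", "snyk", "code", "repo:payments", "payments", "critical", 90,
     '["CVE-2021-44228"]', 1, 10.0, "2023-10-01T00:00:00Z", "2023-11-14T00:00:00Z",
     "open", "Remote code execution in log4j-core"),
    ("snyk-2", "org-1", "snyk", "code", "repo:payments", "payments", "medium", 40,
     "[]", 0, 5.3, "2023-10-20T00:00:00Z", "2023-11-14T00:00:00Z",
     "open", "Hardcoded credential"),
    ("snyk-3", "org-1", "snyk", "code", "repo:web", "web", "high", 70,
     '["CVE-2022-22965"]', 1, 9.8, "2023-09-01T00:00:00Z", "2023-10-01T00:00:00Z",
     "closed", "Remote code execution in Spring Framework"),
    ("r7-1", "org-1", "rapid7", "machine", "i-0abc", None, "critical", 95,
     '["CVE-2021-44228", "CVE-2021-45046"]', 1, 10.0, "2023-10-05T00:00:00Z",
     "2023-11-14T00:00:00Z", "open", "Apache Log4j remote code execution"),
    ("r7-2", "org-1", "rapid7", "machine", "i-0def", None, "high", 75,
     "[]", 0, 7.5, "2023-11-01T00:00:00Z", "2023-11-14T00:00:00Z",
     "open", "Outdated OpenSSH package"),
]

def demo_connection():
    """Build an in-memory database holding the constructed mart_finding rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO mart_finding VALUES (" + ",".join("?" * 15) + ")", ROWS)
    return conn

def open_exploitable(conn):
    """Open findings with a known exploit, highest priority first, across all connectors.
    No join is needed: SAST and machine findings already share these columns."""
    sql = """
    SELECT ss_id, connector_type, asset_type, asset_id, title, priority
    FROM mart_finding
    WHERE finding_status = 'open' AND has_exploit = 1
    ORDER BY priority DESC, cvss_score DESC
    """
    return conn.execute(sql).fetchall()

def cve_connector_coverage(conn):
    """Map each CVE on an open finding to the set of connectors that report it.
    The list column is parsed in Python rather than relying on one warehouse's array functions."""
    coverage = {}
    for connector, cves in conn.execute(
        "SELECT connector_type, cves FROM mart_finding WHERE finding_status = 'open'"
    ):
        for cve in json.loads(cves):
            coverage.setdefault(cve, set()).add(connector)
    return coverage

def stale_open_findings(conn, as_of, max_age_days):
    """Open findings first seen more than max_age_days before as_of (a remediation SLA check)."""
    sql = """
    SELECT ss_id, connector_type, title,
           CAST(julianday(?) - julianday(first_seen_at) AS INTEGER) AS age_days
    FROM mart_finding
    WHERE finding_status = 'open'
      AND julianday(?) - julianday(first_seen_at) > ?
    ORDER BY age_days DESC
    """
    return conn.execute(sql, (as_of, as_of, max_age_days)).fetchall()

if __name__ == "__main__":
    conn = demo_connection()
    for row in open_exploitable(conn):
        print("exploitable:", row)
    for cve, connectors in sorted(cve_connector_coverage(conn).items()):
        print("coverage:", cve, sorted(connectors))
    for row in stale_open_findings(conn, "2023-11-15T00:00:00Z", 30):
        print("stale:", row)
```

Because the table already consolidates SAST and machine findings under one set of column names, the prioritization and SLA queries need no join; the only per-connector difference the example has to tolerate is the shape of list columns such as cves, which is why the CVE coverage step parses them in Python instead of assuming a warehouse-specific array function.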

mart_sast_finding

Findings based on static analysis of code repositories and container registries.

  • ss_id: The source system ID - identifies the finding in the original source tool that reported it.
  • organization_id: The Monad organization ID of the organization that owns the asset.
  • connector_type: The type of connector that reported the finding.
  • asset_type: The type of asset (code, machine, etc).
  • import_time: The time that data is imported by the flow.
  • asset_id: The unique identifier for the affected asset.
  • finding_location_name: The line and file path where a code analysis finding occurred.
  • finding_priority: A numeric value that represents the severity of the finding.
  • issue_type: The type of issue created, either ‘dependency’ or ‘code_analysis’.
  • finding_location_filepath: The file path where a code analysis finding occurred.
  • finding_location_line: The line where a code analysis finding occurred.
  • finding_location_dependency_name: The name of the vulnerable dependency.
  • finding_location_dependency_version: The version of the vulnerable dependency.
  • finding_location_dependency_type: The type of the vulnerable dependency.
  • finding_project_branch: The branch where the finding occurred.
  • finding_project_origin: The data source where the vulnerable code was uploaded and scanned.
  • finding_repository: The repository where the finding occurred.
  • vuln_severity: The severity of the vulnerability.
  • vuln_cves: The CVEs associated with the vulnerability.
  • vuln_cwes: The CWEs associated with the vulnerability.
  • asset_owner: The author or owner of the vulnerable code.
  • vuln_description: The description of the vulnerability.
  • finding_commit_hash: The commit hash where the vulnerability was introduced.
  • vuln_remediation: The remediation suggestion for this vulnerability.
  • vuln_has_exploit: Whether the source tool reports that an exploit exists for the vulnerability.
  • vuln_cvss_score: The CVSS score for the vulnerability.
  • first_seen_at: The time that the finding was first discovered by a scan.
  • last_seen_at: The time that the finding was last discovered by a scan.
  • finding_status: The status of a vulnerability (open, closed, reopened, etc).
  • vuln_title: The title of the vulnerability.
  • vuln_id: The vulnerability’s identifier, generated by rules in the scanner tool.
  • finding_url: URL of the finding in the source tool.
  • location_url: URL of the code where the finding occurred.
  • vuln_labels: Misc labels for grouping findings.

mart_machine_finding

Findings about vulnerable machines based on dynamic analysis of applications and APIs.

  • ss_id: The source system ID - identifies the finding in the original source tool that reported it.
  • organization_id: The Monad organization ID of the organization that owns the machine.
  • connector_type: The type of connector that reported the finding.
  • asset_type: The type of asset (code, machine, etc).
  • import_time: The time that data is imported by the flow.
  • asset_id: The unique identifier for the affected asset.
  • asset_hostname: The hostname of the vulnerable machine.
  • asset_operating_systems: The operating systems that the vulnerability is found on.
  • asset_ipv4: The IPv4 address of the vulnerable machine.
  • asset_device_type: The type of device (what the asset is used for), as reported by the source tool.
  • vuln_cves: The CVEs for the vulnerability found on the machine.
  • vuln_cvss3_base_score: The CVSSv3 base score for the vulnerability found on the machine.
  • vuln_cvss_base_score: The CVSS base score for the vulnerability found on the machine, as reported by the source tool.
  • vuln_description: A description of the vulnerability found on the machine.
  • vuln_exploit_available: Whether the source tool reports that an exploit is available for the vulnerability found on the machine.
  • vuln_risk_factor: The risk level assigned to this vulnerability by the source tool.
  • vuln_name: The name of the vulnerability found on the machine.
  • vuln_port: The port on which the vulnerable service was detected.
  • vuln_id: The identifier of the scanner plugin (check) that detected the vulnerability.
  • vuln_remediation: The remediation suggestion to solve the vulnerability.
  • vuln_severity: An assessment of how severe the vulnerability is, sourced from the tool that scanned the machine.
  • finding_priority: A numeric value that represents the severity of the finding.
  • severity_modification_type: Whether the severity has been recast or the risk accepted in the source tool.
  • first_seen_at: The time that the finding was first discovered by a scan.
  • last_seen_at: The time that the finding was last discovered by a scan.
  • finding_state: The status of a vulnerability (open, closed, reopened, etc).
  • asset_operating_system_version: The operating system version of the asset.
  • asset_fqdn: The Fully Qualified Domain Name of the asset.
  • finding_url: URL of the finding in the source tool.
  • location_url: URL of the location where the finding occurred.
  • vuln_labels: Misc labels for grouping findings.

mart_machine

Machines on which findings can occur.

  • ss_id: Source system ID - used as primary key for the original data source.
  • organization_id: The organization that owns the connector instance from which the issue data is collected.
  • first_seen_at: The first date that the vulnerability was found on this machine.
  • last_seen_at: The most recent date that the vulnerability was found on this machine.
  • region: Region the machine is located in (e.g., us-west-2).
  • instance_id: Instance ID of the machine.

ocsf_finding

Mart findings mapped to the Open Cybersecurity Schema Framework (OCSF) finding format.

  • activity_name: The event activity name, as defined by the activity_id.
  • activity_id: The normalized identifier of the activity that triggered the event.
  • attacks: The attack object describes the technique and associated tactics as defined by the ATT&CK Matrix™.
  • category_name: The event category name, as defined by category_uid value.
  • category_uid: The category unique identifier of the event.
  • class_name: The event class name, as defined by class_uid value.
  • class_uid: The unique identifier of a class. A Class describes the attributes available in an event.
  • compliance: The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS or NIST) and contains compliance-related details.
  • confidence: The confidence of the reported event severity as a percentage (0%-100%).
  • count: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
  • data: Additional data that is associated with the event.
  • duration: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
  • end_time: The end time of a time period, or the time of the most recent event included in the aggregate event.
  • enrichments: The additional information from an external data source, which is associated with the event. For example, adding location information for the IP address in the DNS answers.
  • time: The normalized event occurrence time.
  • finding: The Finding object provides details related to a finding generated by a security tool.
  • malware: The list of malware identified by a finding.
  • message: The description of the event, as defined by the event source.
  • metadata: The metadata associated with the event.
  • observables: The observables associated with the event.
  • process: The Process object.
  • raw_data: The event data as received from the event source.
  • resources: Describes details about resources that were affected by the activity/event.
  • severity: The event severity, normalized to the caption of the severity_id value. In the case of ‘Other’, it is defined by the event source.
  • severity_id: The normalized identifier of the event severity.
  • start_time: The start time of a time period, or the time of the least recent event included in the aggregate event.
  • state: The normalized state of a security finding.
  • state_id: The normalized state identifier of a security finding.
  • status: The event status, normalized to the caption of the status_id value. In the case of ‘Other’, it is defined by the event source.
  • status_code: The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of ‘Failure Code’, e.g., 0x18.
  • status_detail: The status details contain additional information about the event outcome.
  • status_id: The normalized identifier of the event status.
  • timezone_offset: The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
  • type_uid: The event type ID. It identifies the event’s semantics and structure. The value is calculated by the logging system as class_uid * 100 + activity_id.
  • type_name: The event type name, as defined by the type_uid.
  • unmapped: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
  • vulnerabilities: This object describes vulnerabilities reported in a security finding.

mart_identity_event

Identity and access events imported from third-party sources, normalized to a common actor / client / target / result shape.

  • ss_id: Source system ID - used as a primary key for the original data source.
  • organization_id: The Monad organization ID of the organization that owns the connector instance from which the event was collected.
  • connector_type: The type of connector that reported the event.
  • import_time: The time that data is imported by the flow.
  • event_id: UUID for the event given by the source.
  • event_type: The type of event.
  • sub_type: Subtype of event type.
  • message: The user-readable action message/description.
  • event_time: The time the event occurred.
  • actor_id: ID of the user causing the event.
  • actor_name: Human-readable ID of the user causing the event.
  • actor_email: Email of the user causing the event.
  • actor_type: The type of actor creating the action (User vs. Application, etc.).
  • additional_actor_details: JSON of any actor details that may not fit the model.
  • client_id: The client ID of the user making the action.
  • client_type: The client type of the user making the action.
  • client_user_agent: The client user agent information.
  • client_geo_country: The client’s country.
  • client_geo_country_code: The client’s country code.
  • client_geo_continent_code: The client’s continent code.
  • client_geo_region: The client’s region.
  • client_geo_city: The client’s city.
  • client_geo_coordinate: The client’s geographical coordinates.
  • client_device: The client device type.
  • client_ip_address: The client’s IP.
  • client_ip_chain: The client’s IP chain.
  • additional_client_details: JSON of any client details that may not fit the model.
  • target_id: The target ID of the event.
  • target_name: The target name of the event.
  • target_ip_address: IP of the target.
  • additional_target_details: JSON of any target information that may not fit the model.
  • network_id: The ID of the event’s network (nullable).
  • network_subnet_id: The subnet ID of the network.
  • network_traffic_path: The network path chain of the event.
  • network_protocol: The event network’s protocol.
  • additional_network_details: JSON of any network details that do not fit the model.
  • result: The result of the action.
  • result_reason: The reason for the result.
  • is_suspicious: Boolean of whether the event is suspicious.
  • severity: Mapped severity if the source provides it.
  • additional_context: JSON of any context about the event that does not fit the model.
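An added example (not Monad's code) of detection logic over mart_identity_event, using only the columns listed above: a burst of failed logins from several client IPs followed by a success for the same actor, and two successful logins by one actor from different countries within an hour. The rows, the connector_type value and the literal event_type and result values ('login', 'success', 'failure') are constructed assumptions; a real connector's values will differ, and SQLite again stands in for the warehouse.

```python
"""Detections over a MoM-style mart_identity_event table (constructed example, not Monad code).

SQLite stands in for the warehouse. The connector_type value, the literal
event_type/result values ('login', 'success', 'failure') and every row are
assumptions; a real connector's values will differ.
"""
import sqlite3

DDL = """
CREATE TABLE mart_identity_event (
    ss_id                   TEXT PRIMARY KEY,
    organization_id         TEXT,
    connector_type          TEXT,
    event_type              TEXT,
    event_time              TEXT,   -- ISO-8601 UTC
    actor_id                TEXT,
    actor_email             TEXT,
    client_ip_address       TEXT,
    client_geo_country_code TEXT,
    result                  TEXT,
    is_suspicious           INTEGER
)
"""

def ev(ss_id, when, actor, email, ip, country, result):
    """Build one constructed login event row ('idp' is a placeholder connector_type)."""
    return (ss_id, "org-1", "idp", "login", when, actor, email, ip, country, result, 0)

# Constructed events using RFC 5737 documentation addresses.
ROWS = [
    # u1: five failures from three client IPs in four minutes, then a success
    ev("e1", "2023-11-14T07:00:00Z", "u1", "alice@example.com", "203.0.113.10", "US", "success"),
    ev("e2", "2023-11-14T12:00:00Z", "u1", "alice@example.com", "203.0.113.10", "US", "failure"),
    ev("e3", "2023-11-14T12:01:00Z", "u1", "alice@example.com", "203.0.113.11", "US", "failure"),
    ev("e4", "2023-11-14T12:01:30Z", "u1", "alice@example.com", "203.0.113.11", "US", "failure"),
    ev("e5", "2023-11-14T12:02:00Z", "u1", "alice@example.com", "203.0.113.12", "US", "failure"),
    ev("e6", "2023-11-14T12:03:00Z", "u1", "alice@example.com", "203.0.113.12", "US", "failure"),
    ev("e7", "2023-11-14T12:04:00Z", "u1", "alice@example.com", "203.0.113.12", "US", "success"),
    # u2: a single typo, then a success from the same IP (benign)
    ev("e8", "2023-11-14T09:00:00Z", "u2", "bob@example.com", "198.51.100.20", "GB", "failure"),
    ev("e9", "2023-11-14T09:01:00Z", "u2", "bob@example.com", "198.51.100.20", "GB", "success"),
    # u3: two successes from different countries twenty minutes apart
    ev("e10", "2023-11-14T08:00:00Z", "u3", "carol@example.com", "198.51.100.5", "DE", "success"),
    ev("e11", "2023-11-14T08:20:00Z", "u3", "carol@example.com", "198.51.100.9", "BR", "success"),
]

def demo_connection():
    """Build an in-memory database holding the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO mart_identity_event VALUES (" + ",".join("?" * 11) + ")", ROWS)
    return conn

def success_after_failure_burst(conn, window_minutes=10, min_failures=5):
    """Successful logins preceded by at least min_failures failed logins for the
    same actor within window_minutes; also reports how many distinct IPs failed."""
    sql = """
    SELECT s.actor_id, s.event_time, s.client_ip_address,
           COUNT(f.ss_id) AS failures_before,
           COUNT(DISTINCT f.client_ip_address) AS failure_ips
    FROM mart_identity_event AS s
    JOIN mart_identity_event AS f
      ON f.actor_id = s.actor_id
     AND f.event_type = 'login' AND f.result = 'failure'
     AND julianday(s.event_time) - julianday(f.event_time) BETWEEN 0 AND ? / 1440.0
    WHERE s.event_type = 'login' AND s.result = 'success'
    GROUP BY s.ss_id
    HAVING COUNT(f.ss_id) >= ?
    ORDER BY s.event_time
    """
    return conn.execute(sql, (window_minutes, min_failures)).fetchall()

def country_change(conn, window_minutes=60):
    """Pairs of successful logins by the same actor from different country codes
    within window_minutes of each other (a coarse impossible-travel check)."""
    sql = """
    SELECT a.actor_id, a.client_geo_country_code, b.client_geo_country_code,
           a.event_time, b.event_time
    FROM mart_identity_event AS a
    JOIN mart_identity_event AS b
      ON b.actor_id = a.actor_id
     AND b.event_time > a.event_time
     AND b.client_geo_country_code <> a.client_geo_country_code
     AND julianday(b.event_time) - julianday(a.event_time) <= ? / 1440.0
    WHERE a.event_type = 'login' AND a.result = 'success'
      AND b.event_type = 'login' AND b.result = 'success'
    ORDER BY a.event_time
    """
    return conn.execute(sql, (window_minutes,)).fetchall()

if __name__ == "__main__":
    conn = demo_connection()
    for hit in success_after_failure_burst(conn):
        print("failure burst then success:", hit)
    for hit in country_change(conn):
        print("country change:", hit)
```

Both detections are self-joins on actor_id bounded by event_time, so they run unchanged against a warehouse as long as event_time is stored as a sortable UTC timestamp; tune window_minutes and min_failures to the source, since a tool that reports MFA prompts or device posture checks under result will otherwise inflate the failure count.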

mart_endpoint_alert

Unified alerts from EDR tools.

  • ss_id: Source system ID - used as a primary key for the original data source.
  • organization_id: The organization that owns the connector instance from which the issue data is collected.
  • connector_type: The type of connector that reported the alert.
  • id: The alert ID as reported from the source system.
  • title: The title of the alert.
  • description: The description of the alert.
  • related_user: The ID of the related user.
  • last_event_time: The last time this event happened.
  • first_event_time: The first time this event happened.
  • last_update_time: The last time this alert instance was updated.
  • resolved_time: If this alert was resolved, when that occurred.
  • logged_on_users: All users logged on to the asset at the time of the event.
  • comments: Any comments about the alert.
  • evidence: List of evidence, including involved files.
  • mitre: List of MITRE techniques involved.
  • severity: The alert severity.
  • status: The status of the alert.
  • asset_id: The id of the associated asset.
  • additional_data: An array of data the source provides that is not supported by the model (i.e., vendor-specific information).
  • import_time: When Monad first imported this alert into the warehouse.

mart_firewall_event

Currently in development - check back later!

This page was last modified: 15 Nov 2023