ace Database¶

The ace database contains most of the ace-related data objects including

alerts.
user settings.
workload information.
engine node status.
observable and tag mappings.

Database Table Documentation¶

`alerts`¶

The alerts table contains all of the alert meta data. Each row represents an alert.

This database table is used as an index into the alert data and to keep track of state related to analyst dispositions. The authoritative source is currently the JSON data.

`comments`¶

This table holds any comments added by the analysts in the GUI.

`config`¶

This table holds various configuration data including

`delayed_analysis`¶

Part of the analysis workload management queue tracking work that has been delayed.

`encrypted_passwords`¶

Storage location of encrypted passwords in the configuration file.

`incoming_workload`¶

Used by collectors to manage the incoming requests.

`locks`¶

Used by the [engine] as part of the workload management to synchronize access to work items.

`nodes`¶

Contains an entry for each engine in the cluster. These entries are populated by the engine and updated at a frequency specified by the node_status_update_frequency configuration in the [service_engine] section.

`node_modes`¶

Contains a listing of what analysis modes each node supports.

Note that the nodes table contains a any_mode column which indicates that the engine supports any mode (this is the default). In this case the node would have no entries in this table, but could have entries in the node_modes_excluded table.

`node_modes_excluded`¶

Contains a list of what [analysis modes] (../design/analysis_mode.md) each node does not support.

`observables`¶

Contains an entry for each unique observable ever seen by ACE.

`observable_mapping`¶

Maps observables seen by ACE to each alert they have been seen in.

`observable_tag_index`¶

Unknown.

`observable_tag_mapping`¶

Unknown.

`persistence`¶

Contains the persistence data for this cluster.

`remediation`¶

Contains the remediation history for this cluster.

`tags`¶

Contains an entry for each unique tag that ACE has ever used.

`tag_mapping`¶

Maps tags used by ACE to each alert they have been used in.

`users`¶

Contains credentials and basic settings for all analysts (users) in ACE.

`work_distribution`¶

Used by collectors to manage the routing of submissions to engine clusters.

`workload`¶

The primary table for managing the workload assignment for the entire cluster.

ace Database¶

Database Table Documentation¶

alerts¶

comments¶

config¶

delayed_analysis¶

encrypted_passwords¶

incoming_workload¶

locks¶

nodes¶

node_modes¶

node_modes_excluded¶

observables¶

observable_mapping¶

observable_tag_index¶

observable_tag_mapping¶

persistence¶

remediation¶

tags¶

tag_mapping¶

users¶

work_distribution¶

workload¶