Alert Data Structure
Alert data is stored in the storage defined for alerts and is composed of three types of data.
Alert Data JSON
Both Alerts and root analysis objects are stored as JSON formatted files named data.json inside the storage directory of the object.
This JSON contains everything associated with the alert or root analysis except for analysis data and file observable data. The JSON contains references to the locations of these other types of data.
This is done because analysis data can become very large. This allows ACE to load a root analysis-based object without having to load all the individual analysis JSON data.
Analysis Data JSON
Analysis data is stored in individual files inside of a hidden .ace subdirectory inside of the storage directory of the root analysis-based object.
This analysis data is only loaded when it is requested.
File Observable Data
File observables represent file data. File data is stored in the storage directory of the root analysis-based object. The exact location of the data is stored as the value of the observable.
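
The layout described above can be read lazily and safely by a triage or forensics script. The following is an added example, not ACE's own code: it loads only data.json, enumerates the .ace analysis files without reading them, and resolves a file observable value while refusing any path that leaves the storage directory. It assumes the observable value is a path relative to the storage directory; the function names, file names and JSON keys are constructed for illustration and are not ACE's schema.

```python
import json
import tempfile
from pathlib import Path


def load_root(storage_dir):
    """Load only data.json; analysis files under .ace are left untouched."""
    return json.loads((Path(storage_dir) / "data.json").read_text())


def list_analysis_files(storage_dir):
    """Enumerate analysis files in the hidden .ace subdirectory without reading them."""
    ace_dir = Path(storage_dir) / ".ace"
    return sorted(p.name for p in ace_dir.iterdir() if p.is_file()) if ace_dir.is_dir() else []


def resolve_file_observable(storage_dir, value):
    """Map a file observable value to a path, refusing anything outside storage_dir.

    Assumption: the value is a path relative to the storage directory.
    """
    base = Path(storage_dir).resolve()
    target = (base / value).resolve()  # resolve() also follows symlinks
    if not target.is_relative_to(base) or target == base:
        raise ValueError(f"file observable escapes storage directory: {value!r}")
    return target


def build_sample(root):
    """Constructed sample layout; the JSON keys here are illustrative, not ACE's schema."""
    root = Path(root)
    (root / ".ace").mkdir()
    (root / ".ace" / "analysis_1.json").write_text(json.dumps({"details": "x" * 1000}))
    (root / "sample.bin").write_bytes(b"MZ constructed")
    (root / "data.json").write_text(json.dumps({"description": "constructed alert"}))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = build_sample(d)
        print(load_root(root))
        print(list_analysis_files(root))
        print(resolve_file_observable(root, "sample.bin"))
        try:
            resolve_file_observable(root, "../outside.bin")
        except ValueError as e:
            print("rejected:", e)
```

Because alert storage often holds attacker-supplied files and metadata, the containment check matters whenever a tool other than ACE opens paths taken from observable values.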