From 826f656485260bd28a8e0b6e31ff34872f6869c4 Mon Sep 17 00:00:00 2001
From: Hanbeom kim <hbkim@cluml.com>
Date: Fri, 27 Sep 2024 15:28:48 +0900
Subject: [PATCH] Add packet attribute triage function

- Add triage functionality for scoring with attributes of each protocol.
  - Add the `target_attribute` to the `Match` trait.
  - Implement `score_by_packet_attr` under `Match` trait.
- Modify the `ValueKind` enum to support different types of input.
- Remove the `tor` module file. The structures (`HttpEventFields`,
  `TorConnection`) and implementations within that module have been
  moved to `crate::event::http`.
- Fix HTTP detection events to consistently use `referrer` instead of
  `referrer` and `referer` interchangeably.
- Change the type of fields in the detection event structure for some
  protocols.
  - `post_body`: `Vec<u8>` to `String`.
  - `chaddr`: `Vec<u8>` to `String`.
  - `class_id`: `Vec<u8>` to `String`.
  - `client_id`: `Vec<u8>` to `String`.

Close: #354
---
 CHANGELOG.md                          |  40 ++-
 Cargo.toml                            |   1 +
 src/event.rs                          |  23 +-
 src/event/bootp.rs                    |  43 ++-
 src/event/common.rs                   | 454 +++++++++++++++++++++++++-
 src/event/conn.rs                     |  78 ++++-
 src/event/dcerpc.rs                   |  12 +-
 src/event/dhcp.rs                     |  65 +++-
 src/event/dns.rs                      |  52 ++-
 src/event/ftp.rs                      |  57 +++-
 src/event/http.rs                     | 366 ++++++++++++++++++---
 src/event/kerberos.rs                 |  35 +-
 src/event/ldap.rs                     |  51 ++-
 src/event/log.rs                      |  12 +-
 src/event/mqtt.rs                     |  38 ++-
 src/event/network.rs                  |  29 +-
 src/event/nfs.rs                      |  28 +-
 src/event/ntlm.rs                     |  31 +-
 src/event/rdp.rs                      |  41 ++-
 src/event/smb.rs                      |  37 ++-
 src/event/smtp.rs                     |  33 +-
 src/event/ssh.rs                      |  41 ++-
 src/event/sysmon.rs                   |  31 +-
 src/event/tls.rs                      |  69 +++-
 src/migration.rs                      |   4 +-
 src/migration/migration_structures.rs |  16 +-
 src/tables/triage_policy.rs           |   6 +-
 27 files changed, 1498 insertions(+), 195 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8383618..d5ba438 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,35 @@ file is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and
 this project adheres to [Semantic
 Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+- Added triage functionality for scoring with attributes of each raw event.
+  - Added a new enum type `AttrValue`. This type is used to convert the
+    attribute value of each raw event to its corresponding type to perform
+    comparison operations.
+  - Added the `target_attribute` to the `Match` trait to generate an `AttrValue`
+    from the field in all detection event.
+  - Implemented `score_by_packet_attr` under `Match` trait.
+
+### Changed
+
+- Removed the `tor` module file. The structures (`HttpEventFields`,
+  `TorConnection`) and implementations within that module have been moved to
+  `crate::event::http`.
+- Fixed HTTP detection events to consistently use `referrer` instead of
+  `referrer` and `referrer` interchangeably.
+- Modified the `ValueKind` enum to support different types of input for packet
+  attribute triage.
+- Changed the type of fields in the detection event structure for some raw
+  event. This change allows users to see meaningful values directly without
+  having to do any special conversion for that field.
+  - `post_body`(HTTP): `Vec<u8>` to `String`.
+  - `chaddr`(BOOTP): `Vec<u8>` to `String`.
+  - `class_id`(DHCP): `Vec<u8>` to `String`.
+  - `client_id`(DHCP): `Vec<u8>` to `String`.
+
 ## [0.33.0] - 2024-12-12
 
 ### Changed
@@ -327,7 +356,7 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 - Changed the return type of `Store::network_map` to `IndexedTable<Network>`
   to enhance security by preventing direct exposure of internal structure.
 - Replaced `IndexedMap::get_by_id` function with `Indexed::get_by_id`, providing
-   a more structured and type-safe result.
+  a more structured and type-safe result.
   - Previously, the function returned a binary representation of the key-value
     pair: `Result<(Option<impl AsRef<[u8]>>, Option<impl AsRef<[u8]>>)>`.
   - Now, it returns `Result<Option<T>>`, where T is the entry type.
@@ -343,8 +372,8 @@ Versioning](https://semver.org/spec/v2.0.0.html).
   more straightforward and human-readable format compared to the raw binary
   format exposed by `IndexSet`.
 - Replaced the `IndexedTable<Category>::get`, `IndexedTable<Qualifier>::get` and
- `IndexedTable<Status>::get` method with the more general function
- `IndexedTable<R>::get_by_id`. This change enhances flexibility by allowing
+  `IndexedTable<Status>::get` method with the more general function
+  `IndexedTable<R>::get_by_id`. This change enhances flexibility by allowing
   retrieval based on any type R rather than being limited to a specific category.
   Existing code using get for categories should be updated to use get_by_id with
   the appropriate type.
@@ -386,7 +415,7 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 - Added new functions to facilitate insert, remove, and update operations,
   ensuring a more controlled and secure template management.
 - Introduced `Structured`, `Unstructured`, `StructuredClusteringAlgorithm` and
- `UnstructuredClusteringAlgorithm` to describe data stored in `Table<Template>`.
+  `UnstructuredClusteringAlgorithm` to describe data stored in `Table<Template>`.
 - Introduced `TriageResponse` to describe data stored in `IndexedTable<TriageResponse>`.
 - Introduced `TriageResponseUpdate` to support `TriageResponse` record update.
 - Added new functions to facilitate insert, remove, and update operations,
@@ -607,7 +636,7 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 - Removed `batch_info` and `scores` arguments from `Model::from_storage` function.
   These arguments were previously used for custom initialization of the
   `batch_info` and `scores` fields within the model. This change means that when
-  you create a model using `Model::from_storage`, the  `batch_info` and `scores`
+  you create a model using `Model::from_storage`, the `batch_info` and `scores`
   fields will now be initialized with their default values. If you previously
   relied on custom values for these fields, you will need to update your code accordingly.
 
@@ -740,6 +769,7 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 - Modified `FtpBruteForce` by adding an `is_internal` field which is a boolean
   indicating whether it is internal or not.
 
+[Unreleased]: https://github.com/aicers/review-database/compare/0.33.0...main
 [0.33.0]: https://github.com/petabi/review-database/compare/0.32.0...0.33.0
 [0.32.0]: https://github.com/petabi/review-database/compare/0.31.0...0.32.0
 [0.31.0]: https://github.com/petabi/review-database/compare/0.30.0...0.31.0
diff --git a/Cargo.toml b/Cargo.toml
index 17afa9f..8546a2f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -52,6 +52,7 @@ tokio = { version = "1", features = ["macros"] }
 tokio-postgres-rustls = "0.13"
 toml = "0.8.13"
 tracing = "0.1"
+attrievent = { git = "https://github.com/aicers/attrievent.git", rev = "c10065a" }
 
 [dev-dependencies]
 tempfile = "3"
diff --git a/src/event.rs b/src/event.rs
index c8e8c22..d942b25 100644
--- a/src/event.rs
+++ b/src/event.rs
@@ -20,7 +20,6 @@ mod smtp;
 mod ssh;
 mod sysmon;
 mod tls;
-mod tor;
 
 use std::{
     collections::HashMap,
@@ -57,8 +56,9 @@ pub use self::{
     },
     ftp::{BlockListFtp, FtpBruteForce, FtpBruteForceFields, FtpEventFields, FtpPlainText},
     http::{
-        BlockListHttp, BlockListHttpFields, DgaFields, DomainGenerationAlgorithm, HttpThreat,
-        HttpThreatFields, NonBrowser, RepeatedHttpSessions, RepeatedHttpSessionsFields,
+        BlockListHttp, BlockListHttpFields, DgaFields, DomainGenerationAlgorithm, HttpEventFields,
+        HttpThreat, HttpThreatFields, NonBrowser, RepeatedHttpSessions, RepeatedHttpSessionsFields,
+        TorConnection,
     },
     kerberos::{BlockListKerberos, BlockListKerberosFields},
     ldap::{BlockListLdap, LdapBruteForce, LdapBruteForceFields, LdapEventFields, LdapPlainText},
@@ -73,7 +73,6 @@ pub use self::{
     ssh::{BlockListSsh, BlockListSshFields},
     sysmon::WindowsThreat,
     tls::{BlockListTls, BlockListTlsFields, SuspiciousTlsTraffic},
-    tor::{HttpEventFields, TorConnection},
 };
 use super::{
     types::{Endpoint, HostNetworkGroup},
@@ -2719,7 +2718,7 @@ mod tests {
             method: "GET".to_string(),
             host: "example.com".to_string(),
             uri: "/uri/path".to_string(),
-            referer: "-".to_string(),
+            referrer: "-".to_string(),
             version: "1.1".to_string(),
             user_agent: "browser".to_string(),
             request_len: 100,
@@ -2749,7 +2748,7 @@ mod tests {
         let syslog_message = format!("{msg}");
         assert_eq!(
             &syslog_message,
-            r#"time="1970-01-01T00:01:01+00:00" event_kind="DomainGenerationAlgorithm" category="CommandAndControl" sensor="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="80" proto="6" duration="1000" method="GET" host="example.com" uri="/uri/path" referer="-" version="1.1" user_agent="browser" request_len="100" response_len="100" status_code="200" status_msg="-" username="-" password="-" cookie="cookie" content_encoding="encoding type" content_type="content type" cache_control="no cache" orig_filenames="a1,a2" orig_mime_types="" resp_filenames="" resp_mime_types="b1,b2" post_body="1234567890..." state="" confidence="0.8""#
+            r#"time="1970-01-01T00:01:01+00:00" event_kind="DomainGenerationAlgorithm" category="CommandAndControl" sensor="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="80" proto="6" duration="1000" method="GET" host="example.com" uri="/uri/path" referrer="-" version="1.1" user_agent="browser" request_len="100" response_len="100" status_code="200" status_msg="-" username="-" password="-" cookie="cookie" content_encoding="encoding type" content_type="content type" cache_control="no cache" orig_filenames="a1,a2" orig_mime_types="" resp_filenames="" resp_mime_types="b1,b2" post_body="1234567890..." state="" confidence="0.8""#
         );
 
         let dga = DomainGenerationAlgorithm::new(
@@ -2760,7 +2759,7 @@ mod tests {
         let dga_display = format!("{event}");
         assert_eq!(
             &dga_display,
-            r#"time="1970-01-01T00:01:01+00:00" event_kind="DomainGenerationAlgorithm" category="CommandAndControl" sensor="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="80" proto="6" duration="1000" method="GET" host="example.com" uri="/uri/path" referer="-" version="1.1" user_agent="browser" request_len="100" response_len="100" status_code="200" status_msg="-" username="-" password="-" cookie="cookie" content_encoding="encoding type" content_type="content type" cache_control="no cache" orig_filenames="a1,a2" orig_mime_types="" resp_filenames="" resp_mime_types="b1,b2" post_body="1234567890..." state="" confidence="0.8" triage_scores="""#
+            r#"time="1970-01-01T00:01:01+00:00" event_kind="DomainGenerationAlgorithm" category="CommandAndControl" sensor="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="80" proto="6" duration="1000" method="GET" host="example.com" uri="/uri/path" referrer="-" version="1.1" user_agent="browser" request_len="100" response_len="100" status_code="200" status_msg="-" username="-" password="-" cookie="cookie" content_encoding="encoding type" content_type="content type" cache_control="no cache" orig_filenames="a1,a2" orig_mime_types="" resp_filenames="" resp_mime_types="b1,b2" post_body="1234567890..." state="" confidence="0.8" triage_scores="""#
         );
     }
 
@@ -2858,7 +2857,7 @@ mod tests {
             method: "GET".to_string(),
             host: "example.com".to_string(),
             uri: "/uri/path".to_string(),
-            referer: "-".to_string(),
+            referrer: "-".to_string(),
             version: "1.1".to_string(),
             user_agent: "browser".to_string(),
             request_len: 100,
@@ -2893,7 +2892,7 @@ mod tests {
         let syslog_message = format!("{msg}");
         assert_eq!(
             &syslog_message,
-            r#"time="1970-01-01T00:01:01+00:00" event_kind="HttpThreat" category="Reconnaissance" sensor="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="80" proto="6" duration="1000" method="GET" host="example.com" uri="/uri/path" referer="-" version="1.1" user_agent="browser" request_len="100" response_len="100" status_code="200" status_msg="-" username="-" password="-" cookie="cookie" content_encoding="encoding type" content_type="content type" cache_control="no cache" orig_filenames="a1,a2" orig_mime_types="" resp_filenames="" resp_mime_types="b1,b2" post_body="1234567890..." state="" db_name="db" rule_id="12000" matched_to="match" cluster_id="1111" attack_kind="attack" confidence="0.8""#
+            r#"time="1970-01-01T00:01:01+00:00" event_kind="HttpThreat" category="Reconnaissance" sensor="collector1" src_addr="127.0.0.1" src_port="10000" dst_addr="127.0.0.2" dst_port="80" proto="6" duration="1000" method="GET" host="example.com" uri="/uri/path" referrer="-" version="1.1" user_agent="browser" request_len="100" response_len="100" status_code="200" status_msg="-" username="-" password="-" cookie="cookie" content_encoding="encoding type" content_type="content type" cache_control="no cache" orig_filenames="a1,a2" orig_mime_types="" resp_filenames="" resp_mime_types="b1,b2" post_body="1234567890..." state="" db_name="db" rule_id="12000" matched_to="match" cluster_id="1111" attack_kind="attack" confidence="0.8""#
         );
 
         let http_threat =
@@ -3403,7 +3402,7 @@ mod tests {
             message: "message".to_string(),
             renewal_time: 100,
             rebinding_time: 200,
-            class_id: vec![4, 5, 6],
+            class_id: "MSFT 5.0".to_string().into_bytes(),
             client_id_type: 1,
             client_id: vec![7, 8, 9],
             category: EventCategory::InitialAccess,
@@ -3422,7 +3421,7 @@ mod tests {
         let syslog_message = message.to_string();
         assert_eq!(
             &syslog_message,
-            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="04:05:06" client_id_type="1" client_id="07:08:09""#,
+            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="MSFT 5.0" client_id_type="1" client_id="07:08:09""#,
         );
 
         let block_list_dhcp = Event::BlockList(RecordType::Dhcp(BlockListDhcp::new(
@@ -3433,7 +3432,7 @@ mod tests {
 
         assert_eq!(
             &block_list_dhcp,
-            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="04:05:06" client_id_type="1" client_id="07:08:09" triage_scores="""#
+            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="MSFT 5.0" client_id_type="1" client_id="07:08:09" triage_scores="""#
         );
     }
 
diff --git a/src/event/bootp.rs b/src/event/bootp.rs
index 17aaf37..9ec882d 100644
--- a/src/event/bootp.rs
+++ b/src/event/bootp.rs
@@ -1,10 +1,39 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{BootpAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::{to_hardware_address, triage_scores_to_string};
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{to_hardware_address, triage_scores_to_string, AttrValue};
+
+macro_rules! bootp_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Bootp(attr) = $raw_event_attr {
+            let target_value = match attr {
+                BootpAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                BootpAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                BootpAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                BootpAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                BootpAttr::Proto => AttrValue::UInt($event.proto.into()),
+                BootpAttr::Op => AttrValue::UInt($event.op.into()),
+                BootpAttr::Htype => AttrValue::UInt($event.htype.into()),
+                BootpAttr::Hops => AttrValue::UInt($event.hops.into()),
+                BootpAttr::Xid => AttrValue::UInt($event.xid.into()),
+                BootpAttr::CiAddr => AttrValue::Addr($event.ciaddr),
+                BootpAttr::YiAddr => AttrValue::Addr($event.yiaddr),
+                BootpAttr::SiAddr => AttrValue::Addr($event.siaddr),
+                BootpAttr::GiAddr => AttrValue::Addr($event.giaddr),
+                BootpAttr::ChAddr => AttrValue::String(&$event.chaddr),
+                BootpAttr::SName => AttrValue::String(&$event.sname),
+                BootpAttr::File => AttrValue::String(&$event.file),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListBootpFields {
@@ -73,7 +102,7 @@ pub struct BlockListBootp {
     pub yiaddr: IpAddr,
     pub siaddr: IpAddr,
     pub giaddr: IpAddr,
-    pub chaddr: Vec<u8>,
+    pub chaddr: String,
     pub sname: String,
     pub file: String,
     pub category: EventCategory,
@@ -99,7 +128,7 @@ impl fmt::Display for BlockListBootp {
             self.yiaddr.to_string(),
             self.siaddr.to_string(),
             self.giaddr.to_string(),
-            to_hardware_address(&self.chaddr),
+            self.chaddr,
             self.sname.to_string(),
             self.file.to_string(),
             triage_scores_to_string(self.triage_scores.as_ref())
@@ -126,7 +155,7 @@ impl BlockListBootp {
             yiaddr: fields.yiaddr,
             siaddr: fields.siaddr,
             giaddr: fields.giaddr,
-            chaddr: fields.chaddr,
+            chaddr: to_hardware_address(&fields.chaddr),
             sname: fields.sname,
             file: fields.file,
             category: fields.category,
@@ -176,7 +205,7 @@ impl Match for BlockListBootp {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        bootp_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/common.rs b/src/event/common.rs
index 6a55b71..2c4600c 100644
--- a/src/event/common.rs
+++ b/src/event/common.rs
@@ -6,13 +6,15 @@ use std::{
 };
 
 use anyhow::{bail, Result};
+use attrievent::attribute::RawEventKind;
+use bincode::Options;
 use num_traits::ToPrimitive;
 use serde::{Deserialize, Serialize};
 
 use super::{
     eq_ip_country, EventCategory, EventFilter, FlowKind, LearningMethod, TrafficDirection,
-    TriagePolicy,
 };
+use crate::{AttrCmpKind, Confidence, PacketAttr, Ti};
 
 // TODO: Make new Match trait to support Windows Events
 
@@ -30,14 +32,24 @@ pub(super) trait Match {
     fn kind(&self) -> &str;
     fn sensor(&self) -> &str;
     fn confidence(&self) -> Option<f32>;
-
-    /// Calculates a score based on packet attributes according to the triage policy.
-    ///
-    /// Note: This method is currently unused. All implementations return 0.0.
-    /// It's retained for future use as planned by @syncpark.
-    /// For more details, see:
-    /// <https://github.com/petabi/review-database/pull/321#discussion_r1721392271>
-    fn score_by_packet_attr(&self, triage: &TriagePolicy) -> f64;
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue>;
+    fn score_by_packet_attr(&self, packet_attr: &[PacketAttr]) -> f64 {
+        let mut total_score = 0.0;
+        for attr in packet_attr {
+            let Ok(raw_event_attr) =
+                RawEventKind::from_type_and_attr_name(&attr.raw_event_type, &attr.attr_name)
+            else {
+                continue;
+            };
+            let Some(target_attr_val) = self.target_attribute(raw_event_attr) else {
+                continue;
+            };
+            if process_attr_compare(target_attr_val, attr) {
+                total_score += attr.weight.unwrap_or_default();
+            }
+        }
+        (total_score * 100.0).trunc() / 100.0
+    }
 
     /// Returns whether the event matches the filter and the triage scores. The triage scores are
     /// only returned if the event matches the filter.
@@ -197,9 +209,9 @@ pub(super) trait Match {
                 let triage_scores = triage_policies
                     .iter()
                     .filter_map(|triage| {
-                        let score = self.score_by_ti_db(triage)
-                            + self.score_by_packet_attr(triage)
-                            + self.score_by_confidence(triage);
+                        let score = self.score_by_ti_db(&triage.ti_db)
+                            + self.score_by_packet_attr(&triage.packet_attr)
+                            + self.score_by_confidence(&triage.confidence);
                         if triage.response.iter().any(|r| score >= r.minimum_score) {
                             Some(TriageScore {
                                 policy_id: triage.id,
@@ -220,13 +232,13 @@ pub(super) trait Match {
         Ok((true, None))
     }
 
-    fn score_by_ti_db(&self, _triage: &TriagePolicy) -> f64 {
+    fn score_by_ti_db(&self, _ti_db: &[Ti]) -> f64 {
         // TODO: implement
         0.0
     }
 
-    fn score_by_confidence(&self, triage: &TriagePolicy) -> f64 {
-        triage.confidence.iter().fold(0.0, |score, conf| {
+    fn score_by_confidence(&self, confidence: &[Confidence]) -> f64 {
+        confidence.iter().fold(0.0, |score, conf| {
             if conf.threat_category == self.category()
                 && conf.threat_kind.to_lowercase() == self.kind().to_lowercase()
                 && self.confidence().map_or(true, |c| {
@@ -295,7 +307,194 @@ pub fn to_hardware_address(chaddr: &[u8]) -> String {
     )
 }
 
+pub enum AttrValue<'a> {
+    Addr(IpAddr),
+    Bool(bool),
+    #[allow(dead_code)]
+    Float(f64),
+    SInt(i64),
+    UInt(u64),
+    String(&'a str),
+    VecAddr(&'a [IpAddr]),
+    #[allow(dead_code)]
+    VecFloat(Vec<f64>),
+    VecSInt(Vec<i64>),
+    VecUInt(Vec<u64>),
+    VecString(&'a [String]),
+}
+
+fn check_all_or_any<'a, T, F>(attr_val: &'a [T], packet_attr: &'a PacketAttr, compare_fn: F) -> bool
+where
+    F: Fn(&'a T, &'a PacketAttr) -> bool,
+{
+    match packet_attr.cmp_kind {
+        AttrCmpKind::NotEqual | AttrCmpKind::NotContain => {
+            attr_val.iter().all(|x| compare_fn(x, packet_attr))
+        }
+        _ => attr_val.iter().any(|x| compare_fn(x, packet_attr)),
+    }
+}
+
+fn process_attr_compare(target_value: AttrValue, attr: &PacketAttr) -> bool {
+    match target_value {
+        AttrValue::Addr(ip_addr) => compare_addr_attribute(&ip_addr, attr),
+        AttrValue::Bool(bool_val) => compare_bool_attribute(bool_val, attr),
+        AttrValue::Float(float_val) => compare_number_attribute::<_, f64>(&float_val, attr),
+        AttrValue::SInt(signed_int_val) => {
+            compare_number_attribute::<_, i64>(&signed_int_val, attr)
+        }
+        AttrValue::UInt(unsigned_int_val) => {
+            compare_number_attribute::<_, u64>(&unsigned_int_val, attr)
+        }
+        AttrValue::String(str_val) => compare_string_attribute(str_val, attr),
+        AttrValue::VecAddr(vec_addr_val) => {
+            check_all_or_any(vec_addr_val, attr, compare_addr_attribute)
+        }
+        AttrValue::VecFloat(vec_float_val) => {
+            check_all_or_any(&vec_float_val, attr, compare_number_attribute::<_, f64>)
+        }
+        AttrValue::VecSInt(vec_sint_val) => {
+            check_all_or_any(&vec_sint_val, attr, compare_number_attribute::<_, i64>)
+        }
+        AttrValue::VecUInt(vec_uint_val) => {
+            check_all_or_any(&vec_uint_val, attr, compare_number_attribute::<_, u64>)
+        }
+        AttrValue::VecString(vec_str_val) => check_all_or_any(vec_str_val, attr, |val, attr| {
+            compare_string_attribute(val.as_str(), attr)
+        }),
+    }
+}
+
+fn deserialize<'de, T>(value: &'de [u8]) -> Option<T>
+where
+    T: Deserialize<'de>,
+{
+    bincode::DefaultOptions::new().deserialize::<T>(value).ok()
+}
+
+fn check_second_value<'de, T, K>(kind: AttrCmpKind, value: Option<&'de Vec<u8>>) -> Option<T>
+where
+    T: TryFrom<K> + std::cmp::PartialOrd,
+    K: Deserialize<'de>,
+{
+    match kind {
+        AttrCmpKind::OpenRange
+        | AttrCmpKind::CloseRange
+        | AttrCmpKind::LeftOpenRange
+        | AttrCmpKind::RightOpenRange
+        | AttrCmpKind::NotOpenRange
+        | AttrCmpKind::NotCloseRange
+        | AttrCmpKind::NotLeftOpenRange
+        | AttrCmpKind::NotRightOpenRange => {
+            let value = value.as_ref()?;
+            let de_second_value: K = deserialize(value)?;
+            T::try_from(de_second_value).ok()
+        }
+        _ => None,
+    }
+}
+
+fn compare_all_attr_cmp_kind<T>(
+    cmp_kind: AttrCmpKind,
+    attr_val: &T,
+    first_val: &T,
+    second_val: Option<T>,
+) -> bool
+where
+    T: PartialOrd,
+{
+    match (cmp_kind, second_val) {
+        (AttrCmpKind::Less, _) => attr_val < first_val,
+        (AttrCmpKind::LessOrEqual, _) => attr_val <= first_val,
+        (AttrCmpKind::Equal, _) => attr_val == first_val,
+        (AttrCmpKind::NotEqual, _) => attr_val != first_val,
+        (AttrCmpKind::Greater, _) => attr_val > first_val,
+        (AttrCmpKind::GreaterOrEqual, _) => attr_val >= first_val,
+        (AttrCmpKind::OpenRange, Some(second_val)) => {
+            (first_val < attr_val) && (second_val > *attr_val)
+        }
+        (AttrCmpKind::CloseRange, Some(second_val)) => {
+            (first_val <= attr_val) && (second_val >= *attr_val)
+        }
+        (AttrCmpKind::LeftOpenRange, Some(second_val)) => {
+            (first_val < attr_val) && (second_val >= *attr_val)
+        }
+        (AttrCmpKind::RightOpenRange, Some(second_val)) => {
+            (first_val <= attr_val) && (second_val > *attr_val)
+        }
+        (AttrCmpKind::NotOpenRange, Some(second_val)) => {
+            !((first_val < attr_val) && (second_val > *attr_val))
+        }
+        (AttrCmpKind::NotCloseRange, Some(second_val)) => {
+            !((first_val <= attr_val) && (second_val >= *attr_val))
+        }
+        (AttrCmpKind::NotLeftOpenRange, Some(second_val)) => {
+            !((first_val < attr_val) && (second_val >= *attr_val))
+        }
+        (AttrCmpKind::NotRightOpenRange, Some(second_val)) => {
+            !((first_val <= attr_val) && (second_val > *attr_val))
+        }
+        _ => false,
+    }
+}
+
+fn compare_bool_attribute(attr_val: bool, packet_attr: &PacketAttr) -> bool {
+    deserialize::<bool>(&packet_attr.first_value).is_some_and(|compare_val| {
+        match packet_attr.cmp_kind {
+            AttrCmpKind::Equal => attr_val == compare_val,
+            AttrCmpKind::NotEqual => attr_val != compare_val,
+            _ => false,
+        }
+    })
+}
+
+fn compare_string_attribute(attr_val: &str, packet_attr: &PacketAttr) -> bool {
+    deserialize::<String>(&packet_attr.first_value).is_some_and(|compare_val| {
+        let cmp_result = attr_val.contains(&compare_val);
+        match packet_attr.cmp_kind {
+            AttrCmpKind::Contain => cmp_result,
+            AttrCmpKind::NotContain => !cmp_result,
+            _ => false,
+        }
+    })
+}
+
+fn compare_addr_attribute(attr_val: &IpAddr, packet_attr: &PacketAttr) -> bool {
+    if let Some(first_val) = deserialize::<IpAddr>(&packet_attr.first_value) {
+        let second_val = packet_attr
+            .second_value
+            .as_ref()
+            .and_then(|serde_val| deserialize::<IpAddr>(serde_val));
+        return compare_all_attr_cmp_kind(packet_attr.cmp_kind, attr_val, &first_val, second_val);
+    }
+    false
+}
+
+fn compare_number_attribute<'de, T, K>(attr_val: &T, packet_attr: &'de PacketAttr) -> bool
+where
+    T: TryFrom<K> + PartialOrd,
+    K: Deserialize<'de>,
+{
+    if let Some(first_val) = deserialize::<K>(&packet_attr.first_value) {
+        if let Ok(first_val) = T::try_from(first_val) {
+            let second_val =
+                check_second_value::<T, K>(packet_attr.cmp_kind, packet_attr.second_value.as_ref());
+            return compare_all_attr_cmp_kind(
+                packet_attr.cmp_kind,
+                attr_val,
+                &first_val,
+                second_val,
+            );
+        }
+    };
+    false
+}
+
 mod tests {
+
+    use bincode::Options;
+    use serde::Serialize;
+
     #[test]
     fn empty_byte_slice_to_colon_separated_string() {
         assert_eq!(super::to_hardware_address(&[]), "");
@@ -308,4 +507,229 @@ mod tests {
             "12:34:56:78:9a:bc"
         );
     }
+
+    #[allow(dead_code)]
+    fn serialize<T>(v: &T) -> Option<Vec<u8>>
+    where
+        T: Serialize,
+    {
+        bincode::DefaultOptions::new().serialize(v).ok()
+    }
+
+    #[test]
+    fn compare_attribute() {
+        use std::net::{IpAddr, Ipv4Addr};
+
+        use attrievent::attribute::{DhcpAttr, DnsAttr, HttpAttr, RawEventType};
+        use chrono::{TimeZone, Utc};
+
+        use crate::{
+            event::common::Match, AttrCmpKind, BlockListDhcp, BlockListDhcpFields, DgaFields,
+            DnsCovertChannel, DnsEventFields, DomainGenerationAlgorithm, EventCategory, PacketAttr,
+            ValueKind,
+        };
+
+        let time = Utc.with_ymd_and_hms(1970, 1, 1, 0, 1, 1).unwrap();
+
+        // Compare `Addr`, `String`, `UInt`, `VecString` type
+        let fields = DgaFields {
+            sensor: "sensor".to_string(),
+            src_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 5)),
+            src_port: 10000,
+            dst_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 6)),
+            dst_port: 80,
+            proto: 6,
+            duration: 1000,
+            method: "GET".to_string(),
+            host: "example.com".to_string(),
+            uri: "/uri/path".to_string(),
+            referrer: "-".to_string(),
+            version: "1.1".to_string(),
+            user_agent: "browser".to_string(),
+            request_len: 100,
+            response_len: 100,
+            status_code: 200,
+            status_msg: "-".to_string(),
+            username: "-".to_string(),
+            password: "-".to_string(),
+            cookie: "cookie".to_string(),
+            content_encoding: "encoding type".to_string(),
+            content_type: "content type".to_string(),
+            cache_control: "no cache".to_string(),
+            orig_filenames: vec!["a1".to_string(), "a2".to_string()],
+            orig_mime_types: Vec::new(),
+            resp_filenames: Vec::new(),
+            resp_mime_types: vec!["b1".to_string(), "b2".to_string()],
+            post_body: "12345678901234567890".to_string().into_bytes(),
+            state: String::new(),
+            confidence: 0.8,
+            category: EventCategory::CommandAndControl,
+        };
+
+        let http_event = DomainGenerationAlgorithm::new(time, fields);
+        let success_packet_attr = vec![
+            PacketAttr {
+                raw_event_type: RawEventType::Http.to_string(),
+                attr_name: HttpAttr::SrcAddr.to_string(),
+                value_kind: ValueKind::IpAddr,
+                cmp_kind: AttrCmpKind::CloseRange,
+                first_value: serialize(&IpAddr::V4(Ipv4Addr::new(127, 0, 0, 5))).unwrap(),
+                second_value: serialize(&IpAddr::V4(Ipv4Addr::new(127, 0, 0, 6))),
+                weight: Some(0.1),
+            },
+            PacketAttr {
+                raw_event_type: RawEventType::Http.to_string(),
+                attr_name: HttpAttr::Uri.to_string(),
+                value_kind: ValueKind::String,
+                cmp_kind: AttrCmpKind::Contain,
+                first_value: serialize(&"path").unwrap(),
+                second_value: None,
+                weight: Some(0.2),
+            },
+        ];
+        let score_result = http_event.score_by_packet_attr(&success_packet_attr);
+        assert_eq!(score_result, 0.3_f64);
+
+        let fail_packet_attr = vec![
+            PacketAttr {
+                raw_event_type: RawEventType::Http.to_string(),
+                attr_name: HttpAttr::DstPort.to_string(),
+                value_kind: ValueKind::UInteger,
+                cmp_kind: AttrCmpKind::OpenRange,
+                first_value: serialize(&80_u64).unwrap(),
+                second_value: serialize(&82_u64),
+                weight: Some(0.1),
+            },
+            PacketAttr {
+                raw_event_type: RawEventType::Http.to_string(),
+                attr_name: HttpAttr::RespMimeTypes.to_string(),
+                value_kind: ValueKind::String,
+                cmp_kind: AttrCmpKind::NotContain,
+                first_value: serialize(&"b1").unwrap(),
+                second_value: None,
+                weight: Some(0.1),
+            },
+        ];
+        let score_result = http_event.score_by_packet_attr(&fail_packet_attr);
+        assert_eq!(score_result, 0.0_f64);
+
+        // Compare `Bool`, `SInt`, `VecSInt`
+        let fields = DnsEventFields {
+            sensor: "sensor".to_string(),
+            session_end_time: Utc::now(),
+            src_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)),
+            src_port: 10000,
+            dst_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 2)),
+            dst_port: 53,
+            proto: 17,
+            query: "foo.com".to_string(),
+            answer: vec!["1.1.1.1".to_string()],
+            trans_id: 1,
+            rtt: 5,
+            qclass: 0,
+            qtype: 0,
+            rcode: 0,
+            aa_flag: false,
+            tc_flag: false,
+            rd_flag: false,
+            ra_flag: false,
+            ttl: vec![1, 3, 5, 7],
+            confidence: 0.8,
+            category: EventCategory::CommandAndControl,
+        };
+        let dns_event = DnsCovertChannel::new(time, fields);
+        let success_packet_attr = vec![
+            PacketAttr {
+                raw_event_type: RawEventType::Dns.to_string(),
+                attr_name: DnsAttr::Rtt.to_string(),
+                value_kind: ValueKind::SInteger,
+                cmp_kind: AttrCmpKind::Less,
+                first_value: serialize(&6_i64).unwrap(),
+                second_value: None,
+                weight: Some(0.3),
+            },
+            PacketAttr {
+                raw_event_type: RawEventType::Dns.to_string(),
+                attr_name: DnsAttr::Ttl.to_string(),
+                value_kind: ValueKind::SInteger,
+                cmp_kind: AttrCmpKind::NotEqual,
+                first_value: serialize(&9_i64).unwrap(),
+                second_value: None,
+                weight: Some(0.5),
+            },
+        ];
+        let score_result = dns_event.score_by_packet_attr(&success_packet_attr);
+        assert_eq!(score_result, 0.8_f64);
+
+        let fail_packet_attr = vec![PacketAttr {
+            raw_event_type: RawEventType::Dns.to_string(),
+            attr_name: DnsAttr::AA.to_string(),
+            value_kind: ValueKind::Bool,
+            cmp_kind: AttrCmpKind::Equal,
+            first_value: serialize(&true).unwrap(),
+            second_value: None,
+            weight: Some(0.2),
+        }];
+        let score_result = dns_event.score_by_packet_attr(&fail_packet_attr);
+        assert_eq!(score_result, 0.0_f64);
+
+        // Compare `VecAddr`, `VecUInt`
+        let fields = BlockListDhcpFields {
+            sensor: "sensor".to_string(),
+            src_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)),
+            src_port: 68,
+            dst_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 2)),
+            dst_port: 67,
+            proto: 17,
+            last_time: 100,
+            msg_type: 1,
+            ciaddr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 5)),
+            yiaddr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 6)),
+            siaddr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 7)),
+            giaddr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 8)),
+            subnet_mask: IpAddr::V4(Ipv4Addr::new(255, 255, 255, 255)),
+            router: vec![
+                IpAddr::V4(Ipv4Addr::new(127, 0, 0, 7)),
+                IpAddr::V4(Ipv4Addr::new(127, 0, 0, 8)),
+                IpAddr::V4(Ipv4Addr::new(127, 0, 0, 9)),
+            ],
+            domain_name_server: vec![IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))],
+            req_ip_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 100)),
+            lease_time: 100,
+            server_id: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)),
+            param_req_list: vec![2, 3, 4],
+            message: "message".to_string(),
+            renewal_time: 100,
+            rebinding_time: 200,
+            class_id: "MSFT 5.0".to_string().into_bytes(),
+            client_id_type: 1,
+            client_id: vec![7, 8, 9],
+            category: EventCategory::InitialAccess,
+        };
+
+        let dhcp_event = BlockListDhcp::new(time, fields);
+        let success_packet_attr = vec![PacketAttr {
+            raw_event_type: RawEventType::Dhcp.to_string(),
+            attr_name: DhcpAttr::Router.to_string(),
+            value_kind: ValueKind::IpAddr,
+            cmp_kind: AttrCmpKind::LeftOpenRange,
+            first_value: serialize(&IpAddr::V4(Ipv4Addr::new(127, 0, 0, 8))).unwrap(),
+            second_value: serialize(&IpAddr::V4(Ipv4Addr::new(127, 0, 0, 9))),
+            weight: Some(0.15),
+        }];
+        let score_result = dhcp_event.score_by_packet_attr(&success_packet_attr);
+        assert_eq!(score_result, 0.15_f64);
+
+        let fail_packet_attr = vec![PacketAttr {
+            raw_event_type: RawEventType::Dhcp.to_string(),
+            attr_name: DhcpAttr::ParamReqList.to_string(),
+            value_kind: ValueKind::UInteger,
+            cmp_kind: AttrCmpKind::RightOpenRange,
+            first_value: serialize(&1_u64).unwrap(),
+            second_value: serialize(&2_u64),
+            weight: Some(0.35),
+        }];
+        let score_result = dhcp_event.score_by_packet_attr(&fail_packet_attr);
+        assert_eq!(score_result, 0.0_f64);
+    }
 }
diff --git a/src/event/conn.rs b/src/event/conn.rs
index a79eac9..9591c40 100644
--- a/src/event/conn.rs
+++ b/src/event/conn.rs
@@ -4,11 +4,38 @@ use std::{
     num::NonZeroU8,
 };
 
+use attrievent::attribute::{ConnAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::{triage_scores_to_string, vector_to_string};
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, vector_to_string, AttrValue};
+
+macro_rules! conn_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Conn(attr) = $raw_event_attr {
+            let target_value = match attr {
+                ConnAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                ConnAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                ConnAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                ConnAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                ConnAttr::Proto => AttrValue::UInt($event.proto.into()),
+                ConnAttr::ConnState => AttrValue::String(&$event.conn_state),
+                ConnAttr::Duration => AttrValue::SInt($event.duration),
+                ConnAttr::Service => AttrValue::String(&$event.service),
+                ConnAttr::OrigBytes => AttrValue::UInt($event.orig_bytes),
+                ConnAttr::RespBytes => AttrValue::UInt($event.resp_bytes),
+                ConnAttr::OrigPkts => AttrValue::UInt($event.orig_pkts),
+                ConnAttr::RespPkts => AttrValue::UInt($event.resp_pkts),
+                ConnAttr::OrigL2Bytes => AttrValue::UInt($event.orig_l2_bytes),
+                ConnAttr::RespL2Bytes => AttrValue::UInt($event.resp_l2_bytes),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct PortScanFields {
@@ -122,8 +149,20 @@ impl Match for PortScan {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Conn(attr) = raw_event_attr {
+            match attr {
+                ConnAttr::SrcAddr => Some(AttrValue::Addr(self.src_addr)),
+                ConnAttr::DstAddr => Some(AttrValue::Addr(self.dst_addr)),
+                ConnAttr::DstPort => Some(AttrValue::VecUInt(
+                    self.dst_ports.iter().map(|val| u64::from(*val)).collect(),
+                )),
+                ConnAttr::Proto => Some(AttrValue::UInt(self.proto.into())),
+                _ => None,
+            }
+        } else {
+            None
+        }
     }
 }
 
@@ -239,8 +278,18 @@ impl Match for MultiHostPortScan {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Conn(attr) = raw_event_attr {
+            match attr {
+                ConnAttr::SrcAddr => Some(AttrValue::Addr(self.src_addr)),
+                ConnAttr::DstPort => Some(AttrValue::UInt(self.dst_port.into())),
+                ConnAttr::DstAddr => Some(AttrValue::VecAddr(&self.dst_addrs)),
+                ConnAttr::Proto => Some(AttrValue::UInt(self.proto.into())),
+                _ => None,
+            }
+        } else {
+            None
+        }
     }
 }
 
@@ -351,8 +400,17 @@ impl Match for ExternalDdos {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Conn(attr) = raw_event_attr {
+            match attr {
+                ConnAttr::SrcAddr => Some(AttrValue::VecAddr(&self.src_addrs)),
+                ConnAttr::DstAddr => Some(AttrValue::Addr(self.dst_addr)),
+                ConnAttr::Proto => Some(AttrValue::UInt(self.proto.into())),
+                _ => None,
+            }
+        } else {
+            None
+        }
     }
 }
 
@@ -513,7 +571,7 @@ impl Match for BlockListConn {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        conn_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/dcerpc.rs b/src/event/dcerpc.rs
index 1ad74e8..be523a6 100644
--- a/src/event/dcerpc.rs
+++ b/src/event/dcerpc.rs
@@ -1,10 +1,11 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::RawEventKind;
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListDceRpcFields {
@@ -142,7 +143,10 @@ impl Match for BlockListDceRpc {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    // Since `dcerpc` is not currently an event type collected by Feature Sensor, and as a result,
+    // the notation for each attribute of `dcerpc` has not been finalized. Therefore, we will
+    // proceed with this part after the collection and notation of dcerpc events is finalized.
+    fn target_attribute(&self, _raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        None
     }
 }
diff --git a/src/event/dhcp.rs b/src/event/dhcp.rs
index 4fbe79d..898fd97 100644
--- a/src/event/dhcp.rs
+++ b/src/event/dhcp.rs
@@ -1,11 +1,56 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{DhcpAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
+use super::{
+    common::{AttrValue, Match},
+    EventCategory, TriageScore, MEDIUM,
+};
 use crate::event::common::{to_hardware_address, triage_scores_to_string, vector_to_string};
 
+macro_rules! dhcp_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Dhcp(attr) = $raw_event_attr {
+            let target_value = match attr {
+                DhcpAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                DhcpAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                DhcpAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                DhcpAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                DhcpAttr::Proto => AttrValue::UInt($event.proto.into()),
+                DhcpAttr::MgsType => todo!(),
+                DhcpAttr::CiAddr => AttrValue::Addr($event.ciaddr),
+                DhcpAttr::YiAddr => AttrValue::Addr($event.yiaddr),
+                DhcpAttr::SiAddr => AttrValue::Addr($event.siaddr),
+                DhcpAttr::GiAddr => AttrValue::Addr($event.giaddr),
+                DhcpAttr::SubNetMask => AttrValue::Addr($event.subnet_mask),
+                DhcpAttr::Router => AttrValue::VecAddr(&$event.router),
+                DhcpAttr::DomainNameServer => AttrValue::VecAddr(&$event.domain_name_server),
+                DhcpAttr::ReqIpAddr => AttrValue::Addr($event.req_ip_addr),
+                DhcpAttr::LeaseTime => AttrValue::UInt($event.lease_time.into()),
+                DhcpAttr::ServerId => AttrValue::Addr($event.server_id),
+                DhcpAttr::ParamReqList => AttrValue::VecUInt(
+                    $event
+                        .param_req_list
+                        .iter()
+                        .map(|val| u64::from(*val))
+                        .collect(),
+                ),
+                DhcpAttr::Message => AttrValue::String(&$event.message),
+                DhcpAttr::RenewalTime => AttrValue::UInt($event.renewal_time.into()),
+                DhcpAttr::RebindingTime => AttrValue::UInt($event.rebinding_time.into()),
+                DhcpAttr::ClassId => AttrValue::String(&$event.class_id),
+                DhcpAttr::ClientIdType => AttrValue::UInt($event.client_id_type.into()),
+                DhcpAttr::ClientId => AttrValue::String(&$event.client_id),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
+
 #[derive(Serialize, Deserialize)]
 pub struct BlockListDhcpFields {
     pub sensor: String,
@@ -68,7 +113,7 @@ impl fmt::Display for BlockListDhcpFields {
             self.message.to_string(),
             self.renewal_time.to_string(),
             self.rebinding_time.to_string(),
-            to_hardware_address(&self.class_id),
+            String::from_utf8(self.class_id.clone()).unwrap_or_default(),
             self.client_id_type.to_string(),
             to_hardware_address(&self.client_id),
         )
@@ -100,9 +145,9 @@ pub struct BlockListDhcp {
     pub message: String,
     pub renewal_time: u32,
     pub rebinding_time: u32,
-    pub class_id: Vec<u8>,
+    pub class_id: String,
     pub client_id_type: u8,
-    pub client_id: Vec<u8>,
+    pub client_id: String,
     pub category: EventCategory,
     pub triage_scores: Option<Vec<TriageScore>>,
 }
@@ -133,9 +178,9 @@ impl fmt::Display for BlockListDhcp {
             self.message.to_string(),
             self.renewal_time.to_string(),
             self.rebinding_time.to_string(),
-            to_hardware_address(&self.class_id),
+            self.class_id,
             self.client_id_type.to_string(),
-            to_hardware_address(&self.client_id),
+            self.client_id,
             triage_scores_to_string(self.triage_scores.as_ref())
         )
     }
@@ -167,9 +212,9 @@ impl BlockListDhcp {
             message: fields.message,
             renewal_time: fields.renewal_time,
             rebinding_time: fields.rebinding_time,
-            class_id: fields.class_id,
+            class_id: String::from_utf8(fields.class_id.clone()).unwrap_or_default(),
             client_id_type: fields.client_id_type,
-            client_id: fields.client_id,
+            client_id: to_hardware_address(&fields.client_id),
             category: fields.category,
             triage_scores: None,
         }
@@ -217,7 +262,7 @@ impl Match for BlockListDhcp {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        dhcp_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/dns.rs b/src/event/dns.rs
index b5bc13a..33f1f81 100644
--- a/src/event/dns.rs
+++ b/src/event/dns.rs
@@ -1,11 +1,43 @@
 #![allow(clippy::module_name_repetitions, clippy::struct_excessive_bools)]
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{DnsAttr, RawEventKind};
 use chrono::{serde::ts_nanoseconds, DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, HIGH, MEDIUM};
-use crate::event::common::{triage_scores_to_string, vector_to_string};
+use super::{common::Match, EventCategory, TriageScore, HIGH, MEDIUM};
+use crate::event::common::{triage_scores_to_string, vector_to_string, AttrValue};
+
+macro_rules! dns_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Dns(attr) = $raw_event_attr {
+            let target_value = match attr {
+                DnsAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                DnsAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                DnsAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                DnsAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                DnsAttr::Proto => AttrValue::UInt($event.proto.into()),
+                DnsAttr::Query => AttrValue::String(&$event.query),
+                DnsAttr::Answer => AttrValue::VecString(&$event.answer),
+                DnsAttr::TransId => AttrValue::UInt($event.trans_id.into()),
+                DnsAttr::Rtt => AttrValue::SInt($event.rtt.into()),
+                DnsAttr::QClass => AttrValue::UInt($event.qclass.into()),
+                DnsAttr::QType => AttrValue::UInt($event.qtype.into()),
+                DnsAttr::RCode => AttrValue::UInt($event.rcode.into()),
+                DnsAttr::AA => AttrValue::Bool($event.aa_flag),
+                DnsAttr::TC => AttrValue::Bool($event.tc_flag),
+                DnsAttr::RD => AttrValue::Bool($event.rd_flag),
+                DnsAttr::RA => AttrValue::Bool($event.ra_flag),
+                DnsAttr::Ttl => {
+                    AttrValue::VecSInt($event.ttl.iter().map(|val| i64::from(*val)).collect())
+                }
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Deserialize, Serialize)]
 pub struct DnsEventFields {
@@ -189,8 +221,8 @@ impl Match for DnsCovertChannel {
         Some(self.confidence)
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        dns_target_attr!(self, raw_event_attr)
     }
 }
 
@@ -322,8 +354,8 @@ impl Match for LockyRansomware {
         Some(self.confidence)
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        dns_target_attr!(self, raw_event_attr)
     }
 }
 
@@ -509,8 +541,8 @@ impl Match for CryptocurrencyMiningPool {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        dns_target_attr!(self, raw_event_attr)
     }
 }
 
@@ -690,7 +722,7 @@ impl Match for BlockListDns {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        dns_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/ftp.rs b/src/event/ftp.rs
index 0acaff3..30c103d 100644
--- a/src/event/ftp.rs
+++ b/src/event/ftp.rs
@@ -1,11 +1,41 @@
 #![allow(clippy::module_name_repetitions)]
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{FtpAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! ftp_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Ftp(attr) = $raw_event_attr {
+            let target_value = match attr {
+                FtpAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                FtpAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                FtpAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                FtpAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                FtpAttr::Proto => AttrValue::UInt($event.proto.into()),
+                FtpAttr::User => AttrValue::String(&$event.user),
+                FtpAttr::Password => AttrValue::String(&$event.password),
+                FtpAttr::Command => AttrValue::String(&$event.command),
+                FtpAttr::ReplyCode => AttrValue::String(&$event.reply_code),
+                FtpAttr::ReplyMsg => AttrValue::String(&$event.reply_msg),
+                FtpAttr::DataPassive => AttrValue::Bool($event.data_passive),
+                FtpAttr::DataOrigAddr => AttrValue::Addr($event.data_orig_addr),
+                FtpAttr::DataRespAddr => AttrValue::Addr($event.data_resp_addr),
+                FtpAttr::DataRespPort => AttrValue::UInt($event.data_resp_port.into()),
+                FtpAttr::File => AttrValue::String(&$event.file),
+                FtpAttr::FileSize => AttrValue::UInt($event.file_size),
+                FtpAttr::FileId => AttrValue::String(&$event.file_id),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct FtpBruteForceFields {
@@ -128,8 +158,19 @@ impl Match for FtpBruteForce {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Ftp(attr) = raw_event_attr {
+            match attr {
+                FtpAttr::SrcAddr => Some(AttrValue::Addr(self.src_addr)),
+                FtpAttr::DstAddr => Some(AttrValue::Addr(self.dst_addr)),
+                FtpAttr::DstPort => Some(AttrValue::UInt(self.dst_port.into())),
+                FtpAttr::Proto => Some(AttrValue::UInt(self.proto.into())),
+                FtpAttr::User => Some(AttrValue::VecString(&self.user_list)),
+                _ => None,
+            }
+        } else {
+            None
+        }
     }
 }
 
@@ -310,8 +351,8 @@ impl Match for FtpPlainText {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        ftp_target_attr!(self, raw_event_attr)
     }
 }
 
@@ -440,7 +481,7 @@ impl Match for BlockListFtp {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        ftp_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/http.rs b/src/event/http.rs
index 4ae1f3f..b20e458 100644
--- a/src/event/http.rs
+++ b/src/event/http.rs
@@ -1,14 +1,52 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
 use aho_corasick::AhoCorasickBuilder;
+use attrievent::attribute::{HttpAttr, RawEventKind};
 use chrono::{serde::ts_nanoseconds, DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{
-    common::Match, EventCategory, EventFilter, HttpEventFields, TriagePolicy, TriageScore, LOW,
-    MEDIUM,
-};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, EventFilter, TriageScore, LOW, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! http_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {
+        if let RawEventKind::Http(attr) = $raw_event_attr {
+            match attr {
+                HttpAttr::SrcAddr => Some(AttrValue::Addr($event.src_addr)),
+                HttpAttr::SrcPort => Some(AttrValue::UInt($event.src_port.into())),
+                HttpAttr::DstAddr => Some(AttrValue::Addr($event.dst_addr)),
+                HttpAttr::DstPort => Some(AttrValue::UInt($event.dst_port.into())),
+                HttpAttr::Proto => Some(AttrValue::UInt($event.proto.into())),
+                HttpAttr::Method => Some(AttrValue::String(&$event.method)),
+                HttpAttr::Host => Some(AttrValue::String(&$event.host)),
+                HttpAttr::Uri => Some(AttrValue::String(&$event.uri)),
+                HttpAttr::Referrer => Some(AttrValue::String(&$event.referrer)),
+                HttpAttr::Version => Some(AttrValue::String(&$event.version)),
+                HttpAttr::UserAgent => Some(AttrValue::String(&$event.user_agent)),
+                HttpAttr::RequestLen => u64::try_from($event.request_len).ok().map(AttrValue::UInt),
+                HttpAttr::ResponseLen => {
+                    u64::try_from($event.response_len).ok().map(AttrValue::UInt)
+                }
+                HttpAttr::StatusCode => Some(AttrValue::UInt($event.status_code.into())),
+                HttpAttr::StatusMsg => Some(AttrValue::String(&$event.status_msg)),
+                HttpAttr::Username => Some(AttrValue::String(&$event.username)),
+                HttpAttr::Password => Some(AttrValue::String(&$event.password)),
+                HttpAttr::Cookie => Some(AttrValue::String(&$event.cookie)),
+                HttpAttr::ContentEncoding => Some(AttrValue::String(&$event.content_encoding)),
+                HttpAttr::ContentType => Some(AttrValue::String(&$event.content_type)),
+                HttpAttr::CacheControl => Some(AttrValue::String(&$event.cache_control)),
+                HttpAttr::OrigFilenames => Some(AttrValue::VecString(&$event.orig_filenames)),
+                HttpAttr::OrigMimeTypes => Some(AttrValue::VecString(&$event.orig_mime_types)),
+                HttpAttr::RespFilenames => Some(AttrValue::VecString(&$event.resp_filenames)),
+                HttpAttr::RespMimeTypes => Some(AttrValue::VecString(&$event.resp_mime_types)),
+                HttpAttr::PostBody => Some(AttrValue::String(&$event.post_body)),
+                HttpAttr::State => Some(AttrValue::String(&$event.state)),
+            }
+        } else {
+            None
+        }
+    };
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct RepeatedHttpSessionsFields {
@@ -121,9 +159,19 @@ impl Match for RepeatedHttpSessions {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        // TODO: implement
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Http(attr) = raw_event_attr {
+            match attr {
+                HttpAttr::SrcAddr => Some(AttrValue::Addr(self.src_addr)),
+                HttpAttr::SrcPort => Some(AttrValue::UInt(self.src_port.into())),
+                HttpAttr::DstAddr => Some(AttrValue::Addr(self.dst_addr)),
+                HttpAttr::DstPort => Some(AttrValue::UInt(self.dst_port.into())),
+                HttpAttr::Proto => Some(AttrValue::UInt(self.proto.into())),
+                _ => None,
+            }
+        } else {
+            None
+        }
     }
 }
 
@@ -142,7 +190,7 @@ pub struct HttpThreatFields {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -174,7 +222,7 @@ impl fmt::Display for HttpThreatFields {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} db_name={:?} rule_id={:?} matched_to={:?} cluster_id={:?} attack_kind={:?} confidence={:?}",
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referrer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} db_name={:?} rule_id={:?} matched_to={:?} cluster_id={:?} attack_kind={:?} confidence={:?}",
             self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
@@ -185,7 +233,7 @@ impl fmt::Display for HttpThreatFields {
             self.method,
             self.host,
             self.uri,
-            self.referer,
+            self.referrer,
             self.version,
             self.user_agent,
             self.request_len.to_string(),
@@ -244,7 +292,7 @@ pub struct HttpThreat {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -261,7 +309,7 @@ pub struct HttpThreat {
     pub orig_mime_types: Vec<String>,
     pub resp_filenames: Vec<String>,
     pub resp_mime_types: Vec<String>,
-    pub post_body: Vec<u8>,
+    pub post_body: String,
     pub state: String,
     pub db_name: String,
     pub rule_id: u32,
@@ -277,7 +325,7 @@ impl fmt::Display for HttpThreat {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} db_name={:?} rule_id={:?} matched_to={:?} cluster_id={:?} attack_kind={:?} confidence={:?} triage_scores={:?}",
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referrer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} db_name={:?} rule_id={:?} matched_to={:?} cluster_id={:?} attack_kind={:?} confidence={:?} triage_scores={:?}",
             self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
@@ -288,7 +336,7 @@ impl fmt::Display for HttpThreat {
             self.method,
             self.host,
             self.uri,
-            self.referer,
+            self.referrer,
             self.version,
             self.user_agent,
             self.request_len.to_string(),
@@ -305,7 +353,7 @@ impl fmt::Display for HttpThreat {
             self.orig_mime_types.join(","),
             self.resp_filenames.join(","),
             self.resp_mime_types.join(","),
-            get_post_body(&self.post_body),
+            self.post_body,
             self.state,
             self.db_name,
             self.rule_id.to_string(),
@@ -332,7 +380,7 @@ impl HttpThreat {
             method: fields.method,
             host: fields.host,
             uri: fields.uri,
-            referer: fields.referer,
+            referrer: fields.referrer,
             version: fields.version,
             user_agent: fields.user_agent,
             request_len: fields.request_len,
@@ -349,7 +397,7 @@ impl HttpThreat {
             orig_mime_types: fields.orig_mime_types,
             resp_filenames: fields.resp_filenames,
             resp_mime_types: fields.resp_mime_types,
-            post_body: fields.post_body,
+            post_body: get_post_body(&fields.post_body),
             state: fields.state,
             db_name: fields.db_name,
             rule_id: fields.rule_id,
@@ -404,8 +452,8 @@ impl Match for HttpThreat {
         Some(self.confidence)
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        http_target_attr!(self, raw_event_attr)
     }
 
     fn kind_matches(&self, filter: &EventFilter) -> bool {
@@ -444,7 +492,7 @@ pub struct DgaFields {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -471,7 +519,7 @@ impl fmt::Display for DgaFields {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} confidence={:?}",
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referrer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} confidence={:?}",
             self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
@@ -482,7 +530,7 @@ impl fmt::Display for DgaFields {
             self.method,
             self.host,
             self.uri,
-            self.referer,
+            self.referrer,
             self.version,
             self.user_agent,
             self.request_len.to_string(),
@@ -520,7 +568,7 @@ pub struct DomainGenerationAlgorithm {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -537,7 +585,7 @@ pub struct DomainGenerationAlgorithm {
     pub orig_mime_types: Vec<String>,
     pub resp_filenames: Vec<String>,
     pub resp_mime_types: Vec<String>,
-    pub post_body: Vec<u8>,
+    pub post_body: String,
     pub state: String,
     pub confidence: f32,
     pub category: EventCategory,
@@ -548,7 +596,7 @@ impl fmt::Display for DomainGenerationAlgorithm {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} confidence={:?} triage_scores={:?}",
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} duration={:?} method={:?} host={:?} uri={:?} referrer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} confidence={:?} triage_scores={:?}",
             self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
@@ -559,7 +607,7 @@ impl fmt::Display for DomainGenerationAlgorithm {
             self.method,
             self.host,
             self.uri,
-            self.referer,
+            self.referrer,
             self.version,
             self.user_agent,
             self.request_len.to_string(),
@@ -576,7 +624,7 @@ impl fmt::Display for DomainGenerationAlgorithm {
             self.orig_mime_types.join(","),
             self.resp_filenames.join(","),
             self.resp_mime_types.join(","),
-            get_post_body(&self.post_body),
+            self.post_body,
             self.state,
             self.confidence.to_string(),
             triage_scores_to_string(self.triage_scores.as_ref()),
@@ -598,7 +646,7 @@ impl DomainGenerationAlgorithm {
             host: fields.host,
             method: fields.method,
             uri: fields.uri,
-            referer: fields.referer,
+            referrer: fields.referrer,
             version: fields.version,
             user_agent: fields.user_agent,
             request_len: fields.request_len,
@@ -615,7 +663,7 @@ impl DomainGenerationAlgorithm {
             orig_mime_types: fields.orig_mime_types,
             resp_filenames: fields.resp_filenames,
             resp_mime_types: fields.resp_mime_types,
-            post_body: fields.post_body,
+            post_body: get_post_body(&fields.post_body),
             state: fields.state,
             confidence: fields.confidence,
             category: fields.category,
@@ -665,8 +713,82 @@ impl Match for DomainGenerationAlgorithm {
         Some(self.confidence)
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        http_target_attr!(self, raw_event_attr)
+    }
+}
+
+#[derive(Deserialize, Serialize)]
+#[allow(clippy::module_name_repetitions)]
+pub struct HttpEventFields {
+    pub sensor: String,
+    #[serde(with = "ts_nanoseconds")]
+    pub session_end_time: DateTime<Utc>,
+    pub src_addr: IpAddr,
+    pub src_port: u16,
+    pub dst_addr: IpAddr,
+    pub dst_port: u16,
+    pub proto: u8,
+    pub method: String,
+    pub host: String,
+    pub uri: String,
+    pub referrer: String,
+    pub version: String,
+    pub user_agent: String,
+    pub request_len: usize,
+    pub response_len: usize,
+    pub status_code: u16,
+    pub status_msg: String,
+    pub username: String,
+    pub password: String,
+    pub cookie: String,
+    pub content_encoding: String,
+    pub content_type: String,
+    pub cache_control: String,
+    pub orig_filenames: Vec<String>,
+    pub orig_mime_types: Vec<String>,
+    pub resp_filenames: Vec<String>,
+    pub resp_mime_types: Vec<String>,
+    pub post_body: Vec<u8>,
+    pub state: String,
+    pub category: EventCategory,
+}
+
+impl fmt::Display for HttpEventFields {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(
+            f,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} session_end_time={:?} method={:?} host={:?} uri={:?} referrer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?}",
+            self.sensor,
+            self.src_addr.to_string(),
+            self.src_port.to_string(),
+            self.dst_addr.to_string(),
+            self.dst_port.to_string(),
+            self.proto.to_string(),
+            self.session_end_time.to_rfc3339(),
+            self.method,
+            self.host,
+            self.uri,
+            self.referrer,
+            self.version,
+            self.user_agent,
+            self.request_len.to_string(),
+            self.response_len.to_string(),
+            self.status_code.to_string(),
+            self.status_msg,
+            self.username,
+            self.password,
+            self.cookie,
+            self.content_encoding,
+            self.content_type,
+            self.cache_control,
+            self.orig_filenames.join(","),
+            self.orig_mime_types.join(","),
+            self.resp_filenames.join(","),
+            self.resp_mime_types.join(","),
+            get_post_body(&self.post_body),
+            self.state
+        )
     }
 }
 
@@ -700,7 +822,7 @@ pub struct NonBrowser {
     pub orig_mime_types: Vec<String>,
     pub resp_filenames: Vec<String>,
     pub resp_mime_types: Vec<String>,
-    pub post_body: Vec<u8>,
+    pub post_body: String,
     pub state: String,
     pub category: EventCategory,
     pub triage_scores: Option<Vec<TriageScore>>,
@@ -738,7 +860,7 @@ impl fmt::Display for NonBrowser {
             self.orig_mime_types.join(","),
             self.resp_filenames.join(","),
             self.resp_mime_types.join(","),
-            get_post_body(&self.post_body),
+            self.post_body,
             self.state,
             triage_scores_to_string(self.triage_scores.as_ref()),
         )
@@ -776,7 +898,7 @@ impl NonBrowser {
             orig_mime_types: fields.orig_mime_types.clone(),
             resp_filenames: fields.resp_filenames.clone(),
             resp_mime_types: fields.resp_mime_types.clone(),
-            post_body: fields.post_body.clone(),
+            post_body: get_post_body(&fields.post_body),
             state: fields.state.clone(),
             category: fields.category,
             triage_scores: None,
@@ -825,8 +947,168 @@ impl Match for NonBrowser {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        http_target_attr!(self, raw_event_attr)
+    }
+}
+
+#[allow(clippy::module_name_repetitions)]
+pub struct TorConnection {
+    pub time: DateTime<Utc>,
+    pub sensor: String,
+    pub session_end_time: DateTime<Utc>,
+    pub src_addr: IpAddr,
+    pub src_port: u16,
+    pub dst_addr: IpAddr,
+    pub dst_port: u16,
+    pub proto: u8,
+    pub method: String,
+    pub host: String,
+    pub uri: String,
+    pub referrer: String,
+    pub version: String,
+    pub user_agent: String,
+    pub request_len: usize,
+    pub response_len: usize,
+    pub status_code: u16,
+    pub status_msg: String,
+    pub username: String,
+    pub password: String,
+    pub cookie: String,
+    pub content_encoding: String,
+    pub content_type: String,
+    pub cache_control: String,
+    pub orig_filenames: Vec<String>,
+    pub orig_mime_types: Vec<String>,
+    pub resp_filenames: Vec<String>,
+    pub resp_mime_types: Vec<String>,
+    pub post_body: String,
+    pub state: String,
+    pub category: EventCategory,
+    pub triage_scores: Option<Vec<TriageScore>>,
+}
+
+impl fmt::Display for TorConnection {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(
+            f,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} session_end_time={:?} method={:?} host={:?} uri={:?} referrer={:?} version={:?} user_agent={:?} request_len={:?} response_len={:?} status_code={:?} status_msg={:?} username={:?} password={:?} cookie={:?} content_encoding={:?} content_type={:?} cache_control={:?} orig_filenames={:?} orig_mime_types={:?} resp_filenames={:?} resp_mime_types={:?} post_body={:?} state={:?} triage_scores={:?}",
+            self.sensor,
+            self.src_addr.to_string(),
+            self.src_port.to_string(),
+            self.dst_addr.to_string(),
+            self.dst_port.to_string(),
+            self.proto.to_string(),
+            self.session_end_time.to_rfc3339(),
+            self.method,
+            self.host,
+            self.uri,
+            self.referrer,
+            self.version,
+            self.user_agent,
+            self.request_len.to_string(),
+            self.response_len.to_string(),
+            self.status_code.to_string(),
+            self.status_msg,
+            self.username,
+            self.password,
+            self.cookie,
+            self.content_encoding,
+            self.content_type,
+            self.cache_control,
+            self.orig_filenames.join(","),
+            self.orig_mime_types.join(","),
+            self.resp_filenames.join(","),
+            self.resp_mime_types.join(","),
+            self.post_body,
+            self.state,
+            triage_scores_to_string(self.triage_scores.as_ref())
+        )
+    }
+}
+
+impl TorConnection {
+    pub(super) fn new(time: DateTime<Utc>, fields: &HttpEventFields) -> Self {
+        TorConnection {
+            time,
+            sensor: fields.sensor.clone(),
+            session_end_time: fields.session_end_time,
+            src_addr: fields.src_addr,
+            src_port: fields.src_port,
+            dst_addr: fields.dst_addr,
+            dst_port: fields.dst_port,
+            proto: fields.proto,
+            method: fields.method.clone(),
+            host: fields.host.clone(),
+            uri: fields.uri.clone(),
+            referrer: fields.referrer.clone(),
+            version: fields.version.clone(),
+            user_agent: fields.user_agent.clone(),
+            request_len: fields.request_len,
+            response_len: fields.response_len,
+            status_code: fields.status_code,
+            status_msg: fields.status_msg.clone(),
+            username: fields.username.clone(),
+            password: fields.password.clone(),
+            cookie: fields.cookie.clone(),
+            content_encoding: fields.content_encoding.clone(),
+            content_type: fields.content_type.clone(),
+            cache_control: fields.cache_control.clone(),
+            orig_filenames: fields.orig_filenames.clone(),
+            orig_mime_types: fields.orig_mime_types.clone(),
+            resp_filenames: fields.resp_filenames.clone(),
+            resp_mime_types: fields.resp_mime_types.clone(),
+            post_body: get_post_body(&fields.post_body),
+            state: fields.state.clone(),
+            category: fields.category,
+            triage_scores: None,
+        }
+    }
+}
+
+impl Match for TorConnection {
+    fn src_addr(&self) -> IpAddr {
+        self.src_addr
+    }
+
+    fn src_port(&self) -> u16 {
+        self.src_port
+    }
+
+    fn dst_addr(&self) -> IpAddr {
+        self.dst_addr
+    }
+
+    fn dst_port(&self) -> u16 {
+        self.dst_port
+    }
+
+    fn proto(&self) -> u8 {
+        self.proto
+    }
+
+    fn category(&self) -> EventCategory {
+        self.category
+    }
+
+    fn level(&self) -> NonZeroU8 {
+        MEDIUM
+    }
+
+    fn kind(&self) -> &str {
+        "tor exit nodes"
+    }
+
+    fn sensor(&self) -> &str {
+        self.sensor.as_str()
+    }
+
+    fn confidence(&self) -> Option<f32> {
+        None
+    }
+
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        http_target_attr!(self, raw_event_attr)
     }
 }
 
@@ -933,7 +1215,7 @@ pub struct BlockListHttp {
     pub orig_mime_types: Vec<String>,
     pub resp_filenames: Vec<String>,
     pub resp_mime_types: Vec<String>,
-    pub post_body: Vec<u8>,
+    pub post_body: String,
     pub state: String,
     pub category: EventCategory,
     pub triage_scores: Option<Vec<TriageScore>>,
@@ -971,7 +1253,7 @@ impl fmt::Display for BlockListHttp {
             self.orig_mime_types.join(","),
             self.resp_filenames.join(","),
             self.resp_mime_types.join(","),
-            get_post_body(&self.post_body),
+            self.post_body,
             self.state,
             triage_scores_to_string(self.triage_scores.as_ref()),
         )
@@ -1009,7 +1291,7 @@ impl BlockListHttp {
             orig_mime_types: fields.orig_mime_types.clone(),
             resp_filenames: fields.resp_filenames.clone(),
             resp_mime_types: fields.resp_mime_types.clone(),
-            post_body: fields.post_body.clone(),
+            post_body: get_post_body(&fields.post_body),
             state: fields.state.clone(),
             category: fields.category,
             triage_scores: None,
@@ -1058,7 +1340,7 @@ impl Match for BlockListHttp {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        http_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/kerberos.rs b/src/event/kerberos.rs
index f585bf9..d962d82 100644
--- a/src/event/kerberos.rs
+++ b/src/event/kerberos.rs
@@ -1,10 +1,37 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{KerberosAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! kerberos_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Kerberos(attr) = $raw_event_attr {
+            let target_value = match attr {
+                KerberosAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                KerberosAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                KerberosAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                KerberosAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                KerberosAttr::Proto => AttrValue::UInt($event.proto.into()),
+                KerberosAttr::ClientTime => AttrValue::SInt($event.client_time),
+                KerberosAttr::ServerTime => AttrValue::SInt($event.server_time),
+                KerberosAttr::ErrorCode => AttrValue::UInt($event.error_code.into()),
+                KerberosAttr::ClientRealm => AttrValue::String(&$event.client_realm),
+                KerberosAttr::CnameType => AttrValue::UInt($event.cname_type.into()),
+                KerberosAttr::ClientName => AttrValue::VecString(&$event.client_name),
+                KerberosAttr::Realm => AttrValue::String(&$event.realm),
+                KerberosAttr::SnameType => AttrValue::UInt($event.sname_type.into()),
+                KerberosAttr::ServiceName => AttrValue::VecString(&$event.service_name),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListKerberosFields {
@@ -168,7 +195,7 @@ impl Match for BlockListKerberos {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        kerberos_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/ldap.rs b/src/event/ldap.rs
index 6a3625c..0742ba6 100644
--- a/src/event/ldap.rs
+++ b/src/event/ldap.rs
@@ -1,11 +1,36 @@
 #![allow(clippy::module_name_repetitions)]
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{LdapAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! ldap_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Ldap(attr) = $raw_event_attr {
+            let target_value = match attr {
+                LdapAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                LdapAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                LdapAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                LdapAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                LdapAttr::Proto => AttrValue::UInt($event.proto.into()),
+                LdapAttr::MessageId => AttrValue::UInt($event.message_id.into()),
+                LdapAttr::Version => AttrValue::UInt($event.version.into()),
+                LdapAttr::Opcode => AttrValue::VecString(&$event.opcode),
+                LdapAttr::Result => AttrValue::VecString(&$event.result),
+                LdapAttr::DiagnosticMessage => AttrValue::VecString(&$event.diagnostic_message),
+                LdapAttr::Object => AttrValue::VecString(&$event.object),
+                LdapAttr::Argument => AttrValue::VecString(&$event.argument),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct LdapBruteForceFields {
@@ -135,8 +160,18 @@ impl Match for LdapBruteForce {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Ldap(attr) = raw_event_attr {
+            match attr {
+                LdapAttr::SrcAddr => Some(AttrValue::Addr(self.src_addr)),
+                LdapAttr::DstAddr => Some(AttrValue::Addr(self.dst_addr)),
+                LdapAttr::DstPort => Some(AttrValue::UInt(self.dst_port.into())),
+                LdapAttr::Proto => Some(AttrValue::UInt(self.proto.into())),
+                _ => None,
+            }
+        } else {
+            None
+        }
     }
 }
 
@@ -292,8 +327,8 @@ impl Match for LdapPlainText {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        ldap_target_attr!(self, raw_event_attr)
     }
 }
 
@@ -407,7 +442,7 @@ impl Match for BlockListLdap {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        ldap_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/log.rs b/src/event/log.rs
index 78b0de0..5ed1dc4 100644
--- a/src/event/log.rs
+++ b/src/event/log.rs
@@ -5,11 +5,12 @@ use std::{
     num::NonZeroU8,
 };
 
+use attrievent::attribute::{LogAttr, RawEventKind};
 use chrono::{serde::ts_nanoseconds, DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
 
 #[derive(Serialize, Deserialize)]
 pub struct ExtraThreat {
@@ -87,7 +88,10 @@ impl Match for ExtraThreat {
         Some(self.confidence)
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Log(LogAttr::Content) = raw_event_attr {
+            return Some(AttrValue::String(&self.content));
+        }
+        None
     }
 }
diff --git a/src/event/mqtt.rs b/src/event/mqtt.rs
index 915fc00..6330e98 100644
--- a/src/event/mqtt.rs
+++ b/src/event/mqtt.rs
@@ -1,10 +1,40 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{MqttAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! mqtt_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Mqtt(attr) = $raw_event_attr {
+            let target_value = match attr {
+                MqttAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                MqttAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                MqttAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                MqttAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                MqttAttr::Proto => AttrValue::UInt($event.proto.into()),
+                MqttAttr::Protocol => AttrValue::String(&$event.protocol),
+                MqttAttr::Version => AttrValue::UInt($event.version.into()),
+                MqttAttr::ClientId => AttrValue::String(&$event.client_id),
+                MqttAttr::ConnackReason => AttrValue::UInt($event.connack_reason.into()),
+                MqttAttr::Subscribe => AttrValue::VecString(&$event.subscribe),
+                MqttAttr::SubackReason => AttrValue::VecUInt(
+                    $event
+                        .suback_reason
+                        .iter()
+                        .map(|val| u64::from(*val))
+                        .collect(),
+                ),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListMqttFields {
@@ -152,7 +182,7 @@ impl Match for BlockListMqtt {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        mqtt_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/network.rs b/src/event/network.rs
index 32108c8..c649d02 100644
--- a/src/event/network.rs
+++ b/src/event/network.rs
@@ -1,11 +1,32 @@
 #![allow(clippy::module_name_repetitions)]
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{NetworkAttr, RawEventKind};
 use chrono::{serde::ts_nanoseconds, DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+// TODO: We plan to implement the triage feature after detection events from other network
+// protocols are consolidated into `NetworkThreat` events.
+macro_rules! network_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {
+        if let RawEventKind::Network(attr) = $raw_event_attr {
+            let target_value = match attr {
+                NetworkAttr::SrcAddr => AttrValue::Addr($event.orig_addr),
+                NetworkAttr::SrcPort => AttrValue::UInt($event.orig_port.into()),
+                NetworkAttr::DstAddr => AttrValue::Addr($event.resp_addr),
+                NetworkAttr::DstPort => AttrValue::UInt($event.resp_port.into()),
+                NetworkAttr::Proto => AttrValue::UInt($event.proto.into()),
+                NetworkAttr::Content => AttrValue::String(&$event.content),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    };
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct NetworkThreat {
@@ -96,7 +117,7 @@ impl Match for NetworkThreat {
         Some(self.confidence)
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        network_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/nfs.rs b/src/event/nfs.rs
index c37ec1c..6a8784b 100644
--- a/src/event/nfs.rs
+++ b/src/event/nfs.rs
@@ -1,10 +1,30 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{NfsAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! nfs_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Nfs(attr) = $raw_event_attr {
+            let target_value = match attr {
+                NfsAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                NfsAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                NfsAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                NfsAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                NfsAttr::Proto => AttrValue::UInt($event.proto.into()),
+                NfsAttr::ReadFiles => AttrValue::VecString(&$event.read_files),
+                NfsAttr::WriteFiles => AttrValue::VecString(&$event.write_files),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListNfsFields {
@@ -131,7 +151,7 @@ impl Match for BlockListNfs {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        nfs_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/ntlm.rs b/src/event/ntlm.rs
index e609bb6..41a5425 100644
--- a/src/event/ntlm.rs
+++ b/src/event/ntlm.rs
@@ -1,10 +1,33 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{NtlmAttr, RawEventKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! ntlm_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Ntlm(attr) = $raw_event_attr {
+            let target_value = match attr {
+                NtlmAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                NtlmAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                NtlmAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                NtlmAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                NtlmAttr::Proto => AttrValue::UInt($event.proto.into()),
+                NtlmAttr::Protocol => AttrValue::String(&$event.protocol),
+                NtlmAttr::Username => AttrValue::String(&$event.username),
+                NtlmAttr::Hostname => AttrValue::String(&$event.hostname),
+                NtlmAttr::Domainname => AttrValue::String(&$event.domainname),
+                NtlmAttr::Success => AttrValue::String(&$event.success),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListNtlmFields {
@@ -144,7 +167,7 @@ impl Match for BlockListNtlm {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        ntlm_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/rdp.rs b/src/event/rdp.rs
index 9d1e31f..e427135 100644
--- a/src/event/rdp.rs
+++ b/src/event/rdp.rs
@@ -6,15 +6,33 @@ use std::{
     num::NonZeroU8,
 };
 
+use attrievent::attribute::{RawEventKind, RdpAttr};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
 use super::{
     common::{vector_to_string, Match},
-    EventCategory, TriagePolicy, TriageScore, MEDIUM,
+    EventCategory, TriageScore, MEDIUM,
 };
-use crate::event::common::triage_scores_to_string;
-
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! rdp_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Rdp(attr) = $raw_event_attr {
+            let target_value = match attr {
+                RdpAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                RdpAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                RdpAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                RdpAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                RdpAttr::Proto => AttrValue::UInt($event.proto.into()),
+                RdpAttr::Cookie => AttrValue::String(&$event.cookie),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 #[derive(Serialize, Deserialize)]
 pub struct RdpBruteForceFields {
     pub src_addr: IpAddr,
@@ -121,8 +139,17 @@ impl Match for RdpBruteForce {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        if let RawEventKind::Rdp(attr) = raw_event_attr {
+            match attr {
+                RdpAttr::SrcAddr => Some(AttrValue::Addr(self.src_addr)),
+                RdpAttr::DstAddr => Some(AttrValue::VecAddr(&self.dst_addrs)),
+                RdpAttr::Proto => Some(AttrValue::UInt(self.proto.into())),
+                _ => None,
+            }
+        } else {
+            None
+        }
     }
 }
 
@@ -245,7 +272,7 @@ impl Match for BlockListRdp {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        rdp_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/smb.rs b/src/event/smb.rs
index 2fed020..a896ff8 100644
--- a/src/event/smb.rs
+++ b/src/event/smb.rs
@@ -1,10 +1,39 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{RawEventKind, SmbAttr};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! smb_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Smb(attr) = $raw_event_attr {
+            let target_value = match attr {
+                SmbAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                SmbAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                SmbAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                SmbAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                SmbAttr::Proto => AttrValue::UInt($event.proto.into()),
+                SmbAttr::Command => AttrValue::UInt($event.command.into()),
+                SmbAttr::Path => AttrValue::String(&$event.path),
+                SmbAttr::Service => AttrValue::String(&$event.service),
+                SmbAttr::FileName => AttrValue::String(&$event.file_name),
+                SmbAttr::FileSize => AttrValue::UInt($event.file_size),
+                SmbAttr::ResourceType => AttrValue::UInt($event.resource_type.into()),
+                SmbAttr::Fid => AttrValue::UInt($event.fid.into()),
+                SmbAttr::CreateTime => AttrValue::SInt($event.create_time),
+                SmbAttr::AccessTime => AttrValue::SInt($event.access_time),
+                SmbAttr::WriteTime => AttrValue::SInt($event.write_time),
+                SmbAttr::ChangeTime => AttrValue::SInt($event.change_time),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListSmbFields {
@@ -175,7 +204,7 @@ impl Match for BlockListSmb {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        smb_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/smtp.rs b/src/event/smtp.rs
index 0b5489b..3f2a0d4 100644
--- a/src/event/smtp.rs
+++ b/src/event/smtp.rs
@@ -1,10 +1,35 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{RawEventKind, SmtpAttr};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! smtp_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Smtp(attr) = $raw_event_attr {
+            let target_value = match attr {
+                SmtpAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                SmtpAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                SmtpAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                SmtpAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                SmtpAttr::Proto => AttrValue::UInt($event.proto.into()),
+                SmtpAttr::MailFrom => AttrValue::String(&$event.mailfrom),
+                SmtpAttr::Date => AttrValue::String(&$event.date),
+                SmtpAttr::From => AttrValue::String(&$event.from),
+                SmtpAttr::To => AttrValue::String(&$event.to),
+                SmtpAttr::Subject => AttrValue::String(&$event.subject),
+                SmtpAttr::Agent => AttrValue::String(&$event.agent),
+                SmtpAttr::State => AttrValue::String(&$event.state),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListSmtpFields {
@@ -157,7 +182,7 @@ impl Match for BlockListSmtp {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        smtp_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/ssh.rs b/src/event/ssh.rs
index 967c0d1..90abaf3 100644
--- a/src/event/ssh.rs
+++ b/src/event/ssh.rs
@@ -1,10 +1,43 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{RawEventKind, SshAttr};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+macro_rules! ssh_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Ssh(attr) = $raw_event_attr {
+            let target_value = match attr {
+                SshAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                SshAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                SshAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                SshAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                SshAttr::Proto => AttrValue::UInt($event.proto.into()),
+                SshAttr::Client => AttrValue::String(&$event.client),
+                SshAttr::Server => AttrValue::String(&$event.server),
+                SshAttr::CipherAlg => AttrValue::String(&$event.cipher_alg),
+                SshAttr::MacAlg => AttrValue::String(&$event.mac_alg),
+                SshAttr::CompressionAlg => AttrValue::String(&$event.compression_alg),
+                SshAttr::KexAlg => AttrValue::String(&$event.kex_alg),
+                SshAttr::HostKeyAlg => AttrValue::String(&$event.host_key_alg),
+                SshAttr::HasshAlgorithms => AttrValue::String(&$event.hassh_algorithms),
+                SshAttr::Hassh => AttrValue::String(&$event.hassh),
+                SshAttr::HasshServerAlgorithms => {
+                    AttrValue::String(&$event.hassh_server_algorithms)
+                }
+                SshAttr::HasshServer => AttrValue::String(&$event.hassh_server),
+                SshAttr::ClientShka => AttrValue::String(&$event.client_shka),
+                SshAttr::ServerShka => AttrValue::String(&$event.server_shka),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListSshFields {
@@ -186,7 +219,7 @@ impl Match for BlockListSsh {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        ssh_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/sysmon.rs b/src/event/sysmon.rs
index 9b4f3f0..ee916fd 100644
--- a/src/event/sysmon.rs
+++ b/src/event/sysmon.rs
@@ -5,11 +5,34 @@ use std::{
     num::NonZeroU8,
 };
 
+use attrievent::attribute::{RawEventKind, WindowAttr};
 use chrono::{serde::ts_nanoseconds, DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::triage_scores_to_string;
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, AttrValue};
+
+// TODO: We plan to implement the triage feature only after we have cleaned up the range of
+// values for the properties for each sysmon service.
+macro_rules! window_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {
+        if let RawEventKind::Window(attr) = $raw_event_attr {
+            let target_value = match attr {
+                WindowAttr::Service => AttrValue::String(&$event.service),
+                WindowAttr::AgentName => AttrValue::String(&$event.agent_name),
+                WindowAttr::AgentId => AttrValue::String(&$event.agent_id),
+                WindowAttr::ProcessGuid => AttrValue::String(&$event.process_guid),
+                WindowAttr::ProcessId => AttrValue::UInt($event.process_id.into()),
+                WindowAttr::Image => AttrValue::String(&$event.image),
+                WindowAttr::User => AttrValue::String(&$event.user),
+                WindowAttr::Content => AttrValue::String(&$event.content),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    };
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct WindowsThreat {
@@ -102,7 +125,7 @@ impl Match for WindowsThreat {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        window_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/event/tls.rs b/src/event/tls.rs
index d434415..131fc5d 100644
--- a/src/event/tls.rs
+++ b/src/event/tls.rs
@@ -1,10 +1,67 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{RawEventKind, TlsAttr};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::{triage_scores_to_string, vector_to_string};
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{triage_scores_to_string, vector_to_string, AttrValue};
+
+macro_rules! tls_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventKind::Tls(attr) = $raw_event_attr {
+            let target_value = match attr {
+                TlsAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                TlsAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                TlsAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                TlsAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                TlsAttr::Proto => AttrValue::UInt($event.proto.into()),
+                TlsAttr::ServerName => AttrValue::String(&$event.server_name),
+                TlsAttr::AlpnProtocol => AttrValue::String(&$event.server_name),
+                TlsAttr::Ja3 => AttrValue::String(&$event.ja3),
+                TlsAttr::Version => AttrValue::String(&$event.version),
+                TlsAttr::ClientCipherSuites => AttrValue::VecUInt(
+                    $event
+                        .client_cipher_suites
+                        .iter()
+                        .map(|val| u64::from(*val))
+                        .collect(),
+                ),
+                TlsAttr::ClientExtensions => AttrValue::VecUInt(
+                    $event
+                        .client_extensions
+                        .iter()
+                        .map(|val| u64::from(*val))
+                        .collect(),
+                ),
+                TlsAttr::Cipher => AttrValue::UInt($event.cipher.into()),
+                TlsAttr::Extensions => AttrValue::VecUInt(
+                    $event
+                        .extensions
+                        .iter()
+                        .map(|val| u64::from(*val))
+                        .collect(),
+                ),
+                TlsAttr::Ja3s => AttrValue::String(&$event.ja3s),
+                TlsAttr::Serial => AttrValue::String(&$event.serial),
+                TlsAttr::SubjectCountry => AttrValue::String(&$event.subject_country),
+                TlsAttr::SubjectOrgName => AttrValue::String(&$event.subject_org_name),
+                TlsAttr::SubjectCommonName => AttrValue::String(&$event.subject_common_name),
+                TlsAttr::ValidityNotBefore => AttrValue::SInt($event.validity_not_before.into()),
+                TlsAttr::ValidityNotAfter => AttrValue::SInt($event.validity_not_after.into()),
+                TlsAttr::SubjectAltName => AttrValue::String(&$event.subject_alt_name),
+                TlsAttr::IssuerCountry => AttrValue::String(&$event.issuer_country),
+                TlsAttr::IssuerOrgName => AttrValue::String(&$event.issuer_org_name),
+                TlsAttr::IssuerOrgUnitName => AttrValue::String(&$event.issuer_org_unit_name),
+                TlsAttr::IssuerCommonName => AttrValue::String(&$event.issuer_common_name),
+                TlsAttr::LastAlert => AttrValue::UInt($event.last_alert.into()),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListTlsFields {
@@ -227,8 +284,8 @@ impl Match for BlockListTls {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        tls_target_attr!(self, raw_event_attr)
     }
 }
 
@@ -382,7 +439,7 @@ impl Match for SuspiciousTlsTraffic {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn target_attribute(&self, raw_event_attr: RawEventKind) -> Option<AttrValue> {
+        tls_target_attr!(self, raw_event_attr)
     }
 }
diff --git a/src/migration.rs b/src/migration.rs
index d0ad939..7e120c6 100644
--- a/src/migration.rs
+++ b/src/migration.rs
@@ -1953,7 +1953,7 @@ mod tests {
             method: "POST".to_string(),
             host: "cluml".to_string(),
             uri: "/cluml.gif".to_string(),
-            referer: "cluml.com".to_string(),
+            referrer: "cluml.com".to_string(),
             version: "version".to_string(),
             user_agent: "review-database".to_string(),
             request_len: 0,
@@ -2033,7 +2033,7 @@ mod tests {
             method: "POST".to_string(),
             host: "cluml".to_string(),
             uri: "/cluml.gif".to_string(),
-            referer: "cluml.com".to_string(),
+            referrer: "cluml.com".to_string(),
             version: "version".to_string(),
             user_agent: "review-database".to_string(),
             request_len: 0,
diff --git a/src/migration/migration_structures.rs b/src/migration/migration_structures.rs
index f87bcc3..25516a2 100644
--- a/src/migration/migration_structures.rs
+++ b/src/migration/migration_structures.rs
@@ -111,7 +111,7 @@ pub struct HttpThreatBeforeV29 {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -146,7 +146,7 @@ impl From<HttpThreatBeforeV29> for HttpThreatBeforeV30 {
             method: input.method,
             host: input.host,
             uri: input.uri,
-            referer: input.referer,
+            referrer: input.referrer,
             version: input.version,
             user_agent: input.user_agent,
             request_len: input.request_len,
@@ -190,7 +190,7 @@ pub struct HttpThreatBeforeV30 {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -231,7 +231,7 @@ impl From<HttpThreatBeforeV30> for HttpThreatFields {
             method: input.method,
             host: input.host,
             uri: input.uri,
-            referer: input.referer,
+            referrer: input.referrer,
             version: input.version,
             user_agent: input.user_agent,
             request_len: input.request_len,
@@ -273,7 +273,7 @@ pub struct DgaBeforeV29 {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -302,7 +302,7 @@ impl From<DgaBeforeV29> for DgaBeforeV30 {
             method: input.method,
             host: input.host,
             uri: input.uri,
-            referer: input.referer,
+            referrer: input.referrer,
             version: input.version,
             user_agent: input.user_agent,
             request_len: input.request_len,
@@ -338,7 +338,7 @@ pub struct DgaBeforeV30 {
     pub method: String,
     pub host: String,
     pub uri: String,
-    pub referer: String,
+    pub referrer: String,
     pub version: String,
     pub user_agent: String,
     pub request_len: usize,
@@ -373,7 +373,7 @@ impl From<DgaBeforeV30> for DgaFields {
             method: input.method,
             host: input.host,
             uri: input.uri,
-            referer: input.referer,
+            referrer: input.referrer,
             version: input.version,
             user_agent: input.user_agent,
             request_len: input.request_len,
diff --git a/src/tables/triage_policy.rs b/src/tables/triage_policy.rs
index 0c17419..b477e95 100644
--- a/src/tables/triage_policy.rs
+++ b/src/tables/triage_policy.rs
@@ -68,8 +68,11 @@ pub enum TiCmpKind {
 #[derive(Clone, Copy, Eq, PartialEq, Ord, PartialOrd, Deserialize, Serialize)]
 pub enum ValueKind {
     String,
-    Integer,
+    SInteger,
+    UInteger,
     Float,
+    IpAddr,
+    Bool,
 }
 
 #[derive(Clone, Copy, Eq, PartialEq, Ord, PartialOrd, Deserialize, Serialize)]
@@ -135,6 +138,7 @@ impl Ord for Ti {
 
 #[derive(Clone, PartialEq, Deserialize, Serialize)]
 pub struct PacketAttr {
+    pub raw_event_type: String,
     pub attr_name: String,
     pub value_kind: ValueKind,
     pub cmp_kind: AttrCmpKind,