Alert data model

Support

Support for business applications

Kaspersky XDR Expert

Threat detection

Working with alerts

Alert data model

May 15, 2024

ID 269125

Get as PDF

The structure of an alert is represented by fields that contain values (see the table below). Fields can also contain nested structures.

Section and subsections	Alert field	Value type	Is required	Description
`Alerts`	`ID`	String	Yes	Short internal alert ID.
	`InternalID`	String	Yes	Internal alert ID.
	`TenantID`	String	Yes	ID of the tenant that the alert is associated with.
	`CreatedAt`	String	Yes	Date and time of the alert creation.
	`DetectionTechnologies`	Nested list of strings	Yes	Triggered detection technology. Possible values: `IOC` `IOA`
	`IncidentID`	String	No	Internal ID of the incident associated with the alert.
	`IncidentLinkType`	String	No	Way to add an alert to an incident. Possible values: `Manual` `Auto`
	`FirstEventTime`	String	Yes	Date and time of the first telemetry event related to the alert.
	`LastEventTime`	String	Yes	Date and time of the last telemetry event related to the alert.
	`Severity`	String	Yes	Severity of the alert. Possible values: `Critical` `High` `Medium` `Low`
	`SourceCreatedAt`	String	Yes	Date and time of the alert creation in the integrated component.
	`SourceID`	String	Yes	Unique alert identifier in the integrated component.
	`ExternalRef`	String	No	Link to an entity in an external system (for example, a link to a Jira ticket).
	`Status`	String	Yes	Alert status. Possible values: `new` `inProgress` `inIncident` `closed`
	`StatusResolution`	String	No	Resolution of the alert status. Possible values: `truePositive` `falsePositive` `lowPriority`
	`StatusChangedAt`	String	No	Date and time of the last alert status change
	`UpdatedAt`	String	Yes	Date and time of the last alert change.
	`Extra`	String	No	Data of the application that provides the alert. Application data is presented in the JSON format.
	`OriginalEvents`	String	No	Events on the basis of which the alert is generated.
`Alerts → Assignee`	`ID`	String	No	User account ID of the operator to whom the incident is assigned.
`Alerts → Assignee`	`Name`	String	No	Name of the operator to whom the incident is assigned.
`Alerts → MITRETactics`	`ID`	String	No	Array of tactics from MITRE related to all triggered IOA rules in the alert.
`Alerts → MITRETechniques`	`ID`	String	No	Array of techniques from MITRE related to all triggered IOA rules in the alert.
`Alerts → Observables`	`Details`	String	No	Additional information about observables.
	`Type`	String	No	Observables type. Possible values: `ip` `md5` `url` `domain` `SHA256` `UserName` `HostName`
	`Value`	String	No	Observables value.
`Alerts → Rules`	`Confidence`	String	No	Confidence level of the triggered rule. Possible values: `High` `Medium` `Low`
	`Custom`	Boolean	No	Indicator that the alert is based on custom rules.
	`ID`	String	No	ID of the triggered rule.
	`Name`	String	No	Name of the triggered rule.
	`Severity`	String	No	Severity of the triggered rule. Possible values: `Critical` `High` `Medium` `Low`
	`Type`	String	No	Type of the triggered rule.
`Alerts → Assets`	`ID`	String	No	ID of the affected asset (a device or an account).
	`IsAttacker`	Boolean	No	Indicator that the affected asset (a device or an account) is an attacker.
	`IsVictim`	Boolean	No	Indicator that the affected asset (a device or an account) is a victim.
	`KSCServer`	String	No	Administration Server that the affected asset (a device or an account) belongs to. This property is used to obtain the asset administration group.
	`Name`	String	No	The name of the affected device that the alert is associated with (if `Type` is set to `Host`). The user name of the affected user account associated with events on the basis of which the alert is generated (if `Type` is set to `User`).
	`Type`	String	No	Type of the affected asset (a device or an account). Possible values: `Host` `User`

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.