Alert data model

This section describes the KUMA alert data model. Alerts are created by correlators whenever information security threats are detected using correlation rules. Alerts must be investigated to eliminate these threats.

Alert field

Data type

Description

ID

String

Unique ID of the alert.

TenantID

String

ID of the tenant that owns the alert. The value is inherited from the correlator that generated the alert.

TenantName

String

Tenant name.

CorrelationRuleID

String

ID of the rule used as the basis for generating the alert.

CorrelationRuleName

String

Name of the correlation rule used as the basis for generating the alert.

Status

String

Alert status. Possible values:

  • New—new alert.
  • Assigned—the alert is assigned to a user.
  • Closed—the alert was closed.
  • Exported to IRP—the alert was exported to the IRP system for further investigation.
  • Escalated—an incident was generated based on this alert.

Priority

Number

Alert severity. Possible values:

  • 1–4 — Low.
  • 5–8 — Medium.
  • 9–12 — High.
  • 13–16 — Critical.

ManualPriority

TRUE/FALSE string

Parameter showing how the alert severity level was determined. Possible values:

  • true—defined by the user.
  • false (default value)—calculated automatically.

FirstSeen

Number

Time when the first correlation event was created from the alert.

LastSeen

Number

Time when the last correlation event was created from the alert.

UpdatedAt           

Number

Date of the last modification to the alert parameters.

UserID               

String

ID of the KUMA user assigned to examine the alert.

UserName 

String

Name of the KUMA user assigned to examine the alert.
 

GroupedBy

Nested list of strings

List of event fields used to group events in the correlation rule.

ClosingReason

String

Reason for closing the alert. Possible values:

  • Incorrect Correlation Rule—the alert was a false positive and the received events do not indicate a real security threat. The correlation rule may need to be updated.
  • Incorrect Data—the alert was a false positive and the received events do not indicate a real security threat.
  • Responded—the appropriate measures were taken to eliminate the security threat.

Overflow             

TRUE/FALSE string

Indicator that the alert is overflowed, which means that the size of the alert and the events associated with it exceeds 16 MB. Possible values:

  • true
  • false

MaxAssetsWeightStr   

String

Maximum severity of the asset categories associated with the alert.

IntegrationID

String

ID of the alert in the IRP / SOAR application, if integration with such an application is configured in KUMA.

ExternalReference

String

Link to a section in the IRP / SOAR application that displays information about an alert imported from KUMA.

IncidentID 

String

ID of the incident to which the alert is linked.

IncidentName

String

Name of the incident to which the alert is linked.

SegmentationRuleName

String

Name of the segmentation rule used to group correlation events in the alert.

BranchID      

String

ID of the hierarchy branch in which the alert was generated. Indicated for a hierarchical deployment of KUMA.

BranchName  

String

Name of the hierarchy branch in which the alert was generated. Indicated for a hierarchical deployment of KUMA.

Actions

Nested [Action] structure

Nested structure with lines indicating changes to alert statuses and assignments, and user comments.

Events

Nested [EventWrapper] structure

Nested structure from which you can query the correlation events associated with the alert.

Assets

Nested [Asset] structure

Nested structure from which you can query assets associated with the alert.

Accounts

Nested [Account] structure

Nested structure from which you can query the user accounts associated with the alert.

AffectedAssets

Nested [Affected] structure

Nested structure from which you can query alert-related assets and user accounts, and find out the number of times they appear in alert events.

Nested Affected structure

Field

Data type

Description

Assets

Nested [AffectedRecord] list

List and number of assets associated with the alert.

Accounts

Nested [AffectedRecord] list

List and number of user accounts associated with the alert.

Nested AffectedRecord structure

Field

Data type

Description

Value

String

ID of the asset or user account.

Count

Number

The number of times an asset or user account appears in alert-related events.

Nested EventWrapper structure

Field

Data type

Description

Event

Nested [Event] structure

Event fields.

Comment

String

Comment added when events were added to the alert.

LinkedAt

Number

Date when events were added to the alert.

Nested Action structure

Field

Data type

Description

CreatedAt

Number

Date when the action was taken on the alert.

UserID

String

User ID.

Kind

String

Type of action.

Value

String

Value.

Event

Nested [Event] structure

Event fields.

ClusterID

String

Cluster ID.

Page top