Alert linked to incident or unlinked from incident

| Event field name | Field value |
|---|---|
| DeviceAction | link alert to incident or unlink alert from incident |
| EventOutcome | succeeded or failed |
| SourceTranslatedAddress | The value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty. |
| SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address. |
| SourcePort | The port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side. |
| SourceUserName | User name of the user that linked the alert to the incident or unlinked the alert from the incident. |
| SourceUserID | ID of the user that linked the alert to the incident or unlinked the alert from the incident. |
| ExternalID | ID of the incident. |
| Name | Name of the incident. |
| DeviceFacility | Action: link or unlink. |
| DeviceCustomString1 | ID of the alert that was linked or unlinked. |
| DeviceCustomString2Label | alert ID |
| DeviceCustomString1 | Name of the alert that was linked or unlinked. |
| DeviceCustomString2Label | alert name |
| Message | If EventOutcome = failed, an error message is written to this field. |
| DeviceCustomString5 | Tenant ID. |
| DeviceCustomString5Label | tenant ID |
| DeviceCustomString6 | Tenant name. |
| DeviceCustomString6Label | tenant name |
