Alert data model
The structure of an alert is represented by fields that contain values (see the table below). Fields can also contain nested structures.
| Section and subsections | Alert field | Value type | Is required | Description |
|---|---|---|---|---|
| | | String | Yes | Short internal alert ID. |
| | | String | Yes | Internal alert ID. |
| | | String | Yes | ID of the tenant that the alert is associated with. |
| | | String | Yes | Date and time of the alert creation. |
| | | Nested list of strings | Yes | Triggered detection technology. Possible values: |
| | | String | No | Internal ID of the incident associated with the alert. |
| | | String | No | Way to add an alert to an incident. Possible values: |
| | | String | Yes | Date and time of the first telemetry event related to the alert. |
| | | String | Yes | Date and time of the last telemetry event related to the alert. |
| | | String | Yes | Severity of the alert. Possible values: |
| | | String | Yes | Date and time of the alert creation in the integrated component. |
| | | String | Yes | Unique alert identifier in the integrated component. |
| | | String | No | Link to an entity in an external system (for example, a link to a Jira ticket). |
| | | String | Yes | Alert status. Possible values: |
| | | String | No | Resolution of the alert status. Possible values: |
| | | String | No | Date and time of the last alert status change. |
| | | String | Yes | Date and time of the last alert change. |
| | | String | No | Data of the application that provides the alert. Application data is presented in JSON format. |
| | | String | No | Events on the basis of which the alert is generated. |
| | | String | No | User account ID of the operator to whom the incident is assigned. |
| | | String | No | Name of the operator to whom the incident is assigned. |
| | | String | No | Array of tactics from MITRE related to all triggered IOA rules in the alert. |
| | | String | No | Array of techniques from MITRE related to all triggered IOA rules in the alert. |
| | | String | No | Additional information about observables. |
| | | String | No | Observables type. Possible values: |
| | | String | No | Observables value. |
| | | String | No | Confidence level of the triggered rule. Possible values: |
| | | Boolean | No | Indicator that the alert is based on custom rules. |
| | | String | No | ID of the triggered rule. |
| | | String | No | Name of the triggered rule. |
| | | String | No | Severity of the triggered rule. Possible values: |
| | | String | No | Type of the triggered rule. |
| | | String | No | ID of the affected asset (a device or an account). |
| | | Boolean | No | Indicator that the affected asset (a device or an account) is an attacker. |
| | | Boolean | No | Indicator that the affected asset (a device or an account) is a victim. |
| | | String | No | Administration Server that the affected asset (a device or an account) belongs to. This property is used to obtain the asset administration group. |
| | | String | No | The name of the affected device that the alert is associated with (if the asset is a device), or the user name of the affected user account associated with the events on the basis of which the alert is generated (if the asset is an account). |
| | | String | No | Type of the affected asset (a device or an account). Possible values: |
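As an added example (not part of the original page and not the product's own code), the block below checks an incoming alert record against the model above: it enforces the "Is required" flag, the three value types the table uses (String, Boolean, Nested list of strings), and the note that application data is a JSON document carried inside a String field. Because the extracted table lost the "Alert field" column, every key name in the schema is a placeholder, and both sample records are constructed; an integrator would substitute the product's real field names.

```python
"""Schema-driven validation of an alert record against the alert data model.

Field names are PLACEHOLDERS (the page's "Alert field" column did not survive
extraction); replace them with the product's real field names. Value types and
required flags follow the table: String, Boolean, and Nested list of strings,
with one String field carrying application data encoded as JSON.
"""
import json
from typing import Any

# Placeholder field name -> (value type as written in the table, is_required)
ALERT_SCHEMA: dict[str, tuple[str, bool]] = {
    "placeholder_short_id": ("String", True),
    "placeholder_tenant_id": ("String", True),
    "placeholder_created_at": ("String", True),
    "placeholder_detection_technology": ("Nested list of strings", True),
    "placeholder_incident_id": ("String", False),
    "placeholder_status": ("String", True),
    "placeholder_app_data": ("String", False),  # JSON document stored as a string
    "placeholder_is_custom_rule": ("Boolean", False),
    "placeholder_asset_is_attacker": ("Boolean", False),
}

# String fields whose content must itself parse as JSON (per the table).
JSON_STRING_FIELDS = {"placeholder_app_data"}


def _is_nested_list_of_strings(value: Any) -> bool:
    """True for a list whose elements are strings or (recursively) such lists."""
    if not isinstance(value, list):
        return False
    return all(isinstance(v, str) or _is_nested_list_of_strings(v) for v in value)


_TYPE_CHECKS = {
    "String": lambda v: isinstance(v, str),
    # bool is a subclass of int in Python, so check bool explicitly rather than int.
    "Boolean": lambda v: isinstance(v, bool),
    "Nested list of strings": _is_nested_list_of_strings,
}


def validate_alert(alert: dict[str, Any]) -> list[str]:
    """Return a list of problems found; an empty list means the record conforms."""
    problems: list[str] = []
    for field, (value_type, required) in ALERT_SCHEMA.items():
        if field not in alert:
            if required:
                problems.append(f"missing required field {field}")
            continue
        value = alert[field]
        if not _TYPE_CHECKS[value_type](value):
            problems.append(f"{field}: expected {value_type}, got {type(value).__name__}")
            continue
        if field in JSON_STRING_FIELDS:
            try:
                json.loads(value)
            except ValueError:
                problems.append(f"{field}: not valid JSON")
    # Unknown keys are reported rather than silently accepted, so a changed
    # upstream model is noticed instead of being dropped on the floor.
    for field in alert:
        if field not in ALERT_SCHEMA:
            problems.append(f"unexpected field {field}")
    return problems


# Constructed sample records (placeholder names, invented values).
GOOD_ALERT = {
    "placeholder_short_id": "A-1",
    "placeholder_tenant_id": "tenant-1",
    "placeholder_created_at": "2024-01-01T00:00:00Z",
    "placeholder_detection_technology": [["sample-tech"], "sample-tech-2"],
    "placeholder_status": "New",
    "placeholder_app_data": json.dumps({"source": "sample-app"}),
    "placeholder_is_custom_rule": False,
}

BAD_ALERT = {
    "placeholder_short_id": "A-2",
    "placeholder_tenant_id": "tenant-1",
    "placeholder_created_at": "2024-01-01T00:00:00Z",
    "placeholder_detection_technology": "sample-tech",  # String, not a nested list
    # placeholder_status (required) is missing
    "placeholder_app_data": "{not json",
    "placeholder_is_custom_rule": 1,  # int, not Boolean
}

if __name__ == "__main__":
    for name, record in (("good", GOOD_ALERT), ("bad", BAD_ALERT)):
        print(name, validate_alert(record) or "conforms")
```

Reporting unexpected keys, rather than ignoring them, is deliberate: when a connector feeds these alerts into a SIEM or ticketing system, a silently dropped field is a detection gap, whereas an explicit "unexpected field" entry surfaces upstream model changes during testing.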