Incident data model

Support

Support for business applications

Kaspersky XDR Expert

Threat detection

Working with incidents

Incident data model

May 15, 2024

ID 269168

Get as PDF

The structure of an incident is represented by fields that contain values (see the table below). Fields can also contain nested structures.

Section and subsections	Incident field	Value type	Is required	Description
`Incidents`	`ID`	String	Yes	Short internal incident ID.
	`InternalID`	String	Yes	Internal incident ID.
	`TenantID`	String	Yes	ID of the tenant that the incident is associated with.
	`CreatedAt`	String	Yes	Date and time of the incident creation.
	`DetectionTechnologies`	Nested list of strings	Yes	Detection technology triggered when the alert included in the incident was detected. Possible values: `IOC` `IOA`
	`FirstEventTime`	String	Yes	Date and time of the first telemetry event of the alert related to the incident.
	`LastEventTime`	String	Yes	Date and time of the last telemetry event of the alert related to the incident.
	`Severity`	String	Yes	Severity of the incident. Possible values: `Critical` `High` `Medium` `Low`
	`ExternalRef`	String	No	Link to an entity in an external system (for example, a link to a Jira ticket).
	`Status`	String	Yes	Incident status. Possible values: `open` `inProgress` `hold` `closed`
	`StatusChangedAt`	String	No	Date and time of the incident status change.
	`StatusResolution`	String	No	Resolution of the incident status. Possible values: `truePositive` `falsePositive` `lowPriority` `merged`
	`UpdatedAt`	String	Yes	Date and time of the last incident change.
	`Description`	String	No	Incident description.
	`SignOfCreation`	String	Yes	Method of creating an incident. Possible values: `auto` `manual`
	`Priority`	String	Yes	Priority of the incident. Possible values: `Critical` `High` `Medium` `Low`
	`Extra`	String	No	Data of the application that provides the incident. Application data is presented in the JSON format.
`Incidents → Assignee`	`ID`	String	No	User account ID of the operator to whom the incident is assigned.
`Incidents → Assignee`	`Name`	String	No	Name of the operator to whom the incident is assigned.
`Incidents → MITRETactics`	`ID`	String	No	Array of tactics from MITRE related to all triggered IOA rules in the incident.
`Incidents → MITRETechniques`	`ID`	String	No	Array of techniques from MITRE related to all triggered IOA rules in the incident.
`Incidents → Observables`	`Details`	String	No	Additional information about observables.
	`Type`	String	No	Observables type. Possible values: `ip` `md5` `url` `domain` `SHA256` `UserName` `HostName`
	`Value`	String	No	Observables value.
`Incidents → Rules`	`Confidence`	String	No	Confidence level of the triggered rule. Possible values: `High` `Medium` `Low`
	`Custom`	Boolean	No	Indicator that the incident is based on custom rules.
	`ID`	String	No	ID of the triggered rule.
	`Name`	String	No	Name of the triggered rule.
	`Severity`	String	No	Severity of the triggered rule.
	`Type`	String	No	Type of the triggered rule.
`Incidents → Assets`	`ID`	String	No	ID of the affected asset (a device or an account).
	`IsAttacker`	Boolean	No	Indicator that the affected asset (a device or an account) is an attacker.
	`IsVictim`	Boolean	No	Indicator that the affected asset (a device or an account) is a victim.
	`KSCServer`	String	No	Administration Server that the affected asset (a device or an account) belongs to. This property is used to obtain the asset administration group.
	`Name`	String	No	The name of the affected device that the incident is associated with (if `Type` is set to `Host`). The user name of the affected user account that the incident associated with (if `Type` is set to `User`).
	`Type`	String	No	Type of the affected asset (a device or an account). Possible values: `Host` `User`

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.