Incident data model
The structure of an incident is represented by fields that contain values (see the table below). Fields can also contain nested structures.
| Section and subsections | Incident field | Value type | Is required | Description |
|---|---|---|---|---|
| | | String | Yes | Short internal incident ID. |
| | | String | Yes | Internal incident ID. |
| | | String | Yes | ID of the tenant that the incident is associated with. |
| | | String | Yes | Date and time of the incident creation. |
| | | Nested list of strings | Yes | Detection technology triggered when the alert included in the incident was detected. Possible values: |
| | | String | Yes | Date and time of the first telemetry event of the alert related to the incident. |
| | | String | Yes | Date and time of the last telemetry event of the alert related to the incident. |
| | | String | Yes | Severity of the incident. Possible values: |
| | | String | No | Link to an entity in an external system (for example, a link to a Jira ticket). |
| | | String | Yes | Incident status. Possible values: |
| | | String | No | Date and time of the incident status change. |
| | | String | No | Resolution of the incident status. Possible values: |
| | | String | Yes | Date and time of the last incident change. |
| | | String | No | Incident description. |
| | | String | Yes | Method of creating an incident. Possible values: |
| | | String | Yes | Priority of the incident. Possible values: |
| | | String | No | Data of the application that provides the incident. Application data is presented in JSON format. |
| | | String | No | User account ID of the operator to whom the incident is assigned. |
| | | String | No | Name of the operator to whom the incident is assigned. |
| | | String | No | Array of tactics from MITRE related to all triggered IOA rules in the incident. |
| | | String | No | Array of techniques from MITRE related to all triggered IOA rules in the incident. |
| | | String | No | Additional information about observables. |
| | | String | No | Observable type. Possible values: |
| | | String | No | Observable value. |
| | | String | No | Confidence level of the triggered rule. Possible values: |
| | | Boolean | No | Indicator that the incident is based on custom rules. |
| | | String | No | ID of the triggered rule. |
| | | String | No | Name of the triggered rule. |
| | | String | No | Severity of the triggered rule. |
| | | String | No | Type of the triggered rule. |
| | | String | No | ID of the affected asset (a device or an account). |
| | | Boolean | No | Indicator that the affected asset (a device or an account) is an attacker. |
| | | Boolean | No | Indicator that the affected asset (a device or an account) is a victim. |
| | | String | No | Administration Server that the affected asset (a device or an account) belongs to. This property is used to obtain the asset administration group. |
| | | String | No | The name of the affected device that the incident is associated with (if the asset is a device), or the user name of the affected user account that the incident is associated with (if the asset is an account). |
| | | String | No | Type of the affected asset (a device or an account). Possible values: |