Kaspersky Next XDR Expert
1.1.9

Contents

Alert data model

The structure of an alert is represented by fields that contain values (see the table below). Some fields are objects or arrays of objects with their own set of fields (for example, the Assignee and Assets fields).

Alert

Field

Value type

Is required

Description

InternalID

String

Yes

Internal alert ID, in the UUID format. The field value may match the SourceID value.

ID

Integer

Yes

Short internal alert ID.

TenantID

String

Yes

ID of the tenant that the alert is associated with, in the UUID format.

CreatedAt

String

Yes

Date and time of the alert generation, in the RFC 3339 format.

UpdatedAt

String

Yes

Date and time of the last alert change, in the RFC 3339 format.

StatusChangedAt

String

No

Date and time of the last alert status change, in the RFC 3339 format.

Severity

String

Yes

Severity of the alert.

Possible values:

  • critical
  • high
  • medium
  • low

IntegrationID

String

Yes

ID of the Kaspersky application management plug-in that is integrated in OSMP.

IntegrationCompatibilityVersion

String

Yes

Version of the Kaspersky application management plug-in that is integrated in OSMP.

SourceID

String

No

Unique alert identifier in the integrated component.

SourceCreatedAt

String

No

Date and time of the alert generation in the integrated component, in the RFC 3339 format.

FirstEventTime

String

Yes

Date and time of the first telemetry event related to the alert, in the RFC 3339 format.

LastEventTime

String

Yes

Date and time of the last telemetry event related to the alert, in the RFC 3339 format.

DetectSource

String

No

Component that detects and generates the alert.

Status

String

Yes

Alert status.

Possible values:

  • new
  • inProgress
  • inIncident
  • closed

StatusResolution

String

No

Resolution of the alert status.

Possible values:

  • truePositive
  • falsePositive
  • lowPriority
  • merged

IncidentID

String

No

Internal ID of the incident associated with the alert.

IncidentLinkType

String

No

Way to add an alert to an incident.

Possible values:

  • manual
  • auto

Assignee

Assignee object

No

Operator to whom the alert is assigned.

MITRETactics

Array of MITRETactic objects

No

MITRE tactics related to all triggered IOA rules in the alert.

MITRETechniques

Array of MITRETechnique objects

No

MITRE techniques related to all triggered IOA rules in the alert.

Observables

Array of Observable objects

No

Observables related to the alert.

Assets

Array of Asset objects

No

Assets affected by the alert.

Rules

Array of Rule objects

No

Triggered correlation rules, on the basis of which the alert is generated.

OriginalEvents

Array of objects

No

Events, on the basis of which the alert is generated.

Assignee

Field

Value type

Is required

Description

ID

String

Yes

User account ID of the operator to whom the alert is assigned.

Name

String

Yes

Name of the operator to whom the alert is assigned.

MITRETactic

Field

Value type

Is required

Description

ID

String

Yes

ID of the MITRE tactic related to all triggered IOA rules in the alert.

Name

String

Yes

Name of the MITRE tactic related to all triggered IOA rules in the alert.

MITRETechnique

Field

Value type

Is required

Description

ID

String

Yes

ID of the MITRE technique related to all triggered IOA rules in the alert.

Name

String

Yes

Name of the MITRE technique related to all triggered IOA rules in the alert.

Observable

Field

Value type

Is required

Description

Type

String

Yes

Type of the observable object.

Possible values:

  • ip
  • md5
  • sha256
  • url
  • domain
  • userName
  • hostName

Value

String

Yes

Value of the observable object.

Details

String

No

Additional information about the observable object.

Rule

Field

Value type

Is required

Description

ID

String

Yes

ID of the triggered rule.

Name

String

No

Name of the triggered rule.

Severity

String

No

Severity of the triggered rule.

Possible values:

  • critical
  • high
  • medium
  • low

Confidence

String

No

Confidence level of the triggered rule.

Possible values:

  • high
  • medium
  • low

Custom

Boolean

No

Indicator that the alert is based on custom rules.

Asset

Field

Value type

Is required

Description

Type

String

Yes

Type of the affected asset (a device or an account).

Possible values:

  • host
  • user

ID

String

Yes

ID of the affected asset (a device or an account).

Name

String

No

The name of the affected device that the alert is associated with (if Type is set to host).

The user name of the affected user account associated with events, on the basis of which the alert is generated (if Type is set to user).

IsAttacker

Boolean

No

Indicator that the affected asset (a device or an account) is an attacker.

IsVictim

Boolean

No

Indicator that the affected asset (a device or an account) is a victim.

Page top
[Topic 269125]