Alert data model
The structure of an alert is represented by fields that contain values (see the table below). Some fields are objects or arrays of objects with their own set of fields (for example, the Assignee and Assets fields).
Alert

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | Internal alert ID, in the UUID format. The field value may match the … |
| | Integer | Yes | Short internal alert ID. |
| | String | Yes | ID of the tenant that the alert is associated with, in the UUID format. |
| | String | Yes | Date and time of the alert generation, in the RFC 3339 format. |
| | String | Yes | Date and time of the last alert change, in the RFC 3339 format. |
| | String | No | Date and time of the last alert status change, in the RFC 3339 format. |
| | String | Yes | Severity of the alert. Possible values: |
| | String | Yes | ID of the Kaspersky application management plug-in that is integrated in OSMP. |
| | String | Yes | Version of the Kaspersky application management plug-in that is integrated in OSMP. |
| | String | No | Unique alert identifier in the integrated component. |
| | String | No | Date and time of the alert generation in the integrated component, in the RFC 3339 format. |
| | String | Yes | Date and time of the first telemetry event related to the alert, in the RFC 3339 format. |
| | String | Yes | Date and time of the last telemetry event related to the alert, in the RFC 3339 format. |
| | String | No | Component that detects and generates the alert. |
| | Array of strings | No | Triggered detection technology. |
| | String | Yes | Alert status. Possible values: |
| | String | No | Resolution of the alert status. Possible values: |
| | String | No | Internal ID of the incident associated with the alert. |
| | String | No | Way to add an alert to an incident. Possible values: |
| | Assignee | No | Operator to whom the alert is assigned. |
| | Array of MITRETactic | No | MITRE tactics related to all triggered IOA rules in the alert. |
| | Array of MITRETechnique | No | MITRE techniques related to all triggered IOA rules in the alert. |
| | Array of Observable | No | Observables related to the alert. |
| | Array of Asset | No | Assets affected by the alert. |
| | Array of Rule | No | Triggered correlation rules, on the basis of which the alert is generated. |
| | Array of objects | No | Events, on the basis of which the alert is generated. |
| | String | Yes | Link to an entity in an external system (for example, a link to a Jira ticket). |
| | Object | No | Data related to the alert, in the JSON format. This data is obtained from managed Kaspersky applications when events are transformed into alerts. This field is not used in the interface. |
| | Object | No | Additional information about the alert, in the JSON format. This information can be filled in by a user or a playbook. |
| | String | Yes | Alert name. |
| | Array of UnkeyedAttachment | No | Attachments related to the incident. |
Assignee

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | User account ID of the operator to whom the alert is assigned. |
| | String | Yes | Name of the operator to whom the alert is assigned. |
MITRETactic

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | ID of the MITRE tactic related to all triggered IOA rules in the alert. |
| | String | Yes | Name of the MITRE tactic related to all triggered IOA rules in the alert. |
MITRETechnique

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | ID of the MITRE technique related to all triggered IOA rules in the alert. |
| | String | Yes | Name of the MITRE technique related to all triggered IOA rules in the alert. |
Observable

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | Type of the observable object. Possible values: |
| | String | Yes | Value of the observable object. |
| | String | No | Additional information about the observable object. |
Rule

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | ID of the triggered rule. |
| | String | No | Name of the triggered rule. |
| | String | No | Severity of the triggered rule. Possible values: |
| | String | No | Confidence level of the triggered rule. Possible values: |
| | Boolean | No | Indicator that the alert is based on custom rules. |
Asset

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | Type of the affected asset (a device or an account). Possible values: |
| | String | Yes | ID of the affected asset (a device or an account). |
| | String | No | The name of the affected device that the alert is associated with (if …). The user name of the affected user account associated with the events on the basis of which the alert is generated (if …). |
| | Boolean | No | Indicator that the affected asset (a device or an account) is an attacker. |
| | Boolean | No | Indicator that the affected asset (a device or an account) is a victim. |
UnkeyedAttachment

| Field | Value type | Is required | Description |
|---|---|---|---|
| | String | Yes | Attachment ID, in the UUID format. |
| | String | Yes | Attachment name. |
| | String | Yes | Date and time of the attachment creation, in the UTC format. |
| | String | Yes | Date and time of the last attachment change, in the UTC format. |
| | String | Yes | Indicator that the affected asset (a device or an account) is a victim. |
| | Integer | Yes | Attachment size, specified in bytes. |
| | String | Yes | Attachment status that indicates whether the attachment upload is in progress, completed, or aborted with an error. Possible values: |
| | String | No | Attachment description. |
| | String | No | Text of the status that is displayed to a user (for example, an error message that is displayed when the attachment upload fails). |
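As an added example (not code from the OSMP documentation or product), the following Python validator checks an alert received from the API against the Alert and Asset tables above: required fields, UUID and RFC 3339 formats, an ordered telemetry event window, and the required type and ID of each asset. The JSON keys (`id`, `tenant_id`, `first_event_at`, `assets`, and so on) are assumed names, since this page does not show the real field names; map them to the actual keys of your deployment.

```python
import re
from datetime import datetime
from uuid import UUID

# Field keys are ASSUMED (this page omits the real names); the types, required
# flags and formats follow the Alert and Asset tables above.
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

def is_uuid(value):
    try:
        return bool(UUID(str(value)))
    except ValueError:
        return False

def parse_rfc3339(value):
    """Aware datetime for an RFC 3339 string, or None if the value is not one."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")) if RFC3339.match(value) else None
    except (TypeError, ValueError):  # not a string, or right shape but an impossible date
        return None

is_str = lambda v: isinstance(v, str)  # noqa: E731 (short checks for the schema table)
is_ts = lambda v: parse_rfc3339(v) is not None  # noqa: E731
ALERT_SCHEMA = [  # (assumed key, required, value check); a subset of the Alert table
    ("id", True, is_uuid), ("tenant_id", True, is_uuid),
    ("first_event_at", True, is_ts), ("last_event_at", True, is_ts),
    ("severity", True, is_str), ("status", True, is_str), ("name", True, is_str),
    ("assets", False, lambda v: isinstance(v, list)),
]

def validate_alert(alert):
    """Return the problems found; an empty list means the alert is well-formed."""
    problems = []
    for key, required, check in ALERT_SCHEMA:
        if key not in alert:
            if required:
                problems.append(f"missing required field: {key}")
        elif not check(alert[key]):
            problems.append(f"invalid value for {key}: {alert[key]!r}")
    first, last = parse_rfc3339(alert.get("first_event_at")), parse_rfc3339(alert.get("last_event_at"))
    if first and last and first > last:  # the telemetry window must be ordered
        problems.append("first_event_at is later than last_event_at")
    for i, asset in enumerate(alert.get("assets", [])):  # Asset table: type and id are required
        problems += [f"assets[{i}]: missing required field {k}" for k in ("type", "id") if not is_str(asset.get(k))]
    return problems

SAMPLE_ALERT = {  # constructed sample, not data from a real OSMP instance
    "id": "3f1c2d5e-8a6b-4c7d-9e0f-1a2b3c4d5e6f", "tenant_id": "9b8a7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d",
    "first_event_at": "2024-05-01T09:58:12Z", "last_event_at": "2024-05-01T13:04:47+03:00",
    "severity": "High", "status": "New", "name": "Suspicious PowerShell launch",
    "assets": [{"type": "host", "id": "host-1", "is_victim": True}, {"type": "account", "id": "acct-7"}],
}
```

Timestamps are compared as instants, so the `+03:00` offset in the sample is handled correctly, and a string that has the RFC 3339 shape but is not a real date (month 13) is rejected rather than raising.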