Kaspersky Next XDR Expert
1.1.4 and earlier

Contents

Incident data model

The structure of an incident is represented by fields that contain values (see the table below). Fields can also contain nested structures.

Section and subsections

Incident field

Value type

Is required

Description

Incidents

ID

String

Yes

Short internal incident ID.

InternalID

String

Yes

Internal incident ID.

TenantID

String

Yes

ID of the tenant that the incident is associated with.

CreatedAt

String

Yes

Date and time of the incident creation.

DetectionTechnologies

Nested list of strings

Yes

Detection technology triggered when the alert included in the incident was detected.

Possible values:

  • IOC
  • IOA

FirstEventTime

String

Yes

Date and time of the first telemetry event of the alert related to the incident.

LastEventTime

String

Yes

Date and time of the last telemetry event of the alert related to the incident.

Severity

String

Yes

Severity of the incident.

Possible values:

  • Critical
  • High
  • Medium
  • Low

ExternalRef

String

No

Link to an entity in an external system (for example, a link to a Jira ticket).

Status

String

Yes

Incident status.

Possible values:

  • open
  • inProgress
  • hold
  • closed

StatusChangedAt

String

No

Date and time of the incident status change.

StatusResolution

String

No

Resolution of the incident status.

Possible values:

  • truePositive
  • falsePositive
  • lowPriority
  • merged

UpdatedAt

String

Yes

Date and time of the last incident change.

Description

String

No

Incident description.

SignOfCreation

String

Yes

Method of creating an incident.

Possible values:

  • auto
  • manual

Priority

String

Yes

Priority of the incident.

Possible values:

  • Critical
  • High
  • Medium
  • Low

Extra

String

No

Data of the application that provides the incident. Application data is presented in the JSON format.

Incidents → Assignee

 

ID

String

No

User account ID of the operator to whom the incident is assigned.

Name

String

No

Name of the operator to whom the incident is assigned.

Incidents → MITRETactics

ID

String

No

Array of tactics from MITRE related to all triggered IOA rules in the incident.

Incidents → MITRETechniques

ID

String

No

Array of techniques from MITRE related to all triggered IOA rules in the incident.

Incidents → Observables

 

Details

String

No

Additional information about observables.

Type

String

No

Observables type.

Possible values:

  • ip
  • md5
  • url
  • domain
  • SHA256
  • UserName
  • HostName

Value

String

No

Observables value.

Incidents → Rules

 

Confidence

String

No

Confidence level of the triggered rule.

Possible values:

  • High
  • Medium
  • Low

Custom

Boolean

No

Indicator that the incident is based on custom rules.

ID

String

No

ID of the triggered rule.

Name

String

No

Name of the triggered rule.

Severity

String

No

Severity of the triggered rule.

Type

String

No

Type of the triggered rule.

Incidents → Assets

 

ID

String

No

ID of the affected asset (a device or an account).

IsAttacker

Boolean

No

Indicator that the affected asset (a device or an account) is an attacker.

IsVictim

Boolean

No

Indicator that the affected asset (a device or an account) is a victim.

KSCServer

String

No

Administration Server that the affected asset (a device or an account) belongs to.

This property is used to obtain the asset administration group.

Name

String

No

The name of the affected device that the incident is associated with (if Type is set to Host).

The user name of the affected user account that the incident associated with (if Type is set to User).

Type

String

No

Type of the affected asset (a device or an account).

Possible values:

  • Host
  • User

Page top
[Topic 269168]