Kaspersky Next XDR Expert

Incident data model

Incident data model

The structure of an incident is represented by fields that contain values (see the table below). Some fields are objects or arrays of objects with their own set of fields (for example, the Assignee and Alerts fields).

Incident

Field	Value type	Is required	Description
`InternalID`	String	Yes	Internal incident ID, in the UUID format.
`ID`	Integer	Yes	Short internal incident ID.
`TenantID`	String	Yes	ID of the tenant that the incident is associated with, in the UUID format.
`IncidentType`	`IncidentType` object	Yes	Incident type.
`Name`	String	Yes	Incident name.
`WorkflowName`	String	Yes	Name of the incident workflow.
`WorkflowUUID`	String	Yes	Unique identifier of the incident workflow, in the UUID format.
`Description`	String	No	Incident description.
`CreatedAt`	String	Yes	Date and time of the incident creation, in the RFC 3339 format.
`UpdatedAt`	String	Yes	Date and time of the last incident change, in the RFC 3339 format.
`StatusChangedAt`	String	No	Date and time of the incident status change, in the RFC 3339 format.
`Severity`	String	No	Severity of the incident. Possible values: `critical` `high` `medium` `low`
`Priority`	String	Yes	Priority of the incident. Possible values: `critical` `high` `medium` `low`
`Assignee`	`Assignee` object	No	Operator to whom the incident is assigned.
`FirstEventTime`	String	No	Date and time of the first telemetry event of the alert related to the incident, in the RFC 3339 format.
`LastEventTime`	String	No	Date and time of the last telemetry event of the alert related to the incident, in the RFC 3339 format.
`Status`	String	Yes	Incident status. Possible values: `open` `inProgress` `hold` `closed`
`StatusUUID`	String	Yes	Incident status ID, in the UUID format.
`StatusResolution`	String	No	Resolution of the incident status. Possible values: `truePositive` `falsePositive` `lowPriority` `merged`
`DetectSources`	Array of strings	No	Components that detect and generate the incident.
`DetectionTechnologies`	Array of strings	No	Triggered detection technology.
`Alerts`	Array of `Alert` objects	No	Alerts included in the incident.
`AdditionalData`	Object	No	Additional information about the alert, in the JSON format. This information can be filled in by a user or a playbook.
`ExternalRef`	String	Yes	Link to an entity in an external system (for example, a link to a Jira ticket).
`SignOfCreation`	String	Yes	Method of creating an incident.
`Attachments`	Array of `UnkeyedAttachment` objects	No	Attachments related to the incident.

IncidentType

Field	Value type	Is required	Description
`ID`	String	Yes	Incident type ID, in the UUID format.
`Name`	String	Yes	Name of the incident type.
`Description`	String	Yes	Description of the incident type.

Assignee

Field	Value type	Is required	Description
`ID`	String	Yes	User account ID of the operator to whom the incident is assigned.
`Name`	String	Yes	Name of the operator to whom the incident is assigned.

UnkeyedAttachment

Field	Value type	Is required	Description
`AttachmentID`	String	Yes	Attachment ID, in the UUID format.
`Name`	String	Yes	Attachment name.
`CreatedAt`	String	Yes	Date and time of the attachment creation, in the UTC format.
`UpdatedAt`	String	Yes	Date and time of the last attachment change, in the UTC format.
`CreatedBy`	String	Yes	Indicator that the affected asset (a device or an account) is a victim.
`Size`	Integer	Yes	Attachment size, specified in bytes.
`Status`	String	Yes	Attachment status that indicates whether the attachment upload is in progress, completed, or aborted with an error. Possible values: `completed` `error` `uploading`
`Description`	String	No	Attachment description.
`StatusCode`	String	No	Text of the status that is displayed to a user (for example, an error message that is displayed when the attachment upload fails).

Page top

Contents

Incident data model