SaaS Alerts · Schema
SaaS Alerts Security Event
Schema for a SaaS Alerts security event detected across monitored SaaS applications
MSP · SaaS Security · Security Monitoring · Threat Detection · Microsoft 365 · Google Workspace · MSSP
Properties
| Name | Type | Description |
|---|---|---|
| eventId | string | Unique event identifier |
| eventType | string | Machine-readable event type classification; must be one of the enumerated values in the schema (e.g. `login.failure`) |
| jointDesc | string | Human-readable event description |
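| alertStatus | string | Event severity level: one of `low`, `medium`, or `critical` |
| application | string | SaaS application where the event occurred: one of `microsoft365`, `google_workspace`, `salesforce`, `slack`, or `dropbox` |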
| customerId | string | MSP customer/tenant identifier |
| customerName | string | Customer organization name |
| userId | string | Affected user identifier (email address) |
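| sourceIp | string | Source IP address of the event. Optional (not in the schema's `required` list). Declared with `format: ipv4`, which draft 2020-12 validators treat as an annotation unless format assertion is enabled |
| timestamp | string | Event timestamp in ISO 8601 format (schema `format: date-time`, e.g. `2024-01-15T14:23:11Z`) |
| details | object | Additional event-specific details. Free-form: the schema sets `additionalProperties: true`, so its keys and values are not validated |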
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://raw.githubusercontent.com/api-evangelist/saas-alerts/refs/heads/main/json-schema/saas-alerts-security-event-schema.json",
"title": "SaaS Alerts Security Event",
"description": "Schema for a SaaS Alerts security event detected across monitored SaaS applications",
"type": "object",
"properties": {
"eventId": {
"type": "string",
"description": "Unique event identifier",
"example": "evt_1234567890abcdef"
},
"eventType": {
"type": "string",
"description": "Machine-readable event type classification",
"enum": [
"login.success",
"login.failure",
"cross.ip.connections",
"file.sharing.external",
"oauth.granted.permission",
"oauth.revoked.permission",
"admin.new.admin",
"admin.removed.admin",
"mfa.disable",
"mfa.new.device",
"account.suspended",
"account.password.changed",
"policy.security.changed",
"mail.forwarding.added",
"mail.forwarding.removed",
"mail.rule.created",
"mail.rule.deleted",
"file.deleted",
"file.downloaded",
"file.uploaded",
"data.exfiltration",
"impossible.travel",
"brute.force.attack",
"api.access.granted",
"api.access.revoked"
],
"example": "login.failure"
},
"jointDesc": {
"type": "string",
"description": "Human-readable event description",
"example": "IAM Event - Authentication Failure"
},
"alertStatus": {
"type": "string",
"description": "Event severity level",
"enum": ["low", "medium", "critical"],
"example": "critical"
},
"application": {
"type": "string",
"description": "SaaS application where the event occurred",
"enum": [
"microsoft365",
"google_workspace",
"salesforce",
"slack",
"dropbox"
],
"example": "microsoft365"
},
"customerId": {
"type": "string",
"description": "MSP customer/tenant identifier",
"example": "cust_abc123"
},
"customerName": {
"type": "string",
"description": "Customer organization name",
"example": "Acme Corporation"
},
"userId": {
"type": "string",
"description": "Affected user identifier (email address)",
"example": "[email protected]"
},
"sourceIp": {
"type": "string",
"format": "ipv4",
"description": "Source IP address of the event",
"example": "198.51.100.42"
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "Event timestamp in ISO 8601 format",
"example": "2024-01-15T14:23:11Z"
},
"details": {
"type": "object",
"description": "Additional event-specific details",
"additionalProperties": true
}
},
"required": ["eventId", "eventType", "alertStatus", "application", "customerId", "userId", "timestamp"]
}