Alert
Alert schema from Varonis DatAlert API
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Unique identifier for the alert. |
| name | string | Name of the alert, typically derived from the threat model. |
| time | string | Timestamp (RFC 3339 / ISO 8601 date-time) when the alert was triggered. |
| severity | string | Severity level of the alert. |
| category | string | MITRE ATT&CK-aligned category of the alert. |
| status | string | Current status of the alert. |
| closeReason | string | Reason for closing the alert, populated only when status is Closed. |
| country | string | Country associated with the alert activity. |
| state | string | State or region associated with the alert activity. |
| userName | string | Name of the user whose activity triggered the alert. |
| userAccountType | string | Type of user account such as service account, admin, or regular user. |
| userDepartment | string | Department of the user whose activity triggered the alert. |
| deviceName | string | Name of the device involved in the alert. |
| isMaliciousIP | boolean | Indicates whether the IP address associated with the alert is known to be malicious. |
| assetPath | string | File system or resource path of the affected asset. |
| platform | string | Platform or data source where the alert was generated. |
| eventCount | integer | Number of events associated with the alert. |
| isFlagged | boolean | Whether the alert has been flagged for special attention. |
| containsSensitiveData | boolean | Whether the affected resource contains data classified as sensitive. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://raw.githubusercontent.com/api-evangelist/varonis/refs/heads/main/json-schema/varonis-datalert-alert-schema.json",
"title": "Alert",
"description": "Alert schema from Varonis DatAlert API",
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the alert."
},
"name": {
"type": "string",
"description": "Name of the alert, typically derived from the threat model."
},
"time": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the alert was triggered."
},
"severity": {
"type": "string",
"enum": [
"Low",
"Medium",
"High"
],
"description": "Severity level of the alert."
},
"category": {
"type": "string",
"enum": [
"Reconnaissance",
"Intrusion",
"Exploitation",
"Privilege Escalation",
"Lateral Movement"
],
"description": "MITRE ATT&CK-aligned category of the alert."
},
"status": {
"type": "string",
"enum": [
"Open",
"Under Investigation",
"Closed"
],
"description": "Current status of the alert."
},
"closeReason": {
"type": "string",
"enum": [
"Resolved",
"Misconfiguration",
"Threat model disabled or deleted",
"Account misclassification",
"Legitimate activity",
"Other"
],
"description": "Reason for closing the alert, populated only when status is Closed."
},
"country": {
"type": "string",
"description": "Country associated with the alert activity."
},
"state": {
"type": "string",
"description": "State or region associated with the alert activity."
},
"userName": {
"type": "string",
"description": "Name of the user whose activity triggered the alert."
},
"userAccountType": {
"type": "string",
"description": "Type of user account such as service account, admin, or regular user."
},
"userDepartment": {
"type": "string",
"description": "Department of the user whose activity triggered the alert."
},
"deviceName": {
"type": "string",
"description": "Name of the device involved in the alert."
},
"isMaliciousIP": {
"type": "boolean",
"description": "Indicates whether the IP address associated with the alert is known to be malicious."
},
"assetPath": {
"type": "string",
"description": "File system or resource path of the affected asset."
},
"platform": {
"type": "string",
"enum": [
"Windows",
"Exchange",
"SharePoint",
"DNS",
"Active Directory",
"Azure AD",
"Microsoft 365"
],
"description": "Platform or data source where the alert was generated."
},
"eventCount": {
"type": "integer",
"description": "Number of events associated with the alert."
},
"isFlagged": {
"type": "boolean",
"description": "Whether the alert has been flagged for special attention."
},
"containsSensitiveData": {
"type": "boolean",
"description": "Whether the affected resource contains data classified as sensitive."
}
}
}