Data imported into security alerts

Each value in the additional JSON-encoded event data is imported into the Alert field whose name matches that value's fieldName. If your third-party monitoring software (for example, Splunk) carries data that has no corresponding field in the base system, add new fields to the Alert table so that the import has somewhere to put that data.

The JSON format for importing data into alerts is the same format used for creating security incidents from events and alerts:
  • { "fieldName" : "fieldValue", "fieldName" : "fieldValue" }

The only difference is that any existing value in the matching alert field is always overwritten with the fieldValue.

Imported security event data populates the fields in the Alert table with matching field names. If the alert is later turned into a security incident, that additional data populates matching fields in the security incident.
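The following is an added example, not ServiceNow's own code: a plain JavaScript model of the rules above, showing name-matched import with the overwrite behaviour, reporting of JSON keys that have no Alert field (the case where you would add a field to the Alert table), and the copy of shared fields into a security incident. The table schemas, field names and the Splunk-style event are constructed for the example.

```javascript
// Added example (not ServiceNow code): a model of JSON event data being mapped
// onto an Alert record by field name, then carried into a security incident.

// Constructed schemas: the fields present on the Alert table and on the
// Security Incident table in this model.
const ALERT_FIELDS = ["short_description", "source", "severity", "src_ip", "hostname"];
const INCIDENT_FIELDS = ["short_description", "severity", "src_ip", "category"];

// Import JSON-encoded event data into an alert record.
// Only keys that match an existing Alert field are written, and a matching
// field is always overwritten. Keys with no matching field are returned so an
// admin knows which fields to add to the Alert table before re-importing.
// Because writes go through an allow-list, keys such as "__proto__" in
// untrusted event data are never written to the record.
function importEventData(alert, jsonText) {
  const data = JSON.parse(jsonText);
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("event data must be a JSON object of fieldName/fieldValue pairs");
  }
  const unmatched = [];
  for (const [fieldName, fieldValue] of Object.entries(data)) {
    if (ALERT_FIELDS.includes(fieldName)) {
      alert[fieldName] = fieldValue; // overwrite, even if already populated
    } else {
      unmatched.push(fieldName);
    }
  }
  return { alert, unmatched };
}

// Turn an alert into a security incident: every field name the two tables
// share is copied across; alert-only fields (e.g. hostname) stay behind.
function createIncidentFromAlert(alert) {
  const incident = {};
  for (const fieldName of INCIDENT_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(alert, fieldName)) {
      incident[fieldName] = alert[fieldName];
    }
  }
  return incident;
}

// Constructed sample: an alert that already has a severity, plus a Splunk-style
// event carrying one key ("splunk_search") that the Alert table lacks.
const sampleEvent = JSON.stringify({
  short_description: "Repeated failed logins from 203.0.113.7",
  severity: "1",
  src_ip: "203.0.113.7",
  splunk_search: "index=auth action=failure | stats count by src"
});
const result = importEventData({ short_description: "Initial alert", severity: "3" }, sampleEvent);
const incident = createIncidentFromAlert(result.alert);
```

Running the script leaves `result.unmatched` equal to `["splunk_search"]`, which is the list of fields an admin would add to the Alert table.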