{
  "name": "SaaS Alerts Security Event",
  "description": "Structure of a security event detected by the SaaS Alerts platform",
  "fields": [
    {
      "name": "eventId",
      "type": "string",
      "required": true,
      "description": "Unique event identifier"
    },
    {
      "name": "eventType",
      "type": "string",
      "required": true,
      "description": "Machine-readable event type (e.g., login.failure, data.exfiltration)"
    },
    {
      "name": "jointDesc",
      "type": "string",
      "required": false,
      "description": "Human-readable event description"
    },
    {
      "name": "alertStatus",
      "type": "string",
      "required": true,
      "description": "Severity: low, medium, or critical"
    },
    {
      "name": "application",
      "type": "string",
      "required": true,
      "description": "SaaS application (microsoft365, google_workspace, salesforce, slack, dropbox)"
    },
    {
      "name": "customerId",
      "type": "string",
      "required": true,
      "description": "MSP customer/tenant identifier"
    },
    {
      "name": "customerName",
      "type": "string",
      "required": false,
      "description": "Customer organization name"
    },
    {
      "name": "userId",
      "type": "string",
      "required": true,
      "description": "Affected user email address"
    },
    {
      "name": "sourceIp",
      "type": "string",
      "required": false,
      "description": "Source IPv4 address"
    },
    {
      "name": "timestamp",
      "type": "date-time",
      "required": true,
      "description": "ISO 8601 event timestamp"
    },
    {
      "name": "details",
      "type": "object",
      "required": false,
      "description": "Additional event-specific key-value details"
    }
  ]
}