{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://raw.githubusercontent.com/api-evangelist/sophos/main/json-schema/sophos-alert-schema.json", "title": "Sophos Alert", "description": "Schema for a security alert from the Sophos Central SIEM API", "type": "object", "properties": { "id": { "type": "string", "description": "Unique identifier for the alert" }, "when": { "type": "string", "format": "date-time", "description": "Timestamp when the alert was raised" }, "severity": { "type": "string", "enum": ["low", "medium", "high"], "description": "Severity level of the alert" }, "category": { "type": "string", "description": "Category of the alert" }, "description": { "type": "string", "description": "Human-readable description of the alert" }, "customer_id": { "type": "string", "description": "Customer identifier" }, "tenant_id": { "type": "string", "description": "Tenant identifier" }, "location": { "type": "string", "description": "Location or device associated with the alert" }, "source": { "type": "string", "description": "Source system that generated the alert" }, "threat": { "type": "string", "description": "Name of the threat, if applicable" }, "endpoint_id": { "type": "string", "description": "Identifier of the affected endpoint" }, "endpoint_type": { "type": "string", "description": "Type of the affected endpoint" } }, "required": ["id", "when", "severity"] }