{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://raw.githubusercontent.com/api-evangelist/sophos/main/json-schema/sophos-event-schema.json", "title": "Sophos Event", "description": "Schema for a security event from the Sophos Central SIEM API", "type": "object", "properties": { "id": { "type": "string", "description": "Unique identifier for the event" }, "when": { "type": "string", "format": "date-time", "description": "Timestamp when the event occurred, as an RFC 3339 date-time string; the format is checked only by validators with format validation enabled" }, "type": { "type": "string", "description": "Type of security event" }, "category": { "type": "string", "description": "Category of the event" }, "description": { "type": "string", "description": "Human-readable description of the event" }, "customer_id": { "type": "string", "description": "Customer identifier" }, "tenant_id": { "type": "string", "description": "Tenant identifier" }, "location": { "type": "string", "description": "Location or device associated with the event" }, "source": { "type": "string", "description": "Source system that generated the event" }, "endpoint_id": { "type": "string", "description": "Identifier of the affected endpoint" }, "endpoint_type": { "type": "string", "description": "Type of affected endpoint" }, "severity": { "type": "string", "enum": ["low", "medium", "high"], "description": "Severity level of the event: low, medium, or high" } }, "required": ["id", "when", "type"] }