Register the XSIAM Tenant in Behavior Threats.
Currently, the registration process requires an SRE or
Engineering team member to interact with the BT support service. Provide TSG
ID, URL, and region details to the support service.
After
configuration, BT will push incidents to XSIAM. The payload uses the
ba_incident_event log type.
Incident Attribute
Reference
| Attribute | Description |
| asv_tenant_id | Internal BT-specific tenant identifier. |
| tsg_id | The Tenant Service Group identifier. |
| log_type | Hardcoded to ba_incident_event. |
| description | Detailed narrative of the detected behavior (for example,
"Impossible Travel"). |
| incident_id | Unique identifier for the incident in the BT
system. |
| severity | Numerical value (0–5). |
| severity_label | Qualitative value (Very Low, Low, Medium, High,
Critical). |
| user_email | The email address of the user associated with the
activity. |
| timestamp | The time the incident was published to the syslog. |
The following is a sample of the data packet sent from BT to the
XSIAM HTTP Log Collector:
JSON
{ "asv_tenant_id":
"lclnetsecprism6992",
"tsg_id": "12345",
"incident_id": "1234567",
"log_type": "ba_incident_event",
"description": "ChainLink accessed the
application ms-office365-base from different locations which are too far
apart to travel...",
"date":
"2025-08-11T12:00Z",
"severity": 3,
"severity_label": "Medium",
"policy_id": 101,
"policy_name": "policy_name",
"user_email": "abc@example.com",
"timestamp": "2025-12-02T11:06Z"
}
