Palo Alto Networks · Schema
IncidentSearchResponse
IncidentSearchResponse schema from Palo Alto Networks Cortex XSOAR REST API
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR
Properties
| Name | Type | Description |
|---|---|---|
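| total | object | Object with an integer `value` and a string `relation`. |
| incidents | array | Array of Cortex XSOAR incident objects (see the `items` schema below). |
| searchResultTotal | integer | |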
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "IncidentSearchResponse",
"description": "IncidentSearchResponse schema from Palo Alto Networks Cortex XSOAR REST API",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xsoar-api-incident-search-response-schema.json",
"type": "object",
"properties": {
"total": {
"type": "object",
"properties": {
"value": {
"type": "integer"
},
"relation": {
"type": "string"
}
}
},
"incidents": {
"type": "array",
"items": {
"type": "object",
"description": "A Cortex XSOAR incident representing a security event under investigation.",
"properties": {
"id": {
"type": "string",
"description": "Unique incident identifier.",
"readOnly": true
},
"name": {
"type": "string",
"description": "Incident name or title."
},
"type": {
"type": "string",
"description": "Incident type (maps to an incident type definition)."
},
"status": {
"type": "integer",
"description": "Incident status code: 0 (Pending), 1 (Active), 2 (Done), 3 (Archive).",
"enum": [
0,
1,
2,
3
]
},
"severity": {
"type": "integer",
"description": "Severity level: 0 (Unknown), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical).",
"enum": [
0,
1,
2,
3,
4,
5
]
},
"owner": {
"type": "string",
"description": "Username of the analyst assigned to this incident."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Incident creation timestamp.",
"readOnly": true
},
"modified": {
"type": "string",
"format": "date-time",
"description": "Last modification timestamp.",
"readOnly": true
},
"occurred": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the security event occurred."
},
"closed": {
"type": "string",
"format": "date-time",
"description": "Incident closure timestamp."
},
"closeReason": {
"type": "string",
"description": "Reason for closing the incident."
},
"closeNotes": {
"type": "string",
"description": "Notes added when closing the incident."
},
"labels": {
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"value": {
"type": "string"
}
}
},
"description": "Label pairs attached to the incident; each label has a string type and a string value."
},
"details": {
"type": "string",
"description": "Incident details or description."
},
"investigationId": {
"type": "string",
"description": "Associated investigation ID.",
"readOnly": true
},
"playbookId": {
"type": "string",
"description": "Playbook assigned to this incident."
},
"sourceInstance": {
"type": "string",
"description": "Integration instance that created this incident."
},
"sourceBrand": {
"type": "string",
"description": "Integration brand that created this incident."
},
"rawJson": {
"type": "string",
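"description": "Raw JSON payload from the originating event, carried as a string. The content comes from the event source, so consumers should parse it with a strict JSON parser and treat it as untrusted input."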
},
"CustomFields": {
"type": "object",
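"description": "Custom field values specific to the incident type. Keys and value types are not constrained by this schema, so consumers should validate the fields they rely on.",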
"additionalProperties": true
}
}
}
},
"searchResultTotal": {
"type": "integer"
}
}
}