Incident
A Cortex XSOAR incident representing a security event under investigation.
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Unique incident identifier. |
| name | string | Incident name or title. |
| type | string | Incident type (maps to an incident type definition). |
| status | integer | Incident status code: 0 (Pending), 1 (Active), 2 (Done), 3 (Archive). |
| severity | integer | Severity level: 0 (Unknown), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical). |
| owner | string | Username of the analyst assigned to this incident. |
| created | string | Incident creation timestamp (RFC 3339 date-time string). |
| modified | string | Last modification timestamp (RFC 3339 date-time string). |
| occurred | string | Timestamp when the security event occurred (RFC 3339 date-time string). |
| closed | string | Incident closure timestamp (RFC 3339 date-time string). |
| closeReason | string | Reason for closing the incident. |
| closeNotes | string | Notes added when closing the incident. |
| labels | array | Label pairs (each with a `type` and a `value` string) attached to the incident. |
| details | string | Incident details or description. |
| investigationId | string | Associated investigation ID. |
| playbookId | string | Playbook assigned to this incident. |
| sourceInstance | string | Integration instance that created this incident. |
| sourceBrand | string | Integration brand that created this incident. |
| rawJson | string | Raw JSON payload from the originating event, stored as a serialized JSON string. |
| CustomFields | object | Custom field values specific to the incident type; an open object whose keys and value types are not constrained by this schema. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Incident",
"description": "A Cortex XSOAR incident representing a security event under investigation.",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xsoar-api-incident-schema.json",
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique incident identifier.",
"readOnly": true
},
"name": {
"type": "string",
"description": "Incident name or title."
},
"type": {
"type": "string",
"description": "Incident type (maps to an incident type definition)."
},
"status": {
"type": "integer",
"description": "Incident status code: 0 (Pending), 1 (Active), 2 (Done), 3 (Archive).",
"enum": [
0,
1,
2,
3
]
},
"severity": {
"type": "integer",
"description": "Severity level: 0 (Unknown), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical).",
"enum": [
0,
1,
2,
3,
4,
5
]
},
"owner": {
"type": "string",
"description": "Username of the analyst assigned to this incident."
},
"created": {
"type": "string",
"format": "date-time",
"description": "Incident creation timestamp.",
"readOnly": true
},
"modified": {
"type": "string",
"format": "date-time",
"description": "Last modification timestamp.",
"readOnly": true
},
"occurred": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the security event occurred."
},
"closed": {
"type": "string",
"format": "date-time",
"description": "Incident closure timestamp."
},
"closeReason": {
"type": "string",
"description": "Reason for closing the incident."
},
"closeNotes": {
"type": "string",
"description": "Notes added when closing the incident."
},
"labels": {
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"value": {
"type": "string"
}
}
},
"description": "Label pairs (each with a type and a value string) attached to the incident."
},
"details": {
"type": "string",
"description": "Incident details or description."
},
"investigationId": {
"type": "string",
"description": "Associated investigation ID.",
"readOnly": true
},
"playbookId": {
"type": "string",
"description": "Playbook assigned to this incident."
},
"sourceInstance": {
"type": "string",
"description": "Integration instance that created this incident."
},
"sourceBrand": {
"type": "string",
"description": "Integration brand that created this incident."
},
"rawJson": {
"type": "string",
"description": "Raw JSON payload from the originating event, stored as a serialized JSON string."
},
"CustomFields": {
"type": "object",
"description": "Custom field values specific to the incident type; an open object whose keys and value types are not constrained by this schema.",
"additionalProperties": true
}
}
}