DLPIncident
DLPIncident schema from the Palo Alto Networks Enterprise DLP API
Properties
| Name | Type | Description |
|---|---|---|
| incident_id | string | Unique incident identifier. |
| status | string | Current incident status; one of `open`, `in_review`, `resolved`, `dismissed`. |
| severity | string | Incident severity level; one of `critical`, `high`, `medium`, `low`, `informational`. |
| data_pattern_name | string | Name of the data pattern that triggered the incident. |
| data_pattern_id | string | Identifier of the data pattern that triggered the incident. |
| match_count | integer | Number of data pattern matches in the content. |
| channel | string | Channel where the data exposure was detected; one of `web`, `ssl`, `saas`, `email`, `endpoint`. |
| user | string | Email address or username of the user involved. |
| timestamp | string | Timestamp (RFC 3339 date-time) when the incident was detected. |
| application | string | Application associated with the incident. |
| file_name | string | Name of the file containing sensitive data. |
| file_type | string | MIME type of the file. |
| file_size | integer | Size of the file in bytes. |
| direction | string | Direction of data movement; one of `upload`, `download`, `internal`. |
| action_taken | string | Automated action taken on the incident; one of `alert`, `block`, `quarantine`, `encrypt`. |
| reviewer_comments | string | Comments added by the reviewing analyst. |
| reviewed_by | string | Email address of the analyst who reviewed the incident. |
| reviewed_at | string | Timestamp (RFC 3339 date-time) when the incident was last reviewed. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "DLPIncident",
"description": "DLPIncident schema from the Palo Alto Networks Enterprise DLP API",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/dlp-api-dlp-incident-schema.json",
"type": "object",
"properties": {
"incident_id": {
"type": "string",
"description": "Unique incident identifier."
},
"status": {
"type": "string",
"enum": [
"open",
"in_review",
"resolved",
"dismissed"
],
"description": "Current incident status."
},
"severity": {
"type": "string",
"enum": [
"critical",
"high",
"medium",
"low",
"informational"
],
"description": "Incident severity level."
},
"data_pattern_name": {
"type": "string",
"description": "Name of the data pattern that triggered the incident."
},
"data_pattern_id": {
"type": "string",
"description": "Identifier of the data pattern that triggered the incident."
},
"match_count": {
"type": "integer",
"description": "Number of data pattern matches in the content."
},
"channel": {
"type": "string",
"enum": [
"web",
"ssl",
"saas",
"email",
"endpoint"
],
"description": "Channel where the data exposure was detected."
},
"user": {
"type": "string",
"description": "Email address or username of the user involved."
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the incident was detected."
},
"application": {
"type": "string",
"description": "Application associated with the incident."
},
"file_name": {
"type": "string",
"description": "Name of the file containing sensitive data."
},
"file_type": {
"type": "string",
"description": "MIME type of the file."
},
"file_size": {
"type": "integer",
"description": "Size of the file in bytes."
},
"direction": {
"type": "string",
"enum": [
"upload",
"download",
"internal"
],
"description": "Direction of data movement."
},
"action_taken": {
"type": "string",
"enum": [
"alert",
"block",
"quarantine",
"encrypt"
],
"description": "Automated action taken on the incident."
},
"reviewer_comments": {
"type": "string",
"description": "Comments added by the reviewing analyst."
},
"reviewed_by": {
"type": "string",
"description": "Email address of the analyst who reviewed the incident."
},
"reviewed_at": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the incident was last reviewed."
}
}
}