EmailDLPIncident
Schema for the EmailDLPIncident object returned by the Palo Alto Networks Email DLP API.
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Unique incident identifier. |
| sender | string | Email address of the message sender. |
| subject | string | Email message subject line. |
| status | string | Current status or verdict for the email message. |
| severity | string | Incident severity based on data pattern sensitivity. |
| data_patterns | array | Data patterns that matched in the email content. |
| match_count | integer | Total number of data pattern matches across all patterns. |
| timestamp | string | Timestamp when the incident was detected. |
| has_attachments | boolean | Whether the email contained attachments. |
| attachment_count | integer | Number of attachments in the email. |
| direction | string | Direction of the email message. |
| action_taken | string | Automated action taken on the message. |
| reviewed_by | string | Email address of the analyst who reviewed the incident. |
| reviewed_at | string | Timestamp when the incident was last reviewed. |
| comment | string | Comment added during verdict review. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "EmailDLPIncident",
"description": "EmailDLPIncident schema from Palo Alto Networks Email DLP API",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/email-dlp-api-email-dlp-incident-schema.json",
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique incident identifier."
},
"sender": {
"type": "string",
"description": "Email address of the message sender."
},
"subject": {
"type": "string",
"description": "Email message subject line."
},
"status": {
"type": "string",
"enum": [
"pending",
"allowed",
"blocked",
"quarantined"
],
"description": "Current status or verdict for the email message."
},
"severity": {
"type": "string",
"enum": [
"critical",
"high",
"medium",
"low",
"informational"
],
"description": "Incident severity based on data pattern sensitivity."
},
"data_patterns": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"category": {
"type": "string"
},
"match_count": {
"type": "integer"
}
}
},
"description": "Data patterns that matched in the email content."
},
"match_count": {
"type": "integer",
"description": "Total number of data pattern matches across all patterns."
},
"timestamp": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the incident was detected."
},
"has_attachments": {
"type": "boolean",
"description": "Whether the email contained attachments."
},
"attachment_count": {
"type": "integer",
"description": "Number of attachments in the email."
},
"direction": {
"type": "string",
"enum": [
"inbound",
"outbound",
"internal"
],
"description": "Direction of the email message."
},
"action_taken": {
"type": "string",
"enum": [
"alert",
"block",
"quarantine"
],
"description": "Automated action taken on the message."
},
"reviewed_by": {
"type": "string",
"description": "Email address of the analyst who reviewed the incident."
},
"reviewed_at": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the incident was last reviewed."
},
"comment": {
"type": "string",
"description": "Comment added during verdict review."
}
}
}