Palo Alto Networks · Schema
Incident
Incident schema from Palo Alto Networks SaaS Security API
Cloud Security · Cybersecurity · Firewall · Network Security · SASE · SOAR · Threat Intelligence · XDR
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Unique incident identifier. |
| title | string | Summary title of the incident. |
| description | string | Detailed description of the security incident. |
| status | string | Current incident status. One of `new`, `in_progress`, `resolved`, `dismissed`. |
| severity | string | Incident severity level. One of `low`, `medium`, `high`, `critical`. |
| app_id | string | ID of the SaaS application where the incident occurred. |
| app_name | string | Name of the SaaS application. |
| policy_name | string | Name of the policy that triggered the incident. |
| affected_assets | array | IDs of assets involved in the incident. |
| affected_users | array | User IDs of users involved in the incident. |
| assignee_id | string | User ID of the assigned analyst. |
| created_at | string | Timestamp (`date-time` format) when the incident was detected. |
| updated_at | string | Timestamp (`date-time` format) of the most recent update. |
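JSON Schema
Note: this schema declares no `required` properties and does not set `additionalProperties`, so a validator accepts objects with fields missing or with extra fields. `format: date-time` is enforced only by validators configured to assert formats.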
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Incident",
"description": "Incident schema from Palo Alto Networks SaaS Security API",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/saas-security-api-incident-schema.json",
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique incident identifier."
},
"title": {
"type": "string",
"description": "Summary title of the incident."
},
"description": {
"type": "string",
"description": "Detailed description of the security incident."
},
"status": {
"type": "string",
"enum": [
"new",
"in_progress",
"resolved",
"dismissed"
],
"description": "Current incident status."
},
"severity": {
"type": "string",
"enum": [
"low",
"medium",
"high",
"critical"
],
"description": "Incident severity level."
},
"app_id": {
"type": "string",
"description": "ID of the SaaS application where the incident occurred."
},
"app_name": {
"type": "string",
"description": "Name of the SaaS application."
},
"policy_name": {
"type": "string",
"description": "Name of the policy that triggered the incident."
},
"affected_assets": {
"type": "array",
"items": {
"type": "string"
},
"description": "IDs of assets involved in the incident."
},
"affected_users": {
"type": "array",
"items": {
"type": "string"
},
"description": "User IDs of users involved in the incident."
},
"assignee_id": {
"type": "string",
"description": "User ID of the assigned analyst."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the incident was detected."
},
"updated_at": {
"type": "string",
"format": "date-time",
"description": "Timestamp of the most recent update."
}
}
}