
Cortex XDR API Incident Structure

A Cortex XDR incident grouping related alerts.

Type: object Properties: 21

Incident is a JSON Structure definition published by Palo Alto Networks that describes 21 properties. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema. Note that `creation_time` and `modification_time` are declared as `int32` while their descriptions state Unix epoch milliseconds, which do not fit in a signed 32-bit integer (maximum 2147483647); consumers should expect a wider integer type or validate the range before relying on these fields for incident timelines.

Properties

incident_id incident_name description status severity assigned_user_mail assigned_user_pretty_name alert_count low_severity_alert_count med_severity_alert_count high_severity_alert_count critical_severity_alert_count user_count host_count creation_time modification_time detection_time starred xdr_url rule_based_score manual_score

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cortex-xdr-api-incident-structure.json",
  "name": "Incident",
  "description": "A Cortex XDR incident grouping related alerts.",
  "type": "object",
  "properties": {
    "incident_id": {
      "type": "string"
    },
    "incident_name": {
      "type": "string"
    },
    "description": {
      "type": "string"
    },
    "status": {
      "type": "string",
      "enum": [
        "new",
        "under_investigation",
        "resolved_threat_handled",
        "resolved_known_issue",
        "resolved_duplicate",
        "resolved_false_positive",
        "resolved_other"
      ]
    },
    "severity": {
      "type": "string",
      "enum": [
        "critical",
        "high",
        "medium",
        "low",
        "informational",
        "unknown"
      ]
    },
    "assigned_user_mail": {
      "type": "string"
    },
    "assigned_user_pretty_name": {
      "type": "string"
    },
    "alert_count": {
      "type": "int32"
    },
    "low_severity_alert_count": {
      "type": "int32"
    },
    "med_severity_alert_count": {
      "type": "int32"
    },
    "high_severity_alert_count": {
      "type": "int32"
    },
    "critical_severity_alert_count": {
      "type": "int32"
    },
    "user_count": {
      "type": "int32"
    },
    "host_count": {
      "type": "int32"
    },
    "creation_time": {
      "type": "int32",
      "description": "Incident creation timestamp as Unix epoch milliseconds (note: millisecond epoch values exceed the declared int32 range; expect a wider integer and validate before use)."
    },
    "modification_time": {
      "type": "int32",
      "description": "Last modification timestamp as Unix epoch milliseconds (note: millisecond epoch values exceed the declared int32 range; expect a wider integer and validate before use)."
    },
    "detection_time": {
      "type": "int32"
    },
    "starred": {
      "type": "boolean"
    },
    "xdr_url": {
      "type": "string",
      "description": "Direct URL to the incident in the XDR console."
    },
    "rule_based_score": {
      "type": "int32"
    },
    "manual_score": {
      "type": "int32"
    }
  }
}