Palo Alto Networks · JSON Structure
Cortex XSOAR API Incident Search Response Structure
IncidentSearchResponse schema from Palo Alto Networks Cortex XSOAR REST API
Type: object
Properties: 3
Cloud Security · Cybersecurity · Firewall · Network Security · SASE · SOAR · Threat Intelligence · XDR
IncidentSearchResponse is a JSON Structure definition published by Palo Alto Networks, describing 3 properties. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.
Properties
total
incidents
searchResultTotal
Meta-schema: https://json-structure.org/meta/core/v0/#
JSON Structure
{
"$schema": "https://json-structure.org/meta/core/v0/#",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cortex-xsoar-api-incident-search-response-structure.json",
"name": "IncidentSearchResponse",
"description": "IncidentSearchResponse schema from Palo Alto Networks Cortex XSOAR REST API",
"type": "object",
"properties": {
"total": {
"type": "object",
"properties": {
"value": {
"type": "int32"
},
"relation": {
"type": "string"
}
}
},
"incidents": {
"type": "array",
"items": {
"type": "object",
"description": "A Cortex XSOAR incident representing a security event under investigation.",
"properties": {
"id": {
"type": "string",
"description": "Unique incident identifier."
},
"name": {
"type": "string",
"description": "Incident name or title."
},
"type": {
"type": "string",
"description": "Incident type (maps to an incident type definition)."
},
"status": {
"type": "int32",
"description": "Incident status code: 0 (Pending), 1 (Active), 2 (Done), 3 (Archive).",
"enum": [
0,
1,
2,
3
]
},
"severity": {
"type": "int32",
"description": "Severity level: 0 (Unknown), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical).",
"enum": [
0,
1,
2,
3,
4,
5
]
},
"owner": {
"type": "string",
"description": "Username of the analyst assigned to this incident."
},
"created": {
"type": "datetime",
"description": "Incident creation timestamp."
},
"modified": {
"type": "datetime",
"description": "Last modification timestamp."
},
"occurred": {
"type": "datetime",
"description": "Timestamp when the security event occurred."
},
"closed": {
"type": "datetime",
"description": "Incident closure timestamp."
},
"closeReason": {
"type": "string",
"description": "Reason for closing the incident."
},
"closeNotes": {
"type": "string",
"description": "Notes added when closing the incident."
},
"labels": {
"type": "array",
"description": "Key-value label pairs attached to the incident.",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"value": {
"type": "string"
}
}
}
},
"details": {
"type": "string",
"description": "Incident details or description."
},
"investigationId": {
"type": "string",
"description": "Associated investigation ID."
},
"playbookId": {
"type": "string",
"description": "Playbook assigned to this incident."
},
"sourceInstance": {
"type": "string",
"description": "Integration instance that created this incident."
},
"sourceBrand": {
"type": "string",
"description": "Integration brand that created this incident."
},
"rawJson": {
"type": "string",
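"description": "Raw JSON payload from the originating event, serialized as a string; consumers must parse it separately and should treat its contents as untrusted input."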
},
"CustomFields": {
"type": "object",
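"description": "Custom field values specific to the incident type; this schema does not constrain the keys or value types, so consumers should validate them before use.",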
"additionalProperties": true
}
}
}
},
"searchResultTotal": {
"type": "int32"
}
}
}