
SaaS Security API Incident Structure

Incident schema from Palo Alto Networks SaaS Security API

Type: object Properties: 13

Incident is a JSON Structure definition published by Palo Alto Networks that describes 13 properties. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

id title description status severity app_id app_name policy_name affected_assets affected_users assignee_id created_at updated_at

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/saas-security-api-incident-structure.json",
  "name": "Incident",
  "description": "Incident schema from Palo Alto Networks SaaS Security API",
  "type": "object",
  "properties": {
    "id": {
      "type": "string",
      "description": "Unique incident identifier."
    },
    "title": {
      "type": "string",
      "description": "Summary title of the incident."
    },
    "description": {
      "type": "string",
      "description": "Detailed description of the security incident."
    },
    "status": {
      "type": "string",
      "description": "Current incident status.",
      "enum": [
        "new",
        "in_progress",
        "resolved",
        "dismissed"
      ]
    },
    "severity": {
      "type": "string",
      "description": "Incident severity level.",
      "enum": [
        "low",
        "medium",
        "high",
        "critical"
      ]
    },
    "app_id": {
      "type": "string",
      "description": "ID of the SaaS application where the incident occurred."
    },
    "app_name": {
      "type": "string",
      "description": "Name of the SaaS application."
    },
    "policy_name": {
      "type": "string",
      "description": "Name of the policy that triggered the incident."
    },
    "affected_assets": {
      "type": "array",
      "description": "IDs of assets involved in the incident.",
      "items": {
        "type": "string"
      }
    },
    "affected_users": {
      "type": "array",
      "description": "IDs of the users involved in the incident.",
      "items": {
        "type": "string"
      }
    },
    "assignee_id": {
      "type": "string",
      "description": "User ID of the assigned analyst."
    },
    "created_at": {
      "type": "datetime",
      "description": "Timestamp when the incident was detected."
    },
    "updated_at": {
      "type": "datetime",
      "description": "Timestamp of the most recent update."
    }
  }
}