Palo Alto Networks · Schema
Cortex XDR Incident
Schema for a Cortex XDR security incident object returned by the Cortex XDR API. Incidents are aggregated collections of related alerts representing a potential security threat or attack campaign. They are automatically created by Cortex XDR's analytics engine when correlated alerts meet grouping criteria based on shared endpoints, users, or behavioral patterns, or manually created by analysts. The incident object provides a unified attack story view including affected hosts, users, alert severity breakdown, investigation status, and source data attribution.
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR
Properties
| Name | Type | Description |
|---|---|---|
| incident_id | string | Unique numeric identifier for the incident assigned by Cortex XDR upon creation. Used to reference the incident in all API operations including status updates, alert associations, and webhook event co |
| incident_name | string | Human-readable name of the incident, either auto-generated by Cortex XDR from the highest-severity correlated alert or manually assigned by an analyst. Provides a concise summary of the detected threa |
| creation_time | integer | Unix epoch timestamp in milliseconds indicating when the incident was first created by Cortex XDR's correlation engine. Corresponds to the time the first correlated alert triggered incident creation. |
| modification_time | integer | Unix epoch timestamp in milliseconds indicating the most recent modification to the incident record. Updated when incident properties change, new alerts are correlated, status is updated, or analyst a |
| status | string | Current investigation status of the incident. 'new' indicates an untriaged incident awaiting analyst review. 'under_investigation' means an analyst is actively working the incident. The resolved statu |
| severity | string | Overall severity of the incident, determined by the highest-severity correlated alert or manually overridden by an analyst. Drives prioritization in the incident queue and can trigger automated escala |
| assigned_user_mail | string | Email address of the analyst or user currently assigned to investigate this incident. Null or absent when the incident is unassigned. |
| assigned_user_pretty_name | string | Display name of the assigned analyst as configured in their Cortex XDR user profile. Provides a human-friendly label for the assignee alongside the email address. |
| description | string | Detailed description of the incident providing context about the detected threat, affected systems, and attack techniques. May be auto-generated from correlated alert content or manually authored by a |
| alert_count | integer | Total number of individual alerts correlated and grouped into this incident. Includes alerts of all severity levels from all contributing detection sources. |
| low_severity_alert_count | integer | Number of alerts within the incident rated at low severity. Low severity alerts typically indicate suspicious but low-risk activity that provides supporting context for the overall investigation. |
| med_severity_alert_count | integer | Number of alerts within the incident rated at medium severity. Medium severity alerts indicate potentially harmful activity warranting investigation and may indicate early-stage attack activity. |
| high_severity_alert_count | integer | Number of alerts within the incident rated at high severity. High severity alerts indicate likely malicious activity requiring prompt analyst response and may indicate active compromise. |
| user_count | integer | Total number of distinct user accounts associated with alerts in this incident. Provides a quick measure of the identity blast radius of the detected threat activity. |
| host_count | integer | Total number of distinct endpoints or hosts involved in alerts in this incident. Provides a quick measure of the infrastructure blast radius of the detected threat activity. |
| notes | string | Free-form analyst notes attached to the incident during investigation. Used to document investigation findings, timeline reconstruction, and context that is not captured in the structured alert data. |
| resolve_comment | string | Analyst-provided comment explaining the resolution decision when closing the incident. Documents the investigation conclusion, root cause determination, and any remediation actions taken. |
| alert_sources | array | List of detection source identifiers that contributed alerts to this incident. Identifies which Cortex XDR engines, modules, or integrated third-party products generated the underlying detection event |
| network_artifacts | array | List of network-based indicators of compromise associated with this incident, such as malicious IP addresses, domains, and URLs observed across the correlated alerts. |
| file_artifacts | array | List of file-based indicators of compromise associated with this incident, such as malicious files, executables, and scripts identified across the correlated alerts. |
| xdr_url | string | Direct URL link to the incident detail and investigation page in the Cortex XDR management console. Provides single-click access to the full incident timeline, alert list, and forensic investigation i |
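As an added example (not code from Palo Alto Networks or the Cortex XDR documentation): a small triage helper that checks records shaped like the schema above for internal consistency, converts the millisecond epoch timestamps, and ranks open incidents by alert severity counts and host/user blast radius. The severity vocabulary, the assumption that closed states are status strings beginning with `resolved`, the scoring weights and the sample records are all constructed for this example.

```python
from datetime import datetime, timezone
# Assumed ordering for 'severity' (the schema does not enumerate its values).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
REQUIRED = ("incident_id", "creation_time", "modification_time", "status", "severity", "alert_count")
COUNTS = ("low_severity_alert_count", "med_severity_alert_count", "high_severity_alert_count")
# Constructed sample records shaped like the schema above; not real Cortex XDR API output.
SAMPLE_INCIDENTS = [
    {"incident_id": "1001", "creation_time": 1700000000000, "modification_time": 1700003600000,
     "status": "new", "severity": "high", "assigned_user_mail": None, "alert_count": 4,
     "low_severity_alert_count": 1, "med_severity_alert_count": 1, "high_severity_alert_count": 2,
     "user_count": 2, "host_count": 1},
    {"incident_id": "1002", "creation_time": 1700010000000, "modification_time": 1700010000000,
     "status": "under_investigation", "severity": "medium", "assigned_user_mail": "analyst@example.com",
     "alert_count": 3, "low_severity_alert_count": 3, "med_severity_alert_count": 0,
     "high_severity_alert_count": 0, "user_count": 1, "host_count": 3},
]

def ms_to_iso(ms):
    # creation_time / modification_time are Unix epoch milliseconds; render as UTC ISO-8601.
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def validate(incident):
    """Return consistency problems; an empty list means the record is safe to triage."""
    problems = [f"missing {k}" for k in REQUIRED if k not in incident]
    if incident.get("severity") not in SEVERITY_RANK:
        problems.append(f"unknown severity {incident.get('severity')!r}")
    if sum(incident.get(k, 0) for k in COUNTS) > incident.get("alert_count", 0):
        problems.append("per-severity counts exceed alert_count")
    return problems

def triage_score(incident):
    # Assumed weights: high-severity alerts dominate, then host/user blast radius.
    low, med, high = (incident.get(k, 0) for k in COUNTS)
    return 10 * high + 3 * med + low + 2 * (incident.get("host_count", 0) + incident.get("user_count", 0))

def triage_queue(incidents, now_ms, sla_hours=4):
    """Open, valid incidents sorted highest score first; unassigned ones past the SLA are flagged."""
    queue = []
    for inc in incidents:
        # Assumption: every closed state is a status string beginning with 'resolved'.
        if str(inc.get("status", "")).startswith("resolved") or validate(inc):
            continue
        age_h = round((now_ms - inc["creation_time"]) / 3_600_000, 1)
        flags = ["unassigned"] if not inc.get("assigned_user_mail") else []
        if flags and age_h > sla_hours:
            flags.append("sla_breach")
        queue.append({"incident_id": inc["incident_id"], "score": triage_score(inc),
                      "age_hours": age_h, "flags": flags, "created": ms_to_iso(inc["creation_time"])})
    return sorted(queue, key=lambda q: (-q["score"], -q["age_hours"]))
```

Records that fail `validate` are skipped rather than scored, so a malformed or partially returned object never jumps the queue.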