Palo Alto Networks · Schema
Incident
A Cortex XSOAR incident representing a security event under investigation.
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Unique incident identifier. |
| name | string | Incident name or title. |
| type | string | Incident type (maps to an incident type definition). |
| status | integer | Incident status code: 0 (Pending), 1 (Active), 2 (Done), 3 (Archive). |
| severity | integer | Severity level: 0 (Unknown), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical). |
| owner | string | Username of the analyst assigned to this incident. |
| created | string | Incident creation timestamp. |
| modified | string | Last modification timestamp. |
| occurred | string | Timestamp when the security event occurred. |
| closed | string | Incident closure timestamp. |
| closeReason | string | Reason for closing the incident. |
| closeNotes | string | Notes added when closing the incident. |
| labels | array | Key-value label pairs attached to the incident. |
| details | string | Incident details or description. |
| investigationId | string | Associated investigation ID. |
| playbookId | string | Playbook assigned to this incident. |
| sourceInstance | string | Integration instance that created this incident. |
| sourceBrand | string | Integration brand that created this incident. |
| rawJson | string | Raw JSON payload from the originating event. |
| CustomFields | object | Custom field values specific to the incident type. |
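A validator that checks an incident object against the property table above (types, the status and severity code sets, and that rawJson holds parseable JSON), as an added example that is not Palo Alto Networks code. The sample incident is constructed, and the shape assumed for each label entry, an object with `type` and `value` keys, is an assumption rather than something the table states.

```python
import json

# Expected Python type for each property in the schema table.
SCHEMA_TYPES = {
    "id": str, "name": str, "type": str, "status": int, "severity": int,
    "owner": str, "created": str, "modified": str, "occurred": str,
    "closed": str, "closeReason": str, "closeNotes": str, "labels": list,
    "details": str, "investigationId": str, "playbookId": str,
    "sourceInstance": str, "sourceBrand": str, "rawJson": str,
    "CustomFields": dict,
}
STATUS_NAMES = {0: "Pending", 1: "Active", 2: "Done", 3: "Archive"}
SEVERITY_NAMES = {0: "Unknown", 1: "Informational", 2: "Low",
                  3: "Medium", 4: "High", 5: "Critical"}


def validate_incident(incident: dict) -> list:
    """Return a list of schema violations; an empty list means the object conforms."""
    problems = []
    for key, expected in SCHEMA_TYPES.items():
        if key not in incident:
            continue  # every property is treated as optional here
        value = incident[key]
        # bool is a subclass of int, so reject it explicitly for the integer codes
        if not isinstance(value, expected) or isinstance(value, bool):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    # Status and severity must use one of the codes the schema defines.
    for key, names in (("status", STATUS_NAMES), ("severity", SEVERITY_NAMES)):
        code = incident.get(key)
        if isinstance(code, int) and not isinstance(code, bool) and code not in names:
            problems.append(f"{key}: code {code} is not defined by the schema")
    # rawJson is a string, but it must still be well-formed JSON.
    raw = incident.get("rawJson")
    if isinstance(raw, str):
        try:
            json.loads(raw)
        except ValueError:
            problems.append("rawJson: not valid JSON")
    # Assumed label shape: a list of {"type": ..., "value": ...} objects.
    labels = incident.get("labels")
    if isinstance(labels, list):
        for i, label in enumerate(labels):
            if not isinstance(label, dict) or not {"type", "value"} <= set(label):
                problems.append(f"labels[{i}]: expected an object with 'type' and 'value'")
    return problems


# Constructed sample incident for demonstration, not a real record.
SAMPLE_INCIDENT = {
    "id": "1042", "name": "Suspicious login from new country", "type": "Account Compromise",
    "status": 1, "severity": 4, "owner": "analyst1",
    "created": "2024-05-01T08:00:00Z", "occurred": "2024-05-01T07:58:12Z",
    "labels": [{"type": "Brand", "value": "ExampleSIEM"}],
    "rawJson": '{"user": "jdoe", "src_country": "XX"}',
    "CustomFields": {"srcuser": "jdoe"},
}

if __name__ == "__main__":
    print(validate_incident(SAMPLE_INCIDENT))
    for problem in validate_incident(dict(SAMPLE_INCIDENT, severity=7, status=True, rawJson="{x")):
        print(problem)
```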