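---
# Naftiko capability: wraps five Cortex XSOAR incident operations (create,
# update, get, search via GET, search via POST) and re-exposes them through
# a REST adapter (port 8080) and an MCP adapter (port 9090).
naftiko: 1.0.0-alpha2
info:
  label: Palo Alto Networks Cortex XSOAR REST API — Incidents
  description: >-
    Palo Alto Networks Cortex XSOAR REST API — Incidents. 5 operations.
    Lead operation: Palo Alto Networks Create Incident. Self-contained
    Naftiko capability covering one Palo Alto Networks business surface.
  tags:
    - Palo Alto Networks
    - Incidents
  created: '2026-05-19'
  modified: '2026-05-19'

# The XSOAR API key is read from the process environment; only the variable
# name appears here, so the secret itself never lives in this file.
binds:
  - namespace: env
    keys:
      PALO_ALTO_NETWORKS_API_KEY: PALO_ALTO_NETWORKS_API_KEY

capability:
  consumes:
    - type: http
      namespace: palo-alto-cortex-xsoar-incidents
      # NOTE(review): {xsoar-server} is a placeholder and no binding for it is
      # visible in this file. Whatever host it resolves to receives the
      # Authorization header below, so pin it to the intended XSOAR server
      # and keep the https scheme.
      baseUri: https://{xsoar-server}
      description: >-
        Palo Alto Networks Cortex XSOAR REST API — Incidents business
        capability. Self-contained, no shared references.
      resources:
        - name: incident
          path: /incident
          operations:
            # Write operation: the request body is forwarded as-is.
            - name: createincident
              method: POST
              description: Palo Alto Networks Create Incident
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: incident-update
          path: /incident/update
          operations:
            # Write operation: the request body is forwarded as-is.
            - name: updateincident
              method: POST
              description: Palo Alto Networks Update Incident
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: incident-id
          path: /incident/{id}
          operations:
            - name: getincident
              method: GET
              description: Palo Alto Networks Get Incident
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # The {id} segment of the path needs a declared input;
              # without one the adapters below have nothing to fill it with.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: Identifier of the incident to retrieve.
                  required: true
        - name: incidents-search
          path: /incidents/search
          operations:
            - name: searchincidentsget
              method: GET
              description: Palo Alto Networks Search Incidents (GET)
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # The query text is passed through unchanged; what a caller
                # can read is bounded only by the API key's permissions.
                - name: query
                  in: query
                  type: string
                  description: >-
                    Lucene query string to filter incidents
                    (e.g., status:Active AND severity:High).
                - name: size
                  in: query
                  type: integer
                  description: Maximum number of incidents to return.
                - name: fromdate
                  in: query
                  type: string
                  description: Filter incidents created after this date (ISO 8601 format).
                - name: todate
                  in: query
                  type: string
                  description: Filter incidents created before this date (ISO 8601 format).
                - name: page
                  in: query
                  type: integer
                  description: Page number for pagination (zero-based).
            - name: searchincidentspost
              method: POST
              description: Palo Alto Networks Search Incidents (POST)
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
      # One API key, sent in the Authorization header, backs every operation
      # above. Every caller of the exposed adapters therefore acts with this
      # key's privileges; scope the key to the least access these five
      # operations need.
      authentication:
        type: apikey
        key: Authorization
        value: '{{env.PALO_ALTO_NETWORKS_API_KEY}}'
        placement: header

  # NOTE(review): neither adapter below declares any caller authentication in
  # this file. Unless the runtime or a fronting proxy adds it, anything that
  # can reach port 8080 or 9090 can create, update and read incidents with
  # the bound API key. Restrict both listeners to trusted networks.
  exposes:
    - type: rest
      namespace: palo-alto-cortex-xsoar-incidents-rest
      port: 8080
      description: >-
        REST adapter for Palo Alto Networks Cortex XSOAR REST API — Incidents.
        One Spectral-compliant resource per consumed operation, prefixed
        with /v1.
      resources:
        - path: /v1/incident
          name: incident
          description: REST surface for incident.
          operations:
            - method: POST
              name: createincident
              description: Palo Alto Networks Create Incident
              call: palo-alto-cortex-xsoar-incidents.createincident
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/incident/update
          name: incident-update
          description: REST surface for incident-update.
          operations:
            - method: POST
              name: updateincident
              description: Palo Alto Networks Update Incident
              call: palo-alto-cortex-xsoar-incidents.updateincident
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/incident/{id}
          name: incident-id
          description: REST surface for incident-id.
          operations:
            - method: GET
              name: getincident
              description: Palo Alto Networks Get Incident
              call: palo-alto-cortex-xsoar-incidents.getincident
              # Forward the {id} path segment to the consumed operation.
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/incidents/search
          name: incidents-search
          description: REST surface for incidents-search.
          operations:
            - method: GET
              name: searchincidentsget
              description: Palo Alto Networks Search Incidents (GET)
              call: palo-alto-cortex-xsoar-incidents.searchincidentsget
              with:
                query: rest.query
                size: rest.size
                fromdate: rest.fromdate
                todate: rest.todate
                page: rest.page
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: searchincidentspost
              description: Palo Alto Networks Search Incidents (POST)
              call: palo-alto-cortex-xsoar-incidents.searchincidentspost
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      namespace: palo-alto-cortex-xsoar-incidents-mcp
      port: 9090
      transport: http
      description: >-
        MCP adapter for Palo Alto Networks Cortex XSOAR REST API — Incidents.
        One tool per consumed operation, routed inline through this
        capability's consumes block.
      # The hints on each tool describe intent to the MCP client; they do not
      # restrict what the tool can do. Enforcement rests on the API key's
      # permissions on the XSOAR side.
      tools:
        - name: palo-alto-networks-create-incident
          description: Palo Alto Networks Create Incident
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: palo-alto-cortex-xsoar-incidents.createincident
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: palo-alto-networks-update-incident
          description: Palo Alto Networks Update Incident
          # NOTE(review): an update can overwrite existing incident fields;
          # confirm that destructive: false is the intended hint here.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: palo-alto-cortex-xsoar-incidents.updateincident
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: palo-alto-networks-get-incident
          description: Palo Alto Networks Get Incident
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: palo-alto-cortex-xsoar-incidents.getincident
          # Forward the incident id to fill the {id} path segment.
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: palo-alto-networks-search-incidents
          description: Palo Alto Networks Search Incidents (GET)
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: palo-alto-cortex-xsoar-incidents.searchincidentsget
          with:
            query: tools.query
            size: tools.size
            fromdate: tools.fromdate
            todate: tools.todate
            page: tools.page
          outputParameters:
            - type: object
              mapping: $.
        - name: palo-alto-networks-search-incidents-2
          description: Palo Alto Networks Search Incidents (POST)
          # NOTE(review): readOnly: true with idempotent: false differs from
          # the GET search tool above; confirm which hint is intended.
          hints:
            readOnly: true
            destructive: false
            idempotent: false
          call: palo-alto-cortex-xsoar-incidents.searchincidentspost
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.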