{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "IncidentDetail",
  "description": "IncidentDetail schema from Palo Alto Networks Cortex XDR REST API",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xdr-api-incident-detail-schema.json",
  "allOf": [
    {
      "type": "object",
      "description": "A Cortex XDR incident grouping related alerts.",
      "properties": {
        "incident_id": {
          "type": "string"
        },
        "incident_name": {
          "type": "string"
        },
        "description": {
          "type": "string"
        },
        "status": {
          "type": "string",
          "enum": [
            "new",
            "under_investigation",
            "resolved_threat_handled",
            "resolved_known_issue",
            "resolved_duplicate",
            "resolved_false_positive",
            "resolved_other"
          ]
        },
        "severity": {
          "type": "string",
          "enum": [
            "critical",
            "high",
            "medium",
            "low",
            "informational",
            "unknown"
          ]
        },
        "assigned_user_mail": {
          "type": "string"
        },
        "assigned_user_pretty_name": {
          "type": "string"
        },
        "alert_count": {
          "type": "integer"
        },
        "low_severity_alert_count": {
          "type": "integer"
        },
        "med_severity_alert_count": {
          "type": "integer"
        },
        "high_severity_alert_count": {
          "type": "integer"
        },
        "critical_severity_alert_count": {
          "type": "integer"
        },
        "user_count": {
          "type": "integer"
        },
        "host_count": {
          "type": "integer"
        },
        "creation_time": {
          "type": "integer",
          "description": "Incident creation timestamp as Unix epoch milliseconds."
        },
        "modification_time": {
          "type": "integer",
          "description": "Last modification timestamp as Unix epoch milliseconds."
        },
        "detection_time": {
          "type": "integer"
        },
        "starred": {
          "type": "boolean"
        },
        "xdr_url": {
          "type": "string",
          "description": "Direct URL to the incident in the XDR console."
        },
        "rule_based_score": {
          "type": "integer"
        },
        "manual_score": {
          "type": "integer"
        }
      }
    },
    {
      "type": "object",
      "properties": {
        "network_artifacts": {
          "type": "object"
        },
        "file_artifacts": {
          "type": "object"
        },
        "hosts": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "users": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "incident_sources": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "mitre_tactics_ids_and_names": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "mitre_techniques_ids_and_names": {
          "type": "array",
          "items": {
            "type": "string"
          }
        }
      }
    }
  ]
}