{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "IncidentPayload", "description": "The payload delivered to the webhook endpoint for Cortex XDR incident lifecycle events including creation, status changes, and severity changes. Contains incident metadata, alert aggregation counts, assignment information, and data source attribution. This schema describes the payload body only; it does not specify how deliveries are authenticated, so the receiving endpoint must verify the origin of each request separately before acting on the payload.\n", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xdr-webhooks-incident-payload-schema.json", "type": "object", "properties": { "name": { "type": "string", "description": "Human-readable name of the incident, either auto-generated by Cortex XDR from the correlated alert details or manually assigned by an analyst during investigation. Because this value can be derived from alert content (for example a hostname), consumers should treat it as untrusted text and escape it before rendering it or embedding it in queries, tickets, or notifications.\n", "example": "Ransomware Activity Detected on WORKSTATION-042" }, "incident_id": { "type": "string", "description": "The unique identifier for the incident, assigned by Cortex XDR upon creation. Although the value is numeric, it is delivered as a string and should be stored and compared as a string rather than converted to a number. Used to reference the incident in all subsequent API operations and webhook events.\n", "example": "5001" }, "creation_time": { "type": "integer", "description": "Unix epoch timestamp in milliseconds indicating when the incident was first created by Cortex XDR's correlation engine.\n", "example": 1705312200000 }, "modification_time": { "type": "integer", "description": "Unix epoch timestamp in milliseconds indicating the most recent modification to the incident, including status changes, severity updates, alert additions, and analyst assignments. If notifications for the same incident_id arrive out of order, this value can be compared across them to discard stale events.\n", "example": 1705315800000 }, "status": { "type": "string", "description": "The current investigation status of the incident at the time this webhook notification was dispatched. It may already have changed by the time the notification is processed.\n", "enum": [ "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_auto" ], "example": "new" }, "severity": { "type": "string", "description": "The current severity level of the incident, determined by the highest-severity correlated alert or manually overridden by an analyst. Drives prioritization in incident queues and escalation workflows.\n", "enum": [ "low", "medium", "high", "critical" ], "example": "high" }, "alert_count": { "type": "integer", "description": "The total number of individual alerts that have been correlated and grouped into this incident at the time of this notification.\n", "minimum": 1, "example": 3 }, "assigned_user_mail": { "type": "string", "description": "The email address of the analyst currently assigned to investigate this incident. Empty string when the incident is unassigned. Note that an empty string does not satisfy the email format, so validators configured to enforce format assertions will reject payloads for unassigned incidents unless that check is relaxed for this field.\n", "format": "email", "example": "analyst@example.com" }, "description": { "type": "string", "description": "A detailed description of the incident providing context about the detected threat activity, affected assets, and attack scope. May be auto-generated from correlated alert content or manually authored by an analyst. Because it can contain alert-derived text, consumers should treat it as untrusted and escape it before rendering it or forwarding it to other systems.\n", "example": "Multiple alerts indicating ransomware behavior on endpoint" }, "alert_sources": { "type": "array", "description": "List of detection source identifiers that contributed alerts to this incident. Identifies which Cortex XDR engines, modules, or integrated third-party products generated the underlying alerts.\n", "items": { "type": "string", "description": "Name of a detection source that contributed at least one alert to this incident.\n" }, "example": [ "XDR Agent", "XDR Analytics BIOC" ] } }, "required": [ "name", "incident_id", "creation_time", "modification_time", "status", "severity", "alert_count", "alert_sources" ] }