{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "XdrDataPayload",
  "description": "The payload structure for XDR data forwarding from integrated Palo Alto Networks products. Contains product identification, tenant context, event identification, and the forwarded telemetry content for correlation in the XSIAM unified data lake.\n",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xsiam-data-ingestion-xdr-data-payload-schema.json",
  "type": "object",
  "properties": {
    "dataset": {
      "type": "string",
      "description": "The target XSIAM dataset name for the forwarded XDR data.\n",
      "example": "xdr_agent_raw"
    },
    "vendor": {
      "type": "string",
      "description": "The Palo Alto Networks product vendor designation for the forwarding source. Typically 'Palo Alto Networks'.\n",
      "example": "Palo Alto Networks"
    },
    "product": {
      "type": "string",
      "description": "The specific Palo Alto Networks product forwarding XDR data, such as Cortex XDR Agent, PAN-OS, Prisma Access, or Strata Logging Service.\n",
      "example": "Cortex XDR Agent"
    },
    "log_type": {
      "type": "string",
      "description": "The XDR data type or telemetry category being forwarded (e.g., xdr_data, endpoint_event, network_event).\n",
      "example": "xdr_data"
    },
    "raw_log": {
      "type": "string",
      "description": "The raw XDR telemetry content as serialized JSON from the forwarding product. Contains all available event fields from the source product's data model.\n",
      "example": "{\"type\":\"PROCESS_EVENT\",\"hostname\":\"WORKSTATION-042\",...}"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time",
      "description": "The ISO 8601 date-time string indicating when the XDR event was captured by the source product.\n",
      "example": "2024-01-15T10:35:00.000Z"
    },
    "tenant_id": {
      "type": "string",
      "description": "The XSIAM tenant identifier to which this XDR data belongs. Ensures forwarded data is routed to the correct tenant environment in multi-tenant deployments.\n",
      "example": "xsiam-tenant-001"
    },
    "event_id": {
      "type": "string",
      "description": "A unique identifier for this forwarded XDR event, used for deduplication, correlation, and audit trail tracking.\n",
      "example": "evt-20240115-103500-003"
    }
  },
  "required": [
    "dataset",
    "vendor",
    "product",
    "log_type",
    "raw_log",
    "timestamp",
    "tenant_id",
    "event_id"
  ]
}