{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Incident",
  "description": "A Cortex XSOAR incident representing a security event under investigation.",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xsoar-api-incident-schema.json",
  "type": "object",
  "properties": {
    "id": {
      "type": "string",
      "description": "Unique incident identifier.",
      "readOnly": true
    },
    "name": {
      "type": "string",
      "description": "Incident name or title."
    },
    "type": {
      "type": "string",
      "description": "Incident type (maps to an incident type definition)."
    },
    "status": {
      "type": "integer",
      "description": "Incident status code: 0 (Pending), 1 (Active), 2 (Done), 3 (Archive).",
      "enum": [
        0,
        1,
        2,
        3
      ]
    },
    "severity": {
      "type": "integer",
      "description": "Severity level: 0 (Unknown), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical).",
      "enum": [
        0,
        1,
        2,
        3,
        4,
        5
      ]
    },
    "owner": {
      "type": "string",
      "description": "Username of the analyst assigned to this incident."
    },
    "created": {
      "type": "string",
      "format": "date-time",
      "description": "Incident creation timestamp.",
      "readOnly": true
    },
    "modified": {
      "type": "string",
      "format": "date-time",
      "description": "Last modification timestamp.",
      "readOnly": true
    },
    "occurred": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp when the security event occurred."
    },
    "closed": {
      "type": "string",
      "format": "date-time",
      "description": "Incident closure timestamp."
    },
    "closeReason": {
      "type": "string",
      "description": "Reason for closing the incident."
    },
    "closeNotes": {
      "type": "string",
      "description": "Notes added when closing the incident."
    },
    "labels": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "type": {
            "type": "string"
          },
          "value": {
            "type": "string"
          }
        }
      },
      "description": "Key-value label pairs attached to the incident."
    },
    "details": {
      "type": "string",
      "description": "Incident details or description."
    },
    "investigationId": {
      "type": "string",
      "description": "Associated investigation ID.",
      "readOnly": true
    },
    "playbookId": {
      "type": "string",
      "description": "Playbook assigned to this incident."
    },
    "sourceInstance": {
      "type": "string",
      "description": "Integration instance that created this incident."
    },
    "sourceBrand": {
      "type": "string",
      "description": "Integration brand that created this incident."
    },
    "rawJson": {
      "type": "string",
      "description": "Raw JSON payload from the originating event."
    },
    "CustomFields": {
      "type": "object",
      "description": "Custom field values specific to the incident type.",
      "additionalProperties": true
    }
  }
}