{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "DLPIncident", "description": "DLPIncident schema from the Palo Alto Networks Enterprise DLP API.", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/dlp-api-dlp-incident-schema.json", "type": "object", "properties": { "incident_id": { "type": "string", "description": "Unique incident identifier." }, "status": { "type": "string", "enum": [ "open", "in_review", "resolved", "dismissed" ], "description": "Current incident status." }, "severity": { "type": "string", "enum": [ "critical", "high", "medium", "low", "informational" ], "description": "Incident severity level." }, "data_pattern_name": { "type": "string", "description": "Name of the data pattern that triggered the incident." }, "data_pattern_id": { "type": "string", "description": "Identifier of the data pattern that triggered the incident." }, "match_count": { "type": "integer", "description": "Number of data pattern matches in the content." }, "channel": { "type": "string", "enum": [ "web", "ssl", "saas", "email", "endpoint" ], "description": "Channel where the data exposure was detected." }, "user": { "type": "string", "description": "Email address or username of the user involved." }, "timestamp": { "type": "string", "format": "date-time", "description": "Timestamp when the incident was detected." }, "application": { "type": "string", "description": "Application associated with the incident." }, "file_name": { "type": "string", "description": "Name of the file containing sensitive data." }, "file_type": { "type": "string", "description": "MIME type of the file." }, "file_size": { "type": "integer", "description": "Size of the file in bytes." }, "direction": { "type": "string", "enum": [ "upload", "download", "internal" ], "description": "Direction of data movement."
}, "action_taken": { "type": "string", "enum": [ "alert", "block", "quarantine", "encrypt" ], "description": "Automated action taken in response to the incident." }, "reviewer_comments": { "type": "string", "description": "Comments added by the reviewing analyst." }, "reviewed_by": { "type": "string", "description": "Email address of the analyst who reviewed the incident." }, "reviewed_at": { "type": "string", "format": "date-time", "description": "Timestamp when the incident was last reviewed." } } }