{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "Incident", "description": "Incident schema from the Palo Alto Networks SaaS Security API.", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/saas-security-api-incident-schema.json", "type": "object", "properties": { "id": { "type": "string", "description": "Unique incident identifier." }, "title": { "type": "string", "description": "Summary title of the incident." }, "description": { "type": "string", "description": "Detailed description of the security incident." }, "status": { "type": "string", "enum": [ "new", "in_progress", "resolved", "dismissed" ], "description": "Current incident status." }, "severity": { "type": "string", "enum": [ "low", "medium", "high", "critical" ], "description": "Incident severity level." }, "app_id": { "type": "string", "description": "ID of the SaaS application where the incident occurred." }, "app_name": { "type": "string", "description": "Name of the SaaS application." }, "policy_name": { "type": "string", "description": "Name of the policy that triggered the incident." }, "affected_assets": { "type": "array", "items": { "type": "string" }, "description": "IDs of assets involved in the incident." }, "affected_users": { "type": "array", "items": { "type": "string" }, "description": "IDs of the users involved in the incident." }, "assignee_id": { "type": "string", "description": "User ID of the assigned analyst." }, "created_at": { "type": "string", "format": "date-time", "description": "Timestamp when the incident was detected." }, "updated_at": { "type": "string", "format": "date-time", "description": "Timestamp of the most recent update." } } }