{ "$schema": "https://json-structure.org/meta/core/v0/#", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cortex-xdr-api-incident-structure.json", "name": "Incident", "description": "A Cortex XDR incident grouping related alerts.", "type": "object", "properties": { "incident_id": { "type": "string" }, "incident_name": { "type": "string" }, "description": { "type": "string" }, "status": { "type": "string", "enum": [ "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_other" ] }, "severity": { "type": "string", "enum": [ "critical", "high", "medium", "low", "informational", "unknown" ] }, "assigned_user_mail": { "type": "string" }, "assigned_user_pretty_name": { "type": "string" }, "alert_count": { "type": "int32" }, "low_severity_alert_count": { "type": "int32" }, "med_severity_alert_count": { "type": "int32" }, "high_severity_alert_count": { "type": "int32" }, "critical_severity_alert_count": { "type": "int32" }, "user_count": { "type": "int32" }, "host_count": { "type": "int32" }, "creation_time": { "type": "int32", "description": "Incident creation timestamp as Unix epoch milliseconds. Present-day values exceed the signed 32-bit range, so read this field as a 64-bit integer to keep incident timelines intact." }, "modification_time": { "type": "int32", "description": "Last modification timestamp as Unix epoch milliseconds. Present-day values exceed the signed 32-bit range, so read this field as a 64-bit integer to keep incident timelines intact." }, "detection_time": { "type": "int32" }, "starred": { "type": "boolean" }, "xdr_url": { "type": "string", "description": "Direct URL to the incident in the XDR console." }, "rule_based_score": { "type": "int32" }, "manual_score": { "type": "int32" } } }