{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/email-dlp-api-email-dlp-incident-structure.json",
  "name": "EmailDLPIncident",
  "description": "EmailDLPIncident schema from Palo Alto Networks Email DLP API",
  "type": "object",
  "properties": {
    "id": {
      "type": "string",
      "description": "Unique incident identifier."
    },
    "sender": {
      "type": "string",
      "description": "Email address of the message sender."
    },
    "subject": {
      "type": "string",
      "description": "Email message subject line."
    },
    "status": {
      "type": "string",
      "description": "Current status or verdict for the email message.",
      "enum": [
        "pending",
        "allowed",
        "blocked",
        "quarantined"
      ]
    },
    "severity": {
      "type": "string",
      "description": "Incident severity based on data pattern sensitivity.",
      "enum": [
        "critical",
        "high",
        "medium",
        "low",
        "informational"
      ]
    },
    "data_patterns": {
      "type": "array",
      "description": "Data patterns that matched in the email content.",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string"
          },
          "name": {
            "type": "string"
          },
          "category": {
            "type": "string"
          },
          "match_count": {
            "type": "int32"
          }
        }
      }
    },
    "match_count": {
      "type": "int32",
      "description": "Total number of data pattern matches across all patterns."
    },
    "timestamp": {
      "type": "datetime",
      "description": "Timestamp when the incident was detected."
    },
    "has_attachments": {
      "type": "boolean",
      "description": "Whether the email contained attachments."
    },
    "attachment_count": {
      "type": "int32",
      "description": "Number of attachments in the email."
    },
    "direction": {
      "type": "string",
      "description": "Direction of the email message.",
      "enum": [
        "inbound",
        "outbound",
        "internal"
      ]
    },
    "action_taken": {
      "type": "string",
      "description": "Automated action taken on the message.",
      "enum": [
        "alert",
        "block",
        "quarantine"
      ]
    },
    "reviewed_by": {
      "type": "string",
      "description": "Email address of the analyst who reviewed the incident."
    },
    "reviewed_at": {
      "type": "datetime",
      "description": "Timestamp when the incident was last reviewed."
    },
    "comment": {
      "type": "string",
      "description": "Comment added during verdict review."
    }
  }
}