{ "$schema": "https://json-structure.org/meta/core/v0/#", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/saas-security-api-incident-structure.json", "name": "Incident", "description": "Incident schema from the Palo Alto Networks SaaS Security API.", "type": "object", "properties": { "id": { "type": "string", "description": "Unique incident identifier." }, "title": { "type": "string", "description": "Summary title of the incident." }, "description": { "type": "string", "description": "Detailed description of the security incident." }, "status": { "type": "string", "description": "Current incident status.", "enum": [ "new", "in_progress", "resolved", "dismissed" ] }, "severity": { "type": "string", "description": "Incident severity level.", "enum": [ "low", "medium", "high", "critical" ] }, "app_id": { "type": "string", "description": "ID of the SaaS application where the incident occurred." }, "app_name": { "type": "string", "description": "Name of the SaaS application where the incident occurred." }, "policy_name": { "type": "string", "description": "Name of the policy that triggered the incident." }, "affected_assets": { "type": "array", "description": "IDs of assets involved in the incident.", "items": { "type": "string" } }, "affected_users": { "type": "array", "description": "IDs of the users involved in the incident.", "items": { "type": "string" } }, "assignee_id": { "type": "string", "description": "User ID of the assigned analyst." }, "created_at": { "type": "datetime", "description": "Timestamp when the incident was detected." }, "updated_at": { "type": "datetime", "description": "Timestamp of the most recent update to the incident." } } }