Merged
2 changes: 1 addition & 1 deletion doc/json/bundle.json
Expand Up @@ -416,7 +416,7 @@
},
"severity" : "Critical",
"short_description" : "string",
"short_id" : 10,
"short_id" : "string",
"source" : "string",
"source_uri" : "string",
"status" : "Closed",
2 changes: 1 addition & 1 deletion doc/json/casebook.json
Expand Up @@ -417,7 +417,7 @@
},
"severity" : "Critical",
"short_description" : "string",
"short_id" : 10,
"short_id" : "string",
"source" : "string",
"source_uri" : "string",
"status" : "Closed",
2 changes: 1 addition & 1 deletion doc/json/incident.json
Expand Up @@ -36,7 +36,7 @@
},
"severity" : "Critical",
"short_description" : "string",
"short_id" : 10,
"short_id" : "string",
"source" : "string",
"source_uri" : "string",
"status" : "Closed",
10 changes: 5 additions & 5 deletions doc/structures/bundle.md
Expand Up @@ -4467,7 +4467,7 @@ A URL reference to an external resource.
|[scores](#propertyscores-incidentscoresobject)|*IncidentScores* Object|Used to indicate the severity or impact score of the threat represented by the incident.||
|[severity](#propertyseverity-severitystring)|SeverityString|Represents the potential impact of an incident on an organization's security posture and business operations. It helps organizations prioritize and allocate resources for incident response based on the severity level of the incident It helps analysts and incident handlers prioritize incidents by indicating the level of risk and potential impact associated with the incident. This enables organizations to allocate resources efficiently and address the most critical incidents first. Can also be used to generate reports and metrics for measuring the effectiveness of the incident response process and to identify trends and patterns in the threat landscape. It is important to note that the `severity` field is subjective and can be interpreted differently by different organizations or analysts. Therefore, it should be used in conjunction with other intelligence attributes, such as the `confidence` field, to provide a more comprehensive view of the incident.||
|[short_description](#propertyshort_description-medstringstring)|MedStringString|A single line, short summary of the object.||
|[short_id](#propertyshort_id-integer)|Integer|A sequential, human-readable identifier for the incident, unique within an organization.||
|[short_id](#propertyshort_id-shortstringstring)|ShortStringString|A human-readable, short identifier for the incident, unique within an organization.||
|[source](#propertysource-medstringstring)|MedStringString|Represents the source of the intelligence that led to the creation of the entity.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
|[tactics](#propertytactics-shortstringstringlist)|ShortStringString List|Represents the offensive techniques, approaches, or procedures that an adversary may use to achieve their objectives during an attack. It helps in understanding the intent and capabilities of the adversary and can be used to identify indicators of attack (IoAs) or indicators of compromise (IoCs) that are associated with the adversary's tactics.||
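Review bot: the `short_id` row's link target changes from `#propertyshort_id-integer` to `#propertyshort_id-shortstringstring`, so any existing deep link to the old anchor stops resolving. If these anchors are linked from outside this file, mention the rename in the release notes. The new description also drops the word "sequential"; state explicitly whether consumers may still assume any ordering between identifiers.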
Expand Down Expand Up @@ -4777,15 +4777,15 @@ A single line, short summary of the object.

* *MedString* String with at most 2048 characters.

<a id="propertyshort_id-integer"></a>
## Property short_id ∷ Integer
<a id="propertyshort_id-shortstringstring"></a>
## Property short_id ∷ ShortStringString

A sequential, human-readable identifier for the incident, unique within an organization.
A human-readable, short identifier for the incident, unique within an organization.

* This entry is optional


* Zero, or a positive integer.
* *ShortString* String with at most 1024 characters.

<a id="propertysource-medstringstring"></a>
## Property source ∷ MedStringString
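Review bot: in the `short_id` property section, the only constraint left is "String with at most 1024 characters", which is loose for a field described as a short, human-readable identifier. The old constraint ("Zero, or a positive integer.") left no room for control characters, markup or whitespace-only values; the new type does, and because the value is meant to be read by people, consumers that display it or copy it into other systems now have to treat it as untrusted text. Suggest documenting the expected format and whether an empty string is accepted, or using a narrower string type if the schema has one.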
10 changes: 5 additions & 5 deletions doc/structures/casebook.md
Expand Up @@ -11414,7 +11414,7 @@ A URL reference to an external resource.
|[scores](#propertyscores-incidentscoresobject)|*IncidentScores* Object|Used to indicate the severity or impact score of the threat represented by the incident.||
|[severity](#propertyseverity-severitystring)|SeverityString|Represents the potential impact of an incident on an organization's security posture and business operations. It helps organizations prioritize and allocate resources for incident response based on the severity level of the incident It helps analysts and incident handlers prioritize incidents by indicating the level of risk and potential impact associated with the incident. This enables organizations to allocate resources efficiently and address the most critical incidents first. Can also be used to generate reports and metrics for measuring the effectiveness of the incident response process and to identify trends and patterns in the threat landscape. It is important to note that the `severity` field is subjective and can be interpreted differently by different organizations or analysts. Therefore, it should be used in conjunction with other intelligence attributes, such as the `confidence` field, to provide a more comprehensive view of the incident.||
|[short_description](#propertyshort_description-medstringstring)|MedStringString|A single line, short summary of the object.||
|[short_id](#propertyshort_id-integer)|Integer|A sequential, human-readable identifier for the incident, unique within an organization.||
|[short_id](#propertyshort_id-shortstringstring)|ShortStringString|A human-readable, short identifier for the incident, unique within an organization.||
|[source](#propertysource-medstringstring)|MedStringString|Represents the source of the intelligence that led to the creation of the entity.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
|[tactics](#propertytactics-shortstringstringlist)|ShortStringString List|Represents the offensive techniques, approaches, or procedures that an adversary may use to achieve their objectives during an attack. It helps in understanding the intent and capabilities of the adversary and can be used to identify indicators of attack (IoAs) or indicators of compromise (IoCs) that are associated with the adversary's tactics.||
Expand Down Expand Up @@ -11724,15 +11724,15 @@ A single line, short summary of the object.

* *MedString* String with at most 2048 characters.

<a id="propertyshort_id-integer"></a>
## Property short_id ∷ Integer
<a id="propertyshort_id-shortstringstring"></a>
## Property short_id ∷ ShortStringString

A sequential, human-readable identifier for the incident, unique within an organization.
A human-readable, short identifier for the incident, unique within an organization.

* This entry is optional


* Zero, or a positive integer.
* *ShortString* String with at most 1024 characters.

<a id="propertysource-medstringstring"></a>
## Property source ∷ MedStringString
10 changes: 5 additions & 5 deletions doc/structures/incident.md
Expand Up @@ -30,7 +30,7 @@
|[scores](#propertyscores-incidentscoresobject)|*IncidentScores* Object|Used to indicate the severity or impact score of the threat represented by the incident.||
|[severity](#propertyseverity-severitystring)|SeverityString|Represents the potential impact of an incident on an organization's security posture and business operations. It helps organizations prioritize and allocate resources for incident response based on the severity level of the incident It helps analysts and incident handlers prioritize incidents by indicating the level of risk and potential impact associated with the incident. This enables organizations to allocate resources efficiently and address the most critical incidents first. Can also be used to generate reports and metrics for measuring the effectiveness of the incident response process and to identify trends and patterns in the threat landscape. It is important to note that the `severity` field is subjective and can be interpreted differently by different organizations or analysts. Therefore, it should be used in conjunction with other intelligence attributes, such as the `confidence` field, to provide a more comprehensive view of the incident.||
|[short_description](#propertyshort_description-medstringstring)|MedStringString|A single line, short summary of the object.||
|[short_id](#propertyshort_id-integer)|Integer|A sequential, human-readable identifier for the incident, unique within an organization.||
|[short_id](#propertyshort_id-shortstringstring)|ShortStringString|A human-readable, short identifier for the incident, unique within an organization.||
|[source](#propertysource-medstringstring)|MedStringString|Represents the source of the intelligence that led to the creation of the entity.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
|[tactics](#propertytactics-shortstringstringlist)|ShortStringString List|Represents the offensive techniques, approaches, or procedures that an adversary may use to achieve their objectives during an attack. It helps in understanding the intent and capabilities of the adversary and can be used to identify indicators of attack (IoAs) or indicators of compromise (IoCs) that are associated with the adversary's tactics.||
Expand Down Expand Up @@ -340,15 +340,15 @@ A single line, short summary of the object.

* *MedString* String with at most 2048 characters.

<a id="propertyshort_id-integer"></a>
## Property short_id ∷ Integer
<a id="propertyshort_id-shortstringstring"></a>
## Property short_id ∷ ShortStringString

A sequential, human-readable identifier for the incident, unique within an organization.
A human-readable, short identifier for the incident, unique within an organization.

* This entry is optional


* Zero, or a positive integer.
* *ShortString* String with at most 1024 characters.

<a id="propertysource-medstringstring"></a>
## Property source ∷ MedStringString
2 changes: 1 addition & 1 deletion src/ctim/examples/incidents.cljc
Expand Up @@ -42,7 +42,7 @@
:discovery_method "Log Review"
:promotion_method "Manual"
:intended_effect "Extortion"
:short_id 1
:short_id "1"
:scores {:asset 5
:ttp 98}
:meta {:string "this description was generated by a very smart algorithm"
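Review bot: `:short_id "1"` still looks like the old integer, so the example does not show what the type change is for and would not catch a consumer that keeps parsing the value as a number. Suggest an example value that is clearly not numeric (a prefixed form, for instance) so the fixture exercises the string case.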
4 changes: 2 additions & 2 deletions src/ctim/schemas/incident.cljc
Expand Up @@ -169,8 +169,8 @@
(f/entry :techniques [c/ShortString]
:description (str "Represents the specific methods or actions used by an attacker "
"to carry out an offensive maneuver or achieve their goals."))
(f/entry :short_id c/PosInt
:description "A sequential, human-readable identifier for the incident, unique within an organization.")))
(f/entry :short_id c/ShortString
:description "A human-readable, short identifier for the incident, unique within an organization.")))

(def-entity-type NewIncident
"For submitting a new Incident."
Expand Down
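Review bot: in the `:short_id` entry, replacing `c/PosInt` with `c/ShortString` means a value that validated before, such as the integer `1` from the old example, is now rejected, and nothing visible in this diff coerces or migrates existing records. Suggest either accepting both forms for a transition period or stating the migration step in the changelog. The description still promises "unique within an organization", which the type cannot enforce; note where that uniqueness is checked.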