Palo Alto Networks · AsyncAPI Specification

Cortex XDR Webhooks

Version 1.0.0

Cortex XDR Webhooks provide real-time incident and alert notifications for security events detected across endpoints, networks, and cloud workloads. Webhooks are configured in Cortex XDR Settings > Notifications > External Applications and deliver HTTP POST requests with JSON payloads to registered HTTPS endpoints whenever incident and alert lifecycle events occur. Events include incident creation, status changes, severity changes, and new alert generation. Webhook notifications enable integration with SOAR platforms, ticketing systems, and custom automation workflows for accelerated incident response.


Channels

incident/created (subscribe operation: onIncidentCreated)
Summary: New incident created
Triggered when a new incident is created in Cortex XDR. Incidents are automatically created by correlating one or more related alerts that share common attributes such as affected endpoints, users, or attack patterns. This event signals the beginning of a new investigation context.

incident/status_changed (subscribe operation: onIncidentStatusChanged)
Summary: Incident investigation status changed
Triggered when an existing incident's investigation status changes. Status transitions include moving from new to under_investigation, or from under_investigation to any resolved state. This event enables downstream systems to track investigation lifecycle progress.

incident/severity_changed (subscribe operation: onIncidentSeverityChanged)
Summary: Incident severity level changed
Triggered when an incident's severity level is elevated or reduced, either automatically due to new correlated alerts or manually by an analyst overriding the calculated severity.

alert/created (subscribe operation: onAlertCreated)
Summary: New alert generated
Triggered when a new alert is generated by Cortex XDR analytics engines, BIOC (Behavioral Indicator of Compromise) rules, IOC matches, endpoint agents, or third-party integrated data sources. Alerts represent individual suspicious or malicious activities detected across the protected environment.

Messages

IncidentCreated (Incident Created)
A new Cortex XDR incident has been created.

IncidentUpdated (Incident Updated)
A Cortex XDR incident status or severity has changed.

AlertCreated (Alert Created)
A new Cortex XDR alert has been generated.

Servers

customer-webhook (protocol: https), URL: {webhookUrl}
Customer-configured HTTPS endpoint to receive Cortex XDR webhook notifications. The endpoint must accept POST requests with JSON payloads and return a 2xx HTTP response. Configure the webhook URL in Cortex XDR Settings > Notifications > External Applications and assign it to one or more notification profiles.
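A minimal receiver for the endpoint contract above and the four channels listed under Channels, written as an added example rather than Palo Alto Networks code. The JSON field names (event, incident_id, alert_id, old_status, new_status, severity) are assumptions, since this page does not publish the payload schema; the status transitions checked are the ones the incident/status_changed description names.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Channel names taken from the spec summary; anything else is rejected.
CHANNELS = {"incident/created", "incident/status_changed",
            "incident/severity_changed", "alert/created"}

# Investigation status transitions named for incident/status_changed.
ALLOWED_TRANSITIONS = {("new", "under_investigation"),
                       ("under_investigation", "resolved")}

def handle_event(channel: str, payload: dict) -> tuple:
    """Return (HTTP status, note). Field names are assumed, not the vendor schema."""
    if channel not in CHANNELS:
        return 400, "unknown channel %r" % channel
    if "incident_id" not in payload and "alert_id" not in payload:
        return 400, "missing incident_id/alert_id"
    if channel == "incident/status_changed":
        pair = (payload.get("old_status"), payload.get("new_status"))
        if pair not in ALLOWED_TRANSITIONS:
            # Still 2xx per the endpoint contract, but flag for analyst review.
            return 202, "unexpected transition %s -> %s, flagged" % pair
        return 200, "incident %s now %s" % (payload["incident_id"], pair[1])
    if channel == "incident/severity_changed":
        return 200, "incident %s severity %s" % (payload["incident_id"],
                                                 payload.get("severity"))
    if channel == "alert/created":
        return 200, "alert %s opened" % payload["alert_id"]
    return 200, "incident %s created" % payload["incident_id"]

class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        # The channel is carried in an assumed "event" field of the body.
        status, note = handle_event(body.get("event", ""), body)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"note": note}).encode())

if __name__ == "__main__":
    # Terminate TLS in a reverse proxy in front of this; the spec requires HTTPS.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```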