Palo Alto Networks · AsyncAPI Specification
Prisma Cloud CSPM Webhooks
Version 1.0.0
Prisma Cloud Cloud Security Posture Management (CSPM) Webhooks deliver real-time event notifications for policy violations and security alerts across multi-cloud environments including AWS, Azure, GCP, OCI, and Alibaba Cloud. Webhooks are configured as notification channels in Prisma Cloud Settings > Integrations and dispatch HTTP POST requests with JSON payloads to registered HTTPS endpoints whenever alert lifecycle events occur. Supported events include alert creation, update, resolution, and dismissal. Webhooks enable integration with SIEM platforms, SOAR systems, ticketing tools, and custom security automation workflows.
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR, AsyncAPI, Webhooks, Events
Channels
alert/created
New policy-violation alert created
Triggered when Prisma Cloud generates a new alert due to a policy violation detected during a cloud resource scan. The alert payload contains full context about the violated policy, the affected cloud resource, and its account.
alert/updated
Existing alert updated
Triggered when an existing Prisma Cloud alert is updated, typically when the underlying resource configuration changes after the initial policy violation was detected, causing a re-evaluation.
alert/resolved
Alert automatically resolved
Triggered when a Prisma Cloud alert is automatically resolved because the underlying cloud resource configuration has been brought back into compliance with the policy.
alert/dismissed
Alert manually dismissed or snoozed
Triggered when a Prisma Cloud alert is manually dismissed by a user or suppressed by a configured snooze or suppression rule.
Messages
AlertCreated
Alert Created
A new Prisma Cloud policy-violation alert has been created
AlertUpdated
Alert Updated
An existing Prisma Cloud policy-violation alert has been updated
AlertResolved
Alert Resolved
A Prisma Cloud policy-violation alert has been automatically resolved
AlertDismissed
Alert Dismissed
A Prisma Cloud policy-violation alert has been dismissed
Servers
https
customer-webhook
{webhookUrl}
Customer-configured HTTPS endpoint to receive Prisma Cloud webhook notifications. The endpoint must be publicly accessible, accept HTTP POST requests with a JSON body, and return a 2xx HTTP status code. Configure the endpoint URL in Prisma Cloud Settings > Integrations > Add Integration > Webhook.