
Cortex XDR API Alert Structure

A Cortex XDR alert representing a single detection event.

Type: object Properties: 17

Alert is a JSON Structure definition published by Palo Alto Networks, describing 17 properties. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

alert_id detection_timestamp name category description host_ip host_name user_name mac source action action_pretty severity matching_status alert_type resolution_status resolution_comment

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cortex-xdr-api-alert-structure.json",
  "name": "Alert",
  "description": "A Cortex XDR alert representing a single detection event.",
  "type": "object",
  "properties": {
    "alert_id": {
      "type": "string"
    },
    "detection_timestamp": {
      "type": "int32",
      "description": "Detection timestamp as Unix epoch milliseconds. Note: millisecond epoch values exceed the int32 range, so the declared int32 type cannot represent them; a 64-bit integer is needed."
    },
    "name": {
      "type": "string",
      "description": "Alert name or rule name that triggered this alert."
    },
    "category": {
      "type": "string",
      "description": "Alert category (e.g., Malware, Exploit, Lateral Movement)."
    },
    "description": {
      "type": "string"
    },
    "host_ip": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "host_name": {
      "type": "string"
    },
    "user_name": {
      "type": "string"
    },
    "mac": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "source": {
      "type": "string",
      "description": "Data source that generated the alert."
    },
    "action": {
      "type": "string",
      "description": "Action taken on the alert."
    },
    "action_pretty": {
      "type": "string"
    },
    "severity": {
      "type": "string",
      "enum": [
        "critical",
        "high",
        "medium",
        "low",
        "informational",
        "unknown"
      ]
    },
    "matching_status": {
      "type": "string"
    },
    "alert_type": {
      "type": "string"
    },
    "resolution_status": {
      "type": "string"
    },
    "resolution_comment": {
      "type": "string"
    }
  }
}