
Prisma Cloud Webhooks Alert Payload Structure

The payload delivered to the webhook endpoint for every Prisma Cloud CSPM alert lifecycle event. Contains all contextual information about the event type, the alert, the violated policy, and the affected cloud resource.

Type: object Properties: 11 Required: 11

AlertPayload is a JSON Structure definition published by Palo Alto Networks, describing 11 properties, all of which are required. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

notification_type alert_id alert_status policy_id policy_name cloud_type account_id resource_id resource_type severity timestamp

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/prisma-cloud-webhooks-alert-payload-structure.json",
  "name": "AlertPayload",
  "description": "The payload delivered to the webhook endpoint for every Prisma Cloud CSPM alert lifecycle event. Contains all contextual information about the event type, the alert, the violated policy, and the affected cloud resource.\n",
  "type": "object",
  "properties": {
    "notification_type": {
      "type": "string",
      "description": "The type of alert lifecycle event that triggered this webhook notification. Identifies whether this is a creation, update, resolution, or dismissal event.\n",
      "enum": [
        "alert.created",
        "alert.updated",
        "alert.resolved",
        "alert.dismissed"
      ]
    },
    "alert_id": {
      "type": "string",
      "description": "The unique identifier for the Prisma Cloud alert. Alert IDs are prefixed with 'P-' followed by a numeric sequence, used to reference the alert in Prisma Cloud API operations and the management console.\n"
    },
    "alert_status": {
      "type": "string",
      "description": "The current lifecycle status of the alert at the time this webhook notification was dispatched.\n",
      "enum": [
        "open",
        "resolved",
        "dismissed",
        "snoozed"
      ]
    },
    "policy_id": {
      "type": "uuid",
      "description": "The unique UUID identifier of the Prisma Cloud security policy that was violated and triggered this alert. Can be used to retrieve full policy details via the Prisma Cloud API.\n"
    },
    "policy_name": {
      "type": "string",
      "description": "The human-readable display name of the Prisma Cloud security policy that was violated. Provides immediate context about the nature of the misconfiguration or compliance gap detected.\n"
    },
    "cloud_type": {
      "type": "string",
      "description": "The cloud service provider where the violating resource resides. Identifies which cloud environment requires investigation and remediation.\n",
      "enum": [
        "aws",
        "azure",
        "gcp",
        "oci",
        "alibaba_cloud"
      ]
    },
    "account_id": {
      "type": "string",
      "description": "The cloud provider account ID, subscription ID, or project ID where the violating resource is deployed. Used to identify the specific cloud account requiring remediation.\n"
    },
    "resource_id": {
      "type": "string",
      "description": "The unique identifier of the cloud resource that violated the policy. For AWS resources this is typically an ARN. For Azure resources this is the resource ID path. For GCP resources this is the full resource name.\n"
    },
    "resource_type": {
      "type": "string",
      "description": "The cloud provider service or resource type of the violating resource (e.g., s3, ec2, azure_storage_account, google_storage_bucket). Used to identify the type of infrastructure requiring remediation.\n"
    },
    "severity": {
      "type": "string",
      "description": "The severity level of the policy violation as defined by the Prisma Cloud security policy. Drives alert prioritization and notification routing in downstream systems.\n",
      "enum": [
        "informational",
        "low",
        "medium",
        "high",
        "critical"
      ]
    },
    "timestamp": {
      "type": "datetime",
      "description": "The ISO 8601 date-time string indicating when this alert event occurred. For created events this is the alert creation time. For resolved or dismissed events this is the time of the status change.\n"
    }
  },
  "required": [
    "notification_type",
    "alert_id",
    "alert_status",
    "policy_id",
    "policy_name",
    "cloud_type",
    "account_id",
    "resource_id",
    "resource_type",
    "severity",
    "timestamp"
  ]
}