| Field | Type | Description |
|---|---|---|
| name | string | Human-readable name of the alert derived from the detection rule, analytics model, IOC match, or BIOC rule that triggered it. |
| incident_id | string | The unique identifier of the parent incident to which this alert has been correlated. Enables association of individual alerts with their incident context. |
| creation_time | integer | Unix epoch timestamp in milliseconds indicating when the alert was first generated by the detecting engine or agent. |
| modification_time | integer | Unix epoch timestamp in milliseconds indicating the most recent modification to the alert record. |
| status | string | The current status of the alert at the time this webhook notification was dispatched. |
| severity | string | The severity level of the individual alert as determined by the detection rule, analytics model, or IOC threat intelligence that triggered it. |
| alert_count | integer | The number of raw detection events aggregated into this alert. Multiple occurrences of the same detection within a time window may be consolidated into a single alert record. |
| assigned_user_mail | string | The email address of the analyst assigned to investigate the parent incident of this alert. Empty string when unassigned. |
| description | string | A detailed description of the alert providing context about the detected malicious or suspicious activity, including process details, file paths, network connections, or user context. |
| alert_sources | array | List of detection source identifiers that contributed to this alert. Identifies which Cortex XDR engine or module produced the detection. |
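As an added example (not code from the product or its documentation), the following Python receiver-side helper validates a webhook alert body against the field types in the table above, converts the millisecond epoch timestamps to UTC, and treats an empty `assigned_user_mail` as unassigned. The sample payload and its values (status, severity, source names) are constructed for illustration; only the field names come from the table.

```python
import json
from datetime import datetime, timezone

# Expected JSON type per field, from the table (string -> str, integer -> int, array -> list).
ALERT_SCHEMA = {
    "name": str, "incident_id": str, "creation_time": int, "modification_time": int,
    "status": str, "severity": str, "alert_count": int, "assigned_user_mail": str,
    "description": str, "alert_sources": list,
}

def validate_alert(alert: dict) -> list:
    """Return schema problems (missing fields, wrong types); an empty list means the payload matches."""
    problems = []
    for field, expected in ALERT_SCHEMA.items():
        if field not in alert:
            problems.append(f"missing field: {field}")
        # bool is a subclass of int in Python, so reject it explicitly for the integer fields.
        elif not isinstance(alert[field], expected) or isinstance(alert[field], bool):
            problems.append(f"{field}: expected {expected.__name__}, got {type(alert[field]).__name__}")
    return problems

def ms_to_utc(ms: int) -> datetime:
    """creation_time and modification_time are Unix epoch milliseconds; return an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def normalize_alert(raw_json: str) -> dict:
    """Parse one webhook body, validate it against ALERT_SCHEMA and return a record for triage."""
    alert = json.loads(raw_json)
    problems = validate_alert(alert)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": alert["name"],
        "incident_id": alert["incident_id"],
        "created_at": ms_to_utc(alert["creation_time"]).isoformat(),
        "modified_at": ms_to_utc(alert["modification_time"]).isoformat(),
        "status": alert["status"],
        "severity": alert["severity"].lower(),
        "alert_count": alert["alert_count"],
        "assignee": alert["assigned_user_mail"] or None,  # empty string means unassigned (per the table)
        "sources": sorted(set(alert["alert_sources"])),
    }

# Constructed sample payload: field names from the table, values made up for this example.
SAMPLE_ALERT = json.dumps({
    "name": "Suspicious process execution", "incident_id": "12345",
    "creation_time": 1700000000000, "modification_time": 1700000060000,
    "status": "new", "severity": "High", "alert_count": 3, "assigned_user_mail": "",
    "description": "Constructed description.", "alert_sources": ["XDR Agent", "XDR Analytics", "XDR Agent"],
})

if __name__ == "__main__":
    print(json.dumps(normalize_alert(SAMPLE_ALERT), indent=2))
```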