
AlertPayload

The payload delivered to the webhook endpoint for Cortex XDR alert creation events. Contains alert identification, incident association, timing metadata, status, severity, alert aggregation counts, assignee information, description, and contributing data sources.


Properties

| Name | Type | Description |
|---|---|---|
| name | string | Human-readable name of the alert, derived from the detection rule, analytics model, IOC match, or BIOC rule that triggered it. |
| incident_id | string | The unique identifier of the parent incident to which this alert has been correlated. Enables association of individual alerts with their incident context. |
| creation_time | integer | Unix epoch timestamp in milliseconds indicating when the alert was first generated by the detecting engine or agent. |
| modification_time | integer | Unix epoch timestamp in milliseconds indicating the most recent modification to the alert record. |
| status | string | The current status of the alert at the time this webhook notification was dispatched. |
| severity | string | The severity level of the individual alert as determined by the detection rule, analytics model, or IOC threat intelligence that triggered it. |
| alert_count | integer | The number of raw detection events aggregated into this alert. Multiple occurrences of the same detection within a time window may be consolidated into a single alert record. |
| assigned_user_mail | string | The email address of the analyst assigned to investigate the parent incident of this alert. Empty string when unassigned. |
| description | string | A detailed description of the alert providing context about the detected malicious or suspicious activity, including process details, file paths, network connections, or user context. |
| alert_sources | array | List of detection source identifiers that contributed to this alert. Identifies which Cortex XDR engine or module produced the detection. |