| Field | Type | Description |
|---|---|---|
| name | string | Human-readable name of the incident, either auto-generated by Cortex XDR from the correlated alert details or manually assigned by an analyst during investigation. |
| incident_id | string | The unique numeric identifier for the incident, assigned by Cortex XDR upon creation. Used to reference the incident in all subsequent API operations and webhook events. |
| creation_time | integer | Unix epoch timestamp in milliseconds indicating when the incident was first created by Cortex XDR's correlation engine. |
| modification_time | integer | Unix epoch timestamp in milliseconds indicating the most recent modification to the incident, including status changes, severity updates, alert additions, and analyst assignments. |
| status | string | The current investigation status of the incident at the time this webhook notification was dispatched. |
| severity | string | The current severity level of the incident, determined by the highest-severity correlated alert or manually overridden by an analyst. Drives prioritization in incident queues and escalation workflows. |
| alert_count | integer | The total number of individual alerts that have been correlated and grouped into this incident at the time of this notification. |
| assigned_user_mail | string | The email address of the analyst currently assigned to investigate this incident. Empty string when the incident is unassigned. |
| description | string | A detailed description of the incident providing context about the detected threat activity, affected assets, and attack scope. May be auto-generated from correlated alert content or manually authored. |
| alert_sources | array | List of detection source identifiers that contributed alerts to this incident. Identifies which Cortex XDR engines, modules, or integrated third-party products generated the underlying alerts. |
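As an added example (not code from the Cortex XDR documentation or product), the following Python receiver validates an incoming incident payload against the field types listed above, rejects type mismatches and an impossible timestamp order, converts the millisecond epoch values to UTC datetimes, and treats an empty `assigned_user_mail` as unassigned. The sample body and its `status`, `severity` and `alert_sources` values are constructed placeholders, since the table does not enumerate the allowed values.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from datetime import datetime, timezone

SCHEMA = {  # field -> JSON type, taken from the incident payload table above
    "name": str, "incident_id": str, "creation_time": int, "modification_time": int,
    "status": str, "severity": str, "alert_count": int, "assigned_user_mail": str,
    "description": str, "alert_sources": list,
}

@dataclass
class Incident:
    incident_id: str
    name: str
    status: str
    severity: str
    alert_count: int
    created: datetime
    modified: datetime
    assignee: str | None   # None when assigned_user_mail is the empty string
    alert_sources: list[str]

def parse_incident(body: str) -> Incident:
    """Validate one webhook body against the field table and build a typed record."""
    payload = json.loads(body)
    for field, expected in SCHEMA.items():
        if field not in payload:
            raise ValueError(f"missing field: {field}")
        value = payload[field]
        # bool is a subclass of int in Python, so reject it explicitly for integer fields
        if not isinstance(value, expected) or isinstance(value, bool):
            raise ValueError(f"{field}: expected {expected.__name__}, got {type(value).__name__}")
    if payload["modification_time"] < payload["creation_time"]:
        raise ValueError("modification_time precedes creation_time")
    if not all(isinstance(s, str) for s in payload["alert_sources"]):
        raise ValueError("alert_sources must contain strings only")
    # Both timestamps are Unix epoch milliseconds; convert to timezone-aware UTC datetimes.
    to_dt = lambda ms: datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return Incident(
        incident_id=payload["incident_id"], name=payload["name"],
        status=payload["status"], severity=payload["severity"],
        alert_count=payload["alert_count"], assignee=payload["assigned_user_mail"] or None,
        created=to_dt(payload["creation_time"]), modified=to_dt(payload["modification_time"]),
        alert_sources=payload["alert_sources"],
    )
# Constructed sample body for testing; not a real Cortex XDR notification.
SAMPLE = '''{"name": "Example incident", "incident_id": "1", "creation_time": 1700000000000,
"modification_time": 1700003600000, "status": "example_status", "severity": "example_severity",
"alert_count": 3, "assigned_user_mail": "", "description": "constructed", "alert_sources": ["src_a", "src_b"]}'''
```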