{ "$schema": "https://json-structure.org/meta/core/v0/#", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cortex-xdr-webhooks-alert-payload-structure.json", "name": "AlertPayload", "description": "The payload delivered to the webhook endpoint for Cortex XDR alert creation events. Contains alert identification, incident association, timing metadata, status, severity, alert aggregation counts, assignee information, description, and contributing data sources.\n", "type": "object", "properties": { "name": { "type": "string", "description": "Human-readable name of the alert derived from the detection rule, analytics model, IOC match, or BIOC rule that triggered it.\n" }, "incident_id": { "type": "string", "description": "The unique identifier of the parent incident to which this alert has been correlated. Enables association of individual alerts with their incident context.\n" }, "creation_time": { "type": "int32", "description": "Unix epoch timestamp in milliseconds indicating when the alert was first generated by the detecting engine or agent. Note: current millisecond epoch values exceed the int32 range, so the declared type appears too narrow; confirm whether int64 is intended before validating payloads against this schema.\n" }, "modification_time": { "type": "int32", "description": "Unix epoch timestamp in milliseconds indicating the most recent modification to the alert record. Note: current millisecond epoch values exceed the int32 range, so the declared type appears too narrow; confirm whether int64 is intended before validating payloads against this schema.\n" }, "status": { "type": "string", "description": "The current status of the alert at the time this webhook notification was dispatched.\n", "enum": [ "new", "under_investigation", "resolved_threat_handled", "resolved_known_issue", "resolved_duplicate", "resolved_false_positive", "resolved_auto" ] }, "severity": { "type": "string", "description": "The severity level of the individual alert as determined by the detection rule, analytics model, or IOC threat intelligence that triggered it.\n", "enum": [ "low", "medium", "high", "critical" ] }, "alert_count": { "type": "int32", "description": "The number of raw detection events aggregated into this alert. Multiple occurrences of the same detection within a time window may be consolidated into a single alert record.\n", "minimum": 1 }, "assigned_user_mail": { "type": "string", "description": "The email address of the analyst assigned to investigate the parent incident of this alert. Empty string when unassigned.\n" }, "description": { "type": "string", "description": "A detailed description of the alert providing context about the detected malicious or suspicious activity, including process details, file paths, network connections, or user context. Because these details are taken from the observed activity, consumers should treat this text as untrusted and escape it before rendering or interpolating it.\n" }, "alert_sources": { "type": "array", "description": "List of detection source identifiers that contributed to this alert. Identifies which Cortex XDR engine or module produced the detection.\n", "items": { "type": "string", "description": "Name of the detection source (e.g., XDR Agent, XDR Analytics, XDR Analytics BIOC, XDR BIOC, Cortex XDR - IOC).\n" } } }, "required": [ "name", "incident_id", "creation_time", "modification_time", "status", "severity", "alert_count", "alert_sources" ] }