Palo Alto Networks · Schema

Alert

A Cortex XDR alert representing a single detection event.

Cloud SecurityCybersecurityFirewallNetwork SecuritySASESOARThreat IntelligenceXDR

Properties

Name Type Description
alert_id string
detection_timestamp integer Detection timestamp as Unix epoch milliseconds.
name string Alert name or rule name that triggered this alert.
category string Alert category (e.g., Malware, Exploit, Lateral Movement).
description string
host_ip array
host_name string
user_name string
mac array
source string Data source that generated the alert.
action string Action taken on the alert.
action_pretty string
severity string
matching_status string
alert_type string
resolution_status string
resolution_comment string
View JSON Schema on GitHub

JSON Schema

cortex-xdr-api-alert-schema.json Raw ↑ 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Alert",
  "description": "A Cortex XDR alert representing a single detection event.",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xdr-api-alert-schema.json",
  "type": "object",
  "properties": {
    "alert_id": {
      "type": "string"
    },
    "detection_timestamp": {
      "type": "integer",
      "description": "Detection timestamp as Unix epoch milliseconds."
    },
    "name": {
      "type": "string",
      "description": "Alert name or rule name that triggered this alert."
    },
    "category": {
      "type": "string",
      "description": "Alert category (e.g., Malware, Exploit, Lateral Movement)."
    },
    "description": {
      "type": "string"
    },
    "host_ip": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "host_name": {
      "type": "string"
    },
    "user_name": {
      "type": "string"
    },
    "mac": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "source": {
      "type": "string",
      "description": "Data source that generated the alert."
    },
    "action": {
      "type": "string",
      "description": "Action taken on the alert."
    },
    "action_pretty": {
      "type": "string"
    },
    "severity": {
      "type": "string",
      "enum": [
        "critical",
        "high",
        "medium",
        "low",
        "informational",
        "unknown"
      ]
    },
    "matching_status": {
      "type": "string"
    },
    "alert_type": {
      "type": "string"
    },
    "resolution_status": {
      "type": "string"
    },
    "resolution_comment": {
      "type": "string"
    }
  }
}