Alert Payload

Learn about the detailed information contained in the Prisma™ Cloud alert payload.
A Prisma™ Cloud alert payload is a JSON data object that contains detailed information about an alert, such as the cloud account, resource, compliance standard, and policy.
Alert Payload Field
Description
Account Ancestors
The GCP cloud account ancestry owner information is available directly in the alert payload on the L2 page and also in the notification payload.
Account ID
The ID of the cloud account where the violation that triggered the alert occurred.
Account Name
Name of the cloud account where Prisma Cloud detected the policy violation.
Alert ID
Identification number of the alert.
Alert Rule Name
Name of the alert rule that triggered this alert.
Callback URL
The URL for the alert in Prisma Cloud.
Cloud Type
Type of cloud account: AWS, Azure, or GCP.
Policy Description
Description of the policy as shown within Prisma Cloud.
Policy ID
Universally unique identification (UUID) number of the policy.
Policy Labels
Labels associated with the policy.
Policy Name
Name of the policy.
Policy Recommendation
Remediation recommendations for the policy.
Saved Search UUID
Universally unique identification (UUID) number of the saved search.
Remediation CLI
The CLI commands that you can use to resolve the policy violation.
Compliance Standard name
Name of the compliance standard.
Compliance Standard description
Description of the compliance standard.
Compliance Metadata
Detailed information regarding a compliance standard. Includes the child nodes
Standard Name
, for instance "AWS Foundational Security Best Practices standard", and
Requirement ID
and
Requirement Name
.
Requirement ID
Identification number of the requirement in the compliance standard.
Requirement Name
Name of the requirement in the compliance standard.
Section ID
Identification number of the section in the compliance standard.
Section Description
Description of the section in the compliance standard.
Compliance ID
ID number of the compliance standard.
System Default
Indicates whether the compliance standard is Prisma Cloud System Default.
Custom assigned
Indicates if the compliance standard is assigned to a policy.
Resource Cloud Service
Cloud service provider of the resource that triggered the alert.
Resource Data
The JSON data of the resource.
Resource ID
ID of the resource that triggered the alert.
Resource Name
Name of the resource that triggered the alert.
Resource Region
Name of the cloud region to which the resource belongs.
Resource Region ID
ID of the region to which the cloud resource belongs.
Resource Type
Type of resource that triggered the alert (for example, EC2 instance or S3 bucket).
Severity
Severity of the alert: High, Medium, or Low.
User Attribution data
Data about the user who created or modified the resource and caused the alert.
For alert notifications to include user attribution data, you must
Populate User Attribution In Alerts Notifications
(
Settings
Enterprise Settings
). Including user attribution data may delay alert notifications because the information may not be available from the cloud provider when Prisma Cloud is ready to generate the alert.
If you want to send alert notifications to external integrations, Prisma Cloud provides an option to customize the alert payload for Email, Jira, ServiceNow, and Webhook integrations only. See Configure External Integrations on Prisma Cloud for more details.

Alert Payloads for Workload Vulnerabilities

Alert Payload Field
Description
metadata.cveCritical
Number of critical vulnerabilities found for a given alert.
metadata.cveHigh
Number of high vulnerabilities found for a given alert
metadata.cveLow
Number of low vulnerabilities found for a given alert
metadata.cveMedium
Number of medium vulnerabilities found for a given alert
metadata.source
Defender

Alert Payloads for Workload Incidents

Alert Payload Field
Description
metadata.auditCount
Total Count of alerts
metadata.auditMessage
Audit message defined in Compute for the specific runtime rule
metadata.auditRuleName
Name of the Audit rule defined in Compute
metadata.auditTime
Time when the event occured
metadata.auditType
Filesystem
metadata.auditUser
User name of the host, container. For example, ubuntu
metadata .cveCritical, cveHigh , cveLow , cveMedium
Not applicable
metadata .incidentCategory
Custom Rule , Processes , Network-outgoing , or Kubernetes-audit
metadata. incidentCountUri
URL to check the resource associated with this alert in Compute
metadata.incidentCustomRuleName
Incident custom rule name
metadata.lastIncidentTime
Last time when the incident occurred
metadata.source
Defender

Recommended For You