Alert Payload
Learn about the detailed information contained in the Prisma™ Cloud alert payload.
A Prisma™ Cloud alert payload is a JSON data object that contains detailed information about an alert, such as the cloud account, resource, compliance standard, and policy.
Alert Payload Field | Description |
Account Ancestors | The GCP cloud account ancestry owner information is available directly in the alert payload on the L2 page and also in the notification payload. |
Account ID | The ID of the cloud account where the violation that triggered the alert occurred. |
Account Name | Name of the cloud account where Prisma Cloud detected the policy violation. |
Alert ID | Identification number of the alert. |
Alert Rule Name | Name of the alert rule that triggered this alert. |
Callback URL | The URL for the alert in Prisma Cloud. |
Cloud Type | Type of cloud account: AWS, Azure, or GCP. |
Policy Description | Description of the policy as shown within Prisma Cloud. |
Policy ID | Universally unique identification (UUID) number of the policy. |
Policy Labels | Labels associated with the policy. |
Policy Name | Name of the policy. |
Policy Recommendation | Remediation recommendations for the policy. |
Saved Search UUID | Universally unique identification (UUID) number of the saved search. |
Remediation CLI | The CLI commands that you can use to resolve the policy violation. |
Compliance Standard name | Name of the compliance standard. |
Compliance Standard description | Description of the compliance standard. |
Compliance Metadata | Detailed information regarding a compliance standard. Includes the child nodes Standard Name , for instance "AWS Foundational Security Best Practices standard", and Requirement ID and Requirement Name . |
Requirement ID | Identification number of the requirement in the compliance standard. |
Requirement Name | Name of the requirement in the compliance standard. |
Section ID | Identification number of the section in the compliance standard. |
Section Description | Description of the section in the compliance standard. |
Compliance ID | ID number of the compliance standard. |
System Default | Indicates whether the compliance standard is Prisma Cloud System Default. |
Custom assigned | Indicates if the compliance standard is assigned to a policy. |
Resource Cloud Service | Cloud service provider of the resource that triggered the alert. |
Resource Data | The JSON data of the resource. |
Resource ID | ID of the resource that triggered the alert. |
Resource Name | Name of the resource that triggered the alert. |
Resource Region | Name of the cloud region to which the resource belongs. |
Resource Region ID | ID of the region to which the cloud resource belongs. |
Resource Type | Type of resource that triggered the alert (for example, EC2 instance or S3 bucket). |
Severity | Severity of the alert: High, Medium, or Low. |
User Attribution data | Data about the user who created or modified the resource and caused the alert. For alert notifications to include user attribution data, you must Populate User Attribution In Alerts Notifications ( ). Including user attribution data may delay alert notifications because the information may not be available from the cloud provider when Prisma Cloud is ready to generate the alert. |
If you want to send alert notifications to external integrations, Prisma Cloud provides an option to customize the alert payload for Email, Jira, ServiceNow, and Webhook integrations only. See Configure External Integrations on Prisma Cloud for more details.
Alert Payloads for Workload Vulnerabilities
Alert Payload Field | Description |
metadata.cveCritical | Number of critical vulnerabilities found for a given alert. |
metadata.cveHigh | Number of high vulnerabilities found for a given alert |
metadata.cveLow | Number of low vulnerabilities found for a given alert |
metadata.cveMedium | Number of medium vulnerabilities found for a given alert |
metadata.source | Defender |
Alert Payloads for Workload Incidents
Alert Payload Field | Description |
metadata.auditCount | Total Count of alerts |
metadata.auditMessage | Audit message defined in Compute for the specific runtime rule |
metadata.auditRuleName | Name of the Audit rule defined in Compute |
metadata.auditTime | Time when the event occured |
metadata.auditType | Filesystem |
metadata.auditUser | User name of the host, container. For example, ubuntu |
metadata .cveCritical, cveHigh , cveLow , cveMedium | Not applicable |
metadata .incidentCategory | Custom Rule , Processes , Network-outgoing , or Kubernetes-audit |
metadata. incidentCountUri | URL to check the resource associated with this alert in Compute |
metadata.incidentCustomRuleName | Incident custom rule name |
metadata.lastIncidentTime | Last time when the incident occurred |
metadata.source | Defender |
