>
    Strata Copilot
    Webhook Data Schema for Incidents
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. NGFW Health and Software Management
    4. Create Notification Profiles for Incidents
    5. Webhook Data Schema for Incidents
    Download PDF
    Strata Cloud Manager

    Webhook Data Schema for Incidents

    Table of Contents

    Webhook Data Schema for Incidents

    Learn about the webhook data schema for incidents along with an example.
    Where Can I Use This?What Do I Need?
    The following table shows the data model for incidents. Not all fields listed are applicable to all incident types.
    RuleDescription
    #kind
    Incident.
    #incident_id
    Unique incident ID.
    title
    Incident description to be used for display purposes only.
    #severity
    Incident severity, such as High, Medium, or Low.
    #status
    Incident status. Valid values are Raised, Cleared, RaisedChild, and ClearPending
    #clear_reason
    Reason the incident is cleared. Valid values are Auto, Manual, and No Data Timeout
    #code
    Unique code. It is in a flat namespace; for example, INC_CIE_AGENT_DISCONNECT.
    #category
    Category, such as RN (remote networks) or SC (service connection).
    #sub_category
    Subcategory.
    #tenant_id
    Tenant ID.
    #sub_tenant_id
    Subtenant ID.
    #sub_tenant_name
    Subtenant name.
    #resource_keys
    These keys identify an unique resource. These fields vary depending on the incident code.
    #resource_data
    Resource data fields vary depending on the code state, whether Up or Down.
    #version
    Incident model version.
    #raised_time
    Time the incident was raised.
    #updated_time
    Time the incident was updated.
    #cleared_time
    Time the incident was cleared.

    Incident Webhook Example

    {
  "kind": "incident",
  "data": {
    "incident_id": "", #UUID to uniquely identify an incident. Unique across all the incidents generated by Cosmos
	"event_type":"", INC_CREATED, INC_CLEARED, INC_AL_ASSOCIATE, INC_HAS_PARENT
    "title": "", #Incident description. Should be used for only display purposes
    "severity":  "", #Valid values High/Medium/Low
    "status": "", #Valid values are Raised/Cleared/RaisedChild/ClearPending
    "clear_reason": "", #Valid values are Auto/Manual/No Data Timeout
    "code": "", #Unique code across incidents. It is in a flat namespace (ex: AL_SC_PRIMARY_TUNNEL_DOWN, etc)
    "category": "", #category (Example: RN, SC, etc)
    "sub_category": "", #sub category
    "tenant_id": "",
    "sub_tenant_id": "",
    "sub_tenant_name": "",
    "resource_keys": { # json string These keys identify an unique resource. These fields vary depending on the alert code
      "tenant_id": "",
      "sub_tenant_id": "",
      "tunnel_name": "SanJoseTunnel",
      "node_type": "51",
      "site_name": "SanJose",
	  "bgp_peer_name": "",
    },
    "resource_data": { # json string These fields vary depending on the incident code
        "state": "Down"
    },
	"correlated_alerts" : {
	[{"alert_id":"", "state":"", "updated_time":"", "message":""}],
	},
	"parent_incidents" : {
	[{"incident_id":""}],
	},
 	"child_incidents" : {
	[{"incident_id":""}],
	},
    "version": "1.0", #incident model version. It will be 1.0
    "raised_time": "2021-07-02 23:12:13 UTC",
    "updated_time": "2021-07-03 23:12:13 UTC",
    "cleared_time": "2021-07-03 23:12:13 UTC"  
  }
}

    © 2026 Palo Alto Networks, Inc. All rights reserved.