Webhook Data Schema for Incidents
Strata Cloud Manager

Learn about the webhook data schema for incidents along with an example.
The following table shows the data model for incidents. Not all fields listed are applicable to all incident types.
| Field | Description |
| --- | --- |
| incident_id | Unique incident ID. |
| title | Title of the incident. |
| severity | Incident severity, such as High, Medium, Low, Critical, Warning, and Informational. |
| status | Incident status. Valid values are Raised, Cleared, RaisedChild, and ClearPending. |
| raised_time | Time the incident was raised in the UTC format. |
| updated_time | Time the incident was updated in the UTC format. |
| tenant_service_group | Tenant Service Group (TSG). |
| sub_tenant_name | Subtenant name. |
| code | Unique code. It is in a flat namespace; for example, INC_CIE_AGENT_DISCONNECT. |
| category | Category, such as RN (remote networks) or SC (service connection). |
| sub_category | Subcategory |
| details_link | URL link to the incident details page in Strata Cloud Manager. |
| primary_impacted_objects | Primary impacted entity or entities associated with the incident. Each object contains key-value pairs identifying the impacted resource. |
| related_objects | Additional impacted entities related to the incident. Provides supplementary context beyond the primary impacted objects. |
| description | Description of the incident. |
| priority | Priority of the incident. |
| product | Product associated with the incident, such as NGFW, Prisma Access, or Posture. |
| clear_reason | Reason for clearing the incident. |
| resource_keys | These keys identify a unique resource. These fields vary depending on the incident code. |
| correlated_alerts | Alerts related to the incident. Each alert contains the alert_id, severity, state, title, updated_time, code, and resource_keys. |
| parent_incidents | Parent incidents associated with the current incident. Each object contains the incident_id, status, title, updated_time, raised_time, code, and resource_keys of the parent incidents. |
| child_incidents | Child incidents associated with the current incident. Each object contains the incident_id, status, title, updated_time, raised_time, code, and resource_keys of the child incidents. |
| tenant_id | Tenant ID. |
| sub_tenant_id | Subtenant ID. |
| version | Payload version identifier. It will always be V2 for incidents. |
| cleared_time | Time the incident was cleared in the UTC format. |

Incident Webhook Example

```json
{
  "kind": "incident",
  "data": {
    "version": "2.0",
    "incident_id": "test_incident_id",
    "title": "Test Webhook",
    "severity": "test_severity",
    "status": "test_status",
    "raised_time": "2026-04-20 12:34:56.123456 UTC",
    "updated_time": "2026-04-20 12:34:56.123456 UTC",
    "tenant_service_group": "test_tenant_service_group",
    "sub_tenant_name": "test_sub_tenant_name",
    "category": "test_category",
    "sub_category": "test_sub_category",
    "code": "test_code",
    "details_link": "test_details_link",
    "primary_impacted_objects": "test_key1=test_value1, test_key2=test_value2",
    "related_objects": "test_key1=test_value1, test_key2=test_value2",
    "description": "test_description",
    "priority": "test_priority",
    "product": "test_product",
    "clear_reason": "test_clear_reason",
    "resource_keys": {
      "test_key1": "test_value1",
      "test_key2": "test_value2"
    },
    "correlated_alerts": [
      {
        "alert_id": "test_alert_id",
        "severity": "test_severity",
        "state": "test_state",
        "title": "test_title",
        "updated_time": "2026-04-20 12:34:56.123456 UTC",
        "code": "test_code",
        "resource_keys": {
          "test_key1": "test_value1",
          "test_key2": "test_value2"
        },
        "resource_context": "test_resource_context"
      }
    ],
    "parent_incidents": [
      {
        "incident_id": "test_incident_id",
        "status": "test_status",
        "title": "test_title",
        "updated_time": "2026-04-20 12:34:56.123456 UTC",
        "raised_time": "2026-04-20 12:34:56.123456 UTC",
        "code": "test_code",
        "resource_keys": {
          "test_key1": "test_value1",
          "test_key2": "test_value2"
        }
      }
    ],
    "child_incidents": [
      {
        "incident_id": "test_incident_id",
        "status": "test_status",
        "title": "test_title",
        "updated_time": "2026-04-20 12:34:56.123456 UTC",
        "raised_time": "2026-04-20 12:34:56.123456 UTC",
        "code": "test_code",
        "resource_keys": {
          "test_key1": "test_value1",
          "test_key2": "test_value2"
        }
      }
    ],
    "tenant_id": "test_tenant_id",
    "sub_tenant_id": "test_sub_tenant_id",
    "cleared_time": "2026-04-20 12:34:56.123456 UTC"
  }
}
```
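
A receiver should treat the webhook body as untrusted input and check it against this schema before passing it to ticketing or automation. The Python below is an added example, not Palo Alto Networks code; the timestamp layout and the key=value string shape are assumptions inferred from the example payload, and the function names and sample values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Valid status values listed in the field table on this page.
VALID_STATUS = {"Raised", "Cleared", "RaisedChild", "ClearPending"}
TIME_FIELDS = ("raised_time", "updated_time", "cleared_time")
# Assumption: timestamp layout inferred from the example payload.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f UTC"

def parse_kv(text):
    """Split 'k1=v1, k2=v2' (shape of primary_impacted_objects in the example)."""
    pairs = (item.partition("=") for item in text.split(","))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and k.strip()}

def normalize_incident(raw_body):
    """Return (incident, problems); incident is None if the body is unusable."""
    try:
        envelope = json.loads(raw_body)
    except (ValueError, TypeError):
        return None, ["body is not valid JSON"]
    if not isinstance(envelope, dict) or envelope.get("kind") != "incident":
        return None, ["kind is not 'incident'"]
    data = envelope.get("data")
    if not isinstance(data, dict) or not isinstance(data.get("incident_id"), str):
        return None, ["data.incident_id is missing or not a string"]
    incident = {"incident_id": data["incident_id"], "status": data.get("status")}
    problems = []
    if not isinstance(incident["status"], str) or incident["status"] not in VALID_STATUS:
        problems.append(f"unexpected status: {incident['status']!r}")
    for field in TIME_FIELDS:  # optional: not every field applies to every incident
        if field in data:
            try:
                parsed = datetime.strptime(data[field], TIME_FORMAT)
                incident[field] = parsed.replace(tzinfo=timezone.utc)
            except (ValueError, TypeError):
                problems.append(f"unparseable {field}")
    for field in ("primary_impacted_objects", "related_objects"):
        if isinstance(data.get(field), str):
            incident[field] = parse_kv(data[field])
    return incident, problems

# Constructed sample body; only the code value appears on this page.
SAMPLE = json.dumps({"kind": "incident", "data": {
    "version": "2.0", "incident_id": "inc-0001", "status": "Raised",
    "code": "INC_CIE_AGENT_DISCONNECT",
    "raised_time": "2026-04-20 12:34:56.123456 UTC",
    "primary_impacted_objects": "site=branch-01, tunnel=t1"}})

if __name__ == "__main__":
    print(normalize_incident(SAMPLE))
```

The test payload shown above uses placeholder values such as test_status, so this check reports it as an unexpected status rather than accepting it.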