Palo Alto Networks
Palo Alto Networks is a global cybersecurity leader providing advanced security platforms and services across network security, cloud security, and security operations. Its developer platform at pan.dev offers REST and XML APIs for PAN-OS firewalls, Strata Cloud Manager, Prisma Cloud (CSPM, CWPP, co
20 channels across 5 AsyncAPI specs
Channels
- Channel for platform announcement notifications. Delivered when Palo Alto Networks publishes service announcements including scheduled maintenance windows, feature releases, deprecation notices, and s… · SASE Multitenant Notifications
- Channel for certificate expiration warning notifications. Triggered when TLS/SSL certificates used by SASE service connections, GlobalProtect portals, or custom domains are approaching their expiratio… · SASE Multitenant Notifications
- Channel for dataplane upgrade notifications. Triggered when a SASE dataplane upgrade is scheduled, in progress, or completed for a specific region. Notifications include the current and target softwar… · SASE Multitenant Notifications
- Channel for security incident notifications. Triggered when SASE detects a security incident such as a policy breach, threat detection, or anomalous activity within a tenant's network perimeter. Incid… · SASE Multitenant Notifications
- Triggered when a new alert is generated by Cortex XDR analytics engines, BIOC (Behavioral Indicator of Compromise) rules, IOC matches, endpoint agents, or third-party integrated data sources. Alerts r… · Cortex XDR Webhooks
- Triggered when Prisma Cloud generates a new alert due to a policy violation detected during a cloud resource scan. The alert payload contains full context about the violated policy, the affected cloud… · Prisma Cloud CSPM Webhooks
- Triggered when a Prisma Cloud alert is manually dismissed by a user or suppressed by a configured snooze or suppression rule. · Prisma Cloud CSPM Webhooks
- Triggered when a Prisma Cloud alert is automatically resolved because the underlying cloud resource configuration has been brought back into compliance with the policy. · Prisma Cloud CSPM Webhooks
- Triggered when an existing Prisma Cloud alert is updated, typically when the underlying resource configuration changes after the initial policy violation was detected, causing a re-evaluation. · Prisma Cloud CSPM Webhooks
- Event channel for structured event data ingestion. Pre-parsed events with normalized field mappings are submitted directly to the XSIAM data lake, bypassing the raw log parsing pipeline. Each event mu… · Cortex XSIAM Data Ingestion
- Triggered when a new incident is created in Cortex XDR. Incidents are automatically created by correlating one or more related alerts that share common attributes such as affected endpoints, users, or… · Cortex XDR Webhooks
- Triggered when an incident's severity level is elevated or reduced, either automatically due to new correlated alerts or manually by an analyst overriding the calculated severity. · Cortex XDR Webhooks
- Triggered when an existing incident's investigation status changes. Status transitions include moving from new to under_investigation, or from under_investigation to any resolved state. This event ena… · Cortex XDR Webhooks
- Channel for forwarded authentication logs. Authentication logs record user authentication events processed by the firewall's Authentication Policy, including SAML assertions, Kerberos ticket validatio… · Strata Logging Service Log Forwarding
- Channel for forwarded threat logs. Threat logs record security events detected by the firewall's threat prevention engines including antivirus, anti-spyware, vulnerability protection, DNS security, an… · Strata Logging Service Log Forwarding
- Channel for forwarded traffic logs. Traffic logs record the start and end of every network session passing through the firewall, including source and destination addresses, ports, protocols, applicati… · Strata Logging Service Log Forwarding
- Channel for forwarded URL filtering logs. URL filtering logs record web access events evaluated by the URL Filtering security profile. Each entry includes the requested URL, URL category, action taken… · Strata Logging Service Log Forwarding
- Channel for forwarded WildFire submission logs. WildFire logs record file analysis results from the WildFire cloud-based sandbox analysis service. Each entry includes the file name, type, SHA-256 hash… · Strata Logging Service Log Forwarding
- Event channel for raw log data ingestion. Logs are submitted to the XSIAM HTTP collector endpoint as structured JSON batches. Each log entry must include dataset, vendor, product, log_type, and raw_lo… · Cortex XSIAM Data Ingestion
- Event channel for XDR data forwarding from integrated Palo Alto Networks products including PAN-OS firewalls, Prisma Access, Cortex XDR agents, and other Strata products. Forwarded XDR data is automat… · Cortex XSIAM Data Ingestion