Three new fields are unique to SNS and WebHook Integration notifications. These fields are used to identify why the alert ended and what alert is now in its place.
ended_reason
Explains why the alert ended. Possible values:
from_api
new_alert
from_scan
not_present_after_scan
signature_deleted
custom_signature_deleted
suppression_created
suppression_deactivated
custom_risk_level_created
custom_risk_level_deleted
replaced_by_id
ID of the new alert that replaced this alert
replaced_by_status
Status of the new alert that replaced this alert
Note: The above is written on 5/17/2017. It is subject to change.