Prisma Cloud - Webhook Custom Payload JSON - Custom fields not being displayed

Created On 05/11/23 21:27 PM - Last Modified 02/10/25 22:00 PM


Symptom


  • The customer has set up a Webhooks integration with a custom payload, but the custom fields are not displayed in the webhook payload that is delivered.
    • Custom fields are currently only supported for 'Config' alerts. Any other alert type requires a manual Custom Payload template, which the customer must create and provide on the support case.
    • This manual template is then submitted to Engineering to be added to the customer's tenant.


Environment


  • Prisma Cloud
    • Webhook Integration
      • Custom Templates
        • Dashboard > Settings > Integrations > Add Integration button > Webhooks > Custom Payload set to Enabled > Click Next
(Screenshot: Add Webhook Integration screen, with Custom Payload set to Enabled.)
  • The Custom Payload can be edited on this screen. See the example with "custom field" on row 42 of the screenshot.
(Screenshot: the custom payload is defined here and is fully editable.)


Cause


  • Currently, custom fields entered in Prisma Cloud are only supported with the Config alert type. They are not supported with any other alert type at this time.
    • Although the customer can edit the Custom Payload template in Prisma Cloud, that edit is only applied to Config alerts. For any other alert type, a manual request needs to be submitted as an RFE.


Resolution


Below is a step-by-step process for submitting the template:
  1. The customer opens a support case and requests that Engineering manually add the template. The case must include the information listed below.
Required information:
  • Policy types that require the Webhooks custom payload template.
    • List each type individually; do not write 'All'.
      • Examples:
        • Anomaly
        • Attack Path
        • Audit Event
        • Config
        • Data
        • IAM
        • Network
        • Workload Incident
        • Workload Vulnerability
  • Custom payload templates
    • If the customer uses a single template for every policy type, they can provide just that one.
    • If they have multiple templates, the customer should state which policy type(s) each template is to be applied to.
  • Webhook integration names
    • The Webhook integration must already exist in the UI for the templates to be applied to it.
Example of a custom payload template with a custom field ("[custom field]" at the bottom) in JSON format:
[{
    "resourceId": "${ResourceId}",
    "alertRuleName": "${AlertRuleName}",
    "anomaly": ${Anomaly},
    "accountName": "${AccountName}",
    "hasFinding": ${HasFinding},
    "resourceRegionId": "${ResourceRegionId}",
    "alertRemediationCli": "${RemediationCli}",
    "alertRemediationCliDescription": "${PolicyRemediationCliDesc}",
    "alertRemediationImpact": "${PolicyRemediationImpact}",
    "source": "Prisma Cloud",
    "cloudType": "${CloudType}",
    "complianceMetadata": ${ComplianceMetadata},
    "callbackUrl": "${CallbackUrl}",
    "alertId": "${AlertId}",
    "policyLabels": ${PolicyLabels},
    "alertAttribution": ${UserAttributionData},
    "severity": "${Severity}",
    "policyName": "${PolicyName}",
    "resource": ${ResourceData},
    "resourceName": "${ResourceName}",
    "resourceRegion": "${ResourceRegion}",
    "policyDescription": "${PolicyDescription}",
    "policyRecommendation": "${PolicyRecommendation}",
    "accountId": "${AccountId}",
    "policyId": "${PolicyId}",
    "resourceCloudService": "${ResourceCloudService}",
    "alertTs": ${AlertTime},
    "firstSeen": ${FirstSeen},
    "lastSeen": ${LastSeen},
    "resourceType": "${ResourceType}",
    "additionalInfo": ${AdditionalInfo},
    "reason": "${Reason}",
    "alertStatus": "${Status}",
    "alertDismissalNote": "${AlertDismissalNote}",
    "alertRuleId": "${AlertRuleId}",
    "tags": ${ResourceTags},
    "findingSummary": ${FindingSummary},
    "policyType": "${PolicyType}",
    "accountOwners": "${AccountOwners}",
    "accountAncestors": "${AccountAncestors}",
    "[custom field]": "$[insert custom data]"
}]
Notes on the template fields (the annotations that were inline in the original template, moved here so the template itself stays valid):
  • The fields from "resourceId" through "resourceCloudService" were annotated 'check'. Of these, "alertRemediationCli", "alertRemediationCliDescription", "alertRemediationImpact", "complianceMetadata" and "alertAttribution" were annotated 'check/blank', meaning the value may be empty depending on the alert. The fields from "alertTs" onward carried no annotation.
  • "resource" (${ResourceData}) duplicates some of the individual resource fields that follow it.
  • Placeholders for string values are enclosed in double quotes. Placeholders for objects, arrays, booleans and numbers (for example ${Anomaly}, ${HasFinding}, ${PolicyLabels}, ${ResourceTags}, ${AlertTime}) are left unquoted so the substituted JSON value is inserted as-is; quoting them would turn the value into a string.




Additional Information


  • The above information is required for the Engineering team to manually apply the Custom Template to the customer's tenant.
  • Each policy type requires a separate custom payload, and each alert type must then be tested to ensure the template is compatible with the data returned in that type of alert.
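The testing step above (and the template shown in the Resolution section) can be rehearsed offline before a template goes on a support case. The following script is an added example, not Prisma Cloud code and not the article's own: it renders a reduced copy of the article's template against a constructed sample alert, parses the result to prove it is valid JSON, and reports which expected keys are missing or empty. The substitution rules it applies (a quoted ${Var} becomes a JSON string, a bare ${Var} becomes a JSON literal, and "$[name]" is filled from a separate custom-field mapping) are assumptions modelled on the template's layout, and the alert values are invented.

```python
"""Render a webhook custom payload template against a sample alert and check
the result. Added example; the rendering rules are assumptions based on the
template in the article, and all alert values below are constructed."""
import json
import re

# Reduced copy of the article's template: string placeholders are quoted,
# object/array/boolean/number placeholders are bare, custom field at the end.
TEMPLATE = """[{
    "resourceId": "${ResourceId}",
    "alertRuleName": "${AlertRuleName}",
    "anomaly": ${Anomaly},
    "hasFinding": ${HasFinding},
    "source": "Prisma Cloud",
    "alertId": "${AlertId}",
    "policyLabels": ${PolicyLabels},
    "severity": "${Severity}",
    "alertTs": ${AlertTime},
    "policyType": "${PolicyType}",
    "tags": ${ResourceTags},
    "[custom field]": "$[insert custom data]"
}]"""

# Constructed sample alert (illustrative values only). The rule name contains
# double quotes on purpose: naive string substitution would break the JSON.
SAMPLE_ALERT = {
    "ResourceId": "i-0123456789abcdef0",
    "AlertRuleName": 'Prod "critical" alerts',
    "Anomaly": None,            # not populated for this alert type
    "HasFinding": False,
    "AlertId": "P-1234567",
    "PolicyLabels": ["CIS"],
    "Severity": "high",
    "AlertTime": 1683840000000,
    "PolicyType": "config",
    "ResourceTags": {"env": "prod"},
}

# Quoted form is tried first so "${X}" is consumed with its quotes.
PLACEHOLDER = re.compile(r'"\$\{(\w+)\}"|\$\{(\w+)\}')
CUSTOM = re.compile(r'"\$\[([^\]]+)\]"')


def render(template: str, alert: dict, custom: dict) -> str:
    """Substitute ${Var} and "$[name]" placeholders; returns the rendered text."""
    def sub(m):
        quoted, bare = m.group(1), m.group(2)
        value = alert.get(quoted or bare)
        if quoted:
            # Quoted placeholder: always emit a JSON string (escapes quotes).
            return json.dumps("" if value is None else str(value))
        # Bare placeholder: emit the value as a JSON literal (null/false/[...]).
        return json.dumps(value)

    out = PLACEHOLDER.sub(sub, template)
    # Custom field values come from the separate mapping and are JSON-escaped.
    return CUSTOM.sub(lambda m: json.dumps(str(custom.get(m.group(1), ""))), out)


def validate(rendered: str, required: tuple) -> dict:
    """Parse the rendered payload (raises ValueError if the template produced
    invalid JSON) and report required keys that are missing or empty."""
    event = json.loads(rendered)[0]
    missing = [k for k in required if k not in event]
    empty = [k for k in required if k in event and event[k] in ("", None, [], {})]
    return {"event": event, "missing": missing, "empty": empty}


if __name__ == "__main__":
    rendered = render(TEMPLATE, SAMPLE_ALERT, {"insert custom data": "team-platform"})
    report = validate(rendered, ("alertId", "severity", "[custom field]", "anomaly"))
    print(rendered)
    print("missing:", report["missing"], "empty:", report["empty"])
```

Running the script with the constructed alert renders valid JSON, shows the custom field populated, and lists "anomaly" as empty because the sample alert has no anomaly data, which is exactly the kind of per-alert-type mismatch the testing step is meant to surface. Repeating the run with a sample alert for each policy type on the case shows which template fields will come back empty for that type.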

