Email DLP API

A REST API for programmatically reviewing and managing Email DLP incidents detected across enterprise email channels. The API supports retrieving incident details, updating verdicts on flagged emails, and managing remediation workflows for data loss prevention violations in email traffic. Uses region-specific endpoints and requires SOC_Admin, Superuser, or Data Security Administrator roles for access.

OpenAPI Specification

palo-alto-email-dlp-api-openapi-original.yml
openapi: 3.1.0
info:
  title: Palo Alto Networks Email DLP API
  description: >-
    REST API for managing email-specific Data Loss Prevention (DLP)
    incidents through Palo Alto Networks cloud-delivered security
    services. Provides detection, investigation, and verdict management
    for sensitive data found in email messages and attachments. Enables
    security teams to review email DLP violations, update verdicts to
    allow or block message delivery, and retrieve detailed incident
    context including sender, recipient, and data pattern match
    information. Requires an active Enterprise DLP subscription with
    email channel monitoring enabled. Requires SOC_Admin, Superuser,
    or Data_Security_Admin role for access.
  version: '1.0'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
- url: https://api.{region}.dlp.paloaltonetworks.com/v1
  description: Email DLP API production server.
  variables:
    region:
      description: >-
        Deployment region for the Email DLP service. Choose the
        region matching your tenant data residency.
      default: us
      enum:
      - us
      - eu
      - in
      - apac
      - uk
      - jp
      - au
security:
- bearerAuth: []
tags:
- name: Attachments
  description: Email attachment retrieval operations.
- name: Incidents
  description: Email DLP incident management operations.
- name: Recipients
  description: Email recipient retrieval operations.
paths:
  /email-incidents:
    get:
      operationId: listEmailIncidents
      summary: Palo Alto Networks List Email Incidents
      description: >-
        Returns a paginated list of email DLP incidents where sensitive
        data was detected in email messages or attachments. Supports
        filtering by status, time range, and pagination. Each incident
        represents a single email message that triggered one or more
        data pattern matches.
      tags:
      - Incidents
      parameters:
      - name: offset
        in: query
        description: Pagination offset.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of incidents to return.
        schema:
          type: integer
          default: 100
          maximum: 500
        example: 100
      - name: status
        in: query
        description: Filter incidents by current status.
        schema:
          type: string
          enum:
          - pending
          - allowed
          - blocked
          - quarantined
        example: pending
      - name: start_time
        in: query
        description: Start of time range filter (ISO 8601 format).
        schema:
          type: string
          format: date-time
        example: '2025-03-04T07:46:01Z'
      - name: end_time
        in: query
        description: End of time range filter (ISO 8601 format).
        schema:
          type: string
          format: date-time
        example: '2025-03-04T13:33:45Z'  # later than the start_time example so the range is valid
      responses:
        '200':
          description: Email DLP incidents returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  total:
                    type: integer
                    description: Total number of incidents matching the query.
                  offset:
                    type: integer
                  limit:
                    type: integer
                  incidents:
                    type: array
                    items:
                      $ref: '#/components/schemas/EmailDLPIncident'
              examples:
                ListEmailIncidents200Example:
                  summary: Default listEmailIncidents 200 response
                  x-microcks-default: true
                  value:
                    total: 952
                    offset: 886
                    limit: 211
                    incidents:
                    - id: example-id
                      sender: example-sender
                      subject: example-subject
                      status: quarantined
                      severity: high
                      data_patterns: &id001
                      - id: example-id
                        name: Corporate Gateway 08
                        category: advanced
                        match_count: 213
                      - id: example-id
                        name: Branch Firewall 50
                        category: custom
                        match_count: 866
                      match_count: 977
                      timestamp: '2026-05-12T04:25:43Z'
                      has_attachments: true
                      attachment_count: 524
                      direction: inbound
                      action_taken: block
                      reviewed_by: example-reviewed_by
                      reviewed_at: '2026-08-04T23:58:33Z'
                      comment: Alert investigation configured detected investigation network network threat.
                    - id: example-id
                      sender: example-sender
                      subject: example-subject
                      status: quarantined
                      severity: high
                      data_patterns: *id001
                      match_count: 977
                      timestamp: '2026-05-12T04:25:43Z'
                      has_attachments: true
                      attachment_count: 524
                      direction: inbound
                      action_taken: block
                      reviewed_by: example-reviewed_by
                      reviewed_at: '2026-08-04T23:58:33Z'
                      comment: Alert investigation configured detected investigation network network threat.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /email-incidents/{id}:
    get:
      operationId: getEmailIncident
      summary: Palo Alto Networks Get Email Incident Details
      description: >-
        Returns detailed information for a specific email DLP incident
        including sender, recipients, subject, verdict, and data pattern
        matches. Provides full incident context for investigation and
        triage.
      tags:
      - Incidents
      parameters:
      - name: id
        in: path
        required: true
        description: Unique incident identifier.
        schema:
          type: string
        example: example-id
      responses:
        '200':
          description: Email DLP incident returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EmailDLPIncident'
              examples:
                GetEmailIncident200Example:
                  summary: Default getEmailIncident 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    sender: example-sender
                    subject: example-subject
                    status: quarantined
                    severity: high
                    data_patterns: *id001
                    match_count: 977
                    timestamp: '2026-05-12T04:25:43Z'
                    has_attachments: true
                    attachment_count: 524
                    direction: inbound
                    action_taken: block
                    reviewed_by: example-reviewed_by
                    reviewed_at: '2026-08-04T23:58:33Z'
                    comment: Alert investigation configured detected investigation network network threat.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /email-incidents/{id}/verdict:
    put:
      operationId: updateEmailIncidentVerdict
      summary: Palo Alto Networks Update Email Incident Verdict
      description: >-
        Updates the verdict for a specific email DLP incident. Allows
        security analysts to override the automated verdict by approving
        blocked messages (allow) or blocking previously allowed messages
        (block). Supports adding a comment to document the decision.
      tags:
      - Incidents
      parameters:
      - name: id
        in: path
        required: true
        description: Unique incident identifier.
        schema:
          type: string
        example: example-id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
              - verdict
              properties:
                verdict:
                  type: string
                  enum:
                  - allow
                  - block
                  description: >-
                    New verdict for the email message. Setting to allow
                    releases a quarantined or blocked message for delivery.
                    Setting to block prevents delivery of a pending message.
                comment:
                  type: string
                  description: Comment explaining the verdict decision.
            examples:
              UpdateEmailIncidentVerdictRequestExample:
                summary: Default updateEmailIncidentVerdict request
                x-microcks-default: true
                value:
                  verdict: allow
                  comment: Firewall suspicious endpoint alert policy traffic.
      responses:
        '200':
          description: Verdict updated successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  success:
                    type: boolean
                    description: Whether the update was successful.
                  incident:
                    $ref: '#/components/schemas/EmailDLPIncident'
              examples:
                UpdateEmailIncidentVerdict200Example:
                  summary: Default updateEmailIncidentVerdict 200 response
                  x-microcks-default: true
                  value:
                    success: true
                    incident:
                      id: example-id
                      sender: example-sender
                      subject: example-subject
                      status: quarantined
                      severity: high
                      data_patterns: *id001
                      match_count: 977
                      timestamp: '2026-05-12T04:25:43Z'
                      has_attachments: true
                      attachment_count: 524
                      direction: inbound
                      action_taken: block
                      reviewed_by: example-reviewed_by
                      reviewed_at: '2026-08-04T23:58:33Z'
                      comment: Alert investigation configured detected investigation network network threat.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /email-incidents/{id}/attachments:
    get:
      operationId: getEmailIncidentAttachments
      summary: Palo Alto Networks Get Email Incident Attachments
      description: >-
        Returns metadata for all attachments associated with a specific
        email DLP incident. Includes attachment filename, content type,
        size, and data pattern match information for each attachment that
        contributed to the incident.
      tags:
      - Attachments
      parameters:
      - name: id
        in: path
        required: true
        description: Unique incident identifier.
        schema:
          type: string
        example: example-id
      responses:
        '200':
          description: Email attachments returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  incident_id:
                    type: string
                    description: Identifier of the parent incident.
                  attachments:
                    type: array
                    items:
                      $ref: '#/components/schemas/EmailAttachment'
              examples:
                GetEmailIncidentAttachments200Example:
                  summary: Default getEmailIncidentAttachments 200 response
                  x-microcks-default: true
                  value:
                    incident_id: '290598'
                    attachments:
                    - filename: Corporate Policy 38
                      content_type: application/pdf  # constructed MIME type; the field is a MIME content type
                      size: 438
                      has_matches: true
                      match_count: 158
                      patterns_matched: &id002
                      - example-patterns_matched_item
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /email-incidents/{id}/recipients:
    get:
      operationId: getEmailIncidentRecipients
      summary: Palo Alto Networks Get Email Incident Recipients
      description: >-
        Returns the list of recipients for the email message associated
        with a specific DLP incident. Includes To, CC, and BCC
        recipients along with their delivery status.
      tags:
      - Recipients
      parameters:
      - name: id
        in: path
        required: true
        description: Unique incident identifier.
        schema:
          type: string
        example: example-id
      responses:
        '200':
          description: Email recipients returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  incident_id:
                    type: string
                    description: Identifier of the parent incident.
                  recipients:
                    type: array
                    items:
                      $ref: '#/components/schemas/EmailRecipient'
              examples:
                GetEmailIncidentRecipients200Example:
                  summary: Default getEmailIncidentRecipients 200 response
                  x-microcks-default: true
                  value:
                    incident_id: '965151'
                    recipients:
                    - email: recipient1@example.com  # placeholder; original address obscured in extraction
                      type: cc
                      delivery_status: pending
                    - email: recipient2@example.com  # placeholder
                      type: cc
                      delivery_status: pending
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Bearer token for authentication. Requires SOC_Admin, Superuser,
        or Data_Security_Admin role assigned in the Palo Alto Networks
        tenant.
  responses:
    BadRequest:
      description: Invalid request parameters or body.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: Invalid or expired bearer token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: Insufficient role permissions for this operation.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: The requested resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: Internal server error.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  schemas:
    EmailDLPIncident:
      type: object
      properties:
        id:
          type: string
          description: Unique incident identifier.
          example: example-id
        sender:
          type: string
          description: Email address of the message sender.
          example: example-sender
        subject:
          type: string
          description: Email message subject line.
          example: example-subject
        status:
          type: string
          enum:
          - pending
          - allowed
          - blocked
          - quarantined
          description: Current status or verdict for the email message.
          example: quarantined
        severity:
          type: string
          enum:
          - critical
          - high
          - medium
          - low
          - informational
          description: Incident severity based on data pattern sensitivity.
          example: high
        data_patterns:
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                example: example-id
              name:
                type: string
                example: Primary Agent 95
              category:
                type: string
                example: advanced
              match_count:
                type: integer
                example: 353
          description: Data patterns that matched in the email content.
          example: *id001
        match_count:
          type: integer
          description: Total number of data pattern matches across all patterns.
          example: 977
        timestamp:
          type: string
          format: date-time
          description: Timestamp when the incident was detected.
          example: '2026-05-12T04:25:43Z'
        has_attachments:
          type: boolean
          description: Whether the email contained attachments.
          example: true
        attachment_count:
          type: integer
          description: Number of attachments in the email.
          example: 524
        direction:
          type: string
          enum:
          - inbound
          - outbound
          - internal
          description: Direction of the email message.
          example: inbound
        action_taken:
          type: string
          enum:
          - alert
          - block
          - quarantine
          description: Automated action taken on the message.
          example: block
        reviewed_by:
          type: string
          description: Email address of the analyst who reviewed the incident.
          example: example-reviewed_by
        reviewed_at:
          type: string
          format: date-time
          description: Timestamp when the incident was last reviewed.
          example: '2026-08-04T23:58:33Z'
        comment:
          type: string
          description: Comment added during verdict review.
          example: Alert investigation configured detected investigation network network threat.
    EmailAttachment:
      type: object
      properties:
        filename:
          type: string
          description: Attachment filename.
          example: Corporate Policy 38
        content_type:
          type: string
          description: MIME content type of the attachment.
          example: application/pdf
        size:
          type: integer
          description: Attachment size in bytes.
          example: 438
        has_matches:
          type: boolean
          description: Whether the attachment contained data pattern matches.
          example: true
        match_count:
          type: integer
          description: Number of data pattern matches in the attachment.
          example: 158
        patterns_matched:
          type: array
          items:
            type: string
          description: Names of data patterns that matched in the attachment.
          example: *id002
    EmailRecipient:
      type: object
      properties:
        email:
          type: string
          description: Recipient email address.
          example: recipient@example.com
        type:
          type: string
          enum:
          - to
          - cc
          - bcc
          description: Recipient type indicating address field.
          example: cc
        delivery_status:
          type: string
          enum:
          - delivered
          - blocked
          - quarantined
          - pending
          description: Delivery status of the message to this recipient.
          example: pending
    ErrorResponse:
      type: object
      properties:
        error:
          type: string
          description: Error code or type.
          example: example-error
        message:
          type: string
          description: Human-readable error message.
          example: Policy network malware on detected configured on incident blocked violation.
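A minimal Python triage client for the endpoints above, added here as an example and not Palo Alto Networks code: it builds the region-specific base URL from the server enum, walks /email-incidents with the total/offset/limit fields, validates the verdict enum before the PUT, and treats a 200 carrying `success: false` as a failed update. The HTTP transport is injectable; `fake_transport`, `TOKEN` and `PENDING` are constructed stand-ins for the real service so the block runs offline.

```python
from typing import Callable, Dict, Iterator, Optional
from urllib.parse import quote

REGIONS = {"us", "eu", "in", "apac", "uk", "jp", "au"}  # server `region` enum in the spec
VERDICTS = {"allow", "block"}                           # verdict enum in the spec
MAX_LIMIT = 500                                         # `limit` maximum in the spec

class EmailDLPClient:
    def __init__(self, region: str, token: str, transport: Callable):
        if region not in REGIONS:  # refuse to build a URL for an unlisted region
            raise ValueError(f"unsupported region {region!r}")
        self.base = f"https://api.{region}.dlp.paloaltonetworks.com/v1"
        self.headers = {"Authorization": f"Bearer {token}"}  # bearerAuth scheme
        self.transport = transport  # transport(method, url, headers, query, body) -> (status, json)

    def _call(self, method: str, path: str, query=None, body=None) -> Dict:
        status, data = self.transport(method, self.base + path, self.headers, query or {}, body)
        if status != 200:  # 400/401/403/404/500 all carry the ErrorResponse envelope
            raise RuntimeError(f"{method} {path}: HTTP {status} {data.get('error')}: {data.get('message')}")
        return data

    def iter_incidents(self, status: Optional[str] = None, limit: int = 100) -> Iterator[Dict]:
        """Walk /email-incidents page by page using the total/offset/limit fields."""
        limit, offset = max(1, min(limit, MAX_LIMIT)), 0
        while True:
            query = {"offset": offset, "limit": limit}
            if status is not None:
                query["status"] = status
            page = self._call("GET", "/email-incidents", query)
            yield from page["incidents"]
            offset += limit
            if not page["incidents"] or offset >= page["total"]:  # last page reached
                return

    def update_verdict(self, incident_id: str, verdict: str, comment: str) -> Dict:
        """PUT a new verdict; a 200 carrying `success: false` is still a failed update."""
        if verdict not in VERDICTS:
            raise ValueError(f"verdict must be one of {sorted(VERDICTS)}")
        path = f"/email-incidents/{quote(incident_id, safe='')}/verdict"  # id stays one path segment
        data = self._call("PUT", path, body={"verdict": verdict, "comment": comment})
        if not data.get("success"):
            raise RuntimeError(f"verdict for {incident_id} not applied")
        return data["incident"]

def block_pending_outbound(client: EmailDLPClient) -> Dict[str, str]:
    """Triage loop: block every pending outbound incident, recording the outcome per incident."""
    results = {}
    for inc in client.iter_incidents(status="pending", limit=2):
        if inc["direction"] != "outbound":
            continue
        try:
            results[inc["id"]] = client.update_verdict(inc["id"], "block", "analyst review")["status"]
        except RuntimeError as exc:
            results[inc["id"]] = f"error: {exc}"
    return results

# Constructed stand-in for the real service (token and incidents are made up) so this runs offline.
TOKEN = "constructed-token"
PENDING = [{"id": f"inc-{i}", "direction": "inbound" if i == 1 else "outbound"} for i in range(3)]

def fake_transport(method, url, headers, query, body):
    if headers.get("Authorization") != f"Bearer {TOKEN}":
        return 401, {"error": "unauthorized", "message": "invalid or expired bearer token"}
    if method == "GET" and url.endswith("/email-incidents"):
        off, lim = query["offset"], query["limit"]
        return 200, {"total": len(PENDING), "offset": off, "limit": lim, "incidents": PENDING[off:off + lim]}
    if method == "PUT" and url.endswith("/verdict"):
        inc_id = url.rsplit("/", 2)[-2]
        if inc_id == "inc-2":  # simulate an incident the backend declines to change
            return 200, {"success": False}
        new_status = "blocked" if body["verdict"] == "block" else "allowed"
        return 200, {"success": True, "incident": {"id": inc_id, "status": new_status}}
    return 404, {"error": "not_found", "message": url}
```

Swap `fake_transport` for a thin wrapper around a real HTTP library that returns `(response.status_code, response.json())` to run the same loop against a tenant.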