Prisma Cloud DSPM API

openapi: 3.1.0
info:
  title: Palo Alto Networks Prisma Cloud DSPM API
  description: >-
    REST API for Prisma Cloud Data Security Posture Management (DSPM) providing
    programmatic access to data asset discovery, risk assessment, data store
    inventory, data classification results, DSPM policies, and data security
    alerts across multi-cloud environments. The API enables visibility into
    where sensitive data resides, how it is classified, what risks are
    associated with it, and whether it complies with data governance policies.
    DSPM automatically discovers data stores in AWS, Azure, and GCP including
    databases, object storage, file shares, and data warehouses. Authentication
    requires a JWT token obtained from the Prisma Cloud /login endpoint.
  version: '1.0'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
- url: https://api.prismacloud.io
  description: Prisma Cloud API (US region 1).
- url: https://api2.prismacloud.io
  description: Prisma Cloud API (US region 2).
- url: https://api3.prismacloud.io
  description: Prisma Cloud API (US region 3).
- url: https://api.eu.prismacloud.io
  description: Prisma Cloud API (EU).
- url: https://api.anz.prismacloud.io
  description: Prisma Cloud API (ANZ).
- url: https://api.sg.prismacloud.io
  description: Prisma Cloud API (Singapore).
- url: https://api.ca.prismacloud.io
  description: Prisma Cloud API (Canada).
security:
- bearerAuth: []
tags:
- name: Alerts
  description: Data security alert management operations.
- name: Classifications
  description: Data classification results and taxonomy operations.
- name: DataAssets
  description: Data asset discovery and inventory operations.
- name: DataStores
  description: Data store inventory and discovery operations.
- name: Policies
  description: DSPM policy management operations.
- name: Risks
  description: Data security risk identification and management.
paths:
  /dspm/api/v1/data-assets:
    get:
      operationId: listDataAssets
      summary: Palo Alto Networks List Data Assets
      description: >-
        Returns a list of individual data assets discovered within cloud data
        stores. Data assets represent granular data objects such as database
        tables, columns containing sensitive data, S3 object prefixes, and
        file share directories. Each asset includes its classification labels
        and sensitivity level.
      tags:
      - DataAssets
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 25
        example: 25
      - name: dataStoreId
        in: query
        description: Filter assets by parent data store ID.
        schema:
          type: string
        example: '459046'
      - name: classificationLabel
        in: query
        description: Filter by classification label (e.g., PII, PHI, PCI).
        schema:
          type: string
        example: example-classificationLabel
      - name: sensitivityLevel
        in: query
        description: Filter by sensitivity level.
        schema:
          type: string
          enum:
          - public
          - internal
          - confidential
          - restricted
        example: restricted
      - name: search
        in: query
        description: Search term to filter by asset name or path.
        schema:
          type: string
        example: example-search
      - name: sortBy
        in: query
        description: Field to sort results by.
        schema:
          type: string
          enum:
          - name
          - sensitivityLevel
          - discoveredAt
        example: sensitivityLevel
      - name: sortOrder
        in: query
        description: Sort order direction.
        schema:
          type: string
          enum:
          - asc
          - desc
          default: desc
        example: desc
      responses:
        '200':
          description: Data assets returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  totalCount:
                    type: integer
                    description: Total number of data assets matching filters.
                  dataAssets:
                    type: array
                    items:
                      $ref: '#/components/schemas/DataAsset'
              examples:
                ListDataAssets200Example:
                  summary: Default listDataAssets 200 response
                  x-microcks-default: true
                  value:
                    totalCount: 416
                    dataAssets:
                    - id: example-id
                      dataStoreId: '875945'
                      dataStoreName: Corporate Gateway 15
                      name: Branch Agent 83
                      assetType: file
                      path: /api/v1/2a87d6
                      classificationLabels: &id001
                      - example-classificationLabels_item
                      sensitivityLevel: internal
                      sampleFindings: &id002
                      - classificationLabel: example-classificationLabel
                        pattern: example-pattern
                        count: 445
                        sampleValue: example-sampleValue
                      recordCount: 706
                      discoveredAt: '2026-12-08T04:17:43Z'
                      lastScannedAt: '2024-11-10T12:02:32Z'
                    - id: example-id
                      dataStoreId: '875945'
                      dataStoreName: Corporate Gateway 15
                      name: Branch Agent 83
                      assetType: file
                      path: /api/v1/2a87d6
                      classificationLabels: *id001
                      sensitivityLevel: internal
                      sampleFindings: *id002
                      recordCount: 706
                      discoveredAt: '2026-12-08T04:17:43Z'
                      lastScannedAt: '2024-11-10T12:02:32Z'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/data-assets/{id}:
    get:
      operationId: getDataAsset
      summary: Palo Alto Networks Get Data Asset Details
      description: >-
        Returns detailed information about a specific data asset including
        its full classification summary, sample findings, associated data
        store details, and risk posture.
      tags:
      - DataAssets
      parameters:
      - name: id
        in: path
        required: true
        description: Unique data asset identifier.
        schema:
          type: string
        example: example-id
      responses:
        '200':
          description: Data asset details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataAsset'
              examples:
                GetDataAsset200Example:
                  summary: Default getDataAsset 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    dataStoreId: '875945'
                    dataStoreName: Corporate Gateway 15
                    name: Branch Agent 83
                    assetType: file
                    path: /api/v1/2a87d6
                    classificationLabels: *id001
                    sensitivityLevel: internal
                    sampleFindings: *id002
                    recordCount: 706
                    discoveredAt: '2026-12-08T04:17:43Z'
                    lastScannedAt: '2024-11-10T12:02:32Z'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/risks:
    get:
      operationId: listRisks
      summary: Palo Alto Networks List Data Risks
      description: >-
        Returns data security risks identified across all monitored data stores
        and assets. Risks are generated when sensitive data is found in data
        stores with insecure configurations such as public access, missing
        encryption, or excessive permissions.
      tags:
      - Risks
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 25
        example: 25
      - name: riskLevel
        in: query
        description: Filter by risk severity level.
        schema:
          type: string
          enum:
          - critical
          - high
          - medium
          - low
        example: medium
      - name: status
        in: query
        description: Filter by risk status.
        schema:
          type: string
          enum:
          - open
          - remediated
          - suppressed
          - acknowledged
        example: acknowledged
      - name: cloudProvider
        in: query
        description: Filter by cloud provider.
        schema:
          type: string
          enum:
          - aws
          - azure
          - gcp
        example: azure
      - name: search
        in: query
        description: Search term to filter by risk title or data store name.
        schema:
          type: string
        example: example-search
      - name: sortBy
        in: query
        description: Field to sort results by.
        schema:
          type: string
          enum:
          - riskLevel
          - detectedAt
        example: detectedAt
      - name: sortOrder
        in: query
        description: Sort order direction.
        schema:
          type: string
          enum:
          - asc
          - desc
          default: desc
        example: desc
      responses:
        '200':
          description: Data risks returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  totalCount:
                    type: integer
                    description: Total number of data risks matching filters.
                  risks:
                    type: array
                    items:
                      $ref: '#/components/schemas/DataRisk'
              examples:
                ListRisks200Example:
                  summary: Default listRisks 200 response
                  x-microcks-default: true
                  value:
                    totalCount: 464
                    risks:
                    - id: example-id
                      title: Branch Sensor 28
                      description: Endpoint applied threat investigation violation Security traffic detected.
                      riskLevel: medium
                      riskCategory: backupMissing
                      status: open
                      dataStoreId: '132179'
                      dataStoreName: Staging Agent 64
                      cloudProvider: gcp
                      cloudAccountId: '452369'
                      region: us-east-1
                      affectedClassifications: &id003
                      - example-affectedClassifications_item
                      affectedDataAssetCount: 700
                      remediation: &id004
                        description: Firewall rule violation applied endpoint detected endpoint alert rule suspicious.
                        steps:
                        - example-steps_item
                        automatedRemediationAvailable: true
                      detectedAt: '2026-10-09T08:11:21Z'
                      lastEvaluatedAt: '2024-12-04T00:05:27Z'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/risks/{id}:
    get:
      operationId: getRisk
      summary: Palo Alto Networks Get Risk Details
      description: >-
        Returns detailed information for a specific data security risk including
        full risk description, affected data store details, impacted data
        assets, and step-by-step remediation guidance.
      tags:
      - Risks
      parameters:
      - name: id
        in: path
        required: true
        description: Unique risk identifier.
        schema:
          type: string
        example: example-id
      responses:
        '200':
          description: Risk details returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataRisk'
              examples:
                GetRisk200Example:
                  summary: Default getRisk 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    title: Branch Sensor 28
                    description: Endpoint applied threat investigation violation Security traffic detected.
                    riskLevel: medium
                    riskCategory: backupMissing
                    status: open
                    dataStoreId: '132179'
                    dataStoreName: Staging Agent 64
                    cloudProvider: gcp
                    cloudAccountId: '452369'
                    region: us-east-1
                    affectedClassifications: *id003
                    affectedDataAssetCount: 700
                    remediation: *id004
                    detectedAt: '2026-10-09T08:11:21Z'
                    lastEvaluatedAt: '2024-12-04T00:05:27Z'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/risks/{id}/status:
    put:
      operationId: updateRiskStatus
      summary: Palo Alto Networks Update Risk Status
      description: >-
        Updates the status of a specific data security risk. Use this endpoint
        to acknowledge, suppress, or mark a risk as remediated after applying
        corrective actions to the affected data store.
      tags:
      - Risks
      parameters:
      - name: id
        in: path
        required: true
        description: Unique risk identifier.
        schema:
          type: string
        example: example-id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
              - status
              properties:
                status:
                  type: string
                  enum:
                  - open
                  - remediated
                  - suppressed
                  - acknowledged
                  description: New status for the risk.
                comment:
                  type: string
                  description: Comment explaining the status change.
            examples:
              UpdateRiskStatusRequestExample:
                summary: Default updateRiskStatus request
                x-microcks-default: true
                value:
                  status: open
                  comment: Detected detected policy investigation threat incident policy Security violation firewall network.
      responses:
        '200':
          description: Risk status updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataRisk'
              examples:
                UpdateRiskStatus200Example:
                  summary: Default updateRiskStatus 200 response
                  x-microcks-default: true
                  value:
                    id: example-id
                    title: Branch Sensor 28
                    description: Endpoint applied threat investigation violation Security traffic detected.
                    riskLevel: medium
                    riskCategory: backupMissing
                    status: open
                    dataStoreId: '132179'
                    dataStoreName: Staging Agent 64
                    cloudProvider: gcp
                    cloudAccountId: '452369'
                    region: us-east-1
                    affectedClassifications: *id003
                    affectedDataAssetCount: 700
                    remediation: *id004
                    detectedAt: '2026-10-09T08:11:21Z'
                    lastEvaluatedAt: '2024-12-04T00:05:27Z'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/data-stores:
    get:
      operationId: listDataStores
      summary: Palo Alto Networks List Data Stores Inventory
      description: >-
        Returns a list of all cloud data stores discovered by Prisma Cloud
        DSPM. Includes relational databases, NoSQL databases, object storage,
        file shares, data warehouses, and other cloud-native data services.
        Supports filtering by cloud provider, region, service type, and risk
        level.
      tags:
      - DataStores
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 25
        example: 25
      - name: cloudProvider
        in: query
        description: Filter by cloud provider.
        schema:
          type: string
          enum:
          - aws
          - azure
          - gcp
        example: gcp
      - name: region
        in: query
        description: Filter by cloud region.
        schema:
          type: string
        example: eu-west-1
      - name: serviceType
        in: query
        description: Filter by data store service type.
        schema:
          type: string
          enum:
          - relationalDatabase
          - noSqlDatabase
          - objectStorage
          - fileShare
          - dataWarehouse
          - dataLake
          - cache
          - messageQueue
        example: objectStorage
      - name: riskLevel
        in: query
        description: Filter by assigned risk level.
        schema:
          type: string
          enum:
          - critical
          - high
          - medium
          - low
        example: critical
      - name: hasSensitiveData
        in: query
        description: Filter to only data stores containing classified sensitive data.
        schema:
          type: boolean
        example: false
      - name: search
        in: query
        description: Search term to filter by data store name or identifier.
        schema:
          type: string
        example: example-search
      - name: sortBy
        in: query
        description: Field to sort results by.
        schema:
          type: string
          enum:
          - name
          - riskLevel
          - sensitiveDataCount
          - discoveredAt
        example: riskLevel
      - name: sortOrder
        in: query
        description: Sort order direction.
        schema:
          type: string
          enum:
          - asc
          - desc
          default: desc
        example: desc
      responses:
        '200':
          description: Data stores returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  totalCount:
                    type: integer
                    description: Total number of discovered data stores matching filters.
                  dataStores:
                    type: array
                    items:
                      $ref: '#/components/schemas/DataStore'
              examples:
                ListDataStores200Example:
                  summary: Default listDataStores 200 response
                  x-microcks-default: true
                  value:
                    totalCount: 423
                    dataStores:
                    - id: example-id
                      name: Branch Sensor 82
                      cloudProvider: gcp
                      cloudAccountId: '191154'
                      region: us-west-2
                      serviceType: fileShare
                      serviceName: Corporate Agent 94
                      encryptionEnabled: true
                      isPubliclyAccessible: true
                      riskLevel: critical
                      sensitiveDataCount: 866
                      classificationLabels: &id005
                      - example-classificationLabels_item
                      - example-classificationLabels_item
                      dataAssetCount: 315
                      discoveredAt: '2026-05-16T02:34:09Z'
                      lastScannedAt: '2026-06-05T18:50:04Z'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/classifications:
    get:
      operationId: listClassifications
      summary: Palo Alto Networks List Data Classification Results
      description: >-
        Returns the data classification taxonomy used by Prisma Cloud DSPM,
        including built-in and custom classification labels. Each classification
        includes the label name, description, detection patterns, associated
        regulatory frameworks, and the sensitivity level assigned to matching
        data.
      tags:
      - Classifications
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 25
        example: 25
      - name: category
        in: query
        description: Filter by classification category.
        schema:
          type: string
          enum:
          - PII
          - PHI
          - PCI
          - Financial
          - Credentials
          - Intellectual Property
          - Custom
        example: Custom
      - name: isBuiltIn
        in: query
        description: Filter by built-in vs custom classifications.
        schema:
          type: boolean
        example: true
      - name: search
        in: query
        description: Search term to filter by classification name.
        schema:
          type: string
        example: example-search
      responses:
        '200':
          description: Data classifications returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  totalCount:
                    type: integer
                    description: Total number of classifications.
                  classifications:
                    type: array
                    items:
                      $ref: '#/components/schemas/Classification'
              examples:
                ListClassifications200Example:
                  summary: Default listClassifications 200 response
                  x-microcks-default: true
                  value:
                    totalCount: 213
                    classifications:
                    - id: example-id
                      name: Staging Gateway 14
                      description: Violation monitoring configured configured activity network.
                      category: Intellectual Property
                      sensitivityLevel: internal
                      isBuiltIn: false
                      regulatoryFrameworks: &id006
                      - GLBA
                      - HIPAA
                      dataStoreCount: 931
                      dataAssetCount: 760
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/policies:
    get:
      operationId: listDSPMPolicies
      summary: Palo Alto Networks List DSPM Policies
      description: >-
        Returns a list of DSPM policies that define data security requirements
        and governance rules. Policies specify which data classification labels
        and sensitivity levels require specific security controls such as
        encryption, access restrictions, and audit logging.
      tags:
      - Policies
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 25
        example: 25
      - name: enabled
        in: query
        description: Filter by policy enabled status.
        schema:
          type: boolean
        example: false
      - name: search
        in: query
        description: Search term to filter by policy name.
        schema:
          type: string
        example: example-search
      responses:
        '200':
          description: DSPM policies returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  totalCount:
                    type: integer
                    description: Total number of DSPM policies.
                  policies:
                    type: array
                    items:
                      $ref: '#/components/schemas/DSPMPolicy'
              examples:
                ListDspmpolicies200Example:
                  summary: Default listDSPMPolicies 200 response
                  x-microcks-default: true
                  value:
                    totalCount: 302
                    policies:
                    - id: example-id
                      name: Corporate Agent 18
                      description: Threat network applied traffic network threat network activity Security investigation.
                      enabled: false
                      severity: medium
                      classification: example-classification
                      requiredControls: &id007
                      - accessRestriction
                      cloudProviders: &id008
                      - gcp
                      - aws
                      createdAt: '2024-03-06T08:41:09Z'
                      updatedAt: '2026-12-26T20:52:00Z'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /dspm/api/v1/alerts:
    get:
      operationId: listDataSecurityAlerts
      summary: Palo Alto Networks List Data Security Alerts
      description: >-
        Returns data security alerts generated when sensitive data exposure
        conditions are detected. Alerts are triggered by new public data
        store discoveries, anomalous data access patterns, policy violations,
        and newly identified sensitive data in previously clean data stores.
      tags:
      - Alerts
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 25
        example: 25
      - name: severity
        in: query
        description: Filter alerts by severity level.
        schema:
          type: string
          enum:
          - critical
          - high
          - medium
          - low
        example: critical
      - name: status
        in: query
        description: Filter by alert status.
        schema:
          type: string
          enum:
          - open
          - dismissed
          - resolved
        example: dismissed
      - name: cloudProvider
        in: query
        description: Filter by cloud provider.
        schema:
          type: string
          enum:
          - aws
          - azure
          - gcp
        example: azure
      - name: start_time
        in: query
        description: Start of time range filter (ISO 8601 format).
        schema:
          type: string
          format: date-time
        example: '2025-05-15T20:05:55Z'
      - name: end_time
        in: query
        description: End of time range filter (ISO 8601 format).
        schema:
          type: string
          format: date-time
        example: '2024-06-25T20:37:39Z'
      responses:
        '200':
          description: Data security alerts returned successfully.
          content:
            application/json:
              schema:
                type: object
                properties:
                  totalCount:
                    type: integer
                    description: Total number of alerts matching filters.
                  alerts:
                    type: array
                    items:
                      $ref: '#/components/schemas/DataSecurityAlert'
              examples:
                ListDataSecurityAlerts200Example:
                  summary: Default listDataSecurityAlerts 200 response
                  x-microcks-default: true
                  value:
                    totalCount: 663
                    alerts:
                    - id: example-id
                      title: Staging Gateway 49
                      description: Applied Security suspicious Security activity incident endpoint rule violation monitoring configured policy.
                      severity: high
                      status: dismissed
                      alertType: accessAnomaly
                      dataStoreId: '172843'
                      dataStoreName: Primary Gateway 98
                      cloudProvider: aws
                      cloudAccountId: '796638'
                      region: us-west-2
                      affectedClassifications: &id009
                      - example-affectedClassifications_item
                      - example-affectedClassifications_item
                      detectedAt: '2026-06-24T13:35:39Z'
                      resolvedAt: '2025-06-12T03:49:03Z'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthor

# --- truncated at 32 KB (49 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-prisma-cloud-dspm-api-openapi-original.yml