SASE Aggregate Monitoring API

A REST API for performing aggregated monitoring queries across SASE tenants. The API supports querying application usage, threat data, URL categorization, and license utilization across all tenants in a hierarchy. It provides multi-tenant visibility for managed security service providers and enterprise administrators overseeing multiple organizational units.


OpenAPI Specification

palo-alto-sase-aggregate-monitoring-api-openapi-original.yml
# OpenAPI 3.1 description of the multi-tenant SASE Aggregate Monitoring API.
openapi: 3.1.0
info:
  title: Palo Alto Networks SASE Aggregate Monitoring API
  description: >-
    SASE Aggregate Monitoring API for multi-tenant visibility and telemetry.
    Provides aggregated query capabilities across threat, URL, application,
    bandwidth, and license data for SASE-managed tenants. Designed for
    managed service providers and large enterprise deployments where
    operators need cross-tenant visibility in a single query. Supports
    histogram aggregations, group-by dimensions, and flexible filtering
    to power dashboards and compliance reporting workflows.
  version: '1.0'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
# Only an HTTPS endpoint is declared; the bearer token travels in every
# request, so clients should refuse to fall back to plain HTTP.
servers:
- url: https://api.sase.paloaltonetworks.com/mt/monitor/v1
  description: SASE Aggregate Monitoring API production server.
# Global requirement: no operation in this document overrides `security`,
# so every path below requires the oauth2Bearer scheme.
security:
- oauth2Bearer: []
tags:
- name: Aggregation Queries
  description: Multi-tenant aggregated data queries.
- name: Tenants
  description: Tenant hierarchy visibility.
paths:
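  # Aggregated threat-event query, scoped by the caller-supplied tsg_id.
  # NOTE(review): tsg_id comes from the request body, so the server is
  # expected to check it against the TSG scope of the bearer token; this
  # spec only documents a generic 403 — confirm it covers out-of-scope IDs.
  # NOTE(review): no 429 response is documented for these cross-tenant
  # aggregations — confirm how throttling is signalled to clients.
  /agg/query/threat:
    post:
      operationId: queryThreatData
      summary: Palo Alto Networks Query Threat Data Aggregation
      description: >-
        Returns aggregated threat event data across one or more tenants
        within a Tenant Service Group hierarchy. Supports filtering by
        threat type, severity, source, and time range. Results can be
        grouped by dimensions such as tenant, threat category, or time
        bucket to support dashboard and reporting use cases.
      tags:
      - Aggregation Queries
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AggregationQuery'
            examples:
              # The anchors defined in this example (&id001-&id005) are
              # aliased by the other query operations and by the
              # AggregationQuery schema, so they must keep their names.
              QueryThreatDataRequestExample:
                summary: Default queryThreatData request
                x-microcks-default: true
                value:
                  tsg_id: '895182'
                  filter: &id001 {}
                  # Absolute window only: `last` is documented as mutually
                  # exclusive with start/end, and start must precede end.
                  time_range: &id002
                    start: '2025-04-10T14:11:52Z'
                    end: '2025-05-13T00:30:44Z'
                  count: 100
                  histogram: &id003
                    field: example-field
                    interval: 1d
                  group_by: &id004
                  - example-group_by_item
                  - example-group_by_item
                  sort: &id005
                  - field: example-field
                    order: desc
      responses:
        '200':
          description: Threat data aggregation results returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AggregationResponse'
              examples:
                # Anchors &id006-&id008 are aliased by the other operations
                # and by the AggregationResponse schema.
                QueryThreatData200Example:
                  summary: Default queryThreatData 200 response
                  x-microcks-default: true
                  value:
                    total: 137
                    count: 29
                    # Start now precedes end; the remaining values appear to
                    # be generated placeholders, not real telemetry.
                    time_range: &id006
                      start: '2024-01-19T02:12:28Z'
                      end: '2024-05-26T23:18:49Z'
                    data: &id007
                    - {}
                    - {}
                    histogram: &id008
                    - timestamp: '2025-05-11T15:41:12Z'
                      count: 793
                      values: {}
                    - timestamp: '2024-09-14T11:54:08Z'
                      count: 283
                      values: {}
        # Each error example's message mirrors that response's description,
        # so mocked errors read consistently with their status code.
        '400':
          description: Invalid query request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryThreatData400Example:
                  summary: Default queryThreatData 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid query request body.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryThreatData401Example:
                  summary: Default queryThreatData 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid or missing Bearer token.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryThreatData403Example:
                  summary: Default queryThreatData 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Insufficient permissions.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryThreatData500Example:
                  summary: Default queryThreatData 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Internal server error.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK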
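  # Aggregated URL-categorization / web-activity query across tenants.
  # NOTE(review): tsg_id is caller-supplied in the body; the server is
  # expected to check it against the TSG scope of the bearer token — confirm
  # that the documented 403 covers out-of-scope IDs.
  /agg/query/url:
    post:
      operationId: queryURLData
      summary: Palo Alto Networks Query URL Categorization Data
      description: >-
        Returns aggregated URL categorization and web activity data across
        tenants. Supports filtering by URL category, action, and user groups.
        Useful for generating web usage reports and identifying policy
        violations across managed tenants.
      tags:
      - Aggregation Queries
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AggregationQuery'
            examples:
              # The *idNNN aliases resolve to anchors defined in the
              # /agg/query/threat examples earlier in this document.
              QueryUrldataRequestExample:
                summary: Default queryURLData request
                x-microcks-default: true
                value:
                  tsg_id: '895182'
                  filter: *id001
                  time_range: *id002
                  count: 100
                  histogram: *id003
                  group_by: *id004
                  sort: *id005
      responses:
        '200':
          description: URL categorization data returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AggregationResponse'
              examples:
                QueryUrldata200Example:
                  summary: Default queryURLData 200 response
                  x-microcks-default: true
                  value:
                    total: 137
                    count: 29
                    time_range: *id006
                    data: *id007
                    histogram: *id008
        # Each error example's message mirrors that response's description,
        # so mocked errors read consistently with their status code.
        '400':
          description: Invalid query request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryUrldata400Example:
                  summary: Default queryURLData 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid query request body.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryUrldata401Example:
                  summary: Default queryURLData 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid or missing Bearer token.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryUrldata403Example:
                  summary: Default queryURLData 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Insufficient permissions.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryUrldata500Example:
                  summary: Default queryURLData 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Internal server error.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK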
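  # Aggregated application-usage query across tenants.
  # NOTE(review): tsg_id is caller-supplied in the body; the server is
  # expected to check it against the TSG scope of the bearer token — confirm
  # that the documented 403 covers out-of-scope IDs.
  /agg/query/application:
    post:
      operationId: queryApplicationData
      summary: Palo Alto Networks Query Application Usage Data
      description: >-
        Returns aggregated application usage data across tenants including
        session counts, bytes transferred, and user counts per application.
        Supports filtering by application name, category, and risk level.
      tags:
      - Aggregation Queries
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AggregationQuery'
            examples:
              # The *idNNN aliases resolve to anchors defined in the
              # /agg/query/threat examples earlier in this document.
              QueryApplicationDataRequestExample:
                summary: Default queryApplicationData request
                x-microcks-default: true
                value:
                  tsg_id: '895182'
                  filter: *id001
                  time_range: *id002
                  count: 100
                  histogram: *id003
                  group_by: *id004
                  sort: *id005
      responses:
        '200':
          description: Application usage data returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AggregationResponse'
              examples:
                QueryApplicationData200Example:
                  summary: Default queryApplicationData 200 response
                  x-microcks-default: true
                  value:
                    total: 137
                    count: 29
                    time_range: *id006
                    data: *id007
                    histogram: *id008
        # Each error example's message mirrors that response's description,
        # so mocked errors read consistently with their status code.
        '400':
          description: Invalid query request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryApplicationData400Example:
                  summary: Default queryApplicationData 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid query request body.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryApplicationData401Example:
                  summary: Default queryApplicationData 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid or missing Bearer token.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryApplicationData403Example:
                  summary: Default queryApplicationData 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Insufficient permissions.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryApplicationData500Example:
                  summary: Default queryApplicationData 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Internal server error.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK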
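  # Aggregated bandwidth-utilization query across tenants and locations.
  # NOTE(review): tsg_id is caller-supplied in the body; the server is
  # expected to check it against the TSG scope of the bearer token — confirm
  # that the documented 403 covers out-of-scope IDs.
  /agg/query/bandwidth:
    post:
      operationId: queryBandwidthData
      summary: Palo Alto Networks Query Bandwidth Utilization Data
      description: >-
        Returns aggregated bandwidth utilization metrics across tenants
        and SASE locations. Supports filtering by location, time range,
        and traffic direction. Useful for capacity planning and SLA
        monitoring reports.
      tags:
      - Aggregation Queries
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AggregationQuery'
            examples:
              # The *idNNN aliases resolve to anchors defined in the
              # /agg/query/threat examples earlier in this document.
              QueryBandwidthDataRequestExample:
                summary: Default queryBandwidthData request
                x-microcks-default: true
                value:
                  tsg_id: '895182'
                  filter: *id001
                  time_range: *id002
                  count: 100
                  histogram: *id003
                  group_by: *id004
                  sort: *id005
      responses:
        '200':
          description: Bandwidth utilization data returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AggregationResponse'
              examples:
                QueryBandwidthData200Example:
                  summary: Default queryBandwidthData 200 response
                  x-microcks-default: true
                  value:
                    total: 137
                    count: 29
                    time_range: *id006
                    data: *id007
                    histogram: *id008
        # Each error example's message mirrors that response's description,
        # so mocked errors read consistently with their status code.
        '400':
          description: Invalid query request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryBandwidthData400Example:
                  summary: Default queryBandwidthData 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid query request body.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryBandwidthData401Example:
                  summary: Default queryBandwidthData 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid or missing Bearer token.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryBandwidthData403Example:
                  summary: Default queryBandwidthData 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Insufficient permissions.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryBandwidthData500Example:
                  summary: Default queryBandwidthData 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Internal server error.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK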
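  # Aggregated license-utilization query across tenants.
  # NOTE(review): tsg_id is caller-supplied in the body; the server is
  # expected to check it against the TSG scope of the bearer token — confirm
  # that the documented 403 covers out-of-scope IDs.
  /agg/query/license:
    post:
      operationId: queryLicenseData
      summary: Palo Alto Networks Query License Utilization Data
      description: >-
        Returns aggregated license utilization data across tenants for
        all active SASE subscriptions. Supports filtering by product,
        license type, and TSG. Useful for chargeback reporting and
        license compliance monitoring.
      tags:
      - Aggregation Queries
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AggregationQuery'
            examples:
              # The *idNNN aliases resolve to anchors defined in the
              # /agg/query/threat examples earlier in this document.
              QueryLicenseDataRequestExample:
                summary: Default queryLicenseData request
                x-microcks-default: true
                value:
                  tsg_id: '895182'
                  filter: *id001
                  time_range: *id002
                  count: 100
                  histogram: *id003
                  group_by: *id004
                  sort: *id005
      responses:
        '200':
          description: License utilization data returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AggregationResponse'
              examples:
                QueryLicenseData200Example:
                  summary: Default queryLicenseData 200 response
                  x-microcks-default: true
                  value:
                    total: 137
                    count: 29
                    time_range: *id006
                    data: *id007
                    histogram: *id008
        # Each error example's message mirrors that response's description,
        # so mocked errors read consistently with their status code.
        '400':
          description: Invalid query request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryLicenseData400Example:
                  summary: Default queryLicenseData 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid query request body.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryLicenseData401Example:
                  summary: Default queryLicenseData 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid or missing Bearer token.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryLicenseData403Example:
                  summary: Default queryLicenseData 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Insufficient permissions.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                QueryLicenseData500Example:
                  summary: Default queryLicenseData 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Internal server error.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK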
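  # Lists the TSG hierarchy visible to the authenticated service account.
  # NOTE(review): the optional tsg_id query parameter is caller-supplied, so
  # the server is expected to return only tenants inside the token's own
  # scope; confirm an out-of-scope root yields the documented 403.
  /tenants:
    get:
      operationId: listMonitoringTenants
      summary: Palo Alto Networks Get Tenant Hierarchy
      description: >-
        Returns the tenant hierarchy accessible to the authenticated
        service account within the Aggregate Monitoring scope. Use this
        endpoint to enumerate the TSG IDs available for use in aggregation
        queries.
      tags:
      - Tenants
      parameters:
      - name: tsg_id
        in: query
        description: >-
          Root TSG ID from which to return the hierarchy. Defaults to
          the TSG of the authenticated service account.
        schema:
          type: string
        example: '699512'
      responses:
        '200':
          description: Tenant hierarchy returned.
          content:
            application/json:
              schema:
                type: object
                properties:
                  total:
                    type: integer
                    description: Total number of tenants in the hierarchy.
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/TenantSummary'
              examples:
                ListMonitoringTenants200Example:
                  summary: Default listMonitoringTenants 200 response
                  x-microcks-default: true
                  # Constructed sample: one root TSG and one child with
                  # unique IDs, so total, depth and child_count agree.
                  value:
                    total: 2
                    items:
                    - tsg_id: '264676'
                      display_name: Example Root TSG
                      depth: 0
                      child_count: 1
                    - tsg_id: '301496'
                      display_name: Carlos Wilson
                      parent_id: '264676'
                      depth: 1
                      child_count: 0
        # Each error example's message mirrors that response's description,
        # so mocked errors read consistently with their status code.
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                ListMonitoringTenants401Example:
                  summary: Default listMonitoringTenants 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Invalid or missing Bearer token.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                ListMonitoringTenants403Example:
                  summary: Default listMonitoringTenants 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Insufficient permissions.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                ListMonitoringTenants500Example:
                  summary: Default listMonitoringTenants 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Internal server error.
                    request_id: 34be728a-625b-4e23-9e3a-12d7366cb00d
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK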
components:
  # HTTP bearer scheme referenced by the top-level `security` requirement.
  # It models only how the token is presented; the token endpoint, scopes
  # and token lifetime are not described anywhere in this spec.
  # NOTE(review): the client secret used for the client_credentials grant
  # is the credential that mints tokens — keep it in a secret store and out
  # of client code, logs and committed configuration.
  securitySchemes:
    oauth2Bearer:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        OAuth 2.0 Bearer token for SASE platform authentication. Obtain
        using the client_credentials grant with your SASE service account
        client ID and client secret.
  schemas:
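    # Request body referenced by every /agg/query/* operation.
    # NOTE(review): tsg_id, filter keys, group_by entries and sort fields are
    # free-form strings with no pattern or enum here, so input validation and
    # tenant-scope checks rest entirely on the server — confirm they exist.
    AggregationQuery:
      type: object
      required:
      - tsg_id
      properties:
        tsg_id:
          type: string
          description: >-
            Tenant Service Group ID to scope the query. Data from all
            descendant TSGs within this scope is included.
          example: '895182'
        filter:
          type: object
          description: >-
            Key-value filter conditions to apply to the query. Filter keys
            are data-type specific (e.g., severity, category, app_name).
          additionalProperties:
            type: string
          example: *id001
        # NOTE(review): `last` is described as mutually exclusive with
        # start/end, but nothing in the schema enforces that; the server
        # has to reject bodies that send both.
        time_range:
          type: object
          description: Time range for the query.
          properties:
            start:
              type: string
              format: date-time
              description: Query start time (ISO 8601).
              example: '2025-05-05T00:21:55Z'
            end:
              type: string
              format: date-time
              description: Query end time (ISO 8601). Defaults to current time.
              example: '2026-07-01T15:56:30Z'
            last:
              type: string
              description: >-
                Relative time range shorthand (e.g., 1h, 24h, 7d, 30d).
                Mutually exclusive with start/end.
              example: '24h'
          example: *id002
        # Rows are capped at 1000 per response.
        # NOTE(review): no `minimum` is declared, so zero or negative values
        # pass schema validation — confirm the server rejects them.
        count:
          type: integer
          description: Maximum number of result rows to return.
          default: 100
          maximum: 1000
          example: 100
        histogram:
          type: object
          description: >-
            Configuration for time-series histogram output. When specified,
            results are bucketed by time.
          properties:
            field:
              type: string
              description: Timestamp field to use for bucketing.
              example: example-field
            interval:
              type: string
              enum:
              - 1m
              - 5m
              - 15m
              - 1h
              - 6h
              - 1d
              description: Time bucket interval.
              example: 1d
          example: *id003
        group_by:
          type: array
          description: >-
            Dimension fields to group results by. Supported values are
            data-type specific.
          items:
            type: string
          example: *id004
        sort:
          type: array
          description: Sort order for results.
          items:
            type: object
            properties:
              field:
                type: string
                description: Field name to sort by.
                example: example-field
              order:
                type: string
                enum:
                - asc
                - desc
                default: desc
                example: desc
          example: *id005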
    # Response body referenced by every /agg/query/* 200 response.
    # The `example: *idNNN` aliases resolve to anchors defined in the
    # /agg/query/threat response example earlier in this document.
    AggregationResponse:
      type: object
      properties:
        total:
          type: integer
          description: Total number of matching records before count limit.
          example: 137
        count:
          type: integer
          description: Number of records returned.
          example: 29
        time_range:
          type: object
          properties:
            start:
              type: string
              format: date-time
              example: '2024-10-13T22:10:28Z'
            end:
              type: string
              format: date-time
              example: '2026-11-26T17:22:41Z'
          example: *id006
        # Rows are untyped (additionalProperties: true), so consumers cannot
        # rely on this schema to validate them and should treat the field
        # values as untrusted input when rendering dashboards or reports.
        data:
          type: array
          description: >-
            Array of result objects. Schema varies by query type and
            group_by dimensions.
          items:
            type: object
            additionalProperties: true
          example: *id007
        histogram:
          type: array
          description: >-
            Time-series histogram buckets when histogram configuration
            was specified in the query.
          items:
            type: object
            properties:
              timestamp:
                type: string
                format: date-time
                example: '2025-02-16T13:06:32Z'
              count:
                type: integer
                example: 432
              # Per-bucket values are untyped as well.
              values:
                type: object
                additionalProperties: true
                example: {}
          example: *id008
    # One node of the tenant hierarchy returned by GET /tenants.
    TenantSummary:
      type: object
      properties:
        # IDs are strings, and the examples are quoted so that all-digit
        # values are not parsed as integers.
        tsg_id:
          type: string
          description: Tenant Service Group ID.
          example: '301496'
        display_name:
          type: string
          description: TSG display name.
          example: Carlos Wilson
        parent_id:
          type: string
          description: Parent TSG ID.
          example: '264676'
        # NOTE(review): the depth and child_count examples look like
        # generated placeholders rather than realistic hierarchy values.
        depth:
          type: integer
          description: Depth in the hierarchy (0 for root).
          example: 182
        child_count:
          type: integer
          description: Number of direct child TSGs.
          example: 779
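    # Error envelope referenced by every 4xx/5xx response in this document.
    ErrorResponse:
      type: object
      properties:
        error:
          type: string
          description: Error code identifying the error type.
          example: example-error
        # Shown to API clients: keep it descriptive but free of stack
        # traces, internal hostnames or other tenants' identifiers.
        message:
          type: string
          description: Human-readable description of the error.
          example: Invalid query request body.
        # Lets support correlate a failure with server-side logs without
        # putting internal detail into `message`.
        request_id:
          type: string
          description: Request identifier for support correlation.
          example: 34be728a-625b-4e23-9e3a-12d7366cb00d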