Security Advisory API

A REST API (currently in beta) for programmatically querying Palo Alto Networks security advisories published by the Product Security Incident Response Team (PSIRT). The API supports filtering advisories by CVE ID, severity, product, and date range. It returns advisory details including vulnerability descriptions, affected versions, CVSS scores, and remediation guidance. The advisories are also available as an RSS feed for continuous monitoring of new security advisories.
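An added example (not code from Palo Alto Networks or from this page) of a client for the `/advisories` endpoint in the specification on this page: it follows the `total`/`offset`/`limit` paging contract and ranks advisories that mark an installed version as `Affected`. The function names, the `sample_fetch` stand-in and the sample records are assumptions constructed for illustration; field names, enum values and limits are taken from the spec.

```python
import json
import re
import urllib.parse
import urllib.request

BASE_URL = "https://security.paloaltonetworks.com/api"  # `servers` entry in the spec
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # `cve_id` pattern in the spec
MAX_LIMIT = 200  # documented maximum for `limit`

def http_get_json(path, params):
    """Unauthenticated GET (the spec declares `security: []`)."""
    url = BASE_URL + path + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def iter_advisories(fetch=http_get_json, severity=None, product=None, limit=50):
    """Yield every matching advisory, following offset/limit pagination."""
    params = {"limit": max(1, min(limit, MAX_LIMIT)), "offset": 0}
    if severity:
        params["severity"] = severity
    if product:
        params["affected_product"] = product
    while True:
        page = fetch("/advisories", dict(params))
        rows = page.get("data") or []
        yield from rows
        params["offset"] += len(rows)
        # Also stop on an empty page so a wrong `total` cannot loop forever.
        if not rows or params["offset"] >= page.get("total", 0):
            return

def triage(advisories, product, installed_version):
    """List (cve_id, severity, exploit_status) for advisories marking the
    installed version Affected, actively exploited ones first."""
    hits = []
    for adv in advisories:
        cve = adv.get("cve_id") or ""
        if not CVE_RE.match(cve):
            continue  # ignore records whose CVE ID fails the spec's pattern
        for ap in adv.get("affected_products", []):
            # Assumption: exact string match; version ranges need a real comparator.
            if ap.get("product") == product and any(
                    v.get("version") == installed_version and v.get("status") == "Affected"
                    for v in ap.get("versions", [])):
                hits.append((cve, adv.get("severity"), adv.get("exploit_status")))
                break
    rank = {"Active": 0, "Proof-of-Concept": 1, "None": 2}
    return sorted(hits, key=lambda h: rank.get(h[2], 3))

# Constructed sample records, not real advisory data; CVE-0000-* are placeholders.
def make_sample(cve, status, exploit):
    return {"cve_id": cve, "severity": "HIGH", "exploit_status": exploit,
            "affected_products": [{"product": "PAN-OS", "versions": [
                {"version": "10.8.8", "status": status}]}]}

SAMPLE = [make_sample("CVE-0000-0001", "Affected", "None"),
          make_sample("CVE-0000-0002", "Fixed", "Active"),
          make_sample("CVE-0000-0003", "Affected", "Active")]

def sample_fetch(path, params):
    """Offline stand-in for http_get_json that serves SAMPLE page by page."""
    o, n = params["offset"], params["limit"]
    return {"total": len(SAMPLE), "offset": o, "limit": n, "data": SAMPLE[o:o + n]}
```

Pass `fetch=sample_fetch` to run the paging and triage logic offline; the default fetcher issues real requests against the server URL given in the spec.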

OpenAPI Specification

palo-alto-security-advisory-api-openapi-original.yml
openapi: 3.1.0
info:
  title: Palo Alto Networks Security Advisory API
  description: >-
    Public REST API for querying Palo Alto Networks Product Security Incident
    Response Team (PSIRT) security advisories. Beta release. Provides access
    to published vulnerability advisories including CVE identifiers, severity
    ratings, CVSS scores, affected products and versions, fixed versions, and
    remediation guidance. No authentication is required. Advisory data covers
    PAN-OS, Cortex XDR, Prisma Cloud, GlobalProtect, and other Palo Alto
    Networks products.
  version: '1.0-beta'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
- url: https://security.paloaltonetworks.com/api
  description: Palo Alto Networks Security Advisory API (public beta).
security: []
tags:
- name: Advisories
  description: Query and retrieve PSIRT security advisories.
- name: Products
  description: Query affected products referenced in security advisories.
paths:
  /advisories:
    get:
      operationId: listAdvisories
      summary: Palo Alto Networks List All Security Advisories
      description: >-
        Returns a paginated list of published PSIRT security advisories.
        Supports filtering by severity, affected product, and sorting by
        publication date or CVSS score. This endpoint is publicly accessible
        and does not require authentication. Results include advisory metadata,
        CVE identifiers, severity ratings, and affected product summaries.
      tags:
      - Advisories
      parameters:
      - name: severity
        in: query
        description: Filter advisories by severity level.
        schema:
          type: string
          enum:
          - NONE
          - LOW
          - MEDIUM
          - HIGH
          - CRITICAL
        example: MEDIUM
      - name: affected_product
        in: query
        description: >-
          Filter by affected product name. Examples: PAN-OS, Cortex XDR
          Agent, Prisma Cloud, GlobalProtect, Cortex XSOAR.
        schema:
          type: string
        example: example-affected_product
      - name: sort
        in: query
        description: Field and direction to sort results by.
        schema:
          type: string
          enum:
          - -publishedDate
          - publishedDate
          - -cvssScore
          - cvssScore
          default: -publishedDate
        example: -publishedDate
      - name: limit
        in: query
        description: Maximum number of advisories to return per page.
        schema:
          type: integer
          default: 50
          maximum: 200
        example: 50
      - name: offset
        in: query
        description: Number of results to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      responses:
        '200':
          description: Security advisories returned.
          content:
            application/json:
              schema:
                type: object
                properties:
                  total:
                    type: integer
                    description: Total number of advisories matching the query.
                  offset:
                    type: integer
                    description: Current pagination offset.
                  limit:
                    type: integer
                    description: Number of results per page.
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Advisory'
              examples:
                ListAdvisories200Example:
                  summary: Default listAdvisories 200 response
                  x-microcks-default: true
                  value:
                    total: 156
                    offset: 0
                    limit: 50
                    data:
                    - advisory_id: '234493'
                      cve_id: CVE-2024-3400
                      title: Corporate Agent 18
                      description: Rule suspicious endpoint investigation firewall suspicious blocked configured.
                      severity: CRITICAL
                      cvss_score: 7.06
                      cvss_vector: example-cvss_vector
                      cwe: example-cwe
                      affected_products: &id001
                      - product: example-product
                        versions:
                        - version: 3.0.0
                          status: Unaffected
                      - product: example-product
                        versions:
                        - version: 5.7.5
                          status: Unaffected
                        - version: 7.8.2
                          status: Fixed
                      fixed_versions: &id002
                      - 1.5.8
                      - 8.6.4
                      workarounds: example-workarounds
                      exploit_status: None
                      published_date: '2025-03-02T01:26:35Z'
                      last_modified_date: '2025-08-23T12:10:49Z'
                      references: &id003
                      - url: https://vpn.test-corp.net/3c1d96
                        description: Traffic threat blocked activity incident monitoring violation Security Security.
        '400':
          description: Invalid query parameters.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                ListAdvisories400Example:
                  summary: Default listAdvisories 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                ListAdvisories500Example:
                  summary: Default listAdvisories 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /advisories/{advisory_id}:
    get:
      operationId: getAdvisory
      summary: Palo Alto Networks Get a Single Security Advisory
      description: >-
        Returns full details for a specific security advisory by its advisory
        ID. Includes the complete description, CVSS scoring, affected product
        versions, fixed versions, available workarounds, and references to
        external resources such as NVD entries.
      tags:
      - Advisories
      parameters:
      - name: advisory_id
        in: path
        required: true
        description: >-
          Palo Alto Networks advisory identifier (e.g., PAN-SA-2024-0001).
        schema:
          type: string
        example: '759733'
      responses:
        '200':
          description: Advisory details returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Advisory'
              examples:
                GetAdvisory200Example:
                  summary: Default getAdvisory 200 response
                  x-microcks-default: true
                  value:
                    advisory_id: '234493'
                    cve_id: CVE-2024-3400
                    title: Corporate Agent 18
                    description: Rule suspicious endpoint investigation firewall suspicious blocked configured.
                    severity: CRITICAL
                    cvss_score: 7.06
                    cvss_vector: example-cvss_vector
                    cwe: example-cwe
                    affected_products: *id001
                    fixed_versions: *id002
                    workarounds: example-workarounds
                    exploit_status: None
                    published_date: '2025-03-02T01:26:35Z'
                    last_modified_date: '2025-08-23T12:10:49Z'
                    references: *id003
        '400':
          description: Invalid advisory ID format.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetAdvisory400Example:
                  summary: Default getAdvisory 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
        '404':
          description: Advisory not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetAdvisory404Example:
                  summary: Default getAdvisory 404 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetAdvisory500Example:
                  summary: Default getAdvisory 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /advisories/cve/{cve_id}:
    get:
      operationId: getAdvisoryByCVE
      summary: Palo Alto Networks Get Advisories by CVE ID
      description: >-
        Returns all security advisories associated with a specific CVE
        identifier. A single CVE may be referenced in multiple advisories
        when the vulnerability affects several Palo Alto Networks products.
        Returns an array of matching advisory objects.
      tags:
      - Advisories
      parameters:
      - name: cve_id
        in: path
        required: true
        description: CVE identifier (e.g., CVE-2024-3400).
        schema:
          type: string
          pattern: '^CVE-\d{4}-\d{4,}$'
        example: CVE-2024-3400
      responses:
        '200':
          description: Advisories for the CVE returned.
          content:
            application/json:
              schema:
                type: object
                properties:
                  total:
                    type: integer
                    description: Number of advisories found for the CVE.
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Advisory'
              examples:
                GetAdvisoryByCve200Example:
                  summary: Default getAdvisoryByCVE 200 response
                  x-microcks-default: true
                  value:
                    total: 539
                    data:
                    - advisory_id: '234493'
                      cve_id: CVE-2024-3400
                      title: Corporate Agent 18
                      description: Rule suspicious endpoint investigation firewall suspicious blocked configured.
                      severity: CRITICAL
                      cvss_score: 7.06
                      cvss_vector: example-cvss_vector
                      cwe: example-cwe
                      affected_products: *id001
                      fixed_versions: *id002
                      workarounds: example-workarounds
                      exploit_status: None
                      published_date: '2025-03-02T01:26:35Z'
                      last_modified_date: '2025-08-23T12:10:49Z'
                      references: *id003
        '400':
          description: Invalid CVE ID format.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetAdvisoryByCve400Example:
                  summary: Default getAdvisoryByCVE 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
        '404':
          description: No advisories found for the specified CVE.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetAdvisoryByCve404Example:
                  summary: Default getAdvisoryByCVE 404 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetAdvisoryByCve500Example:
                  summary: Default getAdvisoryByCVE 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /products:
    get:
      operationId: listAffectedProducts
      summary: Palo Alto Networks List Affected Products
      description: >-
        Returns the list of Palo Alto Networks products that are referenced
        in at least one published security advisory. Use the product names
        returned by this endpoint as values for the affected_product filter
        on the /advisories endpoint.
      tags:
      - Products
      responses:
        '200':
          description: Product list returned.
          content:
            application/json:
              schema:
                type: object
                properties:
                  total:
                    type: integer
                    description: Total number of distinct products.
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Product'
              examples:
                ListAffectedProducts200Example:
                  summary: Default listAffectedProducts 200 response
                  x-microcks-default: true
                  value:
                    total: 720
                    data:
                    - name: Branch Sensor 28
                      advisory_count: 776
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                ListAffectedProducts500Example:
                  summary: Default listAffectedProducts 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Malware on activity detected policy configured investigation rule Security alert network alert.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  schemas:
    Advisory:
      type: object
      description: A PSIRT security advisory for a Palo Alto Networks product.
      properties:
        advisory_id:
          type: string
          description: Palo Alto Networks advisory identifier (e.g., PAN-SA-2024-0001).
          example: '234493'
        cve_id:
          type: string
          description: CVE identifier (e.g., CVE-2024-3400).
          example: CVE-2024-3400
        title:
          type: string
          description: Advisory title summarizing the vulnerability.
          example: Corporate Agent 18
        description:
          type: string
          description: >-
            Detailed description of the vulnerability including impact and
            attack vector.
          example: Rule suspicious endpoint investigation firewall suspicious blocked configured.
        severity:
          type: string
          enum:
          - NONE
          - LOW
          - MEDIUM
          - HIGH
          - CRITICAL
          description: Severity rating based on CVSS v3.1 base score.
          example: CRITICAL
        cvss_score:
          type: number
          description: CVSS v3.1 base score (0.0 to 10.0).
          minimum: 0.0
          maximum: 10.0
          example: 7.06
        cvss_vector:
          type: string
          description: >-
            CVSS v3.1 vector string
            (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
          example: example-cvss_vector
        cwe:
          type: string
          description: CWE identifier for the vulnerability class.
          example: example-cwe
        affected_products:
          type: array
          description: Products and version ranges affected by this vulnerability.
          items:
            $ref: '#/components/schemas/AffectedProduct'
          example: *id001
        fixed_versions:
          type: array
          items:
            type: string
          description: Product versions in which the vulnerability is fixed.
          example: *id002
        workarounds:
          type: string
          description: Available workarounds or mitigations if a fix is not yet deployed.
          example: example-workarounds
        exploit_status:
          type: string
          enum:
          - None
          - Proof-of-Concept
          - Active
          description: Known exploit activity status.
          example: None
        published_date:
          type: string
          format: date-time
          description: Date and time when the advisory was first published.
          example: '2025-03-02T01:26:35Z'
        last_modified_date:
          type: string
          format: date-time
          description: Date and time of the most recent advisory update.
          example: '2025-08-23T12:10:49Z'
        references:
          type: array
          items:
            type: object
            properties:
              url:
                type: string
                format: uri
                description: Reference URL.
                example: https://vpn.example.com/5d2cff
              description:
                type: string
                description: Description of the referenced resource.
                example: Alert applied malware detected violation endpoint alert malware detected.
          description: External references and related advisories.
          example: *id003
    AffectedProduct:
      type: object
      properties:
        product:
          type: string
          description: Product name (e.g., PAN-OS, Cortex XDR Agent).
          example: example-product
        versions:
          type: array
          items:
            type: object
            properties:
              version:
                type: string
                description: Affected version or version range.
                example: 10.8.8
              status:
                type: string
                enum:
                - Affected
                - Unaffected
                - Fixed
                description: Vulnerability status for this version.
                example: Affected
          example:
          - version: 1.3.1
            status: Unaffected
          - version: 4.2.5
            status: Fixed
    Product:
      type: object
      properties:
        name:
          type: string
          description: Product name as referenced in advisories.
          example: Branch Sensor 28
        advisory_count:
          type: integer
          description: Number of published advisories referencing this product.
          example: 776
    ErrorResponse:
      type: object
      properties:
        error:
          type: string
          description: Error code identifying the error type.
          example: example-error
        message:
          type: string
          description: Human-readable description of the error.
          example: Malware on activity detected policy configured investigation rule Security alert network alert.