Palo Alto Networks

Threat Vault API

A REST API for querying Palo Alto Networks threat signature metadata, content release notes, and threat intelligence data. The API provides access to antivirus signatures, anti-spyware signatures, vulnerability protection (IPS) signatures, and file type identification data. Supports queries by signature ID, CVE, threat name, and content release version. Replaces the deprecated AutoFocus API for threat intelligence lookups. Requires an Advanced Threat Prevention or Threat Prevention subscription.

Documentation GitHub OpenAPI

Documentation

https://pan.dev/threat-vault/api/

https://pan.dev/cdss/docs/getstarted/

https://pan.dev/cdss/docs/authentication/

https://pan.dev/cdss/docs/api-call/

Specifications

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-threat-vault-api-openapi-original.yml

Examples

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-api-stats-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-atp-report-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-atp-report-list-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-release-note-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-release-notes-list-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-threat-history-entry-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-threat-history-list-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-threat-list-example.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/threat-vault-api-threat-signature-example.json

Schemas & Data

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-api-stats-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-atp-report-list-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-atp-report-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-release-note-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-release-notes-list-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-threat-history-entry-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-threat-history-list-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-threat-list-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-threat-signature-schema.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-api-stats-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-atp-report-list-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-atp-report-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-release-note-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-release-notes-list-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-threat-history-entry-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-threat-history-list-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-threat-list-structure.json

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-threat-signature-structure.json

Other Resources

https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-ld/palo-alto-threat-vault-api-context.jsonld

OpenAPI Specification

openapi: 3.1.0
info:
  title: Palo Alto Networks Threat Vault API
  description: >-
    REST API for querying Palo Alto Networks threat intelligence including
    threat signature metadata, ATP (Advanced Threat Prevention) analysis
    reports, content release notes, and API usage statistics. The Threat
    Vault provides access to the full catalog of antivirus, anti-spyware,
    vulnerability protection, and DNS Security signatures used by PAN-OS
    firewalls. Enables security operations teams to look up specific threats
    by ID, CVE, SHA-256, or name and retrieve historical signature data for
    threat hunting and incident response. Authentication uses an API key
    passed in the X-API-KEY header.
  version: '1.0'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/threat-vault/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
- url: https://api.threatvault.paloaltonetworks.com/service/v1
  description: Threat Vault API production endpoint.
security:
- apiKey: []
tags:
- name: ATP
  description: Advanced Threat Prevention detailed analysis reports and PCAP files.
- name: ReleaseNotes
  description: Content release notes for PAN-OS content updates.
- name: Stats
  description: API usage statistics.
- name: Threats
  description: Threat signature lookup and metadata retrieval.
paths:
  /threats:
    get:
      operationId: getThreats
      summary: Palo Alto Networks Get Threat Signatures
      description: >-
        Retrieves threat signature metadata from the Threat Vault. Supports
        filtering by signature type, ID, SHA-256 hash, name, CVE identifier,
        and date range. Returns antivirus, anti-spyware, vulnerability
        protection, DNS security, and file type signature records.
      tags:
      - Threats
      parameters:
      - name: type
        in: query
        description: Signature type to filter results.
        schema:
          type: string
          enum:
          - antivirus
          - antispyware
          - vulnerability
          - dns
          - fileformat
        example: dns
      - name: id
        in: query
        description: Specific signature ID to retrieve.
        schema:
          type: integer
        example: 942
      - name: sha256
        in: query
        description: SHA-256 hash to look up associated threat signatures.
        schema:
          type: string
        example: fb3a5e00a1b4048bd5ae9bfe7fb263550abc9ecd5ae4876459215b04129e655d
      - name: name
        in: query
        description: Partial or exact signature name to search.
        schema:
          type: string
        example: Branch Gateway 77
      - name: cve
        in: query
        description: CVE identifier to find associated vulnerability signatures.
        schema:
          type: string
          example: CVE-2021-44228
        example: CVE-2021-44228
      - name: from
        in: query
        description: >-
          Start date for filtering signatures by release date
          (YYYY-MM-DD format).
        schema:
          type: string
          format: date
        example: '2026-05-06'
      - name: to
        in: query
        description: >-
          End date for filtering signatures by release date
          (YYYY-MM-DD format).
        schema:
          type: string
          format: date
        example: '2025-05-01'
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of signatures to return.
        schema:
          type: integer
          default: 10
          maximum: 100
        example: 10
      responses:
        '200':
          description: Threat signatures returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ThreatList'
              examples:
                GetThreats200Example:
                  summary: Default getThreats 200 response
                  x-microcks-default: true
                  value:
                    success: true
                    data: &id003
                      zingbox:
                      - id: 675
                        name: Primary Sensor 96
                        type: fileformat
                        subtype: custom
                        severity: informational
                        description: Suspicious detected Security policy applied network network applied firewall.
                        cve: &id001
                        - example-cve_item
                        - example-cve_item
                        default_action: reset-client
                        min_version: 10.0.1
                        max_version: 5.1.5
                        status: released
                        ori_release_version: 3.0.5
                        latest_release_version: 5.7.0
                        first_release_time: '2025-11-23T03:19:43Z'
                        latest_release_time: '2024-07-12T01:32:30Z'
                        sha256: &id002
                        - example-sha256_item
                        - example-sha256_item
                    count: 508
                    total: 403
                    offset: 515
                    limit: 625
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /threats/history:
    get:
      operationId: getThreatHistory
      summary: Palo Alto Networks Get Signature History
      description: >-
        Retrieves the version history of a specific threat signature including
        all previous releases, modifications, and associated content versions.
        Useful for tracking signature changes over time.
      tags:
      - Threats
      parameters:
      - name: id
        in: query
        required: true
        description: Signature ID to retrieve version history for.
        schema:
          type: integer
        example: 514
      - name: type
        in: query
        required: true
        description: Signature type.
        schema:
          type: string
          enum:
          - antivirus
          - antispyware
          - vulnerability
          - dns
          - fileformat
        example: dns
      - name: offset
        in: query
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        schema:
          type: integer
          default: 10
          maximum: 100
        example: 10
      responses:
        '200':
          description: Signature history returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ThreatHistoryList'
              examples:
                GetThreatHistory200Example:
                  summary: Default getThreatHistory 200 response
                  x-microcks-default: true
                  value:
                    success: false
                    data: &id004
                    - id: 915
                      name: Branch Agent 35
                      version: 4.1.4
                      release_time: '2026-12-25T01:36:47Z'
                      action: deprecated
                    - id: 915
                      name: Branch Agent 35
                      version: 4.1.4
                      release_time: '2026-12-25T01:36:47Z'
                      action: deprecated
                    total: 799
                    offset: 559
                    limit: 217
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /atp/reports:
    get:
      operationId: getAtpReports
      summary: Palo Alto Networks Get ATP Detailed Reports
      description: >-
        Retrieves Advanced Threat Prevention (ATP) detailed analysis reports
        for threats detected by inline cloud analysis. Reports include
        behavioral analysis data, indicators of compromise, and threat context.
      tags:
      - ATP
      parameters:
      - name: sha256
        in: query
        description: SHA-256 hash to retrieve the ATP report for.
        schema:
          type: string
        example: 27b1ace2ba8ec988728e1f6429d2bb4c3316c556210d409aedd8f059615c6121
      - name: id
        in: query
        description: ATP report ID.
        schema:
          type: string
        example: example-id
      - name: offset
        in: query
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        schema:
          type: integer
          default: 10
          maximum: 100
        example: 10
      responses:
        '200':
          description: ATP reports returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AtpReportList'
              examples:
                GetAtpReports200Example:
                  summary: Default getAtpReports 200 response
                  x-microcks-default: true
                  value:
                    success: true
                    data: &id006
                    - id: example-id
                      sha256: 1a0cc0aab37304dfb1801ee9999fdc70e10dcffd0bff8e3cc12d14e696abe57a
                      status: pending
                      verdict: grayware
                      create_time: '2024-11-24T09:15:12Z'
                      report: &id005
                        file_type: advanced
                        size: 452
                        behaviors:
                        - name: Staging Sensor 59
                          description: Rule rule policy rule policy endpoint endpoint on.
                          severity: low
                        - name: Production Sensor 84
                          description: Policy suspicious configured network firewall violation endpoint threat traffic blocked.
                          severity: low
                        network:
                          dns_queries:
                          - example-dns_queries_item
                          http_requests:
                          - example-http_requests_item
                          connections:
                          - dst_ip: 51.157.178.113
                            dst_port: 664
                            protocol: HTTPS
                          - dst_ip: 122.11.127.230
                            dst_port: 171
                            protocol: HTTPS
                    total: 264
                    offset: 161
                    limit: 795
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /atp/reports/pcaps:
    get:
      operationId: getAtpReportPcaps
      summary: Palo Alto Networks Get ATP PCAP Files
      description: >-
        Downloads network packet capture (PCAP) files associated with Advanced
        Threat Prevention reports. PCAPs contain the network traffic recorded
        during threat analysis and are useful for incident investigation.
      tags:
      - ATP
      parameters:
      - name: sha256
        in: query
        required: true
        description: SHA-256 hash of the threat sample.
        schema:
          type: string
        example: 79965ebec5847a5aca98f3bbe037fb10e0e808b83dd8637c5bda3f2514623f33
      - name: id
        in: query
        description: ATP report ID.
        schema:
          type: string
        example: example-id
      responses:
        '200':
          description: PCAP file returned successfully.
          content:
            application/octet-stream:
              schema:
                type: string
                format: binary
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /release-notes:
    get:
      operationId: getReleaseNotes
      summary: Palo Alto Networks Get Content Release Notes
      description: >-
        Retrieves content release notes for PAN-OS content updates including
        Applications and Threats, Antivirus, and WildFire content packages.
        Release notes describe new signatures, modified signatures, and
        deprecated signatures included in each content version.
      tags:
      - ReleaseNotes
      parameters:
      - name: type
        in: query
        required: true
        description: Content release type.
        schema:
          type: string
          enum:
          - content
          - antivirus
          - wildfire
        example: antivirus
      - name: version
        in: query
        description: Specific content version to retrieve notes for (e.g., 8000-7000).
        schema:
          type: string
        example: 1.5.2
      - name: offset
        in: query
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        schema:
          type: integer
          default: 10
          maximum: 100
        example: 10
      responses:
        '200':
          description: Release notes returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ReleaseNotesList'
              examples:
                GetReleaseNotes200Example:
                  summary: Default getReleaseNotes 200 response
                  x-microcks-default: true
                  value:
                    success: true
                    data: &id007
                    - version: 10.5.6
                      type: wildfire
                      release_date: '2024-11-03'
                      new_signatures: 835
                      modified_signatures: 48
                      deprecated_signatures: 698
                      notes: Traffic threat Security applied network alert violation.
                    total: 124
                    offset: 201
                    limit: 455
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /stats:
    get:
      operationId: getStats
      summary: Palo Alto Networks Get API Usage Statistics
      description: >-
        Returns API usage statistics for the authenticated API key, including
        the number of requests made, quota limits, and usage breakdown by
        endpoint. Use this endpoint to monitor consumption against subscription
        limits.
      tags:
      - Stats
      responses:
        '200':
          description: API usage statistics returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiStats'
              examples:
                GetStats200Example:
                  summary: Default getStats 200 response
                  x-microcks-default: true
                  value:
                    success: true
                    data: &id008
                      api_key: c0132cd88805a182d0438741905d074c
                      quota: 721
                      remaining: 197
                      used: 718
                      reset_time: '2025-11-13T16:19:53Z'
                      endpoint_usage: {}
        '401':
          $ref: '#/components/responses/Unauthorized'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  securitySchemes:
    apiKey:
      type: apiKey
      in: header
      name: X-API-KEY
      description: >-
        Threat Vault API key. Generate your API key from the Palo Alto
        Networks customer support portal or the Developer Portal at
        pan.dev. The API key controls access level and daily quota limits.
  responses:
    BadRequest:
      description: Malformed request or invalid query parameters.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: Missing or invalid API key.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: Insufficient API key permissions or quota exceeded.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: The requested resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: An internal server error occurred.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  schemas:
    ThreatSignature:
      type: object
      description: Threat signature metadata record.
      properties:
        id:
          type: integer
          description: Unique signature identifier.
          example: 675
        name:
          type: string
          description: Signature name.
          example: Primary Sensor 96
        type:
          type: string
          enum:
          - antivirus
          - antispyware
          - vulnerability
          - dns
          - fileformat
          description: Signature type category.
          example: fileformat
        subtype:
          type: string
          description: Signature subtype (e.g., virus, trojan, exploit).
          example: custom
        severity:
          type: string
          enum:
          - critical
          - high
          - medium
          - low
          - informational
          example: informational
        description:
          type: string
          description: Human-readable description of the threat.
          example: Suspicious detected Security policy applied network network applied firewall.
        cve:
          type: array
          items:
            type: string
          description: Associated CVE identifiers.
          example: *id001
        default_action:
          type: string
          enum:
          - alert
          - allow
          - drop
          - reset-both
          - reset-client
          - reset-server
          - block-ip
          - sinkhole
          description: Default action applied to traffic matching this signature.
          example: reset-client
        min_version:
          type: string
          description: Minimum PAN-OS version supporting this signature.
          example: 10.0.1
        max_version:
          type: string
          description: Maximum PAN-OS version supporting this signature (empty if still active).
          example: 5.1.5
        status:
          type: string
          enum:
          - released
          - deprecated
          - disabled
          example: released
        ori_release_version:
          type: string
          description: Content version in which this signature was first released.
          example: 3.0.5
        latest_release_version:
          type: string
          description: Most recent content version that updated this signature.
          example: 5.7.0
        first_release_time:
          type: string
          format: date-time
          description: Timestamp when the signature was first released.
          example: '2025-11-23T03:19:43Z'
        latest_release_time:
          type: string
          format: date-time
          description: Timestamp of the most recent signature update.
          example: '2024-07-12T01:32:30Z'
        sha256:
          type: array
          items:
            type: string
          description: SHA-256 hashes associated with this signature (antivirus).
          example: *id002
    ThreatList:
      type: object
      properties:
        success:
          type: boolean
          example: true
        data:
          type: object
          properties:
            zingbox:
              type: array
              items:
                $ref: '#/components/schemas/ThreatSignature'
              example:
              - id: 675
                name: Primary Sensor 96
                type: fileformat
                subtype: custom
                severity: informational
                description: Suspicious detected Security policy applied network network applied firewall.
                cve: *id001
                default_action: reset-client
                min_version: 10.0.1
                max_version: 5.1.5
                status: released
                ori_release_version: 3.0.5
                latest_release_version: 5.7.0
                first_release_time: '2025-11-23T03:19:43Z'
                latest_release_time: '2024-07-12T01:32:30Z'
                sha256: *id002
              - id: 675
                name: Primary Sensor 96
                type: fileformat
                subtype: custom
                severity: informational
                description: Suspicious detected Security policy applied network network applied firewall.
                cve: *id001
                default_action: reset-client
                min_version: 10.0.1
                max_version: 5.1.5
                status: released
                ori_release_version: 3.0.5
                latest_release_version: 5.7.0
                first_release_time: '2025-11-23T03:19:43Z'
                latest_release_time: '2024-07-12T01:32:30Z'
                sha256: *id002
          example: *id003
        count:
          type: integer
          description: Total number of matching signatures.
          example: 508
        total:
          type: integer
          example: 403
        offset:
          type: integer
          example: 515
        limit:
          type: integer
          example: 625
    ThreatHistoryEntry:
      type: object
      description: A historical record of a signature version.
      properties:
        id:
          type: integer
          example: 915
        name:
          type: string
          example: Branch Agent 35
        version:
          type: string
          description: Content version number for this history entry.
          example: 4.1.4
        release_time:
          type: string
          format: date-time
          example: '2026-12-25T01:36:47Z'
        action:
          type: string
          enum:
          - added
          - modified
          - deprecated
          example: deprecated
    ThreatHistoryList:
      type: object
      properties:
        success:
          type: boolean
          example: false
        data:
          type: array
          items:
            $ref: '#/components/schemas/ThreatHistoryEntry'
          example: *id004
        total:
          type: integer
          example: 799
        offset:
          type: integer
          example: 559
        limit:
          type: integer
          example: 217
    AtpReport:
      type: object
      description: Advanced Threat Prevention inline analysis report.
      properties:
        id:
          type: string
          description: Unique report identifier.
          example: example-id
        sha256:
          type: string
          description: SHA-256 hash of the analyzed sample.
          example: 1a0cc0aab37304dfb1801ee9999fdc70e10dcffd0bff8e3cc12d14e696abe57a
        status:
          type: string
          enum:
          - pending
          - complete
          - error
          example: pending
        verdict:
          type: string
          enum:
          - benign
          - malware
          - grayware
          - phishing
          - unknown
          example: grayware
        create_time:
          type: string
          format: date-time
          example: '2024-11-24T09:15:12Z'
        report:
          type: object
          description: Detailed behavioral analysis data.
          properties:
            file_type:
              type: string
              example: custom
            size:
              type: integer
              example: 219
            behaviors:
              type: array
              items:
                type: object
                properties:
                  name:
                    type: string
                    example: Production Sensor 79
                  description:
                    type: string
                    example: Network threat traffic configured policy policy on activity.
                  severity:
                    type: string
                    example: high
              example:
              - name: Staging Sensor 16
                description: Rule firewall network alert rule suspicious network investigation detected network violation.
                severity: low
              - name: Production Agent 81
                description: Applied violation violation traffic detected detected on threat.
                severity: critical
            network:
              type: object
              properties:
                dns_queries:
                  type: array
                  items:
                    type: string
                  example:
                  - example-dns_queries_item
                  - example-dns_queries_item
                http_requests:
                  type: array
                  items:
                    type: string
                  example:
                  - example-http_requests_item
                  - example-http_requests_item
                connections:
                  type: array
                  items:
                    type: object
                    properties:
                      dst_ip:
                        type: string
                        example: 122.232.51.18
                      dst_port:
                        type: integer
                        example: 580
                      protocol:
                        type: string
                        example: TCP
                  example:
                  - dst_ip: 71.44.154.98
                    dst_port: 777
                    protocol: UDP
                  - dst_ip: 207.65.92.163
                    dst_port: 708
                    protocol: HTTPS
              example:
                dns_queries:
                - example-dns_queries_item
                - example-dns_queries_item
                http_requests:
                - example-http_requests_item
                - example-http_requests_item
                connections:
                - dst_ip: 172.115.44.22
                  dst_port: 78
                  protocol: UDP
          example: *id005
    AtpReportList:
      type: object
      properties:
        success:
          type: boolean
          example: true
        data:
          type: array
          items:
            $ref: '#/components/schemas/AtpReport'
          example: *id006
        total:
          type: integer
          example: 264
        offset:
          type: integer
          example: 161
        limit:
          type: integer
          example: 795
    ReleaseNote:
      type: object
      description: Content release notes for a specific PAN-OS content version.
      properties:
        version:
          type: string
          description: Content version identifier (e.g., 8000-7000).
          example: 10.5.6
        type:
          type: string
          enum:
          - content
          - antivirus
          - wildfire
          example: wildfire
        release_date:
          type: string
          format: date
          example: '2024-11-03'
        new_signatures:
          type: integer
          description: Number of new signatures in this release.
          example: 835
        modified_signatures:
          type: integer
          description: Number of modified signatures in this release.
          example: 48
        deprecated_signatures:
          type: integer
          description: Number of deprecated signatures in this release.
          example: 698
        notes:
          type: string
          description: Release notes text.
          example: Traffic threat Security applied network alert violation.
    ReleaseNotesList:
      type: object
      properties:
        success:
          type: boolean
          example: true
        data:
          type: array
          items:
            $ref: '#/components/schemas/ReleaseNote'
          example: *id007
        total:
          type: integer
          example: 124
        offset:
          type: integer
          example: 201
        limit:
          type: integer
          example: 455
    ApiStats:
      type: object
      description: API usage statistics for the authenticated API key.
      properties:
        success:
          type: boolean
          example: true
        data:
          type: object
          properties:
            api_key:
              type: string
              description: Redacted API key identifier.
              example: 7f0aeb83312442613acf974dba5e853c
            quota:
              type: integer
              description: Daily request quota.
              example: 719
            remaining:
              type: integer
              description: Remaining requests in the current day.
              example: 93
            used:
              type: integer
              description: Number of requests used today.
              example: 810
            reset_time:
              type: string
              format: date-time
              description: Timestamp when the quota resets.
              example: '2026-08-06T23:19:12Z'
            endpoint_usage:
              type: object
              description: Request counts broken down by endpoint.
              additionalProperties:
                type: integer
              example: {}
          example: *id008
    ErrorResponse:
      type: object
      properties:
        success:
          type: boolean
          example: false
        message:
          type: string
          description: Human-readable error message.
          example: Threat applied violation endpoint activity violation activity incident applied.
        error_code:
          type: string
          description: Machine-readable error code.
          example: example-error_code