diff --git a/openapi-specs/dlp/DLPAPI(Beta).yaml b/openapi-specs/dlp/DLPAPI(Beta).yaml
index e308e21c6..f7df21f46 100644
--- a/openapi-specs/dlp/DLPAPI(Beta).yaml
+++ b/openapi-specs/dlp/DLPAPI(Beta).yaml
@@ -75,43 +75,32 @@ components:
description: Human-readable name of the data profile.
type: string
version:
- description: Version number of the data profile configuration.
type: string
type: object
DeviceInfo:
properties:
id:
- description: Unique identifier for the device.
type: string
ip:
- description: IP address of the device.
type: string
loggedin_users:
- description: List of users currently logged into the device.
items:
type: string
type: array
name:
- description: Human-readable name or hostname of the device.
type: string
serial_number:
- description: Manufacturer serial number of the device.
type: string
type: object
EndpointOsInfo:
properties:
dlp_client_version:
- description: Version of the DLP client software installed on the endpoint.
type: string
gp_version:
- description: Version of the GlobalProtect client installed on the endpoint.
type: string
os_type:
- description: Operating system type running on the endpoint (Windows, macOS,
- Linux).
type: string
os_version:
- description: Specific version of the operating system running on the endpoint.
type: string
type: object
ErrorInfo:
@@ -132,203 +121,142 @@ components:
ExposureDetails:
properties:
cloud_url:
- description: URL where the file is stored in the cloud service.
type: string
is_exposed_by_parent_folder:
- description: Indicates whether the file is exposed due to parent folder
- sharing permissions.
type: boolean
is_public_url:
- description: Indicates whether the file is accessible via a public URL.
type: boolean
is_shared_url:
- description: Indicates whether the file is accessible via a shared URL.
type: boolean
is_sign_in_required:
- description: Indicates whether sign-in authentication is required to access
- the file.
type: boolean
public_url:
- description: Public URL that can be used to access the file without authentication.
type: string
type: object
IncidentDetailEntity:
properties:
action:
- description: Action taken by the DLP system when the incident was detected.
type: string
app_id:
- description: Palo Alto Networks assigned application identifier.
type: string
app_instance_id:
- description: Specific instance identifier of the application.
type: string
app_name:
- description: Name of the application involved in the incident.
type: string
app_tags:
- description: Tags associated with the application involved in the incident.
items:
type: string
type: array
app_type:
- description: Type or category of the application involved in the incident.
type: string
asset_hash:
- description: Cryptographic hash of the file involved in the incident.
type: string
asset_id:
- description: Unique identifier of the asset involved in the incident.
type: string
asset_name:
- description: Name of the file or asset involved in the incident.
type: string
asset_risk:
- description: Risk score calculated for the asset involved in the incident.
format: double
type: number
asset_size:
- description: Size of the file or asset involved in the incident.
type: string
assigned_to:
- description: Identifier of the person assigned to handle the incident.
type: string
assignee_email:
- description: Email address of the person assigned to handle the incident.
type: string
assignee_name:
- description: Display name of the person assigned to handle the incident.
type: string
category:
- description: Category classification of the incident.
type: string
control_point:
- description: The Palo Alto Networks control point that detected the incident.
type: string
created_date:
- description: Timestamp when the incident was first created.
format: int64
type: integer
data_patterns:
- description: List of data patterns that were detected in the incident.
items:
$ref: '#/components/schemas/DataPattern'
type: array
data_profiles:
- description: List of data profiles that were triggered by the incident.
items:
$ref: '#/components/schemas/DataProfile'
type: array
destination:
- description: Destination endpoint or location of the data transfer.
type: string
device_info:
- description: Information about devices involved in the incident.
items:
$ref: '#/components/schemas/DeviceInfo'
type: array
direction:
- description: Direction of data flow that triggered the incident (inbound,
- outbound, internal).
type: string
endpoint_os_info:
$ref: '#/components/schemas/EndpointOsInfo'
- description: Operating system information for the endpoint involved in the
- incident.
exposure:
- description: Level or type of data exposure detected in the incident.
type: string
exposure_details:
$ref: '#/components/schemas/ExposureDetails'
- description: Detailed information about how the data was exposed.
id:
- description: Unique identifier for the incident.
type: string
modified_date:
- description: Timestamp when the incident was last modified.
format: int64
type: integer
notes:
- description: Administrative notes and comments about the incident.
type: string
peripheral_info:
$ref: '#/components/schemas/PeripheralInfo'
- description: Information about peripheral devices involved in the incident.
policy:
$ref: '#/components/schemas/Policy'
- description: DLP policy information that was violated to trigger the incident.
priority:
- description: Priority level assigned for incident handling.
format: int32
type: integer
reason_for_action:
- description: Explanation of why the DLP system took the specified action.
type: string
report_date:
- description: Timestamp when the incident report was generated.
format: int64
type: integer
report_id:
- description: The Palo Alto Networks automatically assigned report identifier.
type: string
resolved_by:
- description: Name or identifier of the person who resolved the incident.
type: string
severity:
- description: Severity level of the incident based on data sensitivity.
type: string
source:
- description: The Palo Alto Networks source that identified the incident.
type: string
status:
- description: Current status of the incident.
type: string
tag:
- description: User-defined tags for categorizing the incident.
type: string
tsg_id:
- description: Tenant Services Gateway identifier for multi-tenant environments.
type: string
url:
- description: URL involved in the incident if applicable.
type: string
user_department:
- description: Department or organizational unit of the user.
type: string
user_email:
- description: Email address of the user associated with the incident.
type: string
user_id:
- description: Unique identifier of the user associated with the incident.
type: string
user_location:
- description: Geographic or organizational location of the user.
type: string
user_manager:
- description: Manager or supervisor of the user associated with the incident.
type: string
user_name:
- description: Display name of the user associated with the incident.
type: string
type: object
IncidentDetailResponse:
properties:
query_token:
- description: Token identifier for tracking the query execution.
type: string
rows:
- description: Array of detailed incident entities matching the request criteria.
items:
$ref: '#/components/schemas/IncidentDetailEntity'
type: array
status:
- description: Processing status of the incident detail request.
enum:
- READY
- PENDING
type: string
status_description:
- description: Detailed description of the current processing status.
type: string
type: object
IncidentInventoryEntity:
@@ -418,41 +346,74 @@ components:
IncidentInventoryRequest:
properties:
columns:
- description: Array of column names to include in the incident inventory
+ description: Optional array of column names to include in the incident inventory
response.
items:
type: string
+ readOnly: true
type: array
end_time:
- description: Timestamp in milliseconds(ms)
+ description: Required when time_range is CUSTOM. End time as Unix timestamp
+ in milliseconds (ms).
format: int64
+ readOnly: true
type: integer
+ x-example: false
filter:
- description: Filter criteria to narrow down incident search results.
+ description: "Filter expression string for querying incident data.\n\n
Operators\
+ \ supported: =, in, and AND\n\n
Pattern: {FilterName} = {value} or\
+ \ {FilterName} in ({value1}, {value2}, ...)\n\n
Supported FilterName\
+ \ values:\n- Action: Filter by action taken (e.g., 'block', 'allow')\n\
+ - ApplicationName: Filter by application name\n- Asset: Filter by asset\
+ \ name\n- AssigneeId: Filter by assignee user ID\n- AssigneeName: Filter\
+ \ by assignee display name\n- Channel: Filter by channel (e.g., 'PRISMA_ACCESS',\
+ \ 'NGFW')\n- DataPattern: Filter by detection types/data patterns (e.g.,\
+ \ 'SSN', 'Credit Card')\n- DataProfile: Filter by data profile ID\n- Destination:\
+ \ Filter by destination\n- IncidentId: Filter by specific incident ID\n\
+ - Priority: Filter by priority level (numeric values 1-5)\n- ReportId:\
+ \ Filter by report ID\n- Severity: Filter by severity level\n -\
+ \ 5 = Critical\n - 4 = High\n - 3 = Medium\n - 2\
+ \ = Low\n - 1 = Informational\n- Source: Filter by source\n- Region:\
+ \ Filter by region (e.g., 'US', 'EU', 'UK', 'SG', 'IN', 'AU', 'CA', 'JP')\n\
+ - Status: Filter by incident status (e.g., 'New', 'open', 'under_investigation',\
+ \ 'closed')\n- UrlDomain: Filter by URL domain\n- Tag: Filter by incident\
+ \ tags\n\nExamples:\n- \"Tag = 'Needs Escalation'\"\n- \"Status in ('New','open','under_investigation')\"\
+ \n- \"UrlDomain = 'dlptest.com'\"\n- \"Channel = 'PRISMA_ACCESS' AND DataProfile\
+ \ in ('11995030','11995033')\"\n"
example: Tag = 'Needs Escalation'
minLength: 1
type: string
max_rows:
+ description: Maximum number of rows to return in the incident inventory
+ response (optional, e.g., 1000).
+ example: 10000
format: int32
+ readOnly: true
type: integer
page_size:
- description: Number of incidents to return per page for pagination.
+ description: Number of incidents to return per page for pagination purposes.
format: int32
+ readOnly: true
type: integer
sort_by:
- description: Field name to sort the incident inventory results by.
+ description: Optional field name to sort the incident inventory results
+ by.
+ readOnly: true
type: string
sort_order:
- description: Sort order for the incident inventory results (ascending or
- descending).
+ description: Optional sort order for the results (asc for ascending, desc
+ for descending).
+ readOnly: true
type: string
start_time:
- description: Timestamp in milliseconds(ms)
+ description: Required when time_range is CUSTOM. Start time as Unix timestamp
+ in milliseconds (ms).
format: int64
type: integer
+ writeOnly: true
+ x-example: false
time_range:
- description: Time range for incident data retrieval with predefined options
- (1 hour, 3 hours, 24 hours, 7 days, 30 days, 90 days).
+ description: Predefined time range for incident data retrieval.
enum:
- HOUR_1
- HOUR_3
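Review bot: `readOnly: true` is the wrong marker for the request-body properties of IncidentInventoryRequest — the OpenAPI spec says a readOnly property SHOULD NOT be sent in a request, so validating gateways and generated clients may strip or reject `columns`, `end_time`, `max_rows`, `page_size`, `sort_by` and `sort_order`, while `start_time` in the same schema gets `writeOnly: true` and the sibling ResultsDownloadRequest uses `writeOnly: true` throughout. Replace each `readOnly: true` in this schema with `writeOnly: true` (or drop the marker entirely). `x-example: false` on the two int64 timestamp fields is not a meaningful example for an integer and should be dropped or replaced with a millisecond value such as `example: 1717200000000`. The new descriptions say `start_time`/`end_time` are required when `time_range` is CUSTOM, but nothing in the schema enforces that and `time_range` is not listed as required here — the schema continues past the hunk, so confirm whether a `required` list exists; if not, add `required: [time_range]` as this commit does for ResultsDownloadRequest and state in the description that the server rejects CUSTOM without both bounds.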
@@ -549,99 +510,95 @@ components:
PeripheralInfo:
properties:
group_id:
- description: Identifier of the peripheral device group.
type: string
group_name:
- description: Name of the peripheral device group.
type: string
id:
- description: Unique identifier of the peripheral device.
type: string
is_known:
- description: Indicates whether the peripheral device is recognized by the
- system.
type: boolean
manufacturer_name:
- description: Name of the peripheral device manufacturer.
type: string
name:
- description: Display name of the peripheral device.
type: string
product_id:
- description: Product identifier assigned by the manufacturer.
type: string
product_name:
- description: Product name assigned by the manufacturer.
type: string
serial_number:
- description: Serial number of the peripheral device.
type: string
type:
- description: Type or category of the peripheral device.
type: string
vendor_id:
- description: Vendor identifier for the peripheral device.
type: string
type: object
Policy:
properties:
policy_id:
- description: Unique identifier of the DLP policy.
type: string
policy_type:
- description: Type or category of the DLP policy.
type: string
policy_version:
- description: Version number of the DLP policy configuration.
type: string
type: object
ResultsDownloadRequest:
properties:
columns:
- description: Columns to include in the downloaded results file.
+ description: Optional columns to include in the downloaded results file.
items:
type: string
type: array
+ writeOnly: true
end_time:
- description: Timestamp in milliseconds(ms)
+ description: Required when time_range is CUSTOM. End time as Unix timestamp
+ in milliseconds(ms).
format: int64
type: integer
+ writeOnly: true
filter:
- description: "Filter expression string\n
Operators supported: =, in and\
- \ AND\n
Pattern: {FilterName} = {value} or {FilterName} in ({value1},\
- \ {value2}, ...)\n
Supported FilterName values:\n- Action: Filter by\
- \ action taken (e.g., 'block', 'allow')\n- ApplicationName: Filter by\
- \ application name\n- Asset: Filter by asset name\n- AssigneeId: Filter\
- \ by assignee user ID\n- AssigneeName: Filter by assignee display name\n\
- - Channel: Filter by channel (e.g., 'PRISMA_ACCESS', 'NGFW')\n- DataPattern:\
- \ Filter by detection types/data patterns (e.g., 'SSN', 'Credit Card')\n\
- - DataProfile: Filter by data profile ID\n- Destination: Filter by destination\n\
- - IncidentId: Filter by specific incident ID\n- Priority: Filter by priority\
- \ level (numeric values 1-5)\n- ReportId: Filter by report ID\n- Severity:\
- \ Filter by severity level\n - 5 = Critical\n - 4 = High\n\
- \ - 3 = Medium\n - 2 = Low\n - 1 = Informational\n\
- - Source: Filter by source\n- Region: Filter by region (e.g., 'US', 'EU',\
- \ 'UK', 'SG', 'IN', 'AU', 'CA', 'JP')\n- Status: Filter by incident status\
- \ (e.g., 'New', 'open', 'under_investigation', 'closed')\n- UrlDomain:\
- \ Filter by URL domain\n- Tag: Filter by incident tags\n\nExamples:\n\
- - \"Tag = 'Needs Escalation'\"\n- \"Status in ('New','open','under_investigation')\"\
+ description: "Filter expression string for selecting specific incident data.\n\
+
Operators supported: =, in and AND\n
Pattern: {FilterName} = {value}\
+ \ or {FilterName} in ({value1}, {value2}, ...)\n
Supported FilterName\
+ \ values:\n- Action: Filter by action taken (e.g., 'block', 'allow')\n\
+ - ApplicationName: Filter by application name\n- Asset: Filter by asset\
+ \ name\n- AssigneeId: Filter by assignee user ID\n- AssigneeName: Filter\
+ \ by assignee display name\n- Channel: Filter by channel (e.g., 'PRISMA_ACCESS',\
+ \ 'NGFW')\n- DataPattern: Filter by detection types/data patterns (e.g.,\
+ \ 'SSN', 'Credit Card')\n- DataProfile: Filter by data profile ID\n- Destination:\
+ \ Filter by destination\n- IncidentId: Filter by specific incident ID\n\
+ - Priority: Filter by priority level (numeric values 1-5)\n- ReportId:\
+ \ Filter by report ID\n- Severity: Filter by severity level\n -\
+ \ 5 = Critical\n - 4 = High\n - 3 = Medium\n - 2\
+ \ = Low\n - 1 = Informational\n- Source: Filter by source\n- Region:\
+ \ Filter by region (e.g., 'US', 'EU', 'UK', 'SG', 'IN', 'AU', 'CA', 'JP')\n\
+ - Status: Filter by incident status (e.g., 'New', 'open', 'under_investigation',\
+ \ 'closed')\n- UrlDomain: Filter by URL domain\n- Tag: Filter by incident\
+ \ tags\n\nExamples:\n- \"Tag = 'Needs Escalation'\"\n- \"Status in ('New','open','under_investigation')\"\
\n- \"UrlDomain = 'dlptest.com'\"\n- \"Channel = 'PRISMA_ACCESS' AND DataProfile\
\ in ('11995030','11995033')\"\n"
example: Tag = 'Needs Escalation'
type: string
max_rows:
+ description: Maximum number of rows to return in the download file (optional,
+ e.g., 1000).
+ example: 10000
format: int32
type: integer
+ writeOnly: true
sort_by:
- description: Field name for sorting the downloaded results.
+ description: Optional field name for sorting the downloaded results.
type: string
+ writeOnly: true
sort_order:
- description: Sort order for downloaded results (ascending or descending).
+ description: Optional sort order for downloaded results (asc/desc).
type: string
+ writeOnly: true
start_time:
- description: Timestamp in milliseconds(ms)
+ description: Required when time_range is CUSTOM. Start time as Unix timestamp
+ in milliseconds(ms).
format: int64
type: integer
+ writeOnly: true
time_range:
description: Time range for data inclusion in the download.
enum:
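Review bot: `max_rows` on ResultsDownloadRequest is unbounded and its description says "e.g., 1000" while `example: 10000` — the two numbers should agree, and a row count on a bulk-download endpoint is worth pinning with `minimum: 1` and a `maximum` equal to the server-side cap (the cap is not visible here; take it from the service rather than inventing one). `filter` on this schema also lacks the `minLength: 1` that the same property carries on IncidentInventoryRequest in this same commit; adding `minLength: 1` rejects an empty filter at the schema layer instead of leaving it to the query engine. The filter description is duplicated verbatim between the two request schemas; if the dialect is shared, a single `$ref`'d schema (e.g. `IncidentFilterExpression`) would keep the two from drifting the way `minLength` already has.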
@@ -656,6 +613,8 @@ components:
token:
description: Authentication or session token for the download request.
type: string
+ required:
+ - time_range
type: object
ResultsDownloadResponse:
properties:
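Review bot: `token` is described as an authentication or session token yet is the only request property in ResultsDownloadRequest that this change leaves without `writeOnly: true`, and it has no `format: password`; without those markers doc generators and SDK logging helpers treat it as an ordinary string and may render or echo it. Suggest `writeOnly: true` and `format: password` on `token`. The new `required` list names only `time_range`; if the token is mandatory for the download it belongs there too, and if it is a bearer credential the description should say whether the Authorization header is accepted instead of a body field — the endpoint definition is outside this hunk, so I cannot confirm which is intended.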
diff --git a/openapi-specs/dlp/DLPAPI.yaml b/openapi-specs/dlp/DLPAPI.yaml
index 9de88519b..00f999151 100644
--- a/openapi-specs/dlp/DLPAPI.yaml
+++ b/openapi-specs/dlp/DLPAPI.yaml
@@ -194,34 +194,34 @@ components:
- prisma-access
type: string
data_profile_id:
- description: The UUID profile descriptor used to characterize the incident.
+ description: The data profile descriptor used to characterize the incident.
format: int64
type: integer
data_profile_name:
description: The data profile descriptor used to characterize the incident.
type: string
file_name:
- description: The analyzed file name.
+ description: The name of the file analyzed.
type: string
file_sha:
- description: The analyzed file SHA hash.
+ description: The SHA hash of the file analyzed.
type: string
file_type:
- description: The analyzed file type.
+ description: The type of file analyzed.
type: string
incident_creation_time:
description: The time the incident first occurred.
example: yyyy-MMM-dd HH:mm:ss z
type: string
incident_feedback_status:
- description: Current status of the feedback assosicated with the incident.
+ description: Feedback status for the incident
type: string
incident_id:
description: The Palo Alto Networks automatically assigned incident ID.
format: uuid
type: string
incident_notes:
- description: User defined notes for the incident.
+ description: notes for the incident.
type: string
match_info:
$ref: '#/components/schemas/MatchInfo'
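Review bot: The new `data_profile_id` description is word-for-word the same as `data_profile_name`'s, so generated docs no longer distinguish the two properties; given the field's `format: int64`, `The numeric identifier of the data profile used to characterize the incident.` keeps the distinction (dropping the old "UUID" wording was right, since an int64 is not a UUID). `incident_notes` lost the statement that it is user-defined, which is the one security-relevant fact about the field — consumers rendering free-form, user-supplied text need to treat it as untrusted — so `User-defined free-text notes for the incident.` is the better replacement. `incident_feedback_status` and `resolution_status` descriptions now also end without a period, unlike every other description in this schema.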
@@ -234,11 +234,10 @@ components:
: [\n \"credit_card_number\",\n \"social_security_number\"\
\n ]\n }\n"
report_id:
- description: The Palo Alto Networks automatically assigned report ID that
- you can use to retrieve reports.
+ description: The Palo Alto Networks automatically assigned report ID.
type: string
resolution_status:
- description: Resolution status from Enterprise DLP status.
+ description: Resolution status for the incident
type: string
session_key:
description: Specifies a session key assosciated with the incident.
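Review bot: `assosciated` in the `session_key` description at the end of this hunk is the same typo the commit fixes in the `user` description a few lines later; change it to `associated` here as well. The shortened `report_id` description also drops its one actionable detail — that the ID is what you pass to retrieve the report; `The Palo Alto Networks automatically assigned report ID, used to retrieve the report.` keeps that on one line.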
@@ -254,7 +253,7 @@ components:
description: The TSG enabled tenant used to identify the Incident.
type: string
user:
- description: The user assosciated with te incident.
+ description: The user associated with the incident.
type: string
title: IncidentResponseDTO
type: object
@@ -276,9 +275,9 @@ components:
edm_columns:
description: "Exact Data Matching (EDM) is a method of detecting and protecting\
\ your most sensitive content. Unlike data patterns, EDM uses specific\
- \ data\xE2\u20AC\u201Dsuch as a patient\xE2\u20AC\u2122s first and last\
- \ name or a patient\xE2\u20AC\u2122s social security number or a customer\xE2\
- \u20AC\u2122s bank account number\xE2\u20AC\u201Dto identify matches."
+ \ data\xE2\u20AC\u201Dsuch as a patient's first and last name or a patient's\
+ \ social security number or a customer's bank account number\xE2\u20AC\
+ \u201Dto identify matches."
items:
type: string
type: array
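Review bot: The rewritten `edm_columns` description still carries the mojibake `\xE2\u20AC\u201D` on both sides of the parenthetical (`data\xE2\u20AC\u201Dsuch as` and `bank account number\xE2\u20AC\u201Dto`) — the curly apostrophes were replaced with `'`, but the em dash, whose UTF-8 bytes were read as cp1252, was left and still renders as garbage. Replace each occurrence inside the double-quoted scalar with `\u2014`, i.e. `data\u2014such as a patient's first and last name` and `bank account number\u2014to identify matches.`, or use a plain ASCII ` - ` to avoid the escape altogether.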