{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "ThreatSignature",
  "description": "Threat signature metadata record.",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/threat-vault-api-threat-signature-schema.json",
  "type": "object",
  "properties": {
    "id": {
      "type": "integer",
      "description": "Unique signature identifier."
    },
    "name": {
      "type": "string",
      "description": "Signature name."
    },
    "type": {
      "type": "string",
      "enum": [
        "antivirus",
        "antispyware",
        "vulnerability",
        "dns",
        "fileformat"
      ],
      "description": "Signature type category."
    },
    "subtype": {
      "type": "string",
      "description": "Signature subtype (e.g., virus, trojan, exploit)."
    },
    "severity": {
      "type": "string",
      "enum": [
        "critical",
        "high",
        "medium",
        "low",
        "informational"
      ]
    },
    "description": {
      "type": "string",
      "description": "Human-readable description of the threat."
    },
    "cve": {
      "type": "array",
      "items": {
        "type": "string"
      },
      "description": "Associated CVE identifiers."
    },
    "default_action": {
      "type": "string",
      "enum": [
        "alert",
        "allow",
        "drop",
        "reset-both",
        "reset-client",
        "reset-server",
        "block-ip",
        "sinkhole"
      ],
      "description": "Default action applied to traffic matching this signature."
    },
    "min_version": {
      "type": "string",
      "description": "Minimum PAN-OS version supporting this signature."
    },
    "max_version": {
      "type": "string",
      "description": "Maximum PAN-OS version supporting this signature (empty if still active)."
    },
    "status": {
      "type": "string",
      "enum": [
        "released",
        "deprecated",
        "disabled"
      ]
    },
    "ori_release_version": {
      "type": "string",
      "description": "Content version in which this signature was first released."
    },
    "latest_release_version": {
      "type": "string",
      "description": "Most recent content version that updated this signature."
    },
    "first_release_time": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp when the signature was first released."
    },
    "latest_release_time": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp of the most recent signature update."
    },
    "sha256": {
      "type": "array",
      "items": {
        "type": "string"
      },
      "description": "SHA-256 hashes associated with this signature (antivirus)."
    }
  }
}