openapi: 3.1.0 info: title: Palo Alto Networks Cortex XSIAM REST API description: >- REST API for the Cortex XSIAM (Extended Security Intelligence and Automation Management) AI-driven security operations platform. Provides programmatic access to incidents, alerts, endpoints, XQL queries, assets, audit logs, and data source ingestion. XSIAM extends Cortex XDR with a full SOC platform including SIEM, SOAR, and threat intelligence capabilities. Authentication uses a custom HMAC-SHA256 scheme: generate an API key ID and secret from the XSIAM settings, then include x-xdr-auth-id, x-xdr-nonce, x-xdr-timestamp, and x-xdr-hmac-v2 headers on every request. All endpoints use POST with JSON request bodies. version: '1.0' contact: name: Palo Alto Networks Developer Support url: https://pan.dev/cortex/docs/xsiam/ license: name: Proprietary url: https://www.paloaltonetworks.com/legal servers: - url: https://api-{fqdn}/public_api/v1 description: Cortex XSIAM tenant API endpoint. variables: fqdn: description: >- Tenant FQDN from the XSIAM settings page (e.g., example.xsiam.paloaltonetworks.com). default: example.xsiam.paloaltonetworks.com security: - xsiamAuth: [] tags: - name: Alerts description: Alert retrieval and filtering. - name: Assets description: Asset inventory management. - name: Audit description: Audit and management log retrieval. - name: Endpoints description: Endpoint inventory management. - name: Incidents description: Incident retrieval and management. - name: Ingestion description: Data source configuration for log ingestion. - name: XQL description: XQL query execution against the XSIAM data lake. paths: /incidents/get_incidents: post: operationId: getIncidents summary: Palo Alto Networks List Incidents description: >- Returns a list of incidents matching the specified filter criteria. XSIAM incidents correlate alerts from endpoint, network, cloud, and SIEM data sources using AI-powered analytics. Supports filtering by status, severity, and time range. tags: - Incidents requestBody: required: true content: application/json: schema: type: object properties: request_data: type: object properties: filters: type: array items: $ref: '#/components/schemas/Filter' description: Filter criteria for incident list. search_from: type: integer default: 0 search_to: type: integer default: 100 sort: $ref: '#/components/schemas/SortOrder' examples: GetIncidentsRequestExample: summary: Default getIncidents request x-microcks-default: true value: request_data: filters: - field: example-field operator: eq value: example-value - field: example-field operator: eq value: example-value search_from: 0 search_to: 100 sort: field: example-field keyword: desc responses: '200': description: Incidents returned successfully. content: application/json: schema: type: object properties: reply: type: object properties: total_count: type: integer result_count: type: integer incidents: type: array items: $ref: '#/components/schemas/Incident' examples: GetIncidents200Example: summary: Default getIncidents 200 response x-microcks-default: true value: reply: total_count: 193 result_count: 967 incidents: - incident_id: '930948' incident_name: Staging Gateway 69 description: Malware endpoint configured on threat detected violation blocked rule violation suspicious. status: resolved_false_positive severity: medium assigned_user_mail: security-ops@example.com assigned_user_pretty_name: Carlos Smith alert_count: 102 creation_time: 1747691175363 modification_time: 1703382684754 detection_time: 1724626599746 starred: true xdr_url: https://vpn.test-corp.net/d6af6d mitre_tactics_ids_and_names: &id001 - '100279' - '498972' mitre_techniques_ids_and_names: &id002 - '186119' - '416278' - incident_id: '930948' incident_name: Staging Gateway 69 description: Malware endpoint configured on threat detected violation blocked rule violation suspicious. status: resolved_false_positive severity: medium assigned_user_mail: security-ops@example.com assigned_user_pretty_name: Carlos Smith alert_count: 102 creation_time: 1747691175363 modification_time: 1703382684754 detection_time: 1724626599746 starred: true xdr_url: https://vpn.test-corp.net/d6af6d mitre_tactics_ids_and_names: *id001 mitre_techniques_ids_and_names: *id002 '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /alerts/get_alerts: post: operationId: getAlerts summary: Palo Alto Networks Get Alerts description: >- Returns alerts matching the specified filter criteria. XSIAM ingests and normalizes alerts from endpoint agents, network sensors, cloud providers, and third-party SIEM sources. Supports filtering by alert category, severity, source, and time range. tags: - Alerts requestBody: required: true content: application/json: schema: type: object properties: request_data: type: object properties: filters: type: array items: $ref: '#/components/schemas/Filter' search_from: type: integer default: 0 search_to: type: integer default: 100 sort: $ref: '#/components/schemas/SortOrder' examples: GetAlertsRequestExample: summary: Default getAlerts request x-microcks-default: true value: request_data: filters: - field: example-field operator: eq value: example-value search_from: 0 search_to: 100 sort: field: example-field keyword: desc responses: '200': description: Alerts returned successfully. content: application/json: schema: type: object properties: reply: type: object properties: total_count: type: integer result_count: type: integer alerts: type: array items: $ref: '#/components/schemas/Alert' examples: GetAlerts200Example: summary: Default getAlerts 200 response x-microcks-default: true value: reply: total_count: 527 result_count: 162 alerts: - alert_id: '590285' detection_timestamp: 1743676235635 name: Corporate Sensor 11 category: advanced description: Policy detected configured violation monitoring violation activity activity traffic. severity: medium source: example-source host_name: Primary Sensor 69 user_name: jsmith action: deny alert_type: standard resolution_status: enabled '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' x-microcks-operation: delay: 0 dispatcher: FALLBACK /xql/start_xql_query: post: operationId: startXqlQuery summary: Palo Alto Networks Execute XQL Query description: >- Initiates an XQL (Extended Query Language) query against the XSIAM data lake which includes endpoint telemetry, network logs, cloud activity, and ingested SIEM data. Returns a query ID for retrieving results asynchronously. tags: - XQL requestBody: required: true content: application/json: schema: type: object required: - request_data properties: request_data: type: object required: - query properties: query: type: string description: XQL query string to execute. timeframe: type: object properties: relativeTime: type: string description: >- Relative time range (e.g., last_24_hours, last_7_days, last_30_days). startTime: type: integer description: Absolute start time as Unix epoch milliseconds. endTime: type: integer description: Absolute end time as Unix epoch milliseconds. max_results: type: integer default: 1000 maximum: 10000 examples: StartXqlQueryRequestExample: summary: Default startXqlQuery request x-microcks-default: true value: request_data: query: example-query timeframe: relativeTime: example-relativeTime startTime: 1731765538775 endTime: 1741778638340 max_results: 1000 responses: '200': description: XQL query initiated successfully. content: application/json: schema: type: object properties: reply: type: string description: Query execution ID for retrieving results. examples: StartXqlQuery200Example: summary: Default startXqlQuery 200 response x-microcks-default: true value: reply: example-reply '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' x-microcks-operation: delay: 0 dispatcher: FALLBACK /xql/get_query_results: post: operationId: getXqlQueryResults summary: Palo Alto Networks Get XQL Query Results description: >- Retrieves the results of an XQL query previously initiated via start_xql_query. Poll until status is SUCCESS or FAILED. tags: - XQL requestBody: required: true content: application/json: schema: type: object required: - request_data properties: request_data: type: object required: - query_id properties: query_id: type: string description: Query ID returned by start_xql_query. pending_duration: type: integer description: Seconds to wait for query completion before returning. default: 0 max_results: type: integer default: 1000 format: type: string enum: - json - json_simple examples: GetXqlQueryResultsRequestExample: summary: Default getXqlQueryResults request x-microcks-default: true value: request_data: query_id: '568519' pending_duration: 0 max_results: 1000 format: json responses: '200': description: XQL query results returned successfully. content: application/json: schema: type: object properties: reply: type: object properties: status: type: string enum: - PENDING - SUCCESS - FAILED - CANCELED number_of_results: type: integer query_cost: type: object additionalProperties: type: number remaining_quota: type: number results: type: object properties: data: type: array items: type: object additionalProperties: true examples: GetXqlQueryResults200Example: summary: Default getXqlQueryResults 200 response x-microcks-default: true value: reply: status: SUCCESS number_of_results: 530 query_cost: {} remaining_quota: 45.6 results: data: - {} '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' x-microcks-operation: delay: 0 dispatcher: FALLBACK /assets/list_assets: post: operationId: listAssets summary: Palo Alto Networks List Assets description: >- Returns a list of assets discovered and tracked by XSIAM. Assets represent devices, cloud resources, users, and service accounts observed in the environment. Supports filtering by asset type, operating system, and risk score. tags: - Assets requestBody: required: true content: application/json: schema: type: object properties: request_data: type: object properties: filters: type: array items: $ref: '#/components/schemas/Filter' search_from: type: integer default: 0 search_to: type: integer default: 100 sort: $ref: '#/components/schemas/SortOrder' examples: ListAssetsRequestExample: summary: Default listAssets request x-microcks-default: true value: request_data: filters: - field: example-field operator: eq value: example-value - field: example-field operator: eq value: example-value search_from: 0 search_to: 100 sort: field: example-field keyword: desc responses: '200': description: Assets returned successfully. content: application/json: schema: type: object properties: reply: type: object properties: total_count: type: integer result_count: type: integer assets: type: array items: $ref: '#/components/schemas/Asset' examples: ListAssets200Example: summary: Default listAssets 200 response x-microcks-default: true value: reply: total_count: 379 result_count: 575 assets: - asset_id: '172266' asset_name: Production Policy 57 asset_type: DEVICE operating_system: Ubuntu 22.04 ip_addresses: &id005 - 10.89.140.152 risk_score: 6.34 first_seen: 751 last_seen: 24 tags: &id006 - critical-asset sources: &id007 - example-sources_item - example-sources_item '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' x-microcks-operation: delay: 0 dispatcher: FALLBACK /endpoints/get_endpoints: post: operationId: getEndpoints summary: Palo Alto Networks List Endpoints description: >- Returns a list of endpoints enrolled in XSIAM protection. Supports filtering by endpoint ID, hostname, IP address, operating system, and agent connection status. tags: - Endpoints requestBody: required: true content: application/json: schema: type: object properties: request_data: type: object properties: filters: type: array items: $ref: '#/components/schemas/Filter' search_from: type: integer default: 0 search_to: type: integer default: 100 sort: $ref: '#/components/schemas/SortOrder' examples: GetEndpointsRequestExample: summary: Default getEndpoints request x-microcks-default: true value: request_data: filters: - field: example-field operator: eq value: example-value - field: example-field operator: eq value: example-value search_from: 0 search_to: 100 sort: field: example-field keyword: desc responses: '200': description: Endpoints returned successfully. content: application/json: schema: type: object properties: reply: type: object properties: total_count: type: integer result_count: type: integer endpoints: type: array items: $ref: '#/components/schemas/Endpoint' examples: GetEndpoints200Example: summary: Default getEndpoints 200 response x-microcks-default: true value: reply: total_count: 837 result_count: 336 endpoints: - endpoint_id: '305959' endpoint_name: Primary Firewall 16 endpoint_type: WORKSTATION endpoint_status: UNINSTALLED os_type: AGENT_OS_LINUX ip: &id003 - example-ip_item - example-ip_item users: &id004 - example-users_item - example-users_item domain: api.acme-systems.org first_seen: 351 last_seen: 449 endpoint_version: 4.6.8 content_version: 7.3.2 is_isolated: AGENT_UNISOLATED scan_status: running '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' x-microcks-operation: delay: 0 dispatcher: FALLBACK /audits/management_logs/get_management_logs: post: operationId: getManagementLogs summary: Palo Alto Networks Get Audit Management Logs description: >- Retrieves audit management logs recording administrative actions performed in the XSIAM console, including user logins, policy changes, data source configuration, and API key management. tags: - Audit requestBody: required: true content: application/json: schema: type: object properties: request_data: type: object properties: filters: type: array items: $ref: '#/components/schemas/Filter' search_from: type: integer default: 0 search_to: type: integer default: 100 sort: $ref: '#/components/schemas/SortOrder' examples: GetManagementLogsRequestExample: summary: Default getManagementLogs request x-microcks-default: true value: request_data: filters: - field: example-field operator: eq value: example-value search_from: 0 search_to: 100 sort: field: example-field keyword: desc responses: '200': description: Management logs returned successfully. content: application/json: schema: type: object properties: reply: type: object properties: total_count: type: integer result_count: type: integer data: type: array items: $ref: '#/components/schemas/AuditLog' examples: GetManagementLogs200Example: summary: Default getManagementLogs 200 response x-microcks-default: true value: reply: total_count: 883 result_count: 794 data: - timestamp: 1744173019855 actor_primary_username: soc-analyst actor_email: example-actor_email actor_type: User sub_type: custom result: FAIL reason: Suspicious investigation alert traffic detected violation alert configured threat Security. ip: 10.224.166.122 description: Violation firewall firewall detected incident endpoint policy. - timestamp: 1744173019855 actor_primary_username: soc-analyst actor_email: example-actor_email actor_type: User sub_type: custom result: FAIL reason: Suspicious investigation alert traffic detected violation alert configured threat Security. ip: 10.224.166.122 description: Violation firewall firewall detected incident endpoint policy. '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' x-microcks-operation: delay: 0 dispatcher: FALLBACK /ingestion/datasources: post: operationId: configureDatasource summary: Palo Alto Networks Configure Data Source description: >- Configures a new data source for log ingestion into XSIAM. Data sources define the schema, parsing rules, and normalization mappings for third-party log formats. Enables XSIAM to ingest and correlate data from firewalls, cloud platforms, SaaS applications, and custom sources. tags: - Ingestion requestBody: required: true content: application/json: schema: type: object required: - request_data properties: request_data: type: object required: - name - vendor - product properties: name: type: string description: Unique name for this data source configuration. vendor: type: string description: Vendor name of the data source (e.g., Palo Alto Networks). product: type: string description: Product name (e.g., PAN-OS, Prisma Access). type: type: string enum: - syslog - https - api - file description: Ingestion method for this data source. parsing_rule: type: string description: >- XDL (XSIAM Definition Language) parsing rule for extracting fields from raw log data. mapping_fields: type: object description: Field name mapping from source fields to XSIAM schema fields. additionalProperties: type: string enabled: type: boolean default: true examples: ConfigureDatasourceRequestExample: summary: Default configureDatasource request x-microcks-default: true value: request_data: name: Staging Policy 70 vendor: Palo Alto Networks product: example-product type: syslog parsing_rule: example-parsing_rule mapping_fields: {} enabled: true responses: '200': description: Data source configured successfully. content: application/json: schema: type: object properties: reply: type: object properties: datasource_id: type: string description: Unique identifier assigned to the new data source. name: type: string status: type: string enum: - ACTIVE - PENDING - ERROR examples: ConfigureDatasource200Example: summary: Default configureDatasource 200 response x-microcks-default: true value: reply: datasource_id: '995974' name: Corporate Policy 49 status: PENDING '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '409': $ref: '#/components/responses/Conflict' x-microcks-operation: delay: 0 dispatcher: FALLBACK components: securitySchemes: xsiamAuth: type: apiKey in: header name: x-xdr-hmac-v2 description: >- Cortex XSIAM uses a custom HMAC-SHA256 authentication scheme. Include four headers on each request: x-xdr-auth-id (API key ID number), x-xdr-nonce (64-character random string), x-xdr-timestamp (Unix epoch milliseconds as a string), and x-xdr-hmac-v2 (SHA-256 hash of api_key + nonce + timestamp). Standard and Advanced API key types are supported; Advanced keys provide additional security through IP allowlisting. Generate API keys from XSIAM Settings > Configurations > API Keys. responses: BadRequest: description: Malformed request body or invalid parameters. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Unauthorized: description: Missing or invalid authentication headers. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Forbidden: description: Insufficient permissions for the requested operation. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Conflict: description: A resource with the specified name already exists. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' InternalServerError: description: An internal server error occurred. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' schemas: Filter: type: object description: A filter criterion for querying XSIAM resources. required: - field - operator - value properties: field: type: string description: Field name to filter on. example: example-field operator: type: string enum: - in - contains - gte - lte - eq - neq example: eq value: description: Filter value (string, integer, or array for the "in" operator). oneOf: - type: string - type: integer - type: array items: oneOf: - type: string - type: integer example: example-value SortOrder: type: object description: Sorting specification for result sets. properties: field: type: string example: example-field keyword: type: string enum: - asc - desc example: desc Incident: type: object description: A XSIAM incident correlating related alerts into a unified investigation. properties: incident_id: type: string example: '930948' incident_name: type: string example: Staging Gateway 69 description: type: string example: Malware endpoint configured on threat detected violation blocked rule violation suspicious. status: type: string enum: - new - under_investigation - resolved_threat_handled - resolved_known_issue - resolved_duplicate - resolved_false_positive - resolved_other example: resolved_false_positive severity: type: string enum: - critical - high - medium - low - informational - unknown example: medium assigned_user_mail: type: string example: security-ops@example.com assigned_user_pretty_name: type: string example: Carlos Smith alert_count: type: integer example: 102 creation_time: type: integer description: Creation timestamp as Unix epoch milliseconds. example: 1747691175363 modification_time: type: integer example: 1703382684754 detection_time: type: integer example: 1724626599746 starred: type: boolean example: true xdr_url: type: string example: https://vpn.test-corp.net/d6af6d mitre_tactics_ids_and_names: type: array items: type: string example: *id001 mitre_techniques_ids_and_names: type: array items: type: string example: *id002 Alert: type: object description: A XSIAM alert representing a detection from any ingested data source. properties: alert_id: type: string example: '590285' detection_timestamp: type: integer example: 1743676235635 name: type: string example: Corporate Sensor 11 category: type: string example: advanced description: type: string example: Policy detected configured violation monitoring violation activity activity traffic. severity: type: string enum: - critical - high - medium - low - informational - unknown example: medium source: type: string description: Data source that generated this alert. example: example-source host_name: type: string example: Primary Sensor 69 user_name: type: string example: jsmith action: type: string example: deny alert_type: type: string example: standard resolution_status: type: string example: enabled Endpoint: type: object description: An endpoint enrolled in XSIAM protection. properties: endpoint_id: type: string example: '305959' endpoint_name: type: string example: Primary Firewall 16 endpoint_type: type: string enum: - SERVER - WORKSTATION - LAPTOP example: WORKSTATION endpoint_status: type: string enum: - CONNECTED - DISCONNECTED - LOST - UNINSTALLED example: UNINSTALLED os_type: type: string enum: - AGENT_OS_WINDOWS - AGENT_OS_LINUX - AGENT_OS_MAC example: AGENT_OS_LINUX ip: type: array items: type: string example: *id003 users: type: array items: type: string example: *id004 domain: type: string example: api.acme-systems.org first_seen: type: integer example: 351 last_seen: type: integer example: 449 endpoint_version: type: string example: 4.6.8 content_version: type: string example: 7.3.2 is_isolated: type: string enum: - AGENT_ISOLATED - AGENT_UNISOLATED - PENDING_ISOLATION - PENDING_UNISOLATION example: AGENT_UNISOLATED scan_status: type: string example: running Asset: type: object description: An asset tracked in the XSIAM asset inventory. properties: asset_id: type: string example: '172266' asset_name: type: string example: Production Policy 57 asset_type: type: string enum: - DEVICE - CLOUD_RESOURCE - USER - SERVICE_ACCOUNT example: DEVICE operating_system: type: string example: Ubuntu 22.04 ip_addresses: type: array items: type: string example: *id005 risk_score: type: number description: Asset risk score (0.0 to 100.0). example: 6.34 first_seen: type: integer description: First observation timestamp as Unix epoch milliseconds. example: 751 last_seen: type: integer example: 24 tags: type: array items: type: string example: *id006 sources: type: array items: type: string description: Data sources that reported this asset. example: *id007 AuditLog: type: object description: An audit management log entry recording an administrative action. properties: timestamp: type: integer description: Action timestamp as Unix epoch milliseconds. example: 1744173019855 actor_primary_username: type: string example: soc-analyst actor_email: type: string example: example-actor_email actor_type: type: string enum: - User - API example: User sub_type: type: string description: Action subtype (e.g., Login, PolicyUpdate, DatasourceCreate). example: custom result: type: string enum: - SUCCESS - FAIL example: FAIL reason: type: string example: Suspicious investigation alert traffic detected violation alert configured threat Security. ip: type: string example: 10.224.166.122 description: type: string example: Violation firewall firewall detected incident endpoint policy. ErrorResponse: type: object properties: reply: type: object properties: err_code: type: integer example: 140 err_msg: type: string example: example-err_msg err_extra: type: string example: example-err_extra example: err_code: 33 err_msg: example-err_msg err_extra: example-err_extra