From 0fb53050e47cd9ef2ad2fb1a6266742228282f54 Mon Sep 17 00:00:00 2001 From: sra Date: Mon, 2 Feb 2026 22:24:46 +0530 Subject: [PATCH 1/5] DOCS-9020 Added Incident APIs as part of SCM Monitoring and SASE. Ready for review --- docusaurus.config.ts | 10 + .../incident-scm/Unified_SCM_Incident.yaml | 420 ++++++++++++++++++ .../sase/api/incident-scm/incident-scm.md | 15 + products/sase/sidebars.ts | 5 +- src/pages/strata-cloud-manager/index.js | 5 + 5 files changed, 454 insertions(+), 1 deletion(-) create mode 100644 openapi-specs/sase/incident-scm/Unified_SCM_Incident.yaml create mode 100644 products/sase/api/incident-scm/incident-scm.md diff --git a/docusaurus.config.ts b/docusaurus.config.ts index add45c9ce..96efd24f4 100644 --- a/docusaurus.config.ts +++ b/docusaurus.config.ts @@ -488,6 +488,11 @@ const config = { label: "Aggregate Monitoring", icon: "api-doc", }, + { + to: "sase/api/incident-scm", + label: "Unified Incident Framework APIs", + icon: "api-doc", + }, { to: "sase/api/mt-notifications", label: "Multitenant Notifications", @@ -991,6 +996,11 @@ const config = { outputDir: "products/scm/api/config/ciedss", sidebarOptions: { groupPathsBy: "tag" }, }, + incidentscm: { + specPath: "openapi-specs/sase/incident-scm", + outputDir: "products/sase/api/incident-scm", + sidebarOptions: { groupPathsBy: "tag" }, + }, sdwan: { specPath: "openapi-specs/sdwan/unified", outputDir: "products/sdwan/api", diff --git a/openapi-specs/sase/incident-scm/Unified_SCM_Incident.yaml b/openapi-specs/sase/incident-scm/Unified_SCM_Incident.yaml new file mode 100644 index 000000000..717037982 --- /dev/null +++ b/openapi-specs/sase/incident-scm/Unified_SCM_Incident.yaml 
@@ -0,0 +1,420 @@ +openapi: 3.0.0 +info: + title: Unified Incident Framework APIs + version: 3.0.0 + description: "Consolidates security and operational incidents from multiple Palo\ + \ Alto Networks products into a unified management interface. \nProvides read-only\ + \ access to search, filter, and analyze incident data across the Strata Cloud\ + \ Manager ecosystem. This Open API spec file was created on February 02, 2026.\ + \ \xA9 2026 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark\ + \ of Palo Alto Networks. A list of our trademarks can be found at [https://www.paloaltonetworks.com/company/trademarks.html](https://www.paloaltonetworks.com/company/trademarks.html).\ + \ All other marks mentioned herein may be trademarks of their respective companies." +servers: +- url: https://api.sase.paloaltonetworks.com + description: Production Server +security: +- JWT: [] +components: + securitySchemes: + JWT: + type: http + description: JWT authentication with bearer token + scheme: bearer + bearerFormat: Bearer [token] + parameters: + PrismaTenantHeader: + in: header + name: prisma-tenant + description: The tenant and sub-tenant ID identifier (e.g., tenant_id:sub_tenant_id). + required: true + schema: + type: string + PrismaRegionHeader: + in: header + name: X-PANW-Region + description: The region for request(e.g., americas, europe, uk, au etc). 
+ required: true + schema: + type: string + schemas: + FilterRule: + type: object + properties: + property: + type: string + example: incident_id + operator: + type: string + values: + type: array + items: + type: string + FilterObject: + type: object + properties: + rules: + type: array + items: + $ref: '#/components/schemas/FilterRule' + PaginationObject: + type: object + properties: + page_size: + type: integer + page_number: + type: integer + order_by: + type: array + items: + type: object + properties: + property: + type: string + order: + type: string + enum: + - asc + - desc +ExternalTags: + Incidents APIs: + title: Incidents APIs + description: Operations related to listing, querying, and managing specific incidents. + tags: + - Incidents APIs +paths: + /incidents/search: + post: + summary: Search Incident List + description: "Retrieves a paginated list of security incidents using advanced\ + \ filtering criteria. \nFilters data by product type, release state, and severity\ + \ to streamline incident discovery across the security fabric." 
+ operationId: PostIncidentsSearch + responses: + '200': + description: List of incidents + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + type: object + properties: + updated_time: + type: integer + format: int64 + example: 1765468859684 + severity: + type: string + example: Informational + severity_id: + type: integer + example: 200 + status: + type: string + example: Raised + title: + type: string + example: Tenant has 14 raised alerts + priority: + type: string + example: Not Set + product: + type: string + example: Prisma Access + category: + type: string + example: Network + sub_category: + type: string + example: '' + code: + type: string + example: INC_AOA_TENANT_ALERTS_NOTIFICATION + incident_id: + type: string + example: 21818c4a-8353-4d9c-ae3e-ae90004d4662 + raised_time: + type: integer + format: int64 + example: 1765468859684 + release_state: + type: string + example: Released + incident_type: + type: string + example: SOURCE_AGGREGATION_INCIDENT + designation: + type: string + example: root + primary_impacted_objects: + type: object + description: Comprehensive list of impacted objects associated + with the incident. 
+ properties: + site_names: + type: array + items: + type: string + roles: + type: array + items: + type: string + tunnel_names: + type: array + items: + type: string + host_names: + type: array + items: + type: string + locations: + type: array + items: + type: string + bgp_peer_names: + type: array + items: + type: string + certificate_names: + type: array + items: + type: string + device_ids: + type: array + items: + type: string + packages: + type: array + items: + type: string + licenses: + type: array + items: + type: string + cves: + type: array + items: + type: string + security_objects: + type: array + items: + type: string + security_checks: + type: array + items: + type: string + security_types: + type: array + items: + type: string + aggr_locations: + type: array + items: + type: string + spn_names: + type: array + items: + type: string + agent_ids: + type: array + items: + type: string + directory_ids: + type: array + items: + type: string + theaters: + type: array + items: + type: string + gp_versions: + type: array + items: + type: string + auth_servers: + type: array + items: + type: string + dns_servers: + type: array + items: + type: string + app_names: + type: array + items: + type: string + ike_gateway_names: + type: array + items: + type: string + gre_tunnel_names: + type: array + items: + type: string + asn_org_names: + type: array + items: + type: string + user_locations: + type: array + items: + type: string + parameters: + - $ref: '#/components/parameters/PrismaTenantHeader' + - $ref: '#/components/parameters/PrismaRegionHeader' + tags: + - Incidents APIs + requestBody: + content: + application/json: + schema: + type: object + properties: + filter: + $ref: '#/components/schemas/FilterObject' + pagination: + $ref: '#/components/schemas/PaginationObject' + examples: + FilterWithPagination: + summary: Filter by Product/Status with Pagination + value: + filter: + rules: + - property: release_state + operator: in + values: + - Released + - 
property: product + operator: in + values: + - NGFW + - Prisma Access + - Posture + - property: status + operator: in + values: + - Raised + pagination: + page_size: 50 + page_number: 1 + order_by: + - property: updated_time + order: desc + /incidents/{incident_id}: + get: + summary: Get Incident Details + description: "Provides comprehensive metadata and alert-level data for a specific\ + \ security incident. \nReturns detailed impact objects, resource contexts,\ + \ and the underlying alerts that triggered the incident." + operationId: GetIncidentsbyincident_id + responses: + '200': + description: Detailed incident information + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + type: object + properties: + incident_id: + type: string + example: 21818c4a-8353-4d9c-ae3e-ae90004d4662 + title: + type: string + example: Tenant has 14 raised alerts + raised_time: + type: integer + format: int64 + example: 1765468859684 + updated_time: + type: integer + format: int64 + example: 1765468859684 + resource_keys: + type: string + description: JSON string containing resource identifiers. + example: '{"tenant_id": "24072002", "sub_tenant_id": "24072002"}' + status: + type: string + example: Raised + detail: + type: string + description: Stringified JSON array containing detailed + alert information. 
+ alerts: + type: array + items: + type: object + properties: + alert_id: + type: string + severity: + type: string + state: + type: string + title: + type: string + updated_time: + type: integer + format: int64 + domain: + type: string + inc_prop: + type: integer + ctx_only_alert: + type: boolean + code: + type: string + incident_type: + type: string + example: SOURCE_AGGREGATION_INCIDENT + incident_code: + type: string + example: INC_AOA_TENANT_ALERTS_NOTIFICATION + severity_id: + type: integer + example: 200 + severity: + type: string + example: Informational + priority: + type: string + example: Not Set + release_state: + type: string + example: Released + product: + type: string + example: Prisma Access + resource_context: + type: string + example: '{}' + category: + type: string + example: Network + sub_category: + type: string + example: '' + designation: + type: string + example: root + acknowledged: + type: boolean + example: false + parameters: + - $ref: '#/components/parameters/PrismaTenantHeader' + - $ref: '#/components/parameters/PrismaRegionHeader' + - name: incident_id + in: path + required: true + schema: + type: string + tags: + - Incidents APIs diff --git a/products/sase/api/incident-scm/incident-scm.md b/products/sase/api/incident-scm/incident-scm.md new file mode 100644 index 000000000..299c86ed7 --- /dev/null +++ b/products/sase/api/incident-scm/incident-scm.md 
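Review bot: Both operations in this new spec (`/incidents/search` and `/incidents/{incident_id}`) declare only a `'200'` response, so an integrator cannot tell how a missing or expired bearer token, a `prisma-tenant` value the caller is not entitled to, or an unknown `incident_id` is reported. I would add at least `'401'`, `'403'` and `'404'` entries with a one-line description each, and say in the `PrismaTenantHeader` description that the header is checked against the token rather than trusted on its own, if that is how the service behaves. `bearerFormat: Bearer [token]` repeats the scheme instead of naming the token format; `bearerFormat: JWT` is the usual value. `page_size` has no `minimum`/`maximum` and `FilterRule.operator` has no `enum` (the example only shows `in`), so documenting the accepted page-size limit and operator set would let clients validate requests before sending them.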
@@ -0,0 +1,15 @@ +--- +id: incident-scm +title: Unified Incident Framework APIs +sidebar_label: Incident Framework APIs +keywords: + - SASE + - Reference + - API +--- + +The Unified Incidents framework consolidates incident management across multiple Palo Alto Networks security products into a single, cohesive interface within Strata Cloud Manager. This unified approach brings all incidents into one view, streamlining incident response workflows and providing consistent visibility across your entire security infrastructure. + +The Unified Incidents APIs enable you to monitor and manage security and operational incidents across all Palo Alto Networks products managed by Strata Cloud Manager. Use these APIs to retrieve incident lists, access detailed incident information. + +These APIs use the [common SASE authentication](/sase/docs/getstarted) for service access and authorization. diff --git a/products/sase/sidebars.ts b/products/sase/sidebars.ts index 6d6362306..a86a3c00f 100644 --- a/products/sase/sidebars.ts +++ b/products/sase/sidebars.ts @@ -330,5 +330,8 @@ module.exports = { "sase/api/tenancy/tenancy-api", require("./api/tenancy/sidebar"), ], - + saseincident: [ + "sase/api/incident-scm/incident-scm", + require("./api/incident-scm/sidebar"), + ], }; diff --git a/src/pages/strata-cloud-manager/index.js b/src/pages/strata-cloud-manager/index.js index 216edc9dc..fab992091 100644 --- a/src/pages/strata-cloud-manager/index.js +++ b/src/pages/strata-cloud-manager/index.js @@ -253,6 +253,11 @@ export default function SCMLandingPage() { label: "Prisma Access Insights", icon: "api-doc", }, + { + to: "sase/api/incident-scm", + label: "Unified Incident Framework APIs", + icon: "api-doc", + }, ], }, ]; From 80c7ce3c7ff7baafcb58ac2a7300065500bc86c2 Mon Sep 17 00:00:00 2001 
From: sra Date: Fri, 20 Feb 2026 20:23:06 +0530 Subject: [PATCH 2/5] DOCS-9020 Moving Incidents as an independent configuration under SCM --- docusaurus.config.ts | 9 ++------- .../config/incidents}/Unified_SCM_Incident.yaml | 2 +- products/sase/sidebars.ts | 4 ---- .../api/config/Incidents}/incident-scm.md | 4 +++- products/scm/sidebars.ts | 11 +++++++++++ src/pages/strata-cloud-manager/index.js | 12 +++++++----- 6 files changed, 24 insertions(+), 18 deletions(-) rename openapi-specs/{sase/incident-scm => scm/config/incidents}/Unified_SCM_Incident.yaml (99%) rename products/{sase/api/incident-scm => scm/api/config/Incidents}/incident-scm.md (93%) diff --git a/docusaurus.config.ts b/docusaurus.config.ts index 96efd24f4..5d3223b37 100644 --- a/docusaurus.config.ts +++ b/docusaurus.config.ts @@ -488,11 +488,6 @@ const config = { label: "Aggregate Monitoring", icon: "api-doc", }, - { - to: "sase/api/incident-scm", - label: "Unified Incident Framework APIs", - icon: "api-doc", - }, { to: "sase/api/mt-notifications", label: "Multitenant Notifications", @@ -997,8 +992,8 @@ const config = { sidebarOptions: { groupPathsBy: "tag" }, }, incidentscm: { - specPath: "openapi-specs/sase/incident-scm", - outputDir: "products/sase/api/incident-scm", + specPath: "openapi-specs/scm/config/incidents", + outputDir: "products/scm/api/config/incidents/incident-scm", sidebarOptions: { groupPathsBy: "tag" }, }, sdwan: { diff --git a/openapi-specs/sase/incident-scm/Unified_SCM_Incident.yaml b/openapi-specs/scm/config/incidents/Unified_SCM_Incident.yaml similarity index 99% rename from openapi-specs/sase/incident-scm/Unified_SCM_Incident.yaml rename to openapi-specs/scm/config/incidents/Unified_SCM_Incident.yaml index 717037982..e6e51770c 100644 --- a/openapi-specs/sase/incident-scm/Unified_SCM_Incident.yaml +++ b/openapi-specs/scm/config/incidents/Unified_SCM_Incident.yaml 
@@ -5,7 +5,7 @@ info: description: "Consolidates security and operational incidents from multiple Palo\ \ Alto Networks products into a unified management interface. \nProvides read-only\ \ access to search, filter, and analyze incident data across the Strata Cloud\ - \ Manager ecosystem. This Open API spec file was created on February 02, 2026.\ + \ Manager ecosystem. This Open API spec file was created on February 20, 2026.\ \ \xA9 2026 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark\ \ of Palo Alto Networks. A list of our trademarks can be found at [https://www.paloaltonetworks.com/company/trademarks.html](https://www.paloaltonetworks.com/company/trademarks.html).\ \ All other marks mentioned herein may be trademarks of their respective companies." diff --git a/products/sase/sidebars.ts b/products/sase/sidebars.ts index a86a3c00f..ef4126597 100644 --- a/products/sase/sidebars.ts +++ b/products/sase/sidebars.ts @@ -330,8 +330,4 @@ module.exports = { "sase/api/tenancy/tenancy-api", require("./api/tenancy/sidebar"), ], - saseincident: [ - "sase/api/incident-scm/incident-scm", - require("./api/incident-scm/sidebar"), - ], }; diff --git a/products/sase/api/incident-scm/incident-scm.md b/products/scm/api/config/Incidents/incident-scm.md similarity index 93% rename from products/sase/api/incident-scm/incident-scm.md rename to products/scm/api/config/Incidents/incident-scm.md index 299c86ed7..e33d6156c 100644 --- a/products/sase/api/incident-scm/incident-scm.md +++ b/products/scm/api/config/Incidents/incident-scm.md @@ -3,7 +3,9 @@ id: incident-scm title: Unified Incident Framework APIs sidebar_label: Incident Framework APIs keywords: - - SASE + - Strata Cloud Manager + - Configuration + - Objects - Reference - API --- diff --git a/products/scm/sidebars.ts b/products/scm/sidebars.ts index 0d71d60e0..75bbdc96f 100644 --- a/products/scm/sidebars.ts +++ b/products/scm/sidebars.ts 
@@ -336,6 +336,17 @@ module.exports = { require("./api/config/cloudngfw/objects/sidebar"), ], }, + { + type: "category", + label: "Incidents", + items: [ + { + type: "doc", + id: "scm/api/config/incidents/incident-scm", + }, + require("./api/config/incidents/sidebar"), + ], + }, { type: "category", label: "Security Services", diff --git a/src/pages/strata-cloud-manager/index.js b/src/pages/strata-cloud-manager/index.js index fab992091..d0099c2e9 100644 --- a/src/pages/strata-cloud-manager/index.js +++ b/src/pages/strata-cloud-manager/index.js @@ -185,6 +185,13 @@ export default function SCMLandingPage() { icon: "api-doc", }, ], + Incidents: [ + { + to: "scm/api/config/Incidents/incident-scm.md", + label: "Incidents", + icon: "api-doc", + }, + ], "Other Configuration": [ { to: "/access/api/browser-mgmt/browser-mgmt-api", @@ -253,11 +260,6 @@ export default function SCMLandingPage() { label: "Prisma Access Insights", icon: "api-doc", }, - { - to: "sase/api/incident-scm", - label: "Unified Incident Framework APIs", - icon: "api-doc", - }, ], }, ]; From 8de1d497315d5ac0ec7ec8de7bf875efacd321df Mon Sep 17 00:00:00 2001 From: sra Date: Fri, 20 Feb 2026 20:33:18 +0530 Subject: [PATCH 3/5] DOCS-9020 fixed 404 error. --- src/pages/strata-cloud-manager/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/strata-cloud-manager/index.js b/src/pages/strata-cloud-manager/index.js index d0099c2e9..8c400d3ca 100644 --- a/src/pages/strata-cloud-manager/index.js +++ b/src/pages/strata-cloud-manager/index.js @@ -187,7 +187,7 @@ export default function SCMLandingPage() { ], Incidents: [ { - to: "scm/api/config/Incidents/incident-scm.md", + to: "scm/api/config/incidents/incident-scm", label: "Incidents", icon: "api-doc", }, From 0b72d49a045e3049d2eed315d0b769b08a59a606 Mon Sep 17 00:00:00 2001 
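Review bot: The doc id `scm/api/config/incidents/incident-scm` and `require("./api/config/incidents/sidebar")` in this sidebars.ts hunk use a lowercase `incidents` directory, but the same patch renames the page to `products/scm/api/config/Incidents/incident-scm.md` with a capital `I`. On a case-sensitive filesystem those are different directories, so the id would presumably fail to resolve at build time unless the directory is renamed to lowercase; none of the later patches shown here does that. The changelog row added in patch 5 links to `/scm/api/config/incidents/incidents-scm/`, which also differs from the `incident-scm` id and looks like it should be `/scm/api/config/incidents/incident-scm/`. The `module.exports` object continues outside the hunk.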
From: sra Date: Fri, 20 Feb 2026 21:34:22 +0530 Subject: [PATCH 4/5] DOCS-9020 Pull request failed. Building again --- docusaurus.config.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docusaurus.config.ts b/docusaurus.config.ts index 5d3223b37..b811cd244 100644 --- a/docusaurus.config.ts +++ b/docusaurus.config.ts @@ -1187,14 +1187,14 @@ const config = { sidebarOptions: { groupPathsBy: "tag", categoryLinkSource: "tag" }, baseUrl: "/compute/api/34-00/", }, - compute_3401: { + compute_3401: { specPath: "openapi-specs/compute/34-01", outputDir: "products/compute/api/34-01", showExtensions: true, sidebarOptions: { groupPathsBy: "tag", categoryLinkSource: "tag" }, baseUrl: "/compute/api/34-01/", }, - compute_3402: { + compute_3402: { specPath: "openapi-specs/compute/34-02", outputDir: "products/compute/api/34-02", showExtensions: true, From 8c9596fe04e08fed21fc4a8a555b0b330d1901a9 Mon Sep 17 00:00:00 2001 From: sra Date: Mon, 23 Feb 2026 18:08:46 +0530 Subject: [PATCH 5/5] DOCS-9020 Updated changelog and made changes in docusaurus.config.ts file and the sidebar.ts --- docusaurus.config.ts | 2 +- products/scm/docs/release-notes/changelog.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docusaurus.config.ts b/docusaurus.config.ts index b811cd244..26a1ba9d7 100644 --- a/docusaurus.config.ts +++ b/docusaurus.config.ts @@ -993,7 +993,7 @@ const config = { }, incidentscm: { specPath: "openapi-specs/scm/config/incidents", - outputDir: "products/scm/api/config/incidents/incident-scm", + outputDir: "products/scm/api/config/incidents", sidebarOptions: { groupPathsBy: "tag" }, }, sdwan: { diff --git a/products/scm/docs/release-notes/changelog.md b/products/scm/docs/release-notes/changelog.md index 31adbbf2e..b295b31fc 100644 --- a/products/scm/docs/release-notes/changelog.md +++ b/products/scm/docs/release-notes/changelog.md 
@@ -12,6 +12,7 @@ keywords: | Date | Description | | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| February 23rd, 2026 | Added [Incidents APIs](/scm/api/config/incidents/incidents-scm/). | January 29, 2026 | Added [Strata Cloud Manager Best Practices](/scm/docs/api-best-practices/). | October 21, 2025 | Added [CIE Directory Sync Service APIs](/scm/api/config/ciedss/ciedss/). | June 27, 2025 | Added [Snippet Sharing APIs](/scm/api/config/sase/setup/snippet-sharing/).