Palo Alto Networks SASE (Secure Access Service Edge) delivers real-time notifications for security incidents, platform announcements, dataplane upgrades, and certificate expiration warnings across multitenant deployments. Notifications are sent as HTTP POST requests to registered webhook endpoints configured at the tenant or tenant service group (TSG) level. Each notification includes a tenant context identifier (tsg_id) for routing in multitenant environments. Notification subscriptions are managed through the SASE Multitenant Notification Service API, allowing administrators to select notification types, severity thresholds, and delivery endpoints for each tenant.
Channels
/notification/incident
subscribe: onIncidentNotification
Security incident notification
Channel for security incident notifications. Triggered when SASE detects a security incident such as a policy breach, threat detection, or anomalous activity within a tenant's network perimeter. Incident notifications include severity classification, affected tenant context, and descriptive details for triage and response.
/notification/announcement
subscribe: onAnnouncementNotification
Platform announcement notification
Channel for platform announcement notifications. Delivered when Palo Alto Networks publishes service announcements including scheduled maintenance windows, feature releases, deprecation notices, and service status updates that affect SASE tenants.
/notification/dataplane-upgrade
subscribe: onDataplaneUpgradeNotification
Dataplane upgrade notification
Channel for dataplane upgrade notifications. Triggered when a SASE dataplane upgrade is scheduled, in progress, or completed for a specific region. Notifications include the current and target software versions, scheduled maintenance window, and upgrade status transitions.
/notification/certificate-expiry
subscribe: onCertificateExpiryNotification
Certificate expiration warning notification
Channel for certificate expiration warning notifications. Triggered when TLS/SSL certificates used by SASE service connections, GlobalProtect portals, or custom domains are approaching their expiration date. Warnings are sent at configurable intervals (e.g., 90, 60, 30, 14, 7 days before expiry) to allow administrators to renew certificates before service disruption.
Messages
IncidentNotification
SASE Security Incident Notification
Webhook payload sent when a security incident is detected within a SASE tenant. Contains the incident classification, severity, affected tenant context, and descriptive information for triage.
AnnouncementNotification
SASE Platform Announcement Notification
Webhook payload sent for platform announcements including maintenance windows, feature releases, deprecation notices, and service status updates.
DataplaneUpgradeNotification
SASE Dataplane Upgrade Notification
Webhook payload sent when a SASE dataplane upgrade is scheduled, in progress, or completed for a region.
CertificateExpiryNotification
Certificate Expiration Warning Notification
Webhook payload sent when a TLS/SSL certificate used by SASE services is approaching its expiration date.
Servers
webhook: {notificationEndpoint} (protocol: https)
Your notification endpoint URL registered with the SASE Multitenant Notification Service. Configure notification subscriptions via the SASE API to specify which notification types are delivered to this endpoint. The endpoint must accept POST requests with JSON payloads and return a 2xx response within 30 seconds.
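An added example, not part of the Palo Alto Networks specification: a receiver-side check that applies the type, enum and tsg_id rules from the AsyncAPI document on this page before a notification is routed to a tenant. The function name, the required-field policy, the tenant allowlist, the `*` routing key and de-duplication on notificationId are assumptions of this example.

```python
from datetime import datetime

# Enum values copied from the AsyncAPI document on this page.
ENUMS = {
    "incident": {"severity": ("informational", "low", "medium", "high", "critical")},
    "announcement": {"category": ("maintenance", "feature_release", "deprecation",
                                  "service_status", "security_advisory")},
    "dataplane_upgrade": {"status": ("scheduled", "in_progress", "completed",
                                     "failed", "rolled_back")},
    "certificate_expiry": {},
}
# Assumption: the spec marks no field as required; this is the receiver's own policy.
REQUIRED = ("notificationId", "timestamp")
GLOBAL_ROUTE = "*"  # hypothetical routing key for announcements that omit tsg_id


def check_notification(payload, known_tenants, seen_ids):
    """Return (routing_key, errors); routing_key is None when the payload is rejected."""
    if not isinstance(payload, dict):
        return None, ["payload is not a JSON object"]
    errors = [f"missing or non-string {f}" for f in REQUIRED
              if not isinstance(payload.get(f), str)]
    ntype = payload.get("type")
    spec = ENUMS.get(ntype) if isinstance(ntype, str) else None
    if spec is None:
        errors.append("type is not one of the four notification types")
    else:
        for field, allowed in spec.items():
            if field in payload and payload[field] not in allowed:
                errors.append(f"{field} is outside the spec enum")
    ts = payload.get("timestamp")
    if isinstance(ts, str):
        try:  # fromisoformat() rejects a trailing "Z" before Python 3.11
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            errors.append("timestamp is not a date-time")
    route = payload.get("tsg_id")
    if "tsg_id" not in payload and ntype == "announcement":
        route = GLOBAL_ROUTE  # spec: tsg_id is omitted for global announcements
    elif not isinstance(route, str) or route not in known_tenants:
        errors.append("tsg_id missing or not a tenant this endpoint serves")
    nid = payload.get("notificationId")
    if isinstance(nid, str) and nid in seen_ids:
        errors.append("duplicate notificationId")
    if errors:
        return None, errors
    seen_ids.add(nid)
    return route, []


# The page's default incident example payload, trimmed to the fields checked here.
SAMPLE = {"notificationId": "869591", "type": "incident", "tsg_id": "714248",
          "severity": "low", "title": "Staging Gateway 01",
          "timestamp": "2026-02-01T00:03:22Z", "category": "advanced"}
```

Rejecting a tsg_id the endpoint does not serve keeps one tenant's notifications from being filed under another tenant's queue when several tenants share a receiver.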
asyncapi: 2.6.0
info:
  title: SASE Multitenant Notifications
  version: '1.0'
  description: >-
    Palo Alto Networks SASE (Secure Access Service Edge) delivers real-time
    notifications for security incidents, platform announcements, dataplane
    upgrades, and certificate expiration warnings across multitenant
    deployments. Notifications are sent as HTTP POST requests to registered
    webhook endpoints configured at the tenant or tenant service group (TSG)
    level. Each notification includes a tenant context identifier (tsg_id)
    for routing in multitenant environments. Notification subscriptions are
    managed through the SASE Multitenant Notification Service API, allowing
    administrators to select notification types, severity thresholds, and
    delivery endpoints for each tenant.
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
  webhook:
    url: '{notificationEndpoint}'
    protocol: https
    description: >-
      Your notification endpoint URL registered with the SASE Multitenant
      Notification Service. Configure notification subscriptions via the
      SASE API to specify which notification types are delivered to this
      endpoint. The endpoint must accept POST requests with JSON payloads
      and return a 2xx response within 30 seconds.
    variables:
      notificationEndpoint:
        description: The URL of your registered notification endpoint.
channels:
  /notification/incident:
    description: >-
      Channel for security incident notifications. Triggered when SASE
      detects a security incident such as a policy breach, threat detection,
      or anomalous activity within a tenant's network perimeter. Incident
      notifications include severity classification, affected tenant
      context, and descriptive details for triage and response.
    subscribe:
      operationId: onIncidentNotification
      summary: Security incident notification
      message:
        $ref: '#/components/messages/IncidentNotification'
  /notification/announcement:
    description: >-
      Channel for platform announcement notifications. Delivered when
      Palo Alto Networks publishes service announcements including
      scheduled maintenance windows, feature releases, deprecation
      notices, and service status updates that affect SASE tenants.
    subscribe:
      operationId: onAnnouncementNotification
      summary: Platform announcement notification
      message:
        $ref: '#/components/messages/AnnouncementNotification'
  /notification/dataplane-upgrade:
    description: >-
      Channel for dataplane upgrade notifications. Triggered when a SASE
      dataplane upgrade is scheduled, in progress, or completed for a
      specific region. Notifications include the current and target software
      versions, scheduled maintenance window, and upgrade status transitions.
    subscribe:
      operationId: onDataplaneUpgradeNotification
      summary: Dataplane upgrade notification
      message:
        $ref: '#/components/messages/DataplaneUpgradeNotification'
  /notification/certificate-expiry:
    description: >-
      Channel for certificate expiration warning notifications. Triggered
      when TLS/SSL certificates used by SASE service connections, GlobalProtect
      portals, or custom domains are approaching their expiration date.
      Warnings are sent at configurable intervals (e.g., 90, 60, 30, 14, 7
      days before expiry) to allow administrators to renew certificates
      before service disruption.
    subscribe:
      operationId: onCertificateExpiryNotification
      summary: Certificate expiration warning notification
      message:
        $ref: '#/components/messages/CertificateExpiryNotification'
components:
  messages:
    IncidentNotification:
      name: IncidentNotification
      title: SASE Security Incident Notification
      summary: >-
        Webhook payload sent when a security incident is detected within a
        SASE tenant. Contains the incident classification, severity, affected
        tenant context, and descriptive information for triage.
      contentType: application/json
      payload:
        type: object
        properties:
          notificationId:
            type: string
            description: Unique identifier for this notification delivery.
            example: '794757'
          type:
            type: string
            enum:
              - incident
            description: Notification type identifier.
            example: incident
          tsg_id:
            type: string
            description: >-
              Tenant Service Group identifier indicating which tenant
              context the incident belongs to.
            example: '912769'
          severity:
            type: string
            enum:
              - informational
              - low
              - medium
              - high
              - critical
            description: Severity classification of the security incident.
            example: medium
          title:
            type: string
            description: Brief title summarizing the incident.
            example: Production Agent 89
          description:
            type: string
            description: >-
              Detailed description of the incident including affected
              resources, detection context, and recommended actions.
            example: Activity malware threat Security blocked configured network traffic alert activity.
          timestamp:
            type: string
            format: date-time
            description: Timestamp when the incident was detected.
            example: '2024-07-20T06:56:43Z'
          category:
            type: string
            description: >-
              Incident category such as threat, policy_violation, anomaly,
              or data_loss.
            example: standard
          affectedResources:
            type: array
            description: List of resources affected by the incident.
            items:
              type: object
              properties:
                resourceType:
                  type: string
                  description: Type of affected resource.
                  example: custom
                resourceId:
                  type: string
                  description: Identifier of the affected resource.
                  example: '991933'
            example:
              - resourceType: advanced
                resourceId: '274661'
              - resourceType: standard
                resourceId: '513811'
          callbackUrl:
            type: string
            format: uri
            description: Direct link to the incident in the SASE management console.
            example: https://portal.example.com/087340
      examples:
        - name: IncidentNotificationDefaultExample
          summary: Default IncidentNotification example payload
          x-microcks-default: true
          payload:
            notificationId: '869591'
            type: incident
            tsg_id: '714248'
            severity: low
            title: Staging Gateway 01
            description: Applied incident network malware Security investigation malware monitoring malware firewall.
            timestamp: '2026-02-01T00:03:22Z'
            category: advanced
            affectedResources:
              - resourceType: custom
                resourceId: '626533'
            callbackUrl: https://portal.example.com/7f3823
    AnnouncementNotification:
      name: AnnouncementNotification
      title: SASE Platform Announcement Notification
      summary: >-
        Webhook payload sent for platform announcements including maintenance
        windows, feature releases, deprecation notices, and service status
        updates.
      contentType: application/json
      payload:
        type: object
        properties:
          notificationId:
            type: string
            description: Unique identifier for this notification delivery.
            example: '120038'
          type:
            type: string
            enum:
              - announcement
            description: Notification type identifier.
            example: announcement
          title:
            type: string
            description: Announcement title.
            example: Branch Agent 43
          body:
            type: string
            description: >-
              Full announcement body with details about the platform change,
              maintenance window, or service update.
            example: example-body
          category:
            type: string
            enum:
              - maintenance
              - feature_release
              - deprecation
              - service_status
              - security_advisory
            description: Category of the announcement.
            example: maintenance
          affectedServices:
            type: array
            description: >-
              List of SASE services affected by the announcement, such as
              Prisma Access, GlobalProtect, ADEM, SWG, or ZTNA.
            items:
              type: string
            example:
              - example-affectedServices_item
              - example-affectedServices_item
          effectiveDate:
            type: string
            format: date-time
            description: >-
              Date and time when the announced change takes effect.
            example: '2024-08-26T11:19:41Z'
          timestamp:
            type: string
            format: date-time
            description: Timestamp when the announcement was published.
            example: '2025-05-20T21:35:18Z'
          tsg_id:
            type: string
            description: >-
              Tenant Service Group identifier if the announcement is
              tenant-specific. Omitted for global announcements.
            example: '610576'
      examples:
        - name: AnnouncementNotificationDefaultExample
          summary: Default AnnouncementNotification example payload
          x-microcks-default: true
          payload:
            notificationId: '844637'
            type: announcement
            title: Production Agent 06
            body: example-body
            category: maintenance
            affectedServices:
              - example-affectedServices_item
            effectiveDate: '2024-10-27T22:08:12Z'
            timestamp: '2026-04-21T09:59:11Z'
            tsg_id: '211008'
    DataplaneUpgradeNotification:
      name: DataplaneUpgradeNotification
      title: SASE Dataplane Upgrade Notification
      summary: >-
        Webhook payload sent when a SASE dataplane upgrade is scheduled,
        in progress, or completed for a region.
      contentType: application/json
      payload:
        type: object
        properties:
          notificationId:
            type: string
            description: Unique identifier for this notification delivery.
            example: '769945'
          type:
            type: string
            enum:
              - dataplane_upgrade
            description: Notification type identifier.
            example: dataplane_upgrade
          tsg_id:
            type: string
            description: Tenant Service Group identifier for the affected tenant.
            example: '320093'
          region:
            type: string
            description: >-
              SASE compute region where the dataplane upgrade is occurring,
              such as us-east-1, eu-west-1, or ap-southeast-1.
            example: us-east-1
          currentVersion:
            type: string
            description: >-
              Current dataplane software version before the upgrade.
            example: 3.6.9
          targetVersion:
            type: string
            description: >-
              Target dataplane software version after the upgrade completes.
            example: 7.4.8
          scheduledTime:
            type: string
            format: date-time
            description: >-
              Scheduled start time for the dataplane upgrade maintenance
              window.
            example: '2026-01-25T00:46:59Z'
          estimatedEndTime:
            type: string
            format: date-time
            description: >-
              Estimated end time for the dataplane upgrade maintenance window.
            example: '2024-06-27T02:44:04Z'
          status:
            type: string
            enum:
              - scheduled
              - in_progress
              - completed
              - failed
              - rolled_back
            description: Current status of the dataplane upgrade.
            example: rolled_back
          timestamp:
            type: string
            format: date-time
            description: Timestamp when this notification was generated.
            example: '2026-01-16T03:28:54Z'
      examples:
        - name: DataplaneUpgradeNotificationDefaultExample
          summary: Default DataplaneUpgradeNotification example payload
          x-microcks-default: true
          payload:
            notificationId: '328452'
            type: dataplane_upgrade
            tsg_id: '786196'
            region: us-west-2
            currentVersion: 1.3.2
            targetVersion: 6.7.5
            scheduledTime: '2024-04-13T16:54:37Z'
            estimatedEndTime: '2024-05-12T01:15:45Z'
            status: in_progress
            timestamp: '2026-02-13T04:24:11Z'
    CertificateExpiryNotification:
      name: CertificateExpiryNotification
      title: Certificate Expiration Warning Notification
      summary: >-
        Webhook payload sent when a TLS/SSL certificate used by SASE services
        is approaching its expiration date.
      contentType: application/json
      payload:
        type: object
        properties:
          notificationId:
            type: string
            description: Unique identifier for this notification delivery.
            example: '619771'
          type:
            type: string
            enum:
              - certificate_expiry
            description: Notification type identifier.
            example: certificate_expiry
          tsg_id:
            type: string
            description: Tenant Service Group identifier for the affected tenant.
            example: '822011'
          certificateName:
            type: string
            description: Name of the certificate approaching expiration.
            example: Primary Policy 24
          serialNumber:
            type: string
            description: Certificate serial number.
            example: example-serialNumber
          issuer:
            type: string
            description: Certificate issuer distinguished name.
            example: example-issuer
          subject:
            type: string
            description: Certificate subject distinguished name.
            example: example-subject
          expirationDate:
            type: string
            format: date-time
            description: Certificate expiration date and time.
            example: '2026-04-24T03:06:26Z'
          daysUntilExpiry:
            type: integer
            description: Number of days remaining until the certificate expires.
            example: 743
          usedBy:
            type: array
            description: >-
              List of SASE services or configurations using this certificate.
            items:
              type: string
            example:
              - example-usedBy_item
          timestamp:
            type: string
            format: date-time
            description: Timestamp when this notification was generated.
            example: '2026-06-26T05:21:54Z'
      examples:
        - name: CertificateExpiryNotificationDefaultExample
          summary: Default CertificateExpiryNotification example payload
          x-microcks-default: true
          payload:
            notificationId: '100470'
            type: certificate_expiry
            tsg_id: '798044'
            certificateName: Production Policy 42
            serialNumber: example-serialNumber
            issuer: example-issuer
            subject: example-subject
            expirationDate: '2024-10-16T09:06:17Z'
            daysUntilExpiry: 995
            usedBy:
              - example-usedBy_item
            timestamp: '2026-06-06T22:23:29Z'
  schemas:
    IncidentDetail:
      type: object
      description: >-
        Detailed information about a SASE security incident for enrichment
        and correlation.
      properties:
        incidentId:
          type: string
          description: Unique incident identifier.
          example: '241159'
        type:
          type: string
          description: Incident type classification.
          example: advanced
        severity:
          type: string
          enum:
            - informational
            - low
            - medium
            - high
            - critical
          example: low
        title:
          type: string
          description: Incident title.
          example: Corporate Policy 57
        description:
          type: string
          description: Incident description.
          example: Alert alert rule incident violation violation endpoint.
        tsg_id:
          type: string
          description: Tenant Service Group identifier.
          example: '794912'
        category:
          type: string
          description: Incident category.
          example: standard
        detectionSource:
          type: string
          description: Source of the incident detection.
          example: example-detectionSource
        timestamp:
          type: string
          format: date-time
          example: '2026-11-26T07:09:03Z'
    ServiceInfo:
      type: object
      description: >-
        Information about a SASE service affected by a notification.
      properties:
        serviceName:
          type: string
          description: Name of the SASE service.
          example: Corporate Agent 77
        serviceStatus:
          type: string
          enum:
            - operational
            - degraded
            - maintenance
            - outage
          description: Current operational status of the service.
          example: degraded
        region:
          type: string
          description: Region where the service is deployed.
          example: us-west-2
    TenantContext:
      type: object
      description: >-
        Tenant context information for multitenant notification routing.
      properties:
        tsg_id:
          type: string
          description: Tenant Service Group identifier.
          example: '560610'
        tenantName:
          type: string
          description: Human-readable tenant name.
          example: Staging Sensor 21
        parentTsgId:
          type: string
          description: >-
            Parent Tenant Service Group identifier for hierarchical
            tenant structures.
          example: '498954'