Palo Alto Networks · AsyncAPI Specification
SASE Multitenant Notifications
Version 1.0
Palo Alto Networks SASE (Secure Access Service Edge) delivers real-time notifications for security incidents, platform announcements, dataplane upgrades, and certificate expiration warnings across multitenant deployments. Notifications are sent as HTTP POST requests to registered webhook endpoints configured at the tenant or tenant service group (TSG) level. Each notification includes a tenant context identifier (tsg_id) for routing in multitenant environments. Notification subscriptions are managed through the SASE Multitenant Notification Service API, allowing administrators to select notification types, severity thresholds, and delivery endpoints for each tenant.
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR, AsyncAPI, Webhooks, Events
Channels
/notification/incident
Security incident notification
Channel for security incident notifications. Triggered when SASE detects a security incident such as a policy breach, threat detection, or anomalous activity within a tenant's network perimeter. Incident notifications include severity classification, affected tenant context, and descriptive details for triage and response.
/notification/announcement
Platform announcement notification
Channel for platform announcement notifications. Delivered when Palo Alto Networks publishes service announcements including scheduled maintenance windows, feature releases, deprecation notices, and service status updates that affect SASE tenants.
/notification/dataplane-upgrade
Dataplane upgrade notification
Channel for dataplane upgrade notifications. Triggered when a SASE dataplane upgrade is scheduled, in progress, or completed for a specific region. Notifications include the current and target software versions, scheduled maintenance window, and upgrade status transitions.
/notification/certificate-expiry
Certificate expiration warning notification
Channel for certificate expiration warning notifications. Triggered when TLS/SSL certificates used by SASE service connections, GlobalProtect portals, or custom domains are approaching their expiration date. Warnings are sent at configurable intervals (e.g., 90, 60, 30, 14, 7 days before expiry) to allow administrators to renew certificates before service disruption.
Messages
IncidentNotification
SASE Security Incident Notification
Webhook payload sent when a security incident is detected within a SASE tenant. Contains the incident classification, severity, affected tenant context, and descriptive information for triage.
AnnouncementNotification
SASE Platform Announcement Notification
Webhook payload sent for platform announcements including maintenance windows, feature releases, deprecation notices, and service status updates.
DataplaneUpgradeNotification
SASE Dataplane Upgrade Notification
Webhook payload sent when a SASE dataplane upgrade is scheduled, in progress, or completed for a region.
CertificateExpiryNotification
Certificate Expiration Warning Notification
Webhook payload sent when a TLS/SSL certificate used by SASE services is approaching its expiration date.
Servers
https
webhook
{notificationEndpoint}
Your notification endpoint URL registered with the SASE Multitenant Notification Service. Configure notification subscriptions via the SASE API to specify which notification types are delivered to this endpoint. The endpoint must accept POST requests with JSON payloads and return a 2xx response within 30 seconds.
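A receiver sketch for the endpoint requirements above, added here as an example and not taken from Palo Alto Networks' code or spec. It assumes tsg_id is a top-level string field in the JSON body; the tenant IDs, body size limit, listen address and `severity` field in the test data are constructed. It acknowledges each delivery immediately and defers processing to a queue so the 2xx response stays well inside the 30-second window.

```python
import json
import queue
from http.server import BaseHTTPRequestHandler, HTTPServer

# Channel paths as listed on this page.
CHANNELS = {
    "/notification/incident": "incident",
    "/notification/announcement": "announcement",
    "/notification/dataplane-upgrade": "dataplane-upgrade",
    "/notification/certificate-expiry": "certificate-expiry",
}
MAX_BODY = 64 * 1024                       # assumed limit, not from the spec
KNOWN_TSGS = {"1000000001", "1000000002"}  # constructed tenant ids
WORK = queue.Queue()                       # drained by a separate worker

def accept(path, raw, known_tsgs=KNOWN_TSGS, work=WORK):
    """Validate one delivery and return the HTTP status to send back."""
    kind = CHANNELS.get(path)
    if kind is None:
        return 404
    if len(raw) > MAX_BODY:
        return 413
    try:
        payload = json.loads(raw)
    except ValueError:                     # bad JSON or bad encoding
        return 400
    if not isinstance(payload, dict):
        return 400
    tsg_id = payload.get("tsg_id")         # assumed top-level string field
    if not isinstance(tsg_id, str) or tsg_id not in known_tsgs:
        return 403                         # never route on an unmanaged tenant id
    work.put((kind, tsg_id, payload))      # slow work happens off the request path
    return 202

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        # A missing, malformed or oversized length is refused before reading.
        length = self.headers.get("Content-Length", "")
        n = int(length) if length.isdigit() else MAX_BODY + 1
        status = 413 if n > MAX_BODY else accept(self.path, self.rfile.read(n))
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

A worker thread would read from `WORK` and dispatch on the channel name and tsg_id to the matching tenant's triage or ticketing path.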