Palo Alto Networks · JSON Structure

Threat Vault API Threat Signature Structure

Threat signature metadata record.

Type: object Properties: 16

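ThreatSignature is a JSON Structure definition published by Palo Alto Networks, describing 16 properties. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema. The definition marks no property as required and places no format constraint on the string items of the cve and sha256 arrays, so a consumer that ingests these records should validate identifier and hash formats itself before using them for matching or enrichment.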

Properties

id name type subtype severity description cve default_action min_version max_version status ori_release_version latest_release_version first_release_time latest_release_time sha256

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/threat-vault-api-threat-signature-structure.json",
  "name": "ThreatSignature",
  "description": "Threat signature metadata record.",
  "type": "object",
  "properties": {
    "id": {
      "type": "int32",
      "description": "Unique signature identifier."
    },
    "name": {
      "type": "string",
      "description": "Signature name."
    },
    "type": {
      "type": "string",
      "description": "Signature type category.",
      "enum": [
        "antivirus",
        "antispyware",
        "vulnerability",
        "dns",
        "fileformat"
      ]
    },
    "subtype": {
      "type": "string",
      "description": "Signature subtype (e.g., virus, trojan, exploit)."
    },
    "severity": {
      "type": "string",
      "enum": [
        "critical",
        "high",
        "medium",
        "low",
        "informational"
      ]
    },
    "description": {
      "type": "string",
      "description": "Human-readable description of the threat."
    },
    "cve": {
      "type": "array",
      "description": "Associated CVE identifiers.",
      "items": {
        "type": "string"
      }
    },
    "default_action": {
      "type": "string",
      "description": "Default action applied to traffic matching this signature.",
      "enum": [
        "alert",
        "allow",
        "drop",
        "reset-both",
        "reset-client",
        "reset-server",
        "block-ip",
        "sinkhole"
      ]
    },
    "min_version": {
      "type": "string",
      "description": "Minimum PAN-OS version supporting this signature."
    },
    "max_version": {
      "type": "string",
      "description": "Maximum PAN-OS version supporting this signature (empty if still active)."
    },
    "status": {
      "type": "string",
      "enum": [
        "released",
        "deprecated",
        "disabled"
      ]
    },
    "ori_release_version": {
      "type": "string",
      "description": "Content version in which this signature was first released."
    },
    "latest_release_version": {
      "type": "string",
      "description": "Most recent content version that updated this signature."
    },
    "first_release_time": {
      "type": "datetime",
      "description": "Timestamp when the signature was first released."
    },
    "latest_release_time": {
      "type": "datetime",
      "description": "Timestamp of the most recent signature update."
    },
    "sha256": {
      "type": "array",
      "description": "SHA-256 hashes associated with this signature (applies to antivirus signatures).",
      "items": {
        "type": "string"
      }
    }
  }
}