Palo Alto Networks · Schema

AggregationQuery

AggregationQuery schema from Palo Alto Networks SASE Aggregate Monitoring API

Cloud SecurityCybersecurityFirewallNetwork SecuritySASESOARThreat IntelligenceXDR

Properties

Name Type Description
tsg_id string Tenant Service Group ID to scope the query. Data from all descendant TSGs within this scope is included.
filter object Key-value filter conditions to apply to the query. Filter keys are data-type specific (e.g., severity, category, app_name).
time_range object Time range for the query.
count integer Maximum number of result rows to return.
histogram object Configuration for time-series histogram output. When specified, results are bucketed by time.
group_by array Dimension fields to group results by. Supported values are data-type specific.
sort array Sort order for results.
View JSON Schema on GitHub

JSON Schema

sase-aggregate-monitoring-api-aggregation-query-schema.json Raw ↑ 
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "AggregationQuery",
  "description": "AggregationQuery schema from Palo Alto Networks SASE Aggregate Monitoring API",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/sase-aggregate-monitoring-api-aggregation-query-schema.json",
  "type": "object",
  "properties": {
    "tsg_id": {
      "type": "string",
      "description": "Tenant Service Group ID to scope the query. Data from all descendant TSGs within this scope is included."
    },
    "filter": {
      "type": "object",
      "description": "Key-value filter conditions to apply to the query. Filter keys are data-type specific (e.g., severity, category, app_name).",
      "additionalProperties": {
        "type": "string"
      }
    },
    "time_range": {
      "type": "object",
      "description": "Time range for the query.",
      "properties": {
        "start": {
          "type": "string",
          "format": "date-time",
          "description": "Query start time (ISO 8601)."
        },
        "end": {
          "type": "string",
          "format": "date-time",
          "description": "Query end time (ISO 8601). Defaults to current time."
        },
        "last": {
          "type": "string",
          "description": "Relative time range shorthand (e.g., 1h, 24h, 7d, 30d). Mutually exclusive with start/end."
        }
      }
    },
    "count": {
      "type": "integer",
      "description": "Maximum number of result rows to return.",
      "default": 100,
      "maximum": 1000
    },
    "histogram": {
      "type": "object",
      "description": "Configuration for time-series histogram output. When specified, results are bucketed by time.",
      "properties": {
        "field": {
          "type": "string",
          "description": "Timestamp field to use for bucketing."
        },
        "interval": {
          "type": "string",
          "enum": [
            "1m",
            "5m",
            "15m",
            "1h",
            "6h",
            "1d"
          ],
          "description": "Time bucket interval."
        }
      }
    },
    "group_by": {
      "type": "array",
      "description": "Dimension fields to group results by. Supported values are data-type specific.",
      "items": {
        "type": "string"
      }
    },
    "sort": {
      "type": "array",
      "description": "Sort order for results.",
      "items": {
        "type": "object",
        "properties": {
          "field": {
            "type": "string",
            "description": "Field name to sort by."
          },
          "order": {
            "type": "string",
            "enum": [
              "asc",
              "desc"
            ],
            "default": "desc"
          }
        }
      }
    }
  },
  "required": [
    "tsg_id"
  ]
}