Cloud DLP v2 Incidents API does not work as expected when using filters


Article ID: 402003


Products

CASB Securlet SAAS, Data Loss Prevention Cloud Package, Data Loss Prevention Cloud Detection Service

Issue/Introduction

Symantec CloudSOC offers a set of public RESTful Cloud DLP APIs.

API: Cloud DLP 

A new version (v2) of the Incident APIs has been introduced since v1 is being deprecated. However, some filters that work in v1 do not behave as expected in v2.

Here is an example of a working JSON request in v1:

{
  "filters": [
    {
      "name": "policyName",
      "operator": "in",
      "values": [
        "Social Security Numbers policy"
      ]
    },
    {
      "name": "matchCount",
      "operator": "greater-than-or-equal",
      "value": 100
    }
  ],
  "sort": {
    "name": "insertedDateTimeUtc",
    "direction": "asc"
  },
  "pagePointer": [
    1715955650000,
    2789988
  ],
  "limit": 100
}

This correctly returns only incidents for "Social Security Numbers policy" with a match count equal to or greater than 100.

In v2, a select parameter is mandatory, but sending the same filters as in v1 does not work as expected: the request returns incidents with any match count, because the v1 filter names and operators are not recognised by v2.


Environment

CASB with Cloud DLP

Cause

The supported filterType values and operators have changed.

Resolution

The Incident API v2 guide is expected in the July 2025 update and will include further details.

Supported filterType values are now: boolean, booleanLogic, int, localDateTime, long, and string.

Supported operators are: NOT_IN, IN, IS_NOT_NULL, IS_NULL, LTE, NOT_EQ, EQ, LT, GTE, and GT.

The select parameter is mandatory and at least one name must be selected from: 'incidentHistories', 'incidentNotes', 'recipientInfo', 'components', 'incidentType', 'incidentTypeLabel', 'incidentTypeDetailedLabel', 'monitorChannelType', 'preventOrProtectStatusId', 'preventOrProtectStatusName', 'actionTakenId', 'actionTakenLabel', 'incidentId', 'creationDate', 'detectionDate', 'restCommonApplication', 'rCommonApplicationReportName', 'restCommonDatatype', 'restCommonDatatypeLabel', 'restCommonUserActivityType', 'restCommonUserActivityCount', 'restCommonUserId', 'restCommonUserName', 'restCommonUserIsInternal', 'restHttpMethod', 'restHttpBrowser', 'restHttpUserAgent', 'restDeviceOS', 'restDeviceType', 'restNetworkDirection', 'restNetworkProtocol', 'restCommonDocID', 'messageSubject', 'networkSenderIdentifier', 'networkSenderPort', 'senderIPAddress', 'senderDomain', 'severityId', 'severityName', 'incidentStatusId', 'incidentStatusName', 'matchCount', 'profileId', 'profileName', 'profileVersion', 'messageTypeId', 'messageType', 'messageTypeName', 'protocolId', 'protocolLabel', 'protectPolicyNames', 'conditionNames', 'originalSize', 'messageComponentName', 'detectionServerId', 'rCommonDocExposuresAllInternal', 'restClientDomain', 'restClientUserId', 'restCommonCreated', 'restCommonDocActivityCount', 'restCommonDocExposed', 'restCommonDocExposuresPublic', 'restCommonDocIsInternal', 'restCommonDocParentFolderId', 'restCommonDocType', 'restCommonFilter', 'restCommonLastModified', 'restCommonMessageSource', 'restCommonOwner', 'restCommonSharedWith', 'restCommonSharepoint', 'restCommonSharingUrl', 'restCommonTransactionId', 'restCommonUserThreatScore', 'restFileFolder', 'restHttpUrl', 'restLinkDocExposure', 'restLinkUserExposures', 'restRequestId', 'relatedIncidentCommonId', 'restAwsAccountID', 'restAwsAccountName', 'restAwsRegion', 'restAwsBucketName', 'restAwsPrincipalID', 'restCommonDocCreatorId', 'restLocationLatitude', 'restLocationLongitude', 'restCommonRoom', 'restLocationRegion', 'restLocationRegionCountry', 'isBlockedStatusSuperseded', 'endpointApplicationName', 'endpointApplicationPath', 'endpointSourceAppWindowTitle', 'endpointPrinterName', 'endpointPrinterType', 'endpointPrintJobTitle', 'domainUserName', 'endpointMachineName', 'endpointFileName', 'endpointFilePath', 'endpointSourceFilePath', 'endpointSourceFileName', 'senderEmail', 'senderFirstName', 'senderLastName', 'senderTitle', 'senderAddress', 'senderCountry', 'senderCompany', 'senderDepartment', 'senderOrgUnit', 'managerEmail', 'managerFirstName', 'managerLastName', 'managerTitle', 'managerAddress', 'managerCountry', 'managerCompany', 'managerDepartment', 'managerOrgUnit'.

Example JSON body for API query (v2):

{
  "select": [
    { "name": "incidentId" },
    { "name": "incidentTypeLabel" },
    { "name": "incidentStatusName" },
    { "name": "detectionDate" },
    { "name": "monitorChannelType" },
    { "name": "matchCount" },
    { "name": "networkSenderIdentifier" },
    { "name": "actionTakenLabel" }
  ],
  "filter": {
    "filterType": "booleanLogic",
    "booleanOperator": "AND",
    "filters": [
      {
        "filterType": "string",
        "operandOne": { "name": "actionTakenLabel" },
        "operator": "NOT_IN",
        "operandTwoValues": ["No Action Taken"]
      },
      {
        "filterType": "localDateTime",
        "operandOne": { "name": "detectionDate" },
        "operator": "GT",
        "operandTwoValues": ["2025-06-16T09:10:07.000"]
      },
      {
        "filterType": "int",
        "operandOne": { "name": "matchCount" },
        "operator": "LT",
        "operandTwoValues": [100]
      },
      {
        "filterType": "string",
        "operandOne": { "name": "networkSenderIdentifier" },
        "operator": "EQ",
        "operandTwoValues": ["[email protected]"]
      }
    ]
  },
  "limit": 100
}
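The following Python helper is an added example, not part of this article or of the CloudSOC product, that builds a v2 request body from the filterType, operator and select rules above and rejects anything outside those documented sets before the request is sent. It assumes the v1 operator spellings "in" and "greater-than-or-equal" translate to the v2 operators IN and GTE, uses only a constructed subset of the v2 name list, and, since the article lists no v2 equivalent of the v1 field "policyName", rejects that name rather than guess a replacement.

```python
# Added example: validate and build Cloud DLP Incidents API v2 request bodies.
import json

FILTER_TYPES = {"boolean", "booleanLogic", "int", "localDateTime", "long", "string"}
OPERATORS = {"NOT_IN", "IN", "IS_NOT_NULL", "IS_NULL", "LTE", "NOT_EQ",
             "EQ", "LT", "GTE", "GT"}
# Constructed subset of the v2 name list from the article; extend as needed.
NAMES = {"incidentId", "incidentTypeLabel", "incidentStatusName", "detectionDate",
         "monitorChannelType", "matchCount", "networkSenderIdentifier",
         "actionTakenLabel", "protectPolicyNames"}
# Assumed translation of the v1 operator spellings seen above to v2 names.
V1_TO_V2_OPERATOR = {"in": "IN", "greater-than-or-equal": "GTE"}


def leaf(filter_type, name, operator, values):
    """One v2 leaf filter; rejects values outside the documented sets."""
    if filter_type not in FILTER_TYPES:
        raise ValueError(f"unsupported filterType: {filter_type}")
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator}")
    if name not in NAMES:
        raise ValueError(f"not a v2 field name: {name}")
    return {"filterType": filter_type, "operandOne": {"name": name},
            "operator": operator, "operandTwoValues": list(values)}


def all_of(*filters):
    """Combine several filters under a booleanLogic AND node."""
    return {"filterType": "booleanLogic", "booleanOperator": "AND",
            "filters": list(filters)}


def from_v1(v1_filter, filter_type):
    """Translate one v1 filter ({name, operator, value|values}) to a v2 leaf."""
    operator = V1_TO_V2_OPERATOR[v1_filter["operator"]]
    values = v1_filter["values"] if "values" in v1_filter else [v1_filter["value"]]
    return leaf(filter_type, v1_filter["name"], operator, values)


def body(select_names, filter_node, limit=100):
    """Full v2 request body; select is mandatory and must not be empty."""
    if not select_names:
        raise ValueError("v2 requires at least one select name")
    return {"select": [{"name": n} for n in select_names],
            "filter": filter_node, "limit": limit}


if __name__ == "__main__":
    # The matchCount >= 100 filter from the v1 example, rewritten for v2.
    mc = from_v1({"name": "matchCount", "operator": "greater-than-or-equal",
                  "value": 100}, "int")
    print(json.dumps(body(["incidentId", "matchCount"], all_of(mc)), indent=2))
```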