Data Loss Prevention

 API Syntax help - BooleanLogicFilter

Ben Watt posted Nov 22, 2021 11:45 AM
I'm struggling to get the Filter syntax correct for creating an IncidentQueryRequest. I'm following the documentation available here: Symantec Data Loss Prevention 15.7 REST API Guide

I cannot correctly create a combination of filters. Page 21 of that document gives the breakdown of the IncidentQueryRequest and advises that the BooleanLogicFilter can be used to combine multiple filters.

I'm doing this in Python, and below is the closest I got. The API works with this, but the filters are ignored. I would HUGELY appreciate guidance on the filter syntax so I can extract incidents within a specific date range.

body = {
    'select': [
        {'name': 'incidentId'},
        {'name': 'creationDate'}
        ],
    'booleanOperator': 'AND', 'filters': [
        {'filter':{'filterType':'localDateTime','operandOne':{'name':'creationDate'},'operandTwoValues':['2021-11-02T00:00:00Z'],'operator':'LT'}},
        {'filter':{'filterType':'localDateTime','operandOne':{'name':'creationDate'},'operandTwoValues':['2021-11-01T23:00:00Z'],'operator':'GT'}}
        ], 'operator':'AND'
     ,
    'orderby':[
        {'field': {'name': 'messageDate'},'order':'DESC'}
        ], 
    'limit': 10}
Ben Watt
I managed to get the filter syntax working. I have pasted the result below, in case anyone else is looking to do the same.

body = {
    'select': [
        {'name': 'incidentId'},
        {'name': 'creationDate'}
        ],
    'filter':{
        'filterType':'booleanLogic',
        'booleanOperator':'AND','filters':
            [
            {'filterType':'localDateTime','operandOne':{'name':'creationDate'},'operandTwoValues':['2021-11-02T00:00:00Z'],'operator':'LT'},
            {'filterType':'localDateTime','operandOne':{'name':'creationDate'},'operandTwoValues':['2021-11-01T00:00:00Z'],'operator':'GTE'}
            ],
        'operator':'AND'},
    'orderby':[
        {'field': {'name': 'messageDate'},'order':'DESC'}
        ], 
    'limit': 10}
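
The following is an added example, not part of the posts above and not Symantec's code. It builds the working request shape for any date range and lints a body before it is sent, so a misplaced filter is caught locally instead of being silently ignored. The helper names (`date_filter`, `incident_query`, `lint_query`), the set of accepted top-level keys, and the reading of the `Z` suffix as UTC are assumptions drawn from the working post.

```python
from datetime import timezone

# Assumption: only the top-level keys of the working request are honoured;
# anything else (e.g. a bare 'filters' list) is what was silently ignored.
TOP_LEVEL_KEYS = {'select', 'filter', 'orderby', 'limit'}


def date_filter(field, operator, dt):
    """One localDateTime comparison, shaped like the entries in the thread."""
    if dt.tzinfo is None:
        raise ValueError('pass a timezone-aware datetime')
    # Assumption: the 'Z' suffix in the thread's values denotes UTC.
    stamp = dt.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    return {'filterType': 'localDateTime', 'operandOne': {'name': field},
            'operandTwoValues': [stamp], 'operator': operator}


def incident_query(start, end, field='creationDate', limit=10):
    """Body selecting incidents with start <= field < end (half-open)."""
    if start >= end:
        raise ValueError('start must be earlier than end')
    return {
        'select': [{'name': 'incidentId'}, {'name': field}],
        'filter': {
            'filterType': 'booleanLogic',
            'booleanOperator': 'AND',
            'filters': [date_filter(field, 'LT', end),
                        date_filter(field, 'GTE', start)],
            'operator': 'AND',  # kept because the working post includes it
        },
        'orderby': [{'field': {'name': 'messageDate'}, 'order': 'DESC'}],
        'limit': limit,
    }


def lint_query(body):
    """Return reasons the body would not filter as intended (empty = ok)."""
    problems = [f'unexpected top-level key {key!r}'
                for key in sorted(set(body) - TOP_LEVEL_KEYS)]
    if 'filter' not in body:
        problems.append("no top-level 'filter' object")
    stack = [body['filter']] if 'filter' in body else []
    while stack:  # walk nested booleanLogic filters
        node = stack.pop()
        if 'filterType' not in node:
            problems.append("filter object without 'filterType'")
        stack.extend(node.get('filters', []))
    return problems
```

Running `lint_query` on the body from the first post reports the stray `booleanOperator`, `filters` and `operator` keys and the missing `filter` object, which matches the symptom of an unfiltered result set.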