dlp_incidents
The following methods allow for interaction with the ZWA DLP Incidents API endpoints.
Methods are accessible via zwa.dlp_incidents
Copyright (c) 2023, Zscaler Inc.
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- class DLPIncidentsAPI
Bases: APIClient
- assign_labels(incident_id, labels=None)
Assigns labels (name-value pairs) to a DLP incident.
- Parameters:
incident_id (str) – The ID of the incident.
labels (list, optional) – The labels to assign, each a dict with a key (the label name) and a value (the label value).
- Returns:
The updated incident details.
- Return type:
Tuple
Examples
Assign labels to an incident:
>>> incident, _, err = client.zwa.dlp_incidents.assign_labels(
...     incident_id="123456789",
...     labels=[{"key": "Confidential", "value": "Yes"}]
... )
... if err:
...     print(f"Error assigning labels: {err}")
- change_history(incident_id, query_params=None)
Returns the history of updates made to an incident, based on the given ID and timeline.
- Parameters:
incident_id (str) – The ID of the incident.
query_params (dict, optional) – Map of query parameters for the request.
- Returns:
The incident change history.
- Return type:
Tuple
Examples
Return the change history of the incident with the ID of 1-152-DFZG-17410647793298599936:
>>> history, _, err = client.zwa.dlp_incidents.change_history('1-152-DFZG-17410647793298599936')
... if err:
...     print(f"Error listing incident history: {err}")
...     return
... for entry in history:
...     print(entry.as_dict())
- dlp_incident_search(query_params=None, fields=None, time_range=None, **kwargs)
Filters DLP incidents based on the given time range and field values.
The supported field values are:
- Severity
- Priority
- Transaction ID
- Status
- Source
- Source DLP Type
- Labels
- Incident Group
- Engine
Note
Ensure field values match API-supported parameters.
The supported time range values are:
- Start date and time
- End date and time
- Parameters:
query_params (dict, optional) –
Map of query parameters for the request.
page (int, optional): Specifies the page number of the incident in a multi-paginated response. This field is not required if page_id is used.
page_size (int, optional): Specifies the page size (i.e., number of incidents per page). Max: 100.
page_id (str, optional): Specifies the page ID of the incident in a multi-paginated response. The page ID can be used instead of the page number.
fields (list, optional) –
A list of field filters, each a dict with a name and a list of value entries.
Example:
fields = [
    {"name": "severity", "value": ["high"]},
    {"name": "status", "value": ["open", "resolved"]},
]
time_range (dict, optional) –
Time range for filtering incidents, given as startTime and endTime in ISO 8601 UTC format. A meaningful search needs an endTime later than the startTime; the identical values in the example below are placeholders only.
Example:
time_range = {
    "startTime": "2025-03-03T18:04:52.074Z",
    "endTime": "2025-03-03T18:04:52.074Z",
}
- Returns:
The incident search results.
- Return type:
Tuple
Examples
Perform an incident search with a severity filter and handle the error case:
>>> search, _, error = client.zwa.dlp_incidents.dlp_incident_search(
...     fields=[{"name": "severity", "value": ["high"]}],
...     time_range={"startTime": "2025-03-03T18:04:52.074Z", "endTime": "2025-03-03T18:04:52.074Z"}
... )
... if error:
...     print(f"Error fetching incidents: {error}")
... else:
...     for incident in search:
...         print(incident.as_dict())
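The search call returns one page at a time and reports failures in the third slot of the returned tuple rather than by raising. The following is an added example (not code from the Zscaler SDK or from this page) that builds the fields and time_range arguments with basic validation and walks every page of a result set, stopping at the first error. It assumes only the documented dlp_incident_search signature and its (results, response, error) tuple; page numbering starting at 1, the FakeSearchApi stand-in and the SAMPLE_INCIDENTS data are assumptions constructed so the example runs offline.

```python
"""Validated DLP incident search with page-by-page iteration.

Added example, not zscaler SDK code. It assumes only the documented
client.zwa.dlp_incidents.dlp_incident_search signature (query_params, fields,
time_range) and its (results, response, error) return tuple. FakeSearchApi and
SAMPLE_INCIDENTS are constructed stand-ins so the example runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator

MAX_PAGE_SIZE = 100  # documented maximum for the page_size query parameter
FIRST_PAGE = 1       # assumption: the API's page numbers start at 1


def iso_utc(dt: datetime) -> str:
    """Render a timezone-aware datetime as 2025-03-03T18:04:52.074Z (the API's format)."""
    if dt.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; a naive one shifts the window by the host's UTC offset")
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_search(filters: dict, start: datetime, end: datetime) -> dict:
    """Turn {"severity": ["high"], "status": ["open"]} into the SDK's fields/time_range arguments.

    Rejects two inputs that cannot describe a useful search: an empty value
    list and a window whose end is not after its start.
    """
    if end <= start:
        raise ValueError("endTime must be later than startTime")
    fields = []
    for name, values in filters.items():
        values = [str(v) for v in values]
        if not values:
            raise ValueError(f"filter {name!r} has no values")
        fields.append({"name": name, "value": values})
    return {"fields": fields,
            "time_range": {"startTime": iso_utc(start), "endTime": iso_utc(end)}}


def iter_incidents(search: Callable, fields: list, time_range: dict,
                   page_size: int = MAX_PAGE_SIZE) -> Iterator:
    """Yield every matching incident, walking page numbers until a short or empty page.

    `search` is client.zwa.dlp_incidents.dlp_incident_search (or a stand-in with
    the same signature); page_size is clamped to the documented maximum.
    """
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    page = FIRST_PAGE
    while True:
        results, _, err = search(query_params={"page": page, "page_size": page_size},
                                 fields=fields, time_range=time_range)
        if err:
            raise RuntimeError(f"incident search failed on page {page}: {err}")
        results = list(results or [])
        yield from results
        if len(results) < page_size:  # short (or empty) page: nothing more to fetch
            return
        page += 1


def _as_dict(item) -> dict:
    """SDK results expose as_dict(); the offline stand-in returns plain dicts."""
    return item.as_dict() if hasattr(item, "as_dict") else item


class FakeSearchApi:
    """Constructed stand-in for client.zwa.dlp_incidents that serves canned incidents."""

    def __init__(self, incidents: list):
        self.incidents = incidents
        self.calls = 0

    def dlp_incident_search(self, query_params=None, fields=None, time_range=None, **kwargs):
        self.calls += 1
        wanted = {f["name"]: set(f["value"]) for f in (fields or [])}
        matches = [i for i in self.incidents
                   if all(i.get(name) in values for name, values in wanted.items())]
        page = (query_params or {}).get("page", FIRST_PAGE)
        size = (query_params or {}).get("page_size", MAX_PAGE_SIZE)
        offset = (page - FIRST_PAGE) * size
        return matches[offset:offset + size], None, None


# Constructed sample data, not real incidents.
SAMPLE_INCIDENTS = [
    {"incidentId": "INC-1", "severity": "high", "status": "open"},
    {"incidentId": "INC-2", "severity": "low", "status": "open"},
    {"incidentId": "INC-3", "severity": "high", "status": "resolved"},
    {"incidentId": "INC-4", "severity": "high", "status": "open"},
    {"incidentId": "INC-5", "severity": "high", "status": "open"},
    {"incidentId": "INC-6", "severity": "low", "status": "open"},
    {"incidentId": "INC-7", "severity": "high", "status": "open"},
]
SAMPLE_NOW = datetime(2025, 3, 3, 18, 4, 52, 74000, tzinfo=timezone.utc)


def open_high_severity(api, now: datetime, hours: int = 24, page_size: int = MAX_PAGE_SIZE) -> list:
    """IDs of open, high-severity incidents from the last `hours`, collected across all pages."""
    params = build_search({"severity": ["high"], "status": ["open"]},
                          now - timedelta(hours=hours), now)
    return [_as_dict(inc)["incidentId"] for inc in
            iter_incidents(api.dlp_incident_search, params["fields"], params["time_range"], page_size)]


if __name__ == "__main__":
    api = FakeSearchApi(SAMPLE_INCIDENTS)
    print(open_high_severity(api, SAMPLE_NOW, page_size=3), "in", api.calls, "API calls")
```

Against a real client, pass client.zwa.dlp_incidents.dlp_incident_search as the search callable; the stop condition (a page shorter than page_size) keeps the loop bounded even if the API returns an empty page instead of an error past the last one.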
- get_generated_tickets(incident_id)
Returns details of the ticket generated for the incident, for example the ticket type, ticket ID, and ticket status.
- Parameters:
incident_id (str) – The ID of the incident.
- Returns:
The information of the ticket generated.
- Return type:
Tuple
Examples
Return the ticket information for the incident with the ID of 1-152-LJTC-17410768107888539648:
>>> tickets, _, err = client.zwa.dlp_incidents.get_generated_tickets('1-152-LJTC-17410768107888539648')
... if err:
...     print(f"Error listing tickets: {err}")
...     return
... print("Incident Ticket Data:")
... if not tickets:
...     print("No tickets found.")
...     return
... for ticket in tickets:
...     print(ticket.as_dict())
- get_incident_details(incident_id, query_params=None)
Returns the details of a DLP incident based on the incident ID.
- Parameters:
incident_id (str) – The ID of the incident.
- Keyword Arguments:
query_params (dict) –
Map of query parameters for the request.
query_params.fields (list): The fields of the DLP incident to return, for example sourceActions, contentInfo, status, resolution, etc.
- Returns:
The incident details information.
- Return type:
Tuple
Examples
Return the details of the incident with the ID of SVDP-17410643229970491392:
>>> incident, _, err = client.zwa.dlp_incidents.get_incident_details('SVDP-17410643229970491392')
... if err:
...     print(f"Error fetching incident: {err}")
...     return
... print(incident.as_dict())
- get_incident_evidence(incident_id)
Gets the evidence URL of the incident. The evidence link can be used to view and download the XML file with the actual data that triggered the incident.
Because the evidence file contains the matched content itself, treat the returned URL and anything downloaded from it as sensitive: do not write it to general-purpose logs, and restrict which operators and automations are allowed to call this method.
- Parameters:
incident_id (str) – The ID of the incident.
- Returns:
The incident evidence information, including the evidence URL.
- Return type:
Tuple
Examples
Return the evidence URL for the incident with the ID of 1-152-UEES-17410707180862789632:
>>> evidence, _, err = client.zwa.dlp_incidents.get_incident_evidence(
...     '1-152-UEES-17410707180862789632')
... if err:
...     print(f"Error fetching evidence: {err}")
...     return
... print(evidence.as_dict())
- get_incident_transactions(transaction_id, query_params=None)
Returns the DLP incidents associated with the given transaction ID.
- Parameters:
transaction_id (str) – The ID of the transaction.
- Keyword Arguments:
query_params (dict) –
Map of query parameters for the request.
query_params.fields (list): The fields of the DLP incident to return, for example sourceActions, contentInfo, status, resolution, etc.
- Returns:
The incidents associated with the transaction.
- Return type:
Tuple
Examples
Return the incidents associated with the transaction ID SVDP-17410643229970491392:
>>> transactions, _, err = client.zwa.dlp_incidents.get_incident_transactions('SVDP-17410643229970491392')
... if err:
...     print(f"Error listing transactions: {err}")
...     return
... for incident in transactions:
...     print(incident.as_dict())
- get_incident_triggers(incident_id)
Returns the trigger information for the DLP incident with the given ID.
- Parameters:
incident_id (str) – The ID of the incident.
- Returns:
The incident trigger information.
- Return type:
Tuple
Examples
Return the triggers of the incident with the ID of 1-152-UEES-17410707180862789632:
>>> triggers, _, err = client.zwa.dlp_incidents.get_incident_triggers('1-152-UEES-17410707180862789632')
... if err:
...     print(f"Error listing triggers: {err}")
...     return
... for trigger in triggers:
...     print(trigger.as_dict())
- incident_close(incident_id, resolution_label=None, resolution_code=None, notes=None)
Updates the status of the incident to resolved and closes the incident with a resolution label and a resolution code.
- Parameters:
incident_id (str) – The ID of the incident.
resolution_label (dict, optional) – Assigns a label (a label name and its associated value) to the DLP incident.
- key (str): The name of the resolution label.
- value (str): The value of the resolution label.
resolution_code (str, optional) – The resolution code. Supported values: "FALSE_POSITIVE"
notes (str, optional) – Additional notes related to the resolution.
- Returns:
The closed incident information.
- Return type:
Tuple
Examples
Close an incident with a resolution label:
>>> closed_incident, _, err = client.zwa.dlp_incidents.incident_close(
...     incident_id="123456789",
...     resolution_label={"key": "Review", "value": "Completed"},
...     resolution_code="FALSE_POSITIVE",
...     notes="Incident reviewed and closed."
... )
- incident_group_search(incident_id, incident_group_ids=None)
Filters a list of DLP incident groups to which the specified incident ID belongs.
- Parameters:
incident_id (str) – The ID of the incident.
incident_group_ids (list, optional) – The IDs of the incident groups to filter by.
- Returns:
The list of incident group search information.
- Return type:
Tuple
Examples
Perform a search for an incident group:
>>> search, _, error = client.zwa.dlp_incidents.incident_group_search(
...     incident_id="123456789",
...     incident_group_ids=["16786743992009003"]
... )
... if error:
...     print(f"Error searching incident groups: {error}")
- incident_notes(incident_id, notes=None)
Adds notes to a DLP incident.
- Parameters:
incident_id (str) – The ID of the incident.
notes (str, optional) – The note text to add to the incident.
- Returns:
The updated incident details.
- Return type:
Tuple
Examples
Add a note to an incident:
>>> incident, _, err = client.zwa.dlp_incidents.incident_notes(
...     incident_id="123456789",
...     notes="Investigation in progress."
... )
... if err:
...     print(f"Error adding note: {err}")
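incident_notes, assign_labels and incident_close are usually used together when an analyst dispositions an incident. The following is an added example (not code from the Zscaler SDK or from this page) that chains the three documented calls into one false-positive workflow: it writes the justification and labels first, closes last, and stops at the first error so a failed write never gets a close stacked on top of it. It assumes only those three method signatures, their (result, response, error) tuple and the documented FALSE_POSITIVE resolution code; the label keys, the FakeIncidentApi stand-in and the SAMPLE_INCIDENTS data are constructed for the example.

```python
"""Close a reviewed DLP incident as a false positive, leaving an audit trail first.

Added example, not zscaler SDK code. It assumes only the three documented
client.zwa.dlp_incidents methods used below (incident_notes, assign_labels,
incident_close), their (result, response, error) return tuple and the
documented FALSE_POSITIVE resolution code. The label keys, FakeIncidentApi and
SAMPLE_INCIDENTS are constructed for the example.
"""


class ResolveError(RuntimeError):
    """A step of the workflow failed; .step names it so the caller knows what was already written."""

    def __init__(self, step: str, err):
        super().__init__(f"{step} failed: {err}")
        self.step = step


def resolve_false_positive(api, incident_id: str, reviewer: str, reason: str):
    """Record the justification, label the incident, then close it as FALSE_POSITIVE.

    The order is deliberate: the note and labels land before the close, so if
    the close call fails the incident stays open but already carries the
    reviewer's reasoning for whoever picks it up next. The first error stops
    the workflow.
    """
    steps = [
        ("incident_notes", lambda: api.incident_notes(
            incident_id=incident_id,
            notes=f"Reviewed by {reviewer}: {reason}")),
        ("assign_labels", lambda: api.assign_labels(
            incident_id=incident_id,
            labels=[{"key": "Reviewer", "value": reviewer},            # assumed label keys
                    {"key": "Disposition", "value": "False positive"}])),
        ("incident_close", lambda: api.incident_close(
            incident_id=incident_id,
            resolution_label={"key": "Review", "value": "Completed"},
            resolution_code="FALSE_POSITIVE",  # the only resolution code the docs list
            notes=reason)),
    ]
    result = None
    for step, call in steps:
        result, _, err = call()
        if err:
            raise ResolveError(step, err)
    return result  # the closed incident, as returned by incident_close


class FakeIncidentApi:
    """Constructed stand-in for client.zwa.dlp_incidents: mutates in-memory dicts, can fail on demand."""

    def __init__(self, incidents: list, fail_on: str = None):
        self.incidents = {i["incidentId"]: dict(i) for i in incidents}
        self.fail_on = fail_on
        self.calls = []

    def _lookup(self, step: str, incident_id: str):
        self.calls.append(step)
        if step == self.fail_on:
            return None, None, f"simulated API error in {step}"
        inc = self.incidents.get(incident_id)
        if inc is None:
            return None, None, f"incident {incident_id} not found"
        return inc, None, None

    def incident_notes(self, incident_id, notes=None):
        inc, resp, err = self._lookup("incident_notes", incident_id)
        if not err:
            inc.setdefault("notes", []).append(notes)
        return inc, resp, err

    def assign_labels(self, incident_id, labels=None):
        inc, resp, err = self._lookup("assign_labels", incident_id)
        if not err:
            inc.setdefault("labels", []).extend(labels or [])
        return inc, resp, err

    def incident_close(self, incident_id, resolution_label=None, resolution_code=None, notes=None):
        inc, resp, err = self._lookup("incident_close", incident_id)
        if not err:
            inc.update(status="resolved", resolutionCode=resolution_code,
                       resolutionLabel=resolution_label)
        return inc, resp, err


# Constructed sample data, not a real incident.
SAMPLE_INCIDENTS = [{"incidentId": "INC-1", "severity": "high", "status": "open"}]


if __name__ == "__main__":
    api = FakeIncidentApi(SAMPLE_INCIDENTS)
    closed = resolve_false_positive(api, "INC-1", "analyst@example.com", "Test data in a QA bucket")
    print(closed["status"], closed["resolutionCode"], api.calls)
```

With a real client, pass client.zwa.dlp_incidents as api; catching ResolveError and reading its step tells the caller whether the incident still needs closing or whether even the note was never written.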