In [5]:
import prisma_sase
import cloudgenix

In [6]:

#
# Authenticate using Service Account - SASE Portal
#

CLIENT_ID = "paste client ID"
CLIENT_SECRET = "paste client secret"
TSG = "paste TSG ID"


sdk = prisma_sase.API(ssl_verify=False)
sdk.interactive.login_secret(client_id=CLIENT_ID, client_secret=CLIENT_SECRET, tsg_id=TSG)

True

# EVENTS

## Event Query Data Structure


**limit:** 
- Max count is 100. API response contains "total_count" and "included_count". 
- If "total_count" is greater than "included_count", use "_offset" in API response to get delta events

**type:** 
- Allowed values are alarm and alert

**site:**
- List of site IDs
- Retrieves alarms specific to the site IDs provided

**category:**
- Allowed values are network, device, application, policy, spokeha, authentication
- Retrieves category specific alarms

**code:**
- Filter on event code.
- Review document for list of allowed codes
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-incidents-and-alerts/incident-and-alert-events/incident-and-alert-event-codes

**correlation_id:**
- Retrieve alarms specific to a correlation ID
- Alarms raised and cleared for the same condition are associated with each other via the correlation_id
- Can be used to determine when a condition was raised & cleared


**severity:**
- Filter on alarm severity
- Allowed values: critical, major, minor

**priority:**
- Filter on alarm priority
- Allowed values: p1, p2, p3, p4, p5

**acknowledged:**
- To include alarms acknowledged by operators, set this flag to True


**suppressed:**
- To include alarms suppressed by the Event Correlation & Suppression engine, set this flag to True

**suppressed_info:** 
- Used to retrieve alarms suppressed due to the summary event
- Dict expects attribute "summary_event_ids" (list)


**start_time & end_time:**
- Supported timestamp ISO8601 UTC only i.e. YYYY-MM-DDThh:mm:ssZ or YYYY-MM-DDThh:mm:ss.sssZ 
- To retrieve standing alarms, set **both** start_time and end_time to None/null
- Setting either start_time or end_time to a non-null value will only return alarms raised and cleared in that time range



## Retrieve Standing Events

In [39]:
data = {
    "limit":{
        "count":100,
        "sort_on":"time",
        "sort_order":"descending"
    },
    "query":{
        "type":["alarm"],
        "site": [],
        "category":[],
        "code":[],
        "correlation_id": []
    },
    "start_time": None,
    "end_time": None,
    "severity":[],
    "priority":[],
    "acknowledged":False,
    "suppressed":False,
    "suppressed_info":None,
    
}

resp = sdk.post.events_query(data=data)
print("*******************\n{}\n*******************\n\n".format(resp.cgx_content.get("total_count")))
events = resp.cgx_content.get("items", None)
for event in events:
    print(event["time"])

*******************
56
*******************


2023-12-07T13:54:10.327000Z
2023-12-07T13:52:23.298000Z
2023-12-07T13:50:32.139000Z
2023-12-07T08:49:15.869000Z
2023-12-06T20:22:32.153000Z
2023-12-06T19:33:39.952000Z
2023-11-29T17:43:18.489000Z
2023-11-06T05:22:52.229000Z
2023-11-06T05:21:42.398000Z
2023-10-18T22:25:02.142000Z
2023-10-18T22:25:02.142000Z
2023-10-18T22:15:00.376000Z
2023-10-18T22:07:21.168000Z
2023-10-18T21:46:18.385000Z
2023-10-18T21:20:47.023000Z
2023-10-18T21:20:46.773000Z
2023-10-15T22:35:02.688000Z
2023-10-15T22:35:02.688000Z
2023-10-15T22:25:00.285000Z
2023-10-15T22:15:37.113000Z
2023-10-12T18:12:25.905000Z
2023-10-12T18:12:25.859000Z
2023-10-12T18:12:25.800000Z
2023-10-05T21:58:31.010000Z
2023-10-05T05:02:24.078000Z
2023-10-04T20:15:02.430000Z
2023-10-04T20:15:02.430000Z
2023-10-04T20:05:00.393000Z
2023-10-04T19:53:52.427000Z
2023-10-03T23:47:52.714000Z
2023-10-03T23:37:10.648000Z
2023-10-03T23:36:05.704000Z
2023-10-03T23:36:05.387000Z
2023-10-03T23:36:03.559000Z
202

## Retrieve Cleared Events

In [38]:
data = {
    "limit":{
        "count":100,
        "sort_on":"time",
        "sort_order":"descending"
    },
    "query":{
        "type":["alarm"],
        "site": [],
        "category":[],
        "code":[],
        "correlation_id": []
    },
    "start_time": "2023-12-01T00:00:00Z",
    "end_time": None,
    "severity":[],
    "priority":[],
    "acknowledged":False,
    "suppressed":False,
    "suppressed_info":None
}

resp = sdk.post.events_query(data=data)
print("*******************\n{}\n*******************\n\n".format(resp.cgx_content.get("total_count")))
print("*******************\n{}\n*******************\n\n".format(resp.cgx_content.get("included_count")))

#prisma_sase.jd_detailed(resp)
events = resp.cgx_content.get("items", None)
for event in events:
    print(event["code"],event["correlation_id"], event["time"], event["cleared"])

*******************
29119
*******************


*******************
100
*******************


NETWORK_ANYNETLINK_DOWN t0wNYWhy 2023-12-07T13:54:10.327000Z False
SITE_CONNECTIVITY_DEGRADED VcDYX0OX 2023-12-07T13:52:24.747000Z True
NETWORK_ANYNETLINK_DOWN oiH40Gdg 2023-12-07T13:52:23.298000Z False
SITE_CONNECTIVITY_DEGRADED zda8MpIm 2023-12-07T13:50:33.770000Z True
NETWORK_ANYNETLINK_DOWN 3RSgbbmC 2023-12-07T13:50:32.139000Z False
NETWORK_ANYNETLINK_DEGRADED sVKxXL1v 2023-12-07T13:45:52.067000Z True
NETWORK_ANYNETLINK_DEGRADED 7UrNZ8PY 2023-12-07T13:45:50.681000Z True
NETWORK_ANYNETLINK_DEGRADED 7UrNZ8PY 2023-12-07T13:45:49.759000Z False
NETWORK_ANYNETLINK_DEGRADED sVKxXL1v 2023-12-07T13:45:49.690000Z False
USER_ID_DIRECTORY_SYNC_FAILED None 2023-12-07T13:45:01.961000Z True
USER_ID_DIRECTORY_SYNC_FAILED None 2023-12-07T13:45:01.474000Z True
USER_ID_DIRECTORY_SYNC_FAILED None 2023-12-07T13:45:01.252000Z True
SITE_CONNECTIVITY_DEGRADED rnS2qUHH 2023-12-07T13:40:33.708000Z True
SITE_CONNECT

## Use of Temporal Scope

The legacy events API design made it imperative to query events API at least twice to get the entire picture in regards to active and events that are resolved in a given time frame.
<br>

To improve this behavior in retrieving all events at the same time, we introduced the attribute **temporal_scope**.


Any time the **start_time** and **end_time** are **non-null** values, the endpoint would only return events raised and cleared in thet time frame. To also or only retrieve events standing (currently active) in that duration, the *temporal_scope* attribute can be used. 

The allowed values are:
- **include_standing**: When **start_time** and **end_time** are **non-null** values, and temporal_scope is set to include_standing, the API endpoint will include alarms **currently standing** that were raised in between the time period mentioned in the request and also alarms **raised and cleared**. 


- **standing_only**: When **start_time** and **end_time** are **non-null** values, and temporal_scope is set to standing_only, the API endpoint will return **alarms currently standing only** that were raised in between the time period mentioned in the request.


### temporal_scope: include_standing

In [45]:
data = {
    "limit":{
        "count":100,
        "sort_on":"time",
        "sort_order":"descending"
    },
    "query":{
        "type":["alarm"],
        "site": [],
        "category":[],
        "code":[],
        "correlation_id": []
    },
    "start_time": "2023-12-07T09:05:00Z",
    "end_time": None,
    "severity":[],
    "priority":[],
    "acknowledged":False,
    "suppressed":False,
    "temporal_scope": "include_standing"
}

resp = sdk.post.events_query(data=data)
print("*******************\n{}\n*******************\n\n".format(resp.cgx_content.get("total_count")))
prisma_sase.jd_detailed(resp)

*******************
902
*******************


REQUEST: POST /sdwan/v3.6/api/events/query
REQUEST HEADERS:
	User-Agent: python-requests/2.28.1
	Accept-Encoding: gzip, deflate, br
	Accept: */*
	Connection: keep-alive
	authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiOiJyc2Etc2lnbi1wa2NzMS0yMDQ4LXNoYTI1Ni8xIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkNmM2YTNmNS05MDMyLTRlMTMtOTZjOS1lZjc5MTM2ODM5OGUiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXVkaXRUcmFja2luZ0lkIjoiZTAzMmYwZGEtZDUyOS00M2Y3LWJlZDYtMTg0MDBlNWFiOWMxLTM1MzEzNjYiLCJzdWJuYW1lIjoiZDZjNmEzZjUtOTAzMi00ZTEzLTk2YzktZWY3OTEzNjgzOThlIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmFwcHMucGFsb2FsdG9uZXR3b3Jrcy5jb206NDQzL2FtL29hdXRoMiIsInRva2VuTmFtZSI6ImFjY2Vzc190b2tlbiIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJhdXRoR3JhbnRJZCI6Il9RSEFuWEE2c0w4N0UyVDVYM0hnOVdRRVdqMCIsImF1ZCI6ImNzYXNlMnRrYW1hdGhAMTIyODU4NDg2OC5pYW0ucGFuc2VydmljZWFjY291bnQuY29tIiwibmJmIjoxNzAxOTU3ODIzLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwic2NvcGUiOlsidHNnX2lkOjEyMjg1ODQ4NjgiLCJwcm9maWxlIiwiZW1haWwiXSwiYXV

### temporal_scope: standing_only

In [42]:
data = {
    "limit":{
        "count":100,
        "sort_on":"time",
        "sort_order":"descending"
    },
    "query":{
        "type":["alarm"],
        "site": [],
        "category":[],
        "code":[],
        "correlation_id": []
    },
    "start_time": "2023-12-01T00:00:00Z",
    "end_time": None,
    "severity":[],
    "priority":[],
    "acknowledged":False,
    "suppressed":False,
    "temporal_scope": "standing_only"
}

resp = sdk.post.events_query(data=data)
print("*******************\n{}\n*******************\n\n".format(resp.cgx_content.get("total_count")))
#prisma_sase.jd_detailed(resp)
events = resp.cgx_content.get("items", None)
for event in events:
    print(event["time"], event["cleared"])

*******************
6
*******************


2023-12-07T13:54:10.327000Z False
2023-12-07T13:52:23.298000Z False
2023-12-07T13:50:32.139000Z False
2023-12-07T08:49:15.869000Z False
2023-12-06T20:22:32.153000Z False
2023-12-06T19:33:39.952000Z False


## Retrieve Related Faults - Summary Events

In [5]:
data ={
    "severity":[],
    "suppressed_info":{
        "summary_event_ids":["649de3c48e1b8100085ae594"]
    }
}

resp = sdk.post.events_query(data=data)
prisma_sase.jd_detailed(resp)

REQUEST: POST /sdwan/v3.5/api/events/query
REQUEST HEADERS:
	User-Agent: python-requests/2.28.1 (PRISMA SASE SDK v6.1.2b1)
	Accept-Encoding: gzip, deflate, br
	Accept: application/json
	Connection: keep-alive
	authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiOiJyc2Etc2lnbi1wa2NzMS0yMDQ4LXNoYTI1Ni8xIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkNmM2YTNmNS05MDMyLTRlMTMtOTZjOS1lZjc5MTM2ODM5OGUiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXVkaXRUcmFja2luZ0lkIjoiMjVmN2Q0ZTEtNDY3ZC00ODkxLTgzOTUtMWNlMTM0Y2U3N2ViLTUyNjYxMjEiLCJzdWJuYW1lIjoiZDZjNmEzZjUtOTAzMi00ZTEzLTk2YzktZWY3OTEzNjgzOThlIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmFwcHMucGFsb2FsdG9uZXR3b3Jrcy5jb206NDQzL2FtL29hdXRoMiIsInRva2VuTmFtZSI6ImFjY2Vzc190b2tlbiIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJhdXRoR3JhbnRJZCI6ImM5ck9oMlEwTmNQd1FsSU0zVHFpZVk4TEFwdyIsImF1ZCI6ImNzYXNlMnRrYW1hdGhAMTIyODU4NDg2OC5pYW0ucGFuc2VydmljZWFjY291bnQuY29tIiwibmJmIjoxNjg4NjQ2OTcxLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwic2NvcGUiOlsidHNnX2lkOjEyMjg1ODQ4NjgiLCJwcm9maWxlIiwiZW1haWwiXSwiYXV0aF90a

## Retrieve Faults Suppressed due to Policy

In [6]:
data ={
    "severity":[],
    "policy_info":{
        "policyrule_id":["1667225543475011896"]
    }
}

resp = sdk.post.events_query(data=data)
prisma_sase.jd_detailed(resp)

REQUEST: POST /sdwan/v3.5/api/events/query
REQUEST HEADERS:
	User-Agent: python-requests/2.28.1 (PRISMA SASE SDK v6.1.2b1)
	Accept-Encoding: gzip, deflate, br
	Accept: application/json
	Connection: keep-alive
	authorization: Bearer eyJ0eXAiOiJKV1QiLCJraWQiOiJyc2Etc2lnbi1wa2NzMS0yMDQ4LXNoYTI1Ni8xIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkNmM2YTNmNS05MDMyLTRlMTMtOTZjOS1lZjc5MTM2ODM5OGUiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXVkaXRUcmFja2luZ0lkIjoiMjVmN2Q0ZTEtNDY3ZC00ODkxLTgzOTUtMWNlMTM0Y2U3N2ViLTUyNjYxMjEiLCJzdWJuYW1lIjoiZDZjNmEzZjUtOTAzMi00ZTEzLTk2YzktZWY3OTEzNjgzOThlIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmFwcHMucGFsb2FsdG9uZXR3b3Jrcy5jb206NDQzL2FtL29hdXRoMiIsInRva2VuTmFtZSI6ImFjY2Vzc190b2tlbiIsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJhdXRoR3JhbnRJZCI6ImM5ck9oMlEwTmNQd1FsSU0zVHFpZVk4TEFwdyIsImF1ZCI6ImNzYXNlMnRrYW1hdGhAMTIyODU4NDg2OC5pYW0ucGFuc2VydmljZWFjY291bnQuY29tIiwibmJmIjoxNjg4NjQ2OTcxLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwic2NvcGUiOlsidHNnX2lkOjEyMjg1ODQ4NjgiLCJwcm9maWxlIiwiZW1haWwiXSwiYXV0aF90a