Get Incidents
Returns a set of Incidents filtered by the given query parameters.
Example Requests:
Endpoint | Description |
---|---|
/incidents/EIR?created_after=2019-09-24T16:40:35Z | Return Incidents closed after 2019-09-24T16:40:35Z |
/incidents/EIR?created_after=2019-09-24T16:00:00Z&created_before=2019-09-24T17:00:00Z | Return closed Incidents created during the hour of 2019-09-24T16:00:00Z |
/incidents/EIR?sort=closed_at | Return closed Incidents sorted by their closed date in order of newest to oldest |
/incidents/EIR?sort=created_at&direction=asc | Return closed Incidents sorted by their created date in order of oldest to newest |
/incidents/EIR?status=open | Return Incidents that are currently open |
External Documentation
To learn more, visit the PhishLabs Incident Data documentation.
Basic Parameters
Parameter | Description |
---|---|
Message ID | Return all incidents related to the given email Message-ID. |
Status | Filter incidents that are opened or closed. Note: Open cases are not updated in real time. |
Advanced Parameters
Parameter | Description |
---|---|
Closed After | Return Incidents closed on or after the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
Closed Before | Return Incidents closed on or before the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
Created After | Return Incidents created on or after the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
Created Before | Return Incidents created on or before the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
Direction | Return Incidents sorted by the given order. This will be applied to the given sort parameter. |
Extend Attachments | If true, the attachment list will contain the following additional attachment types (if available): screenshot & submission. By default, only payload will be included. |
Limit | Number of records to return. |
Offset | Number of Incidents to skip. This parameter is only useful with pagination. |
Example Output
{
  "incidents": [
    {
      "closed": "2019-09-24T16:40:35Z",
      "created": "2019-09-24T16:17:49Z",
      "description": "This is a malicious phishing email.",
      "details": {
        "attachments": [
          {
            "fileName": "payroll.doc",
            "malicious": true,
            "md5": "f869ce1c8414a264bb11e14a2c8850ed",
            "mimeType": "application/msword",
            "sha256": "07c05679b1cfed895de0d838...",
            "type": "payload",
            "url": "http://incident-bucket.phishlabs.com/donwload/payload_file=payroll.doc"
          }
        ],
        "campaignLabel": "ecrim-202003-191",
        "caseType": "Link",
        "classification": "Malicious",
        "emailAddresses": [
          {
            "address": "sender@example.com",
            "bodyReplyTo": false,
            "headerReplyTo": false,
            "malicious": true,
            "returnPath": true,
            "sender": true
          }
        ],
        "emailBody": "Lorem ipsum dolor sit amet...",
        "emailReceivedDate": "Sat, 17 Nov 2018 16:10:08 +0530",
        "emailReportedBy": "user@phishlabs.com",
        "furtherReviewReason": "Email headers required",
        "messageID": "124369.69372.1552996@wb.phishlabs.com",
        "offlineUponReview": false,
        "payloadFamily": "WannaCry",
        "sender": "marclowe@gmail.com",
        "severity": "High",
        "subClassification": "No Threat Detected",
        "submissionMethod": "Attachment",
        "urls": [
          {
            "malicious": false,
            "maliciousDomain": false,
            "url": "https://phishlabs.com"
          }
        ]
      },
      "duration": 1366,
      "id": "INC123456",
      "modified": "2019-09-24T16:40:35Z",
      "service": "SEA",
      "status": "closed",
      "title": "Fwd: Phishing Email"
    }
  ],
  "metadata": {
    "count": 1
  }
}
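One way to build a time-windowed query and pull the flagged indicators out of a response shaped like the output above, as an added example (not PhishLabs' or the connector's own code). The function names `incidents_path` and `malicious_indicators` are hypothetical, the sample response is constructed with placeholder values, and only query parameters that appear in the example requests are used.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode

def incidents_path(created_after=None, created_before=None, status=None):
    """Build an /incidents/EIR query from parameters shown in the example requests."""
    params = {}
    for key, value in (("created_after", created_after),
                       ("created_before", created_before)):
        if value is None:
            continue
        if value.tzinfo is None:
            raise ValueError(f"{key} must be timezone-aware")
        # RFC3339 in UTC, e.g. 2019-09-24T16:40:35Z
        params[key] = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if status is not None:
        if status not in ("open", "closed"):
            raise ValueError("status must be 'open' or 'closed'")
        params["status"] = status
    return "/incidents/EIR?" + urlencode(params, safe=":")

def malicious_indicators(response):
    """Map incident id -> indicators whose own 'malicious' flag is true."""
    result = {}
    for incident in response.get("incidents") or []:
        details = incident.get("details") or {}
        flagged = lambda key: [i for i in details.get(key) or [] if i.get("malicious")]
        result[incident["id"]] = {
            "classification": details.get("classification"),
            "sha256": [a["sha256"] for a in flagged("attachments") if a.get("sha256")],
            "urls": [u["url"] for u in flagged("urls") if u.get("url")],
            "senders": [e["address"] for e in flagged("emailAddresses") if e.get("sender")],
        }
    return result

# Constructed sample, trimmed to the fields used; values are placeholders.
SAMPLE = {"incidents": [{
    "id": "INC-EXAMPLE-1",
    "details": {
        "classification": "Malicious",
        "attachments": [{"fileName": "a.doc", "malicious": True, "sha256": "ab" * 32}],
        "emailAddresses": [{"address": "sender@example.com", "malicious": True, "sender": True}],
        "urls": [{"url": "https://example.com", "malicious": False}],
    },
}], "metadata": {"count": 1}}

if __name__ == "__main__":
    print(incidents_path(datetime(2019, 9, 24, 16, 40, 35, tzinfo=timezone.utc)))
    print(malicious_indicators(SAMPLE))
```

Filtering on each item's own `malicious` flag, rather than on the incident's `classification` alone, keeps benign URLs that appear in a malicious email out of a blocklist.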
Workflow Library Example
Get Incidents with Phishlabs Incident Data and Send Results Via Email