Get Incidents

Returns a set of Incidents filtered by the given query parameters.

Example Requests:

| Endpoint | Description |
| --- | --- |
| /incidents/EIR?created_after=2019-09-24T16:40:35Z | Return Incidents closed after 2019-09-24T16:40:35Z |
| /incidents/EIR?created_after=2019-09-24T16:00:00Z&created_before=2019-09-24T17:00:00Z | Return closed Incidents created during the hour of 2019-09-24T16:00:00Z |
| /incidents/EIR?sort=closed_at | Return closed Incidents sorted by their closed date in order of newest to oldest |
| /incidents/EIR?sort=created_at&direction=asc | Return closed Incidents sorted by their created date in order of oldest to newest |
| /incidents/EIR?status=open | Return Incidents that are currently open |

External Documentation

To learn more, visit the PhishLabs Incident Data documentation.

Basic Parameters

| Parameter | Description |
| --- | --- |
| Message ID | Return all incidents related to the given email Message-ID. |
| Status | Filter incidents that are open or closed. Note: Open cases are not updated in real time. |

Advanced Parameters

| Parameter | Description |
| --- | --- |
| Closed After | Return Incidents closed on or after the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
| Closed Before | Return Incidents closed on or before the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
| Created After | Return Incidents created on or after the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
| Created Before | Return Incidents created on or before the given timestamp. Timestamp is in RFC3339 format (2019-04-12T23:20:50Z). |
| Direction | Return Incidents sorted by the given order. This will be applied to the given sort parameter. |
| Extend Attachments | If true, the attachment list will contain the following additional attachment types (if available): screenshot & submission. By default, only payload will be included. |
| Limit | Number of records to return. |
| Offset | Number of Incidents to skip. This parameter is only useful with pagination. |

Example Output

{
  "incidents": [
    {
      "closed": "2019-09-24T16:40:35Z",
      "created": "2019-09-24T16:17:49Z",
      "description": "This is a malicious phishing email.",
      "details": {
        "attachments": [
          {
            "fileName": "payroll.doc",
            "malicious": true,
            "md5": "f869ce1c8414a264bb11e14a2c8850ed",
            "mimeType": "application/msword",
            "sha256": "07c05679b1cfed895de0d838...",
            "type": "payload",
            "url": "http://incident-bucket.phishlabs.com/donwload/payload_file=payroll.doc"
          }
        ],
        "campaignLabel": "ecrim-202003-191",
        "caseType": "Link",
        "classification": "Malicious",
        "emailAddresses": [
          {
            "address": "sender@example.com",
            "bodyReplyTo": false,
            "headerReplyTo": false,
            "malicious": true,
            "returnPath": true,
            "sender": true
          }
        ],
        "emailBody": "Lorem ipsum dolor sit amet...",
        "emailReceivedDate": "Sat, 17 Nov 2018 16:10:08 +0530",
        "emailReportedBy": "user@phishlabs.com",
        "furtherReviewReason": "Email headers required",
        "messageID": "124369.69372.1552996@wb.phishlabs.com",
        "offlineUponReview": false,
        "payloadFamily": "WannaCry",
        "sender": "marclowe@gmail.com",
        "severity": "High",
        "subClassification": "No Threat Detected",
        "submissionMethod": "Attachment",
        "urls": [
          {
            "malicious": false,
            "maliciousDomain": false,
            "url": "https://phishlabs.com"
          }
        ]
      },
      "duration": 1366,
      "id": "INC123456",
      "modified": "2019-09-24T16:40:35Z",
      "service": "SEA",
      "status": "closed",
      "title": "Fwd: Phishing Email"
    }
  ],
  "metadata": {
    "count": 1
  }
}
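
The following is an added example, not code from this page or from PhishLabs: it builds a request path from the query keys shown in Example Requests and pulls the items flagged "malicious": true out of a response shaped like the Example Output. The helper names incidents_path and malicious_indicators are hypothetical, the sample response is constructed from the Example Output, and timestamps are restricted to the UTC "Z" form the page shows.

```python
from datetime import datetime
from urllib.parse import urlencode

# Query keys that appear in the page's Example Requests; nothing else is assumed.
ALLOWED = {"created_after", "created_before", "sort", "direction", "status"}

def incidents_path(service="EIR", **params):
    """Build a Get Incidents request path (hypothetical helper)."""
    unknown = set(params) - ALLOWED
    if unknown:
        raise ValueError(f"unsupported query keys: {sorted(unknown)}")
    for key in ("created_after", "created_before"):
        if key in params:
            # Accept only the UTC form the page shows (2019-04-12T23:20:50Z);
            # strptime raises ValueError on anything else.
            datetime.strptime(params[key], "%Y-%m-%dT%H:%M:%SZ")
    return f"/incidents/{service}?" + urlencode(sorted(params.items()), safe=":")

def malicious_indicators(response):
    """Return (incident id, kind, value, md5) for items flagged "malicious": true."""
    rows = []
    for inc in response.get("incidents", []):
        details = inc.get("details", {})
        for att in details.get("attachments", []):
            if att.get("malicious"):
                rows.append((inc["id"], "attachment", att.get("fileName"), att.get("md5")))
        for addr in details.get("emailAddresses", []):
            if addr.get("malicious"):
                rows.append((inc["id"], "address", addr.get("address"), None))
        for url in details.get("urls", []):
            if url.get("malicious") or url.get("maliciousDomain"):
                rows.append((inc["id"], "url", url.get("url"), None))
    return rows

# Constructed sample: the Example Output trimmed to the fields read above.
SAMPLE = {"incidents": [{
    "id": "INC123456",
    "details": {
        "attachments": [{"fileName": "payroll.doc", "malicious": True,
                         "md5": "f869ce1c8414a264bb11e14a2c8850ed"}],
        "emailAddresses": [{"address": "sender@example.com", "malicious": True}],
        "urls": [{"malicious": False, "maliciousDomain": False,
                  "url": "https://phishlabs.com"}],
    },
}]}

if __name__ == "__main__":
    print(incidents_path(status="open"))
    for row in malicious_indicators(SAMPLE):
        print(row)
```

The per-item "malicious" flags are what drive the output here; the incident-level "classification" field is not consulted.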

Workflow Library Example

Get Incidents with Phishlabs Incident Data and Send Results Via Email