{
    "id": 1,
    "type": "Malware",
    "summary": "Unsolicited Bulk Email",
    "description": "EvilScheme test message",
    "score": 4200,
    "state": "Open",
    "created_at": "2018-05-26T21:07:17Z",
    "false_positive_count": 0,
    "event_count": 3,
    "event_sources": [
      "Proofpoint TAP"
    ],
    "users": [
      "nbadguy"
    ],
    "assignee": "Unassigned",
    "team": "Unassigned",
    "hosts": {
      "attacker": [
        "54.214.13.31",
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
      ],
      "forensics": [
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
        "tapdemo.evilscheme.org"
      ]
    },
    "incident_field_values": [
      {
        "name": "Attack Vector",
        "value": "Email"
      },
      {
        "name": "Classification",
        "value": "Spam"
      },
      {
        "name": "Severity",
        "value": "Critical"
      }
    ],
    "events": [
      {
        "id": 3,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "classified": false,
        "state": "Linked",
        "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z",
        "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
      },
      {
        "id": 1,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      },
      {
        "id": 2,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      }
    ],
    "comments": [
      {
        "user": "soc-mgr",
        "comment": "This incident needs to be prioritized.",
        "commented_on": "2019-09-12T13:58:32Z"
      },
      {
        "user": "soc-1",
        "comment": "Email needs to be quarantined.",
        "commented_on": "2019-09-12T14:00:20Z"
      }
    ],
    "quarantine_results": [],
    "successful_quarantines": 0,
    "failed_quarantines": 0,
    "pending_quarantines": 0
}