Get Incident Details
Retrieve incident metadata by its ID.
External Documentation
To learn more, visit the Proofpoint Threat Response Auto Pull documentation.
Parameters
| Parameter | Description |
|---|---|
| Expand Events | Retrieve the incident with its events data expanded. |
| Incident ID | The ID value of the incident to retrieve. |
Example Output
```json
{
  "id": 1,
  "type": "Malware",
  "summary": "Unsolicited Bulk Email",
  "description": "EvilScheme test message",
  "score": 4200,
  "state": "Open",
  "created_at": "2018-05-26T21:07:17Z",
  "false_positive_count": 0,
  "event_count": 3,
  "event_sources": [
    "Proofpoint TAP"
  ],
  "users": [
    "nbadguy"
  ],
  "assignee": "Unassigned",
  "team": "Unassigned",
  "hosts": {
    "attacker": [
      "54.214.13.31",
      "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
    ],
    "forensics": [
      "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
      "tapdemo.evilscheme.org"
    ]
  },
  "incident_field_values": [
    {
      "name": "Attack Vector",
      "value": "Email"
    },
    {
      "name": "Classification",
      "value": "Spam"
    },
    {
      "name": "Severity",
      "value": "Critical"
    }
  ],
  "events": [
    {
      "id": 3,
      "category": "malware",
      "severity": "Info",
      "source": "Proofpoint TAP",
      "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
      "classified": false,
      "state": "Linked",
      "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
      "attackDirection": "inbound",
      "received": "2018-05-26T21:07:17Z",
      "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
    },
    {
      "id": 1,
      "category": "spam",
      "severity": "Critical",
      "source": "Proofpoint TAP",
      "threatname": "Unsolicited Bulk Email",
      "classified": false,
      "state": "Linked",
      "attackDirection": "inbound",
      "received": "2018-05-26T21:07:17Z"
    },
    {
      "id": 2,
      "category": "spam",
      "severity": "Critical",
      "source": "Proofpoint TAP",
      "threatname": "Unsolicited Bulk Email",
      "classified": false,
      "state": "Linked",
      "attackDirection": "inbound",
      "received": "2018-05-26T21:07:17Z"
    }
  ],
  "comments": [
    {
      "user": "soc-mgr",
      "comment": "This incident needs to be prioritized.",
      "commented_on": "2019-09-12T13:58:32Z"
    },
    {
      "user": "soc-1",
      "comment": "Email needs to be quarantined.",
      "commented_on": "2019-09-12T14:00:20Z"
    }
  ],
  "quarantine_results": [],
  "successful_quarantines": 0,
  "failed_quarantines": 0,
  "pending_quarantines": 0
}
```
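The example output above is what a workflow step downstream of this action receives. The following is an added example, not code from Proofpoint or from the workflow platform, showing how such a step can consume the incident: it tags each `hosts` entry as an IP, URL or bare domain so it can be routed to the right blocklist, deduplicates indicators that appear under both `attacker` and `forensics`, and derives triage flags from `state`, `assignee`, the event severities and the quarantine counters. The `SAMPLE_INCIDENT` dict is a trimmed copy of the example output, the `SEVERITY_RANK` ordering is an assumption about the severity labels, and the helpers tolerate a missing `events` key, which is what you get when Expand Events is not set.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the example output above, not a live
# Threat Response reply. Field names follow the example; nothing else is assumed.
SAMPLE_INCIDENT = {
    "id": 1,
    "state": "Open",
    "assignee": "Unassigned",
    "event_count": 3,
    "hosts": {
        "attacker": [
            "54.214.13.31",
            "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
        ],
        "forensics": [
            "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
            "tapdemo.evilscheme.org",
        ],
    },
    "events": [
        {"id": 3, "category": "malware", "severity": "Info", "state": "Linked"},
        {"id": 1, "category": "spam", "severity": "Critical", "state": "Linked"},
        {"id": 2, "category": "spam", "severity": "Critical", "state": "Linked"},
    ],
    "successful_quarantines": 0,
    "failed_quarantines": 0,
    "pending_quarantines": 0,
}

# Assumed ordering of severity labels; adjust to the labels your deployment uses.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def classify_indicator(value):
    """Tag a hosts[] entry as 'ip', 'url' or 'domain'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme and parsed.netloc:
        return "url"
    return "domain"


def extract_indicators(incident):
    """Deduplicate hosts.attacker / hosts.forensics into {indicator: {"type", "roles"}}.

    The same URL is listed under both roles in the example; it comes back once,
    with both roles recorded, so a blocklist push does not submit it twice.
    """
    found = {}
    for role, values in incident.get("hosts", {}).items():
        for value in values:
            kind = classify_indicator(value)
            key = value.lower() if kind == "domain" else value
            entry = found.setdefault(key, {"type": kind, "roles": set()})
            entry["roles"].add(role)
    return found


def highest_event_severity(incident):
    """Return the most severe event label, or None when events were not expanded."""
    events = incident.get("events") or []
    if not events:
        return None
    best = max(events, key=lambda e: SEVERITY_RANK.get(e.get("severity"), -1))
    return best.get("severity")


def triage_flags(incident):
    """Derive analyst-facing flags from the incident fields; order is fixed for readability."""
    flags = []
    if incident.get("state") == "Open" and incident.get("assignee") == "Unassigned":
        flags.append("unassigned")
    if highest_event_severity(incident) == "Critical":
        flags.append("critical_events")
    attempted = sum(
        incident.get(k, 0)
        for k in ("successful_quarantines", "failed_quarantines", "pending_quarantines")
    )
    # event_count is present even without Expand Events, so use it rather than len(events).
    if incident.get("event_count", 0) > 0 and attempted == 0:
        flags.append("no_quarantine_attempted")
    return flags


if __name__ == "__main__":
    for key, entry in extract_indicators(SAMPLE_INCIDENT).items():
        print(entry["type"], sorted(entry["roles"]), key)
    print("highest severity:", highest_event_severity(SAMPLE_INCIDENT))
    print("flags:", triage_flags(SAMPLE_INCIDENT))
```

In a workflow, `triage_flags` is the kind of value you would branch on before the "Send Results Via Email" step, and `extract_indicators` gives you typed indicators to hand to a firewall, proxy or DNS blocklist action without submitting the duplicated URL twice.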
Workflow Library Example
Get Incident Details with Proofpoint Threat Response Auto Pull and Send Results Via Email