Retrieve Incidents
List incidents.
External Documentation
To learn more, visit the Proofpoint Threat Response Auto Pull documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| Closed After | Retrieve incidents that were closed after specified date. |
| Expand Events | Retrieve incidents with events data expanded. |
| Recipient | A comma seperated list of recipients to filter by. |
| Sender | A comma seperated list of senders to filter by. |
| Source Type | Retrieve incidents only belong to a specific source. |
| State | The state of the incidents to retrieve. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Attack Vector | Retrieve incidents where the attack vector is specified. |
| Closed At | Retrieve incidents that were closed on a specific date. |
| Closed Before | Retrieve incidents that were closed before specified date. |
| Created After | Retrieve incidents that were created after specified date. |
| Created Before | Retrieve incidents that were created before specified date. |
| Disposition | Filter by deposition. This filtering parameter may be combined with the sub-disposition parameter only when the disposition parameter is specified as “Unknown”. |
| Exclude Message Body | Whether to exclude the message body from the json response. |
| Exclude Mime Content | Whether to exclude the mime content from the json response. |
| File Hash | Retrieve incidents which contain the specified file hash. |
| File Name | Retrieve incidents which contain an attachment with the specified name. |
| File Type | Retrieve incidents which contain a certain type of attachment. |
| Format To Timezone | Format the time values in the response to match the specified timezone. For more information please refer to Proofpoint's documentation. |
| IP | Retrieve incidents by the attacker’s (sender’s) IP address. |
| Incident Value Fields To Json | Specify if the response’s incident_field_values section should be returned as json. |
| Message ID | Retrieve incidents by the message IDs enclosed in . Example: 34f3d3xda2f@foo.com,45g47sgvtt456@bar.com |
| Sub Disposition | Retrieve incidents which have either a Needs Manual Review or Likely Harmless sub-disposition. |
| Target User | Retrieve incidents where the alert threat name is specified. |
| URL | Retrieve incidents contain the specified url or a part of the specified URL. |
| Updated At | Retrieve incidents that were updated on a specific date. |
Example Output
[
{
"id": 1,
"type": "Malware",
"summary": "Unsolicited Bulk Email",
"description": "EvilScheme test message",
"score": 4200,
"state": "Open",
"created_at": "2018-05-26T21:07:17Z",
"event_count": 3,
"event_sources": [
"Proofpoint TAP"
],
"users": [
"nbadguy"
],
"assignee": "Unassigned",
"team": "Unassigned",
"hosts": {
"attacker": [
"54.214.13.31",
"http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
],
"forensics": [
"http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
"tapdemo.evilscheme.org"
]
},
"incident_field_values": [
{
"name": "Attack Vector",
"value": "Email"
},
{
"name": "Classification",
"value": "Spam"
},
{
"name": "Severity",
"value": "Critical"
}
],
"events": [
{
"id": 3,
"category": "malware",
"severity": "Info",
"source": "Proofpoint TAP",
"threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
"classified": false,
"state": "Linked",
"description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
"attackDirection": "inbound",
"received": "2018-05-26T21:07:17Z",
"malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
},
{
"id": 1,
"category": "spam",
"severity": "Critical",
"source": "Proofpoint TAP",
"threatname": "Unsolicited Bulk Email",
"classified": false,
"state": "Linked",
"attackDirection": "inbound",
"received": "2018-05-26T21:07:17Z"
},
{
"id": 2,
"category": "spam",
"severity": "Critical",
"source": "Proofpoint TAP",
"threatname": "Unsolicited Bulk Email",
"classified": false,
"state": "Linked",
"attackDirection": "inbound",
"received": "2018-05-26T21:07:17Z"
}
],
"quarantine_results": [],
"successful_quarantines": 0,
"failed_quarantines": 0,
"pending_quarantines": 0
},
{
"id": 2,
"type": "Reported-abuse",
"summary": "Unsolicited Bulk Email",
"description": "",
"score": 5200,
"state": "Open",
"created_at": "2018-06-01T17:57:09Z",
"event_count": 2,
"event_sources": [
"Abuse Mailbox 1",
"Proofpoint TAP"
],
"users": [],
"assignee": "Unassigned",
"team": "Unassigned",
"hosts": {
"attacker": [
"54.214.13.31",
"http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"
],
"cnc": [
"54.214.13.31"
],
"url": [
"http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
"https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="
],
"forensics": [
"http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
"tapdemo.evilscheme.org"
]
},
"incident_field_values": [
{
"name": "Attack Vector",
"value": "Email"
},
{
"name": "Severity",
"value": "Critical"
},
{
"name": "Classification",
"value": "Reported Abuse"
},
{
"name": "Abuse Disposition",
"value": "Malicious"
}
],
"events": [
{
"id": 8,
"category": "malware",
"severity": "Info",
"source": "Proofpoint TAP",
"threatname": "Malicious content dropped during execution",
"classified": false,
"state": "Linked",
"description": "Malicious content dropped during execution",
"attackDirection": "inbound",
"received": "2018-06-01T18:02:10Z",
"malwareName": "Malicious content dropped during execution"
},
{
"id": 6,
"category": "malware",
"severity": "Info",
"source": "Proofpoint TAP",
"threatname": "Example signature to fire on TAP demo evilness",
"classified": false,
"state": "Linked",
"description": "Example signature to fire on TAP demo evilness",
"attackDirection": "inbound",
"received": "2018-06-01T17:57:10Z",
"malwareName": "Example signature to fire on TAP demo evilness"
},
],
"quarantine_results": [
{
"alertSource": "Not Available",
"startTime": "2018-06-01T18:17:43.941Z",
"endTime": "2018-06-01T18:17:44.001Z",
"status": "successful",
"recipientType": "Search",
"recipient": "jsmith@company.com",
"messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>"
"isRead": "true",
"wasUndone": "true",
"details": "Success"
}
],
"successful_quarantines": 1,
"failed_quarantines": 0,
"pending_quarantines": 0
}
]
Workflow Library Example
Retrieve Incidents with Proofpoint Threat Response Auto Pull and Send Results Via Email
Preview this Workflow on desktop