List incidents.

Note: It is highly recommended to filter the results or increase the timeout value because of the potentially large amount of data that may be retrieved.

External Documentation

To learn more, visit the Proofpoint Threat Response Auto Pull documentation.

Basic Parameters

Parameter | Description
--- | ---
Created After | Get incidents that were created after the specified date.
Expand Events | Get incidents with their events data expanded.
Recipient | A comma-separated list of recipients to filter by.
Sender | A comma-separated list of senders to filter by.
Source Type | Get only incidents that belong to a specific source.
State | The state of the incidents.

Advanced Parameters

Parameter | Description
--- | ---
Attack Vector | Get incidents where the specified attack vector is set.
Closed After | Get incidents that were closed after the specified date.
Closed At | Get incidents that were closed on a specific date.
Closed Before | Get incidents that were closed before the specified date.
Created Before | Get incidents that were created before the specified date.
Disposition | Filter by disposition. This filter may be combined with the Sub Disposition parameter only when Disposition is set to “Unknown”.
Exclude Message Body | Whether to exclude the message body from the JSON response.
Exclude Mime Content | Whether to exclude the MIME content from the JSON response.
File Hash | Get incidents that contain the specified file hash.
File Name | Get incidents that contain an attachment with the specified name.
File Type | Get incidents that contain a certain type of attachment.
Format To Timezone | Format the time values in the response to match the specified timezone. For more information, refer to Proofpoint’s documentation.
IP | Get incidents by the attacker’s (sender’s) IP address.
Incident Value Fields To Json | Specify whether the response’s incident_field_values section should be returned as JSON.
Message ID | Get incidents by message ID; each ID is enclosed in angle brackets. Example: <34f3d3xda2f@foo.com>,<45g47sgvtt456@bar.com>
Sub Disposition | Get incidents that have either a Needs Manual Review or a Likely Harmless sub-disposition.
Target User | Get incidents where the alert threat name is specified.
URL | Get incidents that contain the specified URL or a part of it.
Updated At | Get incidents that were updated on a specific date.

Example Output

[
    {
        "id": 1,
        "type": "Malware",
        "summary": "Unsolicited Bulk Email",
        "description": "EvilScheme test message",
        "score": 4200,
        "state": "Open",
        "created_at": "2018-05-26T21:07:17Z",
        "event_count": 3,
        "event_sources": [
            "Proofpoint TAP"
        ],
        "users": [
            "nbadguy"
        ],
        "assignee": "Unassigned",
        "team": "Unassigned",
        "hosts": {
            "attacker": [
                "54.214.13.31",
                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
            ],
            "forensics": [
                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
                "tapdemo.evilscheme.org"
            ]
        },
        "incident_field_values": [
            {
                "name": "Attack Vector",
                "value": "Email"
            },
            {
                "name": "Classification",
                "value": "Spam"
            },
            {
                "name": "Severity",
                "value": "Critical"
            }
        ],
        "events": [
            {
                "id": 3,
                "category": "malware",
                "severity": "Info",
                "source": "Proofpoint TAP",
                "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
                "classified": false,
                "state": "Linked",
                "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
                "attackDirection": "inbound",
                "received": "2018-05-26T21:07:17Z",
                "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
            },
            {
                "id": 1,
                "category": "spam",
                "severity": "Critical",
                "source": "Proofpoint TAP",
                "threatname": "Unsolicited Bulk Email",
                "classified": false,
                "state": "Linked",
                "attackDirection": "inbound",
                "received": "2018-05-26T21:07:17Z"
            },
            {
                "id": 2,
                "category": "spam",
                "severity": "Critical",
                "source": "Proofpoint TAP",
                "threatname": "Unsolicited Bulk Email",
                "classified": false,
                "state": "Linked",
                "attackDirection": "inbound",
                "received": "2018-05-26T21:07:17Z"
            }
        ],
        "quarantine_results": [],
        "successful_quarantines": 0,
        "failed_quarantines": 0,
        "pending_quarantines": 0
    },
    {
        "id": 2,
        "type": "Reported-abuse",
        "summary": "Unsolicited Bulk Email",
        "description": "",
        "score": 5200,
        "state": "Open",
        "created_at": "2018-06-01T17:57:09Z",
        "event_count": 2,
        "event_sources": [
            "Abuse Mailbox 1",
            "Proofpoint TAP"
        ],
        "users": [],
        "assignee": "Unassigned",
        "team": "Unassigned",
        "hosts": {
            "attacker": [
                "54.214.13.31",
                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"
            ],
            "cnc": [
                "54.214.13.31"
            ],
            "url": [
                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
                "https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="
            ],
            "forensics": [
                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
                "tapdemo.evilscheme.org"
            ]
        },
        "incident_field_values": [
            {
                "name": "Attack Vector",
                "value": "Email"
            },
            {
                "name": "Severity",
                "value": "Critical"
            },
            {
                "name": "Classification",
                "value": "Reported Abuse"
            },
            {
                "name": "Abuse Disposition",
                "value": "Malicious"
            }
        ],
        "events": [
            {
                "id": 8,
                "category": "malware",
                "severity": "Info",
                "source": "Proofpoint TAP",
                "threatname": "Malicious content dropped during execution",
                "classified": false,
                "state": "Linked",
                "description": "Malicious content dropped during execution",
                "attackDirection": "inbound",
                "received": "2018-06-01T18:02:10Z",
                "malwareName": "Malicious content dropped during execution"
            },
            {
                "id": 6,
                "category": "malware",
                "severity": "Info",
                "source": "Proofpoint TAP",
                "threatname": "Example signature to fire on TAP demo evilness",
                "classified": false,
                "state": "Linked",
                "description": "Example signature to fire on TAP demo evilness",
                "attackDirection": "inbound",
                "received": "2018-06-01T17:57:10Z",
                "malwareName": "Example signature to fire on TAP demo evilness"
            }
        ],
        "quarantine_results": [
            {
                "alertSource": "Not Available",
                "startTime": "2018-06-01T18:17:43.941Z",
                "endTime": "2018-06-01T18:17:44.001Z",
                "status": "successful",
                "recipientType": "Search",
                "recipient": "jsmith@company.com",
                "messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>",
                "isRead": "true",
                "wasUndone": "true",
                "details": "Success"
            }
        ],
        "successful_quarantines": 1,
        "failed_quarantines": 0,
        "pending_quarantines": 0
    }
]
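An added triage helper (example code written for this page, not part of the integration or Proofpoint's own tooling) that consumes the documented output shape above: it flattens the host buckets into indicators, treats string-typed booleans such as `"wasUndone": "true"` correctly, and flags incidents whose only successful quarantine was later undone. The sample list is constructed from the example output and trimmed to the fields the helper reads.

```python
import json

# Constructed sample, trimmed from the documented example output (not a live TRAP response).
SAMPLE_INCIDENTS = json.loads("""
[
  {"id": 1, "state": "Open", "created_at": "2018-05-26T21:07:17Z", "event_count": 3,
   "hosts": {"attacker": ["54.214.13.31", "http://tapdemo.evilscheme.org/files/x.pdf"],
             "forensics": ["tapdemo.evilscheme.org"]},
   "events": [{"id": 3, "category": "malware"}, {"id": 1, "category": "spam"},
              {"id": 2, "category": "spam"}],
   "quarantine_results": [], "successful_quarantines": 0,
   "failed_quarantines": 0, "pending_quarantines": 0},
  {"id": 2, "state": "Open", "created_at": "2018-06-01T17:57:09Z", "event_count": 2,
   "hosts": {"attacker": ["54.214.13.31"], "cnc": ["54.214.13.31"]},
   "events": [{"id": 8, "category": "malware"}, {"id": 6, "category": "malware"}],
   "quarantine_results": [{"status": "successful", "recipient": "jsmith@company.com",
                           "wasUndone": "true", "details": "Success"}],
   "successful_quarantines": 1, "failed_quarantines": 0, "pending_quarantines": 0}
]
""")


def _is_true(value):
    """The response renders some booleans as the strings "true"/"false"; accept both forms."""
    return value is True or str(value).lower() == "true"


def effective_quarantines(incident):
    """Count quarantines that succeeded and were NOT later undone (those no longer contain anything)."""
    return sum(1 for q in incident.get("quarantine_results", [])
               if q.get("status") == "successful" and not _is_true(q.get("wasUndone")))


def indicators(incident):
    """Flatten every host bucket (attacker, cnc, url, forensics) into one de-duplicated, sorted list."""
    return sorted({h for bucket in incident.get("hosts", {}).values() for h in bucket})


def triage(incidents, state=None, created_after=None):
    """Client-side filter by state / creation time (ISO-8601 'Z' timestamps compare lexically),
    then flag incidents whose containment is incomplete."""
    out = []
    for inc in incidents:
        if state and inc.get("state") != state:
            continue
        if created_after and inc.get("created_at", "") <= created_after:
            continue
        # event_count != len(events) means the events were not expanded or were truncated.
        truncated = inc.get("event_count", 0) != len(inc.get("events", []))
        needs = (inc.get("failed_quarantines", 0) > 0 or inc.get("pending_quarantines", 0) > 0
                 or (inc.get("successful_quarantines", 0) > 0 and effective_quarantines(inc) == 0))
        out.append({"id": inc["id"], "indicators": indicators(inc), "events_truncated": truncated,
                    "effective_quarantines": effective_quarantines(inc), "needs_attention": needs})
    return out
```

The `state` and `created_after` arguments mirror the server-side State and Created After parameters; prefer those on the request itself, as the note above recommends, and use the client-side version only to narrow an already-fetched page.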

Workflow Library Example

Retrieve Incidents with Proofpoint Threat Response Auto Pull and Send Results Via Email
