Retrieve Incidents
List incidents.
Note: It is highly recommended to filter the results or increase the timeout value because of the potentially large amount of data that may be retrieved.
External Documentation
To learn more, visit the Proofpoint Threat Response Auto Pull documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| Created After | Get incidents that were created after the specified date. |
| Expand Events | Get incidents with their event data expanded. |
| Recipient | A comma-separated list of recipients to filter by. |
| Sender | A comma-separated list of senders to filter by. |
| Source Type | Get only incidents that belong to a specific source. |
| State | The state of the incidents. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Attack Vector | Get incidents where the attack vector is specified. |
| Closed After | Get incidents that were closed after the specified date. |
| Closed At | Get incidents that were closed on a specific date. |
| Closed Before | Get incidents that were closed before the specified date. |
| Created Before | Get incidents that were created before the specified date. |
| Disposition | Filter by disposition. This filter may be combined with the Sub Disposition parameter only when the disposition is specified as “Unknown”. |
| Exclude Message Body | Whether to exclude the message body from the JSON response. |
| Exclude Mime Content | Whether to exclude the MIME content from the JSON response. |
| File Hash | Get incidents that contain the specified file hash. |
| File Name | Get incidents that contain an attachment with the specified name. |
| File Type | Get incidents that contain a certain type of attachment. |
| Format To Timezone | Format the time values in the response to match the specified timezone. For more information, please refer to Proofpoint’s documentation. |
| IP | Get incidents by the attacker’s (sender’s) IP address. |
| Incident Value Fields To Json | Specify whether the response’s incident_field_values section should be returned as JSON. |
| Message ID | Get incidents by message ID, with each ID enclosed in angle brackets. Example: `<34f3d3xda2f@foo.com>,<45g47sgvtt456@bar.com>` |
| Sub Disposition | Get incidents that have either a Needs Manual Review or Likely Harmless sub-disposition. |
| Target User | Get incidents where the alert threat name is specified. |
| URL | Get incidents that contain the specified URL or a part of it. |
| Updated At | Get incidents that were updated on a specific date. |
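The following Python is an added illustration, not code from this page or from Proofpoint: it assembles the filter set for this action and enforces the two constraints the tables state (Sub Disposition only together with Disposition “Unknown”; message IDs enclosed in angle brackets), and refuses an unfiltered query unless the caller opts in, per the note above. The snake_case query keys and the ISO 8601 date format are assumptions, not verified TRAP API field names.

```python
from datetime import datetime, timezone
from typing import Optional

# Assumed key names mirroring the page's parameter labels; not verified API fields.
SUB_DISPOSITIONS = {"Needs Manual Review", "Likely Harmless"}


def build_incident_query(*, created_after: Optional[datetime] = None,
                         state: Optional[str] = None,
                         recipients: Optional[list] = None,
                         senders: Optional[list] = None,
                         disposition: Optional[str] = None,
                         sub_disposition: Optional[str] = None,
                         message_ids: Optional[list] = None,
                         expand_events: bool = False,
                         allow_unfiltered: bool = False) -> dict:
    """Return a validated query dict for a 'Retrieve Incidents' call."""
    params: dict = {}
    if created_after is not None:
        # Require an aware datetime so the filter boundary is unambiguous.
        if created_after.tzinfo is None:
            raise ValueError("created_after must be timezone-aware")
        params["created_after"] = created_after.astimezone(timezone.utc).isoformat()
    if state:
        params["state"] = state
    if recipients:
        params["recipient"] = ",".join(recipients)  # comma-separated list
    if senders:
        params["sender"] = ",".join(senders)
    if sub_disposition is not None:
        if sub_disposition not in SUB_DISPOSITIONS:
            raise ValueError(f"unsupported sub-disposition: {sub_disposition!r}")
        # Page rule: sub-disposition is only valid with disposition "Unknown".
        if disposition != "Unknown":
            raise ValueError("sub_disposition requires disposition == 'Unknown'")
        params["sub_disposition"] = sub_disposition
    if disposition:
        params["disposition"] = disposition
    if message_ids:
        # Page rule: each message ID is enclosed in angle brackets; add if missing.
        wrapped = [m if m.startswith("<") and m.endswith(">") else f"<{m}>"
                   for m in message_ids]
        params["message_id"] = ",".join(wrapped)
    if expand_events:
        params["expand_events"] = "true"
    # Per the note on this action: an unfiltered listing can return a large
    # volume of data, so require an explicit opt-in for it.
    if not allow_unfiltered and not any(k != "expand_events" for k in params):
        raise ValueError("no filter set; add one or pass allow_unfiltered=True")
    return params
```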
Example Output
Workflow Library Example
Retrieve Incidents with Proofpoint Threat Response Auto Pull and Send Results Via Email