# Retrieve Incidents

List incidents.

**Note**: It is highly recommended to filter the results or increase the timeout value because of the potentially large amount of data that may be retrieved.

<Note>
  External Documentation

  To learn more, visit the [Proofpoint Threat Response Auto Pull documentation](https://ptr-docs.proofpoint.com/extensibility-guides/ptr-api/#retrieve-incidents).
</Note>

## Basic Parameters

<div className="integrations-table">
  | Parameter     | Description                                           |
  | ------------- | ----------------------------------------------------- |
  | Created After | Get incidents that were created after specified date. |
  | Expand Events | Get incidents with events data expanded.              |
  | Recipient     | A comma-separated list of recipients to filter by.    |
  | Sender        | A comma-separated list of senders to filter by.       |
  | Source Type   | Get only incidents that belong to a specific source.  |
  | State         | The state of the incidents.                           |
</div>

## Advanced Parameters

<div className="integrations-table">
  | Parameter                     | Description                                                                                                                                                                                                                  |
  | ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  | Attack Vector                 | Get incidents where the attack vector is specified.                                                                                                                                                                          |
  | Closed After                  | Get incidents that were closed after specified date.                                                                                                                                                                         |
  | Closed At                     | Get incidents that were closed on a specific date.                                                                                                                                                                           |
  | Closed Before                 | Get incidents that were closed before specified date.                                                                                                                                                                        |
  | Created Before                | Get incidents that were created before specified date.                                                                                                                                                                       |
  | Disposition                   | Filter by disposition. This filtering parameter may be combined with the sub-disposition parameter only when the disposition parameter is specified as "Unknown".                                                            |
  | Exclude Message Body          | Whether to exclude the message body from the JSON response.                                                                                                                                                                  |
  | Exclude Mime Content          | Whether to exclude the MIME content from the JSON response.                                                                                                                                                                  |
  | File Hash                     | Get incidents which contain the specified file hash.                                                                                                                                                                         |
  | File Name                     | Get incidents which contain an attachment with the specified name.                                                                                                                                                           |
  | File Type                     | Get incidents which contain a certain type of attachment.                                                                                                                                                                    |
  | Format To Timezone            | Format the time values in the response to match the specified timezone. For more information please refer to [Proofpoint's documentation](https://ptr-docs.proofpoint.com/extensibility-guides/ptr-api/#retrieve-incidents). |
  | IP                            | Get incidents by the attacker's (sender's) IP address.                                                                                                                                                                       |
  | Incident Value Fields To Json | Specify if the response's incident\_field\_values section should be returned as JSON.                                                                                                                                        |
  | Message ID                    | Get incidents by the message IDs enclosed in `<>`.<br /><br />For example: `<34f3d3xda2f@foo.com>,<45g47sgvtt456@bar.com>`                                                                                                   |
  | Sub Disposition               | Get incidents which have either a `Needs Manual Review` or `Likely Harmless` sub-disposition.                                                                                                                                |
  | Target User                   | Get incidents where the alert threat name is specified.                                                                                                                                                                      |
  | URL                           | Get incidents that contain the specified URL or a part of the specified URL.                                                                                                                                                 |
  | Updated At                    | Get incidents that were updated on a specific date.                                                                                                                                                                          |
</div>

## Example Output

```json theme={"dark"}
[
    {
        "id": 1,
        "type": "Malware",
        "summary": "Unsolicited Bulk Email",
        "description": "EvilScheme test message",
        "score": 4200,
        "state": "Open",
        "created_at": "2018-05-26T21:07:17Z",
        "event_count": 3,
        "event_sources": [
            "Proofpoint TAP"
        ],
        "users": [
            "nbadguy"
        ],
        "assignee": "Unassigned",
        "team": "Unassigned",
        "hosts": {
            "attacker": [
                "54.214.13.31",
                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
            ],
            "forensics": [
                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
                "tapdemo.evilscheme.org"
            ]
        },
        "incident_field_values": [
            {
                "name": "Attack Vector",
                "value": "Email"
            },
            {
                "name": "Classification",
                "value": "Spam"
            },
            {
                "name": "Severity",
                "value": "Critical"
            }
        ],
        "events": [
            {
                "id": 3,
                "category": "malware",
                "severity": "Info",
                "source": "Proofpoint TAP",
                "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
                "classified": false,
                "state": "Linked",
                "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
                "attackDirection": "inbound",
                "received": "2018-05-26T21:07:17Z",
                "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
            },
            {
                "id": 1,
                "category": "spam",
                "severity": "Critical",
                "source": "Proofpoint TAP",
                "threatname": "Unsolicited Bulk Email",
                "classified": false,
                "state": "Linked",
                "attackDirection": "inbound",
                "received": "2018-05-26T21:07:17Z"
            },
            {
                "id": 2,
                "category": "spam",
                "severity": "Critical",
                "source": "Proofpoint TAP",
                "threatname": "Unsolicited Bulk Email",
                "classified": false,
                "state": "Linked",
                "attackDirection": "inbound",
                "received": "2018-05-26T21:07:17Z"
            }
        ],
        "quarantine_results": [],
        "successful_quarantines": 0,
        "failed_quarantines": 0,
        "pending_quarantines": 0
    },
    {
        "id": 2,
        "type": "Reported-abuse",
        "summary": "Unsolicited Bulk Email",
        "description": "",
        "score": 5200,
        "state": "Open",
        "created_at": "2018-06-01T17:57:09Z",
        "event_count": 2,
        "event_sources": [
            "Abuse Mailbox 1",
            "Proofpoint TAP"
        ],
        "users": [],
        "assignee": "Unassigned",
        "team": "Unassigned",
        "hosts": {
            "attacker": [
                "54.214.13.31",
                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"
            ],
            "cnc": [
                "54.214.13.31"
            ],
            "url": [
                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
                "https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="
            ],
            "forensics": [
                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
                "tapdemo.evilscheme.org"
            ]
        },
        "incident_field_values": [
            {
                "name": "Attack Vector",
                "value": "Email"
            },
            {
                "name": "Severity",
                "value": "Critical"
            },
            {
                "name": "Classification",
                "value": "Reported Abuse"
            },
            {
                "name": "Abuse Disposition",
                "value": "Malicious"
            }
        ],
        "events": [
            {
                "id": 8,
                "category": "malware",
                "severity": "Info",
                "source": "Proofpoint TAP",
                "threatname": "Malicious content dropped during execution",
                "classified": false,
                "state": "Linked",
                "description": "Malicious content dropped during execution",
                "attackDirection": "inbound",
                "received": "2018-06-01T18:02:10Z",
                "malwareName": "Malicious content dropped during execution"
            },
            {
                "id": 6,
                "category": "malware",
                "severity": "Info",
                "source": "Proofpoint TAP",
                "threatname": "Example signature to fire on TAP demo evilness",
                "classified": false,
                "state": "Linked",
                "description": "Example signature to fire on TAP demo evilness",
                "attackDirection": "inbound",
                "received": "2018-06-01T17:57:10Z",
                "malwareName": "Example signature to fire on TAP demo evilness"
            }
        ],
        "quarantine_results": [
            {
                "alertSource": "Not Available",
                "startTime": "2018-06-01T18:17:43.941Z",
                "endTime": "2018-06-01T18:17:44.001Z",
                "status": "successful",
                "recipientType": "Search",
                "recipient": "jsmith@company.com",
                "messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>",
                "isRead": "true",
                "wasUndone": "true",
                "details": "Success"
            }
        ],
        "successful_quarantines": 1,
        "failed_quarantines": 0,
        "pending_quarantines": 0
    }
]
```
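
The following Python is an added example, not Blink or Proofpoint code: it post-processes a response of the shape shown above by flattening `incident_field_values` into a dictionary, de-duplicating the host indicators, and flagging incidents that have no quarantine still in effect. The function names are hypothetical, the sample is constructed from the example output, and reading `wasUndone` as "the quarantine was later reversed" is an assumption based on the field name.

```python
import json

# Constructed sample, trimmed to the fields used, in the shape of the example output.
SAMPLE = json.loads("""[
  {"id": 1, "score": 4200, "state": "Open",
   "hosts": {"attacker": ["54.214.13.31"], "forensics": ["tapdemo.evilscheme.org"]},
   "incident_field_values": [{"name": "Severity", "value": "Critical"}],
   "quarantine_results": []},
  {"id": 2, "score": 5200, "state": "Open",
   "hosts": {"attacker": ["54.214.13.31"], "cnc": ["54.214.13.31"]},
   "incident_field_values": [{"name": "Severity", "value": "Critical"},
                             {"name": "Abuse Disposition", "value": "Malicious"}],
   "quarantine_results": [{"status": "successful", "wasUndone": "true",
                           "recipient": "jsmith@company.com"}]}
]""")


def field_map(incident):
    """Flatten incident_field_values ([{name, value}, ...]) into a dict."""
    return {f["name"]: f["value"] for f in incident.get("incident_field_values", [])}


def is_true(value):
    """The example output carries booleans as strings ("true"); accept both."""
    return value is True or str(value).lower() == "true"


def needs_followup(incident):
    """True when no quarantine is still in effect (assumes wasUndone = reversed)."""
    results = incident.get("quarantine_results", [])
    effective = [r for r in results
                 if r.get("status") == "successful" and not is_true(r.get("wasUndone"))]
    return not effective


def triage(incidents):
    """Return one summary row per incident, highest score first."""
    rows = []
    for inc in sorted(incidents, key=lambda i: i.get("score", 0), reverse=True):
        hosts = inc.get("hosts", {})
        indicators = sorted({h for group in hosts.values() for h in group})
        rows.append({"id": inc["id"], "fields": field_map(inc),
                     "indicators": indicators, "needs_followup": needs_followup(inc)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
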

## Workflow Library Example

[Retrieve Incidents with Proofpoint Threat Response Auto Pull and Send Results Via Email](https://library.blinkops.com/workflows/retrieve-incidents-with-proofpoint-threat-response-auto-pull-and-send-results-via-email)

