Retrieve all incident metadata from Threat Response by specifying filter criteria such as the state of the incident or time of closure. For more information, visit the Proofpoint Incident documentation

Basic Parameters

ParameterDescription
Closed AfterRetrieve incidents that were closed after specified date, in ISO 8601 format (UTC).
Created AfterRetrieve incidents that were created after specified date, in ISO 8601 format (UTC).
Search ByQuery either by incident creation date or closing date.

Advanced Parameters

ParameterDescription
Closed BeforeRetrieve incidents that were closed before specified date, in ISO 8601 format (UTC). if parameter is omitted, the current timestamp of the system is used in its place.
Created BeforeRetrieve incidents that were created before specified date, in ISO 8601 format (UTC). if parameter is omitted, the current timestamp of the system is used in its place.
Expand EventsRetrieve incidents with events data expanded.
StateState of the incidents to retrieve.

Example Output

[
  {
    "id": 1,
    "type": "Malware",
    "summary": "Unsolicited Bulk Email",
    "description": "EvilScheme test message",
    "score": 4200,
    "state": "Open",
    "created_at": "2018-05-26T21:07:17Z",
    "event_count": 3,
    "event_sources": [
      "Proofpoint TAP"
    ],
    "users": [
      "nbadguy"
    ],
    "assignee": "Unassigned",
    "team": "Unassigned",
    "hosts": {
      "attacker": [
        "54.214.13.31",
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
      ],
      "forensics": [
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
        "tapdemo.evilscheme.org"
      ]
    },
    "incident_field_values": [
      {
        "name": "Attack Vector",
        "value": "Email"
      },
      {
        "name": "Classification",
        "value": "Spam"
      },
      {
        "name": "Severity",
        "value": "Critical"
      }
    ],
    "events": [
      {
        "id": 3,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "classified": false,
        "state": "Linked",
        "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z",
        "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
      },
      {
        "id": 1,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      },
      {
        "id": 2,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      }
    ],
    "quarantine_results": [],
    "successful_quarantines": 0,
    "failed_quarantines": 0,
    "pending_quarantines": 0
  },
  {
    "id": 2,
    "type": "Reported-abuse",
    "summary": "Unsolicited Bulk Email",
    "description": "",
    "score": 5200,
    "state": "Open",
    "created_at": "2018-06-01T17:57:09Z",
    "event_count": 2,
    "event_sources": [
      "Abuse Mailbox 1",
      "Proofpoint TAP"
    ],
    "users": [],
    "assignee": "Unassigned",
    "team": "Unassigned",
    "hosts": {
      "attacker": [
        "54.214.13.31",
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"
      ],
      "cnc": [
        "54.214.13.31"
      ],
      "url": [
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
        "https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="
      ],
      "forensics": [
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
        "tapdemo.evilscheme.org"
      ]
    },
    "incident_field_values": [
      {
        "name": "Attack Vector",
        "value": "Email"
      },
      {
        "name": "Severity",
        "value": "Critical"
      },
      {
        "name": "Classification",
        "value": "Reported Abuse"
      },
      {
        "name": "Abuse Disposition",
        "value": "Malicious"
      }
    ],
    "events": [
      {
        "id": 8,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Malicious content dropped during execution",
        "classified": false,
        "state": "Linked",
        "description": "Malicious content dropped during execution",
        "attackDirection": "inbound",
        "received": "2018-06-01T18:02:10Z",
        "malwareName": "Malicious content dropped during execution"
      },
      {
        "id": 6,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Example signature to fire on TAP demo evilness",
        "classified": false,
        "state": "Linked",
        "description": "Example signature to fire on TAP demo evilness",
        "attackDirection": "inbound",
        "received": "2018-06-01T17:57:10Z",
        "malwareName": "Example signature to fire on TAP demo evilness"
      },
    ],
    "quarantine_results": [
      {
        "alertSource": "Not Available",
        "startTime": "2018-06-01T18:17:43.941Z",
        "endTime": "2018-06-01T18:17:44.001Z",
        "status": "successful",
        "recipientType": "Search",
        "recipient": "jsmith@company.com",
        "messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>"
          "isRead": "true",
        "wasUndone": "true",
        "details": "Success"
      }
    ],
    "successful_quarantines": 1,
    "failed_quarantines": 0,
    "pending_quarantines": 0
  }

Workflow Library Example

Retrieve Incidents with Proofpoint and Send Results Via Email

Preview this Workflow on desktop

Was this page helpful?

Proofpoint Custom ActionOverview