Retrieve Incidents
Retrieve all incident metadata from Threat Response by specifying filter criteria such as the incident state or the time of closure. For more information, visit the Proofpoint Incident documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| Closed After | Retrieve incidents that were closed after the specified date, in ISO 8601 format (UTC). |
| Created After | Retrieve incidents that were created after the specified date, in ISO 8601 format (UTC). |
| Search By | Query either by incident creation date or by closing date. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Closed Before | Retrieve incidents that were closed before the specified date, in ISO 8601 format (UTC). If the parameter is omitted, the current system timestamp is used in its place. |
| Created Before | Retrieve incidents that were created before the specified date, in ISO 8601 format (UTC). If the parameter is omitted, the current system timestamp is used in its place. |
| Expand Events | Retrieve incidents with their event data expanded. |
| State | State of the incidents to retrieve. |
Example Output
```json
[
  {
    "id": 1,
    "type": "Malware",
    "summary": "Unsolicited Bulk Email",
    "description": "EvilScheme test message",
    "score": 4200,
    "state": "Open",
    "created_at": "2018-05-26T21:07:17Z",
    "event_count": 3,
    "event_sources": [
      "Proofpoint TAP"
    ],
    "users": [
      "nbadguy"
    ],
    "assignee": "Unassigned",
    "team": "Unassigned",
    "hosts": {
      "attacker": [
        "54.214.13.31",
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
      ],
      "forensics": [
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
        "tapdemo.evilscheme.org"
      ]
    },
    "incident_field_values": [
      {
        "name": "Attack Vector",
        "value": "Email"
      },
      {
        "name": "Classification",
        "value": "Spam"
      },
      {
        "name": "Severity",
        "value": "Critical"
      }
    ],
    "events": [
      {
        "id": 3,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "classified": false,
        "state": "Linked",
        "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z",
        "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
      },
      {
        "id": 1,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      },
      {
        "id": 2,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      }
    ],
    "quarantine_results": [],
    "successful_quarantines": 0,
    "failed_quarantines": 0,
    "pending_quarantines": 0
  },
  {
    "id": 2,
    "type": "Reported-abuse",
    "summary": "Unsolicited Bulk Email",
    "description": "",
    "score": 5200,
    "state": "Open",
    "created_at": "2018-06-01T17:57:09Z",
    "event_count": 2,
    "event_sources": [
      "Abuse Mailbox 1",
      "Proofpoint TAP"
    ],
    "users": [],
    "assignee": "Unassigned",
    "team": "Unassigned",
    "hosts": {
      "attacker": [
        "54.214.13.31",
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"
      ],
      "cnc": [
        "54.214.13.31"
      ],
      "url": [
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
        "https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="
      ],
      "forensics": [
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
        "tapdemo.evilscheme.org"
      ]
    },
    "incident_field_values": [
      {
        "name": "Attack Vector",
        "value": "Email"
      },
      {
        "name": "Severity",
        "value": "Critical"
      },
      {
        "name": "Classification",
        "value": "Reported Abuse"
      },
      {
        "name": "Abuse Disposition",
        "value": "Malicious"
      }
    ],
    "events": [
      {
        "id": 8,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Malicious content dropped during execution",
        "classified": false,
        "state": "Linked",
        "description": "Malicious content dropped during execution",
        "attackDirection": "inbound",
        "received": "2018-06-01T18:02:10Z",
        "malwareName": "Malicious content dropped during execution"
      },
      {
        "id": 6,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Example signature to fire on TAP demo evilness",
        "classified": false,
        "state": "Linked",
        "description": "Example signature to fire on TAP demo evilness",
        "attackDirection": "inbound",
        "received": "2018-06-01T17:57:10Z",
        "malwareName": "Example signature to fire on TAP demo evilness"
      }
    ],
    "quarantine_results": [
      {
        "alertSource": "Not Available",
        "startTime": "2018-06-01T18:17:43.941Z",
        "endTime": "2018-06-01T18:17:44.001Z",
        "status": "successful",
        "recipientType": "Search",
        "recipient": "jsmith@company.com",
        "messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>",
        "isRead": "true",
        "wasUndone": "true",
        "details": "Success"
      }
    ],
    "successful_quarantines": 1,
    "failed_quarantines": 0,
    "pending_quarantines": 0
  }
]
```
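The following is an added example, not code from Proofpoint or from the workflow library, that applies the filter semantics described in the parameter tables above (Search By, the After/Before date bounds with the "current timestamp" default, State, Expand Events) to incident records shaped like the example output, and then pulls the attacker-side hosts out of the matching incidents for triage. It makes no API call; the records are constructed here, reduced to the fields the code reads, and a third, closed incident is added to exercise searching by closing date. The `closed_at` field name and the `"created"`/`"closed"` values for Search By are assumptions, as is treating "after" and "before" as strict comparisons.

```python
"""Added example: offline model of the Retrieve Incidents filters plus IoC extraction."""
from datetime import datetime, timezone

# Constructed sample records, trimmed from the example output above.
# Incident 3 is constructed (not on the page) and carries a hypothetical
# "closed_at" field so that Search By = closing date has something to match.
SAMPLE_INCIDENTS = [
    {"id": 1, "type": "Malware", "state": "Open",
     "created_at": "2018-05-26T21:07:17Z",
     "hosts": {"attacker": ["54.214.13.31",
                            "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"],
               "forensics": ["tapdemo.evilscheme.org"]},
     "events": [{"id": 3, "category": "malware"}, {"id": 1, "category": "spam"},
                {"id": 2, "category": "spam"}]},
    {"id": 2, "type": "Reported-abuse", "state": "Open",
     "created_at": "2018-06-01T17:57:09Z",
     "hosts": {"attacker": ["54.214.13.31",
                            "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"],
               "cnc": ["54.214.13.31"]},
     "events": [{"id": 8, "category": "malware"}, {"id": 6, "category": "malware"}]},
    {"id": 3, "type": "Malware", "state": "Closed",  # constructed closed incident
     "created_at": "2018-05-20T09:00:00Z", "closed_at": "2018-05-28T12:30:00Z",
     "hosts": {"attacker": ["198.51.100.7"]}, "events": []},
]

# Assumed mapping from the Search By choice to the timestamp field it applies to.
SEARCH_FIELDS = {"created": "created_at", "closed": "closed_at"}


def parse_iso8601_utc(value):
    """Parse an ISO 8601 timestamp as the page specifies (UTC). A trailing 'Z'
    is normalised to '+00:00'; a value with no zone is assumed to be UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def retrieve_incidents(incidents, search_by="created", after=None, before=None,
                       state=None, expand_events=True):
    """Filter incident records the way the action's parameters describe.

    search_by     "created" or "closed" (assumed values) selects the date field.
    after/before  ISO 8601 strings; a missing 'before' defaults to now (UTC),
                  as the Closed Before / Created Before descriptions state.
    state         if given, keep only incidents whose state matches (case-insensitive).
    expand_events when False the 'events' list is dropped, mirroring a compact response.
    Comparisons are strict ("after" means later than the bound) - an assumption.
    """
    field = SEARCH_FIELDS[search_by]
    lower = parse_iso8601_utc(after) if after else None
    upper = parse_iso8601_utc(before) if before else datetime.now(timezone.utc)
    if lower is not None and lower > upper:
        raise ValueError("'after' bound is later than 'before' bound")

    results = []
    for inc in incidents:
        stamp = inc.get(field)
        if stamp is None:          # e.g. an open incident has no closing time
            continue
        ts = parse_iso8601_utc(stamp)
        if lower is not None and ts <= lower:
            continue
        if ts >= upper:
            continue
        if state and inc.get("state", "").lower() != state.lower():
            continue
        record = dict(inc)
        if not expand_events:
            record.pop("events", None)
        results.append(record)
    return results


def attacker_indicators(incidents):
    """Collect attacker-side hosts ('attacker' and 'cnc' buckets of 'hosts')
    across incidents, mapping each indicator to the sorted incident ids that
    reference it, so an analyst can see which hosts recur before reviewing
    them for blocklists or detection content."""
    seen = {}
    for inc in incidents:
        hosts = inc.get("hosts", {})
        for bucket in ("attacker", "cnc"):
            for host in hosts.get(bucket, []):
                seen.setdefault(host, set()).add(inc["id"])
    return {host: sorted(ids) for host, ids in seen.items()}


if __name__ == "__main__":
    recent = retrieve_incidents(SAMPLE_INCIDENTS, after="2018-05-30T00:00:00Z",
                                state="Open", expand_events=False)
    print("open incidents created after 2018-05-30:", [i["id"] for i in recent])
    for host, ids in attacker_indicators(recent).items():
        print(f"  {host} -> incidents {ids}")
```

Passing `expand_events=False` is the cheap way to page through large date ranges and only expand the incidents you intend to act on; when the ranges are wide, also check that the `after` bound is not later than the `before` bound, since an inverted window silently returns nothing.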
Workflow Library Example
Retrieve Incidents with Proofpoint and Send Results Via Email