> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Retrieve Incidents

Retrieve all incident metadata from Threat Response by specifying filter criteria such as the state of the incident or time of closure.
For more information, visit the [Proofpoint Incident documentation](https://ptr-docs.proofpoint.com/extensibility-guides/ptr-api/?shell#retrieve-incidents)

## Basic Parameters

<div className="integrations-table">
  | Parameter     | Description                                                                          |
  | ------------- | ------------------------------------------------------------------------------------ |
  | Closed After  | Retrieve incidents that were closed after specified date, in ISO 8601 format (UTC).  |
  | Created After | Retrieve incidents that were created after specified date, in ISO 8601 format (UTC). |
  | Search By     | Query either by incident creation date or closing date.                              |
</div>

## Advanced Parameters

<div className="integrations-table">
  | Parameter      | Description                                                                                                                                                              |
  | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
  | Closed Before  | Retrieve incidents that were closed before specified date, in ISO 8601 format (UTC). if parameter is omitted, the current timestamp of the system is used in its place.  |
  | Created Before | Retrieve incidents that were created before specified date, in ISO 8601 format (UTC). if parameter is omitted, the current timestamp of the system is used in its place. |
  | Expand Events  | Retrieve incidents with events data expanded.                                                                                                                            |
  | State          | State of the incidents to retrieve.                                                                                                                                      |
</div>

## Example Output

```json theme={"dark"}
[
  {
    "id": 1,
    "type": "Malware",
    "summary": "Unsolicited Bulk Email",
    "description": "EvilScheme test message",
    "score": 4200,
    "state": "Open",
    "created_at": "2018-05-26T21:07:17Z",
    "event_count": 3,
    "event_sources": [
      "Proofpoint TAP"
    ],
    "users": [
      "nbadguy"
    ],
    "assignee": "Unassigned",
    "team": "Unassigned",
    "hosts": {
      "attacker": [
        "54.214.13.31",
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"
      ],
      "forensics": [
        "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",
        "tapdemo.evilscheme.org"
      ]
    },
    "incident_field_values": [
      {
        "name": "Attack Vector",
        "value": "Email"
      },
      {
        "name": "Classification",
        "value": "Spam"
      },
      {
        "name": "Severity",
        "value": "Critical"
      }
    ],
    "events": [
      {
        "id": 3,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "classified": false,
        "state": "Linked",
        "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z",
        "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."
      },
      {
        "id": 1,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      },
      {
        "id": 2,
        "category": "spam",
        "severity": "Critical",
        "source": "Proofpoint TAP",
        "threatname": "Unsolicited Bulk Email",
        "classified": false,
        "state": "Linked",
        "attackDirection": "inbound",
        "received": "2018-05-26T21:07:17Z"
      }
    ],
    "quarantine_results": [],
    "successful_quarantines": 0,
    "failed_quarantines": 0,
    "pending_quarantines": 0
  },
  {
    "id": 2,
    "type": "Reported-abuse",
    "summary": "Unsolicited Bulk Email",
    "description": "",
    "score": 5200,
    "state": "Open",
    "created_at": "2018-06-01T17:57:09Z",
    "event_count": 2,
    "event_sources": [
      "Abuse Mailbox 1",
      "Proofpoint TAP"
    ],
    "users": [],
    "assignee": "Unassigned",
    "team": "Unassigned",
    "hosts": {
      "attacker": [
        "54.214.13.31",
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"
      ],
      "cnc": [
        "54.214.13.31"
      ],
      "url": [
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
        "https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="
      ],
      "forensics": [
        "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",
        "tapdemo.evilscheme.org"
      ]
    },
    "incident_field_values": [
      {
        "name": "Attack Vector",
        "value": "Email"
      },
      {
        "name": "Severity",
        "value": "Critical"
      },
      {
        "name": "Classification",
        "value": "Reported Abuse"
      },
      {
        "name": "Abuse Disposition",
        "value": "Malicious"
      }
    ],
    "events": [
      {
        "id": 8,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Malicious content dropped during execution",
        "classified": false,
        "state": "Linked",
        "description": "Malicious content dropped during execution",
        "attackDirection": "inbound",
        "received": "2018-06-01T18:02:10Z",
        "malwareName": "Malicious content dropped during execution"
      },
      {
        "id": 6,
        "category": "malware",
        "severity": "Info",
        "source": "Proofpoint TAP",
        "threatname": "Example signature to fire on TAP demo evilness",
        "classified": false,
        "state": "Linked",
        "description": "Example signature to fire on TAP demo evilness",
        "attackDirection": "inbound",
        "received": "2018-06-01T17:57:10Z",
        "malwareName": "Example signature to fire on TAP demo evilness"
      },
    ],
    "quarantine_results": [
      {
        "alertSource": "Not Available",
        "startTime": "2018-06-01T18:17:43.941Z",
        "endTime": "2018-06-01T18:17:44.001Z",
        "status": "successful",
        "recipientType": "Search",
        "recipient": "jsmith@company.com",
        "messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>"
          "isRead": "true",
        "wasUndone": "true",
        "details": "Success"
      }
    ],
    "successful_quarantines": 1,
    "failed_quarantines": 0,
    "pending_quarantines": 0
  }
```

## Workflow Library Example

[Retrieve Incidents with Proofpoint and Send Results Via Email](https://library.blinkops.com/workflows/retrieve-incidents-with-proofpoint-and-send-results-via-email)

<div className="iframe-wrapper">
  <div className="iframe-media">
    <img src="https://mintcdn.com/blinkops-2/ojHYuDeYX5FWuN8a/img/Icons/play-box.svg?fit=max&auto=format&n=ojHYuDeYX5FWuN8a&q=85&s=b8af968e71438a9499c3223c9bd29fb2" alt="Workflow Library" width="16" height="16" data-path="img/Icons/play-box.svg" />

    Preview this Workflow on desktop
  </div>

  <iframe className="iframe" src="https://library.blinkops.com/workflows/retrieve-incidents-with-proofpoint-and-send-results-via-email/canvas" />
</div>
