Retrieve Incidents - Blink Documentation

To learn more, visit the Proofpoint Threat Response Auto Pull documentation.

Basic Parameters

Parameter	Description
Closed After	Retrieve incidents that were closed after specified date.
Expand Events	Retrieve incidents with events data expanded.
Recipient	A comma separated list of recipients to filter by.
Sender	A comma separated list of senders to filter by.
Source Type	Retrieve incidents only belong to a specific source.
State	The state of the incidents to retrieve.

Advanced Parameters

Parameter	Description
Attack Vector	Retrieve incidents where the attack vector is specified.
Closed At	Retrieve incidents that were closed on a specific date.
Closed Before	Retrieve incidents that were closed before specified date.
Created After	Retrieve incidents that were created after specified date.
Created Before	Retrieve incidents that were created before specified date.
Disposition	Filter by deposition. This filtering parameter may be combined with the sub-disposition parameter only when the disposition parameter is specified as “Unknown”.
Exclude Message Body	Whether to exclude the message body from the json response.
Exclude Mime Content	Whether to exclude the mime content from the json response.
File Hash	Retrieve incidents which contain the specified file hash.
File Name	Retrieve incidents which contain an attachment with the specified name.
File Type	Retrieve incidents which contain a certain type of attachment.
Format To Timezone	Format the time values in the response to match the specified timezone. For more information please refer to Proofpoint’s documentation.
IP	Retrieve incidents by the attacker’s (sender’s) IP address.
Incident Value Fields To Json	Specify if the response’s incidentfieldvalues section should be returned as json.
Message ID	Retrieve incidents by the message IDs enclosed in <>.Example:34f3d3xda2f@foo.com,45g47sgvtt456@bar.com
Sub Disposition	Retrieve incidents which have either a `Needs Manual Review` or `Likely Harmless` sub-disposition.
Target User	Retrieve incidents where the alert threat name is specified.
URL	Retrieve incidents contain the specified url or a part of the specified URL.
Updated At	Retrieve incidents that were updated on a specific date.

Example Output

[    {        "id": 1,        "type": "Malware",        "summary": "Unsolicited Bulk Email",        "description": "EvilScheme test message",        "score": 4200,        "state": "Open",        "created_at": "2018-05-26T21:07:17Z",        "event_count": 3,        "event_sources": [            "Proofpoint TAP"        ],        "users": [            "nbadguy"        ],        "assignee": "Unassigned",        "team": "Unassigned",        "hosts": {            "attacker": [                "54.214.13.31",                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"            ],            "forensics": [                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",                "tapdemo.evilscheme.org"            ]        },        "incident_field_values": [            {                "name": "Attack Vector",                "value": "Email"            },            {                "name": "Classification",                "value": "Spam"            },            {                "name": "Severity",                "value": "Critical"            }        ],        "events": [            {                "id": 3,                "category": "malware",                "severity": "Info",                "source": "Proofpoint TAP",                "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",                "classified": false,                "state": "Linked",                "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",                "attackDirection": "inbound",                "received": "2018-05-26T21:07:17Z",                "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."            },            {                "id": 1,                "category": "spam",                "severity": "Critical",                "source": "Proofpoint TAP",                "threatname": "Unsolicited Bulk Email",                "classified": false,                "state": "Linked",                "attackDirection": "inbound",                "received": "2018-05-26T21:07:17Z"            },            {                "id": 2,                "category": "spam",                "severity": "Critical",                "source": "Proofpoint TAP",                "threatname": "Unsolicited Bulk Email",                "classified": false,                "state": "Linked",                "attackDirection": "inbound",                "received": "2018-05-26T21:07:17Z"            }        ],        "quarantine_results": [],        "successful_quarantines": 0,        "failed_quarantines": 0,        "pending_quarantines": 0    },    {        "id": 2,        "type": "Reported-abuse",        "summary": "Unsolicited Bulk Email",        "description": "",        "score": 5200,        "state": "Open",        "created_at": "2018-06-01T17:57:09Z",        "event_count": 2,        "event_sources": [            "Abuse Mailbox 1",            "Proofpoint TAP"        ],        "users": [],        "assignee": "Unassigned",        "team": "Unassigned",        "hosts": {            "attacker": [                "54.214.13.31",                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"            ],            "cnc": [                "54.214.13.31"            ],            "url": [                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",                "https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="            ],            "forensics": [                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",                "tapdemo.evilscheme.org"            ]        },        "incident_field_values": [            {                "name": "Attack Vector",                "value": "Email"            },            {                "name": "Severity",                "value": "Critical"            },            {                "name": "Classification",                "value": "Reported Abuse"            },            {                "name": "Abuse Disposition",                "value": "Malicious"            }        ],        "events": [            {                "id": 8,                "category": "malware",                "severity": "Info",                "source": "Proofpoint TAP",                "threatname": "Malicious content dropped during execution",                "classified": false,                "state": "Linked",                "description": "Malicious content dropped during execution",                "attackDirection": "inbound",                "received": "2018-06-01T18:02:10Z",                "malwareName": "Malicious content dropped during execution"            },            {                "id": 6,                "category": "malware",                "severity": "Info",                "source": "Proofpoint TAP",                "threatname": "Example signature to fire on TAP demo evilness",                "classified": false,                "state": "Linked",                "description": "Example signature to fire on TAP demo evilness",                "attackDirection": "inbound",                "received": "2018-06-01T17:57:10Z",                "malwareName": "Example signature to fire on TAP demo evilness"            },        ],        "quarantine_results": [            {                "alertSource": "Not Available",                "startTime": "2018-06-01T18:17:43.941Z",                "endTime": "2018-06-01T18:17:44.001Z",                "status": "successful",                "recipientType": "Search",                "recipient": "jsmith@company.com",                "messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>"                "isRead": "true",                "wasUndone": "true",                "details": "Success"            }        ],        "successful_quarantines": 1,        "failed_quarantines": 0,        "pending_quarantines": 0    }]

Workflow Library Example

Retrieve Incidents with Proofpoint Threat Response Auto Pull and Send Results Via Email

Preview this Workflow on desktop

Integrations

​Basic Parameters​

​Advanced Parameters​

​Example Output​

​Workflow Library Example​

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example