
Get Incident Details

GET /v2/api/incidents/:incidentID

Just as you can view DLP incidents on Panorama, you can view your DLP incidents programmatically. The API retrieves DLP incidents, which you can filter using the query parameters. When using the API, note:

  • If you are using multiple filtering parameters (such as report ID, user ID, file SHA, and channel), all are combined via an "AND" operation.
  • All filters are exact matches.
  • Fields with null values are not included in the response.

Request

Path Parameters

    incidentID string required

    The incident ID to filter.

    Example: 3fb38abe-a83b-44e5-99d5-4bec3765bba6

Query Parameters

    region string

    Possible values: [us, eu, uk, jp, in, ap, ca, au, par]

    The region (defaults to us).

Responses

OK

Schema
    action string

    Possible values: [alert, block]

    Action taken on the incident.

    app_id string

    Palo Alto Networks assigned Application ID.

    app_name string

    The name of the application.

    assignee_id string

    Automatically assigned ID of the assignee.

    channel string

    Possible values: [ngfw, prisma-access]

    The Palo Alto Networks channel that identified the incident.

    data_profile_id int64

    The UUID profile descriptor used to characterize the incident.

    data_profile_name string

    The data profile descriptor used to characterize the incident.

    file_name string

    The analyzed file name.

    file_sha string

    The analyzed file SHA hash.

    file_type string

    The analyzed file type.

    incident_creation_time string

    The time the incident first occurred.

    incident_feedback_status string

    Current status of the feedback associated with the incident.

    incident_id uuid

    The Palo Alto Networks automatically assigned incident ID.

    incident_notes string

    User defined notes for the incident.

    match_info object

    Contains the following fields:

        detection_technique string

        Possible values: [document_fingerprint, edm, file_property, ml, ml_document, regex, titus_tag, trainable_classifier, weighted_regex]

        One of several techniques used to identify the incident.

        edm_columns string[]

        Exact Data Matching (EDM) is a method of detecting and protecting your most sensitive content. Unlike data patterns, EDM uses specific data—such as a patient’s first and last name or a patient’s social security number or a customer’s bank account number—to identify matches.

        hcf int32

        The indicator for high confidence frequency.

        lcf int32

        The indicator for low confidence frequency.

        mcf int32

        The indicator for medium confidence frequency.

        name string

        The name of the pattern.

        uhcf int32

        The unique high confidence frequency pattern.

        ulcf int32

        The unique low confidence frequency pattern.

        umcf int32

        The unique medium confidence frequency pattern.

        version int32

        Data pattern version.

    report_id string

    The Palo Alto Networks automatically assigned report ID that you can use to retrieve reports.

    resolution_status string

    Resolution status of the incident in Enterprise DLP.

    session_key string

    The session key associated with the incident.

    snippets string

    A JSON structure containing snippet data; if snippets are not enabled, the field is returned as null.

    source string

    The Palo Alto Networks source that identified the incident.

    tenant_id string

    The TSG enabled tenant used to identify the Incident.

    user string

    The user associated with the incident.
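The following is an added example, not code from this documentation page or from Palo Alto Networks: a small Python client that builds the request for this endpoint and normalises the JSON body it returns. It assumes a placeholder base URL and bearer-token authentication, neither of which this page specifies, and it embeds a constructed sample response (the incident ID is the page's own example) so it runs offline. The points it demonstrates are the ones the page calls out: the incident ID is validated as a UUID before it is placed in the path, the region is checked against the documented list, every optional field is read defensively because null-valued fields are omitted from the response, and the nested match_info object is decoded into a typed structure.

```python
"""Added example (not Palo Alto Networks' own client code) for
GET /v2/api/incidents/:incidentID.

Assumptions, labelled as such: BASE_URL is a placeholder and the API is
assumed to accept a bearer token in the Authorization header; neither is
documented on the page.
"""
import json
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, urlencode
from uuid import UUID

# Placeholder: substitute the real Enterprise DLP API host for your tenant.
BASE_URL = "https://dlp-api.example.invalid"

# Allowed values of the `region` query parameter, as listed on the page.
REGIONS = {"us", "eu", "uk", "jp", "in", "ap", "ca", "au", "par"}

# Allowed values of match_info.detection_technique, as listed on the page.
DETECTION_TECHNIQUES = {
    "document_fingerprint", "edm", "file_property", "ml", "ml_document",
    "regex", "titus_tag", "trainable_classifier", "weighted_regex",
}


def build_request(incident_id: str, token: str, region: str = "us") -> tuple[str, dict]:
    """Return (url, headers) for the incident-details call.

    The incident ID is canonicalised as a UUID before it goes into the path so
    that an untrusted string cannot add path segments or a query string; the
    region is checked against the documented list.
    """
    canonical_id = str(UUID(incident_id))  # ValueError on anything that is not a UUID
    if region not in REGIONS:
        raise ValueError(f"unsupported region {region!r}")
    url = f"{BASE_URL}/v2/api/incidents/{quote(canonical_id, safe='')}?" + urlencode({"region": region})
    # Bearer authentication is an assumption, not documented on the page.
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return url, headers


@dataclass
class MatchInfo:
    detection_technique: Optional[str]
    name: Optional[str]
    hcf: int = 0
    mcf: int = 0
    lcf: int = 0
    edm_columns: list[str] = field(default_factory=list)


@dataclass
class Incident:
    incident_id: str
    action: Optional[str]
    channel: Optional[str]
    user: Optional[str]
    file_sha: Optional[str]
    snippets: Optional[dict]
    match_info: Optional[MatchInfo]


def parse_incident(body: dict) -> Incident:
    """Normalise one incident object from the response body.

    Null-valued fields are omitted from the response, so optional fields are
    read with .get() rather than indexed. `snippets` is documented as a JSON
    structure carried in a string, so it is decoded when present.
    """
    match_info = None
    mi = body.get("match_info")
    if mi is not None:
        technique = mi.get("detection_technique")
        if technique is not None and technique not in DETECTION_TECHNIQUES:
            raise ValueError(f"unknown detection_technique {technique!r}")
        match_info = MatchInfo(
            detection_technique=technique,
            name=mi.get("name"),
            hcf=int(mi.get("hcf", 0)),
            mcf=int(mi.get("mcf", 0)),
            lcf=int(mi.get("lcf", 0)),
            edm_columns=list(mi.get("edm_columns", [])),
        )
    raw_snippets = body.get("snippets")
    snippets = json.loads(raw_snippets) if isinstance(raw_snippets, str) else raw_snippets
    return Incident(
        incident_id=str(UUID(body["incident_id"])),
        action=body.get("action"),
        channel=body.get("channel"),
        user=body.get("user"),
        file_sha=body.get("file_sha"),
        snippets=snippets,
        match_info=match_info,
    )


def needs_review(inc: Incident) -> bool:
    """Triage rule: an 'alert' action means the transfer was not blocked, so an
    alerted incident with high-confidence matches is queued ahead of a blocked one."""
    return inc.action == "alert" and inc.match_info is not None and inc.match_info.hcf > 0


# Constructed sample response (not captured from a real tenant). Null-valued
# fields such as assignee_id and snippets are simply absent, as the page states.
SAMPLE_RESPONSE = {
    "incident_id": "3fb38abe-a83b-44e5-99d5-4bec3765bba6",
    "action": "alert",
    "channel": "prisma-access",
    "user": "jdoe@example.invalid",
    "file_name": "payroll.xlsx",
    "file_sha": "0" * 64,  # placeholder hash value
    "match_info": {
        "detection_technique": "edm",
        "name": "Employee PII",
        "hcf": 12, "mcf": 3, "lcf": 0,
        "edm_columns": ["ssn", "last_name"],
        "version": 2,
    },
}

if __name__ == "__main__":
    print(build_request(SAMPLE_RESPONSE["incident_id"], "TOKEN-PLACEHOLDER", "eu")[0])
    print(parse_incident(SAMPLE_RESPONSE))
```

Only `build_request` touches request construction; performing the HTTP call with any client and passing the decoded body to `parse_incident` keeps the validation and null-handling logic testable without network access.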
