Skip to main content

Get Incidents



Similarly to how you can view DLP Incidents on Panorama or Strata Cloud Manager, you can view your DLP incidents programatically. The API retrieves all DLP incidents which you can filter using the query paramaters.

When using the API note:

  • If you are using multiple filtering parameters such as report ID, user ID, file SHA, and channel, all are combined via an “AND” operation
  • All filters are exact matches
  • Fields with null values are not included in the response


Query Parameters

    ascending boolean

    Sort incidents in ascending order

    channel string

    Possible values: [ngfw, prisma-access]

    Source of the DLP incident you are viewing

    end_time date-time

    The end time of the incident

    file_shas string

    The file SHA assosciated with the incident

    page_number int32

    Pagination support to track the number incidents you retrieved

    page_size int32

    Pagination support to reduce the number incidents you retrieved

    region string

    Region the incident was triggered in

    report_ids string[]

    ID of the retrieved report

    sort_by string

    sort by. default sort by creation time

    start_time date-time


    user_ids string[]

    User IDs assosciated with the incident.



    page objectrequired

    Inidicates the page of the current response.

    number int32

    Pagination support for the API, this enables you to limit the response size.

    size int32

    Indicates the size of the responose.

    total_elements int32

    Indicates the total number of incidents included.

    total_pages int32

    Indicates the total number of pages available.

    resources object[]

    Inidicates the current status of the Email DLP incident, this can indicate whether the incident is open, under review, resovled, or closed

  • Array [
  • action string

    Possible values: [alert, block, none]

    The action taken on the Incident.

    app_id string

    The ID of the application.

    app_name string

    The name of the application.

    channel string

    Possible values: [ngfw, prisma-access]

    The product the indcident was recorded in.

    data_profile_id int64

    The ID of the data profile used to capture the incident.

    data_profile_name string

    The name of the data profile used to capture the incident.

    file_name string

    The file name of the capture file.

    file_sha string

    The SHA hash of the captured file.

    file_type string

    The specific file type of the captured file.

    incident_creation_time string

    The datetime of th incident.

    incident_id uuid

    The automatically generated incident ID.

    report_id string

    The automatically generated report ID.

    source string

    Source of the incident report.

    tenant_id string

    ID of the TSG enabled tentant.

    user string

    User identified by the DLP engine.

  • ]