Get Incidents

GET /v2/api/incidents

Similarly to how you can view DLP Incidents on Panorama or Strata Cloud Manager, you can view your DLP incidents programatically. The API retrieves all DLP incidents which you can filter using the query paramaters.

When using the API note:

If you are using multiple filtering parameters such as report ID, user ID, file SHA, and channel, all are combined via an “AND” operation
All filters are exact matches
Fields with null values are not included in the response

Request

Query Parameters

ascending boolean

Sort incidents in ascending order

channel string

Possible values: [ngfw, prisma-access]

Source of the DLP incident you are viewing

end_time date-time

The end time of the incident

file_shas string

The file SHA assosciated with the incident

page_number int32

Pagination support to track the number incidents you retrieved

page_size int32

Pagination support to reduce the number incidents you retrieved

region string

Region the incident was triggered in

report_ids string[]

ID of the retrieved report

sort_by string

Sorts incidents. The default sort order is by creation time.

start_time date-time

The start time to sort the incidents by.

user_ids string[]

User IDs assosciated with the incident.

Responses

application/json

Schema
Example (from schema)
incidentResponseExample

Schema

page objectrequired

Indicates the page of the current response.

number int32

Pagination support for the API, this enables you to limit the response size.

size int32

Indicates the size of the responose.

total_elements int32

Indicates the total number of incidents included.

total_pages int32

Indicates the total number of pages available.

resources object[]

Indicates the current status of the DLP incident, this can indicate whether the incident is open, under review, resolved, or closed

Array [

action string

Possible values: [alert, block, none]

The action taken on the Incident.

app_id string

The ID of the application.

app_name string

The name of the application.

channel string

Possible values: [ngfw, prisma-access]

The product the indcident was recorded in.

data_profile_id int64

The ID of the data profile used to capture the incident.

data_profile_name string

The name of the data profile used to capture the incident.

file_name string

The file name of the capture file.

file_sha string

The SHA hash of the captured file.

file_type string

The specific file type of the captured file.

incident_creation_time string

The datetime of th incident.

incident_id uuid

The automatically generated incident ID.

report_id string

The automatically generated report ID.

source string

Source of the incident report.

tenant_id string

ID of the TSG enabled tentant.

user string

User identified by the DLP engine.

]

{
  "page": {
    "number": 0,
    "size": 0,
    "total_elements": 0,
    "total_pages": 0
  },
  "resources": [
    {
      "action": "alert",
      "app_id": "string",
      "app_name": "string",
      "channel": "ngfw",
      "data_profile_id": 0,
      "data_profile_name": "string",
      "file_name": "string",
      "file_sha": "string",
      "file_type": "string",
      "incident_creation_time": "yyyy-MMM-dd HH:mm:ss z",
      "incident_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "report_id": "string",
      "source": "string",
      "tenant_id": "string",
      "user": "string"
    }
  ]
}

{
  "page": {
    "number": 1,
    "size": 10,
    "total_elements": 290,
    "total_pages": 29
  },
  "resources": [
    {
      "action": "alert",
      "channel": "ngfw",
      "data_profile_id": 11995044,
      "data_profile_name": "PII",
      "file_name": "SSNpattern",
      "file_sha": "a4d58aa3caeb73b56028f597de2b3263d64e2835f277f31c97be53bc76a29e47",
      "file_type": "pdf",
      "incident_creation_time": "2023-Dec-07 18:41:12 UTC",
      "incident_id": "7c3dca3d-1c08-4147-b171-9faba84739d4",
      "report_id": "1572154781",
      "source": "ngfw",
      "tenant_id": "5886928188517009408"
    },
    {
      "action": "alert",
      "channel": "ngfw",
      "data_profile_id": 11995410,
      "data_profile_name": "Portugal_LNAME_high",
      "file_name": "test_portugal_LNAME.txt",
      "file_sha": "6c25d79cd1dee00b3a6ee6bbb985dae6ee5bdfa31a8dfcffa241786c8c3893a7",
      "file_type": "txt",
      "incident_creation_time": "2023-Dec-07 18:39:38 UTC",
      "incident_id": "81985a40-dae5-4e80-8147-678892ccfc00",
      "report_id": "2968440380",
      "source": "ngfw",
      "tenant_id": "5886928188517009408"
    },
    {
      "action": "alert",
      "channel": "ngfw",
      "data_profile_id": 11995355,
      "data_profile_name": "inline_timing_11_12_edm",
      "file_name": "all_patterns_data_1_MB.txt",
      "file_sha": "6c8d18c544aba3b44cfa487d5020ec102a6317a6a5164e270bbecf6ea37df925",
      "file_type": "txt",
      "incident_creation_time": "2023-Dec-06 19:39:46 UTC",
      "incident_id": "08f014d8-ed13-490e-bfc4-7363f43a4af1",
      "report_id": "1347859663",
      "source": "ngfw",
      "tenant_id": "5886928188517009408"
    },
    {
      "action": "alert",
      "channel": "ngfw",
      "data_profile_id": 11995295,
      "data_profile_name": "DemoWideNestedProfile",
      "file_name": "SSNpattern",
      "file_sha": "a4d58aa3caeb73b56028f597de2b3263d64e2835f277f31c97be53bc76a29e47",
      "file_type": "pdf",
      "incident_creation_time": "2023-Dec-05 21:54:21 UTC",
      "incident_id": "6c7d838a-1b25-44fe-8917-1ff760c0eae5",
      "report_id": "3741398016",
      "source": "ngfw",
      "tenant_id": "5886928188517009408"
    }
  ]
}

Get Incidents

/v2/api/incidents

Request​

Query Parameters

Responses​

Request

Responses