
Get Email Incident Details

GET 

/incident/api/v1/incidents

Retrieves information about Email DLP incidents.

You can combine the query parameters to drill down on your Email DLP incidents and limit your response sizes. Quote the URL so the shell does not treat each `&` as a command separator. For example:

curl 'https://api.us-west1.email.dlp.paloaltonetworks.com/incident/api/v1/incidents?limit=10&from=2023-10-17T02:29:04.402Z&to=2023-11-20T21:44:07.611Z&app_type=exchange-email,gmail-email'
curl 'https://api.us-west1.email.dlp.paloaltonetworks.com/incident/api/v1/incidents?to=2023-11-20T19:44:04.395Z&from=2023-10-17T02:29:04.402Z&statuses=resolved,open&severities=very_low&limit=10'

When you use the limit query parameter, the response contains a nextLink field that you can use to obtain the next batch of results. The response will contain the next endpoint based on the delta:

"nextLink": "incident/api/incidents/delta?limit=100&from=2021-05-21T01:02:56Z&to=2021-05-22T01:02:56Z"

The reportId field in the response can be used to further inspect the incident with the DLP API.
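The following is an added example written for this page, not Palo Alto Networks' own client code. It builds a filtered query URL from the documented parameters (rejecting status, severity and app_type values the page does not list, and a limit outside 1..1000), then walks the batches by following nextLink until the API stops returning one. Assumptions not stated on the page: authentication is left to the injected fetch() callable, nextLink is a path relative to the API host, and an incident may be repeated at a batch boundary. The two-batch response served by fake_fetch() is constructed so the script runs offline; replace it with a real authenticated GET to use it against the API.

```python
"""Filtered query plus nextLink pagination for the Email DLP incidents endpoint.

Added example, not the vendor's client. Assumptions: auth is handled inside the
fetch() callable; nextLink is host-relative; sample batches below are constructed.
"""
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

BASE_URL = "https://api.us-west1.email.dlp.paloaltonetworks.com/"
INCIDENTS_PATH = "incident/api/v1/incidents"

# Allowed values exactly as the page documents them.
STATUSES = {"closed", "resolved", "under_review", "open"}
SEVERITIES = {"very_low", "low", "medium", "high", "critical"}
APP_TYPES = {"exchange-email", "gmail-email"}


def build_incidents_url(limit=None, from_ts=None, to_ts=None, statuses=(),
                        severities=(), app_types=(), senders=(), policy_names=()):
    """Build the GET URL; list parameters are comma-joined as in the curl examples."""
    if limit is not None and not 1 <= int(limit) <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    for name, values, allowed in (("statuses", statuses, STATUSES),
                                  ("severities", severities, SEVERITIES),
                                  ("app_type", app_types, APP_TYPES)):
        unknown = set(values) - allowed
        if unknown:
            raise ValueError(f"unknown {name}: {sorted(unknown)}")
    params = {}
    if limit is not None:
        params["limit"] = str(limit)
    if from_ts:
        params["from"] = from_ts
    if to_ts:
        params["to"] = to_ts
    for name, values in (("statuses", statuses), ("severities", severities),
                         ("app_type", app_types), ("senders", senders),
                         ("policy_names", policy_names)):
        if values:
            params[name] = ",".join(values)
    # Keep ',', ':' and '@' literal so the URL matches the documented form.
    return urljoin(BASE_URL, INCIDENTS_PATH) + "?" + urlencode(params, safe=",:@")


def iter_incidents(fetch, url, max_pages=1000):
    """Yield incident resources, following nextLink until the API omits it.

    fetch(url) returns the parsed JSON body of an authenticated GET. An incident
    repeated across a batch boundary is yielded once; max_pages bounds the walk so
    a misbehaving nextLink cannot loop forever.
    """
    seen = set()
    for _ in range(max_pages):
        if not url:
            return
        body = fetch(url)
        for incident in body.get("resources", []):
            incident_id = incident.get("incidentId")
            if incident_id in seen:
                continue
            seen.add(incident_id)
            yield incident
        next_link = body.get("nextLink")
        url = urljoin(BASE_URL, next_link) if next_link else None


def summarize_by_severity(incidents):
    """Count incidents per severity so a reviewer can see where to start."""
    counts = {}
    for incident in incidents:
        sev = incident.get("severity", "unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed two-batch response, keyed by the previous_incident_id cursor in the URL.
SAMPLE_BATCHES = {
    "": {
        "limit": 2,
        "nextLink": f"{INCIDENTS_PATH}?limit=2&previous_incident_id=inc-002",
        "resources": [
            {"incidentId": "inc-001", "severity": "high", "status": "open",
             "action": "block", "sender": "alice@example.com", "appType": "gmail-email"},
            {"incidentId": "inc-002", "severity": "low", "status": "resolved",
             "action": "monitor", "sender": "bob@example.com", "appType": "exchange-email"},
        ],
    },
    "inc-002": {
        "limit": 2,
        "resources": [
            # Boundary record repeated from the first batch; the walk drops it.
            {"incidentId": "inc-002", "severity": "low", "status": "resolved",
             "action": "monitor", "sender": "bob@example.com", "appType": "exchange-email"},
            {"incidentId": "inc-003", "severity": "critical", "status": "open",
             "action": "quarantine", "sender": "carol@example.com", "appType": "gmail-email"},
        ],
    },
}


def fake_fetch(url):
    """Offline stand-in for an authenticated GET; serves SAMPLE_BATCHES by cursor."""
    cursor = parse_qs(urlparse(url).query).get("previous_incident_id", [""])[0]
    return SAMPLE_BATCHES[cursor]


def fetch_all_incidents(fetch=fake_fetch, **filters):
    """Run the filtered query and drain every batch into a list."""
    return list(iter_incidents(fetch, build_incidents_url(**filters)))


if __name__ == "__main__":
    found = fetch_all_incidents(limit=2, statuses=("open", "resolved"))
    print(len(found), "incidents:", [i["incidentId"] for i in found])
    print(summarize_by_severity(found))
```

The cursor walk deliberately deduplicates on incidentId rather than trusting each batch to be disjoint, and the page cap stops the loop if a server ever returns a nextLink that points back at an earlier batch.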

Request

Query Parameters

    limit string

    Pagination support for the API. This lets you limit the response size.

    from date-time

    Indicates the beginning of a time-controlled filter.

    to date-time

    Indicates the end of a time-controlled filter.

    previous_incident_id string

    An automatically generated field based on batched results from a previous request.

    senders string[]

    Either a single sender or a list of senders indicating where the emails came from.

    statuses string[]

    Possible values: [closed, resolved, under_review, open]

    Either a single status or a list of statuses to filter the Email DLP reports on. A status can be closed, resolved, under_review, or open.

    severities string[]

    Possible values: [very_low, low, medium, high, critical]

    The list of severities to filter the returned Email DLP reports on.

    policy_names string[]

    The Email DLP policy names that triggered the report.

    message_ids string[]

    An automatically generated ID for the messages.

    app_type string[]

    Possible values: [exchange-email, gmail-email]

    The email provider.

Responses

Ok

Schema
    limit int32

    Specifies the batch limit for the requested result set. The minimum is 1, the maximum is 1000, and the default is 20 incidents.

    nextLink string

    The link you can use to fetch the next set of entries when using a filter in the GET request.

    resources object[]

    Array [

    action string

    Possible values: [monitor, fwd_to_manager, block, fwd_to_admin, encrypt, quarantine]

    Action taken by Enterprise DLP based on the Email DLP policy the outbound email matched against.

    appType string

    Possible values: [exchange-email, gmail-email, default-app]

    The email provider.

    assigneeId string

    Incident assignee responsible to review and address the Email DLP incident.

    createdAt date-time

    Date the Email DLP incident occurred.

    dataProfileId string

    You can use this field as a pointer to remove duplicate incident entries with the same creation date across batched results. The response automatically includes this field as part of nextLink if the results span multiple batches.

    incidentId string

    An automatically generated ID for the incident.

    messageId string

    An automatically generated ID for the message.

    policyId string

    An automatically generated ID for the policy.

    policyName string

    The name of the policy that triggered the initial report.

    receivers string[]

    A list of the persons or entities that received the email.

    reportId string

    The report ID.

    sender string

    The sender of the email.

    sentDate date-time

    The date an email was sent.

    severity string

    Possible values: [very_low, low, medium, high, critical]

    Severity of the DLP incident specified in the Email DLP policy.

    status string

    Possible values: [closed, resolved, under_review, open]

    The status of the incident.

    subject string

    The subject of the email.

    updatedAt date-time

    Date the Email DLP incident status or assignee was updated.

    ]