Get Email Incident Details
GET/incident/api/v1/incidents
Retrieves information about Email DLP incidents.
You can combine the query parameters to drill down on your Email DLP incidents and limit your response sizes. For example:
curl https://api.us-west1.email.dlp.paloaltonetworks.com/incident/api/v1/incidents?limit=10&from=2023-10-17T02:29:04.402Z&to=2023-11-20T21:44:07.611Z&app_type=exchange-email,gmail-email
curl https://api.us-west1.email.dlp.paloaltonetworks.com/incident/api/v1/incidents?to=2023-11-20T19:44:04.395Z&from=2023-10-17T02:29:04.402Z&statuses=resolved,open&severities=very_low&limit=10
Using the limit query, the response contains a next-batch field that you can use to obtain the next page of results. The response will contain the next endpoint based on the delta:
"nextLink": "incident/api/incidents/delta?limit=100&from=2021-05-21T01:02:56Z&to=2021-05-22T01:02:56Z"
The report ID field in the response can be used to further inspect the incdent with the DLP API.
Request
Query Parameters
Pagination support for the API, this enables you to limit the response size.
Indicates the beginning of a time-controlled filter.
Indicates the end of a time-controlled filter.
An automatically generated field based on batched results from a previous request.
Etiher a single sender or list of senders indicating where the emails came from.
Possible values: [closed, resolved, under_review, open]
Either a single status or a list of statuses to filter on for the Email DLP reports which can be either closed, resolved, under review, or open.
Possible values: [very_low, low, medium, high, critical]
The list of severity for the shown Email DLP Reports.
The Email DLP policy names that triggered the report.
An automatically generated ID for the messages.
Possible values: [exchange-email, gmail-email]
The email provider.
Responses
- 200
- 400
- 401
- 403
- 500
Ok
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
Specificies the batch limit for the requested result set. The minimum is 1, The maximum, is 1000, and the default is 20 incidents.
The link you can use to fetch the next set of entries when using a filter in the GET request.
resources object[]
Possible values: [monitor, fwd_to_manager, block, fwd_to_admin, encrypt, quarantine]
Action taken by Enterprise DLP based on the Email DLP policy the outbound email matched against.
Possible values: [exchange-email, gmail-email, default-app]
The email provider.
Incident assignee responsible to review and address the Email DLP incident.
Date the Email DLP incident occurred.
You can use this field as a pointer to remove duplicate incident entries with the same creation date across batched results. The response automatially includes this field as part of nextLink, if the results span over multiple batches.
An automatically generated ID for the incident.
An automtically generated ID for the message.
An automtically generated ID for the policy.
The name of the policy that triggered the initial report.
a list of the persons or entities that recieved the email.
The report ID.
The sender of the email.
The date an email was sent.
Possible values: [very_low, low, medium, high, critical]
Severity of the DLP incident specified in the Email DLP policy.
Possible values: [closed, resolved, under_review, open]
The status of the incident.
The subject of the email.
Date the Email DLP incident status or assignee was updated.
{
"limit": 10,
"nextLink": "/incident/api/v1/incidents?to=2022-12-03T12:15:30Z&from=2022-12-03T10:15:30Z&app_type=exchange-email&previous_incident_id=2&limit=10",
"resources": [
{
"action": "monitor",
"appType": "exchange-email",
"assigneeId": "string",
"createdAt": "2024-05-17T04:53:50.480Z",
"dataProfileId": "string",
"incidentId": "string",
"messageId": "string",
"policyId": "string",
"policyName": "string",
"receivers": [
"string"
],
"reportId": "string",
"sender": "string",
"sentDate": "2024-05-17T04:53:50.480Z",
"severity": "very_low",
"status": "closed",
"subject": "string",
"updatedAt": "2024-05-17T04:53:50.480Z"
}
]
}
Invalid Request
Unauthorized
Forbidden
Internal Server Error