
Create Incident


This functionality is available only with Barracuda Email Protection Premium and Premium Plus plans. To upgrade to one of these plans, contact your Barracuda Networks Sales Representative. 

Creates an incident for a Microsoft 365 tenant.

Endpoint

POST /beta/accounts/{accountId}/forensics/{tenantId}/incident

Parameters

Name | Type | Required | Description
Path Parameters
accountId | string | * | The Barracuda Cloud Control account ID obtained from the Get Accounts API.
tenantId | string | * | The Microsoft 365 tenant ID obtained from the Get Tenants API.

Request Body

Content type: application/json

Name | Description | Type

remediationActions | The remediation actions for an incident.

    Entry | Description | Type
    enableContinuousRemediation | Whether continuous remediation is enabled for this incident. Message action must be set to DELETE or NONE. | boolean
    messageAction | The action taken on emails that match the incident search criteria. Possible values: NONE, DELETE, QUARANTINE | string
    notify | Whether a warning email alert is sent to the affected users. | boolean
    sendSummary | Whether an incident summary is sent to your security team for tracking purposes. | boolean

searchCriteria | The email search criteria used to find emails that will become the basis of a new incident.

    Entry | Description | Type
    attachmentName | The email attachment name search query. | string
    emailSubject | The email subject search query. | string
    includeQuarantined | Whether the search should include quarantined emails. | boolean
    includeSent | Whether the search should include sent emails. | boolean
    sender | The email sender search query.

        Entry | Description | Type
        displayName | The sender name search query. | string
        email | The email address or domain name search query. | string

    timeframe | How far back the incident email search extends, in hours. Minimum: 1, maximum: 720 | integer

Response Codes

Code | Description
200 | OK
401 | Unauthorized: There is a missing or incorrect API token in the header, or the client did not have permission to access the requested resource.

Response

Entry | Description | Type
attachmentName | The email attachment name search query. | string
continuousRemediationCount | The number of emails for which remediation actions were taken via continuous remediation. | integer
continuousRemediationUntil | The date at which continuous remediation stops. | string
created | The date the incident was created. | string
createdBy | The email address of the administrator who created the incident. | string
createdByName | The name of the administrator who created the incident. | string
distinctRecipientCount | The number of users involved in this incident. | integer
domains | A list of affected domains. | Array
id | The incident ID. | string

incidentDetails | Details about the origins of an incident.

    Entry | Description | Type
    source | The method by which the incident was created (listed below). | string

      • Incident: Created by an administrator via the Incidents page.
      • Potential-Incidents: Created by an administrator via the Potential Incidents Insights page.
      • Insights-Automated: Created automatically via Automatic Remediation.
      • Region: Created by an administrator via the Emails by Region Insights page.
      • User-Reported: Created by an administrator via the User-Reported Emails page.
      • ESS: Created via Barracuda Email Security Service.
      • Sentinel: Created via Barracuda Sentinel.
      • Public-Api: Created by an administrator via the public API.

      Possible values: ESS, Incident, Insights-Automated, Potential-Incidents, Public-Api, Region, Sentinel, User-Reported

    subSource | Extra information about the source of the incident. | string

labels | A list of objects representing labels that can be used to filter incidents. | Array

    Entry | Description | Type
    id | The unique ID of the label. | integer
    name | The name of the label. | string

notifiedEmailCount | The number of warning email alerts sent to the affected users. | integer
remediatedEmailCount | The number of emails for which remediation actions were taken. | integer

remediationActions | The remediation actions for an incident.

    Entry | Description | Type
    enableContinuousRemediation | Whether continuous remediation is enabled for this incident. Message action must be set to DELETE or NONE. | boolean
    messageAction | The action taken on emails that match the incident search criteria. Possible values: NONE, DELETE, QUARANTINE | string
    notify | Whether a warning email alert is sent to the affected users. | boolean
    sendSummary | Whether an incident summary is sent to your security team for tracking purposes. | boolean

remediationStatus | The current remediation status. Possible values: Completed, In Progress, Not Started | string

sender | The email sender search query.

    Entry | Description | Type
    displayName | The sender name search query. | string
    email | The email address or domain name search query. | string

senderPolicies | A list of global sender policies added to your Barracuda Email Security Service account, if you have an account. The format is "{email|domain}:[quarantine|block]". Example: [ "john@email.com:quarantine" ] | Array
subject | The email subject search query. | string
timeframe | How far back the incident email search extends, in hours. | integer


Sample Usage  

curl -X POST "https://api.barracudanetworks.com/beta/accounts/{accountId}/forensics/{tenantId}/incident" \
--header "Content-Type: application/json" \
--data-raw '{
    "searchCriteria": {
        "timeframe": 720,
        "emailSubject": "Example Subject",
        "sender": {
            "email": "",
            "displayName": ""
        },
        "attachmentName": "",
        "includeQuarantined": false,
        "includeSent": false
    },
    "remediationActions": {
        "messageAction": "DELETE",
        "notify": false,
        "sendSummary": true,
        "enableContinuousRemediation": false
    }
}' \
--header "Authorization: Bearer {access_token}" 
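
The request-body limits documented above (the messageAction values, the 1 to 720 hour timeframe, and the continuous-remediation restriction) can be checked client-side before the POST is sent. The following Python is an added example, not Barracuda code; the function names are hypothetical, and the refusal of an unfiltered DELETE or QUARANTINE is a local safety policy assumed here, not a documented API rule.

```python
import json
import urllib.request
from urllib.parse import quote

API_BASE = "https://api.barracudanetworks.com/beta"  # host and prefix from the curl sample
MESSAGE_ACTIONS = {"NONE", "DELETE", "QUARANTINE"}


def build_incident_body(subject="", sender_email="", sender_name="", attachment="",
                        timeframe=720, message_action="NONE", notify=False,
                        send_summary=True, continuous=False,
                        include_quarantined=False, include_sent=False):
    """Return the Create Incident JSON body, enforcing the documented limits."""
    if message_action not in MESSAGE_ACTIONS:
        raise ValueError(f"messageAction must be one of {sorted(MESSAGE_ACTIONS)}")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(timeframe, bool) or not isinstance(timeframe, int) or not 1 <= timeframe <= 720:
        raise ValueError("timeframe must be an integer number of hours from 1 to 720")
    if continuous and message_action not in {"DELETE", "NONE"}:
        raise ValueError("continuous remediation requires messageAction DELETE or NONE")
    if message_action != "NONE" and not any((subject, sender_email, sender_name, attachment)):
        # Local safety policy (an assumption, not an API rule): no unfiltered remediation.
        raise ValueError("refusing DELETE/QUARANTINE with no search filter set")
    return {
        "searchCriteria": {
            "timeframe": timeframe,
            "emailSubject": subject,
            "sender": {"email": sender_email, "displayName": sender_name},
            "attachmentName": attachment,
            "includeQuarantined": bool(include_quarantined),
            "includeSent": bool(include_sent),
        },
        "remediationActions": {
            "messageAction": message_action,
            "notify": bool(notify),
            "sendSummary": bool(send_summary),
            "enableContinuousRemediation": bool(continuous),
        },
    }


def build_request(account_id, tenant_id, token, body):
    """Build (but do not send) the POST; IDs are percent-encoded into the path."""
    path = f"/accounts/{quote(account_id, safe='')}/forensics/{quote(tenant_id, safe='')}/incident"
    return urllib.request.Request(
        API_BASE + path, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
```

Passing the returned object to urllib.request.urlopen sends the call; building it separately lets the body be logged or reviewed before a destructive messageAction is submitted.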

Sample Response

{
    "id": "2047f505-ea48-4740-a370-a98611ea0c9f",
    "created": "2021-04-05T09:00:00.000000Z",
    "createdBy": "",
    "createdByName": "Public API",
    "sender": {
        "email": "",
        "displayName": ""
    },
    "subject": "Example Subject",
    "attachmentName": "",
    "timeframe": 720,
    "remediatedEmailCount": 0,
    "notifiedEmailCount": 0,
    "continuousRemediationCount": 0,
    "distinctRecipientCount": 0,
    "remediationStatus": "Not Started",
    "remediationActions": {
        "messageAction": "DELETE",
        "notify": false,
        "sendSummary": true,
        "enableContinuousRemediation": false
    },
    "senderPolicies": null,
    "domains": [
        "barracuda.com"
    ],
    "continuousRemediationUntil": null,
    "incidentDetails": {
        "source": "Public-Api",
        "subSource": null
    },
    "labels": []
}

 

Content type: application/json