
Get Incidents

This functionality is available only with Barracuda Email Protection Premium and Premium Plus plans. To upgrade to one of these plans, contact your Barracuda Networks Sales Representative. 

Retrieves a list of created incidents for a Microsoft 365 tenant.

See Get Incident to retrieve a single incident using the incident ID.

Endpoint

GET /beta/accounts/{accountId}/forensics/{tenantId}/incidents

Parameters

Name | Type | Required | Description

Path Parameters
accountId | string | * | The Barracuda Cloud Control account ID obtained from the Get Accounts API.
tenantId | string | * | The Microsoft 365 tenant ID obtained from the Get Tenants API.

Query Parameters
labels | array[string] | | The labels used to filter results.
page | integer | | The current page to return. Default value : 0
size | integer | | The number of results to return. Default value : 10

Response Codes

Code | Description
200 | OK
401 | Unauthorized: The API token in the header is missing or incorrect, or the client does not have permission to access the requested resource.

Response
Entry | Description | Type
itemsTotal | The total number of items. | integer
pageNum | The current page number. | integer
pagesTotal | The total number of pages. | integer
results* | See "results entries" below. |
resultsCount | The number of items on the current page. | integer

results entries

Entry | Description | Type
attachmentName | The email attachment name search query. | string
continuousRemediationCount | The number of emails for which remediation actions were taken via continuous remediation. | integer
continuousRemediationUntil | The date at which continuous remediation stops. | string
created | The date the incident was created. | string
createdBy | The email address of the administrator who created the incident. | string
createdByName | The name of the administrator who created the incident. | string
distinctRecipientCount | The number of users involved in this incident. | integer
domains | A list of affected domains. | Array
id | The incident ID. | string
incidentDetails | Details about the origins of an incident. | See "incidentDetails entries" below.
labels | A list of objects representing labels that can be used to filter incidents. | Array (see "labels entries" below)
notifiedEmailCount | The number of warning email alerts sent to the affected users. | integer
remediatedEmailCount | The number of emails for which remediation actions were taken. | integer
remediationActions | The remediation actions for an incident. | See "remediationActions entries" below.
remediationStatus | The current remediation status. Possible values : Completed, In Progress, Not Started | string
sender | The email sender search query. | See "sender entries" below.
senderPolicies | A list of global sender policies added to your Barracuda Email Security Service account, if you have an account (format shown below). | Array
subject | The email subject search query. | string
timeframe | How far back the incident email search extends, in hours. | integer

senderPolicies format: "{email|domain}:[quarantine|block]"

example: [ "john@email.com:quarantine" ]

incidentDetails entries

Entry | Description | Type
source | The method by which the incident was created. Possible values : ESS, Incident, Insights-Automated, Potential-Incidents, Public-Api, Region, Sentinel, User-Reported | string
subSource | Extra information about the source of the incident. | string

source values:

  • Incident: Created by an administrator via the Incidents page.
  • Potential-Incidents: Created by an administrator via the Potential Incidents Insights page.
  • Insights-Automated: Created automatically via Automatic Remediation.
  • Region: Created by an administrator via the Emails by Region Insights page.
  • User-Reported: Created by an administrator via the User-Reported Emails page.
  • ESS: Created via Barracuda Email Security Service.
  • Sentinel: Created via Barracuda Sentinel.
  • Public-Api: Created by an administrator via the public API.

labels entries

Entry | Description | Type
id | The unique ID of the label. | integer
name | The name of the label. | string

remediationActions entries

Entry | Description | Type
enableContinuousRemediation | Whether continuous remediation is enabled for this incident. Message action must be set to DELETE or NONE. | boolean
messageAction | The action taken on emails that match the incident search criteria. Possible values : NONE, DELETE, QUARANTINE | string
notify | Whether a warning email alert is sent to the affected users. | boolean
sendSummary | Whether an incident summary is sent to your security team for tracking purposes. | boolean

sender entries

Entry | Description | Type
displayName | The sender name search query. | string
email | The email address or domain name search query. | string

Sample Request

curl -X GET "https://api.barracudanetworks.com/beta/accounts/{accountId}/forensics/{tenantId}/incidents" \
--header "Authorization: Bearer {access_token}"

Sample Response

{
    "resultsCount": 1,
    "pageNum": 0,
    "itemsTotal": 1,
    "pagesTotal": 1,
    "results": [
        {
            "id": "2047f505-ea48-4740-a370-a98611ea0c9f",
            "created": "2021-04-05T09:00:00.000000Z",
            "createdBy": "",
            "createdByName": "Public API",
            "sender": {
                "email": "",
                "displayName": ""
            },
            "subject": "Example Subject",
            "attachmentName": "",
            "timeframe": 720,
            "remediatedEmailCount": 1,
            "notifiedEmailCount": 0,
            "continuousRemediationCount": 0,
            "distinctRecipientCount": 1,
            "remediationStatus": "Completed",
            "remediationActions": {
                "messageAction": "DELETE",
                "notify": false,
                "sendSummary": true,
                "enableContinuousRemediation": false
            },
            "senderPolicies": [],
            "domains": [
                "barracuda.com"
            ],
            "continuousRemediationUntil": null,
            "incidentDetails": {
                "source": "Public-Api",
                "subSource": null
            },
            "labels": []
        }
    ]
}
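
The following Python sketch is an added example, not Barracuda's own client code. It walks every page of this endpoint using the documented page, size and pagesTotal fields and flags incidents that still need attention. The needs_follow_up rule, the fake_get transport and the sample incident IDs are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://api.barracudanetworks.com"  # host from the page's sample request

def incidents_url(account_id, tenant_id, page=0, size=10):
    """Build the Get Incidents URL; path values are percent-encoded."""
    q = lambda s: urllib.parse.quote(s, safe="")
    path = f"/beta/accounts/{q(account_id)}/forensics/{q(tenant_id)}/incidents"
    query = urllib.parse.urlencode({"page": page, "size": size})
    return f"{BASE}{path}?{query}"

def http_get_json(url, token):
    """Default transport: one authenticated GET, body parsed as JSON."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises HTTPError on 401
        return json.load(resp)

def iter_incidents(account_id, tenant_id, token, size=10, get=http_get_json, max_pages=1000):
    """Yield every incident, requesting pages 0 .. pagesTotal-1."""
    for page in range(max_pages):  # hard stop in case pagesTotal is wrong
        body = get(incidents_url(account_id, tenant_id, page, size), token)
        yield from body.get("results") or []
        if page + 1 >= body.get("pagesTotal", 0):
            return

def needs_follow_up(incident):
    """Triage rule assumed by this example, not defined by the API."""
    actions = incident.get("remediationActions") or {}
    return (incident.get("remediationStatus") != "Completed"
            or actions.get("messageAction") == "NONE")

# Constructed sample data: two pages of one incident each (ids are made up).
SAMPLE_PAGES = [
    {"pageNum": 0, "pagesTotal": 2, "results": [{"id": "sample-1",
        "remediationStatus": "Completed", "remediationActions": {"messageAction": "DELETE"}}]},
    {"pageNum": 1, "pagesTotal": 2, "results": [{"id": "sample-2",
        "remediationStatus": "In Progress", "remediationActions": {"messageAction": "QUARANTINE"}}]},
]

def fake_get(url, token):
    """Offline stand-in for http_get_json that serves SAMPLE_PAGES."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[int(query["page"][0])]

if __name__ == "__main__":
    for inc in iter_incidents("ACCOUNT_ID", "TENANT_ID", "TOKEN", size=1, get=fake_get):
        print(inc["id"], "follow up" if needs_follow_up(inc) else "ok")
```

Drop the get=fake_get argument to call the live API; keep the access token out of source control and logs.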