Get Incident

This functionality is available only with Barracuda Email Protection Premium and Premium Plus plans. To upgrade to one of these plans, contact your Barracuda Networks Sales Representative. 

Retrieves a single incident using the incident ID.

See Get Incidents to retrieve a list of incidents for a Microsoft 365 tenant.

Endpoint

GET /beta/accounts/{accountId}/forensics/{tenantId}/incident/{incidentId}

Parameters

Path parameters (all required)

Name         Type    Description
accountId    string  The Barracuda Cloud Control account ID, obtained from the Get Accounts API.
incidentId   string  The incident ID, obtained from the Create Incident or Get Incidents APIs.
tenantId     string  The Microsoft 365 tenant ID, obtained from the Get Tenants API.

Response Codes

Code  Description
200   OK
401   Unauthorized: the Authorization header is missing or carries an incorrect API token, or the client does not have permission to access the requested resource.

Response

Each entry is listed as name (type): description. Nested entries belong to the object or array named directly above them.

attachmentName (string): The email attachment name search query.
continuousRemediationCount (integer): The number of emails on which remediation actions were taken via continuous remediation.
continuousRemediationUntil (string): The date at which continuous remediation stops. Null when continuous remediation is not enabled, as in the sample response below.
created (string): The date the incident was created.
createdBy (string): The email address of the administrator who created the incident.
createdByName (string): The name of the administrator who created the incident.
distinctRecipientCount (integer): The number of users involved in this incident.
domains (array): A list of affected domains.
id (string): The incident ID.
incidentDetails (object): Details about the origins of an incident.
    source (string): The method by which the incident was created. Possible values: ESS, Incident, Insights-Automated, Potential-Incidents, Public-Api, Region, Sentinel, User-Reported.
      • Incident: Created by an administrator via the Incidents page.
      • Potential-Incidents: Created by an administrator via the Potential Incidents Insights page.
      • Insights-Automated: Created automatically via Automatic Remediation.
      • Region: Created by an administrator via the Emails by Region Insights page.
      • User-Reported: Created by an administrator via the User-Reported Emails page.
      • ESS: Created via Barracuda Email Security Service.
      • Sentinel: Created via Barracuda Sentinel.
      • Public-Api: Created by an administrator via the public API.
    subSource (string): Extra information about the source of the incident.
labels (array of objects): Labels that can be used to filter incidents.
    id (integer): The unique ID of the label.
    name (string): The name of the label.
notifiedEmailCount (integer): The number of warning email alerts sent to the affected users.
remediatedEmailCount (integer): The number of emails on which remediation actions were taken.
remediationActions (object): The remediation actions for an incident.
    enableContinuousRemediation (boolean): Whether continuous remediation is enabled for this incident. Requires messageAction to be DELETE or NONE.
    messageAction (string): The action taken on emails that match the incident search criteria. Possible values: NONE, DELETE, QUARANTINE.
    notify (boolean): Whether a warning email alert is sent to the affected users.
    sendSummary (boolean): Whether an incident summary is sent to your security team for tracking purposes.
remediationStatus (string): The current remediation status. Possible values: Completed, In Progress, Not Started.
sender (object): The email sender search query.
    displayName (string): The sender name search query.
    email (string): The email address or domain name search query.
senderPolicies (array): A list of global sender policies added to your Barracuda Email Security Service account, if you have one. Each entry has the format "{email|domain}:{quarantine|block}", for example [ "john@email.com:quarantine" ].
subject (string): The email subject search query.
timeframe (integer): How far back the incident email search extends, in hours.

Sample Request

curl -X GET "https://api.barracudanetworks.com/beta/accounts/{accountId}/forensics/{tenantId}/incident/{incidentId}" \
--header "Authorization: Bearer {access_token}"

Sample Response

{
    "id": "2047f505-ea48-4740-a370-a98611ea0c9f",
    "created": "2021-04-05T09:00:00.000000Z",
    "createdBy": "",
    "createdByName": "Public API",
    "sender": {
        "email": "",
        "displayName": ""
    },
    "subject": "Example Subject",
    "attachmentName": "",
    "timeframe": 720,
    "remediatedEmailCount": 1,
    "notifiedEmailCount": 0,
    "continuousRemediationCount": 0,
    "distinctRecipientCount": 1,
    "remediationStatus": "Completed",
    "remediationActions": {
        "messageAction": "DELETE",
        "notify": false,
        "sendSummary": true,
        "enableContinuousRemediation": false
    },
    "senderPolicies": [],
    "domains": [
        "barracuda.com"
    ],
    "continuousRemediationUntil": null,
    "incidentDetails": {
        "source": "Public-Api",
        "subSource": null
    },
    "labels": []
}
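The following Python client is an added example and is not Barracuda's own code. It builds the Get Incident URL from the path layout shown above, percent-encoding every path segment so an incident ID taken from an untrusted place (a webhook payload, a ticket field) cannot rewrite the path, sends the bearer token from the sample request, maps a 401 to a dedicated exception, and then checks the returned document against the value constraints documented on this page (messageAction, remediationStatus, incidentDetails.source, the enableContinuousRemediation/messageAction rule and the senderPolicies entry format). The base URL comes from the sample request; the function names, AuthError and the summary field names are this example's own, and SAMPLE_INCIDENT is the page's sample response embedded as constructed input so the checks run offline.

```python
"""Added example (not Barracuda's code): call Get Incident and sanity-check the result."""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

BASE_URL = "https://api.barracudanetworks.com"  # from the page's sample request

# Allowed values as documented on this page.
VALID_ACTIONS = {"NONE", "DELETE", "QUARANTINE"}
VALID_STATUSES = {"Completed", "In Progress", "Not Started"}
VALID_SOURCES = {"ESS", "Incident", "Insights-Automated", "Potential-Incidents",
                 "Public-Api", "Region", "Sentinel", "User-Reported"}


class AuthError(Exception):
    """Raised on HTTP 401: missing/incorrect token or no permission for the resource (example's own name)."""


def incident_url(account_id: str, tenant_id: str, incident_id: str, base_url: str = BASE_URL) -> str:
    """Build the Get Incident URL. Every segment is percent-encoded with no characters
    left 'safe', so an ID containing '/' or '..' cannot be used to reach another path."""
    for name, value in (("accountId", account_id), ("tenantId", tenant_id), ("incidentId", incident_id)):
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
    return (f"{base_url}/beta/accounts/{quote(account_id, safe='')}"
            f"/forensics/{quote(tenant_id, safe='')}/incident/{quote(incident_id, safe='')}")


def get_incident(account_id: str, tenant_id: str, incident_id: str, access_token: str, timeout: float = 30) -> dict:
    """GET the incident with a bearer token; map 401 to AuthError, re-raise other HTTP errors."""
    req = urllib.request.Request(
        incident_url(account_id, tenant_id, incident_id),
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise AuthError("401 Unauthorized: check the API token and its permissions") from exc
        raise


def validate_incident(incident: dict) -> list:
    """Check a response against the constraints on this page; [] means consistent."""
    problems = []
    actions = incident.get("remediationActions") or {}
    action = actions.get("messageAction")
    if action not in VALID_ACTIONS:
        problems.append(f"unexpected messageAction {action!r}")
    # Continuous remediation is only valid with messageAction DELETE or NONE.
    if actions.get("enableContinuousRemediation") and action not in {"DELETE", "NONE"}:
        problems.append("enableContinuousRemediation is true but messageAction is not DELETE or NONE")
    if incident.get("remediationStatus") not in VALID_STATUSES:
        problems.append(f"unexpected remediationStatus {incident.get('remediationStatus')!r}")
    source = (incident.get("incidentDetails") or {}).get("source")
    if source not in VALID_SOURCES:
        problems.append(f"unexpected incidentDetails.source {source!r}")
    # senderPolicies entries have the form "{email|domain}:{quarantine|block}".
    for policy in incident.get("senderPolicies") or []:
        target, sep, verdict = str(policy).rpartition(":")
        if not sep or not target or verdict not in {"quarantine", "block"}:
            problems.append(f"malformed senderPolicies entry {policy!r}")
    return problems


def summarize_incident(incident: dict) -> dict:
    """Flatten the fields a responder reads first; nested objects and dates may be null."""
    actions = incident.get("remediationActions") or {}
    details = incident.get("incidentDetails") or {}
    return {
        "id": incident["id"],
        "status": incident.get("remediationStatus"),
        "action": actions.get("messageAction"),
        "source": details.get("source"),
        "remediated": incident.get("remediatedEmailCount", 0),
        "notified": incident.get("notifiedEmailCount", 0),
        "recipients": incident.get("distinctRecipientCount", 0),
        "continuous": bool(actions.get("enableContinuousRemediation")),
        "continuous_until": incident.get("continuousRemediationUntil"),
        "domains": list(incident.get("domains") or []),
    }


# Constructed input: the sample response from this page, not a live API result.
SAMPLE_INCIDENT = {
    "id": "2047f505-ea48-4740-a370-a98611ea0c9f", "created": "2021-04-05T09:00:00.000000Z",
    "createdBy": "", "createdByName": "Public API",
    "sender": {"email": "", "displayName": ""}, "subject": "Example Subject", "attachmentName": "",
    "timeframe": 720, "remediatedEmailCount": 1, "notifiedEmailCount": 0,
    "continuousRemediationCount": 0, "distinctRecipientCount": 1, "remediationStatus": "Completed",
    "remediationActions": {"messageAction": "DELETE", "notify": False, "sendSummary": True,
                           "enableContinuousRemediation": False},
    "senderPolicies": [], "domains": ["barracuda.com"], "continuousRemediationUntil": None,
    "incidentDetails": {"source": "Public-Api", "subSource": None}, "labels": [],
}

if __name__ == "__main__":
    print(incident_url("acct-1", "tenant-1", SAMPLE_INCIDENT["id"]))
    print(summarize_incident(SAMPLE_INCIDENT), validate_incident(SAMPLE_INCIDENT))
```

To run against the live API, replace the embedded sample with get_incident(account_id, tenant_id, incident_id, access_token); the validation is worth keeping in an automation that acts on the response (for instance, escalating incidents whose remediationStatus is not Completed), since an unexpected enum value usually means the API moved before your code did.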