Single Incident

The incident endpoint provides a way to retrieve detailed information on a specific incident referenced by its id or by its subject (URL, domain, or subject field value).

Retrieve Incident by ID

Endpoint

GET /v1/incident/{id}

Request Example

cURL

curl -X GET 'https://capi.phishfort.com/v1/incident/{id}' \
  -H 'accept: application/json' \
  -H 'x-api-key: YOUR_API_KEY'

Python

import requests

incident_id = "054zKkjCnR1I3B3U812z"
response = requests.get(
    f"https://capi.phishfort.com/v1/incident/{incident_id}",
    headers={
        "accept": "application/json",
        "x-api-key": "YOUR_API_KEY",
    },
)
print(response.json())

JavaScript

const incidentId = "054zKkjCnR1I3B3U812z";
const response = await fetch(
  `https://capi.phishfort.com/v1/incident/${incidentId}`,
  {
    headers: {
      accept: "application/json",
      "x-api-key": "YOUR_API_KEY",
    },
  }
);
const data = await response.json();
console.log(data);

Where {id} is the ID of the incident you wish to query.

Response Example

The data field of the response is a DetailedIncidentStructure. If the incident cannot be found, a 404 response is returned.

{
    "data": {
        "id": "054zKkjCnR1I3B3U812z",
        "clientId": "0Xp5voyA4y5xYNoufOVC",
        "safeDomain": "exampleclient.com",
        "subject": "uniformprivate.cc",
        "incidentType": "domain",
        "domain": "uniformprivate.cc",
        "url": "https://uniformprivate.cc/chevrolet/",
        "source": "PHISHFORT_DETECTED",
        "timestamp": "2021-11-08T20:36:43.765Z",
        "lastHistoryUpdateTimestamp": "2021-12-06T15:10:01.299Z",
        "burnStartedTimestamp": "2021-12-06T10:34:43.883Z",
        "takedownTimestamp": "2021-12-06T15:10:01.299Z",
        "reportedBy": "analyst@phishfort.com",
        "threatTaxonomy": {
            "name": "Brand - Website - Impersonation",
            "description": "Unauthorized representation of another person, brand, or entity. Includes fake profiles, cloned websites, or identity theft used to deceive victims.",
            "incidentClass": "phishing",
            "incidentTargetType": {
                "id": "abc123",
                "name": "Website",
                "description": "A website used to deceive victims"
            },
            "incidentType": {
                "id": "def456",
                "name": "Brand",
                "description": "Attacks targeting a specific brand"
            },
            "incidentThreatType": {
                "id": "ghi789",
                "name": "Impersonation",
                "description": "Unauthorized representation of another person, brand, or entity."
            }
        },
        "status": "takedown_success",
        "incidentClass": "phishing",
        "incidentState": {
            "unresponsive": true,
            "warningBanner": false,
            "responsive": false,
            "contentRemoved": false,
            "redirect": false,
            "inconclusive": false,
            "timestamp": "2021-12-21T15:21:02.324Z"
        },
        "registrar": {
            "name": "Example Registrar Inc.",
            "difficulty": "Medium",
            "description": "Registrar typically responds within 48 hours."
        },
        "hostingProvider": "Example Hosting Provider",
        "history": [
            {
                "timestamp": "2021-12-06T15:10:01.812Z",
                "type": "info",
                "message": "Marked as successful take down."
            },
            {
                "timestamp": "2021-11-08T20:36:43.946Z",
                "type": "info",
                "message": "Incident detected by mailbox:dashboard-report"
            }
        ]
    },
    "message": "success"
}
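
An added example, not part of the original documentation: it reduces a DetailedIncidentStructure to what a triage report needs (set state flags, hours from detection and from burnStartedTimestamp to takedown, history oldest first). SAMPLE is a constructed, trimmed copy of the response above; the function names and output keys are hypothetical.

```python
from datetime import datetime

# Constructed sample: a trimmed copy of the response example above.
SAMPLE = {"message": "success", "data": {
    "id": "054zKkjCnR1I3B3U812z",
    "subject": "uniformprivate.cc",
    "status": "takedown_success",
    "timestamp": "2021-11-08T20:36:43.765Z",
    "burnStartedTimestamp": "2021-12-06T10:34:43.883Z",
    "takedownTimestamp": "2021-12-06T15:10:01.299Z",
    "incidentState": {"unresponsive": True, "warningBanner": False,
                      "responsive": False, "contentRemoved": False,
                      "redirect": False, "inconclusive": False,
                      "timestamp": "2021-12-21T15:21:02.324Z"},
    "history": [
        {"timestamp": "2021-12-06T15:10:01.812Z", "type": "info",
         "message": "Marked as successful take down."},
        {"timestamp": "2021-11-08T20:36:43.946Z", "type": "info",
         "message": "Incident detected by mailbox:dashboard-report"},
    ],
}}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp as used in the response; None if absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def hours_between(start, end):
    """Elapsed hours (one decimal), or None if either timestamp is missing."""
    return round((end - start).total_seconds() / 3600, 1) if start and end else None


def summarize_incident(payload):
    """Reduce a DetailedIncidentStructure to the fields a triage report needs."""
    inc = payload["data"]
    taken_down = parse_ts(inc.get("takedownTimestamp"))
    state = inc.get("incidentState", {})
    # Same-format ISO strings sort chronologically as plain text.
    history = sorted(inc.get("history", []), key=lambda h: h["timestamp"])
    return {
        "id": inc["id"],
        "subject": inc["subject"],
        "status": inc["status"],
        "state_flags": sorted(k for k, v in state.items() if v is True),
        "hours_to_takedown": hours_between(parse_ts(inc.get("timestamp")), taken_down),
        "hours_burn_to_takedown": hours_between(
            parse_ts(inc.get("burnStartedTimestamp")), taken_down),
        "timeline": [h["message"] for h in history],  # oldest first
    }
```

An incident with no takedownTimestamp yields None for both durations rather than raising, so the same function can be run over incidents that are still open.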

Retrieve Incident by Subject

You can also retrieve incident information using a subject identifier such as a URL, domain, or the subject field itself.

Endpoint

GET /v1/incident/subject/{subject}

Request Example

cURL

curl -X GET 'https://capi.phishfort.com/v1/incident/subject/uniformprivate.cc' \
  -H 'accept: application/json' \
  -H 'x-api-key: YOUR_API_KEY'

Python

import requests

subject = "uniformprivate.cc"
response = requests.get(
    f"https://capi.phishfort.com/v1/incident/subject/{subject}",
    headers={
        "accept": "application/json",
        "x-api-key": "YOUR_API_KEY",
    },
)
print(response.json())

JavaScript

const subject = "uniformprivate.cc";
const response = await fetch(
  `https://capi.phishfort.com/v1/incident/subject/${subject}`,
  {
    headers: {
      accept: "application/json",
      "x-api-key": "YOUR_API_KEY",
    },
  }
);
const data = await response.json();
console.log(data);

Where {subject} is the URL, domain, or subject field value of the incident you wish to query.

Response Example

The response structure is identical to the ID-based query, returning a DetailedIncidentStructure in the data field. If no incident is found for the given subject, a 404 response will be returned.

{
    "data": {
        "id": "054zKkjCnR1I3B3U812z",
        "clientId": "0Xp5voyA4y5xYNoufOVC",
        "safeDomain": "exampleclient.com",
        "subject": "uniformprivate.cc",
        "incidentType": "domain",
        "domain": "uniformprivate.cc",
        "url": "https://uniformprivate.cc/chevrolet/",
        "source": "PHISHFORT_DETECTED",
        "timestamp": "2021-11-08T20:36:43.765Z",
        "lastHistoryUpdateTimestamp": "2021-12-06T15:10:01.299Z",
        "burnStartedTimestamp": "2021-12-06T10:34:43.883Z",
        "takedownTimestamp": "2021-12-06T15:10:01.299Z",
        "reportedBy": "analyst@phishfort.com",
        "threatTaxonomy": {
            "name": "Brand - Website - Impersonation",
            "description": "Unauthorized representation of another person, brand, or entity. Includes fake profiles, cloned websites, or identity theft used to deceive victims.",
            "incidentClass": "phishing",
            "incidentTargetType": {
                "id": "abc123",
                "name": "Website",
                "description": "A website used to deceive victims"
            },
            "incidentType": {
                "id": "def456",
                "name": "Brand",
                "description": "Attacks targeting a specific brand"
            },
            "incidentThreatType": {
                "id": "ghi789",
                "name": "Impersonation",
                "description": "Unauthorized representation of another person, brand, or entity."
            }
        },
        "status": "takedown_success",
        "incidentClass": "phishing",
        "incidentState": {
            "unresponsive": true,
            "warningBanner": false,
            "responsive": false,
            "contentRemoved": false,
            "redirect": false,
            "inconclusive": false,
            "timestamp": "2021-12-21T15:21:02.324Z"
        },
        "registrar": {
            "name": "Example Registrar Inc.",
            "difficulty": "Medium",
            "description": "Registrar typically responds within 48 hours."
        },
        "hostingProvider": "Example Hosting Provider",
        "history": [
            {
                "timestamp": "2021-12-06T15:10:01.812Z",
                "type": "info",
                "message": "Marked as successful take down."
            },
            {
                "timestamp": "2021-11-08T20:36:43.946Z",
                "type": "info",
                "message": "Incident detected by mailbox:dashboard-report"
            }
        ]
    },
    "message": "success"
}
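
An added example, not part of the original documentation: a subject lookup that percent-encodes the subject before placing it in the path (needed when the subject is a full URL containing ':' and '/'), treats the documented 404 as "no incident", and re-raises every other HTTP error. It assumes the API accepts a percent-encoded subject in the path segment; the function names and the PHISHFORT_API_KEY environment variable are hypothetical, and urllib is used in place of requests so the block has no third-party dependency.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://capi.phishfort.com/v1/incident"


def subject_url(subject):
    """Build the lookup URL; safe='' also encodes ':' and '/' in URL subjects."""
    return f"{BASE}/subject/{urllib.parse.quote(subject, safe='')}"


def get_incident_by_subject(subject, api_key, opener=urllib.request.urlopen):
    """Return the incident's data dict, or None when the API answers 404."""
    req = urllib.request.Request(
        subject_url(subject),
        headers={"accept": "application/json", "x-api-key": api_key},
    )
    try:
        with opener(req, timeout=10) as resp:
            return json.load(resp)["data"]
    except urllib.error.HTTPError as err:
        if err.code == 404:  # documented: no incident for this subject
            return None
        raise  # any other HTTP error is surfaced to the caller


if __name__ == "__main__":
    # The key is read from the environment (variable name is an assumption)
    # so it never sits in source control or shell history.
    key = os.environ["PHISHFORT_API_KEY"]
    print(get_incident_by_subject("https://uniformprivate.cc/chevrolet/", key))
```

The opener parameter exists so the function can be exercised offline with a stub in place of urllib.request.urlopen.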