ProofPoint Threat Response

this connector integrates threat response with swimlane turbine it provides functionality and supports customizations and custom integrations prerequisites to utilize the proofpoint threat response connector within swimlane turbine, ensure you have the following prerequisites api key authentication with the following parameters url endpoint for the proofpoint threat response api api token unique identifier used to authenticate requests to the proofpoint api capabilities this connector provides the following capabilities add member to list add incident comments add user to incident block urls, domains, hashes, or ips close incident close multiple incidents delete member of list get alert details get all list members get incident details get incidents get investigation details get single list member ingest an alert update incident description and so on update incident description setting "overwrite" to false will append the specified description to the existing value in the incident setting "overwrite" to true will overwrite the specified description over the existing value in the incident ingest alert the proofpoint threat response connector enables automated interactions with the proofpoint platform, facilitating incident management and response activities proofpoint threat response is a robust threat management platform that enables security teams to efficiently manage incidents and automate responses this connector allows swimlane turbine users to integrate with proofpoint to add comments to incidents, manage lists and members, block malicious indicators, and retrieve detailed threat intelligence by leveraging this integration, users can streamline their security operations, enhance incident response times, and enforce proactive threat mitigation within their environment inputs input example email attachments \[{"content type" "jpeg", "date" "2014 01 01t10 11 12z ", "md5" "somemd5sumhere", "name" "attachment1 atch", "sha256" "somesha256here", "size" 567}] classification supported classifications malware policy violation vulnerability network spam phish command and control data match authentication system behavior impostor reported abuse unknown cnc hosts \[ { "host" "cnc1 com", "port" 443 }, { "host" "cnc2 com", "port" 22 } ] forensics hosts \['{"host" "forensics1 com","port" 80}', '{"host" "forensics2 com","port" 443}'] link attribute supported attributes for linking target ip address target hostname target machine name target user target mac address attacker ip address attacker hostname attacker machine name attacker user attacker mac address email recipient email sender email subject message id threat filename threat filehash severity supported values info minor moderate major critical informational low medium high critical custom fields { "custom field 1" "custom value string 1", "custom field 2" "custom value string 2", "custom field 3" "custom value string 3", "custom field 4" "custom value string 4", "custom field 5" "custom value string 5", "custom field 6" "custom value string 6" } api documentation for more information, click https //ptr docs proofpoint com/extensibility guides/ptr api/# configurations api key authentication authenticates using an api key configuration parameters parameter description type required url a url to the target host string required authorization api token string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add incident comments add a user defined comment to an existing incident in proofpoint threat response using the specified incident id and summary endpoint url /api/incidents/{{incident id}}/comments json method post input argument name type required description path parameters incident id number required parameters for the add incident comments action summary string optional parameter for add incident comments detail string optional parameter for add incident comments input example {"json body" {"summary" "general idea behind the comment","detail" "more in depth explanation"},"path parameters" {"incident id" 16}} output parameter type description status code number http status code of the response reason string response reason phrase id number unique identifier incident id number unique identifier response id object unique identifier user id object unique identifier history type string type of the resource state from string output field state from state to string output field state to summary string output field summary detail string output field detail created at string output field created at updated at string output field updated at output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"id" 56,"incident id" 16,"response id"\ null,"user id"\ null,"history type" "comment","state from" "none","state to" "none","summary" "comments here","detail" "details here","created at" "2017 01 17t20 58 38z","updated at" "2017 01 17t20 58 38z"}} add member to list adds a specified member to a designated list in proofpoint threat response by using the provided list id endpoint url /api/lists/{{list id}}/members json method post input argument name type required description path parameters list id number required parameters for the add member to list action member string optional parameter for add member to list description string optional parameter for add member to list expiration string optional timestamp to expire member format 2017 01 11t03 47 15z duration string optional (#) of milliseconds after which to expire membership expiration takes precedence input example {"json body" {"member" "175 76 13 144","description" "ip to block","expiration" "2018 12 18 18 59 51 545783","duration" "duration"},"path parameters" {"list id" 2}} output parameter type description status code number http status code of the response reason string response reason phrase id number unique identifier list id number unique identifier host id number unique identifier response id object unique identifier reverse user id object unique identifier hash reputation id object unique identifier user id object unique identifier enabled boolean output field enabled deleted boolean output field deleted description string output field description expiration string output field expiration created at string output field created at updated at string output field updated at host object output field host host created at string output field host created at host host string output field host host host id number unique identifier host resolution state number output field host resolution state host ttl number output field host ttl host updated at string output field host updated at output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"id" 8,"list id" 2,"host id" 20,"response id"\ null,"reverse user id"\ null,"hash reputation id"\ null,"user id"\ null,"enabled"\ true,"deleted"\ false,"description" "ip to block","expiration" "2018 12 18t19 08 56z","created at" "2017 01 11t03 47 15z","updated at" "2017 01 11t03 47 15z","host" {"created at" "2017 01 11t03 47 15z","host" "75 add user to incident adds specified users as targets or attackers to an existing incident in proofpoint threat response using the provided incident id endpoint url /api/incidents/{{incident id}}/users json method post input argument name type required description path parameters incident id number required parameters for the add user to incident action targets array optional parameter for add user to incident attackers array optional parameter for add user to incident input example {"json body" {"targets" \["user1"],"attackers" \["user2"]},"path parameters" {"incident id" 16}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {}} block urls, domains, hashes, or ips blocks urls, domains, hashes, or ip addresses in proofpoint threat response by utilizing a specified list id and blacklist elements endpoint url /api/lists/{{list id}}/members json method post input argument name type required description path parameters list id number required parameters for the block urls, domains, hashes, or ips action blacklist elements array optional parameter for block urls, domains, hashes, or ips expiration string optional parameter for block urls, domains, hashes, or ips input example {"json body" {"blacklist elements" \["150 150 150 150"],"expiration" "2018 12 18 18 59 51 545783"},"path parameters" {"list id" 2}} output parameter type description status code number http status code of the response reason string response reason phrase host host string output field host host host id array unique identifier host created at string output field host created at expiration string output field expiration hash reputation id string unique identifier list id number unique identifier raw json object output field raw json updated at string output field updated at enabled boolean output field enabled host ttl number output field host ttl description string output field description created at string output field created at user id string unique identifier host resolution state number output field host resolution state id number unique identifier reverse user id string unique identifier deleted boolean output field deleted host updated at string output field host updated at response id string unique identifier output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"host host" "host","host id" \["150 150 150 150"],"host created at" "2017 12 18 18 59 51 545783","expiration" "2018 12 18 18 59 51 545783","hash reputation id" "hash reputation id","list id" 3,"raw json" {},"updated at" "2018 12 18 18 59 51 545783","enabled"\ true,"host ttl" 13,"description" "description","created at" "2018 12 18 18 59 5 close incident closes an incident in proofpoint threat response by using the unique incident id and includes a summary with detailed explanation endpoint url /api/incidents/{{incident id}}/close json method post input argument name type required description path parameters incident id number required parameters for the close incident action summary string optional parameter for close incident detail string optional parameter for close incident input example {"json body" {"summary" "closing incident","detail" "message has been quarantined and user has been notified "},"path parameters" {"incident id" 2}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {}} close multiple incidents closes multiple incidents in proofpoint threat response using specified ids and a creation date range endpoint url /api/incidents/close json method post input argument name type required description parameters incidentids string required this should be a comma separated list of incidents ids parameters created after string required created after cannot be a greater date than created before accepted format is yyyy mm dd parameters created before string required created before must be a lesser date than created after accepted format is yyyy mm dd close summary string optional this optional parameter allows for a closing summary to be placed into each closed incident close detail string optional this optional parameter allows for a closing details to be placed into each closed incident input example {"parameters" {"incidentids" \[1605,2245],"created after" "2019 05 29","created before" "2020 05 29"},"json body" {"close summary" "","close detail" ""}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" "incidents closed "}} delete member of list removes a specific member from a designated list in proofpoint threat response using unique list and member identifiers endpoint url /api/lists/{{list id}}/members/{{member id}} json method delete input argument name type required description path parameters list id number required parameters for the delete member of list action path parameters member id number required parameters for the delete member of list action input example {"path parameters" {"list id" 2,"member id" 4}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {}} get alert details retrieve detailed information for a specific alert in proofpoint threat response using the provided alert id endpoint url /api/v1/alerts method get input argument name type required description parameters id number required parameters for the get alert details action input example {"parameters" {"id" 3}} output parameter type description status code number http status code of the response reason string response reason phrase id number unique identifier severity string output field severity source string output field source state string output field state attackdirection string output field attackdirection received string output field received emails array output field emails emails sender object output field emails sender emails sender email string output field emails sender email emails recipient object output field emails recipient emails recipient email string output field emails recipient email emails subject string output field emails subject emails messageid string unique identifier emails body string request body data emails bodytype string request body data emails headers object http headers for the request emails headers thread index string http headers for the request emails headers received string http headers for the request emails headers x ms tnef correlator string http headers for the request emails headers thread topic string http headers for the request emails headers message id string http headers for the request emails headers content transfer encoding string http headers for the request emails headers x ms exchange organization authas string http headers for the request output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"id" 3,"severity" "info","source" "abuse mailbox monitor","state" "linked","attackdirection" "inbound","received" "2019 02 25t17 22 48z","emails" \[{},{}]}} get all list members retrieve all members from a specified list in proofpoint threat response, requiring list id and member type endpoint url /api/lists/{{list id}}/{{member type}} method get input argument name type required description path parameters list id number required parameters for the get all list members action path parameters member type string required the information format to get in return available options include members pan(for published lists) members bluecoat(for published lists) members json input example {"path parameters" {"list id" 2,"member type" "members json"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" \[{"id" 8,"list id" 2,"host id" 20,"response id"\ null,"reverse user id"\ null,"hash reputation id"\ null,"user id"\ null,"enabled"\ true,"deleted"\ false,"description" "ip to block","expiration" "2018 12 18t19 08 56z","created at" "2017 01 11t03 47 15z","updated at" "2017 01 11t03 47 15z","host" {}},{"id" 6,"list id" 2,"host id" 6,"response i get incident details retrieve detailed information for a specific incident by providing the incident id in proofpoint threat response endpoint url /api/incidents/{{incident id}} json method get input argument name type required description path parameters incident id number required parameters for the get incident details action expand events boolean optional parameter for get incident details input example {"json body" {"expand events"\ true},"path parameters" {"incident id" 3}} output parameter type description status code number http status code of the response reason string response reason phrase id number unique identifier type string type of the resource summary string output field summary description string output field description score number score value state string output field state created at string output field created at false positive count number count value event count number count value event sources array output field event sources users array output field users assignee string output field assignee team string output field team hosts object output field hosts hosts attacker array output field hosts attacker hosts forensics array output field hosts forensics incident field values array unique identifier incident field values name string unique identifier incident field values value string unique identifier events array output field events events id number unique identifier events category string output field events category events severity string output field events severity output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"id" 1,"type" "malware","summary" "unsolicited bulk email","description" "evilscheme test message","score" 4200,"state" "open","created at" "2018 05 26t21 07 17z","false positive count" 0,"event count" 3,"event sources" \["proofpoint tap"],"users" \["nbadguy"],"assignee" "unassigned","team" "unassigned","hosts" {"attacker" \[],"forensics" get incidents gathers detailed information from multiple incidents within proofpoint threat response for analysis and response endpoint url /api/incidents method get input argument name type required description parameters state string optional state of the incidents to retrive parameters created after string optional retrieve incidents that were created after specified date, in iso 8601 format (utc) parameters created before string optional retrieve incidents that were created before specified date, in iso 8601 format (utc) parameters closed after string optional retrieve incidents that were closed after specified date, in iso 8601 format (utc) parameters closed before string optional retrieve incidents that were closed before specified date, in iso 8601 format (utc) parameters closed at string optional retrieve incidents that were closed at on a specific date example closed at=yyyy mm dd parameters updated at string optional retrieve incidents that were updated at on a specific date example updated at=yyyy mm dd parameters format to timezone string optional when specified the all time values in the response will be in the specified timezone please note that the typical + is represented with ’%2b’ in the call, where as the use of is accepted as is example request format to timezone=utc%2b6 00 for specifying a + symbol in utc+6 00 whereas the use of utc 6 00 may be represented as format to timezone=utc 6 00 parameters expand events string optional retrieve incidents with events data expanded parameters sender string optional retrieve incidents with a specific sender this parameter accepts single or multiple entries separate multiple entries with a comma as shown parameters recipient string optional retrieve incidents with a specific recipient this parameter accepts single or multiple entries separate multiple entries with a comma as shown parameters ip string optional retrieve incidents by the attacker’s (sender’s) ip address parameters message id string optional retrieve incidents by the message id enclosed in <> this parameter accepts single or multiple entries multiple entries shold be separated with a comma as shown in the example parameters file hash string optional retrieve incidents which contain the specified file hash parameters source type string optional retrieve incidents only belong to that source parameters url string optional retrieve incidents contain the specified url this will look to match on the partial and full url parameters file name string optional retrieve incidents which contain an attachment with the specified name parameters file type string optional retrieve incidents which contain a certain type of attachment parameters incident value fields to json boolean optional specify if the response’s incident field values section should be returned as json parameters disposition string optional specify if the response’s incident field values section should be returned as json parameters sub disposition string optional retrieve incidents which have either a needs manual review or likely harmless sub disposition this parameter accepts either needs manual review or likely harmless parameters target user string optional retrieve incidents where the target user is specified parameters threat name string optional retrieve incidents where the alert threat name is specified parameters attack vector string optional retrieve incidents where the attack vector is specified parameters exclude message body boolean optional when set to true this will exclude the message body from the json response input example {"parameters" {"state" "open","created after" "2018 05 26t21 07 17z","created before" "2018 05 26t21 07 17z","closed after" "2018 05 26t21 07 17z","closed before" "2018 05 26t21 07 17z","closed at" "2015 03 25","updated at" "2015 03 25","format to timezone" "utc 6 00","expand events" "true","sender" "foo\@bar com","recipient" "foo\@bar com","ip" "0 0 0 0","message id" "4f3d3xda2f\@foo com","file hash" "234324fj23543jf","source type" "abuse mailbox monitor","url" "www foobar com","file name" "test docx","file type" "doc","incident value fields to json"\ true,"disposition" "suspicious","sub disposition" "likely harmless","target user" "user12","threat name" "impostor","attack vector" "email","exclude message body"\ true,"exclude mime content"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" \[{"id" 1,"type" "malware","summary" "unsolicited bulk email","description" "evilscheme test message","score" 4200,"state" "open","created at" "2018 05 26t21 07 17z","event count" 3,"event sources" \[],"users" \[],"assignee" "unassigned","team" "unassigned","hosts" {},"incident field values" \[],"events" \[]},{"id" 2,"type" "reported abuse", get investigation details retrieve detailed information for a specific investigation in proofpoint threat response using the provided investigation id endpoint url /api/investigations/{{investigation id}} json method get input argument name type required description path parameters investigation id number required parameters for the get investigation details action parameters expand incidents boolean optional parameters for the get investigation details action parameters expand events boolean optional parameters for the get investigation details action input example {"parameters" {"expand incidents"\ true,"expand events"\ false},"path parameters" {"investigation id" 1}} output parameter type description status code number http status code of the response reason string response reason phrase id number unique identifier created at string output field created at updated at string output field updated at name string name of the resource assignee string output field assignee team string output field team description string output field description investigation field values array value for the parameter investigation field values name string name of the resource investigation field values value string value for the parameter incident ids array unique identifier incidents array unique identifier incidents file name string unique identifier incidents file string unique identifier output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"id" 1,"created at" "2021 01 08t17 20 07z","updated at" "2021 03 11t05 49 15z","name" "test","assignee" "system administrator","team" "script admins","description" "asdadad","investigation field values" \[{"name" "classification","value" "malware"},{"name" "severity","value" "informational"},{"name" "attack vector","value" "email"}],"in get single list member retrieves a specific member from a list in proofpoint threat response using the provided list and member ids endpoint url /api/lists/{{list id}}/members/{{member id}} json method get input argument name type required description path parameters list id number required parameters for the get single list member action path parameters member id number required parameters for the get single list member action input example {"path parameters" {"list id" 2,"member id" 6}} output parameter type description status code number http status code of the response reason string response reason phrase id number unique identifier list id number unique identifier host id number unique identifier response id object unique identifier reverse user id object unique identifier hash reputation id object unique identifier user id object unique identifier enabled boolean output field enabled deleted boolean output field deleted description string output field description expiration object output field expiration created at string output field created at updated at string output field updated at host object output field host host created at string output field host created at host host string output field host host host id number unique identifier host resolution state number output field host resolution state host ttl number output field host ttl host updated at string output field host updated at output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"id" 6,"list id" 2,"host id" 6,"response id"\ null,"reverse user id"\ null,"hash reputation id"\ null,"user id"\ null,"enabled"\ true,"deleted"\ false,"description" "test","expiration"\ null,"created at" "2017 01 11t03 43 54z","updated at" "2017 01 11t03 43 54z","host" {"created at" "2016 12 29t04 56 13z","host" "string","id" 6,"resolution st ingest an alert ingest an alert into proofpoint threat response using a specified source id, requiring path parameters and json body endpoint url /threat/json event/events/{{json source id}} method post input argument name type required description path parameters json source id string required parameters for the ingest an alert action attacker object optional parameter for ingest an alert attacker host name string optional name of the resource attacker ip address string optional parameter for ingest an alert attacker port number optional parameter for ingest an alert attacker url string optional url endpoint for the request attacker user string optional parameter for ingest an alert cnc hosts array optional parameter for ingest an alert cnc hosts host string optional parameter for ingest an alert cnc hosts port number optional parameter for ingest an alert detector object optional parameter for ingest an alert detector action string optional parameter for ingest an alert detector event category string optional parameter for ingest an alert detector host name string optional name of the resource detector ip address string optional parameter for ingest an alert detector product string optional parameter for ingest an alert detector vendor string optional parameter for ingest an alert email object optional parameter for ingest an alert email attachments array optional parameter for ingest an alert email attachments content type string optional type of the resource email attachments date string optional date value email attachments md5 string optional parameter for ingest an alert email attachments name string optional name of the resource email attachments sha256 string optional parameter for ingest an alert email attachments size number optional parameter for ingest an alert input example {"json body" {"json version" "2 0","attacker" {"host name" "evil com","ip address" "103 251 90 43","port" 443,"url" "http //badurl example com","user" "user id"},"classification" "malware","cnc hosts" \[{"host" "cnc1 com","port" 443},{"host" "cnc2 com","port" 22}],"custom fields" {"custom field 1" "custom value string 1","custom field 2" "custom value string 2","custom field 3" "custom value string 3","custom field 4" "custom value string 4","custom field 5" "custom value string 5","custom field 6" "custom value string 6"},"description" "a description","detector" {"action" "cleaned","event category" "malware","host name" "siem corp domain com","ip address" "192 168 1 1","product" "siem product","vendor" "awesomesoft"},"email" {"attachments" \[{"content type" "jpeg","date" "2014 01 01t10 11 12z","md5" "somemd5sumhere","name" "attachment1 atch","sha256" "somesha256here","size" 567},{"content type" "html","date" "2014 01 01t10 11 12z","md5" "somemd5sumhere","name" "attachment2 atch","sha256" "somesha256here","size" 567763}],"body" "some body text","body type" "text","headers" {"foo" "bar","fooey" "barry"},"message delivery time" "2014 01 01t10 11 12z","message id" "abcdefg","recipient" "recipient\@corp com","sender" "sender\@whatever com","subject" "click me!","urls" \["http //foo com","https //bar com/foobar/test?foo=5"]},"forensics hosts" \[{"host" "forensics1 com","port" 80},{"host" "forensics2 com","port" 443}],"link attribute" "target ip address","severity" "medium","target" {"host name" "host yourdomain com","ip address" "10 10 111 111","mac address" "01 23 45 67 89\ ab","port" 22,"url" "http //sample example com","user" "user id"},"threat info" {"filename" "malware ppt","name" "zeus","occurred at" "2014 01 01t10 11 12z","type" "trojan"},"url" "http //www badurl com"},"path parameters" {"json source id" "2"},"attacker" {"host name" "evil com","ip address" "103 251 90 43","port" 443,"url" "http //badurl example com","user" "user id"},"cnc hosts" \[{"host" "cnc1 com","port" 443},{"host" "cnc2 com","port" 22}],"detector" {"action" "cleaned","event category" "malware","host name" "siem corp domain com","ip address" "192 168 1 1","product" "siem product","vendor" "awesomesoft"},"email" {"attachments" \[{"content type" "jpeg","date" "2014 01 01t10 11 12z","md5" "somemd5sumhere","name" "attachment1 atch","sha256" "somesha256here","size" 567},{"content type" "html","date" "2014 01 01t10 11 12z","md5" "somemd5sumhere","name" "attachment2 atch","sha256" "somesha256here","size" 567763}],"body" "some body text","body type" "text","headers" {"foo" "bar","fooey" "barry"},"message delivery time" "2014 01 01t10 11 12z","message id" "abcdefg","recipient" "recipient\@corp com","sender" "sender\@whatever com","subject" "click me!","urls" \["http //foo com","https //bar com/foobar/test?foo=5"]},"forensics hosts" \[{"host" "forensics1 com","port" 80},{"host" "forensics2 com","port" 443}],"target" {"host name" "host yourdomain com","ip address" "10 10 111 111","mac address" "01 23 45 67 89\ ab","port" 22,"url" "http //sample example com","user" "user id"},"threat info" {"filehash" "77b63872fabf3884d694f694a2a87e2e","filename" "malware ppt","name" "zeus","occurred at" "2014 01 01t10 11 12z","type" "trojan"},"custom fields" {"custom field 1" "custom value string 1","custom field 2" "custom value string 2","custom field 3" "custom value string 3","custom field 4" "custom value string 4","custom field 5" "custom value string 5","custom field 6" "custom value string 6"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {}} update incident description updates an incident's description in proofpoint threat response using the provided incident id endpoint url /api/incidents/{{incident id}}/description json method post input argument name type required description path parameters incident id number required parameters for the update incident description action description string optional parameter for update incident description overwrite string optional parameter for update incident description input example {"json body" {"description" "handing off incident to threat research team","overwrite" "false"},"path parameters" {"incident id" 2}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {}} update member of list updates a specific member within a list using the provided list and member ids in proofpoint threat response endpoint url /api/lists/{{list id}}/members/{{member id}} json method put input argument name type required description path parameters list id number required parameters for the update member of list action path parameters member id number required parameters for the update member of list action input example {"path parameters" {"list id" 2,"member id" 6}} output parameter type description status code number http status code of the response reason string response reason phrase id number unique identifier list id number unique identifier host id number unique identifier response id object unique identifier reverse user id object unique identifier hash reputation id object unique identifier user id object unique identifier enabled boolean output field enabled deleted boolean output field deleted description string output field description expiration string output field expiration created at string output field created at updated at string output field updated at host object output field host host created at string output field host created at host host string output field host host host id number unique identifier host resolution state number output field host resolution state host ttl number output field host ttl host updated at string output field host updated at output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "wed, 23 aug 2023 20 37 23 gmt"},"reason" "ok","json body" {"id" 4,"list id" 2,"host id" 4,"response id"\ null,"reverse user id"\ null,"hash reputation id"\ null,"user id"\ null,"enabled"\ true,"deleted"\ false,"description" "hello ptr","expiration" "2017 12 03t10 15 30z","created at" "2016 12 29t01 52 33z","updated at" "2017 01 13t00 55 27z","host" {"created at" "2016 12 29t01 52 33z","host" "7 7 7 response headers header description example content length the length of the response body in bytes 140 content type the media type of the resource application/json date the date and time at which the message was originated wed, 23 aug 2023 20 37 23 gmt