API Reference

Email Security

Investigate

Detections

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Get message detection details

client.EmailSecurity.Investigate.Detections.Get(ctx, investigateID, query) (*InvestigateDetectionGetResponse, error)

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/detections

Returns detection details such as threat categories and sender information for non-benign messages.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Cloud Email Security: WriteCloud Email Security: Read

ParametersExpand Collapse

investigateID string

Unique identifier for a message retrieved from investigation

query InvestigateDetectionGetParams

AccountID param.Field[string]

Identifier.

maxLength32

ReturnsExpand Collapse

type InvestigateDetectionGetResponse struct{…}

Action string

Attachments []InvestigateDetectionGetResponseAttachment

Size int64

Size of the attachment in bytes

minimum0

ContentType stringOptional

MIME type of the attachment

Detection InvestigateDetectionGetResponseAttachmentsDetectionOptional

Detection result for this attachment

One of the following:

const InvestigateDetectionGetResponseAttachmentsDetectionMalicious InvestigateDetectionGetResponseAttachmentsDetection = "MALICIOUS"

const InvestigateDetectionGetResponseAttachmentsDetectionMaliciousBec InvestigateDetectionGetResponseAttachmentsDetection = "MALICIOUS-BEC"

const InvestigateDetectionGetResponseAttachmentsDetectionSuspicious InvestigateDetectionGetResponseAttachmentsDetection = "SUSPICIOUS"

const InvestigateDetectionGetResponseAttachmentsDetectionSpoof InvestigateDetectionGetResponseAttachmentsDetection = "SPOOF"

const InvestigateDetectionGetResponseAttachmentsDetectionSpam InvestigateDetectionGetResponseAttachmentsDetection = "SPAM"

const InvestigateDetectionGetResponseAttachmentsDetectionBulk InvestigateDetectionGetResponseAttachmentsDetection = "BULK"

const InvestigateDetectionGetResponseAttachmentsDetectionEncrypted InvestigateDetectionGetResponseAttachmentsDetection = "ENCRYPTED"

const InvestigateDetectionGetResponseAttachmentsDetectionExternal InvestigateDetectionGetResponseAttachmentsDetection = "EXTERNAL"

const InvestigateDetectionGetResponseAttachmentsDetectionUnknown InvestigateDetectionGetResponseAttachmentsDetection = "UNKNOWN"

const InvestigateDetectionGetResponseAttachmentsDetectionNone InvestigateDetectionGetResponseAttachmentsDetection = "NONE"

Encrypted boolOptional

Whether the attachment is encrypted

Filename stringOptional

Name of the attached file

Md5 stringOptional

MD5 hash of the attachment

Name stringOptional

Attachment name (alternative to filename)

Sha1 stringOptional

SHA1 hash of the attachment

Sha256 stringOptional

SHA256 hash of the attachment

Findings []InvestigateDetectionGetResponseFinding

Attachment stringOptional

Detail stringOptional

Detection InvestigateDetectionGetResponseFindingsDetectionOptional

One of the following:

const InvestigateDetectionGetResponseFindingsDetectionMalicious InvestigateDetectionGetResponseFindingsDetection = "MALICIOUS"

const InvestigateDetectionGetResponseFindingsDetectionMaliciousBec InvestigateDetectionGetResponseFindingsDetection = "MALICIOUS-BEC"

const InvestigateDetectionGetResponseFindingsDetectionSuspicious InvestigateDetectionGetResponseFindingsDetection = "SUSPICIOUS"

const InvestigateDetectionGetResponseFindingsDetectionSpoof InvestigateDetectionGetResponseFindingsDetection = "SPOOF"

const InvestigateDetectionGetResponseFindingsDetectionSpam InvestigateDetectionGetResponseFindingsDetection = "SPAM"

const InvestigateDetectionGetResponseFindingsDetectionBulk InvestigateDetectionGetResponseFindingsDetection = "BULK"

const InvestigateDetectionGetResponseFindingsDetectionEncrypted InvestigateDetectionGetResponseFindingsDetection = "ENCRYPTED"

const InvestigateDetectionGetResponseFindingsDetectionExternal InvestigateDetectionGetResponseFindingsDetection = "EXTERNAL"

const InvestigateDetectionGetResponseFindingsDetectionUnknown InvestigateDetectionGetResponseFindingsDetection = "UNKNOWN"

const InvestigateDetectionGetResponseFindingsDetectionNone InvestigateDetectionGetResponseFindingsDetection = "NONE"

Field stringOptional

Name stringOptional

Portion stringOptional

Reason stringOptional

Score float64Optional

formatdouble

Value stringOptional

Headers []InvestigateDetectionGetResponseHeader

Name string

Value string

Links []InvestigateDetectionGetResponseLink

Href string

Text stringOptional

SenderInfo InvestigateDetectionGetResponseSenderInfo

AsName stringOptional

The name of the autonomous system.

AsNumber int64Optional

The number of the autonomous system.

Geo stringOptional

IP stringOptional

Pld stringOptional

ThreatCategories []InvestigateDetectionGetResponseThreatCategory

ID int64Optional

Description stringOptional

Name stringOptional

Validation InvestigateDetectionGetResponseValidation

Comment stringOptional

DKIM InvestigateDetectionGetResponseValidationDKIMOptional

One of the following:

const InvestigateDetectionGetResponseValidationDKIMPass InvestigateDetectionGetResponseValidationDKIM = "pass"

const InvestigateDetectionGetResponseValidationDKIMNeutral InvestigateDetectionGetResponseValidationDKIM = "neutral"

const InvestigateDetectionGetResponseValidationDKIMFail InvestigateDetectionGetResponseValidationDKIM = "fail"

const InvestigateDetectionGetResponseValidationDKIMError InvestigateDetectionGetResponseValidationDKIM = "error"

const InvestigateDetectionGetResponseValidationDKIMNone InvestigateDetectionGetResponseValidationDKIM = "none"

DMARC InvestigateDetectionGetResponseValidationDMARCOptional

One of the following:

const InvestigateDetectionGetResponseValidationDMARCPass InvestigateDetectionGetResponseValidationDMARC = "pass"

const InvestigateDetectionGetResponseValidationDMARCNeutral InvestigateDetectionGetResponseValidationDMARC = "neutral"

const InvestigateDetectionGetResponseValidationDMARCFail InvestigateDetectionGetResponseValidationDMARC = "fail"

const InvestigateDetectionGetResponseValidationDMARCError InvestigateDetectionGetResponseValidationDMARC = "error"

const InvestigateDetectionGetResponseValidationDMARCNone InvestigateDetectionGetResponseValidationDMARC = "none"

SPF InvestigateDetectionGetResponseValidationSPFOptional

One of the following:

const InvestigateDetectionGetResponseValidationSPFPass InvestigateDetectionGetResponseValidationSPF = "pass"

const InvestigateDetectionGetResponseValidationSPFNeutral InvestigateDetectionGetResponseValidationSPF = "neutral"

const InvestigateDetectionGetResponseValidationSPFFail InvestigateDetectionGetResponseValidationSPF = "fail"

const InvestigateDetectionGetResponseValidationSPFError InvestigateDetectionGetResponseValidationSPF = "error"

const InvestigateDetectionGetResponseValidationSPFNone InvestigateDetectionGetResponseValidationSPF = "none"

FinalDisposition InvestigateDetectionGetResponseFinalDispositionOptional

One of the following:

const InvestigateDetectionGetResponseFinalDispositionMalicious InvestigateDetectionGetResponseFinalDisposition = "MALICIOUS"

const InvestigateDetectionGetResponseFinalDispositionMaliciousBec InvestigateDetectionGetResponseFinalDisposition = "MALICIOUS-BEC"

const InvestigateDetectionGetResponseFinalDispositionSuspicious InvestigateDetectionGetResponseFinalDisposition = "SUSPICIOUS"

const InvestigateDetectionGetResponseFinalDispositionSpoof InvestigateDetectionGetResponseFinalDisposition = "SPOOF"

const InvestigateDetectionGetResponseFinalDispositionSpam InvestigateDetectionGetResponseFinalDisposition = "SPAM"

const InvestigateDetectionGetResponseFinalDispositionBulk InvestigateDetectionGetResponseFinalDisposition = "BULK"

const InvestigateDetectionGetResponseFinalDispositionEncrypted InvestigateDetectionGetResponseFinalDisposition = "ENCRYPTED"

const InvestigateDetectionGetResponseFinalDispositionExternal InvestigateDetectionGetResponseFinalDisposition = "EXTERNAL"

const InvestigateDetectionGetResponseFinalDispositionUnknown InvestigateDetectionGetResponseFinalDisposition = "UNKNOWN"

const InvestigateDetectionGetResponseFinalDispositionNone InvestigateDetectionGetResponseFinalDisposition = "NONE"

Get message detection details

Go

HTTP

TypeScript

Python

Go

Terraform

package main

import (
  "context"
  "fmt"

  "github.com/stainless-sdks/cloudflare-go"
  "github.com/stainless-sdks/cloudflare-go/email_security"
  "github.com/stainless-sdks/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  detection, err := client.EmailSecurity.Investigate.Detections.Get(
    context.TODO(),
    "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    email_security.InvestigateDetectionGetParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", detection.Validation)
}

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "action": "action",
    "attachments": [
      {
        "size": 0,
        "content_type": "content_type",
        "detection": "MALICIOUS",
        "encrypted": true,
        "filename": "filename",
        "md5": "md5",
        "name": "name",
        "sha1": "sha1",
        "sha256": "sha256"
      }
    ],
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "headers": [
      {
        "name": "name",
        "value": "value"
      }
    ],
    "links": [
      {
        "href": "href",
        "text": "text"
      }
    ],
    "sender_info": {
      "as_name": "as_name",
      "as_number": 0,
      "geo": "geo",
      "ip": "ip",
      "pld": "pld"
    },
    "threat_categories": [
      {
        "id": 0,
        "description": "description",
        "name": "name"
      }
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    },
    "final_disposition": "MALICIOUS"
  },
  "success": true
}

Returns Examples

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "action": "action",
    "attachments": [
      {
        "size": 0,
        "content_type": "content_type",
        "detection": "MALICIOUS",
        "encrypted": true,
        "filename": "filename",
        "md5": "md5",
        "name": "name",
        "sha1": "sha1",
        "sha256": "sha256"
      }
    ],
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "headers": [
      {
        "name": "name",
        "value": "value"
      }
    ],
    "links": [
      {
        "href": "href",
        "text": "text"
      }
    ],
    "sender_info": {
      "as_name": "as_name",
      "as_number": 0,
      "geo": "geo",
      "ip": "ip",
      "pld": "pld"
    },
    "threat_categories": [
      {
        "id": 0,
        "description": "description",
        "name": "name"
      }
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    },
    "final_disposition": "MALICIOUS"
  },
  "success": true
}