Find Indicators

GET /1.2/indicators/?q={indicator_value1,indicator_value2}&source={source1,source2}&limit={limit}

Description

Search all TruSTAR incident reports for the provided indicators and return every indicator correlated with them in the matching reports. Hits from any selected external intelligence services or open sources are also processed by TruSTAR and returned. The limit parameter caps the number of correlated indicators returned.

Parameters

Parameter   Required   Description
q           yes        Comma-delimited list of indicator values of any type, e.g. an IP address, email address, URL, MD5, SHA1, SHA256, registry key or malware name.
source      no         Comma-delimited list of sources to query (defaults to INCIDENT_REPORT). Available sources: INCIDENT_REPORT, OSINT, VIRUSTOTAL, FACEBOOK, CROWDSTRIKE.
limit       no         Maximum number of correlated indicators returned in the response (default 10).

Responses

200 (OK)

{
    "indicators": {
        "IP": ["val1", ...],
        "URL": ["val1",...],
        "MD5": ["val1", ...],
        "SHA1": ["val1", ...],
        "SHA256": ["val1", ...],
        "SOFTWARE": ["val1", ...],
        "CVE": ["val1", ...],
        "EMAIL_ADDRESS": ["val1", ...],
        "MALWARE": ["val1", ...],
        "REGISTRY_KEY": ["val1", ...]
    },
    "externalIntelligence": [
        {
            "source": "<PRIVATE_SOURCE>",
            "responses": [
                <JSON>,
                <JSON>,
                ...
            ]
        },
        {
            "source": "<PUBLIC_SOURCE>",
            "responses": [
                <URL>,
                <URL>,
                ...
            ]
        },
        ...
    ],
    "openSourceCorrelations": [
        <URL>,
        <URL>,
        ...
    ]
}

The response is an object with three parts: indicators, the correlated indicators grouped by type; externalIntelligence, an array of per-source hits, where public services (e.g. VirusTotal, Facebook ThreatExchange) return URLs and private services (e.g. CrowdStrike) return JSON objects; and openSourceCorrelations, an array of open-source references.

400 (Bad Request)

{
    "timestamp": millisecond epoch,
    "status": 400,
    "error": "Bad Request",
    "message": error detail (e.g. 'q' parameter not provided)
}

Example Usage

Request

curl -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/indicators/?q=www.rinui.com,1.2.3.4&source=OSINT,VIRUSTOTAL,CROWDSTRIKE&limit=10"

Do not pass -k/--insecure to curl here: it disables TLS certificate verification, so an interposed proxy could read the bearer token and tamper with the intelligence returned. Leave verification on and fix the trust store if the certificate does not validate.

Response

{
    "indicators": {
        "IP": [
            "1.2.3.4",
            "1.3.2.2"
        ],
        "URL": [
            "www.google.com",
            "evildomain.com"
        ],
        "MD5": [
            "d41d8cd98f00b204e9800998ecf8427e"
        ],
        "SHA1": [
            "da39a3ee5e6b4b0d3255bfef95601890afd80709"
        ],
        "SHA256": [
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        ],
        "SOFTWARE": [
            "malware.exe",
            "invoice.html",
            "bill.docx"
        ],
        "CVE": [
            "CVE-2016-2119",
            "CVE-2010-5075"
        ],
        "EMAIL_ADDRESS": [
            "joe@ourcompany.com"
        ],
        "MALWARE": [
            "Backdoor:Win32/Caphaw.D!lnk"
        ],
        "REGISTRY_KEY": [
            "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows"
        ]
    },
    "externalIntelligence": [
        {
            "source": "CROWDSTRIKE",
            "responses": [
                {
                    "malware_families": [
                        "njRAT"
                    ],
                    "indicator": "1.2.3.4",
                    "last_updated": 1440510110,
                    "kill_chains": [
                        "C2"
                    ]
                }
            ]
        },
        {
            "source": "VIRUSTOTAL",
            "responses": [
                "https://www.virustotal.com/en/ip-address/1.2.3.4/information/",
                "https://www.virustotal.com/en/ip-address/1.3.2.2/information/"
            ]
        }
    ],
    "openSourceCorrelations": [
        "https://isc.sans.edu/diary.html?storyid=21531",
        "http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html",
        "hailataxii"
    ]
}
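The following is an added example, not TruSTAR's own client code: a small Python client that builds the request URL from the parameters above (percent-encoding each indicator value so a URL or registry key containing '&' or '#' cannot break the query string, and rejecting unknown sources before anything is sent), sends it with TLS verification left on, and parses both the 200 body and the 400 error body into a flat structure, splitting externalIntelligence hits into private JSON objects and public URLs. The function names, the injectable http_get transport and the trimmed sample bodies (constructed from the documented responses) are all assumptions made for this example; the token is a placeholder.

```python
"""Client helpers for the TruSTAR 1.2 Find Indicators endpoint (added example,
not TruSTAR's own code; names and sample bodies are constructed for this page)."""
import json
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

BASE_URL = "https://api.trustar.co/api/1.2"   # taken from the page's example request
VALID_SOURCES = {"INCIDENT_REPORT", "OSINT", "VIRUSTOTAL", "FACEBOOK", "CROWDSTRIKE"}


class FindIndicatorsError(Exception):
    """Raised for the documented 400 error body (status/error/message)."""


def build_find_indicators_url(values, sources=None, limit=None, base_url=BASE_URL):
    """Build the GET URL. Each value is percent-encoded on its own so that a URL
    or registry key containing '&', '#' or whitespace cannot break the query
    string; the encoded values are then comma-delimited as 'q' expects."""
    if not values:
        raise ValueError("'q' requires at least one indicator value")
    url = f"{base_url}/indicators/?q=" + ",".join(quote(v, safe="") for v in values)
    if sources:
        unknown = sorted(set(sources) - VALID_SOURCES)
        if unknown:
            raise ValueError(f"unknown source(s): {unknown}")
        url += "&source=" + ",".join(sources)
    if limit is not None:
        url += f"&limit={int(limit)}"
    return url


def parse_find_indicators_response(status, body):
    """Turn (HTTP status, JSON text) into a flat structure. Public sources answer
    with URL strings and private sources with JSON objects, so hits are split by
    value type rather than by a hard-coded list of source names."""
    data = json.loads(body)
    if status != 200:
        raise FindIndicatorsError(
            f"{data.get('status', status)} {data.get('error', '')}: {data.get('message', '')}")
    correlated = [(itype, value)
                  for itype, values in data.get("indicators", {}).items()
                  for value in values]
    private_hits, public_links = {}, {}
    for block in data.get("externalIntelligence", []):
        for hit in block.get("responses", []):
            bucket = private_hits if isinstance(hit, dict) else public_links
            bucket.setdefault(block["source"], []).append(hit)
    return {"correlated": correlated, "private": private_hits, "public": public_links,
            "open_source": list(data.get("openSourceCorrelations", []))}


def _http_get(url, token):
    """Default transport. urlopen verifies the server certificate; there is no
    equivalent of curl -k here on purpose."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as err:   # the 400 body is JSON too; let the parser report it
        return err.code, err.read().decode("utf-8")


def find_indicators(token, values, sources=None, limit=None, http_get=_http_get):
    """Query the endpoint; http_get is injectable so the flow runs offline in tests."""
    url = build_find_indicators_url(values, sources, limit)
    status, body = http_get(url, token)
    return parse_find_indicators_response(status, body)


# Constructed sample bodies, trimmed from the page's documented responses.
SAMPLE_200 = json.dumps({
    "indicators": {"IP": ["1.2.3.4", "1.3.2.2"], "URL": ["evildomain.com"],
                   "MD5": ["d41d8cd98f00b204e9800998ecf8427e"]},
    "externalIntelligence": [
        {"source": "CROWDSTRIKE",
         "responses": [{"malware_families": ["njRAT"], "indicator": "1.2.3.4",
                        "last_updated": 1440510110, "kill_chains": ["C2"]}]},
        {"source": "VIRUSTOTAL",
         "responses": ["https://www.virustotal.com/en/ip-address/1.2.3.4/information/",
                       "https://www.virustotal.com/en/ip-address/1.3.2.2/information/"]}],
    "openSourceCorrelations": ["https://isc.sans.edu/diary.html?storyid=21531"],
})
SAMPLE_400 = json.dumps({"timestamp": 1440510110000, "status": 400,
                         "error": "Bad Request", "message": "'q' parameter not provided"})


if __name__ == "__main__":
    # Offline demo: a stub transport returns the constructed 200 body.
    result = find_indicators("placeholder-token", ["www.rinui.com", "1.2.3.4"],
                             sources=["OSINT", "VIRUSTOTAL", "CROWDSTRIKE"], limit=10,
                             http_get=lambda url, token: (200, SAMPLE_200))
    for itype, value in result["correlated"]:
        print(f"{itype:<6} {value}")
    print("CrowdStrike families:", result["private"]["CROWDSTRIKE"][0]["malware_families"])
```

Splitting externalIntelligence by value type rather than by source name means a new private source that starts returning JSON objects, or a public one that starts returning URLs, is handled without a code change; the documented distinction between private and public services is a property of the payload, not of the source list.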