Find Indicators
GET /1.2/indicators/?q={indicator_value1,indicator_value2}&source={source1,source2}&limit={limit}
Description
Searches all TruSTAR incident reports for the provided indicators and returns every indicator correlated with the search results. Hits from any selected external intelligence services or open sources are also processed by TruSTAR and returned. The number of correlated indicators in the response can be limited.
Parameters
| Parameter | Required | Description |
|---|---|---|
| q | X | Indicator value(s) of any type, e.g. an IP address, email address, URL, MD5, SHA1, SHA256, registry key, malware name, etc. Multiple values are comma-delimited. |
| source | | Comma-delimited list of sources (defaults to INCIDENT_REPORT). Available sources: INCIDENT_REPORT, OSINT, VIRUSTOTAL, FACEBOOK, CROWDSTRIKE |
| limit | | Limit the number of correlated indicators returned in the response (default 10). |
Responses
200 (OK)
{
  "indicators": {
    "IP": ["val1", ...],
    "URL": ["val1", ...],
    "MD5": ["val1", ...],
    "SHA1": ["val1", ...],
    "SHA256": ["val1", ...],
    "SOFTWARE": ["val1", ...],
    "CVE": ["val1", ...],
    "EMAIL_ADDRESS": ["val1", ...],
    "MALWARE": ["val1", ...],
    "REGISTRY_KEY": ["val1", ...]
  },
  "externalIntelligence": [
    {
      "source": "<PRIVATE_SOURCE>",
      "responses": [
        <JSON>,
        <JSON>,
        ...
      ]
    },
    {
      "source": "<PUBLIC_SOURCE>",
      "responses": [
        <URL>,
        <URL>,
        ...
      ]
    },
    ...
  ],
  "openSourceCorrelations": [
    <URL>,
    <URL>,
    ...
  ]
}
An object containing indicator arrays grouped by type, an array of open source correlations, and external intelligence results grouped by source: public services (e.g. VirusTotal, Facebook, ThreatExchange) return URLs, while private services (e.g. CrowdStrike) return JSON responses.
400 (Bad Request)
{
  "timestamp": <millisecond epoch>,
  "status": 400,
  "error": "Bad Request",
  "message": <error detail, e.g. 'q' parameter not provided>
}
Example Usage
Request
curl -k -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/indicators/?q=www.rinui.com,1.2.3.4&source=OSINT,VIRUSTOTAL,CROWDSTRIKE&limit=10"
Response
{
  "indicators": {
    "IP": [
      "1.2.3.4",
      "1.3.2.2"
    ],
    "URL": [
      "www.google.com",
      "evildomain.com"
    ],
    "MD5": [
      "d41d8cd98f00b204e9800998ecf8427e"
    ],
    "SHA1": [
      "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    ],
    "SHA256": [
      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ],
    "SOFTWARE": [
      "malware.exe",
      "invoice.html",
      "bill.docx"
    ],
    "CVE": [
      "CVE-2016-2119",
      "CVE-2010-5075"
    ],
    "EMAIL_ADDRESS": [
      "joe@ourcompany.com"
    ],
    "MALWARE": [
      "Backdoor:Win32/Caphaw.D!lnk"
    ],
    "REGISTRY_KEY": [
      "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows"
    ]
  },
  "externalIntelligence": [
    {
      "source": "CROWDSTRIKE",
      "responses": [
        {
          "malware_families": [
            "njRAT"
          ],
          "indicator": "1.2.3.4",
          "last_updated": 1440510110,
          "kill_chains": [
            "C2"
          ]
        }
      ]
    },
    {
      "source": "VIRUSTOTAL",
      "responses": [
        "https://www.virustotal.com/en/ip-address/1.2.3.4/information/",
        "https://www.virustotal.com/en/ip-address/1.3.2.2/information/"
      ]
    }
  ],
  "openSourceCorrelations": [
    "https://isc.sans.edu/diary.html?storyid=21531",
    "http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html",
    "hailataxii"
  ]
}
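As an added example (not TruSTAR's own client code), the Python below builds the request shown above, keeps TLS certificate verification on instead of using curl's -k, surfaces the documented 400 body, and flattens a response like the one above into per-type counts, CrowdStrike hits and public-source URLs. The function names and the trimmed SAMPLE are constructed here; only the endpoint, parameters and source names come from the page.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.trustar.co/api/1.2/indicators/"
VALID_SOURCES = {"INCIDENT_REPORT", "OSINT", "VIRUSTOTAL", "FACEBOOK", "CROWDSTRIKE"}


def build_query(values, sources=("INCIDENT_REPORT",), limit=10):
    """Build the query string; q and source are comma-delimited as in the curl request."""
    unknown = set(sources) - VALID_SOURCES
    if unknown or not values:
        raise ValueError(f"unknown sources {sorted(unknown)} or empty q")
    params = {"q": ",".join(values), "source": ",".join(sources), "limit": str(limit)}
    return urllib.parse.urlencode(params, safe=",")  # keep the delimiting commas literal


def find_indicators(access_token, values, sources=("INCIDENT_REPORT",), limit=10):
    """GET the endpoint with TLS verification left on (the curl example's -k turns it off)."""
    req = urllib.request.Request(BASE_URL + "?" + build_query(values, sources, limit),
                                 headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # e.g. the documented 400 when q is missing
        body = json.loads(err.read() or b"{}")
        raise RuntimeError(f"{err.code} {body.get('error')}: {body.get('message')}") from err


def summarize(result):
    """Flatten a response into per-type counts, CrowdStrike hits and public-source URLs."""
    out = {"counts": {t: len(v) for t, v in result.get("indicators", {}).items()},
           "crowdstrike": [], "virustotal_urls": []}
    for block in result.get("externalIntelligence", []):
        if block["source"] == "CROWDSTRIKE":  # private source: one JSON object per hit
            out["crowdstrike"] += [(h["indicator"], tuple(h.get("malware_families", [])),
                                    tuple(h.get("kill_chains", []))) for h in block["responses"]]
        elif block["source"] == "VIRUSTOTAL":  # public source: URLs only
            out["virustotal_urls"] += block["responses"]
    # openSourceCorrelations mixes URLs with bare feed names such as "hailataxii"
    out["osint_urls"] = [u for u in result.get("openSourceCorrelations", []) if u.startswith("http")]
    return out


SAMPLE = {  # constructed here by trimming the page's example response
    "indicators": {"IP": ["1.2.3.4", "1.3.2.2"], "URL": ["www.google.com", "evildomain.com"]},
    "externalIntelligence": [
        {"source": "CROWDSTRIKE", "responses": [{"malware_families": ["njRAT"], "indicator": "1.2.3.4",
                                                 "last_updated": 1440510110, "kill_chains": ["C2"]}]},
        {"source": "VIRUSTOTAL", "responses": ["https://www.virustotal.com/en/ip-address/1.2.3.4/information/"]}],
    "openSourceCorrelations": ["https://isc.sans.edu/diary.html?storyid=21531", "hailataxii"],
}
```

Call `find_indicators("<access_token>", ["www.rinui.com", "1.2.3.4"], ("OSINT", "VIRUSTOTAL", "CROWDSTRIKE"))` with a real token to reproduce the request above, then pass the result to `summarize`.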