Get Latest Indicators
GET /1.2/indicators/latest?source={source_type}&types={indicator_type_0,indicator_type_1,...,indicator_type_n}&limit={limit}&intervalSize={number}
Description
Returns indicators recently submitted to TruSTAR (from the caller’s enclave(s) and community reports) or collected from open sources (OSINT). You can specify the indicator types as a comma-separated list, a limit on the number of results, and a time window in hours. OSINT indicators are returned only if they correlate with reports in the caller’s enclave(s) or with community reports.
Parameters
| Parameter | Required | Description |
|---|---|---|
| source | | The source of the indicators to be returned: INCIDENT_REPORT or OSINT (default INCIDENT_REPORT). |
| types | | Comma-delimited list of indicator types to return. Returns all types if blank. Available types: IPv4, IPv6, URL, MD5, SHA1, SHA256, SOFTWARE, EMAIL_ADDRESS, CVE, REGISTRY_KEY, MALWARE, BITCOIN_ADDRESS, CIDR_BLOCK |
| limit | | Limit the number of indicators returned in the response (default 5000). |
| intervalSize | | Specifies the time window size, in hours, starting from the current instant (default and max value 24). |
Responses
200 (OK)
{
  "status": "success",
  "indicators": {
    "IP": ["val1", ...],
    "URL": ["val1", ...],
    "MD5": ["val1", ...],
    "SHA1": ["val1", ...],
    "SHA256": ["val1", ...],
    "SOFTWARE": ["val1", ...],
    "CVE": ["val1", ...],
    "EMAIL_ADDRESS": ["val1", ...],
    "MALWARE": ["val1", ...],
    "REGISTRY_KEY": ["val1", ...]
  },
  "queryDate": milliseconds since epoch,
  "intervalSize": "HH",
  "limit": "val",
  "source": "val"
}
An object with status, indicator arrays, and the query parameters.
400 (Bad Request)
{
  "timestamp": milliseconds since epoch,
  "status": 400,
  "error": "Bad Request",
  "message": error detail (e.g. limit in hours exceeds 24)
}
Example Usage
Request
curl -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/indicators/latest/?source=INCIDENT_REPORT&types=IP,URL&limit=10&intervalSize=12"
Response
{
  "status": "success",
  "indicators": {
    "IP": [
      "1.2.3.4",
      "1.3.2.2"
    ],
    "URL": [
      "www.google.com",
      "evildomain.com"
    ],
    "MD5": [
      "d41d8cd98f00b204e9800998ecf8427e"
    ],
    "SHA1": [
      "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    ],
    "SHA256": [
      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ],
    "SOFTWARE": [
      "malware.exe",
      "invoice.html",
      "bill.docx"
    ],
    "CVE": [
      "CVE-2016-2119",
      "CVE-2010-5075"
    ],
    "EMAIL_ADDRESS": [
      "joe@ourcompany.com"
    ],
    "MALWARE": [
      "Backdoor:Win32/Caphaw.D!lnk"
    ],
    "REGISTRY_KEY": [
      "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows"
    ]
  },
  "queryDate": 1501532247680,
  "limit": "50",
  "intervalSize": "12",
  "source": "INCIDENT_REPORT"
}
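Added example (not part of the TruSTAR documentation or client code): Python handling for this endpoint on the consuming side. `build_url` rejects parameter values outside what this page documents, and `split_indicators` checks each returned value against the type it was listed under before it is loaded into a blocklist or SIEM. The function names, the format patterns and the sample body are assumptions of this example.

```python
import ipaddress
import json
import re
from urllib.parse import urlencode

BASE = "https://api.trustar.co/api/1.2/indicators/latest"  # from the curl example
# Assumption: these format checks are this example's own, not TruSTAR's rules.
PATTERNS = {
    "MD5": r"[0-9a-fA-F]{32}", "SHA1": r"[0-9a-fA-F]{40}",
    "SHA256": r"[0-9a-fA-F]{64}", "CVE": r"CVE-[0-9]{4}-[0-9]{4,}",
}

def build_url(source="INCIDENT_REPORT", types=(), limit=5000, interval_size=24):
    """Fail locally on parameter values outside what the page documents."""
    if source not in ("INCIDENT_REPORT", "OSINT"):
        raise ValueError("source must be INCIDENT_REPORT or OSINT")
    if interval_size > 24:
        raise ValueError("intervalSize maximum is 24 hours")
    query = {"source": source, "limit": limit, "intervalSize": interval_size}
    if types:
        query["types"] = ",".join(types)  # comma-delimited list
    return BASE + "?" + urlencode(query, safe=",")

def is_valid(kind, value):
    """Check one value against the indicator type it was returned under."""
    if kind == "IP":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    pattern = PATTERNS.get(kind)
    # Types without a pattern here (URL, SOFTWARE, ...) pass through unchecked.
    return pattern is None or re.fullmatch(pattern, value) is not None

def split_indicators(body):
    """Parse a 200 response body into (accepted, rejected) type -> values maps."""
    doc = json.loads(body)
    if doc.get("status") != "success":  # a 400 body carries "status": 400
        raise ValueError("unexpected status: %r" % doc.get("status"))
    accepted, rejected = {}, {}
    for kind, values in doc.get("indicators", {}).items():
        for value in values:
            bucket = accepted if is_valid(kind, value) else rejected
            bucket.setdefault(kind, []).append(value)
    return accepted, rejected

# Constructed sample: two values from the page's example plus two malformed ones.
SAMPLE = ('{"status": "success", "indicators": {"IP": ["1.2.3.4", "1.2.3.999"],'
          ' "MD5": ["d41d8cd98f00b204e9800998ecf8427e", "d41d8cd9"]}}')
```

Rejected values are worth logging rather than dropping silently, since a malformed entry can point to a parsing problem in the report it was extracted from.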