Get Latest Indicators

GET /1.2/indicators/latest?source={source_type}&types={indicator_type_0,indicator_type_1,...,indicator_type_n}&limit={limit}&intervalSize={number}

Description

Returns indicators recently submitted to TruSTAR (in the caller's enclave(s) and community reports) or collected from open sources (OSINT). You can specify the indicator types as a comma-separated list, a limit on the number of results, and a time window in hours. OSINT indicators are returned only if they correlate with reports in the caller's enclave(s) or with community reports.

Parameters

| Parameter | Required | Description |
|---|---|---|
| source | | The source of the indicators to be returned: INCIDENT_REPORT or OSINT (default INCIDENT_REPORT). |
| types | | Comma-delimited list of indicator types to return. Returns all types if blank. Available types: IPv4, IPv6, URL, MD5, SHA1, SHA256, SOFTWARE, EMAIL_ADDRESS, CVE, REGISTRY_KEY, MALWARE, BITCOIN_ADDRESS, CIDR_BLOCK |
| limit | | Limit the number of indicators returned in the response (default 5000). |
| intervalSize | | Specifies the time window size, in hours, starting from the current instant (default and max value 24). |

Responses

200 (OK)

{
    "status": "success",
    "indicators": {
        "IP": ["val1", ...],
        "URL": ["val1", ...],
        "MD5": ["val1", ...],
        "SHA1": ["val1", ...],
        "SHA256": ["val1", ...],
        "SOFTWARE": ["val1", ...],
        "CVE": ["val1", ...],
        "EMAIL_ADDRESS": ["val1", ...],
        "MALWARE": ["val1", ...],
        "REGISTRY_KEY": ["val1", ...]
    },
    "queryDate": milliseconds since epoch,
    "intervalSize": "HH",
    "limit": "val",
    "source": "val"
}

An object with status, indicator arrays, and the query parameters.

400 (Bad Request)

{
    "timestamp": milliseconds since epoch,
    "status": 400,
    "error": "Bad Request",
    "message": error detail (e.g. limit in hours exceeds 24)
}

Example Usage

Request

curl -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/indicators/latest/?source=INCIDENT_REPORT&types=IP,URL&limit=10&intervalSize=12"

Response

{
    "status": "success",
    "indicators": {
        "IP": [
            "1.2.3.4",
            "1.3.2.2"
        ],
        "URL": [
            "www.google.com",
            "evildomain.com"
        ],
        "MD5": [
            "d41d8cd98f00b204e9800998ecf8427e"
        ],
        "SHA1": [
            "da39a3ee5e6b4b0d3255bfef95601890afd80709"
        ],
        "SHA256": [
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        ],
        "SOFTWARE": [
            "malware.exe",
            "invoice.html",
            "bill.docx"
        ],
        "CVE": [
            "CVE-2016-2119",
            "CVE-2010-5075"
        ],
        "EMAIL_ADDRESS": [
            "joe@ourcompany.com"
        ],
        "MALWARE": [
            "Backdoor:Win32/Caphaw.D!lnk"
        ],
        "REGISTRY_KEY": [
            "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows"
        ]
    },
    "queryDate": 1501532247680,
    "limit": "50",
    "intervalSize": "12",
    "source": "INCIDENT_REPORT"
}
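
Client-side handling of the request and both response shapes documented above, added here as an example and not TruSTAR's own code: it builds the query string, rejects an out-of-range intervalSize before the API would answer 400, and separates well-formed indicator values from malformed ones before they reach a blocklist or SIEM. The function names, the lower bound of 1 hour and the format checks are assumptions of this example, and the sample body is constructed.

```python
import ipaddress
import json
from urllib.parse import urlencode

# Host and /api prefix are taken from the curl example on this page.
ENDPOINT = "https://api.trustar.co/api/1.2/indicators/latest"
SOURCES = {"INCIDENT_REPORT", "OSINT"}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}  # digest lengths in hex characters

def build_url(source="INCIDENT_REPORT", types=(), limit=5000, interval_size=24):
    """Build the query, rejecting values before the API answers 400."""
    if source not in SOURCES:
        raise ValueError(f"unknown source: {source!r}")
    if not 1 <= interval_size <= 24:  # 24 is the documented max; 1 is assumed
        raise ValueError("intervalSize must be between 1 and 24 hours")
    params = {"source": source, "limit": limit, "intervalSize": interval_size}
    if types:
        params["types"] = ",".join(types)
    return f"{ENDPOINT}?{urlencode(params, safe=',')}"

def well_formed(kind, value):
    """Format check (this example's own rule) for fixed-format types."""
    if kind in HEX_LEN:
        return len(value) == HEX_LEN[kind] and set(value.lower()) <= set("0123456789abcdef")
    if kind in ("IP", "IPv4", "IPv6"):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False
    return True  # types without a fixed format pass through unchecked

def parse_response(body):
    """Split a response body into (accepted, rejected) lists of (type, value)."""
    doc = json.loads(body)
    if doc.get("status") != "success":  # the 400 body carries "status": 400
        raise RuntimeError(f"{doc.get('error')}: {doc.get('message')}")
    accepted, rejected = [], []
    for kind, values in doc.get("indicators", {}).items():
        for value in values:
            (accepted if well_formed(kind, value) else rejected).append((kind, value))
    return accepted, rejected

# Constructed sample: values from the example response plus two malformed ones.
SAMPLE = json.dumps({"status": "success", "indicators": {
    "IP": ["1.2.3.4", "999.1.1.1"],
    "MD5": ["d41d8cd98f00b204e9800998ecf8427e", "not-a-hash"],
    "URL": ["evildomain.com"]}, "queryDate": 1501532247680})

if __name__ == "__main__":
    print(build_url(types=["IP", "URL"], limit=10, interval_size=12))
    print(parse_response(SAMPLE))
```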