Find Correlated Reports

GET /1.2/reports/correlate?q={indicator_value}

Description

Return IDs of all TruSTAR incident reports that correlate with the provided indicator value.

Parameters

Parameter Required Description
q   Comma-delimited list of indicator types to return. Returns all types if blank. Available types: IPv4, IPv6, URL, MD5, SHA1, SHA256, SOFTWARE, EMAIL_ADDRESS, CVE, REGISTRY_KEY, MALWARE, BITCOIN_ADDRESS, CIDR_BLOCK

Responses

200 (OK)

A list of report IDs.

[report id1, report id2, ....]

400 (Bad Request)

{
     "timestamp": milliseconds since epoch,
     "status": 400,
     "error": "Bad Request",
     "message": error detail (e.g. q parameter is empty)
}

Example Usage

Request

curl -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/reports/correlate?q=WANNACRY"

Response

[
    "371118b8-2ef5-4fc8-a802-9db217667f26",
    "dfc3073e-1292-443a-9c11-705879c11ec9",
    "c6cb670c-7b77-4155-9928-a1d2cf4d709e"
]

The first result could be viewed in Station at https://station.trustar.co/reports/371118b8-2ef5-4fc8-a802-9db217667f26.
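
The same request from Python, as an added example that is not part of the TruSTAR documentation or SDK: it percent-encodes the indicator, handles the 400 error body shown above, and turns the returned IDs into Station links. The function names and the CorrelateError class are hypothetical, and the UUID check assumes report IDs always look like those in the sample response.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.trustar.co/api/1.2"          # from the curl example
STATION_BASE = "https://station.trustar.co/reports"  # from the Station link
# Assumption: report IDs are always UUIDs, as in the sample response.
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

class CorrelateError(Exception):
    """Error body or unexpected response shape."""

def build_request(indicator, access_token):
    """Build the GET request. The indicator is percent-encoded so that URLs,
    registry keys or e-mail addresses cannot alter the query string."""
    if not indicator or not indicator.strip():
        raise ValueError("q parameter is empty")  # would be a 400 server-side
    query = urllib.parse.urlencode({"q": indicator.strip()})
    return urllib.request.Request(
        f"{API_BASE}/reports/correlate?{query}",
        headers={"Authorization": f"Bearer {access_token}"},
    )

def parse_response(status, body):
    """Return Station URLs for a 200 body; raise CorrelateError otherwise."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise CorrelateError(f"HTTP {status}: body is not JSON") from exc
    if status != 200:
        detail = data.get("message") if isinstance(data, dict) else None
        raise CorrelateError(f"HTTP {status}: {detail}")
    if not isinstance(data, list):
        raise CorrelateError("expected a JSON list of report IDs")
    for rid in data:  # validate before an ID is placed into a link
        if not (isinstance(rid, str) and UUID_RE.fullmatch(rid)):
            raise CorrelateError(f"unexpected report ID: {rid!r}")
    return [f"{STATION_BASE}/{rid}" for rid in data]

def find_correlated_reports(indicator, access_token):
    """Live call; urllib verifies the TLS certificate by default."""
    try:
        with urllib.request.urlopen(build_request(indicator, access_token), timeout=30) as resp:
            return parse_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_response(err.code, err.read())
```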