Get Reports
GET /1.2/reports?from={from_time}&to={to_time}&distributionType={distribution_type}&enclaveIds={enclave_id1,enclave_id2,...}&submittedBy={submitted_by}&tag={tag_name}
Description
Returns incident reports matching the specified filters. All parameters are optional: if none are given, the latest 25 reports accessible to the user are returned (the same view the user would get by logging into Station).
Parameters
Parameter | Required | Description |
---|---|---|
from | No | start of the time window (Unix timestamp, seconds since epoch) |
to | No | end of the time window (Unix timestamp, seconds since epoch) |
distributionType | No | filters by distribution type: COMMUNITY or ENCLAVE; otherwise leave blank |
enclaveIds | No | comma-separated list of enclave ids, when requesting enclave reports |
submittedBy | No | filters by ownership: ME or OTHERS; otherwise leave blank |
tag | No | the name of a tag to filter by (Note: the tag cannot exist in more than one of the requested enclaves) |
Responses
200 (OK)
{
  "status": status of the query,
  "pageSize": number of records returned per page,
  "totalPages": how many pages are returned by this query,
  "pageNumber": current page number,
  "moreResults": whether more results are available,
  "totalElements": count of elements returned by this query,
  "data": {
    "reports": [
      {
        "id": report_id,
        "created": time when the report was created,
        "updated": time when the report was updated,
        "title": title of the report,
        "timeBegan": time when the incident began,
        "reportBody": content of the report submitted to TruSTAR,
        "sector": {
          "name": name of sector,
          "label": label of sector
        },
        "enclaves": [
          {
            "id": enclave id,
            "name": enclave name
          }
        ],
        "distributionType": "COMMUNITY" or "ENCLAVE",
        "indicators": [
          {
            "indicatorType": "IP", "URL", etc,
            "value": indicator value
          }
        ],
        "indicatorsCount": number of indicators in the report
      }
    ]
  }
}
A JSON object with standard metadata and a data field holding an array of matching incident reports. Each incident report includes the following fields: id, created, updated, title, sector, distributionType, enclaves, reportBody, and indicators. The reports are sorted by updated time. The from and to timestamps, if provided, filter reports on their updated times, not their created times. Note also the units: from and to are given in seconds since epoch, whereas the created, updated and timeBegan values in the response are millisecond timestamps (compare the values in the example below).
Please note that the field correlationCount is not provided in this case. To obtain it, you must issue a single call for the specific report.
400 (Bad Request)
{
  "timestamp": milliseconds since epoch,
  "status": 400,
  "error": "Bad Request",
  "message": error detail (e.g. from epoch value is higher than to; invalid param value, etc.)
}
Example Usage
Request
curl -k -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/reports?from=1500142249&to=1500401449"
The -k flag tells curl to skip TLS certificate verification; leave it out in practice so the bearer token is only sent to a server whose certificate has been validated.
Response
{
  "status": "Success",
  "pageSize": 25,
  "totalPages": 1,
  "pageNumber": 0,
  "moreResults": false,
  "totalElements": 5,
  "data": {
    "reports": [
      {
        "id": "5207f5f9-047f-4192-994d-e876c120ff78",
        "created": 1500574637966,
        "updated": 1500574637966,
        "title": "Malware sample",
        "sector": {
          "label": "Education",
          "name": "education"
        },
        "timeBegan": 1485941025000,
        "reportBody": "Malware traffic detected on 103.255.61.39",
        "enclaves": [
          {
            "id": "e630ceb0-9f4d-4b0c-8ee4-d2942251f897",
            "name": "SOMA"
          }
        ],
        "distributionType": "ENCLAVE",
        "indicators": [
          {
            "indicatorType": "IP",
            "value": "103.255.61.39"
          }
        ],
        "indicatorsCount": 1
      }
    ]
  }
}
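As an added example (not TruSTAR's own client code), the following Python builds a filtered GET /1.2/reports URL from the parameters in the table above, rejecting the combinations the 400 response describes (from later than to, invalid distributionType or submittedBy), and flattens a 200 response into per-report records with the millisecond updated timestamp converted to seconds. The sample response is constructed from the page's example; the function names are this example's own.

```python
import json
from urllib.parse import urlencode

BASE_URL = "https://api.trustar.co/api/1.2/reports"  # taken from the page's curl example


def build_reports_url(from_ts=None, to_ts=None, distribution_type=None,
                      enclave_ids=None, submitted_by=None, tag=None):
    """Build the GET /1.2/reports URL, rejecting values the API answers with 400."""
    if from_ts is not None and to_ts is not None and from_ts > to_ts:
        raise ValueError("from must not be later than to")
    if distribution_type not in (None, "COMMUNITY", "ENCLAVE"):
        raise ValueError("distributionType must be COMMUNITY or ENCLAVE")
    if submitted_by not in (None, "ME", "OTHERS"):
        raise ValueError("submittedBy must be ME or OTHERS")
    params = {"from": from_ts, "to": to_ts, "distributionType": distribution_type,
              "enclaveIds": ",".join(enclave_ids) if enclave_ids else None,
              "submittedBy": submitted_by, "tag": tag}
    # Drop unset filters; keep the comma that delimits the enclaveIds list.
    query = urlencode({k: v for k, v in params.items() if v is not None}, safe=",")
    return BASE_URL + ("?" + query if query else "")


def parse_reports(body):
    """Flatten a 200 response into (reports, more_results) with times in seconds."""
    payload = json.loads(body)
    if payload.get("status") != "Success":
        raise ValueError("query did not succeed: %r" % payload.get("status"))
    reports = []
    for r in payload["data"]["reports"]:
        reports.append({
            "id": r["id"],
            "title": r["title"],
            "updated": r["updated"] // 1000,  # response carries milliseconds
            "enclaves": [e["name"] for e in r.get("enclaves", [])],
            "indicators": [(i["indicatorType"], i["value"]) for i in r.get("indicators", [])],
        })
    return reports, payload["moreResults"]


# Constructed sample response, modelled on the page's example (not a live capture).
SAMPLE_RESPONSE = json.dumps({
    "status": "Success", "pageSize": 25, "totalPages": 1, "pageNumber": 0,
    "moreResults": False, "totalElements": 1,
    "data": {"reports": [{
        "id": "5207f5f9-047f-4192-994d-e876c120ff78", "title": "Malware sample",
        "created": 1500574637966, "updated": 1500574637966, "distributionType": "ENCLAVE",
        "enclaves": [{"id": "e630ceb0-9f4d-4b0c-8ee4-d2942251f897", "name": "SOMA"}],
        "indicators": [{"indicatorType": "IP", "value": "103.255.61.39"}]}]}})
```

Calling `build_reports_url(from_ts=1500142249, to_ts=1500401449)` reproduces the URL in the curl request above, and `parse_reports(SAMPLE_RESPONSE)` yields one record whose updated time is 1500574637 seconds.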