Report Submission
POST /1.2/report
Description
Submit a report to either the community or to enclaves. The response contains the report's TruSTAR report id and the indicators extracted from the submitted report.
The id can be used to find the report through the Station, or to issue subsequent calls on the API.
Parameters
Body must be well-formed JSON with the following fields:
| Parameter | Required | Description |
|---|---|---|
| incidentReport.title | X | Title of the report |
| incidentReport.reportBody | X | Text content of report |
| incidentReport.externalTrackingId | | External tracking id provided by user. Limit 500 alphanumeric characters. Must be unique across all reports for a given company. |
| incidentReport.externalUrl | | URL for the external report that this originated from, if one exists. |
| incidentReport.timeBegan | | ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00 |
| incidentReport.distributionType | X | COMMUNITY or ENCLAVE |
| enclaveIds | | Array of TruSTAR-generated enclave ids (available on Station on same page as API KEY and API SECRET). Use the enclave id, NOT the enclave name. |
Responses
200 (OK)
{
"reportId": <report_id>,
"externalTrackingId": <external_id>,
"reportIndicators": {
"IP": ["val1", ...],
"URL": ["val1", ...],
"MD5": ["val1", ...],
"SHA1": ["val1", ...],
"SHA256": ["val1", ...],
"SOFTWARE": ["val1", ...],
"CVE": ["val1", ...],
"EMAIL_ADDRESS": ["val1", ...],
"MALWARE": ["val1", ...],
"REGISTRY_KEY": ["val1", ...]
}
}
400 (Bad Request)
{
"timestamp": <milliseconds since epoch>,
"status": 400,
"error": "Bad Request",
"message": <error detail (e.g. missing report body)>
}
or
{
"error": "invalid_request",
"error_description": "Expired oaut2 access token"
}
403 (Forbidden)
{
"timestamp": <milliseconds since epoch>,
"status": 403,
"error": "Forbidden",
"message": <error detail (e.g. user cannot submit enclave reports)>
}
Example Usage
curl -H "Content-Type: application/json" \
  -H "Authorization: Bearer {access_token}" \
  -X POST \
  -d '{"incidentReport":{"title":"curl api-report", "externalTrackingId": 1234, "timeBegan":"2016-09-22T11:38:35+00:00", "reportBody":"This is a test report body with some indicators: 1.2.3.4, evil.exe, api.evildomain.com, hash d2dd1bcdd6d6cfac59ba9638d2cd886c ","distributionType":"ENCLAVE"}, "enclaveIds":["eba9bf3f", "b93f6d70"]}' \
  "https://api.trustar.co/api/1.2/report"
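A minimal Python client for this endpoint, added here as an example and not TruSTAR's own code: it checks a submission against the parameter table before sending and handles both error shapes listed under Responses. The function names are hypothetical, and an already-obtained OAuth2 access token is assumed.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime

API_URL = "https://api.trustar.co/api/1.2/report"  # endpoint from the curl example

def build_payload(title, body, distribution, enclave_ids=(), tracking_id=None,
                  external_url=None, time_began=None):
    """Validate the fields against the parameter table and return the JSON body as a dict."""
    if not title or not body:
        raise ValueError("title and reportBody are required")
    if distribution not in ("COMMUNITY", "ENCLAVE"):
        raise ValueError("distributionType must be COMMUNITY or ENCLAVE")
    tid = None if tracking_id is None else str(tracking_id)
    if tid is not None and not (tid.isascii() and tid.isalnum() and len(tid) <= 500):
        raise ValueError("externalTrackingId: at most 500 alphanumeric characters")
    if time_began is not None and datetime.fromisoformat(time_began).tzinfo is None:
        raise ValueError("timeBegan must be ISO-8601 with a timezone offset")
    report = {"title": title, "reportBody": body, "distributionType": distribution}
    optional = {"externalTrackingId": tracking_id, "externalUrl": external_url, "timeBegan": time_began}
    report.update({k: v for k, v in optional.items() if v is not None})
    payload = {"incidentReport": report}
    if enclave_ids:
        payload["enclaveIds"] = list(enclave_ids)  # enclave ids, not enclave names
    return payload

def parse_response(status, raw):
    """Return (reportId, reportIndicators) on 200; otherwise raise with the API's error detail."""
    try:
        data = json.loads(raw)
    except ValueError:
        data = {}
    if status == 200 and "reportId" in data:
        return data["reportId"], data.get("reportIndicators", {})
    # 400/403 bodies carry "message"; the token-related 400 carries "error_description" instead
    detail = data.get("message") or data.get("error_description") or data.get("error") or "unparseable body"
    raise RuntimeError(f"HTTP {status}: {detail}")

def submit_report(access_token, payload):
    """POST the payload; urllib's default TLS context verifies the server certificate."""
    req = urllib.request.Request(API_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_response(err.code, err.read())
```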