Report Submission

POST /1.2/report

Description

Submit a report to either community or enclaves and you’ll receive it’s TruSTAR report id and extracted indicators from the submitted report.

The id can be used to find the report through the Station, or issue subsequent calls on the API.

Parameters

Body must be well formed JSON with the following fields:

Parameter Required Description
incidentReport.title X Title of the report
incidentReport.reportBody X Text content of report
incidentReport.externalTrackingId   External tracking id provided by user. Limit 500 alphanumeric characters. Must be unique across all reports for a given company.
incidentReport.externalUrl   URL for the external report that this originated from, if one exists.
incidentReport.timeBegan   ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00
incidentReport.distributionType X COMMUNITY or ENCLAVE
enclaveIds   Array of TruSTAR-generated enclave ids (available on Station on same page as API KEY and API SECRET). Use the enclave id, NOT the enclave name.

Responses

200 (OK)

{
    "reportId": <report_id>,
    "externalTrackingId": <external_id>,
    "reportIndicators": {
        "IP": ["val1", ...],
        "URL": ["val1", ...],
        "MD5": ["val1", ...],
        "SHA1": ["val1", ...],
        "SHA256": ["val1", ...],
        "SOFTWARE": ["val1", ...],
        "CVE": ["val1", ...],
        "EMAIL_ADDRESS": ["val1", ...],
        "MALWARE": ["val1", ...],
        "REGISTRY_KEY": ["val1", ...],
    },
}

400 (Bad Request)

{
    "timestamp": <milliseconds since epoc>,
    "status": 400,
    "error": "Bad Request",
    "message": <error detail (e.g. missing report body)>
}

or

{
    "error": "invalid_request",
    "error_description": "Expired oaut2 access token"
}

403 (Forbidden)

{
    "timestamp": <milliseconds since epoc>,
    "status": 403,
    "error": "Forbidden",
    "message": <error detail (e.g. user cannot submit enclave reports)>
}

Example Usage

curl -k -H "Content-Type: application/json" -X POST -d '{"incidentReport":{"title":"curl api-report", "externalTrackingId": 1234, "timeBegan":""2016-09-22T11:38:35+00:00", "reportBody":"This is a test report body with some indicators: 1.2.3.4, evil.exe, api.evildomain.com, hash d2dd1bcdd6d6cfac59ba9638d2cd886c ","distributionType":"ENCLAVE"}, "enclaveIds":["eba9bf3f", "b93f6d70"]}' -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/report"