Update Report

PUT /1.2/report/{id}?idType={id_type}

Description

Updates the report specified by the given id (either a TruSTAR report id or an external tracking id). Only the fields provided in the request body are updated.

Parameters

Body must be well-formed JSON with the following fields:

Parameter | Required | Description
id | X | TruSTAR report id or external tracking id
idType | | internal or external (defaults to internal when not provided)
incidentReport.title | X | Title of the report
incidentReport.reportBody | X | Text content of report
incidentReport.timeBegan | | ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00
incidentReport.distributionType | X | COMMUNITY or ENCLAVE
enclaveIds | | Array of TruSTAR-generated enclave ids (available on Station on same page as API KEY and API SECRET). Use the enclave id, NOT the enclave name.

Responses

200 (OK)

The raw report data, extracted indicators and other metadata in JSON format.

{
    "reportId": <report_id>,
    "externalTrackingId": <external_id>,
    "reportIndicators": {
        "IP": ["val1", ...],
        "URL": ["val1", ...],
        "MD5": ["val1", ...],
        "SHA1": ["val1", ...],
        "SHA256": ["val1", ...],
        "SOFTWARE": ["val1", ...],
        "CVE": ["val1", ...],
        "EMAIL_ADDRESS": ["val1", ...],
        "MALWARE": ["val1", ...],
        "REGISTRY_KEY": ["val1", ...]
    }
}

400 (Bad Request)

{
    "timestamp": <milliseconds since epoch>,
    "status": 400,
    "error": "Bad Request",
    "message": <error detail (e.g. invalid distribution type)>
}

or

{
    "timestamp": <milliseconds since epoch>,
    "status": 400,
    "error": "Forbidden",
    "message": <error detail (e.g. user does not have update permissions)>
}

403 (Forbidden)

{
    "timestamp": <milliseconds since epoch>,
    "status": 403,
    "error": "Forbidden",
    "message": <error detail (e.g. user cannot submit enclave reports)>
}

Example Usage

Request

curl -H "Content-Type: application/json" -X PUT -d '{"incidentReport":{"title":"new title", "externalTrackingId": "newId1234", "reportBody":"This is a test report body with some indicators: 1.2.3.4, 5.6.7.8, evil.exe, api.evildomain.com, hash d2dd1bcdd6d6cfac59ba9638d2cd886c "}}' -H "Authorization: Bearer {access_token}" "https://api.trustar.co/api/1.2/report/{id}"

Response

{
    "reportId": "1a23bc4d-5e6f-7890-g123-h456789i0jb",
    "externalTrackingId": "newId1234",
    "reportIndicators": {
        "IP": [
            "1.2.3.4",
            "5.6.7.8"
        ],
        "URL": [
            "api.evildomain.com"
        ],
        "MD5": [
            "d2dd1bcdd6d6cfac59ba9638d2cd886c"
        ]
    }
}
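
Building the request in code

The following is an added example, not part of the original TruSTAR documentation or SDK. It builds the PUT request described above with only the supplied fields in the body, checks the enumerated values locally, and percent-encodes the id so a free-form external tracking id cannot alter the path or query. The function name, its arguments and the sample values are assumptions; placing enclaveIds at the top level of the body follows the naming in the parameter table.

```python
import json
from datetime import datetime
from urllib.parse import quote, urlencode
from urllib.request import Request

API_BASE = "https://api.trustar.co/api/1.2"  # base URL taken from the curl example


def build_update_request(report_id, token, id_type="internal", title=None,
                         report_body=None, time_began=None,
                         distribution_type=None, enclave_ids=None):
    """Build, without sending, the PUT request for a partial report update."""
    if id_type not in ("internal", "external"):
        raise ValueError("idType must be 'internal' or 'external'")
    incident = {}
    if title is not None:
        incident["title"] = title
    if report_body is not None:
        incident["reportBody"] = report_body
    if time_began is not None:
        # ISO-8601 with timezone is required; reject naive timestamps locally.
        if datetime.fromisoformat(time_began).tzinfo is None:
            raise ValueError("timeBegan must include a timezone offset")
        incident["timeBegan"] = time_began
    if distribution_type is not None:
        if distribution_type not in ("COMMUNITY", "ENCLAVE"):
            raise ValueError("distributionType must be COMMUNITY or ENCLAVE")
        incident["distributionType"] = distribution_type
    payload = {"incidentReport": incident}
    if enclave_ids is not None:
        payload["enclaveIds"] = list(enclave_ids)  # enclave ids, not names
    # External tracking ids are free-form: percent-encode every reserved
    # character so the id cannot change the request path or query string.
    url = "%s/report/%s?%s" % (API_BASE, quote(report_id, safe=""),
                               urlencode({"idType": id_type}))
    return Request(url, data=json.dumps(payload).encode("utf-8"), method="PUT",
                   headers={"Content-Type": "application/json",
                            "Authorization": "Bearer " + token})


if __name__ == "__main__":
    # Constructed sample values; pass the result to urllib.request.urlopen()
    # to send it (certificate verification is on by default).
    req = build_update_request("newId1234", "ACCESS_TOKEN", id_type="external",
                               title="new title")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```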