
Find Related Indicators

GET /1.3/indicators/related

Description

Searches all TruSTAR incident reports for the provided indicators and returns all correlated indicators from the search results. Two indicators are considered “correlated” if they can be found in a common report.

Note

Correlated indicators are searched across incident reports that were created or updated within the last 90 days.

Parameters

| Parameter | Required | Default | Description |
|---|---|---|---|
| indicators | X | | Indicator value of any type, e.g. an IP address, email address, URL, MD5, SHA1, SHA256, Registry Key, Malware name, etc. |
| enclaveIds | | All enclaves the user has READ access to | Comma-delimited list of IDs of enclaves to look in |
| pageNumber | | 0 | Which page of the result set to get |
| pageSize | | 100 | The number of results per page. Max allowed size is 1000. |

Response (200)

A page of Indicator objects.

Example Usage

Request

curl -H "Authorization: Bearer {access_token}" \
     "https://api.trustar.co/api/1.3/indicators/related?indicators=evil.com,bad@gmail.com"

Response

{
    "items": [
        {
            "indicatorType": "MALWARE",
            "value": "LOCKY"
        },
        {
            "indicatorType": "URL",
            "value": "evil.com"
        },
        {
            "indicatorType": "EMAIL_ADDRESS",
            "value": "attacker@evil.com"
        },
        {
            "indicatorType": "URL",
            "value": "bamb.com"
        }
    ],
    "hasNext": false,
    "pageSize": 25,
    "pageNumber": 0
}
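
The following is an added example, not part of the TruSTAR documentation or SDK: it pages through this endpoint by following `hasNext`, rejects a `pageSize` above the documented maximum, percent-encodes indicator values, and leaves TLS certificate verification on so the bearer token is only sent to the authenticated host. The function names, the injectable `fetch` parameter and the `max_pages` guard are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Host and path taken from the page's curl example.
BASE_URL = "https://api.trustar.co/api/1.3/indicators/related"
MAX_PAGE_SIZE = 1000  # documented maximum for pageSize


def build_url(indicators, page_number=0, page_size=100, enclave_ids=None):
    """Build the request URL, percent-encoding values such as '@' or '/'."""
    if not indicators:
        raise ValueError("'indicators' is a required parameter")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("pageSize must be between 1 and %d" % MAX_PAGE_SIZE)
    params = {"indicators": ",".join(indicators),
              "pageNumber": page_number, "pageSize": page_size}
    if enclave_ids:  # omitted: all enclaves the user has READ access to
        params["enclaveIds"] = ",".join(enclave_ids)
    return BASE_URL + "?" + urllib.parse.urlencode(params)


def http_get_json(url, token):
    """Default transport; urllib verifies the server certificate by default."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def related_indicators(indicators, token, fetch=http_get_json,
                       page_size=100, enclave_ids=None, max_pages=50):
    """Yield (indicatorType, value) for every correlated indicator."""
    for page_number in range(max_pages):
        url = build_url(indicators, page_number, page_size, enclave_ids)
        page = fetch(url, token)
        for item in page.get("items", []):
            yield item["indicatorType"], item["value"]
        if not page.get("hasNext"):
            return
    # hypothetical safety limit so a misbehaving server cannot loop forever
    raise RuntimeError("stopped after max_pages pages; narrow the query")
```

Passing a stub as `fetch` lets the paging logic be exercised offline without a real access token.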

© Copyright 2021, Splunk Inc.