Find Related Indicators
GET /1.3/indicators/related
Description
Search all TruSTAR incident reports for the provided indicators and return all correlated indicators from the search results. Two indicators are considered “correlated” if they can be found in a common report.
Note
The correlated indicators will be searched across incident reports that were created or updated within the last 90 days.
Parameters
Parameter | Required | Default | Description |
---|---|---|---|
indicators | X | | Indicator value of any type; i.e. an IP address, email address, URL, MD5, SHA1, SHA256, Registry Key, Malware name, etc. |
enclaveIds | | All enclaves the user has READ access to | Comma-delimited list of IDs of enclaves to look in |
pageNumber | | 0 | Which page of the result set to get |
pageSize | | 100 | The number of results per page. Max allowed size is 1000. |
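Example Usage
Request
```bash
# curl validates the server certificate by default, so the bearer token
# is sent only over a verified TLS connection.
curl -H "Authorization: Bearer {access_token}" \
  "https://api.trustar.co/api/1.3/indicators/related?indicators=evil.com,bad@gmail.com"
```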
Response
```json
{
  "items": [
    {
      "indicatorType": "MALWARE",
      "value": "LOCKY"
    },
    {
      "indicatorType": "URL",
      "value": "evil.com"
    },
    {
      "indicatorType": "EMAIL_ADDRESS",
      "value": "attacker@evil.com"
    },
    {
      "indicatorType": "URL",
      "value": "bamb.com"
    }
  ],
  "hasNext": false,
  "pageSize": 25,
  "pageNumber": 0
}
```
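Walking the paged result set with `pageNumber` and `hasNext`, as an added example that is not part of the TruSTAR documentation or client code. The function names, the comma-joined `indicators` list (modelled on the request above), the de-duplication and the `max_pages` guard are assumptions.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://api.trustar.co/api/1.3/indicators/related"  # from the request example
MAX_PAGE_SIZE = 1000  # documented upper bound for pageSize


def build_url(indicators, page_number=0, page_size=100, enclave_ids=None):
    """Build the query URL; ',' stays a literal delimiter, '@' etc. are percent-encoded."""
    if not indicators:
        raise ValueError("the indicators parameter is required")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("pageSize must be between 1 and %d" % MAX_PAGE_SIZE)
    params = {"indicators": ",".join(indicators),
              "pageNumber": page_number, "pageSize": page_size}
    if enclave_ids:
        params["enclaveIds"] = ",".join(enclave_ids)
    return BASE_URL + "?" + urllib.parse.urlencode(params, safe=",")


def http_get_json(url, token):
    """Default transport; urllib validates the server certificate by default."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def related_indicators(indicators, token, page_size=100, enclave_ids=None,
                       fetch=http_get_json, max_pages=50):
    """Follow hasNext across pages; de-duplicate on (indicatorType, value)."""
    seen, results = set(), []
    for page in range(max_pages):
        body = fetch(build_url(indicators, page, page_size, enclave_ids), token)
        for item in body.get("items", []):
            key = (item["indicatorType"], item["value"])
            if key not in seen:
                seen.add(key)
                results.append(item)
        if not body.get("hasNext"):
            return results
    raise RuntimeError("hasNext still true after max_pages pages")  # hypothetical guard


if __name__ == "__main__":
    # Constructed two-page response served by a stub, so this runs offline.
    pages = iter([{"items": [{"indicatorType": "MALWARE", "value": "LOCKY"}], "hasNext": True},
                  {"items": [{"indicatorType": "URL", "value": "bamb.com"}], "hasNext": False}])
    print(related_indicators(["evil.com"], "unused", fetch=lambda url, token: next(pages)))
```

Pass the real access token as `token` and leave `fetch` at its default to query the API; the `fetch` hook exists so the paging logic can be exercised without network access.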